Edge-Core ECS4810-12M Layer 2 Management Manual
ECS4810-12M Layer 2
Gigabit Ethernet Switch
Management Guide
www.edge-core.com


Summary of Contents for Edge-Core ECS4810-12M Layer 2

  • Page 1 ECS4810-12M Layer 2 Gigabit Ethernet Switch Management Guide www.edge-core.com...
  • Page 3 Management Guide ECS4810-12M Gigabit Ethernet Switch Layer 2 Switch with 12 Gigabit Combination Ports (RJ-45/SFP) ECS4810-12M E042014/ST-R04 149100000142A...
  • Page 5: About This Guide

    About This Guide. Purpose: This guide gives specific information on how to operate and use the management functions of the switch. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 6 About This Guide. Revision History: This section summarizes the changes in each revision of this guide. April 2014 Revision: This is the fourth version of this guide. This guide is valid for software release v1.1.4.11. It includes information on the following changes: ◆...
  • Page 7 About This Guide. February 2014 Revision: This is the third version of this guide. This guide is valid for software release v1.1.4.9. It includes information on the following changes: ◆ Corrected description of the command "spanning-tree bpdu-filter" on page 1051. December 2013 Revision...
  • Page 8 About This Guide. ◆ Added description of RA Guard parameters under "Configuring IPv6 Interface Settings" on page 568. ◆ Added the section "Configuring DHCP Relay Service" on page 592. ◆ Added description of Type and Expire parameters under "Specifying Static Interfaces for a Multicast Router" on page 604.
  • Page 9 About This Guide. ◆ Added the parameter “hardware counters” to the command "show access-list" on page 947. ◆ Added the commands "discard" on page 953 and "show discard" on page 959. ◆ Added the command "transceiver-monitor" on page 967. ◆ Updated description of commands "transceiver-threshold current"...
  • Page 10 About This Guide. ◆ Added the commands "bundle" on page 1163 and "priority" on page 1171. ◆ Added the command "clear ip igmp snooping statistics" on page 1195. ◆ Added the commands "ip igmp authentication" on page 1204, "ip igmp query-drop" on page 1208, "ip multicast-data-drop"...
  • Page 11 About This Guide. 2011 Revision: This is the first version of this guide. This guide is valid for software release v1.0.6.0.
  • Page 12 About This Guide
  • Page 13: Table Of Contents

    Contents About This Guide Contents Figures Tables Section I: Getting Started Introduction Key Features Description of Software Features System Defaults Initial Switch Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Downloading a Configuration File Referenced by a DHCP Server Enabling SNMP Management Access Managing System Files...
  • Page 14 Contents Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu Basic Management Tasks Displaying System Information Displaying Hardware/Software Versions Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting the Start-Up File Showing System Files...
  • Page 15 Contents Configuring Transceiver Thresholds Performing Cable Diagnostics Trunk Configuration Configuring a Static Trunk Configuring a Dynamic Trunk Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Configuring Load Balancing Saving Power Traffic Segmentation Enabling Traffic Segmentation...
  • Page 16 Contents Configuring MAC Address Mirroring Spanning Tree Algorithm Overview Configuring Loopback Detection Configuring Global Settings for STA Displaying Global Settings for STA Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP Congestion Control Rate Limiting...
  • Page 17 Contents 13 Security Measures AAA Authentication, Authorization and Accounting Configuring Local/Remote Logon Authentication Configuring Remote Logon Authentication Servers Configuring AAA Accounting Configuring AAA Authorization Configuring User Accounts Web Authentication Configuring Global Settings for Web Authentication Configuring Interface Settings for Web Authentication Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports...
  • Page 18 Contents ARP Inspection Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Configuring Interface Settings for ARP Inspection Displaying ARP Inspection Statistics Displaying the ARP Inspection Log Filtering IP Addresses for Management Access Configuring Port Security Configuring 802.1X Port Authentication Configuring 802.1X Global Settings Configuring Port Authenticator Settings for 802.1X Configuring Port Supplicant Settings for 802.1X...
  • Page 19 Contents Setting the Local Engine ID Specifying a Remote Engine ID Setting SNMPv3 Views Configuring SNMPv3 Groups Setting Community Access Strings Configuring Local SNMPv3 Users Configuring Remote SNMPv3 Users Specifying Trap Managers Creating SNMP Notification Logs Showing SNMP Statistics Remote Monitoring Configuring RMON Alarms Configuring RMON Events Configuring RMON History Samples...
  • Page 20 Contents Displaying Remote MEPs Displaying Details for Remote MEPs Displaying the Link Trace Cache Displaying Fault Notification Settings Displaying Continuity Check Errors OAM Configuration Enabling OAM on Local Ports Displaying Statistics for OAM Messages Displaying the OAM Event Log Displaying the Status of Remote Interfaces Configuring a Remote Loop Back Test Displaying Results of Remote Loop Back Testing 15 IP C...
  • Page 21 Contents Dynamic Host Configuration Protocol Specifying a DHCP Client Identifier Configuring DHCP Relay Service 17 Multicast Filtering Overview Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters Specifying Static Interfaces for a Multicast Router Assigning Interfaces to Multicast Services Setting IGMP Snooping Status per Interface Displaying Multicast Groups Discovered by IGMP Snooping Displaying IGMP Snooping Statistics...
  • Page 22 Contents Section: Command Line Interface 18 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands...
  • Page 23 Contents Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note show banner System Status show access-list tcam-utilization show alarm show alarm-status show memory...
  • Page 24 Contents Automatic Code Upgrade Commands upgrade opcode auto upgrade opcode path upgrade opcode reload show upgrade TFTP Configuration Commands ip tftp retry ip tftp timeout Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect terminal show line Event Logging...
  • Page 25 Contents logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands sntp client sntp poll sntp server show sntp Manual Configuration Commands clock summer-time (date) clock summer-time (predefined) clock summer-time (recurring) clock timezone calendar set show calendar Time Range time-range absolute periodic...
  • Page 26 Contents show cluster show cluster members show cluster candidates 21 SNMP Commands General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host SNMPv3 Commands snmp-server engine-id snmp-server group snmp-server user snmp-server view show snmp engine-id...
  • Page 27 Contents show rmon events show rmon history show rmon statistics 23 Flow Sampling Commands sflow owner sflow polling instance sflow sampling instance show sflow 24 Authentication Commands User Accounts enable password username Authentication Sequence authentication enable authentication login RADIUS Client radius-server acct-port radius-server auth-port radius-server host...
  • Page 28 Contents server accounting dot1x accounting exec authorization exec show accounting Web Server ip http port ip http server ip http secure-port ip http secure-server Telnet Server ip telnet max-sessions ip telnet port ip telnet server show ip telnet Secure Shell ip ssh authentication-retries ip ssh server ip ssh server-key size...
  • Page 29 Contents dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate Supplicant Commands dot1x identity profile dot1x max-start dot1x pae supplicant dot1x timeout auth-period dot1x timeout held-period dot1x timeout start-period Information Display Commands show dot1x Management IP Filter...
  • Page 30 Contents network-access mac-filter mac-authentication reauth-time network-access dynamic-qos network-access dynamic-vlan network-access guest-vlan network-access link-detection network-access link-detection link-down network-access link-detection link-up network-access link-detection link-up-down network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count clear network-access mac-address-table show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts...
  • Page 31 Contents ip dhcp snooping trust clear ip dhcp snooping binding clear ip dhcp snooping database flash ip dhcp snooping database flash show ip dhcp snooping show ip dhcp snooping binding IP Source Guard ip source-guard binding ip source-guard ip source-guard max-binding show ip source-guard show ip source-guard binding ARP Inspection...
  • Page 32 Contents Port-based Traffic Segmentation traffic-segmentation traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 26 Access Control Lists IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list IPv6 ACLs access-list ipv6 permit, deny (Standard IPv6 ACL)
  • Page 33 Contents 27 Interface Commands Interface Configuration interface alias capabilities description discard flowcontrol history media-type negotiation shutdown speed-duplex clear counters show discard show interfaces brief show interfaces counters show interfaces history show interfaces status show interfaces switchport Transceiver Threshold Configuration transceiver-monitor transceiver-threshold current transceiver-threshold rx-power...
  • Page 34 Contents 28 Link Aggregation Commands Manual Configuration Commands port channel load-balance channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel) lacp timeout Trunk Status Display Commands show lacp show port-channel load-balance 29 Port Mirroring Commands Local Port Mirroring Commands...
  • Page 35 Contents auto-traffic-control alarm-fire-threshold 1013 auto-traffic-control auto-control-release 1014 auto-traffic-control control-release 1015 SNMP Trap Commands 1015 snmp-server enable port-traps atc broadcast-alarm-clear 1015 snmp-server enable port-traps atc broadcast-alarm-fire 1016 snmp-server enable port-traps atc broadcast-control-apply 1016 snmp-server enable port-traps atc broadcast-control-release 1017 snmp-server enable port-traps atc multicast-alarm-clear 1017 snmp-server enable port-traps atc multicast-alarm-fire 1018...
  • Page 36 Contents 34 Spanning Tree Commands 1039 spanning-tree 1040 spanning-tree cisco-prestandard 1041 spanning-tree forward-time 1041 spanning-tree hello-time 1042 spanning-tree max-age 1043 spanning-tree mode 1043 spanning-tree pathcost method 1045 spanning-tree priority 1045 spanning-tree mst configuration 1046 spanning-tree system-bpdu-flooding 1047 spanning-tree transmission-limit 1047 max-hops 1048 mst priority...
  • Page 37 Contents 35 ERPS Commands 1067 erps 1069 erps domain 1069 control-vlan 1070 enable 1071 guard-timer 1072 holdoff-timer 1072 major-domain 1073 meg-level 1074 mep-monitor 1074 node-id 1075 non-erps-dev-protect 1076 non-revertive 1077 propagate-tc 1081 raps-def-mac 1082 raps-without-vc 1082 ring-port 1084 rpl neighbor 1085 rpl owner 1086...
  • Page 38 Contents Editing VLAN Groups 1105 vlan database 1105 vlan 1106 Configuring VLAN Interfaces 1107 interface vlan 1107 switchport acceptable-frame-types 1108 switchport allowed vlan 1108 switchport ingress-filtering 1109 switchport mode 1110 switchport native vlan 1111 vlan-trunking 1112 Displaying VLAN Information 1113 show vlan 1113 Configuring IEEE 802.1Q Tunneling...
  • Page 39 Contents Configuring MAC Based VLANs 1134 mac-vlan 1134 show mac-vlan 1135 Configuring Voice VLANs 1135 voice vlan 1136 voice vlan aging 1137 voice vlan mac-address 1137 switchport voice vlan 1138 switchport voice vlan priority 1139 switchport voice vlan rule 1139 switchport voice vlan security 1140 show voice vlan...
  • Page 40 Contents police flow 1164 police srtcm-color 1166 police trtcm-color 1168 priority 1171 set cos 1171 set ip dscp 1172 set phb 1173 service-policy 1174 show class-map 1174 show policy-map 1175 show policy-map interface 1176 39 Multicast Filtering Commands 1177 IGMP Snooping 1178 ip igmp snooping...
  • Page 41 Contents show ip igmp snooping 1195 show ip igmp snooping group 1196 show ip igmp snooping mrouter 1197 show ip igmp snooping statistics 1198 Static Multicast Routing 1200 ip igmp snooping vlan mrouter 1200 IGMP Filtering and Throttling 1201 ip igmp filter (Global Configuration) 1202 ip igmp profile 1203...
  • Page 42 Contents clear ipv6 mld snooping statistics 1221 show ipv6 mld snooping 1221 show ipv6 mld snooping group 1222 show ipv6 mld snooping group source-list 1222 show ipv6 mld snooping mrouter 1223 MLD Filtering and Throttling 1223 ipv6 mld filter (Global Configuration) 1224 ipv6 mld profile 1225...
  • Page 43 Contents show mvr 1244 show mvr associated-profile 1246 show mvr interface 1246 show mvr members 1247 show mvr profile 1249 show mvr statistics 1249 MVR for IPv6 1254 mvr6 associated-profile 1255 mvr6 domain 1256 mvr6 priority 1256 mvr6 profile 1257 mvr6 proxy-query-interval 1258 mvr6 proxy-switching...
  • Page 44 Contents lldp admin-status 1279 lldp basic-tlv management-ip-address 1279 lldp basic-tlv port-description 1280 lldp basic-tlv system-capabilities 1281 lldp basic-tlv system-description 1281 lldp basic-tlv system-name 1282 lldp dot1-tlv proto-ident 1282 lldp dot1-tlv proto-vid 1283 lldp dot1-tlv pvid 1283 lldp dot1-tlv vlan-name 1284 lldp dot3-tlv link-agg 1284 lldp dot3-tlv mac-phy...
  • Page 45 Contents clear ethernet cfm ais mpid 1309 show ethernet cfm configuration 1310 show ethernet cfm md 1311 show ethernet cfm ma 1312 show ethernet cfm maintenance-points local 1312 show ethernet cfm maintenance-points local detail mep 1313 show ethernet cfm maintenance-points remote detail 1315 Continuity Check Operations 1317...
  • Page 46 Contents Delay Measure Operations 1336 ethernet cfm delay-measure two-way 1336 42 OAM Commands 1339 efm oam 1340 efm oam critical-link-event 1340 efm oam link-monitor frame 1341 efm oam link-monitor frame threshold 1342 efm oam link-monitor frame window 1342 efm oam mode 1343 clear efm oam counters 1344...
  • Page 47 Contents DHCP for IPv6 1364 ipv6 dhcp client rapid-commit vlan 1364 ipv6 dhcp restart client vlan 1364 show ipv6 dhcp duid 1366 show ipv6 dhcp vlan 1366 DHCP Relay Option 82 1367 ip dhcp relay server 1367 ip dhcp relay information option 1368 ip dhcp relay information policy 1371...
  • Page 48 Contents show ipv6 traffic 1396 clear ipv6 traffic 1400 ping6 1400 traceroute6 1402 Neighbor Discovery 1403 ipv6 nd dad attempts 1403 ipv6 nd ns-interval 1404 ipv6 nd raguard 1405 ipv6 nd reachable-time 1406 clear ipv6 neighbors 1407 show ipv6 nd raguard 1407 show ipv6 neighbors 1407...
  • Page 49 Contents License Information 1429 The GNU General Public License 1429 Glossary 1433 Command List 1441 Index 1451
  • Page 50 Contents
  • Page 51: Figures

    Figures Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 52 Figures Figure 32: Configuring Remote Port Mirroring (Intermediate) Figure 33: Configuring Remote Port Mirroring (Destination) Figure 34: Showing Port Statistics (Table) Figure 35: Showing Port Statistics (Chart) Figure 36: Configuring a History Sample Figure 37: Showing Entries for History Sampling Figure 38: Showing Status of Statistical History Sample Figure 39: Showing Current Statistics for a History Sample Figure 40: Showing Ingress Statistics for a History Sample...
  • Page 53 Figures Figure 68: Creating Static VLANs Figure 69: Modifying Settings for Static VLANs Figure 70: Showing Static VLANs Figure 71: Configuring Static Members by VLAN Index Figure 72: Configuring Static VLAN Members by Interface Figure 73: Configuring Static VLAN Members by Interface Range Figure 74: Configuring Global Status of GVRP Figure 75: Configuring GVRP for an Interface Figure 76: Showing Dynamic VLANs Registered on the Switch...
  • Page 54 Figures Figure 104: STP Root Ports and Designated Ports Figure 105: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree Figure 106: Spanning Tree – Common Internal, Common, Internal Figure 107: Configuring Port Loopback Detection Figure 108: Configuring Global Settings for STA (STP) Figure 109: Configuring Global Settings for STA (RSTP) Figure 110: Configuring Global Settings for STA (MSTP) Figure 111: Displaying Global Settings for STA...
  • Page 55 Figures Figure 140: Configuring a Class Map Figure 141: Showing Class Maps Figure 142: Adding Rules to a Class Map Figure 143: Showing the Rules for a Class Map Figure 144: Configuring a Policy Map Figure 145: Showing Policy Maps Figure 146: Adding Rules to a Policy Map Figure 147: Showing the Rules for a Policy Map Figure 148: Configuring a Bundle Rate for a Group of Traffic Flows...
  • Page 56 Figures Figure 176: Configuring Global Settings for Network Access Figure 177: Configuring Interface Settings for Network Access Figure 178: Configuring Link Detection for Network Access Figure 179: Configuring a MAC Address Filter for Network Access Figure 180: Showing the MAC Address Filter Table for Network Access Figure 181: Showing Addresses Authenticated for Network Access Figure 182: Configuring HTTPS Figure 183: Downloading the Secure-Site Certificate...
  • Page 57 Figures Figure 212: Showing IP Addresses Authorized for Management Access Figure 213: Configuring Port Security Figure 214: Configuring Port Security Figure 215: Configuring Global Settings for 802.1X Port Authentication Figure 216: Configuring Interface Settings for 802.1X Port Authenticator Figure 217: Configuring Interface Settings for 802.1X Port Supplicant Figure 218: Showing Statistics for 802.1X Port Authenticator Figure 219: Showing Statistics for 802.1X Port Supplicant Figure 220: Setting the Filter Type for IP Source Guard...
  • Page 58 Figures Figure 248: Creating an SNMP View Figure 249: Showing SNMP Views Figure 250: Adding an OID Subtree to an SNMP View Figure 251: Showing the OID Subtree Configured for SNMP Views Figure 252: Creating an SNMP Group Figure 253: Showing SNMP Groups Figure 254: Setting Community Access Strings Figure 255: Showing Community Access Strings Figure 256: Configuring Local SNMPv3 Users...
  • Page 59 Figures Figure 284: Setting ERPS Global Status Figure 285: Sub-ring with Virtual Channel Figure 286: Sub-ring without Virtual Channel Figure 287: Creating an ERPS Ring Figure 288: Creating an ERPS Ring (Primary Ring) Figure 289: Showing Configured ERPS Rings Figure 290: Blocking an ERPS Ring Port Figure 291: Single CFM Maintenance Domain Figure 292: Multiple CFM Maintenance Domains Figure 293: Configuring Global Settings for CFM...
  • Page 60 Figures Figure 320: Running a Remote Loop Back Test Figure 321: Displaying the Results of Remote Loop Back Testing Figure 322: Pinging a Network Device Figure 323: Setting the ARP Timeout Figure 324: Displaying ARP Entries Figure 325: Configuring the IPv4 Default Gateway Figure 326: Configuring a Static IPv4 Address Figure 327: Configuring a Dynamic IPv4 Address Figure 328: Showing the IPv4 Address Configured for an Interface...
  • Page 61 Figures Figure 356: Showing Static Interfaces Assigned to a Multicast Service Figure 357: Showing Current Interfaces Assigned to a Multicast Service Figure 358: Configuring IGMP Snooping on a VLAN Figure 359: Showing Interface Settings for IGMP Snooping Figure 360: Showing Multicast Groups Learned by IGMP Snooping Figure 361: Displaying IGMP Snooping Statistics –...
  • Page 62 Figures Figure 392: Showing the Static MVR6 Groups Assigned to a Port Figure 393: Displaying MVR6 Receiver Groups Figure 394: Displaying MVR6 Statistics – Query Figure 395: Displaying MVR6 Statistics – VLAN Figure 396: Displaying MVR6 Statistics – Port Figure 397: Storm Control by Limiting the Traffic Rate 1008 Figure 398: Storm Control by Shutting Down a Port 1009...
  • Page 63: Tables

    Tables Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Remote Device Configuration Information Table 11: Traffic Segmentation Forwarding...
  • Page 64 Tables Table 32: ERPS Request/State Priority Table 33: Remote MEP Priority Levels Table 34: MEP Defect Descriptions Table 35: OAM Operation State Table 36: Remote Loopback Status Table 37: Address Resolution Protocol Table 38: Show IPv6 Neighbors - display description Table 39: Show IPv6 Statistics - display description Table 40: Show MTU - display description Table 41: General Command Modes...
  • Page 65 Tables Table 68: show snmp group - display description Table 69: show snmp user - display description Table 70: show snmp view - display description Table 71: RMON Commands Table 72: sFlow Commands Table 73: Authentication Commands Table 74: User Access Commands Table 75: Default Login Settings Table 76: Authentication Sequence Commands Table 77: RADIUS Client Commands...
  • Page 66 Tables Table 104: IPv6 ACL Commands Table 105: MAC ACL Commands Table 106: ARP ACL Commands Table 107: ACL Information Commands Table 108: Interface Commands Table 109: show interfaces switchport - display description Table 110: Link Aggregation Commands Table 111: show lacp counters - display description Table 112: show lacp internal - display description Table 113: show lacp neighbors - display description Table 114: show lacp sysid - display description...
  • Page 67 Tables Table 140: L2 Protocol Tunnel Commands 1121 Table 141: VLAN Translation Commands 1125 Table 142: Protocol-based VLAN Commands 1127 Table 143: IP Subnet VLAN Commands 1131 Table 144: MAC Based VLAN Commands 1134 Table 145: Voice VLAN Commands 1135 Table 146: Priority Commands 1143 Table 147: Priority Commands (Layer 2)
  • Page 68 Tables Table 176: show mvr6 statistics input - display description 1271 Table 177: show mvr6 statistics output - display description 1272 Table 178: show mvr6 statistics query - display description 1272 Table 179: LLDP Commands 1273 Table 180: LLDP MED Location CA Types 1286 Table 181: CFM Commands 1297...
  • Page 69: Section I

    Section I: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 71...
  • Page 70 Section I | Getting Started
  • Page 71: Key Features

    Introduction. This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 72: Description Of Software Features

    Chapter: Introduction | Description of Software Features. Table 1: Key Features (Continued). Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames. Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP). Virtual LANs: Up to 4093 using IEEE 802.1Q, port-based, protocol-based, voice VLANs, and QinQ tunnel...
  • Page 73 Chapter: Introduction | Description of Software Features. 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).
  • Page 74 Chapter: Introduction | Description of Software Features. Storm Control: Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
  • Page 75 Chapter: Introduction | Description of Software Features. 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
  • Page 76 Chapter: Introduction | Description of Software Features. frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network. Traffic Prioritization: This switch prioritizes each packet based on the required level of service, using eight priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing.
  • Page 77: System Defaults

    Chapter: Introduction | System Defaults. Link Layer Discovery Protocol: LLDP is used to discover basic information about neighboring devices within the local broadcast domain. LLDP is a Layer 2 protocol that advertises information about the sending device and collects information gathered from neighboring network nodes it discovers. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 78 Chapter: Introduction | System Defaults. Table 2: System Defaults (Continued). Columns: Function, Parameter, Default. Authentication and Security Measures (continued): IP Filtering: Disabled; DHCP Snooping: Disabled; IP Source Guard: Disabled (all ports). Web Management: HTTP Server: Enabled; HTTP Port Number; HTTP Secure Server: Enabled; HTTP Secure Server Port. SNMP...
  • Page 79 Chapter: Introduction | System Defaults. Table 2: System Defaults (Continued). Columns: Function, Parameter, Default. Virtual LANs: Default VLAN; PVID; Acceptable Frame Type; Ingress Filtering: Disabled; Switchport Mode (Egress Mode): Hybrid; GVRP (global): Disabled; GVRP (port interface): Disabled; QinQ Tunneling: Disabled. Traffic Prioritization: Ingress Port Priority; Queue Mode; Queue Weight...
  • Page 80 Chapter: Introduction | System Defaults
  • Page 81: Initial Switch Configuration

    Initial Switch Configuration. This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 82: Required Connections

    Chapter: Initial Switch Configuration | Connecting to the Switch. ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4093 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration...
  • Page 83: Remote Connections

    | Initial Switch Configuration HAPTER Connecting to the Switch Set the emulation mode to VT100. ■ When using HyperTerminal, select Terminal keys, not Windows ■ keys. Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see "Using the Command Line Interface"...
  • Page 84: Basic Configuration

    | Initial Switch Configuration HAPTER Basic Configuration ASIC ONFIGURATION The CLI program provides two different command levels — normal access ONSOLE level (Normal Exec) and privileged access level (Privileged Exec). The ONNECTION commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
  • Page 85: Setting An Ip Address

    | Initial Switch Configuration HAPTER Basic Configuration Username: admin Password: CLI session with the ECS4810-12M is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)# You must establish IP address information for the switch to obtain ETTING AN management access through the network.
  • Page 86 Assigning an Address: Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: ◆ IP address for the switch ◆ Network mask for this network ◆ Default gateway for the network...
  • Page 87 To configure an IPv6 link local address for the switch, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. 2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local”...
  • Page 88 To generate an IPv6 global unicast address for the switch, complete the following steps: 1. From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. 2. From the interface prompt, type “ipv6 address ipv6-address” or “ipv6 address ipv6-address/prefix-length,”...
  • Page 89 Dynamic Configuration. Obtaining an IPv4 Address: If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
  • Page 90
      Console(config)#interface vlan 1
      Console(config-if)#ip address dhcp
      Console(config-if)#end
      Console#show ip interface
      VLAN 1 is Administrative Up - Link Up
      Address is 70-72-CF-1C-BA-52
      Index: 1001, MTU: 1500
      Address Mode is DHCP
      IP Address: 192.168.0.2 Mask: 255.255.255.0
      Console#copy running-config startup-config
      Startup configuration file name []: startup
      \Write to FLASH Programming.
  • Page 91: Downloading A Configuration File Referenced By A DHCP Server

    Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages.
  • Page 92: Table 3: Options 60, 66 And 67 Statements

    Note the following DHCP client behavior: ◆ The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten.
  • Page 93: Enabling Snmp Management Access

    Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
  • Page 94 “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see "Setting SNMPv3 Views" on page 450).
  • Page 95: Managing System Files

    where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv”...
  • Page 96: Saving Or Restoring Configuration Settings

    uploaded via FTP/TFTP to a server for backup. The file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the switch will also create a file named “startup1.cfg”...
  • Page 97 To save the current configuration settings, enter the following command: 1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. 2. Enter the name of the start-up file. Press <Enter>.
      Console#copy running-config startup-config
      Startup configuration file name []: startup
      \Write to FLASH Programming.
  • Page 99: Section

    Web Configuration: This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 101 ◆ "Basic Management Tasks" on page 121...
  • Page 101: Using The Web Interface

    Using the Web Interface: This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions).
  • Page 102: Navigating The Web Browser Interface

    System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page. You can open a connection to the manufacturer’s web site by clicking on the Edge-Core logo.
  • Page 103: Configuration Options

    Configuration Options: Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 104: Main Menu

    Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu Menu Description...
  • Page 105 Table 6: Switch Main Menu (Continued) Menu Description Page Mirror Sets the source and target ports for mirroring Show Shows the configured mirror sessions Statistics Shows Interface, Etherlike, and RMON port statistics Chart Shows Interface, Etherlike, and RMON port statistics History...
  • Page 106 Table 6: Switch Main Menu (Continued) Menu Description Page Show Member Shows the active members in a trunk Statistics Shows Interface, Etherlike, and RMON port statistics Chart Shows Interface, Etherlike, and RMON port statistics Load Balance Sets the load-distribution method among ports in aggregated links History...
  • Page 107 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Interface Maps a protocol group to a VLAN Show Shows the protocol groups mapped to each VLAN IP Subnet Maps IP subnet traffic to a VLAN Show Shows IP subnet to VLAN mapping...
  • Page 108 Table 6: Switch Main Menu (Continued) Menu Description Page MSTP Multiple Spanning Tree Algorithm Configure Global Configures initial VLAN and priority for an MST instance Modify Configures the priority of an MST instance Show Configures global settings for an MST instance Add Member...
  • Page 109 Table 6: Switch Main Menu (Continued) Menu Description Page Show Shows configured class maps Modify Modifies the name of a class map Add Rule Configures the criteria used to classify ingress traffic Show Rule Shows the traffic classification rules for a class map Configure Policy...
  • Page 110 Table 6: Switch Main Menu (Continued) Menu Description Page Show Shows the accounting settings used for various service types Configure Service Sets the accounting method applied to specific interfaces for 802.1X, CLI command privilege levels for the console port, and for Telnet Show Information...
  • Page 111 Table 6: Switch Main Menu (Continued) Menu Description Page Secure Shell Configure Global Configures SSH server settings Configure Host Key Generate Generates the host key pair (public and private) Show Displays RSA and DSA host keys;...
  • Page 112 Table 6: Switch Main Menu (Continued) Menu Description Page IP Filter Sets IP addresses of clients allowed management access via the web, SNMP, and Telnet Show Shows the addresses to be allowed management access Port Security Configures per port security, including status, response for security breach, and maximum allowed MAC addresses...
  • Page 113 Table 6: Switch Main Menu (Continued) Menu Description Page SNMP Simple Network Management Protocol Configure Global Enables SNMP agent status, and sets related trap functions Configure Engine Set Engine ID Sets the SNMP v3 engine ID on this switch Add Remote Engine Sets the SNMP v3 engine ID for a remote device...
  • Page 114 Table 6: Switch Main Menu (Continued) Menu Description Page Show Alarm Shows all configured alarms Event Shows all configured events Configure Interface History Periodically samples statistics on a physical interface Statistics Enables collection of statistics on a physical interface Show...
  • Page 115 Table 6: Switch Main Menu (Continued) Menu Description Page Configure MA Configure Maintenance Associations Defines a unique CFM service instance, identified by its parent MD, the MA index, the VLAN assigned to the MA, and the MIP creation method Configure Details Configures detailed settings, including continuity check status and...
  • Page 116 Table 6: Switch Main Menu (Continued) Menu Description Page General Ping Sends ICMP echo request packets to another node on the network Address Resolution Protocol Configure General Sets the protocol timeout, and enables or disables proxy ARP for the specified VLAN Show Information Shows dynamically learned entries in the IP routing table...
  • Page 117 Table 6: Switch Main Menu (Continued) Menu Description Page Relay Option 82 Configures DHCP relay service for attached host devices, including DHCP option 82 information, and relay servers Snooping Configure Global Enables DHCP snooping globally, MAC-address verification, information option;...
  • Page 118 Table 6: Switch Main Menu (Continued) Menu Description Page Statistics Show Query Statistics Shows statistics for query-related messages Show VLAN Statistics Shows statistics for protocol messages and number of active groups Show Port Statistics Shows statistics for protocol messages and number of active...
  • Page 119 Table 6: Switch Main Menu (Continued) Menu Description Page Show Shows addresses profile to domain mapping Configure Interface Configures MVR interface type and immediate leave mode; also displays MVR operational and active status Configure Port Configures MVR attributes for a port Configure Trunk...
  • Page 121: Basic

    Basic Management Tasks: This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames –...
  • Page 122 Displaying System Information. Parameters: These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been...
  • Page 123: Displaying Hardware/Software Versions

    Displaying Hardware/Software Versions: Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. CLI References: ◆...
  • Page 124: Configuring Support For Jumbo Frames

    Web Interface: To view hardware and software version information. Click System, then Switch. Figure 4: General Switch Information. Configuring Support for Jumbo Frames: Use the System > Capability page to configure support for layer 2 jumbo frames.
  • Page 125: Displaying Bridge Extension Capabilities

    Web Interface: To configure support for jumbo frames: 1. Click System, then Capability. 2. Enable or disable support for jumbo frames. 3. Click Apply. Figure 5: Configuring Support for Jumbo Frames. Displaying Bridge Extension Capabilities: Use the System >...
  • Page 126 ◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to "VLAN Configuration"...
  • Page 127: Managing System Files

    Managing System Files: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Copying Files via ...: Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
  • Page 128 or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. The maximum number of user-defined configuration files is limited only by available flash memory space.
  • Page 129: Saving The Running Configuration To A Local File

    If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Saving the Running Configuration to a Local File: Use the System > File (Copy) page to save the current configuration settings to a local file on the switch.
  • Page 130: Setting The Start-Up File

    Figure 8: Saving the Running Configuration. If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Use the System >...
  • Page 131: Showing System Files

    Showing System Files: Use the System > File (Show) page to show the files in the system directory, or to delete a file. Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted. CLI References: "dir"...
  • Page 132 ◆ The host portion of the upgrade file location URL must be a valid IPv4 IP address. DNS host names are not recognized. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. The path to the directory must also be defined.
  • Page 133 ◆ The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures. ◆ The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image. Parameters: The following parameters are displayed: Automatic Opcode Upgrade –...
  • Page 134 in nested directory structures, from the parent directory, with a prepended forward slash “/”. ■ / – The forward slash must be the last character of the URL. Examples: The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations: tftp://192.168.0.1/...
  • Page 135: Setting The System Clock

    Click Apply. Figure 11: Configuring Automatic Code Upgrade. If a new image is found at the specified location, the following type of messages will be displayed during bootup.
      Automatic Upgrade is looking for a new image
      New image detected: current version 1.1.1.0;...
  • Page 136 Parameters: The following parameters are displayed: ◆ Current Time – Shows the current time set on the switch. ◆ Hours – Sets the hour. (Range: 0-23; Default: 0) ◆ Minutes – Sets the minute value. (Range: 0-59; Default: 0)...
  • Page 137: Setting The SNTP Polling Interval

    Setting the SNTP Polling Interval: Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI References: "Time"...
  • Page 138: Specifying SNTP Time Servers

    Specifying SNTP Time Servers: Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers. CLI References: ◆ "sntp server" on page 738...
  • Page 139: Configuring The Console Port

    Parameters: The following parameters are displayed: ◆ Name – Assigns a name to the time zone. (Range: 1-29 characters) ◆ Hours – The number of hours before/after UTC. (Range: -12 – 13)...
  • Page 140 Parameters: The following parameters are displayed: ◆ Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
  • Page 141: Configuring Telnet Settings

    Web Interface: To configure parameters for the console port: 1. Click System, then Console. 2. Specify the connection parameters as required. 3. Click Apply. Figure 16: Console Port Settings. Configuring Telnet Settings: Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection.
  • Page 142 A maximum of eight sessions can be concurrently opened for Telnet and Secure Shell (i.e., both Telnet and SSH share a maximum number of eight sessions). ◆ Login Timeout – Sets the interval that the system waits for a user to...
  • Page 143: Displaying CPU Utilization

    Figure 17: Telnet Connection Settings. Displaying CPU Utilization: Use the System > CPU Utilization page to display information on CPU utilization. CLI References: ◆ "show process cpu" on page 696. Parameters: The following parameters are displayed: Time Interval –...
  • Page 144: Displaying Memory Utilization

    Figure 18: Displaying CPU Utilization. Displaying Memory Utilization: Use the System > Memory Status page to display memory utilization parameters. CLI References: ◆ "show memory" on page 696. Parameters: The following parameters are displayed: ◆...
  • Page 145: Resetting The System

    Resetting the System: Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI References: ◆ "reload (Privileged Exec)" on page 680...
  • Page 146 ■ At – Specifies a time at which to reload the switch. ■ DD - The day of the month at which to reload. (Range: 01-31) ■ MM - The month at which to reload. (Range: 01-12)...
  • Page 147 Figure 20: Restarting the Switch (Immediately) Figure 21: Restarting the Switch (In)
  • Page 148 Figure 22: Restarting the Switch (At) Figure 23: Restarting the Switch (Regularly)
  • Page 149 Interface Configuration: This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
  • Page 150: Interface Configuration

    Port Configuration: This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. Configuring by Port List: Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 151 ■ SFP-Forced-1000SFP - Always uses the SFP port (even if a module is not installed), and configured for a 1000BASE SFP transceiver. ■ SFP-Forced-100FX - Always uses the SFP port (even if a module is...
  • Page 152: Configuring By Port Range

    Web Interface: To configure port connection parameters: 1. Click Interface, Port, General. 2. Select Configure by Port List from the Action List. 3. Modify the required interface settings. 4. Click Apply. Figure 24: Configuring Connections by Port List. Configuring by Port Range: Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface...
  • Page 153: Displaying Connection Status

    Modify the required interface settings. Click Apply. Figure 25: Configuring Connections by Port Range. Displaying Connection Status: Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
  • Page 154: Configuring Local Port Mirroring

    Web Interface: To display port connection parameters: 1. Click Interface, Port, General. 2. Select Show Information from the Action List. Figure 26: Displaying Port Information. Configuring Local Port Mirroring: Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
  • Page 155 ◆ When mirroring VLAN traffic (see "Configuring VLAN Mirroring" on page 229) or packets based on a source MAC address (see "Configuring MAC Address Mirroring" on page 238), the target port cannot be set to the same target ports as that used for port mirroring by this command.
  • Page 156: Configuring Remote Port Mirroring

    To display the configured mirror sessions: 1. Click Interface, Port, Mirror. 2. Select Show from the Action List. Figure 29: Displaying Local Port Mirror Sessions. Configuring Remote Port Mirroring: Use the Interface > Port > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
  • Page 157 Command Usage: ◆ Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in "Configuring Local Port Mirroring" on page 154), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
  • Page 158 ■ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
  • Page 159 VLAN > Static (Show) page will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. ◆ Type – Specifies the traffic type to be mirrored remotely. (Options: Rx,...
  • Page 160: Showing Port Or Trunk Statistics

    Figure 32: Configuring Remote Port Mirroring (Intermediate) Figure 33: Configuring Remote Port Mirroring (Destination). Showing Port or Trunk Statistics: Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the...
  • Page 161: Table 7: Port Statistics

    CLI References: ◆ "show interfaces counters" on page 960. Parameters: These parameters are displayed: Table 7: Port Statistics [Parameter | Description] Interface Statistics: Received Octets | The total number of octets received on the interface, including framing characters.
  • Page 162 Table 7: Port Statistics (Continued) [Parameter | Description] Deferred Transmissions | A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy. Frames Too Long | A count of frames received on a particular interface that exceed the maximum permitted frame size.
  • Page 163 Table 7: Port Statistics (Continued) [Parameter | Description] Utilization Statistics: Input Octets in kbits per second | Number of octets entering this interface in kbits/second. Input Packets per second | Number of packets entering this interface per second. Input Utilization | The input utilization rate for this interface.
  • Page 164 To show a chart of port statistics: 1. Click Interface, Port, Chart. 2. Select the statistics mode to display (Interface, Etherlike, RMON or All). 3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
  • Page 165: Displaying Statistical History

    Displaying Statistical History: Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces. CLI References: ◆ "history" on page 955 ◆ "show interfaces history" on page 962...
  • Page 166 ◆ Name – Name of sample interval. To configure a periodic sample of statistics: 1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics. 2. Select Add from the Action menu. 3. Select an interface from the Port or Trunk list. 4. Enter the sample name, the interval, and the number of buckets requested.
  • Page 167 To show the configured parameters for a sampling entry: 1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics. 2. Select Show Details from the Action menu. 3. Select Status from the options for Mode. 4. Select an interface from the Port or Trunk list. 5. Select a sampling entry from the Name list.
  • Page 168 Figure 39: Showing Current Statistics for a History Sample. To show ingress or egress traffic statistics for a sample entry: 1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics. 2. Select Show Details from the Action menu. 3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
  • Page 169: Displaying Transceiver Data

    Displaying Transceiver Data: Use the Interface > Port > Transceiver page to display identifying information, and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM). CLI References: ◆ "show interfaces transceiver" on page 973...
  • Page 170: Configuring Transceiver Thresholds

    Web Interface: To display identifying information and functional parameters for optical transceivers: 1. Click Interface, Port, Transceiver. 2. Select a port from the scroll-down list. Figure 41: Displaying Transceiver Data. Configuring Transceiver Thresholds: Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital...
  • Page 171 Parameters: These parameters are displayed: ◆ Port – Port number. (Range: 1-12) ◆ General – Information on connector type and vendor-related parameters. ◆ DDM Information – Information on temperature, supply voltage, laser bias current, laser power, and received optical power. The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers.
  • Page 172: Performing Cable Diagnostics

    ■ A low-threshold alarm or warning message is sent if the current value is less than or equal to the threshold, and the last sample value was greater than the threshold. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the low threshold and reaches the high threshold.
  • Page 173 CLI References: ◆ "Interface Commands" on page 949. Command Usage: ◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse. Cable diagnostics can only be performed on twisted-pair media.
  • Page 174: Trunk Configuration

    Web Interface: To test the cable attached to a port: 1. Click Interface, Port, Cable Test. 2. Click Test for any port to start the cable test. Figure 43: Performing Cable Tests. Trunk Configuration: This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
  • Page 175: Configuring A Static Trunk

    Command Usage: Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
  • Page 176 Command Usage: ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 177 To add member ports to a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure Trunk from the Step list. 3. Select Add Member from the Action list. 4. Select a trunk identifier. 5. Set the unit and port for an additional trunk member. 6. Click Apply.
  • Page 178: Configuring A Dynamic Trunk

    To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 48: Showing Information for Static Trunks. CONFIGURING A DYNAMIC TRUNK Use the Interface > Trunk > Dynamic (Configure Aggregator) pages to set the administrative key for an aggregation group, enable LACP on a port,...
  • Page 179 ◆ All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. ◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured).
  • Page 180 Configure Aggregation Port - Actor/Partner ◆ Port – Port number. (Range: 1-12) ◆ Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default –...
  • Page 181 INTERFACE To configure the admin key for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Aggregator from the Step list. Set the Admin Key and timeout mode for the required LACP group. Click Apply. Figure 50: Configuring the LACP Aggregator Admin Key. To enable LACP for a port: Click Interface, Trunk, Dynamic.
  • Page 182 To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply. Figure 52: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 183 To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Configure from the Action list. Modify the required interface settings. (See "Configuring by Port List" on page 150 for a description of the interface settings.) Click Apply.
  • Page 184: Displaying LACP Port Counters

    Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI REFERENCES ◆ "show lacp" on page 988...
  • Page 185: Displaying LACP Settings And Status For The Local Side

    Figure 56: Displaying LACP Port Counters. DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI R...
  • Page 186 Table 9: LACP Internal Configuration Information (Continued). Parameter: Admin State, Oper State (continued). Description: ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆ Long timeout – Periodic transmission of LACPDUs uses a slow...
  • Page 187: Displaying LACP Settings And Status For The Remote Side

    Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation. CLI R...
  • Page 188: Configuring Load Balancing

    Figure 58: Displaying LACP Port Remote Information. CONFIGURING LOAD BALANCING Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. CLI REFERENCES ◆ "port channel load-balance" on page 980...
  • Page 189 trunk. This mode works best for switch-to-router trunk links where traffic through the switch is received from and destined for many different hosts. ■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk.
  • Page 190: Saving Power

    Figure 59: Configuring Load Balancing. SAVING POWER Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI REFERENCES ◆ "power-save" on page 977 ◆ "show power-save" on page 978...
  • Page 191 Power savings can only be implemented on Gigabit Ethernet ports when using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters.
  • Page 192: Traffic Segmentation

    If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 193: Configuring Uplink And Downlink Ports

    Figure 61: Enabling Traffic Segmentation. CONFIGURING UPLINK AND DOWNLINK PORTS Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 194 assigned downlink ports will not be able to communicate with any other ports. ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. PARAMETERS These parameters are displayed: Session ID –...
  • Page 195: VLAN Trunking

    To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list. Figure 63: Showing Traffic Segmentation Members. VLAN TRUNKING Use the Interface >...
  • Page 196 connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
  • Page 197 Figure 65: Configuring VLAN Trunking
  • Page 199: VLAN Configuration

    This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 200 VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.
  • Page 201 VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 202: Configuring VLAN Groups

    Figure 67: Using GVRP. Forwarding Tagged/Untagged Frames: If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 203 ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 156). Modify ◆ VLAN ID – ID of configured VLAN (1-4093). ◆ VLAN Name – Name of the VLAN (1 to 32 characters)....
  • Page 204: Adding Static Members To VLANs

    To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 205 CLI REFERENCES ◆ "Configuring VLAN Interfaces" on page 1107 ◆ "Displaying VLAN Information" on page 1113 PARAMETERS These parameters are displayed: Edit Member by VLAN ◆ VLAN – ID of configured VLAN (1-4093)....
  • Page 206 ■ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 207 INTERFACE To configure static members by the VLAN index: Click VLAN, Static. Select a VLAN from the scroll-down list. Select Edit Member by VLAN from the Action list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required.
  • Page 208 Figure 72: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Action list. Set the Interface type to display as Port or Trunk. Enter an interface range.
  • Page 209: Configuring Dynamic VLAN Registration

    Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. CLI REFERENCES ◆ "GVRP and Bridge Extension Commands" on page 1100...
  • Page 210 Show Dynamic VLAN – Show VLAN: VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled) Show Dynamic VLAN –...
  • Page 211 Figure 75: Configuring GVRP for an Interface. To show the dynamic VLAN joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 76: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic.
  • Page 212: Showing VLAN Statistics

    Use the VLAN > Statistics page to display statistics on network traffic from the Interfaces Group. These statistics display the number of octets and packets received. All values displayed have been accumulated since the last system reboot, and are shown as counts per second.
  • Page 213: IEEE 802.1Q Tunneling

    IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 214 Figure 79: QinQ Operational Concept. Diagram labels: Customer A (VLANs 1-10); QinQ Tunneling; Service Provider (edge switch A), (edge switch B); VLAN 10; Tunnel Access Port...
  • Page 215 Layer 2 Flow for Packets Coming into a Tunnel Uplink Port: An uplink port receives one of the following packets: ◆ Untagged ◆ One tag (CVLAN or SPVLAN) ◆ Double tag (CVLAN + SPVLAN)...
  • Page 216 Configuration Limitations for QinQ: ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
  • Page 217: Enabling QinQ Tunneling On The Switch

    Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
  • Page 218: Creating CVLAN To SPVLAN Mapping Entries

    Figure 80: Enabling QinQ Tunneling. CREATING CVLAN TO SPVLAN MAPPING ENTRIES Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry. CLI REFERENCES ◆ "switchport dot1q-tunnel service match cvid" on page 1117...
  • Page 219 INTERFACE To configure a mapping entry: Click VLAN, Tunnel. Select Configure Service from the Step list. Select Add from the Action list. Select an interface from the Port list. Specify the CVID to SVID mapping for packets exiting the specified port.
  • Page 220: Adding An Interface To A QinQ Tunnel

    Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
  • Page 221: Protocol VLANs

    Figure 83: Adding an Interface to a QinQ Tunnel. PROTOCOL VLANS The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 222: Configuring Protocol VLAN Groups

    Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. CLI REFERENCES ◆ "protocol-vlan protocol-group (Configuring Groups)" on page 1128 PARAMETERS These parameters are displayed: ◆...
  • Page 223: Mapping Protocol Groups To Interfaces

    Figure 84: Configuring Protocol VLANs. To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 85: Displaying Protocol VLANs. MAPPING PROTOCOL GROUPS TO INTERFACES Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the...
  • Page 224 ◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: ■ If the frame is tagged, it will be processed according to the standard...
  • Page 225: Configuring IP Subnet VLANs

    Figure 86: Assigning Interfaces to Protocol VLANs. To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Show from the Action list. Select a port or trunk.
  • Page 226 CLI REFERENCES ◆ "Configuring IP Subnet VLANs" on page 1131 COMMAND USAGE ◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a mask. The specified VLAN need not be an existing VLAN.
  • Page 227: Configuring MAC-Based VLANs

    Figure 88: Configuring IP Subnet VLANs. To show the configured IP subnet VLANs: Click VLAN, IP Subnet. Select Show from the Action list. Figure 89: Showing IP Subnet VLANs. CONFIGURING MAC-BASED VLANS Use the VLAN >...
  • Page 228 ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. PARAMETERS These parameters are displayed: ◆ MAC Address – A source MAC address which is to be mapped to a...
  • Page 229: Configuring VLAN Mirroring

    Figure 91: Showing MAC-Based VLANs. CONFIGURING VLAN MIRRORING Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 230 PARAMETERS These parameters are displayed: ◆ Source VLAN – A VLAN whose traffic will be monitored. (Range: 1-4093) ◆ Target Port – The destination port that receives the mirrored traffic from the source VLAN. (Range: 1-12) INTERFACE To configure VLAN mirroring: Click VLAN, Mirror.
  • Page 231: Configuring VLAN Translation

    Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling. CLI REFERENCES ◆...
  • Page 232 INTERFACE To configure VLAN translation: Click VLAN, Translation. Select Add from the Action list. Select a port, and enter the original and new VLAN IDs. Click Apply. Figure 95: Configuring VLAN Translation. To show the mapping entries for VLAN translation: Click VLAN, Translation.
  • Page 233: Address Table Settings

    Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 234 PARAMETERS These parameters are displayed: ◆ VLAN – ID of configured VLAN. (Range: 1-4093) ◆ Interface – Port or trunk associated with the device assigned a static address. ◆ MAC Address – Physical address of a device mapped to this interface....
  • Page 235: Changing The Aging Time

    Figure 98: Displaying Static MAC Addresses. CHANGING THE AGING TIME Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
  • Page 236: Displaying The Dynamic Address Table

    Figure 99: Setting the Address Aging Time. DISPLAYING THE DYNAMIC ADDRESS TABLE Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 237: Clearing The Dynamic Address Table

    Figure 100: Displaying the Dynamic MAC Address Table. CLEARING THE DYNAMIC ADDRESS TABLE Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. CLI REFERENCES "clear mac-address-table dynamic"...
  • Page 238: Configuring MAC Address Mirroring

    Figure 101: Clearing Entries in the Dynamic MAC Address Table. CONFIGURING MAC ADDRESS MIRRORING Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis.
  • Page 239 ◆ Target Port – The port that will mirror the traffic from the source port. (Range: 1-12) INTERFACE To mirror packets based on a MAC address: Click MAC Address, Mirror. Select Add from the Action list. Specify the source MAC address and destination port.
  • Page 241: Spanning Tree Algorithm

    This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA,...
  • Page 242 lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 104: STP Root Ports and Designated Ports...
  • Page 243 Figure 105: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 244: Configuring Loopback Detection

    Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 245 ◆ Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds; Default: 60 seconds) If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.
  • Page 246: Configuring Global Settings For STA

    Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. CLI REFERENCES ◆...
  • Page 247 ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
  • Page 248 Advanced Configuration Settings: The following attributes are based on RSTP, but also apply to STP since the switch uses a backwards-compatible subset of RSTP to implement STP, and also apply to MSTP which is based on RSTP according to the standard: Path Cost Method –...
  • Page 249 RSTP does not depend on the forward delay timer in most cases. It is able to confirm that a port can transition to the forwarding state without having to rely on any timer configuration. To achieve fast convergence, RSTP relies on the use of edge ports, and automatic detection of point-to-point link types, both of which allow a port to directly transition to the forwarding state.
  • Page 250 Figure 108: Configuring Global Settings for STA (STP). Figure 109: Configuring Global Settings for STA (RSTP).
  • Page 251: Displaying Global Settings For STA

    Figure 110: Configuring Global Settings for STA (MSTP). DISPLAYING GLOBAL SETTINGS FOR STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 252: Configuring Interface Settings For STA

    ◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 253: Table 12: Recommended STA Path Cost Range

    PARAMETERS These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) ◆ BPDU Flooding - Enables/disables the flooding of BPDUs to other...
  • Page 254: Table 13: Default STA Path Costs

    Table 13: Default STA Path Costs. Port Type / Short Path Cost (IEEE 802.1D-1998) / Long Path Cost (802.1D-2004): Ethernet 65,535 / 1,000,000; Fast Ethernet 65,535 / 100,000; Gigabit Ethernet 10,000 / 10,000. ◆ Admin Link Type – The link type attached to this interface....
  • Page 255 An interface cannot function as an edge port under the following conditions: ■ If spanning tree mode is set to STP (page 246), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  • Page 256: Displaying Interface Settings For STA

    Figure 112: Configuring Interface Settings for STA. DISPLAYING INTERFACE SETTINGS FOR STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI REFERENCES "show spanning-tree"...
  • Page 257 The rules defining port status are: ■ A port on a network segment with no other STA compliant bridging device is always forwarding. ■ If two ports of a switch are connected to the same segment and...
  • Page 258 Figure 113: STA Port Roles. Legend: R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port. Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port....
  • Page 259: Configuring Multiple Spanning Trees

    Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI REFERENCES ◆ "Spanning Tree Commands" on page 1039...
  • Page 260 INTERFACE To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 261 To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
  • Page 262 To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 263: Configuring Interface Settings For MSTP

    Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI REFERENCES ◆ "Spanning Tree Commands" on page 1039...
  • Page 264 The recommended range is listed in Table 12 on page 253. The default path costs are listed in Table 13 on page 254. INTERFACE To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP.
  • Page 265: Congestion Control

    The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 266: Storm Control

    ◆ Rate – Sets the rate limit level. (Range: 64 - 1,000,000 kbits per second for Gigabit Ethernet ports) INTERFACE To configure rate limits: Click Traffic, Rate Limit. Set the interface type to Port or Trunk. Enable the Rate Limit Status for the required interface.
  • Page 267 ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using Storm...
  • Page 268: Automatic Traffic Control

    Click Apply. Figure 124: Configuring Storm Control. AUTOMATIC TRAFFIC CONTROL Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. CLI REFERENCES "Automatic Traffic Control Commands"...
  • Page 269 The key elements of this diagram are described below: ◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it. ◆ When traffic exceeds the alarm fire threshold and the apply timer...
  • Page 270: Setting The ATC Timers

    Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
  • Page 271: Configuring Atc Thresholds And Responses

    | Congestion Control HAPTER Automatic Traffic Control Figure 127: Configuring ATC Timers Use the Traffic > Auto Traffic Control (Configure Interface) page to set the ONFIGURING storm control mode (broadcast or multicast), the traffic thresholds, the HRESHOLDS AND control response, to automatically release a response of rate limiting, or to ESPONSES send related SNMP trap messages.
  • Page 272 | Congestion Control | Automatic Traffic Control: ◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 125 on page 268.
  • Page 273 | Congestion Control | Automatic Traffic Control: INTERFACE To configure the response timers for automatic storm control: Click Traffic, Auto Traffic Control. Select Configure Interface from the Step field. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
  • Page 275: Class Of Service

    CLASS OF SERVICE Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 276: Selecting The Queue Mode

    Class of Service | Layer 2 Queue Settings: frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. ◆ If the output port is an untagged member of the associated VLAN,...
  • Page 277 | Class of Service | Layer 2 Queue Settings: COMMAND USAGE ◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. ◆ WRR queuing specifies a relative weight for each queue. WRR uses a...
  • Page 278 | Class of Service | Layer 2 Queue Settings: INTERFACE To configure the queue mode: Click Traffic, Priority, Queue. Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
  • Page 279: Mapping CoS Values To Egress Queues

    Class of Service | Layer 2 Queue Settings: Figure 132: Setting the Queue Mode (Strict and WRR). Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are...
  • Page 280: Table 16: Mapping Internal Per-Hop Behavior To Hardware Queues

    Class of Service | Layer 2 Queue Settings: Table 15: CoS Priority Levels (Continued). Columns: Priority Level, Traffic Type. Traffic types listed: Controlled Load; Video, less than 100 milliseconds latency and jitter; Voice, less than 10 milliseconds latency and jitter; Network Control. CLI REFERENCES ◆...
  • Page 281: Layer 3/4 Priority Settings

    Class of Service | Layer 3/4 Priority Settings: Figure 133: Mapping CoS Values to Egress Queues. To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Select an interface. Figure 134: Showing CoS Values to Egress Queue Mapping. LAYER 3/4 P...
  • Page 282: Setting Priority Processing To DSCP Or CoS

    Class of Service | Layer 3/4 Priority Settings: The precedence for priority mapping is DSCP Priority and then Default Port Priority. The default settings used for mapping priority values from ingress traffic to internal DSCP values are used to determine the hardware queues used for egress traffic, not to replace the priority values.
  • Page 283: Mapping Ingress DSCP Values To Internal DSCP Values

    Class of Service | Layer 3/4 Priority Settings: INTERFACE To configure the trust mode: Click Traffic, Priority, Trust Mode. Set the trust mode. Click Apply. Figure 135: Setting the Trust Mode. Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for...
  • Page 284: Table 17: Default Mapping Of DSCP Values To Internal PHB/Drop Values

    Class of Service | Layer 3/4 Priority Settings: PARAMETERS These parameters are displayed: ◆ Port – Specifies a port. ◆ DSCP – DSCP value in ingress packets. (Range: 0-63) ◆ PHB – Per-hop behavior, or the priority used for this router hop...
  • Page 285: Mapping CoS Priorities To Internal DSCP Values

    Class of Service | Layer 3/4 Priority Settings: Figure 136: Configuring DSCP to DSCP Internal Mapping. To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list. Select a port. Figure 137: Showing DSCP to DSCP Internal Mapping. Use the Traffic >...
  • Page 286: Table 18: Default Mapping Of CoS/CFI To Internal PHB/Drop Precedence

    Class of Service | Layer 3/4 Priority Settings: ◆ If a packet arrives with an 802.1Q header but it is not an IP packet, then the CoS/CFI-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
  • Page 287 | Class of Service | Layer 3/4 Priority Settings: Set the PHB and drop precedence for any of the CoS/CFI combinations. Click Apply. Figure 138: Configuring CoS to DSCP Internal Mapping. To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP.
  • Page 289: Quality Of Service

    QUALITY OF SERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 290: Configuring A Class Map

    Quality of Service | Configuring a Class Map: COMMAND USAGE To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
  • Page 291 | Quality of Service | Configuring a Class Map: ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule ◆ Class Name – Name of the class map. ◆ Type – The criteria specified by the match command. (This field is set...
  • Page 292 | Quality of Service | Configuring a Class Map: To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 141: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 293 | Quality of Service | Configuring a Class Map: Figure 142: Adding Rules to a Class Map. To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 143: Showing the Rules for a Class Map...
  • Page 294: Creating QoS Policies

    Quality of Service | Creating QoS Policies: CREATING QOS POLICIES Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 290), modify service tagging, and enforce bandwidth policing.
  • Page 295 | Quality of Service | Creating QoS Policies: mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter.
  • Page 296 | Quality of Service | Creating QoS Policies: information rate (PIR), and their associated burst sizes – committed burst size (BC, or burst rate), and peak burst size (BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size.
  • Page 297 | Quality of Service | Creating QoS Policies: ◆ The trTCM can be used to mark an IP packet stream in a service, where different, decreasing levels of assurances (either absolute or relative) are given to packets which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.
  • Page 298 | Quality of Service | Creating QoS Policies: Table 17, "Default Mapping of DSCP Values to Internal PHB/Drop Values," on page 284). ■ Set IP DSCP – Configures the service provided to ingress traffic by setting an IP DSCP value for a matching packet (as specified in rule settings for a class map).
  • Page 299 | Quality of Service | Creating QoS Policies: packet, the switch will also mark the two color bits used to set the drop precedence of a packet for Random Early Detection. The color modes include “Color-Blind” which assumes that the packet stream is uncolored, and “Color-Aware”...
  • Page 300 | Quality of Service | Creating QoS Policies: peak information rate. In addition to the actions defined by this command to transmit, remark the DSCP service value, or drop a packet, the switch will also mark the two color bits used to set the drop precedence of a packet for Random Early Detection.
  • Page 301 | Quality of Service | Creating QoS Policies: ◆ Priority – The priority assigned to the designated traffic flow. (Range: 0-1000; Default: None) Configure Bundle ◆ Policy Name – Name of policy map. (Range: 1-32 characters) ◆ Index – Index for group of class maps. (Range: 1-3)...
  • Page 302 | Quality of Service | Creating QoS Policies: To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 145: Showing Policy Maps. To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 303 | Quality of Service | Creating QoS Policies: Figure 146: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 147: Showing the Rules for a Policy Map...
  • Page 304 | Quality of Service | Creating QoS Policies: To configure a bundle rate for a group of traffic flows: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Configure Bundle from the Action list. Specify the index, bundle rate, and class maps. Click Apply.
  • Page 305: Attaching A Policy Map To A Port

    Quality of Service | Attaching a Policy Map to a Port: ATTACHING A POLICY MAP TO A PORT Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port. CLI REFERENCES ◆ "Quality of Service Commands" on page 1157...
  • Page 306 | Quality of Service | Attaching a Policy Map to a Port: Figure 150: Attaching a Policy Map to a Port
  • Page 307: VoIP Traffic Configuration

    VOIP TRAFFIC CONFIGURATION This chapter covers the following topics: ◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VOIP...
  • Page 308 | VoIP Traffic Configuration | Configuring VoIP Traffic: CLI REFERENCES ◆ "Configuring Voice VLANs" on page 1135 COMMAND USAGE All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...
  • Page 309: Configuring Telephony OUI

    VoIP Traffic Configuration | Configuring Telephony OUI: Figure 151: Configuring a Voice VLAN. CONFIGURING TELEPHONY OUI VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses.
  • Page 310: Configuring VoIP Traffic Ports

    VoIP Traffic Configuration | Configuring VoIP Traffic Ports: Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices. Click Apply. Figure 152: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP.
  • Page 311 | VoIP Traffic Configuration | Configuring VoIP Traffic Ports: COMMAND USAGE All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...
  • Page 312 | VoIP Traffic Configuration | Configuring VoIP Traffic Ports: time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and the voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from voice VLAN when VoIP traffic is no longer received on the port.
  • Page 313: Security Measures

    SECURITY MEASURES You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 314: AAA Authentication, Authorization And Accounting

    Security Measures | AAA Authentication, Authorization and Accounting: ◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 315: Configuring Local/Remote Logon Authentication

    Security Measures | AAA Authentication, Authorization and Accounting: To configure AAA on the switch, you need to follow this general process: Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 315. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
  • Page 316: Configuring Remote Logon Authentication Servers

    Security Measures | AAA Authentication, Authorization and Accounting: PARAMETERS These parameters are displayed: ◆ Authentication Sequence – Select the authentication, or authentication sequence required: ■ Local – User authentication is performed only locally by the switch. ■ RADIUS – User authentication is performed using a RADIUS server...
  • Page 317 | Security Measures | AAA Authentication, Authorization and Accounting: Figure 156: Authentication Server Operation (figure labels: console, Telnet, RADIUS/TACACS+). 1. Client attempts management access. 2. Switch contacts authentication server. 3. Authentication server challenges client. 4. Client responds with proper password or key. 5....
  • Page 318 | Security Measures | AAA Authentication, Authorization and Accounting: sequence of servers. The process ends when a server either approves or denies access to a user. ■ Server IP Address – Address of authentication server. (A Server Index entry must be selected to display this item.) ■ Accounting Server UDP Port –...
  • Page 319 | Security Measures | AAA Authentication, Authorization and Accounting: ■ Set Key – Mark this box to set or modify the encryption key. ■ Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) ■ Confirm Authentication Key –...
  • Page 320 | Security Measures | AAA Authentication, Authorization and Accounting: Figure 157: Configuring Remote Authentication Server (RADIUS). Figure 158: Configuring Remote Authentication Server (TACACS+). To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list.
  • Page 321: Configuring AAA Accounting

    Security Measures | AAA Authentication, Authorization and Accounting: Figure 159: Configuring AAA Server Groups. To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 160: Showing AAA Server Groups. Use the Security >...
  • Page 322 | Security Measures | AAA Authentication, Authorization and Accounting: PARAMETERS These parameters are displayed: Configure Global ◆ Periodic Update - Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server. (Range: 1-2147483647 minutes; where 0 means disabled) Configure Method Accounting Type –...
  • Page 323 | Security Measures | AAA Authentication, Authorization and Accounting: Show Information – Summary ◆ Accounting Type - Displays the accounting service. ◆ Method Name - Displays the user-defined or default accounting method. ◆ Server Group Name - Displays the accounting server group...
  • Page 324 | Security Measures | AAA Authentication, Authorization and Accounting: To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list. Select the accounting type (802.1X, Exec).
  • Page 325 | Security Measures | AAA Authentication, Authorization and Accounting: To configure the accounting method applied to specific interfaces, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list. Select the accounting type (802.1X, Exec). Enter the required accounting method.
  • Page 326: Configuring AAA Authorization

    Security Measures | AAA Authentication, Authorization and Accounting: To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary. Figure 166: Displaying a Summary of Applied AAA Accounting Methods. To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting.
  • Page 327 | Security Measures | AAA Authentication, Authorization and Accounting: ◆ AAA authentication through a RADIUS or TACACS+ server must be enabled before authorization is enabled. PARAMETERS These parameters are displayed: Configure Method ◆ Authorization Type – Specifies the service as Exec, indicating administrative authorization for local console, Telnet, or SSH connections.
  • Page 328 | Security Measures | AAA Authentication, Authorization and Accounting: INTERFACE To configure the authorization method applied to the Exec service type and the assigned server group: Click Security, AAA, Authorization. Select Configure Method from the Step list. Specify the name of the authorization method and server group name. Click Apply.
  • Page 329: Configuring User Accounts

    Security Measures | Configuring User Accounts: Enter the required authorization method. Click Apply. Figure 170: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization. Select Show Information from the Step list.
  • Page 330 | Security Measures | Configuring User Accounts: PARAMETERS These parameters are displayed: ◆ User Name – The name of the user. (Maximum length: 32 characters; maximum number of users: 16) ◆ Access Level – Specifies the user level. (Options: 0 - Normal, 15 - Privileged) Normal privilege level provides access to a limited number of the commands which display the current status of the switch, as well as...
  • Page 331: Web Authentication

    Security Measures | Web Authentication: Figure 172: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 173: Showing User Accounts. WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
  • Page 332: Configuring Global Settings For Web Authentication

    Security Measures | Web Authentication: RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See "Configuring Local/Remote Logon Authentication" on page 315.) Web authentication cannot be configured on trunk ports. Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
  • Page 333: Configuring Interface Settings For Web Authentication

    Security Measures | Web Authentication: Figure 174: Configuring Global Settings for Web Authentication. Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI REFERENCES...
  • Page 334: Network Access (Mac Address Authentication)

    Security Measures | Network Access (MAC Address Authentication): Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate. Figure 175: Configuring Interface Settings for Web Authentication. NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 335: Table 19: Dynamic QoS Profiles

    Security Measures | Network Access (MAC Address Authentication): The user name and password are both equal to the MAC address being authenticated. On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
  • Page 336 | Security Measures | Network Access (MAC Address Authentication): For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps. ◆ If duplicate profiles are passed in the Filter-ID attribute, then only the...
  • Page 337: Configuring Global Settings For Network Access

    Security Measures | Network Access (MAC Address Authentication): MAC address authentication is configured on a per-port basis, however there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
  • Page 338: Configuring Network Access For Ports

    Security Measures | Network Access (MAC Address Authentication): Figure 176: Configuring Global Settings for Network Access. Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic...
  • Page 339 | Security Measures | Network Access (MAC Address Authentication): ◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch.
  • Page 340: Configuring Port Link Detection

    Security Measures | Network Access (MAC Address Authentication): Figure 177: Configuring Interface Settings for Network Access. Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
  • Page 341: Configuring A MAC Address Filter

    Security Measures | Network Access (MAC Address Authentication): INTERFACE To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
  • Page 342 | Security Measures | Network Access (MAC Address Authentication): ◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 343: Displaying Secure MAC Address Information

    Security Measures | Network Access (MAC Address Authentication): Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
  • Page 344: Configuring HTTPS

    Security Measures | Configuring HTTPS: Figure 181: Showing Addresses Authenticated for Network Access. CONFIGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 345: Table 20: HTTPS System Support

    Security Measures | Configuring HTTPS: ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions. ◆ The following web browsers and operating systems currently support...
  • Page 346: Replacing The Default Secure-Site Certificate

    Security Measures | Configuring HTTPS: Figure 182: Configuring HTTPS. Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 347 | Security Measures | Configuring HTTPS: ◆ Private Key Source File Name – Name of private key file stored on the TFTP server. ◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 348: Configuring The Secure Shell

    Security Measures | Configuring the Secure Shell: CONFIGURING THE SECURE SHELL The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 349 | Security Measures | Configuring the Secure Shell: 79355942303577413098022737087794545240839717526463580581767167 09574804776117 Import Client’s Public Key to the Switch – See "Importing User Public Keys" on page 353, or use the copy tftp public-key command (page 705) to copy a file containing the public key for all the SSH clients granted management access to the switch.
  • Page 350: Configuring The SSH Server

    Security Measures | Configuring the Secure Shell: If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 351 | Security Measures | Configuring the Secure Shell: ◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. ◆ Authentication Timeout – Specifies the time interval in seconds that...
  • Page 352: Generating The Host Key Pair

    Security Measures | Configuring the Secure Shell: Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public...
  • Page 353: Importing User Public Keys

    Security Measures | Configuring the Secure Shell: Figure 185: Generating the SSH Host Key Pair. To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
  • Page 354 | Security Measures | Configuring the Secure Shell: PARAMETERS These parameters are displayed: ◆ User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
  • Page 355: Access Control Lists

    Security Measures | Access Control Lists: To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
  • Page 356 | Security Measures | Access Control Lists: COMMAND USAGE The following restrictions apply to ACLs: ◆ The maximum number of ACLs is 128. ◆ The maximum number of rules per system is 512 rules. ◆ An ACL can have up to 64 rules. However, due to resource restrictions,...
  • Page 357: Setting A Time Range

    Security Measures | Access Control Lists: denied (because the decision to deny a packet has a higher priority for security reasons). A packet will also be denied if the IP ACL denies it and the MAC ACL accepts it. Use the Security >...
  • Page 358 | Security Measures | Access Control Lists: INTERFACE To configure a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Add from the Action list. Enter the name of a time range. Click Apply. Figure 189: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL.
  • Page 359 | Security Measures | Access Control Lists: Fill in the required parameters for the selected mode. Click Apply. Figure 191: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list.
  • Page 360: Showing TCAM Utilization

    Security Measures | Access Control Lists: Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
  • Page 361: Setting The ACL Name And Type

    Security Measures | Access Control Lists: Figure 193: Showing TCAM Utilization. Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI REFERENCES ◆ "access-list ip" on page 926...
  • Page 362 | Security Measures | Access Control Lists: INTERFACE To configure the name and type of an ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add from the Action list. Fill in the ACL Name field, and select the ACL type. Click Apply.
  • Page 363: Configuring A Standard IPv4 ACL

    Configuring a Standard IPv4 ACL: Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. CLI References: ◆ "permit, deny (Standard IP ACL)" on page 927 ...
  • Page 364: Configuring An Extended IPv4 ACL

    Click Apply. Figure 196: Configuring a Standard IPv4 ACL. Configuring an Extended IPv4 ACL: Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI References...
  • Page 365 ◆ Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535) ◆ Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) ◆ Protocol – Specifies the protocol type to match as TCP, UDP or Others, ...
  • Page 366: Configuring A Standard IPv6 ACL

    Select IP Extended from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 367 ◆ Action – An ACL can contain any combination of rules which permit or deny a packet. ◆ Source Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-Prefix”...
  • Page 368: Configuring An Extended IPv6 ACL

    Figure 198: Configuring a Standard IPv6 ACL. Configuring an Extended IPv6 ACL: Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI References: "permit, deny (Extended IPv6 ACL)"...
  • Page 369 ◆ Source/Destination Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128 bits for the source prefix;...
  • Page 370: Configuring A MAC ACL

    Figure 199: Configuring an Extended IPv6 ACL. Configuring a MAC ACL: Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
  • Page 371 ◆ Packet Format – This attribute includes the following packet types: ■ Any – Any Ethernet packet type. ■ Untagged-eth2 – Untagged Ethernet II packets. ■ Untagged-802.3 – Untagged Ethernet 802.3 packets. ■ Tagged-eth2 – Tagged Ethernet II packets. ...
  • Page 372: Configuring An ARP ACL

    Figure 200: Configuring a MAC ACL. Configuring an ARP ACL: Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP...
  • Page 373 ◆ Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 363.) ◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host”...
  • Page 374: Binding A Port To An Access Control List

    Figure 201: Configuring an ARP ACL. Binding a Port to an Access Control List: After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs.
  • Page 375: Configuring ACL Mirroring

    Web Interface: To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select Configure from the Action list. Select IP, MAC or IPv6 from the Type list. Select a port.
  • Page 376 Add one or more mirrored ports to ACL as described under "Binding a Port to an Access Control List" on page 374. Use the Add Mirror page to specify the ACL and the destination port to which matching traffic will be mirrored.
  • Page 377: Showing ACL Hardware Counters

    Figure 204: Showing the VLANs to Mirror. Showing ACL Hardware Counters: Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters. CLI References: "show access-list"...
  • Page 378: ARP Inspection

    Chapter | Security Measures | ARP Inspection. Select a port. Select ingress or egress traffic. Figure 205: Showing ACL Statistics. ARP Inspection: ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle”...
  • Page 379: Configuring Global Settings For ARP Inspection

    ■ If ARP Inspection is disabled globally, then it becomes inactive for all VLANs, including those where inspection is enabled. ■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
  • Page 380 ARP Inspection Logging ◆ By default, logging is active for ARP Inspection, and cannot be disabled. ◆ The administrator can configure the log facility rate. ◆ When the switch drops a packet, it places an entry in the log buffer, ...
  • Page 381: Configuring VLAN Settings For ARP Inspection

    Web Interface: To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply.
  • Page 382 packets not matching any rules are dropped, and the DHCP snooping bindings database check is bypassed. ◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity.
  • Page 383: Configuring Interface Settings For ARP Inspection

    Configuring Interface Settings for ARP Inspection: Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. CLI References: ◆ "ARP Inspection" on page 904 ...
  • Page 384: Displaying ARP Inspection Statistics

    Figure 208: Configuring Interface Settings for ARP Inspection. Displaying ARP Inspection Statistics: Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
  • Page 385: Displaying The ARP Inspection Log

    Web Interface: To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Statistics from the Action list. Figure 209: Displaying Statistics for ARP Inspection. Displaying the ARP Inspection Log: Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated ...
  • Page 386: Filtering IP Addresses For Management Access

    Chapter | Security Measures | Filtering IP Addresses for Management Access. Web Interface: To display the ARP Inspection log: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Log from the Action list. Figure 210: Displaying the ARP Inspection Log. Filtering IP Addresses for...
  • Page 387 ◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Parameters: These parameters are displayed: ◆ Mode Web –...
  • Page 388: Configuring Port Security

    Chapter | Security Measures | Configuring Port Security. To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 212: Showing IP Addresses Authorized for Management Access. Configuring Port Security: Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
  • Page 389 ◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table. ◆ If port security is enabled, and the maximum number of allowed ...
  • Page 390: Configuring 802.1X Port Authentication

    Chapter | Security Measures | Configuring 802.1X Port Authentication. The maximum address count is effective when port security is enabled or disabled. ◆ Current MAC Count – The number of MAC addresses currently associated with this interface. ◆ MAC Filter – Shows if MAC address filtering has been set under ...
  • Page 391 that authorized users can use the same credentials for authentication from any point within the network. This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights.
  • Page 392: Configuring 802.1X Global Settings

    ◆ Each client that needs to be authenticated must have dot1X client software installed and properly configured. ◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) ◆ The RADIUS server and client also have to support the same EAP ...
  • Page 393: Configuring Port Authenticator Settings For 802.1X

    ◆ Identity Profile Password – The dot1x supplicant password used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator. (Range: 1-8 characters) ◆ Confirm Profile Password – This field is used to confirm the dot1x ...
  • Page 394 Command Usage: ◆ When the switch functions as a local authenticator between supplicant devices attached to the switch and the authentication server, configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page.
  • Page 395 In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
  • Page 396 ◆ Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds) ◆ Re-authentication Max Retries – The maximum number of times the ...
  • Page 397: Configuring Port Supplicant Settings For 802.1X

    Web Interface: To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Authenticator. Modify the authentication settings for each port as required. Click Apply. Figure 216: Configuring Interface Settings for 802.1X Port Authenticator. Use the Security >...
  • Page 398 Command Usage: ◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 392) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate...
  • Page 399: Displaying 802.1X Statistics

    Web Interface: To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply. Figure 217: Configuring Interface Settings for 802.1X Port Supplicant. Use the Security >...
  • Page 400 Table 23: 802.1X Statistics (Continued). Parameter / Description: Rx EAPOL Total – The number of valid EAPOL frames of any type that have been received by this Authenticator. Rx Last EAPOLVer – The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
  • Page 401 Web Interface: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 218: Showing Statistics for 802.1X Port Authenticator
  • Page 402: IP Source Guard

    Chapter | Security Measures | IP Source Guard. To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 219: Showing Statistics for 802.1X Port Supplicant. IP Source Guard: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 403 Command Usage: ◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 404: Configuring Static Bindings For IP Source Guard

    ◆ Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see "DHCP Snooping"...
  • Page 405 ■ If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. ■ If there is an entry with the same VLAN ID and MAC address, and ...
  • Page 406 Web Interface: To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Add from the Action list. Enter the required bindings for each port. Click Apply. Figure 221: Configuring Static Bindings for IP Source Guard. To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Binding.
  • Page 407: Displaying Information For Dynamic IP Source Guard Bindings

    Displaying Information for Dynamic IP Source Guard Bindings: Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI References: "show ip dhcp snooping binding"...
  • Page 408: DHCP Snooping

    Chapter | Security Measures | DHCP Snooping. Figure 223: Showing the IP Source Guard Binding Table. DHCP Snooping: The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).
  • Page 409 ◆ Filtering rules are implemented as follows: ■ If the global DHCP snooping is disabled, all DHCP packets are forwarded. ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port.
  • Page 410: DHCP Snooping Configuration

    information when assigning IP addresses, or to set other services or policies for clients. It is also an effective tool in preventing malicious network attacks from attached clients on DHCP services, such as IP Spoofing, Client Identifier Spoofing, MAC Address Spoofing, and Address Exhaustion.
  • Page 411 header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled) ◆ DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay. (Default: Disabled) ◆ DHCP Snooping Information Option Sub-option Format –...
  • Page 412: Dhcp Snooping Vlan Configuration

    | Security Measures HAPTER DHCP Snooping Figure 224: Configuring Global Settings for DHCP Snooping Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or DHCP disable DHCP snooping on specific VLANs. VLAN NOOPING ONFIGURATION CLI R EFERENCES "ip dhcp snooping vlan"...
  • Page 413: Configuring Ports For DHCP Snooping

    Web Interface: To configure global settings for DHCP Snooping: Click IP Service, DHCP Snooping. Select Configure VLAN from the Step list. Enable DHCP Snooping on any existing VLAN. Click Apply. Figure 225: Configuring DHCP Snooping on a VLAN. Use the IP Service >...
  • Page 414: Displaying DHCP Snooping Binding Information

    ◆ Circuit ID – Specifies DHCP Option 82 circuit ID suboption information. ■ Mode – Specifies the default string “VLAN-Unit-Port” or an arbitrary string. (Default: VLAN-Unit-Port) ■ Value – An arbitrary string inserted into the circuit identifier field. ...
  • Page 415 ◆ Type – Entry types include: ■ DHCP-Snooping – Dynamically snooped. ■ Static-DHCPSNP – Statically configured. ◆ VLAN – VLAN to which this entry is bound. ◆ Interface – Port or trunk to which this entry is bound. ...
  • Page 417: Basic Administration Protocols

    Basic Administration Protocols: This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 418: Table 24: Logging Levels

    Chapter | Basic Administration Protocols | Configuring Event Logging. Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.
  • Page 419 All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source). Web Interface: To configure the logging of error messages to system memory: Click Administration, Log, System.
  • Page 420: Remote Log Configuration

    Figure 229: Showing Error Messages Logged to System Memory. Remote Log Configuration: Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
  • Page 421: Sending Simple Mail Transfer Protocol Alerts

    Web Interface: To configure the logging of error messages to remote servers: Click Administration, Log, Remote. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. Click Apply.
  • Page 422 ◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients. ◆ Server IP Address – Specifies a list of up to three recipient SMTP ...
  • Page 423: Link Layer Discovery Protocol

    Chapter | Basic Administration Protocols | Link Layer Discovery Protocol. Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 424 The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
  • Page 425: Configuring LLDP Interface Attributes

    Figure 232: Configuring LLDP Timing Attributes. Configuring LLDP Interface Attributes: Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 426 ◆ MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Disabled) ◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. Management Address –...
  • Page 427 ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 199). (Default: Enabled) ■ VLAN Name – The name of all VLANs to which this interface has ...
  • Page 428 ■ Country – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US) ■ Device entry refers to – The type of device to which the location ...
  • Page 429: Configuring LLDP Interface Civic-Address

    Configuring LLDP Interface Civic-Address: Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface. CLI References: "lldp med-location civic-addr"...
  • Page 430 Select Add CA-Type from the Action list. Select an interface from the Port or Trunk list. Specify a CA-Type and CA-Value pair. Click Apply. Figure 234: Configuring the Civic Address for an LLDP Interface. To show the physical location of the attached device: Click Administration, LLDP.
  • Page 431: Displaying LLDP Local Device Information

    Displaying LLDP Local Device Information: Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information. CLI References...
  • Page 432: Table 28: Port ID Subtype

    Table 27: System Capabilities (Continued). ID Basis | Reference: WLAN Access Point | IEEE 802.11 MIB; Router | IETF RFC 1812; Telephone | IETF RFC 2011; DOCSIS cable device | IETF RFC 2669 and IETF RFC 2670; End Station Only | IETF RFC 2011. ◆ ...
  • Page 433 Table 28: Port ID Subtype (Continued). ID Basis | Reference: Agent circuit ID | agent circuit ID (IETF RFC 3046); Locally assigned | locally assigned. ◆ Port/Trunk ID – A string that contains the specific identifier for the ...
  • Page 434: Displaying LLDP Remote Device Information

    Figure 237: Displaying Local Device Information for LLDP (Port). Figure 238: Displaying Local Device Information for LLDP (Port Details). Displaying LLDP Remote Device Information: Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports ...
  • Page 435 ◆ System Name – A string that indicates the system’s administratively assigned name. Port Details ◆ Port – Port identifier on local switch. ◆ Remote Index – Index of remote device attached to this port. ...
  • Page 436: Table 29: Remote Port Auto-Negotiation Advertised Capability

    ◆ Remote Port-Protocol VLAN List – The port-based protocol VLANs configured on this interface, whether the given port (associated with the remote system) supports port-based protocol VLANs, and whether the port-based protocol VLANs are enabled on the given port associated with the remote system.
  • Page 437 integer value derived from the list position of the corresponding dot3MauType as listed in IETF RFC 3636 and is equal to the last number in the respective dot3MauType OID. Port Details – 802.3 Extension Power Information: Remote Power Class –...
  • Page 438 ■ Class 2 – Endpoint devices that support media stream capabilities. ■ Class 3 – Endpoint devices that directly support end users of the IP communication systems. ■ Network Connectivity Device – Devices that provide access to the ...
  • Page 439 ◆ Unknown Policy Flag – Indicates that an endpoint device wants to explicitly advertise that this policy is required by the device, but is currently unknown. ◆ VLAN ID – The VLAN identifier (VID) for the port as defined in IEEE ...
  • Page 440 ◆ Power Value – The total power in watts required by a PD device from a PSE device, or the total power a PSE device is capable of sourcing over a maximum length cable based on its current configuration. This parameter supports a maximum power required or available value of 102.3 Watts to allow for future expansion.
  • Page 441 Figure 239: Displaying Remote Device Information for LLDP (Port)
  • Page 442 Figure 240: Displaying Remote Device Information for LLDP (Port Details)
  • Page 443: Displaying Device Statistics

    Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 241: Displaying Remote Device Information for LLDP (End Node). Displaying Device Statistics: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP ...
  • Page 444 ◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired. Port/Trunk Frames Discarded –...
  • Page 445: Simple Network Management Protocol

    Chapter | Basic Administration Protocols | Simple Network Management Protocol. Figure 243: Displaying LLDP Device Statistics (Port). Simple Network Management Protocol: Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
  • Page 446: Table 30: SNMPv3 Security Models And Levels

    group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
  • Page 447: Configuring Global Settings For SNMP

    Configuring SNMPv3 Management Access: Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
  • Page 448: Setting The Local Engine ID

    Enable SNMP and the required trap types. Click Apply. Figure 244: Configuring Global Settings for SNMP. Setting the Local Engine ID: Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID.
  • Page 449: Specifying A Remote Engine ID

    Select Set Engine ID from the Action list. Enter an ID of at least 9 hexadecimal characters. Click Apply. Figure 245: Configuring the Local Engine ID for SNMP. Specifying a Remote Engine ID: Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station.
  • Page 450: Setting SNMPv3 Views

    Web Interface: To configure a remote SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Add Remote Engine from the Action list. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
  • Page 451 Parameters: These parameters are displayed: Add View ◆ View Name – The name of the SNMP view. (Range: 1-32 characters) ◆ OID Subtree – Specifies the initial object identifier of a branch within ...
  • Page 452 To show the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list. Figure 249: Showing SNMP Views. To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP.
  • Page 453: Configuring SNMPv3 Groups

    To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list. Select a view name from the list of existing views.
  • Page 454: Table 31: Supported Notification Messages

    ◆ Read View – The configured view for read access. (Range: 1-32 characters) ◆ Write View – The configured view for write access. (Range: 1-32 characters) ◆ Notify View – The configured view for notifications. ...
  • Page 455 Table 31: Supported Notification Messages (Continued) Model Level Group Private Traps † swPowerStatusChangeTrap 1.3.6.1.4.1.259.10.1.11.2.1.0.1 This trap is sent when the power state changes. swPortSecurityTrap 1.3.6.1.4.1.259.10.1.11.2.1.0.36 This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.
  • Page 456 Table 31: Supported Notification Messages (Continued) Model Level Group swCpuUtiFallingNotification 1.3.6.1.4.1.259.10.1.11.2.1.0.108 This notification indicates that the CPU utilization has fallen from cpuUtiRisingThreshold to cpuUtiFallingThreshold. swMemoryUtiRisingThresholdNotification 1.3.6.1.4.1.259.10.1.11.2.1.0.109 This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to...
  • Page 457 Interface: To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 458: Setting Community Access Strings

    Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 459: Configuring Local SNMPv3 Users

    To show the community access strings: Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list. Figure 255: Showing Community Access Strings. Configuring Local SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify...
  • Page 460 ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters...
  • Page 461: Configuring Remote SNMPv3 Users

    To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list. Figure 257: Showing Local SNMPv3 Users. Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from...
  • Page 462 ◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model: ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 463 Figure 258: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 259: Showing Remote SNMPv3 Users –...
  • Page 464: Specifying Trap Managers

    Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 465 Parameters: These parameters are displayed: SNMP Version 1: ◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification message (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 466 SNMP Version 3: ◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification message (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 467 Interface: To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 260: Configuring Trap Managers (SNMPv1). Figure 261: Configuring Trap Managers (SNMPv2c).
  • Page 468: Creating SNMP Notification Logs

    Figure 262: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 263: Showing Trap Managers. Use the Administration >...
  • Page 469 Command Usage: ◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether there are Traps or Informs that may be exceeding retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
  • Page 470: Showing SNMP Statistics

    Fill in the IP address of a configured trap manager and the filter profile name. Click Apply. Figure 264: Creating SNMP Notification Logs. To show configured SNMP notification logs: Click Administration, SNMP. Select Configure Notify Filter from the Step list.
  • Page 471 ◆ Unknown community name – The total number of SNMP messages delivered to the SNMP entity which used a SNMP community name not known to said entity. ◆ Illegal operation for community name supplied – The total...
  • Page 472: Remote Monitoring

    ◆ Response PDUs – The total number of SNMP Get-Response PDUs which have been accepted and processed by, or generated by, the SNMP protocol entity. ◆ Trap PDUs – The total number of SNMP Trap PDUs which have been...
  • Page 473: Configuring RMON Alarms

    periodically communicates with the switch using the SNMP protocol. However, if the switch encounters a critical event, it can automatically send a trap message to the management agent which can then respond to the event if so configured.
  • Page 474 ◆ Rising Event Index – The index of the event to use if an alarm is triggered by monitored variables reaching or crossing above the rising threshold. If there is no corresponding entry in the event control table, then no event will be generated.
  • Page 475 Figure 267: Configuring an RMON Alarm. To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 268: Showing Configured RMON Alarms –...
  • Page 476: Configuring RMON Events

    Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
  • Page 477 Interface: To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
  • Page 478: Configuring RMON History Samples

    Figure 270: Showing Configured RMON Events. Configuring RMON History Samples: Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
  • Page 479 Parameters: These parameters are displayed: ◆ Port – The port number on the switch. ◆ Index – Index to this entry. (Range: 1-65535) ◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800...
  • Page 480 To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History. Figure 272: Showing Configured RMON History Samples. To show collected RMON history samples: Click Administration, RMON.
  • Page 481: Configuring RMON Statistical Samples

    Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates. CLI References: "Remote Monitoring Commands"...
  • Page 482 Figure 274: Configuring an RMON Statistical Sample. To show configured RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click Statistics.
  • Page 483: Switch Clustering

    Figure 276: Showing Collected RMON Statistical Samples. Switch Clustering: Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 484: Configuring General Settings for Clusters

    ◆ A switch can only be a member of one cluster. ◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN: Create VLAN 4093 (see "Configuring VLAN Groups"...
  • Page 485: Cluster Member Configuration

    Interface: To configure a switch cluster: Click Administration, Cluster. Select Configure Global from the Step list. Set the required attributes for a Commander or a managed candidate. Click Apply. Figure 277: Configuring a Switch Cluster. Use the Administration >...
  • Page 486 Interface: To configure cluster members: Click Administration, Cluster. Select Configure Member from the Step list. Select Add from the Action list. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
  • Page 487: Managing Cluster Members

    Figure 280: Showing Cluster Candidates. Managing Cluster Members: Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. CLI References: ◆ "Switch Clustering" on page 758. Parameters: These parameters are displayed: Member ID –...
  • Page 488: Ethernet Ring Protection Switching

    Interface: To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate. Figure 281: Managing a Cluster Member. Ethernet Ring Protection Switching...
  • Page 489 blocking traffic over the RPL. When a ring failure occurs, the RPL owner is responsible for unblocking the RPL, allowing this link to be used for traffic. Ring nodes may be in one of two states: Idle –...
  • Page 490 Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology. This arrangement consists of conjoined rings connected by one or more interconnection points, and is based on the following criteria: ◆ The R-APS channels are not shared across Ethernet Ring...
  • Page 491 Figure 283: Ring Interconnection Architecture (Multi-ring/Ladder Network). Panels: Normal Condition; Signal Fail Condition.
  • Page 492: ERPS Global Configuration

    Enable ERPS (Configure Global): Before enabling a ring as described in the next step, first globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled, no ERPS rings will work. Enable an ERPS ring (Configure Domain –...
  • Page 493: ERPS Ring Configuration

    Interface: To globally enable ERPS on the switch: Click Administration, ERPS. Select Configure Global from the Step list. Mark the ERPS Status check box. Click Apply. Figure 284: Setting ERPS Global Status. Use the Administration >...
  • Page 494 Show: ◆ Domain Name – Name of a configured ERPS ring. ◆ ID – ERPS ring identifier used in R-APS messages. ◆ Admin Status – Shows whether ERPS is enabled on the switch. ...
  • Page 495 ◆ Local FS – Shows if a forced switch command was issued on this interface. ◆ Local MS – Shows if a manual switch command was issued on this interface. ◆ MEP – The CFM MEP used to monitor the status on this link. ...
  • Page 496 Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently. If set to version 1, MS and FS operator commands are filtered, and the switch set to revertive mode.
  • Page 497 ■ RPL Owner – Specifies a ring node to be the RPL owner. ■ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the Forced Switch or Manual Switch commands on the Configure Operation page).
  • Page 498 A ring node that has one ring port in an SF condition and detects the SF condition cleared, continuously transmits the R-APS (NR – no request) message with its own Node ID as the priority information over both ring ports, informing that no request is present at this ring node and initiates a guard timer.
  • Page 499 (NR, RB) message without a DNF indication, all ring nodes flush the FDB. ■ Recovery for Forced Switching – A Forced Switch command is removed by issuing the Clear command (Configure Operation page) to the same ring node where Forced Switch mode is in effect.
  • Page 500 informing the ring that the RPL is blocked, and flushes its FDB. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB.
  • Page 501 Nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command. ■ Recovery with non-revertive mode is handled as follows: The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request does not perform any action.
  • Page 502 ◆ R-APS with VC – Configures an R-APS virtual channel to connect two interconnection points on a sub-ring, allowing ERPS protocol traffic to be tunneled across an arbitrary Ethernet network. (Default: Enabled) ■ A sub-ring may be attached to a primary ring with or without a...
  • Page 503 ring link in the sub-ring will cause the R-APS channel of the sub-ring to be segmented, thus preventing R-APS message exchange between some of the sub-ring’s ring nodes. No R-APS messages are inserted or extracted by other rings or sub-rings at the interconnection nodes where a sub-ring is attached.
  • Page 504 ◆ Non-ERPS Device Protection – Sends non-standard health-check packets when an owner node enters protection state without any link down event having been detected through Signal Fault messages. (Default: Disabled) ■ The RPL owner node detects a failed link when it receives R-APS...
  • Page 505 When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero. Instead, the hold-off timer will be started.
  • Page 506 ◆ WTB Expire – The time before the wait-to-block timer expires. ◆ WTR Expire – The time before the wait-to-restore timer expires. ◆ West/East – Connects to next ring node to the west/east. ...
  • Page 507 ◆ RPL – If node is connected to the RPL, this shows by which interface. Interface: To create an ERPS ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Add from the Action list.
  • Page 508 Figure 288: Creating an ERPS Ring (Primary Ring). To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list. Figure 289: Showing Configured ERPS Rings –...
  • Page 509: ERPS Forced and Manual Mode Operations

    Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands. CLI References: ◆ "erps forced-switch" on page 1089...
  • Page 510: Table 32: ERPS Request/State Priority

    nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
  • Page 511 under maintenance in order to avoid falling into the above mentioned unrecoverable situation. ■ Manual Switch – Blocks specified ring port, in the absence of a failure or an FS command. (Options: West or East) ■ A ring with no request has a logical topology with the traffic...
  • Page 512 A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
  • Page 513: Connectivity Fault Management

    Figure 290: Blocking an ERPS Ring Port. Connectivity Fault Management: Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
  • Page 514 ◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
  • Page 515 Figure 292: Multiple CFM Maintenance Domains (labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA). Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
  • Page 516: Configuring Global Settings for CFM

    SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent.
  • Page 517 CLI References: ◆ "CFM Commands" on page 1297. Parameters: These parameters are displayed: Global Configuration: ◆ CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
  • Page 518 ◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
  • Page 519 ◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list. Interface: To configure global settings for CFM: Click Administration, CFM.
  • Page 520: Configuring Interfaces for CFM

    CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings. CLI References: "ethernet cfm port-enable"...
  • Page 521 CLI References: ◆ "CFM Commands" on page 1297. Command Usage: Configuring General Settings: ◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
  • Page 522: Table 33: Remote MEP Priority Levels

    The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List. Configuring Fault Notification: ◆ A fault alarm can generate an SNMP notification. It is issued when the...
  • Page 523 Parameters: These parameters are displayed: Creating a Maintenance Domain: ◆ MD Index – Domain index. (Range: 1-65535) ◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters) ◆ MD Level – Authorized maintenance level for this domain. ...
  • Page 524 Interface: To create a maintenance domain: Click Administration, CFM. Select Configure MD from the Step list. Select Add from the Action list. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). Specify the manner in which MIPs can be created within each domain.
  • Page 525: Configuring CFM Maintenance Associations

    To configure detailed settings for maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters. Click Apply. Figure 297: Configuring Detailed Settings for Maintenance Domains. Use the Administration >...
  • Page 526 ◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 520). ◆ Before removing an MA, first remove the MEPs assigned to it (see...
  • Page 527 ◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA: ■ Default – MIPs can be created for this MA on any bridge port...
  • Page 528 ◆ AIS Transmit Level – Configure the AIS maintenance level in an MA. (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level ◆ AIS Suppress Alarm – Enables/disables suppression of the AIS. ...
  • Page 529 Figure 299: Showing Maintenance Associations. To configure detailed settings for maintenance associations: Click Administration, CFM. Select Configure MA from the Step list. Select Configure Details from the Action list. Select an entry from MD Index and MA Index. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
  • Page 530: Configuring Maintenance End Points

    Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
  • Page 531: Configuring Remote Maintenance End Points

    Click Apply. Figure 301: Configuring Maintenance End Points. To show the configured maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 302: Showing Maintenance End Points. Use the Administration >...
  • Page 532 Command Usage: ◆ All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process. ◆ Remote MEPs can only be configured if local domain service access...
  • Page 533: Transmitting Link Trace Messages

    Figure 303: Configuring Remote Maintenance End Points. To show the configured remote maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 304: Showing Remote Maintenance End Points. Use the Administration >...
  • Page 534 ◆ LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded. LTMs are used to isolate faults.
  • Page 535: Transmitting Loop Back Messages

    Click Apply. Check the results in the Link Trace cache (see "Displaying the Link Trace Cache"). Figure 305: Transmitting Link Trace Messages. Transmitting Loop Back Messages: Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs).
  • Page 536 ◆ MA Index – MA identifier. (Range: 1-2147483647) ◆ Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191) ◆ Target: ■ MEP ID – The identifier of a remote MEP that is the target of a...
  • Page 537: Transmitting Delay-Measure Requests

    Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association. CLI References: ◆ "ethernet cfm delay-measure two-way" on page 1336...
  • Page 538 ◆ Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5) ◆ Packet Size – The size of the delay-measure message. ...
  • Page 539: Displaying Local MEPs

    Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device. CLI References: ◆ "show ethernet cfm maintenance-points local" on page 1312...
  • Page 540: Displaying Details for Local MEPs

    Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database. CLI References: "show ethernet cfm maintenance-points local detail mep"...
  • Page 541: Displaying Local Mips

    ◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions. Interface: To show detailed information for the MEPs configured on this device: Click Administration, CFM.
  • Page 542: Displaying Remote Meps

    Parameters: These parameters are displayed: ◆ MD Name – Maintenance domain name. ◆ Level – Authorized maintenance level for this domain. ◆ MA Name – Maintenance association name. ◆ Primary VLAN – Service VLAN ID. ◆ Interface –...
  • Page 543: Displaying Details For Remote Meps

    ◆ MA Name – Maintenance association name. ◆ Level – Authorized maintenance level for this domain. ◆ Primary VLAN – Service VLAN ID. ◆ MEP Up – Indicates whether or not this MEP is functioning normally...
  • Page 544 ◆ MA Name – Maintenance association name. ◆ Level – Authorized maintenance level for this domain. ◆ MAC Address – MAC address of this MEP entry. ◆ Primary VLAN – Service VLAN ID...
  • Page 545: Displaying The Link Trace Cache

    Select Show Information from the Step list. Select Show Remote MEP Details from the Action list. Select an entry from MD Index and MA Index. Select a MEP ID. Figure 312: Showing Detailed Information on Remote MEPs. Use the Administration >...
  • Page 546 ◆ Forwarded – Shows whether or not this link trace message was forwarded. A message is not forwarded if received by the target MEP. ◆ Ingress MAC Address – MAC address of the ingress port on the target...
  • Page 547: Displaying Fault Notification Settings

    Select Show Link Trace Cache from the Action list. Figure 313: Showing the Link Trace Cache. Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator.
  • Page 548: Displaying Continuity Check Errors

    Interface: To show configuration settings for the fault notification generator: Click Administration, CFM. Select Show Information from the Step list. Select Show Fault Notification Generator from the Action list. Figure 314: Showing Settings for the Fault Notification Generator. Use the Administration >...
  • Page 549 ■ VIDS – MA x is associated with a specific VID list, an MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port.
  • Page 550: Oam Configuration

    The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying remote device information.
  • Page 551 Table 35: OAM Operation State (Continued). Operational – When the local OAM entity learns that both it and the remote OAM entity have accepted the peering, the state moves to this state. Non Oper Half Duplex – This state is returned whenever Ethernet OAM is enabled but the interface is in half-duplex operation.
  • Page 552: Displaying Statistics For Oam Messages

    ■ Window Size – The period of time in which to check the reporting threshold for errored frame link events. (Range: 10-65535 in units of 10 milliseconds; Default: 10 units of 10 milliseconds, or the equivalent of 1 second) ■ Threshold Count –...
  • Page 553: Displaying The Oam Event Log

    ◆ Clear – Clears statistical counters for the selected ports. ◆ OAMPDU – Message types transmitted and received by the OAM protocol, including Information OAMPDUs, unique Event OAMPDUs, Loopback Control OAMPDUs, and Organization Specific OAMPDUs. Interface: To display statistics for OAM messages: Click Administration, OAM, Counters.
  • Page 554: Displaying The Status Of Remote Interfaces

    Interface: To display link events for the selected port: Click Administration, OAM, Event Log. Select a port from the drop-down list. Figure 318: Displaying the OAM Event Log. Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
  • Page 555: Configuring A Remote Loop Back Test

    not support the unidirectional function, but can parse error messages sent from a peer with unidirectional capability. ◆ Link Monitor – Shows if the OAM entity can send and receive Event Notification OAMPDUs. ◆ MIB Variable Retrieval –...
  • Page 556: Table 36: Remote Loopback Status

    ◆ To perform a loopback test, first enable Remote Loop Back Mode, click Test, and then click End. The number of packets transmitted and received will be displayed. Parameters: These parameters are displayed: Loopback Mode of Remote Device Port –...
  • Page 557: Displaying Results Of Remote Loop Back Testing

    ■ Packets Received – The number of loop back frames received during the last loopback test on this interface. ■ Loss Rate – The percentage of packets for which there was no response. Interface: To initiate a loop back test to the peer device attached to the selected port: Click Administration, OAM, Remote Loop Back.
  • Page 558 ◆ Packets Received – The number of loop back frames received during the last loop back test on this interface. ◆ Loss Rate – The percentage of packets transmitted for which there was no response. Interface: To display the results of remote loop back testing for each port for which this information is available:...
  • Page 559: Ip Configuration

    This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 560 Command Usage: ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten...
  • Page 561: Address Resolution Protocol

    The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP frame is received by this switch (or any standards-based switch/router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
  • Page 562: Displaying Arp Entries

    The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the switch may tie up resources by repeating ARP requests for addresses recently flushed from the table. When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
  • Page 563: Setting The Switch's Ip Address (Ip Version 4)

    This section describes how to configure an IPv4 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
  • Page 564: Configuring Ipv4 Interface Settings

    Use the System > IP (Configure Interface – Add Address) page to configure an IPv4 address for the switch. An IPv4 address is obtained via DHCP by default for VLAN 1.
  • Page 565 Interface: To set a static IPv4 address for the switch: Click System, IP. Select Configure Interface from the Step list. Select Add Address from the Action list. Select the VLAN through which the management station is attached, set the IP Address Mode to “User Specified,”...
  • Page 566 To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch: Click System, IP. Select Configure Interface from the Step list. Select Add Address from the Action list. Select the VLAN through which the management station is attached, set the IP Address Mode to “DHCP”...
  • Page 567: Setting The Switch's Ip Address (Ip Version 6)

    Select Show Address from the Action list. Select an entry from the VLAN list. Figure 328: Showing the IPv4 Address Configured for an Interface...
  • Page 568: Configuring Ipv6 Interface Settings

    ■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. Interface: To configure an IPv6 default gateway for the switch: Click IP, IPv6 Configuration.
  • Page 569 parameters used to facilitate this process are the number of attempts made to verify whether or not a duplicate address exists on the same network segment, and the interval between neighbor solicitations used to verify reachability information.
  • Page 570 ◆ ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600, Default: 3) ■ Configuring a value of 0 disables duplicate address detection...
  • Page 571 non-address configuration information (such as a default gateway) when DHCPv6 is restarted. Prior to submitting a client request to a DHCPv6 server, the switch should be configured with a link-local address using the Address Autoconfig option.
  • Page 572 Specify the VLAN to configure, enable address auto-configuration, or enable IPv6 explicitly to automatically configure a link-local address and enable IPv6 on the selected interface. Set the MTU size, the maximum number of duplicate address detection messages, the neighbor solicitation message interval, and the remote node reachable time.
  • Page 573: Configuring An Ipv6 Address

    Figure 331: Configuring RA Guard for an IPv6 Interface. Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network. CLI References...
  • Page 574 ■ You can also manually configure the global unicast address by entering the full address and prefix length. ◆ You can configure multiple IPv6 global unicast addresses per interface,...
  • Page 575 in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address. For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A.
  • Page 576: Showing Ipv6 Addresses

    Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI References: ◆ "show ipv6 interface" on page 1393...
  • Page 577: Showing The Ipv6 Neighbor Cache

    Select Show IPv6 Address from the Action list. Select a VLAN from the list. Figure 333: Showing Configured IPv6 Addresses. Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
  • Page 578 Table 38: Show IPv6 Neighbors - display description (Continued). State – The following states are used for dynamic entries: ◆ Incomplete - Address resolution is being carried out on the entry...
  • Page 579: Showing Ipv6 Statistics

    Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI References: ◆ "show ipv6 traffic" on page 1396...
  • Page 580 Table 39: Show IPv6 Statistics - display description (Continued). Address Errors – The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 581 Table 39: Show IPv6 Statistics - display description (Continued). Generated Fragments – The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded – The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 582 Table 39: Show IPv6 Statistics - display description (Continued). Destination Unreachable Messages – The number of ICMP Destination Unreachable messages sent by the interface. Packet Too Big Messages – The number of ICMP Packet Too Big messages sent by the interface.
  • Page 583 Figure 335: Showing IPv6 Statistics (IPv6). Figure 336: Showing IPv6 Statistics (ICMPv6).
  • Page 584: Showing The Mtu For Responding Destinations

    Figure 337: Showing IPv6 Statistics (UDP). Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 585: Ip Services

    This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see "DHCP Snooping" on page 408. This chapter provides information on the following IP services, including: ◆...
  • Page 586: Configuring A List Of Domain Names

    Parameters: These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 587 through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers" on page 588).
  • Page 588: Configuring A List Of Name Servers

    Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI References: ◆ "ip name-server" on page 1355...
  • Page 589: Configuring Static Dns Host To Address Entries

    Figure 343: Showing the List of Name Servers for DNS. Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain...
  • Page 590: Displaying The Dns Cache

    Figure 344: Configuring Static Entries in the DNS Table. To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 345: Showing Static Entries in the DNS Table. Use the IP Service >...
  • Page 591: Dynamic Host Configuration Protocol

    ◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias. ◆ IP – The IP address associated with this record. ◆ TTL – The time to live reported by the name server...
  • Page 592: Configuring Dhcp Relay Service

    Parameters: These parameters are displayed in the web interface: ◆ VLAN – ID of configured VLAN. ◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature: Default –...
  • Page 593 These fields identify the requesting device by indicating the interface through which the relay agent received the request. If DHCP relay is enabled, and this switch sees a DHCP client request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located.
  • Page 594 the management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent’s address to the DHCP request packet, and then unicast it to the DHCP server. ■ If a DHCP relay server has been set on the switch, when the switch...
  • Page 595 ■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch). ■ A DHCP relay server has been set on the switch, when the switch...
  • Page 596 ◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference. Interface: To configure DHCP relay service: Click IP Service, DHCP, Relay Option 82. Enable or disable Option 82.
  • Page 597: Multicast

    This chapter describes how to configure the following multicast services: ◆ IGMP – Configures snooping and query parameters. ◆ Filtering and Throttling – Filters specified multicast service, or throttles the maximum of multicast groups allowed on an interface. ◆ Multicast VLAN Registration for IPv4 –...
  • Page 598: Layer 2 Igmp (Snooping And Query)

    This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router.
  • Page 599 Only IGMPv3 hosts can request service from a specific multicast source. When downstream hosts request service from a specific source for a multicast service, these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources.
  • Page 600: Configuring Igmp Snooping And Query Parameters

    The only deviation from TR-101 is that the marking of IGMP traffic initiated by the switch with priority bits as defined in R-250 is not supported. Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently.
  • Page 601 When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. ◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy...
  • Page 602 ◆ TCN Query Solicit – Sends out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. (Default: Disabled) When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation).
  • Page 603 This command only applies when proxy reporting is enabled. ◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300) ◆ IGMP Snooping Version –...
  • Page 604: Specifying Static Interfaces For A Multicast Router

    Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 605 Interface: To specify a static interface attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Add Static Multicast Router from the Action list. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
  • Page 606: Assigning Interfaces To Multicast Services

    dynamically discovered by the switch or statically assigned to an interface on the switch. To show all the interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list.
  • Page 607 ◆ Port or Trunk – Specifies the interface assigned to a multicast group. ◆ Multicast IP – The IP address for a specific multicast service. Interface: To statically assign an interface to a multicast service: Click Multicast, IGMP Snooping, IGMP Member.
  • Page 608 Figure 356: Showing Static Interfaces Assigned to a Multicast Service. To show all the interfaces statically or dynamically assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Show Current Member from the Action list. Select the VLAN for which to display this information.
  • Page 609: Setting Igmp Snooping Status Per Interface

    Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters" on page 600.
  • Page 610 ◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when: ■ Multicast forwarding is disabled on an interface...
  • Page 611 If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period.
  • Page 612 in report and leave messages sent upstream from the multicast router port. ◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports.
  • Page 613 ◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 614: Displaying Multicast Groups Discovered By Igmp Snooping

    To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface. Select Show VLAN Information from the Action list. Figure 359: Showing Interface Settings for IGMP Snooping. Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
  • Page 615: Displaying Igmp Snooping Statistics

    Interface: To show multicast groups learned through IGMP snooping: Click Multicast, IGMP Snooping, Forwarding Entry. Select the VLAN for which to display this information. Figure 360: Showing Multicast Groups Learned by IGMP Snooping. Use the Multicast >...
  • Page 616 ◆ General Query Sent – The number of general queries sent from this interface. ◆ Specific Query Received – The number of specific queries received on this interface. ◆ Specific Query Sent – The number of specific queries sent from this...
  • Page 617 Interface: To display statistics for IGMP snooping query-related messages: Click Multicast, IGMP Snooping, Statistics. Select Show Query Statistics from the Action list. Select a VLAN. Figure 361: Displaying IGMP Snooping Statistics – Query. To display IGMP snooping protocol-related statistics for a VLAN: Click Multicast, IGMP Snooping, Statistics.
  • Page 618 Figure 362: Displaying IGMP Snooping Statistics – VLAN. To display IGMP snooping protocol-related statistics for a port: Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port.
  • Page 619: Filtering And Throttling Igmp Groups

    In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 620: Configuring Igmp Filter Profiles

    Figure 364: Enabling IGMP Filtering and Throttling. Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
  • Page 621 Interface: To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode. Click Apply.
  • Page 622: Configuring Igmp Filtering And Throttling For Interfaces

    Click Apply. Figure 367: Adding Multicast Groups to an IGMP Filtering Profile. To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Show Multicast Group Range from the Action list.
  • Page 623 removes an existing group and replaces it with the new multicast group. Parameters: These parameters are displayed: ◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
  • Page 624: Multicast Vlan Registration For Ipv4

    Figure 369: Configuring IGMP Filtering and Throttling Interface Settings. Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
  • Page 625: Configuring Mvr Global Settings

    Figure 370: MVR Concept (diagram labels: Multicast Router, Satellite Services, Service Network, Multicast Server, Layer 2 Switch, Source Port, Receiver Ports, Set-top Box). Command Usage: ◆ General Configuration Guidelines for MVR: Enable MVR for a domain on the switch, and select the MVR VLAN (see "Configuring MVR Domain Settings"...
  • Page 626 Parameters: These parameters are displayed: ◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
  • Page 627 ◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds) ■ This parameter sets the general query interval at which active...
  • Page 628: Configuring Mvr Domain Settings

    Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
  • Page 629: Configuring MVR Group Address Profiles

    | Multicast Filtering | Multicast VLAN Registration for IPv4 | Web Interface: To configure settings for an MVR domain: Click Multicast, MVR. Select Configure Domain from the Step list. Select a domain from the scroll-down list. Enable MVR for the selected domain, select the MVR VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
  • Page 630 | Multicast Filtering | Multicast VLAN Registration for IPv4 | ◆ IGMP snooping and MVR share a maximum number of 1024 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated domain. Parameters: These parameters are displayed: Configure Profile...
  • Page 631 | Multicast Filtering | Multicast VLAN Registration for IPv4 | To show the configured MVR group address profiles: Click Multicast, MVR. Select Configure Profile from the Step list. Select Show from the Action list. Figure 374: Displaying MVR Group Address Profiles. To assign an MVR group address profile to a domain: Click Multicast, MVR.
  • Page 632: Configuring MVR Interface Status

    | Multicast Filtering | Multicast VLAN Registration for IPv4 | Figure 376: Showing the MVR Group Address Profiles Assigned to a Domain. Configuring MVR Interface Status: Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port.
  • Page 633 | Multicast Filtering | Multicast VLAN Registration for IPv4 | remaining subscribers for that multicast group before removing the port from the group list. ■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
  • Page 634: Assigning Static MVR Multicast Groups to Interfaces

    | Multicast Filtering | Multicast VLAN Registration for IPv4 | Web Interface: To configure interface settings for MVR: Click Multicast, MVR. Select Configure Interface from the Step list. Select Port or Trunk interface. Select an MVR domain. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
  • Page 635 | Multicast Filtering | Multicast VLAN Registration for IPv4 | ◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings. Parameters: These parameters are displayed: ◆ Domain ID – An independent multicast domain. (Range: 1-5) ◆ Interface – Port or trunk identifier. VLAN –...
  • Page 636: Displaying MVR Receiver Groups

    | Multicast Filtering | Multicast VLAN Registration for IPv4 | Select an MVR domain. Select the port or trunk for which to display this information. Figure 379: Showing the Static MVR Groups Assigned to a Port. Displaying MVR Receiver Groups: Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups...
  • Page 637: Displaying MVR Statistics

    | Multicast Filtering | Multicast VLAN Registration for IPv4 | Web Interface: To display the interfaces assigned to the MVR receiver groups: Click Multicast, MVR. Select Show Member from the Step list. Select an MVR domain. Figure 380: Displaying MVR Receiver Groups. Use the Multicast >...
  • Page 638 | Multicast Filtering | Multicast VLAN Registration for IPv4 | ◆ General Query Sent – The number of general queries sent from this interface. ◆ Specific Query Received – The number of specific queries received on this interface. ◆ Specific Query Sent – The number of specific queries sent from this...
  • Page 639 | Multicast Filtering | Multicast VLAN Registration for IPv4 | Web Interface: To display statistics for MVR query-related messages: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Query Statistics from the Action list. Select an MVR domain. Figure 381: Displaying MVR Statistics – Query –...
  • Page 640 | Multicast Filtering | Multicast VLAN Registration for IPv4 | To display MVR protocol-related statistics for a VLAN: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR domain. Select a VLAN. Figure 382: Displaying MVR Statistics –...
  • Page 641: Multicast VLAN Registration for IPv6

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | To display MVR protocol-related statistics for a port: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR domain. Select a Port. Figure 383: Displaying MVR Statistics –...
  • Page 642: Configuring MVR6 Global Settings

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | Set the interfaces that will join the MVR as source ports or receiver ports (see "Configuring MVR6 Interface Status" on page 648). For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see "Assigning Static MVR6...
  • Page 643 | Multicast Filtering | Multicast VLAN Registration for IPv6 | ◆ Robustness Value – Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. (Range: 1-10; Default: 2) ■ This parameter is used to set the number of times report messages...
  • Page 644: Configuring MVR6 Domain Settings

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | Figure 384: Configuring Global Settings for MVR6. Configuring MVR6 Domain Settings: Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
  • Page 645: Configuring MVR6 Group Address Profiles

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | ◆ Upstream Source IPv6 – The source IPv6 address assigned to all MVR6 control packets sent upstream on the specified domain. This parameter must be a full IPv6 address including the network prefix and host address bits.
  • Page 646 | Multicast Filtering | Multicast VLAN Registration for IPv6 | Command Usage: ◆ Use the Configure Profile page to statically configure all multicast group addresses that will join the MVR6 VLAN. Any multicast data associated with an MVR6 group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
  • Page 647 | Multicast Filtering | Multicast VLAN Registration for IPv6 | Click Apply. Figure 386: Configuring an MVR6 Group Address Profile. To show the configured MVR6 group address profiles: Click Multicast, MVR6. Select Configure Profile from the Step list. Select Show from the Action list. Figure 387: Displaying MVR6 Group Address Profiles. To assign an MVR6 group address profile to a domain: Click Multicast, MVR6.
  • Page 648: Configuring MVR6 Interface Status

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | Figure 388: Assigning an MVR6 Group Address Profile to a Domain. To show the MVR6 group address profiles assigned to a domain: Click Multicast, MVR6. Select Associate Profile from the Step list. Select Show from the Action list.
  • Page 649 | Multicast Filtering | Multicast VLAN Registration for IPv6 | note that VLAN membership for MVR6 receiver ports cannot be set to access mode (see "Adding Static Members to VLANs" on page 204). ◆ One or more interfaces may be configured as MVR6 source ports. A...
  • Page 650: Assigning Static MVR6 Multicast Groups to Interfaces

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | multicast traffic from one of the MVR6 groups, or a multicast group has been statically assigned to an interface. ◆ Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 651 | Multicast Filtering | Multicast VLAN Registration for IPv6 | ◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 652: Displaying MVR6 Receiver Groups

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | To show the static MVR6 groups assigned to an interface: Click Multicast, MVR6. Select Configure Static Group Member from the Step list. Select Show from the Action list. Select an MVR6 domain. Select the port or trunk for which to display this information.
  • Page 653: Displaying MVR6 Statistics

    | Multicast Filtering | Multicast VLAN Registration for IPv6 | ◆ Expire – Time before this entry expires if no membership report is received from currently active or new clients. ◆ Count – The number of multicast services currently being forwarded from the MVR6 VLAN.
  • Page 654 | Multicast Filtering | Multicast VLAN Registration for IPv6 | ◆ General Query Received – The number of general queries received on this interface. ◆ General Query Sent – The number of general queries sent from this interface. ◆ Specific Query Received – The number of specific queries received...
  • Page 655 | Multicast Filtering | Multicast VLAN Registration for IPv6 | Web Interface: To display statistics for MVR6 query-related messages: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show Query Statistics from the Action list. Select an MVR6 domain. Figure 394: Displaying MVR6 Statistics – Query –...
  • Page 656 | Multicast Filtering | Multicast VLAN Registration for IPv6 | To display MVR6 protocol-related statistics for a VLAN: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR6 domain. Select a VLAN. Figure 395: Displaying MVR6 Statistics –...
  • Page 657 | Multicast Filtering | Multicast VLAN Registration for IPv6 | To display MVR6 protocol-related statistics for a port: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR6 domain. Select a Port. Figure 396: Displaying MVR6 Statistics –...
  • Page 659: Command Line Interface

    Section: Command Line Interface. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ "Using the Command Line Interface" on page 661 ◆ "General Commands" on page 675...
  • Page 660 | Command Line Interface | ◆ "Class of Service Commands" on page 1143 ◆ "Quality of Service Commands" on page 1157 ◆ "Multicast Filtering Commands" on page 1177 ◆ "LLDP Commands" on page 1273 ◆ "CFM Commands" on page 1297 ◆ "OAM Commands"...
  • Page 661: Using The Command Line Interface

    Using the Command Line Interface: This chapter describes how to use the Command Line Interface (CLI). Accessing the CLI: When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 662: Telnet Connection

    | Using the Command Line Interface | Accessing the CLI | Telnet Connection: Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 663: Entering Commands

    | Using the Command Line Interface | Entering Commands | You can open up to four sessions to the device via Telnet. Entering Commands: This section describes how to enter CLI commands. Keywords and Arguments: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 664: Getting Help On Commands

    | Using the Command Line Interface | Entering Commands | Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands: If you enter a “?”...
  • Page 665 | Using the Command Line Interface | Entering Commands | power-save: Shows the power saving information; pppoe: Displays PPPoE configuration; process: Device process; protocol-vlan: Protocol-VLAN information; public-key: Public key information; Quality of Service; queue: Priority queue information; radius-server: RADIUS server information; reload: Shows the reload settings; rmon...
  • Page 666: Partial Keyword Lookup

    | Using the Command Line Interface | Entering Commands | Partial Keyword Lookup: If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”...
  • Page 667: Exec Commands

    | Using the Command Line Interface | Entering Commands | The command classes and associated modes are displayed in the following table: Table 41: General Command Modes Class Mode Exec Normal Privileged Configuration Access Control List Global Class Map ERPS IGMP Profile Interface Line Multiple Spanning Tree...
  • Page 668: Configuration Commands

    | Using the Command Line Interface | Entering Commands | Configuration Commands: Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
  • Page 669: Table 42: Configuration Command Modes

    | Using the Command Line Interface | Entering Commands | To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the...
  • Page 670: Command Line Processing

    | Using the Command Line Interface | Entering Commands | Command Line Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 671: Output Modifiers

    | Using the Command Line Interface | CLI Command Groups | VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static Console# Output Modifiers: Some of the show commands include options for output modifiers. For example, the “show running-config” command includes the following keyword options: Console#show running-config ? | Output modifiers...
  • Page 672 | Using the Command Line Interface | CLI Command Groups | Table 44: Command Group Index (Continued) Command Group Description Page User Authentication Configures user names and passwords, logon access using local or remote authentication, management access through the web server, Telnet server and Secure Shell;...
  • Page 673 | Using the Command Line Interface | CLI Command Groups | Table 44: Command Group Index (Continued) Command Group Description Page Configures Operations, Administration and Maintenance remote management tools required to monitor and maintain the links to subscriber CPEs (page 1339) Domain Name Service Configures DNS services.
  • Page 675: General Commands

    General Commands: The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 45: General Commands (Command, Function, Mode): prompt: Customizes the CLI prompt; reload: Restarts the system at a specified time, after a specified delay, or at a periodic interval; enable: Activates privileged mode...
  • Page 676: Reload (Global Configuration)

    | General Commands | Example: Console(config)#prompt RD2 RD2(config)# reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 677: Enable

    | General Commands | Command Usage: ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 678: Quit

    | General Commands | Example: Console>enable Password: [privileged level password] Console# Related Commands: disable (680), enable password (802). quit: This command exits the configuration program. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The quit and exit commands can both exit the configuration program. Example: This example shows how to quit a CLI session: Console#quit...
  • Page 679: Configure

    | General Commands | Example: In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 680: Disable

    | General Commands | disable: This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 681: Show Reload

    | General Commands | show reload: This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode: Privileged Exec. Example: Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 682 | General Commands | Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:
  • Page 683: System Management Commands

    System Management Commands: The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 46: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch Banner Information Configures administrative contact, device identification and location...
  • Page 684: Hostname

    | System Management Commands | Banner Information | hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax: hostname name; no hostname. name - The name of this host. (Maximum length: 255 characters) Default Setting: None...
  • Page 685: Banner Configure

    If, for example, a mistake is made in the company name, it can be corrected with the banner configure company command. Example: Console(config)#banner configure Company: Edge-Core Networks Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Jr.
  • Page 686: Banner Configure Company

    | System Management Commands | Banner Information | Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.1 Note: This is a random note about this managed switch and can contain miscellaneous information.
  • Page 687: Banner Configure Dc-Power-Info

    | System Management Commands | Banner Information | banner configure dc-power-info: This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id; no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 688: Banner Configure Equipment-Info

    | System Management Commands | Banner Information | Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 689: Banner Configure Equipment-Location

    | Banner Information | Example: Console(config)#banner configure equipment-info manufacturer-id ECS4810-12M floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core Console(config)# banner configure equipment-location: This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 690: Banner Configure Lp-Number

    | System Management Commands | Banner Information | Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 691: Banner Configure Manager-Info

    | System Management Commands | Banner Information | banner configure manager-info: This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]; no banner configure manager-info [name1 | name2 | name3]...
  • Page 692: Banner Configure Note

    | System Management Commands | Banner Information | Default Setting: None. Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 693: Show Banner

    R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis Edge-Core - ECS4810-12M Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 694: Show Access-List Tcam-Utilization

    | System Management Commands | System Status | Table 49: System Status Commands (Continued) (Command, Function, Mode): show version: Displays version information for the system (NE, PE); show watchdog: Shows if watchdog debugging is enabled; watchdog software: Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly. This command shows utilization parameters for TCAM (Ternary Content...
  • Page 695: Show Alarm-Status

    | System Management Commands | System Status | Installation Guide. Refer to the Installation Guide for information on how to use the alarm relay contacts and external site alarm inputs. Example: Console#show alarm input name Name of Alarm Input of unit 1 index 1: ALARM_IN1 Name of Alarm Input of unit 1 index 2: ALARM_IN2...
  • Page 696: Show Memory

    | System Management Commands | System Status | Current Minor Alarm Output Status:[INACTIVE] Console# show memory: This command shows memory utilization parameters. Command Mode: Normal Exec, Privileged Exec. Command Usage: This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, and the total amount of system memory.
  • Page 697: Show Running-Config

    | System Management Commands | System Status | Console# Related Commands: process cpu (785). show running-config: This command displays the configuration information currently in use. Syntax: show running-config [interface interface]. interface: ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-12); port-channel channel-id (Range: 1-12); vlan vlan-id (Range: 1-4093). Command Mode...
  • Page 698: Show Startup-Config

    | System Management Commands | System Status | Example: Console#show running-config Building startup configuration. Please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac> snmp-server community public ro snmp-server community private rw snmp-server enable traps authentication username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database...
  • Page 699: Show System

    | System Management Commands | System Status | ◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: ■ MAC address for the switch...
  • Page 700: Show Tech-Support

    | System Management Commands | System Status | Jumbo Frame : Disabled Main Power Status : Active Redundant Power Status : Inactive Console# show tech-support: This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems. Command Mode: Normal Exec, Privileged Exec. Command...
  • Page 701: Show Version

    | System Management Commands | System Status | Command Usage: The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example: Console#show users User Name Accounts: User Name Privilege Public-Key -------------------------------- --------- ---------- admin 15 None...
  • Page 702: Show Watchdog

    | System Management Commands | Frame Size | show watchdog: This command shows if watchdog debugging is enabled. Command Mode: Privileged Exec. Example: Console#show watchdog Software Watchdog Information Status : Enabled Console# watchdog software: This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
  • Page 703: File Management

    | System Management Commands | File Management | Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: ◆ This switch provides more efficient throughput for large sequential data transfers by supporting Layer 2 jumbo frames on Gigabit Ethernet ports or trunks up to 10240 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 704: General Commands

    | System Management Commands | File Management | specified as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the FTP/TFTP server, but cannot be used as the destination on the switch. Table 51: Flash/File Commands Command Function Mode...
  • Page 705: Copy

    | System Management Commands | File Management | Command Usage: ◆ A colon (:) is required after the specified file type. ◆ If the file contains an error, it cannot be set as the default file. Example: Console(config)#boot system config: startup Console(config)# Related Commands...
  • Page 706 | System Management Commands | File Management | Command Usage: ◆ The system prompts for data required to complete the copy command. ◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server.
  • Page 707 | System Management Commands | File Management | Destination file name: startup.01 TFTP completed. Success. Console# The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish.
  • Page 708: Delete

    | System Management Commands | File Management | Success. Write to FLASH Programming. Success. Console# This example shows how to copy a file to an FTP server. Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: admin Password[]: ***** Choose file type: 1.
  • Page 709: Dir

    | System Management Commands | File Management | Example: This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands: dir (709), delete public-key (832). dir: This command displays a list of files in flash memory. Syntax: dir {boot-rom: | config: | opcode:} [filename]. boot-rom - Boot ROM (or diagnostic) image file.
  • Page 710: Whichboot

    | System Management Commands | File Management | Example: The following example shows how to display all file information: Console#dir File Name Type Startup Modify Time Size(bytes) -------------------------- -------------- ------- ------------------- ---------- Unit 1: ecs4810_12m_1.1.2.2.bix OpCode 2013-10-07 11:09:12 12933584 ecs4810_12m_v1.1.4.10.bix OpCode 2012-10-19 08:12:39 12982728 Factory_Default_Config.cfg...
  • Page 711 | System Management Commands | File Management | Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: ◆ This command is used to enable or disable automatic upgrade of the operational code. When the switch starts up and automatic image upgrade is enabled by this command, the switch will follow these steps when it boots up: It will search for a new version of the image at the location specified upgrade opcode path...
  • Page 712: Upgrade Opcode Path

    | System Management Commands | File Management | upgrade opcode path: This command specifies a TFTP server and directory in which the new opcode is stored. Use the no form of this command to clear the current path setting. Syntax: upgrade opcode path opcode-dir-url; no upgrade opcode path. opcode-dir-url - The location of the new code.
  • Page 713: Upgrade Opcode Reload

    | System Management Commands | File Management | upgrade opcode reload: This command reloads the switch automatically after the opcode upgrade is completed. Use the no form to disable this feature. Syntax: [no] upgrade opcode reload. Default Setting: Disabled. Command Mode: Global Configuration. Example: This shows how to specify a TFTP server where new code is stored.
  • Page 714: Ip TFTP Timeout

    | System Management Commands | File Management | Default Setting. Command Mode: Global Configuration. Example: Console(config)#ip tftp retry 10 Console(config)# ip tftp timeout: This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
  • Page 715: Line

    System Management Commands | Line. You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 716: Databits

    System Management Commands | Line. Default Setting: There is no default line. Command Mode: Global Configuration. Command Usage: Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 717: Exec-Timeout

    System Management Commands | Line. Example: To specify 7 data bits, enter this command: Console(config-line)#databits 7 Console(config-line)# Related Commands: parity (719). exec-timeout: This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax: exec-timeout [seconds]; no exec-timeout...
  • Page 718: Login

    System Management Commands | Line. login: This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax: login [local]; no login. local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 719: Parity

    System Management Commands | Line. parity: This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax: parity {none | even | odd}; no parity. none - No parity; even - Even parity; odd - Odd parity. Default Setting...
  • Page 720: Password-Thresh

    System Management Commands | Line. Command Usage: ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns...
  • Page 721: Silent-Time

    System Management Commands | Line. Example: To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# Related Commands: silent-time (721). silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
  • Page 722: Stopbits

    System Management Commands | Line. Default Setting: 115200 bps. Command Mode: Line Configuration. Command Usage: Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
  • Page 723: Timeout Login Response

    System Management Commands | Line. timeout login response: This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax: timeout login response [seconds]; no timeout login response. seconds - Integer that specifies the timeout interval.
  • Page 724: Terminal

    System Management Commands | Line. Example: Console#disconnect 1 Console# Related Commands: show ssh (836), show users (700). terminal: This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting. Syntax: terminal {escape-character {ASCII-number | character} | history [size size] | length length | terminal-type {ansi-bbs |...
  • Page 725: Show Line

    System Management Commands | Line. Example: This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line: This command displays the terminal line’s parameters. Syntax: show line [console | vty]. console - Console terminal line.
  • Page 726: Event Logging

    System Management Commands | Event Logging. This section describes commands used to configure event logging on the switch. Table 54: Event Logging Commands (columns: Command, Function, Mode). logging facility: Sets the facility type for remote logging of syslog messages. logging history: Limits syslog messages saved to switch memory based...
  • Page 727: Logging History

    System Management Commands | Event Logging. logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax: logging history {flash | ram} level; no logging history {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 728: Logging Host

    System Management Commands | Event Logging. logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax: logging host host-ip-address [port udp-port]; no logging host host-ip-address. host-ip-address - The IPv4 or IPv6 address of a syslog server.
  • Page 729: Logging Trap

    System Management Commands | Event Logging. Example: Console(config)#logging on Console(config)# Related Commands: logging history (727), logging trap (729), clear log (730). logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 730: Clear Log

    System Management Commands | Event Logging. clear log: This command clears messages from the log buffer. Syntax: clear log [flash | ram]. flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 731: Show Logging

    System Management Commands | Event Logging. Example: The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...
  • Page 732: Smtp Alerts

    System Management Commands | SMTP Alerts. Table 56: show logging flash/ram - display description (columns: Field, Description). Syslog logging: Shows if system logging has been enabled via the logging on command. History logging in FLASH: The message level(s) reported based on the logging history command.
  • Page 733: Logging Sendmail

    System Management Commands | SMTP Alerts. Table 58: Event Logging Commands (Continued) (columns: Command, Function, Mode). logging sendmail level: Severity threshold used to trigger alert messages. logging sendmail destination-email: Email recipients of alert messages. logging sendmail source-email: Email address used for “From” field of alert messages (GC). show logging sendmail: Displays SMTP event handler settings...
  • Page 734: Logging Sendmail Level

    System Management Commands | SMTP Alerts. ◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection. ◆ To open a connection, the switch first selects the server that...
  • Page 735: Logging Sendmail Destination-Email

    System Management Commands | SMTP Alerts. logging sendmail destination-email: This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax: [no] logging sendmail destination-email email-address. email-address - The source email address used in alert messages. (Range: 1-41 characters) Default Setting...
  • Page 736: Show Logging Sendmail

    System Management Commands | Time. show logging sendmail: This command displays the settings for the SMTP event handler. Command Mode: Normal Exec, Privileged Exec. Example: Console#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com SMTP Source Email Address: bill@this-company.com...
  • Page 737: Sntp Commands

    System Management Commands | Time. SNTP Commands. sntp client: This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests. Syntax: [no] sntp client. Default...
  • Page 738: Sntp Poll

    System Management Commands | Time. sntp poll: This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax: sntp poll seconds; no sntp poll. seconds - Interval between time requests.
  • Page 739: Show Sntp

    System Management Commands | Time. Example: Console(config)#sntp server 10.1.0.19 Console# Related Commands: sntp client (737), sntp poll (738), show sntp (739). show sntp: This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
  • Page 740 | System Management Commands | Time. b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-year - The year summer time will begin. b-hour - The hour summer time will begin.
  • Page 741: Clock Summer-Time (Predefined)

    System Management Commands | Time. Related Commands: show sntp (739). clock summer-time (predefined): This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time. Syntax: clock summer-time name predefined [australia | europe | new-zealand | usa]...
  • Page 742: Clock Summer-Time (Recurring)

    System Management Commands | Time. Example: The following example sets the Summer Time setting to use the predefined settings for the European region. Console(config)#clock summer-time MESZ predefined europe Console(config)# Related Commands: show sntp (739). clock summer-time (recurring): This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a
  • Page 743: Clock Timezone

    System Management Commands | Time. offset - Summer-time offset from the regular time zone, in minutes. (Range: 0-99 minutes) Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
  • Page 744: Calendar Set

    System Management Commands | Time. Default Setting: None. Command Mode: Global Configuration. Command Usage: This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 745: Show Calendar

    System Management Commands | Time Range. Example: This example shows how to set the system clock to 15:12:34, February 1st, 2002. Console#calendar set 15:12:34 1 February 2002 Console# show calendar: This command displays the system clock. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Example...
  • Page 746: Absolute

    System Management Commands | Time Range. Default Setting: None. Command Mode: Global Configuration. Command Usage: This command sets a time range for use by other functions, such as Access Control Lists. Example: Console(config)#time-range r&d Console(config-time-range)# Related Commands: Access Control Lists (925). This command sets the time range for the execution of a command.
  • Page 747: Periodic

    System Management Commands | Time Range. effect if the current time is within the absolute time range and one of the periodic time ranges. Example: This example configures the time for the single occurrence of an event. Console(config)#time-range r&d Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009 Console(config-time-range)#...
  • Page 748: Show Time-Range

    System Management Commands | Synchronous Ethernet. ◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
  • Page 749: Synce

    System Management Commands | Synchronous Ethernet. Table 62: Sync-E Commands (columns: Command, Function, Mode). synce: Enables SyncE on all ports that support SyncE. synce ethernet: Enables SyncE on a port that supports SyncE. synce ethernet clock-source: Manually sets a port as a clock source or candidate clock source at the specified priority. synce auto-clock-source-...
  • Page 750: Synce Ethernet

    System Management Commands | Synchronous Ethernet. used in combination to achieve a high level of frequency synchronization with a common defined time. ◆ SyncE delivers a high level of frequency accuracy, but cannot deliver time-of-day information (i.e., GMT). Conversely, PTP supports time-of-day information required by billing and service level agreements.
  • Page 751: Synce Ethernet Clock-Source

    System Management Commands | Synchronous Ethernet. ◆ SyncE can only be enabled on two ports at the same time. Example: Console(config)#synce ethernet 1/28 Console(config)# synce ethernet clock-source: This command manually sets a port as a clock source, or as a candidate clock source at the specified priority when using automatic clock source selection.
  • Page 752: Synce Auto-Clock-Source-Selecting

    System Management Commands | Synchronous Ethernet. never locked the clock source and no valid clock source exists, SyncE will operate in free-run mode. If SyncE locked the clock source, SyncE will operate in locked mode. Note that a clock is said to be in holdover mode if it was previously synchronized to another clock (normally the primary reference clock) but is now free-running on its own internal oscillator, whose frequency is being adjusted using data acquired while it had been synchronized to...
  • Page 753: Synce Force-Clock-Source-Selecting

    System Management Commands | Synchronous Ethernet. will not be changed unless the current active clock source becomes invalid. ◆ If SyncE has locked the clock source and the clock source becomes invalid, SyncE will operate in holdover mode, switching over to the local reference clock if all available clock source signals fail.
  • Page 754: Synce Ssm Ethernet

    System Management Commands | Synchronous Ethernet. ◆ If SyncE has been enabled on more than one port, the switch will choose the clock source port based on the current clock source port status and priority. ◆ A port can be forced to be the clock source port regardless of the...
  • Page 755 | System Management Commands | Synchronous Ethernet. port. SSM will be sent out of the other SSM-enabled ports once a second. If SSM has not been received on the clock source port after five seconds, the other SSM-enabled ports will stop sending SSM until a new clock source is selected.
  • Page 756: Synce Clk-Src-Ssm

    System Management Commands | Synchronous Ethernet. Console(config)#synce ssm ethernet 1/12 Console(config)# synce clk-src-ssm: This command uses SSM to select the clock source according to the SSM quality level, priority and port number. Use the no form to disable this function.
  • Page 757: Table 64: Show Sync - Display Description For Sync

    System Management Commands | Synchronous Ethernet. 1/10 Enabled 1/11 Enabled 1/12 Enabled SyncE Clock Source Selection Mode: SSM SyncE Active Clock Source Locked: No SyncE Clock Source Status: Port Priority Active Clock Source Clock Status --------- -------- ------------------- ------------ 1/ 7 Good 1/ 8...
  • Page 758: Switch Clustering

    System Management Commands | Switch Clustering. Table 64: show sync - display description for sync (Continued) (columns: Field, Description). Tx SSM: Shows transmitted Quality Level message type: ◆ QL-NONE: This port is not transmitting SSM or timeout information ◆ QL-EEC1: Transmitting QL-EEC1 messages...
  • Page 759: Cluster

    System Management Commands | Switch Clustering. then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
  • Page 760: Cluster Commander

    System Management Commands | Switch Clustering. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and...
  • Page 761: Cluster Ip-Pool

    System Management Commands | Switch Clustering. cluster ip-pool: This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax: cluster ip-pool ip-address; no cluster ip-pool. ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 762: Rcommand

    System Management Commands | Switch Clustering. Command Mode: Global Configuration. Command Usage: ◆ The maximum number of cluster Members is 36. ◆ The maximum number of cluster Candidates is 100. Example: Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand: This command provides access to a cluster Member CLI for configuration. Syntax: rcommand id member-id...
  • Page 763: Show Cluster Members

    System Management Commands | Switch Clustering. Heartbeat Loss Count : 3 seconds Number of Members Number of Candidates : 2 Console# show cluster members: This command shows the current switch cluster members. Command Mode: Privileged Exec. Example: Console#show cluster members Cluster Members: Role : Active member...
  • Page 764 | System Management Commands | Switch Clustering
  • Page 765: Snmp Commands

    SNMP Commands. SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 766 | SNMP Commands. Table 66: SNMP Commands (Continued) (columns: Command, Function, Mode). Notification Log Commands: Enables the specified notification log. snmp-server notify-filter: Creates a notification log and specifies the target host (GC). show nlm oper-status: Shows operation status of configured notification logs (PE). show snmp notify-filter: Displays the configured notification logs. ATC Trap Commands...
  • Page 767: General Snmp Commands

    SNMP Commands | General SNMP Commands. Table 66: SNMP Commands (Continued) (columns: Command, Function, Mode). Additional Trap Commands. memory: Sets the rising and falling threshold for the memory utilization alarm. process cpu: Sets the rising and falling threshold for the CPU utilization alarm. show memory: Shows memory utilization parameters...
  • Page 768: Snmp-Server Contact

    SNMP Commands | General SNMP Commands. Default Setting: ◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects. ◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode: Global Configuration. Example...
  • Page 769: Show Snmp

    SNMP Commands | General SNMP Commands. Default Setting: None. Command Mode: Global Configuration. Example: Console(config)#snmp-server location WC-19 Console(config)# Related Commands: snmp-server contact (768). show snmp: This command can be used to check the status of SNMP communications. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command...
  • Page 770: Snmp Target Host Commands

    SNMP Commands | SNMP Target Host Commands. 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging: Disabled Console# SNMP Target Host Commands. This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications).
  • Page 771: Snmp-Server Host

    SNMP Commands | SNMP Target Host Commands. Example: Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands: snmp-server host (771). snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
  • Page 772 | SNMP Commands | SNMP Target Host Commands. SNMP Version: 1. UDP Port: 162. Command Mode: Global Configuration. Command Usage: ◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
  • Page 773: Snmpv3 Commands

    SNMP Commands | SNMPv3 Commands. ◆ The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
  • Page 774: Snmp-Server Group

    SNMP Commands | SNMPv3 Commands. ◆ A remote engine ID is required when using SNMPv3 informs. (See the snmp-server host command.) The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host.
  • Page 775 | SNMP Commands | SNMPv3 Commands. Default Setting: Default groups: public (read only), private (read/write). readview - Every object belonging to the Internet OID space (1). writeview - Nothing is defined. notifyview - Nothing is defined. Command Mode: Global Configuration. Command Usage: A group sets the access policy for the assigned users.
  • Page 776: Snmp-Server User

    SNMP Commands | SNMPv3 Commands. snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax: snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password...
  • Page 777: Snmp-Server View

    SNMP Commands | SNMPv3 Commands. ◆ Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides.
  • Page 778: Show Snmp Engine-Id

    SNMP Commands | SNMPv3 Commands. Examples: This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries.
  • Page 779: Show Snmp Group

    SNMP Commands | SNMPv3 Commands. show snmp group: Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode: Privileged Exec. Example: Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none...
  • Page 780: Show Snmp User

    SNMP Commands | SNMPv3 Commands. Table 68: show snmp group - display description (Continued) (columns: Field, Description). Notify View: The associated notify view. Storage Type: The storage type for this entry. Row Status: The row status of this entry. show snmp user: This command shows information on SNMP users. Command Mode: Privileged Exec...
  • Page 781: Show Snmp View

    SNMP Commands | Notification Log Commands. show snmp view: This command shows information on the SNMP views. Command Mode: Privileged Exec. Example: Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included...
  • Page 782: Snmp-Server Notify-Filter

    SNMP Commands | Notification Log Commands. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example: This example enables the notification log A1. Console(config)#nlm A1 Console(config)# This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 783: Show Nlm Oper-Status

    SNMP Commands | Notification Log Commands. ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
  • Page 784: Show Snmp Notify-Filter

    SNMP Commands | Additional Trap Commands. show snmp notify-filter: This command displays the configured notification logs. Command Mode: Privileged Exec. Example: This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- ---------------- 10.1.19.23...
  • Page 785: Process Cpu

    SNMP Commands | Additional Trap Commands. process cpu: This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. Syntax: process cpu {rising rising-threshold | falling falling-threshold}; no process cpu {rising | falling}. rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
  • Page 786 | SNMP Commands | Additional Trap Commands
  • Page 787: Remote Monitoring Commands

    Remote Monitoring Commands. Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 788: Rmon Alarm

    Remote Monitoring Commands. rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]; no rmon alarm index. index –...
  • Page 789: Rmon Event

    Remote Monitoring Commands. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 790: Rmon Collection History

    Remote Monitoring Commands. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. Example: Console(config)#rmon event 2 log description urgent owner mike Console(config)# This command periodically samples statistics on a physical interface.
  • Page 791 | Remote Monitoring Commands. show running-config command will display a message indicating that this index is not available for the port to which is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
  • Page 792: Show Rmon Alarms

    Remote Monitoring Commands. Example: Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection rmon1 controlentry 1 owner mike Console(config-if)# show rmon alarms: This command shows the settings for all configured alarms. Command Mode: Privileged Exec. Example: Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0...
  • Page 793: Show Rmon Statistics

    Remote Monitoring Commands. 0 undersized and 0 oversized packets, 0 fragments and 0 jabbers packets, 0 CRC alignment errors and 0 collisions. # of dropped packet events is 0 Network utilization is estimated at 0 This command shows the information collected for all configured entries in the statistics group.
  • Page 794 | Remote Monitoring Commands
  • Page 795: Flow Sampling Commands

    Flow Sampling Commands. Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 796 | Flow Sampling Commands. timeout-value - The length of time the sFlow interface is available to send samples to a receiver, after which the owner and associated polling and sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector.
  • Page 797 | Flow Sampling Commands. This example shows how to modify the sFlow port number for an already configured collector. Console(config)#sflow owner stat_server1 timeout 100 port 35100 Console(config)# This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval.
  • Page 798 | Flow Sampling Commands. sflow sampling instance: This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
  • Page 799 | Flow Sampling Commands. show sflow: This command shows the global and interface settings for the sFlow process. Syntax: show sflow [owner owner-name | interface interface]. owner-name - The associated receiver, to which the samples are sent. (Range: 1-30 alphanumeric characters) interface: ethernet unit/port. unit - Stack unit.
  • Page 800 | Flow Sampling Commands
  • Page 801: Authentication Commands

    Authentication Commands. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 802: User Accounts

    Authentication Commands | User Accounts. The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 715), user authentication via a remote authentication server (page 801), and host access authentication...
  • Page 803: Username

    Authentication Commands | User Accounts. Example: Console(config)#enable password level 15 0 admin Console(config)# Related Commands: enable (677), authentication enable (804). username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level.
  • Page 804: Authentication Sequence

    Example: This example shows how to set the access level and password for a user. Console(config)#username bob access-level 15 Console(config)#username bob password 0 smith Console(config)# AUTHENTICATION SEQUENCE Three authentication methods can be specified to authenticate users logging into the system for management access.
  • Page 805: Authentication Login

    ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to...
  • Page 806: Radius Client

    “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
  • Page 807: Radius-Server Auth-Port

    Command Mode: Global Configuration Example: Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. Syntax: radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
  • Page 808: Radius-Server Key

    key - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 809: Radius-Server Retransmit

    radius-server retransmit: This command sets the number of retries. Use the no form to restore the default. Syntax: radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 810: Show Radius-Server

    show radius-server: This command displays the current settings for the RADIUS server. Default Setting: None Command Mode: Privileged Exec Example: Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times Request Timeout...
  • Page 811: Tacacs-Server Host

    tacacs-server host: This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax: tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server.
  • Page 812: Tacacs-Server Port

    Command Mode: Global Configuration Example: Console(config)#tacacs-server key green Console(config)# tacacs-server port: This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax: tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
  • Page 813: Tacacs-Server Timeout

    Example: Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout: This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax: tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 814: Aaa

    TACACS+ Server Group: Group Name Member Index ------------------------- ------------- tacacs+ Console# The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
  • Page 815: Aaa Accounting Exec

    group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 816: Aaa Accounting Update

    group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 817: Aaa Authorization Exec

    ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting. Example: Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec: This command enables the authorization for Exec access. Use the no form to disable the authorization service.
  • Page 818: Aaa Group Server

    aaa group server: Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax: [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
  • Page 819: Accounting Dot1X

    Example: Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x: This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax: accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the accounting dot1x...
  • Page 820: Authorization Exec

    Example: Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec: This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax: authorization exec {default | list-name} no authorization exec...
  • Page 821: Web Server

    user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) Default Setting: None Command Mode: Privileged Exec Example: Console#show accounting Accounting Type : dot1x Method List : default Group List...
  • Page 822: Ip Http Port

    ip http port: This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax: ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
  • Page 823: Ip Http Secure-Port

    ip http secure-port: This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax: ip http secure-port port_number no ip http secure-port port_number –...
  • Page 824: Table 81: Https System Support

    Command Usage: ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. ◆ If you enable HTTPS, you must indicate this in the URL that you specify...
  • Page 825: Telnet Server

    TELNET SERVER This section describes commands used to configure Telnet management access to the switch. Table 82: Telnet Server Commands (columns: Command, Function, Mode): ip telnet max-sessions - Specifies the maximum number of Telnet sessions that can simultaneously connect to this system; ip telnet port - Specifies the port to be used by the Telnet interface...
  • Page 826: Ip Telnet Port

    ip telnet port: This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax: ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface.
  • Page 827: Show Ip Telnet

    show ip telnet: This command displays the configuration settings for the Telnet server. Command Mode: Normal Exec, Privileged Exec Example: Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# SECURE SHELL...
  • Page 828 Table 83: Secure Shell Commands (Continued) (columns: Command, Function, Mode): show ssh - Displays the status of current SSH sessions; show users - Shows SSH users, including privilege level and public key type. Configuration Guidelines: The SSH server on this switch supports both password and public key authentication.
  • Page 829 Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 830: Ip Ssh Authentication-Retries

    The client sends a signature generated using the private key to the switch. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.
  • Page 831: Ip Ssh Server-Key Size

    Command Mode: Global Configuration Command Usage: ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses DSA or RSA for key exchange when the client first...
  • Page 832: Ip Ssh Timeout

    ip ssh timeout: This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax: ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting...
  • Page 833: Ip Ssh Crypto Host-Key Generate

    Example: Console#delete public-key admin dsa Console# ip ssh crypto host-key generate: This command generates the host key pair (i.e., public and private). Syntax: ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa –...
  • Page 834: Ip Ssh Crypto Zeroize

    ip ssh crypto zeroize: This command clears the host key from memory (i.e. RAM). Syntax: ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. Default Setting: Clears both the DSA and RSA key.
  • Page 835: Show Ip Ssh

    Related Commands: ip ssh crypto host-key generate (833) show ip ssh: This command displays the connection settings used when authenticating client access to the SSH server. Command Mode: Privileged Exec Example: Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds;...
  • Page 836: Show Ssh

    show ssh: This command displays the current SSH server connections. Command Mode: Privileged Exec Example: Console#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5...
  • Page 837: Port Authentication

    802.1X PORT AUTHENTICATION The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 838: General Commands

    Table 85: 802.1X Port Authentication Commands (Continued) (columns: Command, Function, Mode): dot1x timeout start-period - Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Information Display Commands: show dot1x - Shows all dot1x related information. General Commands...
  • Page 839: Dot1X System-Auth-Control

    Example: This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state. Console(config)#dot1x eapol-pass-through Console(config)# dot1x system-auth-control: This command enables IEEE 802.1X port authentication globally on the switch.
  • Page 840: Dot1X Max-Reauth-Req

    Command Usage: For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
  • Page 841: Dot1X Operation-Mode

    Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x operation-mode: This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 842: Dot1X Port-Control

    dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax: dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 843: Dot1X Timeout Quiet-Period

    Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands: dot1x timeout re-authperiod (843) dot1x timeout quiet-period: This command sets the time that a switch port waits after the maximum request count (see page 840) has been exceeded before attempting to acquire a new client.
  • Page 844: Dot1X Timeout Supp-Timeout

    Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout: This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.
  • Page 845: Dot1X Re-Authenticate

    Default: 30 seconds Command Mode: Interface Configuration Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate: This command forces re-authentication on all ports or a specific interface. Syntax: dot1x re-authenticate [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 846: Supplicant Commands

    Supplicant Commands dot1x identity profile: This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings. Syntax: dot1x identity profile {username username | password password} no dot1x identity profile {username | password} username - Specifies the supplicant user name.
  • Page 847: Dot1X Pae Supplicant

    Command Mode: Interface Configuration Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# dot1x pae supplicant: This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port. Syntax: [no] dot1x pae supplicant...
  • Page 848: Dot1X Timeout Auth-Period

    dot1x timeout auth-period: This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. Syntax: dot1x timeout auth-period seconds no dot1x timeout auth-period seconds - The number of seconds.
  • Page 849: Dot1X Timeout Start-Period

    dot1x timeout start-period: This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting. Syntax: dot1x timeout start-period seconds no dot1x timeout start-period seconds - The number of seconds.
  • Page 850 ◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 846). ◆ 802.1X Port Summary – Displays the port access control parameters...
  • Page 851 ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. ■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 852: Management Ip Filter

    Identifier(Server) Reauthentication State Machine State : Initialize Console# MANAGEMENT IP FILTER This section describes commands used to configure IP management access to the switch. Table 86: Management IP Filter Commands (columns: Command, Function, Mode): management - Configures IP addresses that are allowed management...
  • Page 853: Show Management

    ◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 854: Pppoe Intermediate Agent

    SNMP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 TELNET-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 Console# PPPoE INTERMEDIATE AGENT This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
  • Page 855: Pppoe Intermediate-Agent

    pppoe intermediate-agent: This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature. Syntax: [no] pppoe intermediate-agent Default Setting: Disabled Command Mode: Global Configuration Command Usage: ◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent...
  • Page 856: Pppoe Intermediate-Agent Port-Enable

    Default Setting: ◆ Access Node Identifier: IP address of the management interface. ◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added. Command Mode: Global Configuration Command Usage: The switch uses the access-node-identifier to generate the circuit-id for...
  • Page 857: Pppoe Intermediate-Agent Port-Format-Type

    pppoe intermediate-agent port-format-type: This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings. Syntax: pppoe intermediate-agent port-format-type {circuit-id | remote-id} id-string circuit-id - String identifying the circuit identifier (or interface) on this switch to which the user is connected.
  • Page 858: Pppoe Intermediate-Agent Trust

    pppoe intermediate-agent trust: This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode. Syntax: [no] pppoe intermediate-agent trust Default Setting...
  • Page 859: Clear Pppoe Intermediate-Agent Statistics

    Example: Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent vendor-tag strip Console(config-if)# clear pppoe intermediate-agent statistics: This command clears statistical counters for the PPPoE Intermediate Agent. Syntax: clear pppoe intermediate-agent statistics interface [interface] interface ethernet unit/port unit - Stack unit.
  • Page 860: Show Pppoe Intermediate-Agent Statistics

    PPPoE Discover packet too large to process. Try reducing the number of tags added. PPPoE Intermediate Agent Oper Generic Error Message PPPoE Discover packet too large to process. Try reducing the number of tags added.
  • Page 861 Table 88: show pppoe intermediate-agent statistics - display description (columns: Field, Description): PADT - PPPoE Active Discovery Terminate. Dropped: Response from untrusted - Response from an interface which has not been configured as trusted; Request towards untrusted - Request sent to an interface which has not been configured as trusted; Malformed - Corrupted PPPoE message.
  • Page 863: General Security Measures

    GENERAL SECURITY MEASURES This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter.
  • Page 864: Port Security

    PORT SECURITY These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 865 Command Mode: Interface Configuration (Ethernet) Command Usage: ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 866: Show Port Security

    Example: The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands: show interfaces status (965), shutdown (957), mac-address-table static (1034) This command displays port security status and the secure address count.
  • Page 867: Table 91: Show Port Security - Display Description

    Table 91: show port security - display description (columns: Field, Description): Port Security - The configured status (enabled or disabled). Port Status - The operational status: ◆ Secure/Down – Port security is disabled. ◆ Secure/Up – Port security is enabled. ◆...
  • Page 868: Network Access (Mac Address Authentication)

    MAC Filter ID Last Intrusion MAC : 00-10-22-00-00-01 Last Time Detected Intrusion MAC : 2010/7/29 15:13:03 Console# NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
  • Page 869: Network-Access Aging

    Table 92: Network Access Commands (Continued) (columns: Command, Function, Mode): show network-access mac-address-table - Displays information for entries in the secure MAC address table; show network-access mac-filter - Displays information for entries in the MAC filter tables. Use this command to enable aging for authenticated MAC addresses stored...
  • Page 870: Network-Access Mac-Filter

    network-access mac-filter: Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address. Syntax: [no] network-access mac-filter filter-id mac-address mac-address [mask mask-address] filter-id - Specifies a MAC address filter table.
  • Page 871: Mac-Authentication Reauth-Time

    mac-authentication reauth-time: Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value. Syntax: mac-authentication reauth-time seconds no mac-authentication reauth-time...
  • Page 872: Network-Access Dynamic-Vlan

    attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information: Table 93: Dynamic QoS Profiles (columns: Profile, Attribute Syntax, Example): Profile: DiffServ; Attribute Syntax: service-policy-in=policy-map-name; Example: service-policy-in=p1. Profile: Rate Limit; Attribute Syntax: rate-limit-input=rate (Kbps); Example: rate-limit-input=100 (Kbps). Attribute Syntax: rate-limit-output=rate (Kbps)
  • Page 873: Network-Access Guest-Vlan

    Command Mode: Interface Configuration Command Usage: ◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
  • Page 874: Network-Access Link-Detection

    ◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command). Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access guest-vlan 25 Console(config-if)# network-access link-detection: Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
  • Page 875: Network-Access Link-Detection Link-Up

    Command Mode: Interface Configuration Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-down action trap Console(config-if)# network-access link-detection link-up: Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 876: Network-Access Max-Mac-Count

    trap - Issue SNMP trap message only. trap-and-shutdown - Issue SNMP trap message and disable the port. Default Setting: Disabled Command Mode: Interface Configuration Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up-down action trap Console(config-if)# network-access max-mac-count: Use this command to set the maximum number of MAC addresses that can...
  • Page 877: Network-Access Mode Mac-Authentication

    network-access mode mac-authentication: Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication. Syntax: [no] network-access mode mac-authentication Default Setting: Disabled...
  • Page 878: Network-Access Port-Mac-Filter

    network-access port-mac-filter: Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter. Syntax: network-access port-mac-filter filter-id no network-access port-mac-filter filter-id - Specifies a MAC address filter table.
  • Page 879: Mac-Authentication Max-Mac-Count

    mac-authentication max-mac-count: Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default. Syntax: mac-authentication max-mac-count count no mac-authentication max-mac-count...
  • Page 880: Show Network-Access

    show network-access: Use this command to display the MAC authentication settings for port interfaces. Syntax: show network-access [interface interface] interface - Specifies a port interface. ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 881: Show Network-Access Mac-Address-Table

    show network-access mac-address-table: Use this command to display secure MAC address table entries. Syntax: show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}] static - Specifies static address entries. dynamic - Specifies dynamic address entries.
  • Page 882: Show Network-Access Mac-Filter

    show network-access mac-filter: Use this command to display information for entries in the MAC filter tables. Syntax: show network-access mac-filter [filter-id] filter-id - Specifies a MAC address filter table. (Range: 1-64) Default Setting: Displays all filters.
  • Page 883: Web-Auth Login-Attempts

    Table 94: Web Authentication (Continued) (columns: Command, Function, Mode): web-auth system-auth-control - Enables web authentication globally for the switch; web-auth - Enables web authentication for an interface; web-auth re-authenticate (Port) - Ends all web authentication sessions on the port and forces the users to re-authenticate; web-auth re-authenticate (IP)
  • Page 884: Web-Auth Quiet-Period

    CHAPTER | General Security Measures: Web Authentication. web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default. SYNTAX: web-auth quiet-period time; no web-auth quiet period...
  • Page 885: Web-Auth System-Auth-Control

    CHAPTER | General Security Measures: Web Authentication. web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default. SYNTAX: [no] web-auth system-auth-control. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
  • Page 886: Web-Auth Re-Authenticate (Port)

    CHAPTER | General Security Measures: Web Authentication. web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. SYNTAX: web-auth re-authenticate interface interface. interface - Specifies a port interface. ethernet unit/port: unit - Unit identifier.
  • Page 887: Show Web-Auth

    CHAPTER | General Security Measures: Web Authentication. show web-auth: This command displays global web authentication parameters. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show web-auth
        Global Web-Auth Parameters
        System Auth Control : Enabled
        Session Timeout : 3600
        Quiet Period : 60
        Max Login Attempts
        Console#
    This command displays interface-specific web authentication parameters show web-auth...
  • Page 888: Show Web-Auth Summary

    CHAPTER | General Security Measures: DHCP Snooping. show web-auth summary: This command displays a summary of web authentication port parameters and statistics. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show web-auth summary
        Global Web-Auth Parameters
        System Auth Control : Enabled
        Port Status Authenticated Host Count
        ---- ------ ------------------------...
  • Page 889: Ip Dhcp Snooping

    CHAPTER | General Security Measures: DHCP Snooping. Table 95: DHCP Snooping Commands (Continued). Command / Function / Mode:
        show ip dhcp snooping - Shows the DHCP snooping configuration settings
        show ip dhcp snooping binding - Shows the DHCP snooping binding table entries
    ip dhcp snooping: This command enables DHCP snooping globally. Use the no form to restore the default setting.
  • Page 890 CHAPTER | General Security Measures: DHCP Snooping. ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows: ■ If the DHCP packet is a reply packet from a DHCP server...
  • Page 891: Ip Dhcp Snooping Information Option

    CHAPTER | General Security Measures: DHCP Snooping. ip dhcp snooping information option: This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of sub-type and sub-length in CID/RID fields, or the no form with the remote-id keyword to set the remote ID to...
  • Page 892: Ip Dhcp Snooping Information Policy

    CHAPTER | General Security Measures: DHCP Snooping. ◆ When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • Page 893: Ip Dhcp Snooping Verify Mac-Address

    CHAPTER | General Security Measures: DHCP Snooping. COMMAND MODE: Global Configuration. COMMAND USAGE: When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
  • Page 894: Ip Dhcp Snooping Vlan

    CHAPTER | General Security Measures: DHCP Snooping. ip dhcp snooping vlan: This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. SYNTAX: [no] ip dhcp snooping vlan vlan-id. vlan-id - ID of a configured VLAN (Range: 1-4093). DEFAULT SETTING: Disabled...
  • Page 895: Ip Dhcp Snooping Information Option Circuit-Id

    CHAPTER | General Security Measures: DHCP Snooping. ip dhcp snooping information option circuit-id: This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to disable this feature. SYNTAX: ip dhcp snooping information option circuit-id string string; no dhcp snooping information option circuit-id. string - An arbitrary string inserted into the circuit identifier field.
  • Page 896: Ip Dhcp Snooping Trust

    CHAPTER | General Security Measures: DHCP Snooping. ■ The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above. EXAMPLE: This example sets the DHCP Snooping Information circuit-id suboption string.
        Console(config)#interface ethernet 1/1
        Console(config-if)#ip dhcp snooping information option circuit-id string mv2
        Console(config-if)#
    This command configures the specified interface as trusted.
  • Page 897: Clear Ip Dhcp Snooping Binding

    CHAPTER | General Security Measures: DHCP Snooping. EXAMPLE: This example sets port 5 to untrusted.
        Console(config)#interface ethernet 1/5
        Console(config-if)#no ip dhcp snooping trust
        Console(config-if)#
    RELATED COMMANDS: ip dhcp snooping (889), ip dhcp snooping vlan (894). clear ip dhcp snooping binding: This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the...
  • Page 898: Ip Dhcp Snooping Database Flash

    CHAPTER | General Security Measures: DHCP Snooping. ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory. COMMAND MODE: Privileged Exec. COMMAND USAGE: This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 899: Show Ip Dhcp Snooping Binding

    CHAPTER | General Security Measures: IP Source Guard. show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show ip dhcp snooping binding
        MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
        ----------------- --------------- ---------- -------------------- ---- ---------
        11-22-33-44-55-66 192.168.0.99    0          Dynamic-DHCPSNP      1    Eth 1/5...
  • Page 900 CHAPTER | General Security Measures: IP Source Guard. ip-address - A valid unicast IP address, including classful types A, B or C. unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) DEFAULT SETTING: No configured entries. COMMAND MODE: Global Configuration. COMMAND USAGE...
  • Page 901: Ip Source-Guard

    CHAPTER | General Security Measures: IP Source Guard. ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. SYNTAX: ip source-guard {sip | sip-mac}; no ip source-guard...
  • Page 902: Ip Source-Guard Max-Binding

    CHAPTER | General Security Measures: IP Source Guard. ◆ Filtering rules are implemented as follows: ■ If DHCP snooping is disabled (see page 889), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 903: Show Ip Source-Guard

    CHAPTER | General Security Measures: IP Source Guard. COMMAND USAGE: ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 904: Arp Inspection

    CHAPTER | General Security Measures: ARP Inspection. EXAMPLE:
        Console#show ip source-guard binding
        MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
        ----------------- --------------- ---------- -------------------- ---- --------
        11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
        Console#
    ARP INSPECTION: ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 905: Ip Arp Inspection

    CHAPTER | General Security Measures: ARP Inspection. Table 98: ARP Inspection Commands (Continued). Command / Function / Mode:
        show ip arp inspection statistics - Shows statistics about the number of ARP packets processed, or dropped for various reasons
        show ip arp inspection vlan - Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation...
  • Page 906: Ip Arp Inspection Filter

    CHAPTER | General Security Measures: ARP Inspection. ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. SYNTAX: ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]. arp-acl-name - Name of an ARP ACL.
  • Page 907: Ip Arp Inspection Log-Buffer Logs

    CHAPTER | General Security Measures: ARP Inspection. ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings. SYNTAX: ip arp inspection log-buffer logs message-number interval seconds; no ip arp inspection log-buffer logs...
  • Page 908: Ip Arp Inspection Validate

    CHAPTER | General Security Measures: ARP Inspection. ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. SYNTAX: ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}; no ip arp inspection validate. dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 909: Ip Arp Inspection Limit

    CHAPTER | General Security Measures: ARP Inspection. DEFAULT SETTING: Disabled on all VLANs. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 910: Ip Arp Inspection Trust

    CHAPTER | General Security Measures: ARP Inspection. COMMAND MODE: Interface Configuration (Port, Static Aggregation). COMMAND USAGE: ◆ This command applies to both trusted and untrusted ports. ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit. EXAMPLE:
        Console(config)#interface ethernet 1/1
        Console(config-if)#ip arp inspection limit 150...
  • Page 911: Show Ip Arp Inspection Configuration

    CHAPTER | General Security Measures: ARP Inspection. show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show ip arp inspection configuration
        ARP inspection global information:
        Global IP ARP Inspection status : disabled
        Log Message Interval : 10 s
        Log Message Number...
  • Page 912: Show Ip Arp Inspection Log

    CHAPTER | General Security Measures: ARP Inspection. show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show ip arp inspection log
        Total log entries number is 1
        Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 913: Denial Of Service Protection

    CHAPTER | General Security Measures: Denial of Service Protection. COMMAND USAGE: Enter this command to display the configuration settings for all VLANs, or display the settings for a specific VLAN by entering the VLAN identifier. EXAMPLE:
        Console#show ip arp inspection vlan 1
        VLAN ID DAI Status ACL Name...
  • Page 914: Dos-Protection Echo-Chargen

    CHAPTER | General Security Measures: Denial of Service Protection. dos-protection echo-chargen: This command protects against DoS echo/chargen attacks in which the echo service repeats anything sent to it, and the chargen (character generator) service generates a continuous stream of data. When used together, they create an infinite loop and result in a denial-of-service.
  • Page 915: Dos-Protection Tcp-Flooding

    CHAPTER | General Security Measures: Denial of Service Protection. dos-protection tcp-flooding: This command protects against DoS TCP-flooding attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed-Source IP) to a target and never returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service.
  • Page 916: Dos-Protection Tcp-Syn-Fin-Scan

    CHAPTER | General Security Measures: Denial of Service Protection. dos-protection tcp-syn-fin-scan: This command protects against DoS TCP-SYN/FIN-scan attacks in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags.
  • Page 917: Dos-Protection Tcp-Xmas-Scan

    CHAPTER | General Security Measures: Denial of Service Protection. dos-protection tcp-xmas-scan: This command protects against DoS TCP-xmas-scan in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
  • Page 918: Dos-Protection Win-Nuke

    CHAPTER | General Security Measures: Denial of Service Protection. dos-protection win-nuke: This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.”...
  • Page 919: Port-Based Traffic Segmentation

    CHAPTER | General Security Measures: Port-based Traffic Segmentation. PORT-BASED TRAFFIC SEGMENTATION: If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 920: Traffic-Segmentation Session

    CHAPTER | General Security Measures: Port-based Traffic Segmentation. ◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below. Table 101: Traffic Segmentation Forwarding. Destination Session #1 Session #1 Session #2 Session #2 Normal...
  • Page 921: Traffic-Segmentation Uplink/Downlink

    CHAPTER | General Security Measures: Port-based Traffic Segmentation. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Use this command to create a new traffic-segmentation client session. ◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode. EXAMPLE:
        Console(config)#traffic-segmentation session 1
        Console(config)#...
  • Page 922: Traffic-Segmentation Uplink-To-Uplink

    CHAPTER | General Security Measures: Port-based Traffic Segmentation. ◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
  • Page 923: Show Traffic-Segmentation

    CHAPTER | General Security Measures: Port-based Traffic Segmentation. show traffic-segmentation: This command displays the configured traffic segments. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show traffic-segmentation
        Private VLAN Status Enabled
        Uplink-to-Uplink Mode : Forwarding
        Session   Uplink Ports                   Downlink Ports
        --------- ------------------------------ -----------------------------
        Ethernet Ethernet Ethernet Ethernet...
  • Page 925: Lists

    ACCESS CONTROL LISTS: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 926: Access-List Ip

    CHAPTER | Access Control Lists: IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX: [no] access-list ip {standard | extended} acl-name. standard –...
  • Page 927: Permit, Deny (Standard Ip Acl)

    CHAPTER | Access Control Lists: IPv4 ACLs. permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX: {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 928: Permit, Deny (Extended Ipv4 Acl)

    CHAPTER | Access Control Lists: IPv4 ACLs. permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 929 CHAPTER | Access Control Lists: IPv4 ACLs. control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. time-range-name - Name of the time range. (Range: 1-16 characters) DEFAULT SETTING...
  • Page 930: Ip Access-Group

    CHAPTER | Access Control Lists: IPv4 ACLs. EXAMPLE: This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 931: Show Ip Access-Group

    CHAPTER | Access Control Lists: IPv4 ACLs. COMMAND MODE: Interface Configuration (Ethernet). COMMAND USAGE: ◆ Only one ACL can be bound to a port. ◆ If an ACL is already bound to a port and you bind a different ACL to it,...
  • Page 932: Ipv6 Acls

    CHAPTER | Access Control Lists: IPv6 ACLs. EXAMPLE:
        Console#show ip access-list standard
        IP standard access-list david:
        permit host 10.1.1.21
        permit 168.92.0.0 255.255.15.0
        Console#
    RELATED COMMANDS: permit, deny (927), ip access-group (930). IPv6 ACLs: The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.
  • Page 933: Permit, Deny (Standard Ipv6 Acl)

    CHAPTER | Access Control Lists: IPv6 ACLs. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 934: Permit, Deny (Extended Ipv6 Acl)

    CHAPTER | Access Control Lists: IPv6 ACLs. DEFAULT SETTING: None. COMMAND MODE: Standard IPv6 ACL. COMMAND USAGE: New rules are appended to the end of the list. EXAMPLE: This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 935 CHAPTER | Access Control Lists: IPv6 ACLs. to indicate the appropriate number of zeros required to fill the undefined fields. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 936: Ipv6 Access-Group

    CHAPTER | Access Control Lists: IPv6 ACLs. This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43.
        Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43
        Console(config-ext-ipv6-acl)#
    RELATED COMMANDS: access-list ipv6 (932), Time Range (745). ipv6 access-group: This command binds a port to an IPv6 ACL. Use the no form to remove the port.
  • Page 937: Show Ipv6 Access-Group

    CHAPTER | Access Control Lists: IPv6 ACLs. show ipv6 access-group: This command shows the ports assigned to IPv6 ACLs. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show ipv6 access-group
        Interface ethernet 1/2
        IPv6 standard access-list david in
        Console#
    RELATED COMMANDS: ipv6 access-group (936). This command displays the rules for configured IPv6 ACLs.
  • Page 938: Mac Acls

    CHAPTER | Access Control Lists: MAC ACLs. MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 939: Permit, Deny (Mac Acl)

    CHAPTER | Access Control Lists: MAC ACLs. RELATED COMMANDS: permit, deny (939), mac access-group (941), show mac access-list (942). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 940 CHAPTER | Access Control Lists: MAC ACLs. {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name]; no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}. tagged-eth2 –...
  • Page 941: Mac Access-Group

    CHAPTER | Access Control Lists: MAC ACLs. EXAMPLE: This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
        Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
        Console(config-mac-acl)#
    RELATED COMMANDS: access-list mac (938), Time Range (745). This command binds a MAC ACL to a port.
  • Page 942: Show Mac Access-Group

    CHAPTER | Access Control Lists: MAC ACLs. show mac access-group: This command shows the ports assigned to MAC ACLs. COMMAND MODE: Privileged Exec. EXAMPLE:
        Console#show mac access-group
        Interface ethernet 1/5
        MAC access-list M5 in
        Console#
    RELATED COMMANDS: mac access-group (941). show mac access-list: This command displays the rules for configured MAC ACLs. SYNTAX...
  • Page 943: Arp Acls

    CHAPTER | Access Control Lists: ARP ACLs. ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 944: Permit, Deny (Arp Acl)

    CHAPTER | Access Control Lists: ARP ACLs. permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. SYNTAX: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 945: Show Access-List Arp

    CHAPTER | Access Control Lists: ARP ACLs. EXAMPLE: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
        Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
        Console(config-mac-acl)#
    RELATED COMMANDS: access-list arp (943). This command displays the rules for configured ARP ACLs.
  • Page 946: Acl Information

    CHAPTER | Access Control Lists: ACL Information. ACL INFORMATION: This section describes commands used to display ACL information. Table 107: ACL Information Commands. Command / Function / Mode:
        clear access-list hardware counters - Clears hit counter for rules in all ACLs, or in a specified ACL.
  • Page 947: Show Access-List

    CHAPTER | Access Control Lists: ACL Information.
        MAC access-list jerry
        Console#
    show access-list: This command shows all ACLs and associated rules. SYNTAX: show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]]. arp –...
  • Page 949: Interface Commands

    INTERFACE COMMANDS: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 108: Interface Commands. Command / Function / Mode. Interface Configuration:
        interface - Configures an interface type and enters interface configuration mode
        alias - Configures an alias name for the interface...
  • Page 950: Interface Configuration

    CHAPTER | Interface Commands: Interface Configuration. Table 108: Interface Commands (Continued). Command / Function / Mode:
        transceiver-threshold temperature - Sends a trap when the transceiver temperature falls outside the specified thresholds
        transceiver-threshold tx-power - Sends a trap when the power level of the transmitted signal falls outside the specified thresholds
        transceiver-threshold - Sends a trap when the transceiver voltage falls outside...
  • Page 951: Alias

    CHAPTER | Interface Commands: Interface Configuration. COMMAND USAGE: The craft interface is provided as an out-of-band management connection which is isolated from all other ports on the switch. This interface must first be configured with an IPv4 or IPv6 address before a connection can be made through Telnet, SSH, or HTTP.
  • Page 952: Capabilities

    CHAPTER | Interface Commands: Interface Configuration. capabilities: This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values. SYNTAX: [no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric}...
  • Page 953: Description

    CHAPTER | Interface Commands: Interface Configuration. RELATED COMMANDS: negotiation (956), speed-duplex (958), flowcontrol (954). description: This command adds a description to an interface. Use the no form to remove the description. SYNTAX: description string; no description. string - Comment or a description to help you remember what is attached to this interface.
  • Page 954: Flowcontrol

    CHAPTER | Interface Commands: Interface Configuration. COMMAND MODE: Interface Configuration (Ethernet). COMMAND USAGE: Use the no discard command to allow CDP or PVST packets to be forwarded to other ports in the same VLAN which are also configured to forward the specified packet type. EXAMPLE: The following example forwards CDP packets entering port 5.
  • Page 955: History

    CHAPTER | Interface Commands: Interface Configuration. EXAMPLE: The following example enables flow control on port 5.
        Console(config)#interface ethernet 1/5
        Console(config-if)#flowcontrol
        Console(config-if)#no negotiation
        Console(config-if)#
    RELATED COMMANDS: negotiation (956), capabilities (flowcontrol, symmetric) (952). history: This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples.
  • Page 956: Media-Type

    CHAPTER | Interface Commands: Interface Configuration. media-type: This command forces the port type selected for combination ports. Use the no form to restore the default mode. SYNTAX: media-type mode; no media-type. mode: copper-forced - Always uses the built-in RJ-45 port. sfp-forced - Always uses the SFP port (even if module not installed).
  • Page 957: Shutdown

    CHAPTER | Interface Commands: Interface Configuration. ◆ When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • Page 958: Speed-Duplex

    CHAPTER | Interface Commands: Interface Configuration. speed-duplex: This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. SYNTAX: speed-duplex {1000full | 100full | 100half | 10full | 10half}; no speed-duplex. 1000full - Forces 1000 Mbps full-duplex operation. 100full - Forces 100 Mbps full-duplex operation...
  • Page 959: Clear Counters

    CHAPTER | Interface Commands: Interface Configuration. clear counters: This command clears statistics on an interface. SYNTAX: clear counters interface. interface: ethernet unit/port: unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4093) DEFAULT SETTING: None...
  • Page 960: Show Interfaces Brief

    CHAPTER | Interface Commands: Interface Configuration.
        Eth 1/ 6 Default Default
    show interfaces brief: This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports. COMMAND MODE: Privileged Exec. COMMAND USAGE: If link status is down due to an administrative setting or the result of a...
  • Page 961 CHAPTER | Interface Commands: Interface Configuration. COMMAND USAGE: If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" on page 160. EXAMPLE:
        Console#show interfaces counters ethernet 1/1
        Ethernet 1/ 1
        ===== IF table Stats =====
        2166458 Octets Input...
  • Page 962: Show Interfaces History

    CHAPTER | Interface Commands: Interface Configuration.
        1 Packets Output per second
        0.00 % Output Utilization
        Console#show interfaces counters vlan 1
        VLAN 1
        21462 Octets Input
        93 Packets Input
        Console#
    show interfaces history: This command displays statistical history for the specified interfaces. SYNTAX: show interfaces history [interface [name [current | previous index count] [input | output]]]
  • Page 963 CHAPTER | Interface Commands: Interface Configuration.
        Interval : 1 minute(s)
        Buckets Requested : 15
        Buckets Granted : 15
        Status : Active
        Current Entries
        Start Time   Octets Input    Unicast       Multicast     Broadcast
        ------------ --------------- ------------- ------------- -------------
        00d 02:50:52 15059355        80275         43750         2304
        Discards Errors...
  • Page 964 CHAPTER | Interface Commands: Interface Configuration.
        Octets Output   Unicast       Multicast     Broadcast
        --------------- ------------- ------------- -------------
        8896498997      11151669      4734465       119595
        Discards      Errors
        ------------- -------------
        Console#
    This example shows the statistics recorded for a named entry in the sampling table.
        Console#show interfaces history ethernet 1/1 1min
        Interface : Eth 1/ 1
        Name...
  • Page 965: Show Interfaces Status

    CHAPTER | Interface Commands: Interface Configuration.
        00d 00:06:37 7572668
        00d 00:07:37 8548505
    show interfaces status: This command displays the status for an interface. SYNTAX: show interfaces status [interface]. interface: ethernet unit/port: unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4093) DEFAULT...
  • Page 966: Show Interfaces Switchport

    CHAPTER | Interface Commands: Interface Configuration.
        Flow Control Type : None
        Max Frame Size : 1518 bytes (1522 bytes for tagged frames)
        MAC Learning Status : Enabled
        Console#
    show interfaces switchport: This command displays the administrative and operational status of the specified interfaces.
  • Page 967: Transceiver Threshold Configuration

    Table 109: show interfaces switchport - display description. Field / Description. Broadcast Threshold: Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 1005). Multicast Threshold: Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page...
  • Page 968: Transceiver-Threshold Current

    COMMAND MODE Interface Configuration (SFP Ports) EXAMPLE Console(config)#interface ethernet 1/25 Console(config-if)#transceiver-monitor Console# transceiver-threshold current: This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
  • Page 969: Transceiver-Threshold Rx-Power

    was greater than the threshold. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the low threshold and reaches the high threshold. ◆ Threshold events are triggered as described above to avoid a hysteresis...
  • Page 970: Transceiver-Threshold Temperature

    COMMAND USAGE ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
  • Page 971: Transceiver-Threshold Tx-Power

    COMMAND MODE Interface Configuration (SFP Ports) COMMAND USAGE ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages enabled by the transceiver-monitor command are sent...
  • Page 972: Transceiver-Threshold Voltage

    COMMAND USAGE ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
  • Page 973: Show Interfaces Transceiver

    COMMAND USAGE ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.
  • Page 974: Show Interfaces Transceiver-Threshold

    Fiber Type : Single Mode (SM) Eth Compliance Codes : 1000BASE-LX Baud Rate : 1200 MBd Vendor OUI : 00-17-6A Vendor Name : AVAGO Vendor PN : AFCT-5705APZ Vendor Rev : 0000 Vendor SN : AC1119S00XU Date Code : 11-05-13...
  • Page 975: Cable Diagnostics

    EXAMPLE Console#show interfaces transceiver-threshold ethernet 1/12 Information of Eth 1/12 DDM Thresholds Low Alarm Low Warning High Warning High Alarm ----------- ------------ ------------ ------------ ------------ Temperature(Celsius) -123.00 0.00 70.00 75.00 Voltage(Volts) 3.10 3.15 3.45 3.50 Current(mA) 6.00...
  • Page 976: Show Cable-Diagnostics

    show cable-diagnostics: This command shows the results of a cable diagnostics test. SYNTAX show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) COMMAND MODE Privileged Exec COMMAND USAGE...
  • Page 977: Power Savings

    Power Savings power-save: This command enables power savings mode on the specified port. Use the no form to disable this feature. SYNTAX [no] power-save DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
  • Page 978: Show Power-Save

    Power-savings mode on an active link only works when the connection speed is 100 Mbps or higher at linkup, and line length is less than 60 meters. Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling.
  • Page 979: Link Aggregation Commands

    LINK AGGREGATION COMMANDS Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 980: Manual Configuration Commands

    ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings. ◆ Any of the Gigabit ports on the front panel can be trunked together,...
  • Page 981 DEFAULT SETTING src-dst-mac COMMAND MODE Global Configuration COMMAND USAGE ◆ This command applies to all static and dynamic trunks on the switch. ◆ To ensure that the switch traffic load is distributed evenly across all...
  • Page 982: Channel-Group

    channel-group: This command adds a port to a trunk. Use the no form to remove a port from a trunk. SYNTAX channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-12) DEFAULT SETTING The current port will be added to this trunk.
  • Page 983 ◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
  • Page 984: Lacp Admin-Key (Ethernet Interface)

    lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. SYNTAX lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side of an aggregate link.
  • Page 985: Lacp Port-Priority

    lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 986: Lacp System-Priority

    lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link.
  • Page 987: Lacp Timeout

    DEFAULT SETTING COMMAND MODE Interface Configuration (Port Channel) COMMAND USAGE ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 988: Trunk Status Display Commands

    ◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group. ◆ When a dynamic port-channel member leaves a port-channel, the...
  • Page 989: Table 111: Show Lacp Counters - Display Description

    LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 111: show lacp counters - display description. Field / Description. LACPDUs Sent: Number of valid LACPDUs transmitted from this channel group. LACPDUs Received: Number of valid LACPDUs received on this channel group.
  • Page 990: Table 113: Show Lacp Neighbors - Display Description

    Table 112: show lacp internal - display description (Continued). Field / Description. Admin State, Oper State: Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state;...
  • Page 991: Show Port-Channel Load-Balance

    Table 113: show lacp neighbors - display description (Continued). Field / Description. Port Oper Priority: Priority value assigned to this aggregation port by the partner. Admin Key: Current administrative value of the Key for the protocol partner. Oper Key: Current operational value of the Key for the protocol partner.
  • Page 993: Port Mirroring Commands

    PORT MIRRORING COMMANDS Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 994 vlan-id - VLAN ID (Range: 1-4093) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters) DEFAULT SETTING ◆...
  • Page 995: Show Port Monitor

    ◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: Use the access-list command (page 925) to add an ACL. Use the access-group command to add a mirrored port to an access control list.
  • Page 996: Rspan Mirroring Commands

    COMMAND USAGE This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). EXAMPLE The following shows mirroring configured from port 6 to port 5: Console(config)#interface ethernet 1/5 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end Console#show port monitor...
  • Page 997 Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
  • Page 998: Rspan Source

    rspan source: Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type. SYNTAX [no] rspan session session-id source interface interface-list [rx | tx | both]...
  • Page 999: Rspan Destination

    rspan destination: Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port. SYNTAX rspan session session-id destination interface interface [tagged | untagged] no rspan session session-id destination interface interface session-id –...
  • Page 1000: Rspan Remote Vlan

    rspan remote vlan: Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN. SYNTAX [no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface...
  • Page 1001: No Rspan Session

    show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. EXAMPLE The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3: Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3 Console(config)#...
  • Page 1002 EXAMPLE Console#show rspan session RSPAN Session ID Source Ports (mirrored ports) : None RX Only : None TX Only : None BOTH : None Destination Port (monitor port) : Eth 1/2 Destination Tagged Mode : Untagged Switch Role : Destination...

This manual is also suitable for:

Ecs4810-12m
