Supermicro SSE-G2252 User Manual

SSE-G2252 Switch / SSE-G2252P Switch
USER'S MANUAL
Revision 1.0b


Summary of Contents for Supermicro SSE-G2252

  • Page 2 State of California, USA. The State of California, County of Santa Clara shall be the exclusive venue for the resolution of any such disputes. Supermicro's total liability for all claims will not exceed the price paid for the hardware product.
  • Page 3 ABOUT THIS GUIDE. PURPOSE: This guide gives specific information on how to operate and use the management functions of the following switches: SSE-G2252 GIGABIT ETHERNET SWITCH, a Layer 2+ Managed Switch with 48 10/100/1000BASE-T (RJ-45) Ports and 4 Gigabit SFP Ports...
  • Page 4 REVISION HISTORY: This section summarizes the changes in each revision of this guide. Revision 1.0, September 2015 Release: This is the first version of this guide. This guide is valid for software release v2.0.0.4. November 2015 Revision: This is the second version of this guide, with new changes for the latest software release.
  • Page 5: Table Of Contents

    MANUAL TABLE OF CONTENTS (p. 15); GETTING STARTED; INTRODUCTION ...
  • Page 6 Configuring Support for Jumbo Frames (p. 68); Displaying Bridge Extension Capabilities (p. 69); Managing System Files (p. 70); Copying Files via FTP/SFTP/TFTP or HTTP (p. 70); Saving the Running Configuration to a Local File (p. 73); Setting the Start-Up File (p. 74); Showing System Files (p. 75); Automatic Operation Code Upgrade (p. 75); Setting the System Clock (p. 79); Setting the Time Manually (p. 80); Setting the SNTP Polling Interval (p. 81)...
  • Page 7 Configuring VLAN Mirroring (p. 176); ADDRESS TABLE SETTINGS (p. 179); Configuring MAC Address Learning (p. 179); Setting Static Addresses (p. 181); Changing the Aging Time (p. 182)...
  • Page 8 Configuring Interface Settings for Web Authentication (p. 281); Network Access (MAC Address Authentication) (p. 282); Configuring Global Settings for Network Access (p. 284); Configuring Network Access for Ports (p. 285); Configuring Port Link Detection (p. 287); Configuring a MAC Address Filter (p. 288); Displaying Secure MAC Address Information (p. 290); Configuring HTTPS (p. 291); Configuring Global Settings for HTTPS (p. 291); Replacing the Default Secure-site Certificate (p. 293)...
  • Page 9 Link Layer Discovery Protocol (p. 374); Setting LLDP Timing Attributes (p. 375); Configuring LLDP Interface Attributes (p. 377); Configuring LLDP Interface Civic-Address (p. 381); Displaying LLDP Local Device Information (p. 383); Displaying LLDP Remote Device Information (p. 386); Displaying Device Statistics (p. 394); Power over Ethernet (p. 396); Setting the Switch’s Overall PoE Power Budget (p. 396); Setting the Port PoE Power Budget (p. 398); Simple Network Management Protocol (p. 400); Configuring Global Settings for SNMP (p. 402)...
  • Page 10 UDLD Configuration (p. 513); Configuring UDLD Protocol Intervals (p. 514); Configuring UDLD Interface Settings (p. 515); Displaying UDLD Neighbor Information (p. 517); 15 MULTICAST FILTERING (p. 519); Overview (p. 519); Layer 2 IGMP (Snooping and Query for IPv4) (p. 520); Configuring IGMP Snooping and Query Parameters (p. 522)...
  • Page 11 Dynamic Host Configuration Protocol (p. 617); Specifying a DHCP Client Identifier (p. 617); Enabling DHCP Dynamic Provision (p. 620); Configuring the PPPoE Intermediate Agent (p. 621); Configuring PPPoE IA Global Settings (p. 621); Configuring PPPoE IA Interface Settings (p. 622); Showing PPPoE IA Statistics (p. 624); 18 GENERAL IP ROUTING (p. 627); Overview (p. 627); Initial Configuration (p. 627); IP Routing and Switching (p. 628)...
  • Page 12 PPPoE Intermediate Agent (p. 810); 24 GENERAL SECURITY MEASURES (p. 817); Port Security (p. 818); Network Access (MAC Address Authentication) (p. 824); Web Authentication (p. 837)...
  • Page 13 37 CLASS OF SERVICE COMMANDS (p. 1121); Priority Commands (Layer 2) (p. 1121); Priority Commands (Layer 3 and 4) (p. 1125); 38 QUALITY OF SERVICE COMMANDS ...
  • Page 14: I Getting Started

    SECTION I: GETTING STARTED. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: “Introduction” on page 17 ...
  • Page 15: Key Features

    Chapter 1: Introduction, Key Features. INTRODUCTION: This switch provides a broad range of features for Layer 2 switching and Layer 3 static routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 16: Description Of Software Features

    Chapter 1: Introduction, Description of Software Features. Table 1-1: Key Features (Continued). Store-and-Forward Switching: supported to ensure wire-speed switching while eliminating bad frames. Spanning Tree Algorithm: supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP). Virtual LANs: up to 4094 using IEEE 802.1Q, port-based, protocol-based, voice VLANs, and QinQ tunnel...
  • Page 17 Chapter 1: Introduction, Description of Software Features. AUTHENTICATION: This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
  • Page 18 Chapter 1: Introduction, Description of Software Features. STORM CONTROL: Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted. If traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
  • Page 19 Chapter 1: Introduction, Description of Software Features. ... but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. • Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP.
  • Page 20 Chapter 1: Introduction, Description of Software Features. TRAFFIC PRIORITIZATION: This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority, Weighted Round Robin (WRR) scheduling, or a combination of strict and weighted queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application.
  • Page 21 Chapter 1: Introduction, Description of Software Features. ETHERNET RING PROTECTION SWITCHING: ERPS can be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN). ERPS provides Layer 2 loop avoidance and fast reconvergence in Layer 2 ring topologies, supporting up to 255 nodes in the ring structure.
  • Page 22: System Defaults

    Chapter 1: Introduction, System Defaults. SYSTEM DEFAULTS: The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults. Table 1-2: System Defaults (Function / Parameter / Default)...
  • Page 23 Chapter 1: Introduction, System Defaults. Table 1-2: System Defaults (Continued).
    SNMP: SNMP Agent: Enabled. Community Strings: “public” (read only), “private” (read/write). Traps: authentication traps enabled; link-up-down events enabled. SNMP V3: View: defaultview; Group: public (read only), private (read/write).
    Port Configuration: Admin Status: Enabled...
    Note that with these defaults a factory-fresh switch accepts SNMP writes from anyone on the management network who sends the well-known community “private”; replace or remove both community strings before the switch is reachable from a production network.
  • Page 24 Chapter 1: Introduction, System Defaults. Table 1-2: System Defaults (Continued).
    Traffic Prioritization: Ingress Port Priority and Queue Mode (defaults not shown in this excerpt). Queue Weight: queue 0 / 1 / 2 / 3 = weight 1 / 2 / 4 / 6. Class of Service: Enabled. IP Precedence Priority: Disabled. IP DSCP Priority: Disabled.
    IP Settings...
  • Page 25: Initial Switch Configuration

    Chapter 2: Initial Switch Configuration, Connecting to the Switch. INITIAL SWITCH CONFIGURATION: This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 26: Required Connections

    Chapter 2: Initial Switch Configuration, Connecting to the Switch.
    • Control port access through IEEE 802.1X security or static address filtering
    • Filter packets using Access Control Lists (ACLs)
    • Configure up to 4094 IEEE 802.1Q VLANs
    • Enable GVRP automatic VLAN registration
    ...
  • Page 27: Remote Connections

    Chapter 2: Initial Switch Configuration, Basic Configuration.
    • Set the data format to 8 data bits, 1 stop bit, and no parity.
    • Set flow control to none.
    • Set the emulation mode to VT100.
    • When using HyperTerminal, select Terminal keys, not Windows ...
  • Page 28: Setting Passwords

    Console(config)#username guest password 0 [password]
    Console(config)#username ADMIN password 0 [password]
    Console(config)#
    * This manual covers the SSE-G2252 and SSE-G2252P Gigabit Ethernet switches. Other than the support for PoE on the SSE-G2252P, there are no other significant differences. Therefore nearly all of the screen display examples are based on the SSE-G2252.
  • Page 29 Chapter 2: Initial Switch Configuration, Basic Configuration. SETTING AN IP ADDRESS: You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: • Manual — You have to input the information, including IP address and subnet mask.
  • Page 30 Chapter 2: Initial Switch Configuration, Basic Configuration. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.5 255.255.255.0
    Console(config-if)#exit
    ...
  • Page 31 Chapter 2: Initial Switch Configuration Basic Configuration ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console#...
  • Page 32 Chapter 2: Initial Switch Configuration Basic Configuration Console#show ipv6 interface VLAN 1 is up IPv6 is enabled. Link-local address: fe80::260:3eff:fe11:6700%1/64 Global unicast address(es): 2001:db8:2222:7272::66/64, subnet is 2001:db8:2222:7272::/64 Joined group address(es): ff02::1:ff00:66 ff02::1:ff11:6700 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds...
  • Page 33 Chapter 2: Initial Switch Configuration, Basic Configuration. • To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>. • Type “end” to return to the Privileged Exec mode. Press <Enter>. • Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” ...
  • Page 34 Chapter 2: Initial Switch Configuration Basic Configuration ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console# Address for Multi-segment Network —...
  • Page 35 Chapter 2: Initial Switch Configuration, Basic Configuration. DOWNLOADING A CONFIGURATION FILE AND OTHER PARAMETERS: Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration parameters...
  • Page 36 On the DHCP server side this is an ISC dhcpd class that matches the switch's vendor class identifier (Option 60) and returns the TFTP server (Option 66) and boot file name (Option 67). The manual's fragment, reassembled into a complete stanza (the class keyword and closing brace are implied by dhcpd.conf syntax):
    class "Option66,67_1" {
        # DHCP Option 60 vendor class two
        match if option vendor-class-identifier = "SSE-G2252-series.cfg";
        option tftp-server-name "192.168.255.101";
        option bootfile-name "test";
    }
    Use “SSE-G2252-series.cfg” for the vendor-class-identifier in the dhcpd.conf file. The switch acts on whichever DHCP server answers it, and TFTP carries no authentication, so the segment used for this provisioning must not carry untrusted DHCP servers and the TFTP host it names must be trusted. ENABLING SNMP: The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications.
  • Page 37 Chapter 2: Initial Switch Configuration Basic Configuration configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred. The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients.
  • Page 38 Chapter 2: Initial Switch Configuration, Basic Configuration. TRAP RECEIVERS: You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]” ...
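    The password, management-address and SNMP steps from pages 28 to 38, gathered into one console session as an added example (it is not taken from the Supermicro manual). The “username”, “interface vlan 1”, “ip address”, “ip default-gateway” and “snmp-server host” forms are the ones the manual shows, with the account names guest and ADMIN as the page prints them; “configure”, “no snmp-server community”, “snmp-server community … ro”, “end” and “copy running-config startup-config” are assumed from the same CLI family and should be checked against the command reference chapters before use. The reading of the “0” after “password” as “entered in clear text” is also an assumption, since the page does not explain it. The addresses, the community string and the [password] placeholders are made up for the example; lines beginning with “!” are annotations, not commands.

```console
Console#configure
! Replace both factory logins before anything else; "0" = password typed in clear text (assumed)
Console(config)#username guest password 0 [password]
Console(config)#username ADMIN password 0 [password]
! Management address on VLAN 1 plus the default gateway, as on pages 29-30
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
! The agent ships enabled with "public" (ro) and "private" (rw): retire both (assumed syntax)
Console(config)#no snmp-server community public
Console(config)#no snmp-server community private
Console(config)#snmp-server community n0t-public ro
! Trap receiver, in the documented snmp-server host form
Console(config)#snmp-server host 192.168.1.100 n0t-public version 2c
Console(config)#end
Console#copy running-config startup-config
```

    Version 2c is used above only because it is the lowest form the documented syntax accepts; “snmp-server host” also takes “version 3 priv”, which requires an SNMPv3 user to be configured under the SNMP chapter and is the form to prefer wherever the trap path can be observed. Without the final copy the changes live only in the running configuration and are lost on reboot.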
  • Page 39: Managing System Files

    Chapter 2: Initial Switch Configuration, Managing System Files. MANAGING SYSTEM FILES: The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 40 Chapter 2: Initial Switch Configuration Managing System Files contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup”...
  • Page 41: Web Configuration

    SECTION II: WEB CONFIGURATION. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: “Using the Web Interface” on page 45 • “Basic Management Tasks” on page 65 • ...
  • Page 42 ... “General IP Routing” on page 627
  • Page 43: Using The Web Interface

    Chapter 3: Using the Web Interface, Connecting to the Web Interface. USING THE WEB INTERFACE: This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 8, Mozilla Firefox 36, or Google Chrome 41, or more recent versions).
  • Page 44: Navigating The Web Browser Interface

    Ethernet switches. Other than the support for PoE (SSE-G2252P), there are no other differences. Therefore nearly all of the screen display examples are based on the SSE-G2252. The panel graphics for all of switch types are shown on the following page.
  • Page 45: Configuration Options

    Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Figure 3-2: Front Panel Indicators SSE-G2252 SSE-G2252P Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
  • Page 46 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Switch Shows the number of ports, hardware version, power status, and firmware version numbers Capability Enables support for jumbo frames; shows the bridge extension parameters File Copy...
  • Page 47 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Sets the source and target ports for mirroring Show Shows the configured mirror sessions Statistics Shows Interface, Etherlike, and RMON port statistics Chart Shows Interface, Etherlike, and RMON port statistics History...
  • Page 48 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Chart Shows Interface, Etherlike, and RMON port statistics History Shows statistical history for the specified interfaces. Load Balance Sets the load-distribution method among ports in aggregated links Green Ethernet Adjusts the power provided to ports based on the length of the cable used to connect to other devices...
  • Page 49 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page IP Subnet Maps IP subnet traffic to a VLAN Show Shows IP subnet to VLAN mapping MAC-Based Maps traffic with specified source MAC address to a VLAN Show Shows source MAC address to VLAN mapping Mirror...
  • Page 50 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page MSTP Multiple Spanning Tree Algorithm Configure Global Configures initial VLAN and priority for an MST instance Show Shows configured MST instances Modify Modifies priority for an MST instance Add Member...
  • Page 51 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Show Shows configured class maps Modify Modifies the name of a class map Add Rule Configures the criteria used to classify ingress traffic Show Rule Shows the traffic classification rules for a class map Configure Policy...
  • Page 52 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Show Information Summary Shows the configured accounting methods, and the methods applied to specific interfaces Statistics Shows basic accounting information recorded for user sessions Authorization Enables authorization of requested services Configure Method...
  • Page 53 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Configure User Key Copy Imports user public keys from TFTP server Show Displays RSA and DSA user keys; deletes user keys Access Control Lists Configure Time Range Configures the time to apply an ACL...
  • Page 54 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Configure Global Enables authentication and EAPOL pass-through Configure Interface Sets authentication parameters for individual ports Authenticator Sets port authenticator settings Supplicant Sets port supplicant settings Show Statistics...
  • Page 55 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Add CA-Type Specifies the location of the device attached to an interface Show CA-Type Shows the location of the device attached to an interface Modify CA-Type Modifies the location of the device attached to an interface Show Local Device Information...
  • Page 56 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Configure Trap Configures notification managers to receive messages on key events that occur this switch Show Shows configured notification managers Configure Notify Filter Creates an SNMP notification log Show...
  • Page 57 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Show Shows list of configured ERPS rings, status, and settings Configure Details Configures ring parameters Configure Operation Blocks a ring port using Forced Switch or Manual Switch commands Connectivity Fault Management Configure Global...
  • Page 58 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Show Remote MEP Details Displays detailed CFM information about a specified remote MEP in the continuity check database Show Link Trace Cache Shows information about link trace operations launched from this device Show Fault Notification Generator...
  • Page 59 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Show Shows static routing entries Modify Modifies the selected static routing entry Routing Table Show Information Shows all routing entries, including local and static routes IPv6 Configuration Configure Global Sets an IPv6 default gateway for traffic with no known next hop...
  • Page 60 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Configure VLAN Enables DHCP snooping on a VLAN Configure Interface Sets the trust mode for an interface Show Information Displays the DHCP Snooping binding information Dynamic Provision Enables dynamic provisioning via DHCP PPPoE Intermediate Agent...
  • Page 61 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Statistics Show Query Statistics Shows statistics for query-related messages Show VLAN Statistics Shows statistics for protocol messages, number of active groups Show Port Statistics Shows statistics for protocol messages, number of active groups Show Trunk Statistics...
  • Page 62 Chapter 3: Using the Web Interface Navigating the Web Browser Interface Table 3-2: Switch Main Menu (Continued) Menu Description Page Show VLAN Statistics Shows statistics for protocol messages and number of active groups Show Port Statistics Shows statistics for protocol messages and number of active groups Show Trunk Statistics Shows statistics for protocol messages and number of active...
  • Page 63: Basic Management Tasks

    Chapter 4: Basic Management Tasks, Displaying System Information. BASIC MANAGEMENT TASKS: This chapter describes the following topics: • Displaying System Information – Provides basic system description, including contact information. • Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. • Configuring Support for Jumbo Frames – ...
  • Page 64 PARAMETERS: These parameters are displayed: • System Description – Brief description of device type. • System Object ID – MIB II object ID for the switch’s network management subsystem: SSE-G2252 – 1.3.6.1.4.1.259.10.1.39.101 (ECS4210-52P: 1.3.6.1.4.1.259.10.1.39.102); SSE-G2252P – 1.3.6.1.4.1.259.10.1.39.102 (ECS4210-52P: 1.3.6.1.4.1.259.10.1.39.102) • ...
  • Page 65: Displaying Hardware/Software Versions

    Chapter 4: Basic Management Tasks, Displaying Hardware/Software Versions. DISPLAYING HARDWARE/SOFTWARE VERSIONS: Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. CLI REFERENCES: “System Management Commands” ...
  • Page 66: Configuring Support For Jumbo Frames

    Chapter 4: Basic Management Tasks, Configuring Support for Jumbo Frames. Figure 4-2: General Switch Information. CONFIGURING SUPPORT FOR JUMBO FRAMES: Use the System > Capability page to configure support for Layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
  • Page 67: Displaying Bridge Extension Capabilities

    Chapter 4: Basic Management Tasks, Displaying Bridge Extension Capabilities. Click Apply. Figure 4-3: Configuring Support for Jumbo Frames. DISPLAYING BRIDGE EXTENSION CAPABILITIES: Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs.
  • Page 68: Managing System Files

    Chapter 4: Basic Management Tasks Managing System Files Max Supported VLAN ID – The maximum configurable VLAN • identifier supported on this switch. GMRP – GARP Multicast Registration Protocol (GMRP) allows network • devices to register end stations with multicast groups. This switch does not support GMRP;...
  • Page 69 Chapter 4: Basic Management Tasks Managing System Files You can also set the switch to use new firmware or configuration settings without overwriting the current version. Just download the file using a different name from the current version, and then set the new file as the startup file.
  • Page 70 Chapter 4: Basic Management Tasks, Managing System Files. • FTP/SFTP/TFTP Server IP Address – The IP address of an FTP/SFTP/TFTP server. • User Name – The user name for FTP/SFTP server access. • Password – The password for FTP/SFTP server access. • ... Of the three, only SFTP encrypts the session; FTP sends the user name and password in clear text and TFTP has no authentication at all, so prefer SFTP wherever the server supports it.
  • Page 71: Saving The Running Configuration To A Local File

    Chapter 4: Basic Management Tasks, Managing System Files. Figure 4-5: Copy Firmware. If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. SAVING THE RUNNING CONFIGURATION: Use the System > File (Copy) page to save the current configuration settings to a local file on the switch.
  • Page 72: Setting The Start-Up File

    Chapter 4: Basic Management Tasks Managing System Files Select the current startup file on the switch to overwrite or specify a new file name. Then click Apply. Figure 4-6: Saving the Running Configuration If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System >...
  • Page 73: Showing System Files

    Chapter 4: Basic Management Tasks, Managing System Files. SHOWING SYSTEM FILES: Use the System > File (Show) page to show the files in the system directory, or to delete a file. Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted. CLI REFERENCES: “dir” ...
  • Page 74 G2252-series.bix and SSE-G2252-series.bix are considered to be unique files. Thus, if the upgrade file is stored as sse-G2252-series.bix (or even SSE-g2252-series.bix) on a case-sensitive server, then the switch (requesting SSE-G2252-series.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
  • Page 75 Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The SSE-G2252-SERIES.BIX filename must not be included since it is automatically appended by the switch.
  • Page 76 Chapter 4: Basic Management Tasks, Managing System Files. • host – Defines the IP address of the FTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized. • filedir – Defines the directory, relative to the FTP server root, where the upgrade file can be found.
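    The two ways the automatic upgrade silently does nothing, as described on pages 74 to 76 (a file name that differs only in case on a case-sensitive server, and a location URL with the wrong shape), are easy to check on the staging host before pointing the switch at it. The script below is an added example written for this page, not Supermicro's own tooling; it assumes the upgrade file is named SSE-G2252-series.bix exactly as the manual states, that the server's directory listing can be obtained as newline-separated file names, and it checks the URL against the manual's rules (FTP or TFTP, IPv4 address rather than a DNS name, trailing slash, file name not appended). The listing at the bottom is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the Supermicro manual): pre-flight checks for the
# Automatic Operation Code Upgrade settings described above. Assumes the upgrade
# file is named SSE-G2252-series.bix, as the manual states, and that the FTP/
# TFTP server's directory listing is available as newline-separated file names
# (the listing used at the bottom is constructed, not captured from a server).

UPGRADE_FILE="SSE-G2252-series.bix"

# check_upgrade_file LISTING -> exit status
#   0  exact-case name present: the switch will find it
#   1  only a case variant present: a case-sensitive server will not serve it
#   2  no such file at all
check_upgrade_file() {
    listing="$1"
    if printf '%s\n' "$listing" | grep -qxF -- "$UPGRADE_FILE"; then
        return 0
    elif printf '%s\n' "$listing" | grep -qixF -- "$UPGRADE_FILE"; then
        return 1
    fi
    return 2
}

# is_ipv4 ADDR: dotted-quad IPv4 only; the switch does not resolve DNS names.
is_ipv4() {
    addr="$1"
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_upgrade_url URL -> exit status
#   0  acceptable
#   1  scheme is not ftp:// or tftp://
#   2  host is not an IPv4 address
#   3  path does not end with "/"
#   4  the .bix file name was appended (the switch appends it itself)
check_upgrade_url() {
    url="$1"
    case "$url" in ftp://*|tftp://*) ;; *) return 1 ;; esac
    rest="${url#*://}"
    case "$rest" in */*) ;; *) return 3 ;; esac
    host="${rest%%/*}"
    host="${host##*@}"            # strip an optional user:password@ prefix
    is_ipv4 "$host" || return 2
    path="/${rest#*/}"
    if printf '%s' "$path" | grep -qi 'sse-g2252-series\.bix'; then
        return 4
    fi
    case "$path" in */) ;; *) return 3 ;; esac
    return 0
}

# Constructed listing, as a case-sensitive FTP server might return it.
DEMO_LISTING='README.txt
sse-G2252-series.bix'
rc=0; check_upgrade_file "$DEMO_LISTING" || rc=$?
echo "listing check: $rc (1 = wrong case, rename the file on the server)"
rc=0; check_upgrade_url "ftp://192.168.255.101/firmware/" || rc=$?
echo "url check: $rc (0 = acceptable)"
```

    Feed check_upgrade_file the output of an “ls” in the upgrade directory on the server (or an FTP “NLST”), and check_upgrade_url the exact string you intend to type into the Automatic Upgrade Location URL field; a non-zero status names the rule that would have made the switch skip the upgrade without any error on the switch side.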
  • Page 77: Setting The System Clock

    Chapter 4: Basic Management Tasks Setting the System Clock Click System, then File. Select Automatic Operation Code Upgrade from the Action list. Mark the check box to enable Automatic Opcode Upgrade. Enter the URL of the FTP or TFTP server, and the path and directory containing the operation code.
  • Page 78: Setting The Time Manually

    Chapter 4: Basic Management Tasks, Setting the System Clock. SETTING THE TIME MANUALLY: Use the System > Time (Configure General - Manual) page to set the system time on the switch manually without using SNTP. CLI REFERENCES: “calendar set” on page 710 • ...
  • Page 79: Setting The Sntp Polling Interval

    Chapter 4: Basic Management Tasks, Setting the System Clock. SETTING THE SNTP POLLING INTERVAL: Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI REFERENCES: “Time” ...
  • Page 80: Configuring Time Servers

    Chapter 4: Basic Management Tasks Setting the System Clock Current Time – Shows the current time set on the switch. • Authentication Status – Enables authentication for time requests and • updates between the switch and NTP servers. (Default: Disabled) You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers.
  • Page 81 Chapter 4: Basic Management Tasks Setting the System Clock ARAMETERS The following parameters are displayed: SNTP Server IP Address – Sets the IPv4 or IPv6 address for up to • three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.
  • Page 82 Chapter 4: Basic Management Tasks Setting the System Clock Authentication Key – Specifies the number of the key in the NTP • Authentication Key List to use for authentication with the configured server. NTP authentication is optional. If enabled on the System > Time (Configure General) page, you must also configure at least one key on the System >...
  • Page 83 Chapter 4: Basic Management Tasks, Setting the System Clock. SPECIFYING NTP AUTHENTICATION KEYS: Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list. CLI REFERENCES: “ntp authentication-key” on page 702 • ...
  • Page 84: Setting The Time Zone

    Chapter 4: Basic Management Tasks, Setting the System Clock. Figure 4-17: Showing the NTP Authentication Key List. SETTING THE TIME ZONE: Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 85: Configuring The Console Port

    Chapter 4: Basic Management Tasks, Configuring the Console Port. Figure 4-18: Setting the Time Zone. CONFIGURING THE CONSOLE PORT: Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 86: Configuring Telnet Settings

    Chapter 4: Basic Management Tasks – Configuring Telnet Settings. • Stop Bits – Sets the number of stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit) • Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting.
  • Page 87 Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. (Note that the password is only configurable through the CLI.) These parameters can be configured via the web or CLI interface.
  • Page 88: Configuring CPU Guard

    Chapter 4: Basic Management Tasks – Configuring CPU Guard. WEB INTERFACE To configure parameters for the console port: Click System, then Telnet. Specify the connection parameters as required. Click Apply. Figure 4-20: Telnet Connection Settings. CONFIGURING CPU GUARD Use the System > CPU Guard page to set the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second.
  • Page 89: Displaying CPU Utilization

    Chapter 4: Basic Management Tasks – Displaying CPU Utilization. ...buffer) until the number of packets being processed falls below the minimum threshold. (Range: 50-500 pps; Default: 500 pps) • Minimum Threshold – If packet flow has been stopped after exceeding the maximum threshold, normal flow will be restored after usage falls beneath the minimum threshold.
  • Page 90 CLI REFERENCES • “show process cpu” on page 655 • “show process cpu task” on page 657. PARAMETERS The following parameters are displayed: Show Information • Time Interval – The interval at which to update the displayed utilization rate.
  • Page 91: Displaying Memory Utilization

    Chapter 4: Basic Management Tasks – Displaying Memory Utilization. Figure 4-22: Displaying CPU Utilization. To display CPU utilization by task: Click System, CPU Utilization, Show Information by Task. Figure 4-23: Displaying CPU Utilization by Task. DISPLAYING MEMORY UTILIZATION Use the System > Memory Status page to display memory utilization parameters.
  • Page 92: Resetting The System

    Chapter 4: Basic Management Tasks – Resetting the System. PARAMETERS The following parameters are displayed: • Free Size – The amount of memory currently free for use. • Used Size – The amount of memory allocated to active processes. • Total – The total amount of system memory...
  • Page 93 “The switch will be rebooted at March 9 12:00:00 2012. Remaining Time: 0 days, 2 hours, 46 minutes, 5 seconds. Reloading switch regularly time: 12:00 everyday.” • Refresh – Refreshes reload information. Changes made through the...
  • Page 94 • Monthly - Day of the month at which to reload. (Range: 1-31) WEB INTERFACE To restart the switch: Click System, then Reset. Select the required reset mode. For any option other than to reset immediately, fill in the required parameters. Click Apply.
  • Page 95 Figure 4-27: Restarting the Switch (At). Figure 4-28: Restarting the Switch (Regularly).
  • Page 96: Interface Configuration

    Chapter 5: Interface Configuration – Port Configuration. INTERFACE CONFIGURATION This chapter describes the following topics: • Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. • Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
  • Page 97 CLI REFERENCES • “Interface Commands” on page 921. COMMAND USAGE • Auto-negotiation must be disabled before you can configure or force an RJ-45 interface to use the Speed/Duplex mode or Flow Control options. • When using auto-negotiation, the optimal settings will be negotiated...
  • Page 98 • 100h - Supports 100 Mbps half-duplex operation • 100f - Supports 100 Mbps full-duplex operation • 1000f - Supports 1000 Mbps full-duplex operation • FC - Flow control can eliminate frame loss by “blocking” traffic from...
  • Page 99: Configuring By Port Range

    CONFIGURING BY PORT RANGE Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 100: Configuring Local Port Mirroring

    • Type – Indicates the port type. (100BASE-FX, 1000BASE-T, 1000BASE SFP) • Name – Interface label. • Admin – Shows if the port is enabled or disabled. • Oper Status – Indicates if the link is Up or Down...
  • Page 101 CLI REFERENCES • “Local Port Mirroring Commands” on page 973. COMMAND USAGE • Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in this section), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in “Configuring Remote Port Mirroring”...
  • Page 102: Configuring Remote Port Mirroring

    Figure 5-5: Configuring Local Port Mirroring. To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 5-6: Displaying Local Port Mirror Sessions. CONFIGURING REMOTE PORT MIRRORING Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
  • Page 103 Figure 5-7: Configuring Remote Port Mirroring (figure: a source switch, intermediate switches, and a destination switch linked by uplink ports across the RSPAN VLAN; ingress or egress traffic from the source port is mirrored onto the RSPAN VLAN, and tagged or untagged traffic from the RSPAN VLAN is analyzed at the destination port).
  • Page 104 ...tagged or untagged, and the RSPAN VLAN. Then specify each uplink port where the mirrored traffic is being received. RSPAN Limitations: The following limitations apply to the use of RSPAN on this switch: • RSPAN Ports –...
  • Page 105 • Source - Specifies this device as the source of remotely mirrored traffic. • Intermediate - Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations. • Destination - Specifies this device as a switch configured with a...
  • Page 106: Showing Port Or Trunk Statistics

    Figure 5-8: Configuring Remote Port Mirroring (Source). Figure 5-9: Configuring Remote Port Mirroring (Intermediate). Figure 5-10: Configuring Remote Port Mirroring (Destination). SHOWING PORT OR TRUNK STATISTICS Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and...
  • Page 107 ...heavy traffic). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each port. All values displayed have been accumulated since the last system reboot, and are shown as counts per second.
  • Page 108 ...A count of successfully transmitted frames for which transmission is inhibited by more than one collision. (Due to a chip limitation, this item is not supported on the SSE-G2252.) Late Collisions – The number of times that a collision is detected later than 512 bit-times into the transmission of a packet.
  • Page 109 Table 5-1: Port Statistics (Continued) – Parameter / Description: Oversize Packets – The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. 64 Bytes Packets – The total number of packets (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
  • Page 110 Figure 5-11: Showing Port Statistics (Table). To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If the Interface, Etherlike, or RMON statistics mode is chosen, select a port from the drop-down list.
  • Page 111: Displaying Statistical History

    Figure 5-12: Showing Port Statistics (Chart). DISPLAYING STATISTICAL HISTORY Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces. CLI REFERENCES • “history”...
  • Page 112 • Port – Port number. (Range: 1-12) • History Name – Name of sample interval. (Range: 1-32 characters) • Interval - The interval for sampling statistics. (Range: 1-86400 minutes) • Requested Buckets - The number of samples to take. (Range: 1-96)...
  • Page 113 Figure 5-13: Configuring a History Sample. To show the configured entries for a history sample: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show from the Action menu. Select an interface from the Port or Trunk list. Figure 5-14: Showing Entries for History Sampling. To show the configured parameters for a sampling entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
  • Page 114 Figure 5-15: Showing Status of Statistical History Sample. To show statistics for the current interval of a sample entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show Details from the Action menu. Select Current Entry from the options for Mode.
  • Page 115: Displaying Transceiver Data

    Select Input Previous Entry or Output Previous Entry from the options for Mode. Select an interface from the Port or Trunk list. Select a sampling entry from the Name list. Figure 5-17: Showing Ingress Statistics for a History Sample. Use the Interface >...
  • Page 116: Configuring Transceiver Thresholds

    WEB INTERFACE To display identifying information and functional parameters for optical transceivers: Click Interface, Port, Transceiver. Select a port from the scroll-down list. Figure 5-18: Displaying Transceiver Data. CONFIGURING TRANSCEIVER THRESHOLDS Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital...
  • Page 117 • “transceiver-threshold voltage” on page 943 • “show interfaces transceiver-threshold” on page 945. PARAMETERS These parameters are displayed: • Port – Port number. (Range: 1-52) • General – Information on connector type and vendor-related parameters.
  • Page 118 • Power: -40.00 to 8.20 dBm. The threshold value for Rx and Tx power is calculated as the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). Threshold values for alarm and warning messages can be configured as described below.
  • Page 119: Performing Cable Diagnostics

    Figure 5-19: Configuring Transceiver Thresholds. PERFORMING CABLE DIAGNOSTICS Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 120 • Open – Open pair, no link partner • Short – Shorted pair • Impedance error – Terminating impedance is not in the reference range. • No cable • Not tested • Not supported – This message is displayed for Gigabit Ethernet...
  • Page 121: Trunk Configuration

    Chapter 5: Interface Configuration – Trunk Configuration. Figure 5-20: Performing Cable Tests. TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 122: Configuring A Static Trunk

    • You can create up to 16 trunks on a switch, with up to eight ports per trunk. • The ports at both ends of a connection must be configured as trunk ports. • When configuring static trunks on switches of different types, they...
  • Page 123 PARAMETERS These parameters are displayed: • Trunk ID – Trunk identifier. (Range: 1-16) • Member – The initial trunk member. Use the Add Member page to configure additional members. • Unit – Unit identifier. (Range: 1)...
  • Page 124 Figure 5-23: Adding Static Trunk Members. To configure connection parameters for a static trunk: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Configure from the Action list. Modify the required interface settings. (Refer to “Configuring by Port List”...
  • Page 125: Configuring A Dynamic Trunk

    CONFIGURING A DYNAMIC TRUNK Use the Interface > Trunk > Dynamic pages to set the administrative key for an aggregation group, enable LACP on a port, configure protocol parameters for local and partner ports, or to set Ethernet connection parameters.
  • Page 126 • Admin Key – The LACP administration key is used to identify a specific link aggregation group (LAG) during local LACP setup on the switch. (Range: 0-65535) If the port channel admin key is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (see Configure Aggregation Port - Actor/Partner) used by the interfaces that joined the group.
  • Page 127 By default, the actor’s operational key is determined by the port's link speed (1000f - 4, 100f - 3, 10f - 2), and copied to the admin key. • System Priority – LACP system priority is used to determine link...
  • Page 128 Figure 5-27: Configuring the LACP Aggregator Admin Key. To enable LACP for a port: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click General. Enable LACP on the required ports.
  • Page 129 Figure 5-29: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Show Member from the Action list. Select a Trunk.
  • Page 130: Displaying LACP Port Counters

    Figure 5-31: Configuring Connection Settings for a Dynamic Trunk. To show connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Show from the Action list. Figure 5-32: Showing Connection Parameters for Dynamic Trunks. Use the Interface >...
  • Page 131: Displaying LACP Settings And Status For The Local Side

    Table 5-2: LACP Port Counters (Continued) – Parameter / Description: Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 132 PARAMETERS These parameters are displayed: Table 5-3: LACP Internal Configuration Information – Parameter / Description: LACP System Priority – LACP system priority assigned to this port channel. LACP Port Priority – LACP port priority assigned to this interface within the channel group. Admin Key – Current administrative value of the key for the aggregation port.
  • Page 133: Displaying LACP Settings And Status For The Remote Side

    Figure 5-34: Displaying LACP Port Internal Information. DISPLAYING LACP SETTINGS AND STATUS FOR THE REMOTE SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
  • Page 134: Configuring Load Balancing

    WEB INTERFACE To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Internal. Select a group member from the Port list. Figure 5-35: Displaying LACP Port Remote Information. Use the Interface >...
  • Page 135 ...destined for many different hosts. Do not use this mode for switch-to-server trunk links where the destination IP address is the same for all traffic. • Destination MAC Address: All traffic with the same destination MAC address is output on the same link in a trunk.
  • Page 136: Saving Power

    Chapter 5: Interface Configuration – Saving Power. Click Interface, Trunk, Load Balance. Select the required method from the Load Balance Mode list. Click Apply. Figure 5-36: Configuring Load Balancing. SAVING POWER Use the Interface > Green Ethernet page to enable power savings mode on the selected port.
  • Page 137 ...consumption can be reduced since signal attenuation is proportional to cable length. When power-savings mode is enabled, the switch analyzes cable length to determine whether or not it can reduce the signal amplitude used on a particular link. Power savings can only be implemented on Gigabit Ethernet ports when using twisted-pair cabling.
  • Page 138: Traffic Segmentation

    Chapter 5: Interface Configuration – Traffic Segmentation. TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 139: Configuring Uplink And Downlink Ports

    Figure 5-38: Enabling Traffic Segmentation. CONFIGURING UPLINK AND DOWNLINK PORTS Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 140 • If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. PARAMETERS These parameters are displayed: • Session ID – Traffic segmentation session. (Range: 1-4) • Direction –...
  • Page 141: VLAN Trunking

    Chapter 5: Interface Configuration – VLAN Trunking. Figure 5-40: Showing Traffic Segmentation Members. VLAN TRUNKING Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI REFERENCES • “vlan-trunking” on page 1091...
  • Page 142 • To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode). • If both VLAN trunking and ingress filtering are disabled on an interface, packets with unknown VLAN tags will still be allowed to enter this interface and will be flooded to all other ports where VLAN trunking is enabled.
  • Page 143: VLAN Configuration

    Chapter 6: VLAN Configuration – IEEE 802.1Q VLANs. VLAN CONFIGURATION This chapter includes the following topics: • IEEE 802.1Q VLANs – Configures static and dynamic VLANs. • IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 144 ...or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: • Up to 4094 VLANs based on the IEEE 802.1Q standard...
  • Page 145 Figure 6-1: VLAN Compliant and VLAN Non-compliant Devices (figure legend: VA = VLAN Aware, VU = VLAN Unaware; tagged and untagged frames shown). VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 146: Configuring VLAN Groups

    If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs” on page 153).
  • Page 147 • VLAN ID – ID of VLAN or range of VLANs (1-4094). Up to 4094 VLAN groups can be defined. VLAN 1 is the default untagged VLAN. VLAN 4093 is dedicated for Switch Clustering.
  • Page 148 Figure 6-3: Creating Static VLANs. To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name, operational status, or Layer 3 Interface status as required.
  • Page 149: Adding Static Members To VLANs

    ADDING STATIC MEMBERS TO VLANS Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces. Use the menus for editing port members to configure the VLAN behavior for specific interfaces, including the mode of operation (Hybrid or 1Q Trunk), the default VLAN identifier (PVID), accepted frame types, and ingress filtering.
  • Page 150 ...Hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member. • Acceptable Frame Type – Sets the interface to accept all frame types, including tagged or untagged frames, or only tagged frames. When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
  • Page 151 All parameters are the same as those described under the preceding section for Edit Member by VLAN. Edit Member by Interface Range: All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below.
  • Page 152 Modify the settings for any interface as required. Click Apply. Figure 6-7: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Action list. Set the Interface type to display as Port or Trunk.
  • Page 153: Configuring Dynamic VLAN Registration

    CONFIGURING DYNAMIC VLAN REGISTRATION Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. CLI REFERENCES • “GVRP and Bridge Extension Commands” on page 1079...
  • Page 154 ...the group. (Range: 500-18000 centiseconds; Default: 1000 centiseconds) Show Dynamic VLAN – Show VLAN: VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status –...
  • Page 155 Figure 6-10: Configuring GVRP for an Interface. To show the dynamic VLANs joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 6-11: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic.
  • Page 156: IEEE 802.1Q Tunneling

    Chapter 6: VLAN Configuration – IEEE 802.1Q Tunneling. IEEE 802.1Q TUNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 157 Figure 6-13: QinQ Operational Concept (figure: Customer A (VLANs 1-10) at both sites, connected through service provider edge switch A and edge switch B by QinQ tunneling over VLAN 10, with tunnel access ports labeled)...
  • Page 158 An uplink port receives one of the following packets: • Untagged • One tag (CVLAN or SPVLAN) • Double tag (CVLAN + SPVLAN). The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
  • Page 159: Enabling QinQ Tunneling On The Switch

    ...stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN. • Static trunk port groups are compatible with QinQ tunnel ports as long...
  • Page 160 ...port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. CLI REFERENCES • “Configuring IEEE 802.1Q Tunneling” on page 1094. PARAMETERS These parameters are displayed: • Tunnel Status –...
  • Page 161: Creating CVLAN To SPVLAN Mapping Entries

    Figure 6-14: Enabling QinQ Tunneling. CREATING CVLAN TO SPVLAN MAPPING ENTRIES Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry. CLI REFERENCES • “switchport dot1q-tunnel service match cvid” on page 1096...
  • Page 162 WEB INTERFACE To configure a mapping entry: Click VLAN, Tunnel. Select Configure Service from the Step list. Select Add from the Action list. Select an interface from the Port list. Specify the CVID to SVID mapping for packets exiting the specified port.
  • Page 163: Adding An Interface To A QinQ Tunnel

    ADDING AN INTERFACE TO A QINQ TUNNEL Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
  • Page 164: Protocol VLANs

    Chapter 6: VLAN Configuration – Protocol VLANs. Figure 6-17: Adding an Interface to a QinQ Tunnel. PROTOCOL VLANS The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 165 CLI REFERENCES • “protocol-vlan protocol-group (Configuring Groups)” on page 1107. PARAMETERS These parameters are displayed: • Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol. • Protocol Type –...
  • Page 166: Mapping Protocol Groups To Interfaces

    Figure 6-18: Configuring Protocol VLANs. To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 6-19: Displaying Protocol VLANs. MAPPING PROTOCOL GROUPS TO INTERFACES Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the...
  • Page 167 • If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. • If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. PARAMETERS These parameters are displayed: • Interface –...
  • Page 168: Configuring IP Subnet VLANs

    Chapter 6: VLAN Configuration – Configuring IP Subnet VLANs. Figure 6-20: Assigning Interfaces to Protocol VLANs. To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Show from the Action list. Select a port or trunk.
  • Page 169 COMMAND USAGE • Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a mask. The specified VLAN need not be an existing VLAN. • When an untagged frame is received by a port, the source IP address is...
  • Page 170: Configuring MAC-Based VLANs

    Chapter 6: VLAN Configuration – Configuring MAC-based VLANs. Figure 6-22: Configuring IP Subnet VLANs. To show the configured IP subnet VLANs: Click VLAN, IP Subnet. Select Show from the Action list. Figure 6-23: Showing IP Subnet VLANs. CONFIGURING MAC-BASED VLANS Use the VLAN >...
  • Page 171 • When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. PARAMETERS These parameters are displayed: • MAC Address – A source MAC address which is to be mapped to a...
  • Page 172: Configuring VLAN Mirroring

    Chapter 6: VLAN Configuration – Configuring VLAN Mirroring. Figure 6-24: Configuring MAC-Based VLANs. To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 6-25: Showing MAC-Based VLANs. CONFIGURING VLAN MIRRORING Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis.
  • Page 173 • The target port receives traffic from all monitored source VLANs and can become congested. Some mirror traffic may therefore be dropped from the target port. • When mirroring VLAN traffic or packets based on a source MAC address (see “Configuring MAC Address Mirroring”...
  • Page 174 Figure 6-27: Showing the VLANs to Mirror.
  • Page 175: Address Table Settings

    Chapter 7: Address Table Settings Configuring MAC Address Learning ADDRESS TABLE SETTINGS Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table.
  • Page 176 Chapter 7: Address Table Settings Configuring MAC Address Learning • Also note that MAC address learning cannot be disabled if any of the following conditions exist: • 802.1X Port Authentication has been globally enabled on the switch (see “Configuring 802.1X Global Settings” on page 399).
  • Page 177: Setting Static Addresses

    Chapter 7: Address Table Settings Setting Static Addresses Click Apply. Figure 7-2: Configuring MAC Address Learning for a VLAN SETTING STATIC ADDRESSES Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved.
  • Page 178: Changing The Aging Time

    Chapter 7: Address Table Settings Changing the Aging Time • Delete-on-reset - Assignment lasts until the switch is reset. • Permanent - Assignment is permanent. (This is the default.) WEB INTERFACE To configure a static MAC address: Click MAC Address, Static. Select Add from the Action list.
  • Page 179: Displaying The Dynamic Address Table

    Chapter 7: Address Table Settings Displaying the Dynamic Address Table CLI REFERENCES • “Changing the Aging Time” on page 182 PARAMETERS These parameters are displayed: • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. ...
  • Page 180: Clearing The Dynamic Address Table

    Chapter 7: Address Table Settings Clearing the Dynamic Address Table • MAC Address – Physical address associated with this interface. • VLAN – ID of configured VLAN (1-4094). • Interface – Indicates a port or trunk. • Type – Shows that the entries in this table are learned. ...
  • Page 181: Configuring Mac Address Mirroring

    Chapter 7: Address Table Settings Configuring MAC Address Mirroring • Clear by – All entries can be cleared; or you can clear the entries for a specific MAC address, all the entries in a VLAN, or all the entries associated with a port or trunk. WEB INTERFACE To clear the entries in the dynamic address table: Click MAC Address, Dynamic.
  • Page 182 Chapter 7: Address Table Settings Configuring MAC Address Mirroring • When mirroring VLAN traffic (see “Configuring VLAN Mirroring” on page 235) or packets based on a source MAC address, the target port cannot be the same target port as that used for port mirroring (see “Configuring Local Port Mirroring”...
  • Page 183: Issuing Mac Address Traps

    Chapter 7: Address Table Settings Issuing MAC Address Traps Figure 7-9: Showing the Source MAC Addresses to Mirror ISSUING MAC ADDRESS TRAPS Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. PARAMETERS These parameters are displayed: Configure Global...
  • Page 184 Chapter 7: Address Table Settings Issuing MAC Address Traps Figure 7-10: Issuing MAC Address Traps (Global Configuration) To enable MAC address traps at the interface level: Click MAC Address, MAC Notification. Select Configure Interface from the Step list. Enable MAC notification traps for the required ports. Click Apply.
  • Page 185: Spanning Tree Algorithm

    Chapter 8: Spanning Tree Algorithm Overview SPANNING TREE ALGORITHM This chapter describes the following basic topics: • Loopback Detection – Configures detection and response to loopback BPDUs. • Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. • Interface Settings for STA –...
  • Page 186 Chapter 8: Spanning Tree Algorithm Overview between root ports and designated ports, eliminating any possible network loops. Figure 8-1: STP Root Ports and Designated Ports Designated Root Root Designated Port Port Designated Bridge Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
  • Page 187: Configuring Loopback Detection

    Chapter 8: Spanning Tree Algorithm Configuring Loopback Detection on page 206). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region. A Common Spanning Tree (CST) interconnects all adjacent MST Regions, and acts as a virtual bridge node for communications with STP or RSTP nodes in the global network.
  • Page 188 Chapter 8: Spanning Tree Algorithm Configuring Loopback Detection Loopback detection will not be active if Spanning Tree is disabled on the switch. When configured for manual release mode, then a link down/up event will not release the port from the discarding state. CLI REFERENCES “Spanning Tree Commands”...
  • Page 189: Configuring Global Settings For Sta

    Chapter 8: Spanning Tree Algorithm Configuring Global Settings for STA Figure 8-4: Configuring Port Loopback Detection CONFIGURING GLOBAL SETTINGS FOR STA Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.
  • Page 190 Chapter 8: Spanning Tree Algorithm Configuring Global Settings for STA MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 191 Chapter 8: Spanning Tree Algorithm Configuring Global Settings for STA • To VLAN: Floods BPDUs to all other ports within the receiving port’s native VLAN (i.e., as determined by port’s PVID). This is the default. • To All: Floods BPDUs to all other ports on the switch. ...
  • Page 192 Chapter 8: Spanning Tree Algorithm Configuring Global Settings for STA network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) • Default: 20 • Minimum: The higher of 6 or [2 x (Hello Time + 1)] ...
  • Page 193 Chapter 8: Spanning Tree Algorithm Configuring Global Settings for STA WEB INTERFACE To configure global STA settings: Click Spanning Tree, STA. Select Configure Global from the Step list. Select Configure from the Action list. Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section.
  • Page 194 Chapter 8: Spanning Tree Algorithm Configuring Global Settings for STA Figure 8-6: Configuring Global Settings for STA (RSTP) Figure 8-7: Configuring Global Settings for STA (MSTP) – 198 –...
  • Page 195: Displaying Global Settings For Sta

    Chapter 8: Spanning Tree Algorithm Displaying Global Settings for STA DISPLAYING GLOBAL SETTINGS FOR STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch. CLI REFERENCES “show spanning-tree”...
  • Page 196: Configuring Interface Settings For Sta

    Chapter 8: Spanning Tree Algorithm Configuring Interface Settings for STA Figure 8-8: Displaying Global Settings for STA CONFIGURING INTERFACE SETTINGS FOR STA Use the Spanning Tree > STA (Configure Interface - Configure) page to configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
  • Page 197 Chapter 8: Spanning Tree Algorithm Configuring Interface Settings for STA • Range: 0-240, in steps of 16 • Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 198 Chapter 8: Spanning Tree Algorithm Configuring Interface Settings for STA border around part of the network where the root bridge is allowed. (Default: Disabled) • Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables...
  • Page 199: Displaying Interface Settings For Sta

    Chapter 8: Spanning Tree Algorithm Displaying Interface Settings for STA • BPDU Filter – BPDU filtering allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. By default, STA sends BPDUs to all ports regardless of whether administrative edge is enabled on a port.
  • Page 200 Chapter 8: Spanning Tree Algorithm Displaying Interface Settings for STA PARAMETERS These parameters are displayed: • Spanning Tree – Shows if STA has been enabled on this interface. • BPDU Flooding – Shows if BPDUs will be flooded to other ports when ...
  • Page 201 Chapter 8: Spanning Tree Algorithm Displaying Interface Settings for STA manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 200. • Oper Edge Port – This parameter is initialized to the setting for Admin ...
  • Page 202: Configuring Multiple Spanning Trees

    Chapter 8: Spanning Tree Algorithm Configuring Multiple Spanning Trees Figure 8-11: Displaying Interface Settings for STA CONFIGURING MULTIPLE SPANNING TREES Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI REFERENCES “Spanning Tree Commands”...
  • Page 203 Chapter 8: Spanning Tree Algorithm Configuring Multiple Spanning Trees All VLANs are automatically added to the IST (Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings. PARAMETERS These parameters are displayed: • MST ID –...
  • Page 204 Chapter 8: Spanning Tree Algorithm Configuring Multiple Spanning Trees Figure 8-13: Displaying MST Instances To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
  • Page 205 Chapter 8: Spanning Tree Algorithm Configuring Multiple Spanning Trees Figure 8-15: Displaying Global Settings for an MST Instance To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list.
  • Page 206: Configuring Interface Settings For Mstp

    Chapter 8: Spanning Tree Algorithm Configuring Interface Settings for MSTP Figure 8-17: Displaying Members of an MST Instance CONFIGURING INTERFACE SETTINGS FOR MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI REFERENCES “Spanning Tree Commands”...
  • Page 207 Chapter 8: Spanning Tree Algorithm Configuring Interface Settings for MSTP • Admin MST Path Cost – This parameter is used by MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 208 Chapter 8: Spanning Tree Algorithm Configuring Interface Settings for MSTP Figure 8-19: Displaying MSTP Interface Settings – 212 –...
  • Page 209: Congestion Control

    Chapter 9: Congestion Control Rate Limiting CONGESTION CONTROL The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 210: Storm Control

    Chapter 9: Congestion Control Storm Control WEB INTERFACE To configure rate limits: Click Traffic, Rate Limit. Set the interface type to Port or Trunk. Check the Status box to enable rate limiting for an interface. Set the rate limit for the required interfaces. Click Apply.
  • Page 211 Chapter 9: Congestion Control Storm Control triggers various control responses. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port. • Rate limits set by the storm control function are also used by automatic storm control when the control response is set to rate control on the Auto Traffic Control (Configure Interface) page.
  • Page 212: Automatic Traffic Control

    Chapter 9: Congestion Control Automatic Traffic Control Click Apply. Figure 9-2: Configuring Storm Control AUTOMATIC TRAFFIC CONTROL Use the Traffic > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. CLI REFERENCES “Automatic Traffic Control Commands”...
  • Page 213: Setting The Atc Timers

    Chapter 9: Congestion Control Automatic Traffic Control • When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged. • Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires.
  • Page 214 Chapter 9: Congestion Control Automatic Traffic Control CLI REFERENCES • “auto-traffic-control apply-timer” on page 788 • “auto-traffic-control release-timer” on page 788 COMMAND USAGE • After the apply timer expires, the settings in the Traffic > Automatic Traffic Control (Configure Interface) page are used to determine if a control action will be triggered (as configured under the Action field) or a trap message sent (as configured under the Trap Storm Fire field).
  • Page 215: Configuring Atc Thresholds And Responses

    Chapter 9: Congestion Control Automatic Traffic Control Figure 9-5: Configuring ATC Timers CONFIGURING ATC THRESHOLDS AND RESPONSES Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
  • Page 216 Chapter 9: Congestion Control Automatic Traffic Control • Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 9-3 on page 216.
  • Page 217 Chapter 9: Congestion Control Automatic Traffic Control WEB INTERFACE To configure the response timers for automatic storm control: Click Traffic, Auto Traffic Control. Select Configure Interface from the Step field. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
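An added example, not part of the manual or the switch software: a model of the ATC behaviour described above, with the alarm fire and clear thresholds and the apply and release timers, replayed over a constructed series of per-second rate samples. The trap names are illustrative, and two details the manual leaves open are assumptions marked in the code: a storm that subsides before the apply timer expires cancels the alarm, and traffic climbing back above the clear threshold restarts the release countdown. Shutdown (or rate limiting without auto release) latches until an operator intervenes, which is the failure mode to plan for before enabling it on an uplink.

```python
"""Added example: the automatic traffic control (ATC) state machine described
in this section, driven by one rate sample per second. Constructed model, not
the switch firmware: thresholds are in packets/second, timers in seconds, and
the trap names are illustrative."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class State(Enum):
    NORMAL = "normal"        # below the alarm fire threshold, no response applied
    FIRED = "fired"          # above the fire threshold, apply timer running
    APPLIED = "applied"      # control response (rate limit or shutdown) in effect
    CLEARING = "clearing"    # below the clear threshold, release timer running
    LATCHED = "latched"      # response stays until an operator releases it


@dataclass
class AtcPort:
    fire_threshold: int              # alarm fire threshold (upper)
    clear_threshold: int             # alarm clear threshold (lower), must be below fire
    apply_timer: int                 # seconds above fire before the response is applied
    release_timer: int               # seconds below clear before rate limiting is released
    action: str = "rate-control"     # "rate-control" or "shutdown"
    auto_release: bool = True        # only meaningful for rate-control
    state: State = State.NORMAL
    elapsed: int = 0
    traps: List[Tuple[str, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Hysteresis: a clear threshold at or above the fire threshold would make
        # the port flap between applying and releasing the response.
        if self.clear_threshold >= self.fire_threshold:
            raise ValueError("alarm clear threshold must be below the fire threshold")
        if self.action not in ("rate-control", "shutdown"):
            raise ValueError("unknown action")

    def _trap(self, name: str, t: int) -> None:
        self.traps.append((name, t))

    def sample(self, t: int, rate: int) -> State:
        """Feed one per-second traffic measurement and return the new state."""
        if self.state is State.NORMAL:
            if rate > self.fire_threshold:
                self.state, self.elapsed = State.FIRED, 0
                self._trap("storm-alarm-fire", t)
        elif self.state is State.FIRED:
            if rate <= self.fire_threshold:
                self.state = State.NORMAL   # assumption: storm ended before the apply timer expired
            else:
                self.elapsed += 1
                if self.elapsed >= self.apply_timer:
                    self.state = State.APPLIED
                    self._trap("traffic-control-apply", t)
        elif self.state is State.APPLIED:
            if rate < self.clear_threshold:
                self._trap("storm-alarm-clear", t)
                if self.action == "rate-control" and self.auto_release:
                    self.state, self.elapsed = State.CLEARING, 0
                else:
                    # A shut-down port (or rate limiting without auto release)
                    # needs manual_release(); it never recovers on its own.
                    self.state = State.LATCHED
        elif self.state is State.CLEARING:
            if rate >= self.clear_threshold:
                self.state = State.APPLIED  # assumption: traffic climbed back, keep the limit
            else:
                self.elapsed += 1
                if self.elapsed >= self.release_timer:
                    self.state = State.NORMAL
                    self._trap("traffic-control-release", t)
        return self.state

    def manual_release(self, t: int) -> State:
        """Operator action for a latched port."""
        if self.state is State.LATCHED:
            self.state = State.NORMAL
            self._trap("traffic-control-release", t)
        return self.state


def run(port: AtcPort, rates: List[int]) -> List[Tuple[str, int]]:
    """Replay a list of per-second rate samples and return the traps raised."""
    for t, rate in enumerate(rates):
        port.sample(t, rate)
    return list(port.traps)


# Constructed broadcast storm: quiet, five seconds at 1500 pps, then quiet again.
STORM = [200, 1500, 1500, 1500, 1500, 1500, 300, 300, 300, 300, 200]

if __name__ == "__main__":
    p = AtcPort(fire_threshold=1000, clear_threshold=500, apply_timer=3, release_timer=3)
    print(run(p, STORM), p.state)
```

With the constructed sample the alarm fires at t=1, the limit is applied three seconds later at t=4, the clear trap follows the first sub-threshold sample at t=6 and the limit is released at t=9; the same storm with the shutdown action leaves the port latched after t=6 until `manual_release` is called.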
  • Page 218: Class Of Service

    Chapter 10: Class of Service Layer 2 Queue Settings CLASS OF SERVICE Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 219: Selecting The Queue Mode

    Chapter 10: Class of Service Layer 2 Queue Settings • If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. PARAMETERS These parameters are displayed: • Interface – Displays a list of ports or trunks. ...
  • Page 220 Chapter 10: Class of Service Layer 2 Queue Settings • WRR queuing specifies a relative weight for each queue. That weight determines the percentage of service time the switch spends on each queue before moving on to the next queue.
  • Page 221 Chapter 10: Class of Service Layer 2 Queue Settings Click Traffic, Priority, Queue. Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling strict mode parameter in the table.
  • Page 222 Chapter 10: Class of Service Layer 2 Queue Settings mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 235). The switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
  • Page 223: Mapping Cos Values To Egress Queues

    Chapter 10: Class of Service Layer 2 Queue Settings PARAMETERS These parameters are displayed: • PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7, where 7 is the highest priority) • Queue – Output queue buffer. (Range: 0-3, where 3 is the highest CoS priority queue) WEB INTERFACE To map internal PHB to hardware queues:...
  • Page 224: Layer 3/4 Priority Settings

    Chapter 10: Class of Service Layer 3/4 Priority Settings Figure 10-6: Showing CoS Values to Egress Queue Mapping LAYER 3/4 PRIORITY SETTINGS Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
  • Page 225 Chapter 10: Class of Service Layer 3/4 Priority Settings COMMAND USAGE • If the QoS mapping mode is set to IP Precedence, and the ingress packet type is IPv4, then priority processing will be based on the IP Precedence value in the ingress packet. • If the QoS mapping mode is set to DSCP, and the ingress packet type is...
  • Page 226: Mapping Ip Precedence Values To Internal Dscp Values

    Chapter 10: Class of Service Layer 3/4 Priority Settings Figure 10-7: Setting the Trust Mode MAPPING IP PRECEDENCE VALUES TO INTERNAL DSCP VALUES Use the Traffic > Priority > IP Precedence to DSCP page to map IP precedence values in incoming packets to per-hop behavior and drop precedence values for priority processing.
  • Page 227 Chapter 10: Class of Service Layer 3/4 Priority Settings • Random Early Detection starts dropping yellow and red packets when the buffer fills up to 0x60 packets, and then starts dropping any packets regardless of color when the buffer fills up to 0x80 packets. PARAMETERS These parameters are displayed in the web interface: Interface –...
  • Page 228 Chapter 10: Class of Service Layer 3/4 Priority Settings To show the IP Precedence to internal PHB/drop precedence map in the web interface: Click Traffic, Priority, IP Precedence to DSCP. Select Show from the Action list. Select an interface. Figure 10-9: Showing the IP Precedence to DSCP Internal Map Use the Traffic >...
  • Page 229 Chapter 10: Class of Service Layer 3/4 Priority Settings map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain. PARAMETERS These parameters are displayed: • DSCP – DSCP value in ingress packets. (Range: 0-63) ...
  • Page 230: Mapping Cos Priorities To Internal Dscp Values

    Chapter 10: Class of Service Layer 3/4 Priority Settings Figure 10-10: Configuring DSCP to DSCP Internal Mapping To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list. Figure 10-11: Showing DSCP to DSCP Internal Mapping Use the Traffic >...
  • Page 231 Chapter 10: Class of Service Layer 3/4 Priority Settings Note that priority tags in the original packet are not modified by this command. • The internal DSCP consists of three bits for per-hop behavior (PHB) which determines the queue to which a packet is sent; and two bits for drop precedence (namely color) which is used by Random Early Detection (RED) to control traffic congestion.
  • Page 232 Chapter 10: Class of Service Layer 3/4 Priority Settings Figure 10-12: Configuring CoS to DSCP Internal Mapping To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Figure 10-13: Showing CoS to DSCP Internal Mapping –...
  • Page 233: Quality Of Service

    Chapter 11: Quality of Service Overview QUALITY OF SERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
  • Page 234: Configuring A Class Map

    Chapter 11: Quality of Service Configuring a Class Map COMMAND USAGE To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, or a CoS value.
  • Page 235 Chapter 11: Quality of Service Configuring a Class Map • Description – A brief description of a class map. (Range: 1-64 characters) Add Rule • Class Name – Name of the class map. • Type – The criteria specified by the match command. (This field is set ...
  • Page 236 Chapter 11: Quality of Service Configuring a Class Map Select Configure Class from the Step list. Select Show from the Action list. Figure 11-2: Showing Class Maps To edit the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Add Rule from the Action list.
  • Page 237: Creating Qos Policies

    Chapter 11: Quality of Service Creating QoS Policies Select Show Rule from the Action list. Figure 11-4: Showing the Rules for a Class Map CREATING QOS POLICIES Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 240), modify service tagging, and...
  • Page 238 Chapter 11: Quality of Service Creating QoS Policies burst size (BC, or burst rate), and excess burst size (BE). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the excess burst size. • The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
  • Page 239 Chapter 11: Quality of Service Creating QoS Policies • If the packet has been precolored as yellow or green and if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else ...
  • Page 240 Chapter 11: Quality of Service Creating QoS Policies • if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else the packet is green and both Tp and Tc are decremented by B. • When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Aware mode: If the packet has been precolored as red or if Tp(t)-B <...
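The srTCM and trTCM marking rules quoted above (RFC 2697 and RFC 2698), implemented as an added example that serves both the srTCM passage and the trTCM passage; this is not the switch's code. Both meters are shown in colour-blind and colour-aware mode. Units are bytes and bytes per second rather than the kbps the web page uses, buckets start full as the RFCs specify, and the packet sizes in the demonstration are constructed.

```python
"""Added example: the two policing meters this section describes, srTCM
(RFC 2697) and trTCM (RFC 2698), in colour-blind and colour-aware mode.
Written for this page, not taken from the switch; rates are bytes/second and
bucket sizes bytes so the arithmetic matches the Tc/Te/Tp description."""

GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTCM:
    """Single-rate three-colour marker: one rate (CIR) feeds the committed
    bucket Tc (size CBS); overflow spills into the excess bucket Te (size EBS)."""

    def __init__(self, cir: float, cbs: int, ebs: int, color_aware: bool = False):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = cbs, ebs          # both buckets start full (RFC 2697)
        self.last = 0.0
        self.color_aware = color_aware

    def _refill(self, now: float) -> None:
        gained = (now - self.last) * self.cir
        self.last = now
        into_tc = min(gained, self.cbs - self.tc)
        self.tc += into_tc
        self.te = min(self.ebs, self.te + gained - into_tc)

    def mark(self, now: float, size: int, precolor: str = GREEN) -> str:
        self._refill(now)
        # In colour-aware mode a packet can never be promoted above its precolour.
        may_be_green = (not self.color_aware) or precolor == GREEN
        may_be_yellow = (not self.color_aware) or precolor in (GREEN, YELLOW)
        if may_be_green and self.tc - size >= 0:
            self.tc -= size
            return GREEN
        if may_be_yellow and self.te - size >= 0:
            self.te -= size
            return YELLOW
        return RED                            # red: neither bucket is decremented


class TrTCM:
    """Two-rate three-colour marker: peak bucket Tp (PIR, PBS) and committed
    bucket Tc (CIR, CBS). Exceeding PIR is red, exceeding only CIR is yellow."""

    def __init__(self, cir: float, cbs: int, pir: float, pbs: int, color_aware: bool = False):
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.tc, self.tp = cbs, pbs           # both buckets start full (RFC 2698)
        self.last = 0.0
        self.color_aware = color_aware

    def _refill(self, now: float) -> None:
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + dt * self.cir)
        self.tp = min(self.pbs, self.tp + dt * self.pir)

    def mark(self, now: float, size: int, precolor: str = GREEN) -> str:
        self._refill(now)
        if (self.color_aware and precolor == RED) or self.tp - size < 0:
            return RED
        if (self.color_aware and precolor == YELLOW) or self.tc - size < 0:
            self.tp -= size                   # yellow charges only the peak bucket
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def burst(meter, now: float, sizes, precolor: str = GREEN):
    """Mark a list of packet sizes arriving at the same instant."""
    return [meter.mark(now, s, precolor) for s in sizes]


if __name__ == "__main__":
    # Constructed traffic: 1500 B, 1000 B, 1000 B back to back, then 1000 B one second later.
    m = TrTCM(cir=1000, cbs=2000, pir=2000, pbs=3000)
    print(burst(m, 0.0, [1500, 1000, 1000]), m.mark(1.0, 1000))
    s = SrTCM(cir=1000, cbs=1000, ebs=2000)
    print(burst(s, 0.0, [800, 800, 1500]))
```

Colour-aware mode matters at a trust boundary: a packet already marked yellow or red upstream cannot be promoted back to green by a meter that has tokens to spare, whereas in colour-blind mode the meter ignores the incoming drop precedence, which is the safe choice at an untrusted edge where the precolouring itself is attacker-controlled.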
  • Page 241 Chapter 11: Quality of Service Creating QoS Policies • Set CoS – Configures the service provided to ingress traffic by setting an internal CoS value for a matching packet (as specified in rule settings for a class map). (Range: 0-7) Table 10-7, “Default Mapping of CoS/CFI to Internal PHB/Drop Precedence,”...
  • Page 242 Chapter 11: Quality of Service Creating QoS Policies • Drop – Drops out of conformance traffic. • srTCM (Police Meter) – Defines the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate) and excess burst size (BE), and the action to take for traffic conforming to the maximum throughput, exceeding the maximum throughput but within the excess burst size, or exceeding the excess burst size.
  • Page 243 Chapter 11: Quality of Service Creating QoS Policies • Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63) • Drop – Drops out of conformance traffic. • trTCM (Police Meter) – Defines the committed information rate ...
  • Page 244 Chapter 11: Quality of Service Creating QoS Policies • Drop – Drops out of conformance traffic. • Violate – Specifies whether the traffic that exceeds the peak information rate (PIR) will be dropped or the DSCP service level will be reduced. • Set IP DSCP –...
  • Page 245 Chapter 11: Quality of Service Creating QoS Policies Figure 11-6: Showing Policy Maps To edit the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add Rule from the Action list. Select the name of a policy map. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class.
  • Page 246: Attaching A Policy Map To A Port

    Chapter 11: Quality of Service Attaching a Policy Map to a Port Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 11-8: Showing the Rules for a Policy Map ATTACHING A POLICY MAP TO A PORT Use the Traffic >...
  • Page 247 Chapter 11: Quality of Service Attaching a Policy Map to a Port Check the box under the Ingress field to enable a policy map for a port. Select a policy map from the scroll-down box. Click Apply. Figure 11-9: Attaching a Policy Map to a Port –...
  • Page 248: Voip Traffic Configuration

    Chapter 12: VoIP Traffic Configuration Overview VOIP TRAFFIC CONFIGURATION This chapter covers the following topics: • Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. • Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 249 Chapter 12: VoIP Traffic Configuration Configuring VoIP Traffic CLI REFERENCES • “Configuring Voice VLANs” on page 1114 COMMAND USAGE All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see “Adding Static Members to VLANs”...
  • Page 250: Configuring Telephony Oui

    Chapter 12: VoIP Traffic Configuration Configuring Telephony OUI CONFIGURING TELEPHONY OUI VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses.
  • Page 251: Configuring Voip Traffic Ports

    Chapter 12: VoIP Traffic Configuration Configuring VoIP Traffic Ports Figure 12-2: Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list. Figure 12-3: Showing an OUI Telephony List CONFIGURING VOIP TRAFFIC PORTS...
  • Page 252 Chapter 12: VoIP Traffic Configuration Configuring VoIP Traffic Ports • Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None) • None – The Voice VLAN feature is disabled on the port. The port will ...
  • Page 253 Chapter 12: VoIP Traffic Configuration Configuring VoIP Traffic Ports Click Traffic, VoIP. Select Configure Interface from the Step list. Configure any required changes to the VoIP settings for each port. Click Apply. Figure 12-4: Configuring Port Settings for a Voice VLAN –...
  • Page 254: Security Measures

    Chapter 13: Security Measures SECURITY MEASURES You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 255: Aaa Authentication, Authorization And Accounting

    Chapter 13: Security Measures AAA Authentication, Authorization and Accounting • IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, or static source bindings. • DHCP Snooping –...
  • Page 256: Configuring Local/Remote Logon Authentication

    Chapter 13: Security Measures AAA Authentication, Authorization and Accounting Define RADIUS and TACACS+ server groups to support the accounting and authorization of services. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use.
  • Page 257: Configuring Remote Logon Authentication Servers

    Chapter 13: Security Measures AAA Authentication, Authorization and Accounting • TACACS – User authentication is performed using a TACACS+ server only. • [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. WEB INTERFACE To configure the method(s) of controlling management access: Click Security, AAA, System Authentication.
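An added example of how an authentication sequence such as "RADIUS, then local" is evaluated; this is a constructed model written for this page, not the switch firmware. Its central assumption, stated because the manual does not spell it out, is the usual AAA method-list rule: the next method is consulted only when a server does not respond, while an explicit reject ends the attempt. The back ends, the `admin` account and its password are made up; the local store uses a salted PBKDF2 hash with a constant-time comparison so that the fallback path is at least as careful as the server path.

```python
"""Added example: how an authentication sequence such as "RADIUS, then local"
is evaluated. Constructed model, not the switch firmware. The key assumption,
stated here because the manual does not spell it out: the next method is tried
only when a server does not respond; an explicit reject ends the attempt."""
import hashlib
import hmac
import os
from enum import Enum
from typing import Callable, Dict, List, Tuple

MAX_METHODS = 3     # the switch accepts up to three methods in a sequence


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"


Method = Callable[[str, str], Result]


def authenticate(sequence: List[str], methods: Dict[str, Method],
                 user: str, password: str) -> Tuple[bool, List[Tuple[str, Result]]]:
    """Walk the method list; return (granted, per-method trace)."""
    if not 1 <= len(sequence) <= MAX_METHODS:
        raise ValueError("sequence must name 1 to %d methods" % MAX_METHODS)
    trace: List[Tuple[str, Result]] = []
    for name in sequence:
        result = methods[name](user, password)
        trace.append((name, result))
        if result is Result.NO_RESPONSE:
            continue                           # server unreachable: try the next method
        return result is Result.ACCEPT, trace  # accept or reject is final
    return False, trace                        # nothing answered: fail closed


# --- constructed back ends -------------------------------------------------

def make_local_method(salt: bytes, stored_hash: bytes) -> Method:
    """Local user database with a salted PBKDF2 hash and a constant-time compare."""
    def local(user: str, password: str) -> Result:
        if user != "admin":                    # hypothetical single local account
            return Result.REJECT
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return Result.ACCEPT if hmac.compare_digest(candidate, stored_hash) else Result.REJECT
    return local


def radius_rejecting(user: str, password: str) -> Result:
    return Result.REJECT                       # server is up and says no


def radius_down(user: str, password: str) -> Result:
    # Unreachable server. Note that a wrong shared secret looks the same from the
    # client side: RADIUS silently discards requests whose authenticator fails.
    return Result.NO_RESPONSE


SALT = os.urandom(16)   # hypothetical local credential store, built at import time
LOCAL_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
METHODS: Dict[str, Method] = {
    "radius-up": radius_rejecting,
    "radius-down": radius_down,
    "local": make_local_method(SALT, LOCAL_HASH),
}


def scenarios() -> Dict[str, bool]:
    """The cases an operator should understand before choosing a sequence."""
    return {
        # RADIUS rejects: local is never consulted, even though the local password is right.
        "reject-is-final": authenticate(["radius-up", "local"], METHODS, "admin", "correct horse")[0],
        # RADIUS unreachable: the switch falls back to the local account.
        "fallback-on-timeout": authenticate(["radius-down", "local"], METHODS, "admin", "correct horse")[0],
        # Same fallback with a wrong local password: still denied.
        "fallback-wrong-password": authenticate(["radius-down", "local"], METHODS, "admin", "guess")[0],
        # RADIUS only and unreachable: locked out (fail closed).
        "radius-only-down": authenticate(["radius-down"], METHODS, "admin", "correct horse")[0],
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print("%-24s -> %s" % (name, "granted" if granted else "denied"))
```

The two outcomes to weigh against each other are the last two scenarios: a sequence ending in local keeps management reachable when the RADIUS server is down, but it also means anyone who can make the server unreachable (or who guesses a shared-secret mismatch) downgrades the switch to its local password, so that account must be as strong as the remote ones; a RADIUS-only sequence avoids that downgrade at the cost of a lockout, leaving the console as the recovery path.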
  • Page 258 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting CLI REFERENCES • “RADIUS Client” on page 760 • “TACACS+ Client” on page 764 • “AAA” on page 767 COMMAND USAGE • If a remote authentication server is used, you must specify the ...
  • Page 259 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting • Set Key – Mark this box to set or modify the encryption key. • Authentication Key – Encryption key (the shared secret also configured on the RADIUS or TACACS+ server) used to authenticate logon access for the client. Enclose any string containing blank spaces in double quotes.
  • Page 260 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting WEB INTERFACE To configure the parameters for RADIUS or TACACS+ authentication: Click Security, AAA, Server. Select Configure Server from the Step list. Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
  • Page 261 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list. Select RADIUS or TACACS+ server type.
  • Page 262: Configuring Aaa Accounting

    Chapter 13: Security Measures AAA Authentication, Authorization and Accounting Figure 13-6: Showing AAA Server Groups CONFIGURING AAA ACCOUNTING Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces,...
  • Page 263 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers. No information is sent to the servers about the method to use. •...
  • Page 264 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting • Interface - Displays the port, console or Telnet interface to which these rules apply. (This field is null if the accounting method and associated server group have not been assigned to an interface.) Show Information –...
  • Page 265 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting Figure 13-8: Configuring AAA Accounting Methods To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Show from the Action list.
  • Page 266 Chapter 13: Security Measures AAA Authentication, Authorization and Accounting Figure 13-10: Configuring AAA Accounting Service for 802.1X Service Figure 13-11: Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting.
  • Page 267: Configuring AAA Authorization

    Select Show Information from the Step list. Click Statistics. Figure 13-13: Displaying Statistics for AAA Accounting Sessions. Configuring AAA Authorization: Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces.
  • Page 268 Group Settings page. Authorization is only supported for TACACS+ servers. Configure Service: • Authorization Type – Specifies EXEC authorization, or Command authorization for specific CLI privilege levels. • Console Method Name – Specifies a user defined method name to...
  • Page 269 Click Security, AAA, Authorization. Select Configure Method from the Step list. Select Show from the Action list. Figure 13-15: Showing AAA Authorization Methods. To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization.
  • Page 270: Configuring User Accounts

    Figure 13-17: Displaying the Applied AAA Authorization Method. Configuring User Accounts: Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: “User Accounts and Privilege Levels”...
  • Page 271 Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
  • Page 272: Web Authentication

    Figure 13-18: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 13-19: Showing User Accounts. Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical.
  • Page 273: Configuring Global Settings for Web Authentication

    Configuring Global Settings for Web Authentication: Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication. CLI References: “Web Authentication” on page 837. Parameters: These parameters are displayed: • Web Authentication Status –...
  • Page 274 Configuring Interface Settings for Web Authentication: Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References: “Web Authentication” on page 837 •...
  • Page 275: Configuring Interface Settings for Web Authentication

    Figure 13-21: Configuring Interface Settings for Web Authentication. Network Access (MAC Address Authentication): Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
  • Page 276 • Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
  • Page 277: Configuring Global Settings for Network Access

    • If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1.” Any unsupported profiles in the Filter-ID attribute are ignored.
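    The Filter-ID handling described above, as an added example (not code from the Supermicro manual or the switch firmware): a parser for the ';'-separated "profile=value" items that keeps only the first occurrence of each profile name and silently drops unsupported names. The set of supported profile names is an assumption for illustration; the manual's own example only shows the DiffServ profile service-policy-in.

```python
"""Parse the RADIUS Filter-ID attribute into the dynamic profiles a port
would apply after MAC or 802.1X authentication.

Added example; not code from the Supermicro manual or the switch firmware.
Rules modelled from the manual: items are separated by ';', each is
"name=value", duplicate names keep the first value, unsupported names
are ignored. SUPPORTED_PROFILES is an assumption for illustration.
"""

# Assumed set of profile names the switch understands.
SUPPORTED_PROFILES = {"service-policy-in"}


def parse_filter_id(attr: str, supported=frozenset(SUPPORTED_PROFILES)) -> dict:
    """Return {profile_name: value} for the supported profiles in attr.

    Malformed items (no '=' or empty value) and unsupported names are
    skipped rather than rejected, matching the manual's "ignored" wording.
    """
    applied = {}
    for item in attr.split(";"):
        item = item.strip()
        if not item or "=" not in item:
            continue                      # nothing to apply
        name, _, value = item.partition("=")
        name, value = name.strip(), value.strip()
        if name not in supported or not value:
            continue                      # unsupported profile: ignored
        applied.setdefault(name, value)   # first occurrence wins
    return applied


def describe(attr: str) -> str:
    """Human-readable summary of what the switch would apply (constructed
    helper for the usage example below)."""
    profiles = parse_filter_id(attr)
    if not profiles:
        return "no dynamic profiles applied"
    return "; ".join(f"{k} -> {v}" for k, v in profiles.items())


if __name__ == "__main__":
    # The manual's example: only "p1" is applied.
    print(describe("service-policy-in=p1;service-policy-in=p2"))
```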
  • Page 278: Configuring Network Access for Ports

    • Aging Status – Enables aging for authenticated MAC addresses stored in the secure MAC address table. (Default: Disabled) This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on...
  • Page 279 CLI References: “Network Access (MAC Address Authentication)” on page 824. Parameters: These parameters are displayed: MAC Authentication • Status – Enables MAC authentication on a port. (Default: Disabled) •...
  • Page 280: Configuring Port Link Detection

    • Dynamic QoS – Enables dynamic QoS assignment for an authenticated port. (Default: Disabled) • MAC Filter ID – Allows a MAC Filter to be assigned to the port. MAC addresses or MAC address ranges present in a selected MAC Filter are exempt from authentication on the specified port (as described under Configuring a MAC Address Filter).
  • Page 281: Configuring a MAC Address Filter

    • Link up – Only link up events will trigger the port action. • Link down – Only link down events will trigger the port action. • Link up and down – All link up and link down events will trigger the port action.
  • Page 282 Command Usage: • Specified MAC addresses are exempt from authentication. • Up to 65 filter tables can be defined. • There is no limitation on the number of entries used in a filter table. •...
  • Page 283: Displaying Secure MAC Address Information

    Figure 13-26: Showing the MAC Address Filter Table for Network Access. Displaying Secure MAC Address Information: Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected...
  • Page 284: Configuring HTTPS

    Select Show Information from the Step list. Use the sort key to display addresses based on MAC address, interface, or attribute. Restrict the displayed addresses by entering a specific address in the MAC Address field, specifying a port in the Interface field, or setting the address type to static or dynamic in the Attribute field.
  • Page 285 • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: • The client authenticates the server using the server’s digital...
  • Page 286: Replacing the Default Secure-Site Certificate

    Select Configure Global from the Step list. Enable HTTPS and specify the port number if required. Click Apply. Figure 13-28: Configuring HTTPS. Replacing the Default Secure-Site Certificate: Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate.
  • Page 287: Configuring the Secure Shell

    • Certificate Source File Name – Name of certificate file stored on the TFTP server. • Private Key Source File Name – Name of private key file stored on the TFTP server. • Private Password –...
  • Page 288 switch generates a public-key that the client uses along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.
  • Page 289 1024 35 134108168560989392104094492015542534763164192187295892114317388005553616163105177594083868631109291232226828519254374603100937187721199696317813662774141689851320491172048303392543241016379975923714490119380060902539484084827178194372288402533115952134861022902978982721353267131629432532818915045306393916643 steve@192.168.1.19 Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service –...
  • Page 290: Configuring the SSH Server

    The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
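    Two parts of the SSH user-key procedure above, as an added example that is not code from the Supermicro manual or the switch firmware: converting an OpenSSH "ssh-rsa" public key line into the "bits exponent modulus comment" layout the manual shows for an imported user key (page 289), and the challenge-response the switch runs with that key (random string encrypted with the public key, client returns a checksum of the decrypted value). The OpenSSH wire layout is the real one from RFC 4253; the RSA parameters for the challenge are a constructed toy key (p=61, q=53) far too small for real use, and SHA-256 as the "checksum" is an assumption since the manual does not name the function.

```python
"""SSH user public keys: OpenSSH "ssh-rsa" line -> "bits e n comment",
and the public-key challenge the switch runs after the key is imported.

Added example; not code from the Supermicro manual or the switch firmware.
Real: RFC 4253 ssh-rsa blob layout (length-prefixed "ssh-rsa", mpint e,
mpint n; base64 in the key line). Assumed/constructed: the toy RSA key
(p=61, q=53) used for the challenge, and SHA-256 as the checksum.
"""
import base64
import hashlib
import secrets
import struct


def _mpint(x: int) -> bytes:
    """SSH mpint: length-prefixed big-endian, with a leading 0x00 when the
    top bit is set so the value is not read as negative."""
    raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Build the 'ssh-rsa <base64> comment' line found in id_rsa.pub."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


def _read_field(blob: bytes, pos: int):
    """Read one length-prefixed field; reject truncated blobs."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def to_switch_format(openssh_line: str) -> str:
    """Convert an OpenSSH ssh-rsa line to 'bits e n comment', the layout the
    manual shows for a user key imported onto the switch."""
    parts = openssh_line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    blob = base64.b64decode(parts[1])
    key_type, pos = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    e_raw, pos = _read_field(blob, pos)
    n_raw, pos = _read_field(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after modulus")
    e = int.from_bytes(e_raw, "big")
    n = int.from_bytes(n_raw, "big")
    comment = parts[2].strip() if len(parts) == 3 else ""
    return f"{n.bit_length()} {e} {n} {comment}".rstrip()


# --- The challenge the manual describes, run with a toy RSA key -----------

def _checksum(r: int) -> bytes:
    return hashlib.sha256(r.to_bytes((r.bit_length() + 7) // 8, "big")).digest()


def switch_challenge(e: int, n: int, r: int = None):
    """Switch side: encrypt a random value with the user's public key and
    keep a checksum of the plaintext to compare against the reply."""
    if r is None:
        r = secrets.randbelow(n - 2) + 2          # random value in [2, n-1]
    return pow(r, e, n), _checksum(r)


def client_response(ciphertext: int, d: int, n: int) -> bytes:
    """Client side: decrypt with the private key and return the checksum."""
    return _checksum(pow(ciphertext, d, n))


def authenticate(e: int, n: int, d: int, r: int = None) -> bool:
    """True only when d is the private exponent matching (e, n)."""
    ciphertext, expected = switch_challenge(e, n, r)
    return client_response(ciphertext, d, n) == expected


if __name__ == "__main__":
    # Toy key: n = 61 * 53 = 3233, e = 17, d = 2753 (constructed).
    line = openssh_rsa_line(17, 3233, "steve@192.168.1.19")
    print(to_switch_format(line))
    print("authenticated:", authenticate(17, 3233, 2753))
```

    The conversion is what an administrator needs when the client keeps keys in OpenSSH format but the switch wants the older "bits e n comment" layout; the challenge functions show why an imported key alone grants nothing until the client proves possession of the matching private key.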
  • Page 291: Generating the Host Key Pair

    • Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt. (Range: 1-120 seconds; Default: 120 seconds) • Authentication Retries –...
  • Page 292 A host key pair must be configured on the switch before you can enable the SSH server. See “Configuring the SSH Server” on page 297. CLI References: “Secure Shell” on page 782 •...
  • Page 293: Importing User Public Keys

    Figure 13-31: Generating the SSH Host Key Pair. To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
  • Page 294 • User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see “Configuring User Accounts” on page 277).
  • Page 295: Access Control Lists

    Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear. Click Clear. Figure 13-34: Showing the SSH User’s Public Key. Access Control Lists...
  • Page 296: Setting a Time Range

    • An ACL can have up to 64 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. • The maximum number of rules that can be bound to the ports is 64 for...
  • Page 297 Command Usage: If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
  • Page 298 Select Configure Time Range from the Step list. Select Show from the Action list. Figure 13-36: Showing a List of Time Ranges. To configure a rule for a time range: Click Security, ACL. Select Configure Time Range from the Step list.
  • Page 299: Showing TCAM Utilization

    Figure 13-38: Showing the Rules Configured for a Time Range. Showing TCAM Utilization: Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for the TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
  • Page 300: Setting the ACL Name and Type

    Click Security, ACL. Select Configure ACL from the Step list. Select Show TCAM from the Action list. Figure 13-39: Showing TCAM Utilization. Setting the ACL Name and Type: Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI R...
  • Page 301 • ARP – ARP ACL specifies static IP-to-MAC address bindings used for ARP inspection (see “ARP Inspection” on page 325). Web Interface: To configure the name and type of an ACL: Click Security, ACL. Select Configure ACL from the Step list.
  • Page 302 Configuring a Standard IPv4 ACL: Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. CLI References: “permit, deny (Standard IP ACL)” on page 897 •...
  • Page 303: Configuring a Standard IPv4 ACL

    If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Click Apply. Figure 13-42: Configuring a Standard IPv4 ACL. Configuring an Extended IPv4 ACL: Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
  • Page 304 • Type – Selects the type of ACLs to show in the Name list. • Name – Shows the names of ACLs matching the selected type. • Action – An ACL can contain any combination of rules which permit or deny a packet.
  • Page 305 • 32 (urg) – Urgent pointer. For example, use the code value and mask below to catch packets with the following flags set: • SYN flag valid, use control-code 2, control bit mask 2 •...
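  The extended IPv4 ACL matching described on pages 303 to 305, as an added example that is not code from the Supermicro manual or the switch firmware: first-match evaluation of permit/deny rules with an address plus mask, an optional protocol and destination port, and the TCP control-code/bit-mask test (a rule matches when the flag bits selected by the mask equal the code). Assumptions: mask bits set to 1 select the address bits that are compared, a packet matching no rule is denied (an implicit deny is assumed here, the page does not state it), and the flag bit values are the ones the manual lists (1 fin, 2 syn, 4 rst, 8 psh, 16 ack, 32 urg). The ACL and packets are constructed.

```python
"""First-match evaluation of extended IPv4 ACL rules, including the TCP
control-code / control-bit-mask test described in the manual.

Added example; not code from the Supermicro manual or the switch firmware.
Assumptions: 1-bits in a mask select the address bits to compare; a packet
matching no rule is denied (implicit deny); TCP flag bit values
1 fin, 2 syn, 4 rst, 8 psh, 16 ack, 32 urg as listed in the manual.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"           # mask 0.0.0.0 == any address
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None      # 6 tcp, 17 udp, None any
    dst_port: Optional[int] = None
    control_code: Optional[int] = None  # required flag values ...
    control_mask: int = 0               # ... among these flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: int = 0
    tcp_flags: int = 0


def addr_matches(addr: str, base: str, mask: str) -> bool:
    """Compare only the address bits selected by mask."""
    a, b, m = (int(IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)


def flags_match(flags: int, code: Optional[int], mask: int) -> bool:
    """The manual's control-code test: (flags & mask) == (code & mask).
    code 2 / mask 2 catches any packet with SYN set; code 2 / mask 18
    catches SYN set with ACK clear."""
    if code is None:
        return True
    return (flags & mask) == (code & mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if not addr_matches(pkt.src, rule.src, rule.src_mask):
        return False
    if not addr_matches(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if rule.protocol == 6 and not flags_match(
            pkt.tcp_flags, rule.control_code, rule.control_mask):
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Return the action of the first matching rule, else 'deny'."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"          # assumed implicit deny


# Constructed ACL: permit established TCP (ACK set) from 10.1.1.0/24,
# deny new Telnet connections (SYN set, ACK clear) from that subnet,
# permit everything else from it.
EXAMPLE_ACL = [
    Rule("permit", src="10.1.1.0", src_mask="255.255.255.0", protocol=6,
         control_code=ACK, control_mask=ACK),
    Rule("deny", src="10.1.1.0", src_mask="255.255.255.0", protocol=6,
         dst_port=23, control_code=SYN, control_mask=SYN | ACK),
    Rule("permit", src="10.1.1.0", src_mask="255.255.255.0"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.5", "10.9.0.1", 6, 23, SYN),
                Packet("10.1.1.5", "10.9.0.1", 6, 23, SYN | ACK),
                Packet("10.1.2.5", "10.9.0.1", 6, 80, SYN)):
        print(pkt, "->", evaluate(EXAMPLE_ACL, pkt))
```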
  • Page 306: Configuring an Extended IPv4 ACL

    Figure 13-43: Configuring an Extended IPv4 ACL. Configuring a Standard IPv6 ACL: Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References: “permit, deny (Standard IPv6 ACL)”...
  • Page 307: Configuring a Standard IPv6 ACL

    • Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits) • Time Range – Name of a time range. Web Interface: To add rules to a Standard IPv6 ACL: Click Security, ACL.
  • Page 308 “show ipv6 access-list” on page 909 • “Time Range” on page 711. Parameters: These parameters are displayed: • Type – Selects the type of ACLs to show in the Name list. • Name – Shows the names of ACLs matching the selected type. •...
  • Page 309 • 44: Fragment (RFC 2460) • 50: Encapsulating Security Payload (RFC 2406) • 51: Authentication (RFC 2402) • 60: Destination Options (RFC 2460) • Time Range – Name of a time range. Web Interface: To add rules to an Extended IPv6 ACL: Click Security, ACL.
  • Page 310: Configuring an Extended IPv6 ACL

    Figure 13-45: Configuring an Extended IPv6 ACL. Configuring a MAC ACL: Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
  • Page 311 • Source/Destination Bit Mask – Hexadecimal mask for source or destination MAC address. • Packet Format – This attribute includes the following packet types: • Any – Any Ethernet packet type. • Untagged-eth2 – Untagged Ethernet II packets. •...
  • Page 312: Configuring an ARP ACL

    Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bit mask for an address range.
  • Page 313 • Name – Shows the names of ACLs matching the selected type. • Action – An ACL can contain any combination of permit or deny rules. • Packet Type – Indicates an ARP request, ARP response, or either type. (Range: IP, Request, Response;...
  • Page 314: Binding a Port to an Access Control List

    Enable logging if required. Click Apply. Figure 13-47: Configuring an ARP ACL. Binding a Port to an Access Control List: After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs.
  • Page 315: Configuring ACL Mirroring

    • Time Range – Name of a time range. • Counter – Enables counter for ACL statistics. Web Interface: To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select Configure from the Action list.
  • Page 316 Add one or more mirrored ports to the ACL as described under “Binding a Port to an Access Control List” on page 321. Use the Add Mirror page to specify the ACL and the destination port to which matching traffic will be mirrored.
  • Page 317: Showing ACL Hardware Counters

    Figure 13-50: Showing the VLANs to Mirror. Showing ACL Hardware Counters: Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters. CLI References: “Console#show access-list”...
  • Page 318: ARP Inspection

    Select ingress or egress traffic. Figure 13-51: Showing ACL Statistics. ARP Inspection: ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle”...
  • Page 319: Configuring Global Settings for ARP Inspection

    • When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. • Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
  • Page 320 • The administrator can configure the log facility rate. • When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.
  • Page 321 Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply. Figure 13-52: Configuring Global Settings for ARP Inspection. Configuring VLAN Settings for ARP Inspection: Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use.
  • Page 322: Configuring VLAN Settings for ARP Inspection

    • ARP Inspection VLAN ID – Selects any configured VLAN. (Default: 1) • ARP Inspection VLAN Status – Enables ARP Inspection for the selected VLAN. (Default: Disabled) ARP Inspection ACL Name • ARP ACL – Allows selection of any configured ARP ACLs. •...
  • Page 323: Displaying ARP Inspection Statistics

    • Interface – Port or trunk identifier. • Trust Status – Configures the port as trusted or untrusted. (Default: Untrusted) By default, all untrusted ports are subject to ARP packet rate limiting, and all trusted ports are exempt from ARP packet rate limiting. Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded, while those arriving on untrusted interfaces are subject to all configured ARP...
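    The ARP Inspection decision path described on pages 318 to 323, as an added example that is not code from the Supermicro manual or the switch firmware: packets on trusted ports bypass inspection; on untrusted ports the packet is rate limited, then address-validated, then its sender IP/MAC binding is checked against the VLAN's ARP ACL and, if no ACL rule matches, against the DHCP snooping binding table; every drop goes to a log buffer with the VLAN, port and address components. Assumptions: the fall-through from ARP ACL to DHCP snooping bindings, the three validation checks (src-mac, dst-mac, ip) and the per-port rate value are illustrative choices, since the page names the options without defining them. Packets and bindings are constructed.

```python
"""ARP Inspection decision for one ARP packet on an untrusted or trusted port.

Added example; not code from the Supermicro manual or the switch firmware.
Checks modelled on the manual: trusted ports bypass everything; untrusted
ports get rate limiting, optional address validation, then a binding check
against the VLAN's ARP ACL and the DHCP snooping table; drops are logged.
Assumed details: ACL->snooping fall-through, the validation set
{"src-mac", "dst-mac", "ip"}, and the default rate of 15 packets/second.
MAC addresses are compared case-insensitively.
"""
from collections import deque
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ArpPacket:
    vlan: int
    port: str
    is_reply: bool
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpInspector:
    trusted_ports: set
    arp_acl: list                    # [(action, ip, mac)], first match wins
    snooping_bindings: set           # {(vlan, ip, mac_lowercase)} from DHCP snooping
    validate: set = field(default_factory=set)   # subset of {"src-mac","dst-mac","ip"}
    rate_limit: int = 15             # packets/second per untrusted port (assumed)
    log: list = field(default_factory=list)       # log buffer: (vlan, port, ip, mac, reason)
    _window: dict = field(default_factory=dict)   # port -> timestamps in last second

    def _rate_ok(self, port: str, now: float) -> bool:
        q = self._window.setdefault(port, deque())
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) >= self.rate_limit:
            return False
        q.append(now)
        return True

    def _validation_ok(self, p: ArpPacket) -> bool:
        if "src-mac" in self.validate and p.eth_src.lower() != p.sender_mac.lower():
            return False
        if "dst-mac" in self.validate and p.is_reply and p.eth_dst.lower() != p.target_mac.lower():
            return False
        if "ip" in self.validate:
            # sender IP checked always, target IP only in replies
            for ip in [p.sender_ip] + ([p.target_ip] if p.is_reply else []):
                a = ipaddress.IPv4Address(ip)
                if a.is_multicast or ip in ("0.0.0.0", "255.255.255.255"):
                    return False
        return True

    def _binding_ok(self, p: ArpPacket) -> bool:
        mac = p.sender_mac.lower()
        for action, ip, acl_mac in self.arp_acl:
            if ip == p.sender_ip and acl_mac.lower() == mac:
                return action == "permit"
        return (p.vlan, p.sender_ip, mac) in self.snooping_bindings

    def _drop(self, p: ArpPacket, reason: str) -> str:
        self.log.append((p.vlan, p.port, p.sender_ip, p.sender_mac, reason))
        return "drop"

    def inspect(self, p: ArpPacket, now: float = 0.0) -> str:
        """Return 'forward' or 'drop'; drops are recorded in self.log."""
        if p.port in self.trusted_ports:
            return "forward"
        if not self._rate_ok(p.port, now):
            return self._drop(p, "rate-limit")
        if not self._validation_ok(p):
            return self._drop(p, "invalid-address")
        if not self._binding_ok(p):
            return self._drop(p, "invalid-binding")
        return "forward"
```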
  • Page 324 CLI References: “show ip arp inspection statistics” on page 883. Parameters: These parameters are displayed: Table 13-4: ARP Inspection Statistics. Parameter | Description: Received ARP packets before ARP inspection rate limit | Count of ARP packets received but not exceeding the ARP Inspection rate limit.
  • Page 325: Displaying the ARP Inspection Log

    Displaying the ARP Inspection Log: Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components. CLI References: “show ip arp inspection log”...
  • Page 326 Filtering IP Addresses for Management Access. Command Usage: • The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses. • If anyone tries to access a management interface on the switch from an...
  • Page 327: Configuring Port Security

    Click Apply. Figure 13-57: Creating an IP Address Filter for Management Access. To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 13-58: Showing IP Addresses Authorized for Management Access. Configuring Port Security...
  • Page 328 • To configure the maximum number of address entries which can be learned on a port, and then specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs <source MAC address, VLAN>...
  • Page 329 • None: No action should be taken. (This is the default.) • Trap: Send an SNMP trap message. • Shutdown: Disable the port. • Trap and Shutdown: Send an SNMP trap message and disable the...
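  Port security as described on pages 328 and 329, as an added example that is not code from the Supermicro manual or the switch firmware: a port learns <source MAC, VLAN> pairs up to its configured maximum, a frame from an unknown pair after that is an intrusion, and the configured response is none, trap, shutdown, or trap and shutdown. The trap is represented by appending to a list; that the offending frame itself is dropped, and that a shut-down port drops everything until an administrator re-enables it, are assumptions. Inputs are constructed.

```python
"""Port security learning and intrusion response for one port.

Added example; not code from the Supermicro manual or the switch firmware.
Modelled on the manual: <source MAC, VLAN> pairs are learned up to
max_addresses; a further unknown pair is an intrusion handled by the
configured action ("none", "trap", "shutdown", "trap-and-shutdown").
Assumed: the offending frame is dropped, and a shut-down port stays
down (dropping all traffic) until link_up is set True again.
"""
from dataclasses import dataclass, field

ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")


@dataclass
class SecurePort:
    name: str
    max_addresses: int
    action: str = "none"
    enabled: bool = True
    link_up: bool = True
    learned: set = field(default_factory=set)    # {(mac_lowercase, vlan)}
    traps: list = field(default_factory=list)    # SNMP traps that would be sent

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown intrusion action {self.action!r}")

    def ingress(self, src_mac: str, vlan: int) -> str:
        """Return 'forward' or 'drop' for a frame, updating port state."""
        if not self.link_up:
            return "drop"                 # shut down by an earlier intrusion
        key = (src_mac.lower(), vlan)
        if not self.enabled or key in self.learned:
            return "forward"
        if len(self.learned) < self.max_addresses:
            self.learned.add(key)         # dynamic learning below the limit
            return "forward"
        self._intrusion(key)
        return "drop"

    def _intrusion(self, key):
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append({"port": self.name, "mac": key[0], "vlan": key[1]})
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.link_up = False


if __name__ == "__main__":
    port = SecurePort("Eth1/5", max_addresses=2, action="trap-and-shutdown")
    for mac in ("00-11-22-33-44-55", "00-11-22-33-44-66", "00-11-22-33-44-77"):
        print(mac, port.ingress(mac, 1))
    print("traps:", port.traps, "link up:", port.link_up)
```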
  • Page 330: Configuring 802.1X Port Authentication

    Figure 13-59: Configuring Port Security. Configuring 802.1X Port Authentication: Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 331: Configuring 802.1X Global Settings

    hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Figure 13-60: Configuring Port Authentication (diagram of the exchange between the 802.1X client, the switch and the RADIUS server: 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3. ...)
  • Page 332 • EAPOL Pass Through – Passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. (Default: Disabled) When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, EAPOL Pass Through can be enabled to allow the switch to forward EAPOL frames from other switches on to the authentication servers, thereby allowing...
  • Page 333: Configuring Port Authenticator Settings for 802.1X

    Figure 13-61: Configuring Global Settings for 802.1X Port Authentication. Configuring Port Authenticator Settings for 802.1X: Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator.
  • Page 334 • Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized. • Authorized – Displays the 802.1X authorization status of connected...
  • Page 335 • Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds) • Supplicant Timeout – Sets the time that a switch port waits for a response to an EAP request from a client before re-transmitting an EAP packet.
  • Page 336 • State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). • Reauth Count – Number of times connecting state is re-entered. • Current Identifier – Identifier sent in each EAP Success, Failure or...
  • Page 337: Configuring Port Supplicant Settings for 802.1X

    Figure 13-62: Configuring Interface Settings for 802.1X Port Authenticator. Configuring Port Supplicant Settings for 802.1X: Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
  • Page 338 Parameters: These parameters are displayed: • Port – Port number. • PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled) If the attached client must be authenticated through another device in the network, supplicant status must be enabled. Supplicant status can only be enabled if PAE Control Mode is set to “Force-Authorized”...
  • Page 339: Displaying 802.1X Statistics

    Figure 13-63: Configuring Interface Settings for 802.1X Port Supplicant. Displaying 802.1X Statistics: Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. CLI References: “show dot1x”...
  • Page 340 Table 13-6: 802.1X Statistics (Continued). Parameter | Description: Tx EAP Req/Oth | The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator. Tx EAPOL Total | The number of EAPOL frames of any type that have been transmitted by this Authenticator.
  • Page 341: DoS Protection

    Figure 13-64: Showing Statistics for 802.1X Port Authenticator. To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 13-65: Showing Statistics for 802.1X Port Supplicant. DoS Protection: Use the Security >...
  • Page 342 or to obstruct the communication media between the intended users and the target so that they can no longer communicate adequately. This section describes how to protect against DoS attacks. CLI References: • “Denial of Service Protection”...
  • Page 343 • UDP Flooding Attack – Attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. For each packet the target determines that no application is listening at that port and replies with an ICMP Destination Unreachable packet, so the flood consumes the target's resources.
  • Page 344: IPv4 Source Guard

    IPv4 Source Guard: IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping”...
  • Page 345 the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded. •...
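  IPv4 Source Guard filtering as described on pages 344 and 345, as an added example that is not code from the Supermicro manual or the switch firmware: the binding table holds static source-guard entries (infinite lease) and dynamic DHCP snooping entries; a port in "sip" mode checks VLAN, source IP and ingress port, and "sip-mac" mode also checks the source MAC. A static binding replacing a dynamic one with the same MAC and IP, and a per-port cap on dynamic bindings, are the behaviours the manual states for IPv6 Source Guard (pages 351 and 352) applied to IPv4 here as an assumption; the default cap of 5 is also assumed. Table contents are constructed.

```python
"""IPv4 Source Guard: a binding table of static and DHCP-snooping entries
and the per-port "sip" / "sip-mac" filter decision.

Added example; not code from the Supermicro manual or the switch firmware.
From the manual: "sip" checks VLAN, source IP and port; "sip-mac" also
checks the source MAC; static entries have an infinite lease (shown as 0).
Assumed (taken from the manual's IPv6 Source Guard description): a static
binding replaces a dynamic one with the same MAC and IP, and each port
accepts at most max_dynamic[port] dynamic bindings (default 5 assumed).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str            # stored lowercase
    port: str
    kind: str           # "static" or "dynamic"
    lease: int = 0      # seconds remaining; 0 == infinite (static)


@dataclass
class SourceGuard:
    mode: dict = field(default_factory=dict)         # port -> "disabled"|"sip"|"sip-mac"
    max_dynamic: dict = field(default_factory=dict)  # port -> cap on dynamic bindings
    table: list = field(default_factory=list)

    def add_static(self, vlan: int, ip: str, mac: str, port: str) -> None:
        """Static entry; a dynamic entry with the same MAC and IP is replaced."""
        mac = mac.lower()
        self.table = [b for b in self.table
                      if not (b.kind == "dynamic" and b.ip == ip and b.mac == mac)]
        self.table.append(Binding(vlan, ip, mac, port, "static"))

    def learn_dynamic(self, vlan: int, ip: str, mac: str, port: str, lease: int) -> bool:
        """Entry learned from DHCP snooping; refused once the port's cap is hit."""
        mac = mac.lower()
        on_port = sum(1 for b in self.table if b.port == port and b.kind == "dynamic")
        if on_port >= self.max_dynamic.get(port, 5):
            return False
        self.table.append(Binding(vlan, ip, mac, port, "dynamic", lease))
        return True

    def allow(self, vlan: int, src_ip: str, src_mac: str, port: str) -> bool:
        """Filter decision for an IP packet arriving on port."""
        mode = self.mode.get(port, "disabled")
        if mode == "disabled":
            return True
        src_mac = src_mac.lower()
        for b in self.table:
            if b.vlan == vlan and b.ip == src_ip and b.port == port:
                if mode == "sip" or b.mac == src_mac:
                    return True
        return False


if __name__ == "__main__":
    sg = SourceGuard(mode={"Eth1/1": "sip", "Eth1/2": "sip-mac"})
    sg.add_static(1, "10.0.0.10", "00-11-22-33-44-55", "Eth1/1")
    sg.learn_dynamic(1, "10.0.0.20", "00-aa-bb-cc-dd-ee", "Eth1/2", 3600)
    print(sg.allow(1, "10.0.0.10", "00-00-00-00-00-01", "Eth1/1"))   # sip: MAC ignored
    print(sg.allow(1, "10.0.0.20", "00-00-00-00-00-01", "Eth1/2"))   # sip-mac: MAC wrong
```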
  • Page 346: Configuring Static Bindings for IPv4 Source Guard

    Configuring Static Bindings for IPv4 Source Guard: Use the Security > IP Source Guard > Static Binding page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated...
  • Page 347 • Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.) Web Interface: To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Binding.
  • Page 348 • Query by Port – A port on this switch. • VLAN – ID of a configured VLAN (Range: 1-4094) • MAC Address – A valid unicast MAC address. • IP Address – A valid unicast IP address, including classful types A, B...
  • Page 349: IPv6 Source Guard

    the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see the DHCPv6 Snooping commands). IPv6 source guard can be used to prevent traffic attacks caused when a host tries to use the IPv6 address of a neighbor to access the network.
  • Page 350: Configuring Static Bindings for IPv6 Source Guard

    entry type is static IPv6 source guard binding, the packet will be forwarded. • If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, dynamic ND snooping binding, or dynamic DHCPv6 snooping binding, the packet will be forwarded.
  • Page 351 bindings, until the number of entries in the binding table reaches the newly configured maximum number of allowed bindings. Web Interface: To set the IPv6 Source Guard filter for ports: Click Security, IPv6 Source Guard, Port Configuration. Set the required filtering type for each port.
  • Page 352 • If there is an entry with the same MAC address and IPv6 address, and the type of the entry is either a dynamic ND snooping binding or a dynamic DHCPv6 snooping binding, then the new entry will replace the old one and the entry type will be changed to static IPv6 source guard binding.
  • Page 353 Figure 13-72: Configuring Static Bindings for IPv6 Source Guard. To display static bindings for IPv6 Source Guard: Click Security, IPv6 Source Guard, Static Configuration. Select Show from the Action list. Figure 13-73: Displaying Static Bindings for IPv6 Source Guard. Use the Security >...
  • Page 354: DHCP Snooping

    • MAC Address – Physical address associated with the entry. • Interface – Port to which this entry is bound. • IPv6 Address – IPv6 address corresponding to the client. • Type – Shows the entry type: •...
  • Page 355 or firewall. When DHCP snooping is enabled globally and enabled on a VLAN interface, DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped. •...
  • Page 356 • If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table. • Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted.
  • Page 357: DHCP Snooping Global Configuration

    DHCP SNOOPING GLOBAL CONFIGURATION Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. CLI REFERENCES • “DHCPv4 Snooping” on page 843 ...
  • Page 358: DHCP Snooping VLAN Configuration

    WEB INTERFACE To configure global settings for DHCP Snooping: Click IP Service, DHCP, Snooping. Select Configure Global from the Step list. Select the required options for the general DHCP snooping process and for the DHCP snooping information policy. Click Apply. Figure 13-75: Configuring Global Settings for DHCP Snooping. Use the IP Service > ...
  • Page 359: Configuring Ports for DHCP Snooping

    • DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 360: Displaying DHCP Snooping Binding Information

    • Trust Status – Enables or disables a port as trusted. (Default: Disabled) • Circuit ID – Specifies DHCP Option 82 circuit ID suboption information. • Mode – Specifies the default string “VLAN-Unit-Port” or an arbitrary ...
  • Page 361 • Lease Time – The time for which this IP address is leased to the client. • Type – Entry types include: DHCP-Snooping – Dynamically snooped; Static-DHCPSNP – Statically configured. • VLAN – VLAN to which this entry is bound. ...
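The DHCP snooping pages above describe the filter in prose: trusted ports pass everything and their ACKs populate the binding table, untrusted ports drop server replies, MAC Address Verification compares the DHCP chaddr with the Ethernet source address, a global disable removes dynamic bindings, and Option 82 carries a "VLAN-Unit-Port" circuit ID. The following is an added example that models those rules together; it is not the switch's firmware. The message representation, the port names, the rule that a RELEASE or DECLINE from an untrusted port must match an existing binding, and the exact text layout of the circuit ID are assumptions.

```python
"""DHCPv4 snooping filter, binding table and Option 82 builder (added example)."""
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = 1, 2, 3, 4, 5, 6, 7, 8
DYNAMIC, STATIC = "DHCP-Snooping", "Static-DHCPSNP"     # entry types shown above


@dataclass
class Dhcp:
    op: int            # BOOTREQUEST (client) or BOOTREPLY (server)
    msg_type: int      # option 53 value
    chaddr: str        # client hardware address inside the DHCP payload
    src_mac: str       # Ethernet source address of the frame that carried it
    yiaddr: str = "0.0.0.0"
    lease: int = 0


@dataclass
class Snooper:
    trusted: set = field(default_factory=set)      # ports facing the DHCP server
    verify_mac: bool = True                        # "MAC Address Verification"
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> (ip, port, lease, type)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> client port

    def add_static(self, vlan, mac, ip, port):
        self.bindings[(vlan, mac.lower())] = (ip, port, 0, STATIC)

    def handle(self, pkt, port, vlan):
        """Return 'forward' or 'drop' for a DHCP message seen on `port` in `vlan`."""
        key = (vlan, pkt.chaddr.lower())
        if port in self.trusted:
            if pkt.op == BOOTREPLY and pkt.msg_type == ACK and key in self.pending:
                self.bindings[key] = (pkt.yiaddr, self.pending.pop(key), pkt.lease, DYNAMIC)
            return "forward"
        if pkt.op == BOOTREPLY or pkt.msg_type in (OFFER, ACK, NAK):
            return "drop"                       # rogue server on an untrusted port
        if self.verify_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
            return "drop"                       # spoofed chaddr (pool exhaustion)
        if pkt.msg_type in (RELEASE, DECLINE) and key not in self.bindings:
            return "drop"                       # cannot release a lease never seen
        self.pending[key] = port                # remember which port the client is on
        return "forward"

    def disable(self):
        """Global disable: dynamic bindings are removed, static ones are kept."""
        self.bindings = {k: v for k, v in self.bindings.items() if v[3] == STATIC}
        self.pending.clear()


def circuit_id(vlan, unit, port):
    """Default "VLAN-Unit-Port" circuit-ID suboption text (exact layout assumed)."""
    return f"{vlan}-{unit}-{port}".encode()


def option82(circuit, remote_mac):
    """RFC 3046 relay-agent option: sub-option 1 = circuit ID, 2 = remote ID."""
    remote = bytes.fromhex(remote_mac.replace(":", ""))
    subs = bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote
    return bytes([82, len(subs)]) + subs


if __name__ == "__main__":
    s = Snooper(trusted={"ge1/48"})
    print(s.handle(Dhcp(BOOTREPLY, OFFER, "00:11:22:33:44:55", "de:ad:be:ef:00:01"), "ge1/7", 10))
    print(option82(circuit_id(10, 1, 5), "00:aa:bb:cc:dd:ee").hex())
```

The "pending" map is what ties a server ACK arriving on the trusted uplink back to the access port where the client's REQUEST was seen, so the binding records the client's port rather than the uplink; this is also why the page insists that the switch's own DHCP client port be trusted.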
  • Page 362: Basic Administration Protocols

    Chapter 14: Basic Administration Protocols. This chapter describes basic administration tasks including: • Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 363: System Log Configuration

    SYSTEM LOG CONFIGURATION Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory. Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems.
  • Page 364 The Flash Level must be equal to or less than the RAM Level. All log messages are retained in RAM and Flash after a warm restart (i.e., the switch is reset through the command interface). All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on at the power source).
  • Page 365: Remote Log Configuration

    Figure 14-2: Showing Error Messages Logged to System Memory. REMOTE LOG CONFIGURATION Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
  • Page 366: Sending Simple Mail Transfer Protocol Alerts

    WEB INTERFACE To configure the logging of error messages to remote servers: Click Administration, Log, Remote. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. Click Apply.
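What the RAM Level, Flash Level and remote logging level settings above actually do is a severity comparison, and what the remote server receives is a BSD syslog line whose priority field encodes the facility chosen on this page together with the message severity. The following is an added example, not the switch's own code, that performs both: it validates the Flash Level <= RAM Level rule, routes a message to the destinations whose threshold admits it, and formats the RFC 3164 line. The host name, tag and sample messages are constructed for the example; the send helper is only needed if a collector is actually listening.

```python
"""Syslog PRI encoding and per-destination level filtering (added example)."""
import socket

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}


def pri(facility, severity):
    """RFC 3164 priority value: 8 * facility + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_syslog(facility, severity, timestamp, hostname, tag, message):
    """<PRI>TIMESTAMP HOSTNAME TAG: MSG, the classic BSD syslog line."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {message}"


class EventLogger:
    """Routes a message to RAM, flash and remote syslog by severity threshold."""

    def __init__(self, ram_level, flash_level, remote_level=None, facility="local7"):
        if not 0 <= flash_level <= ram_level <= 7:
            raise ValueError("Flash Level must be <= RAM Level, both in 0-7")
        self.ram_level = ram_level
        self.flash_level = flash_level
        self.remote_level = remote_level
        self.facility = facility

    def destinations(self, severity):
        """Set of destinations that accept a message of this severity."""
        sev = SEVERITY[severity]
        dests = set()
        if sev <= self.ram_level:
            dests.add("ram")
        if sev <= self.flash_level:
            dests.add("flash")        # survives a cold restart, RAM does not
        if self.remote_level is not None and sev <= self.remote_level:
            dests.add("remote")
        return dests

    def send(self, severity, timestamp, hostname, tag, message, server, port=514):
        """Emit the line over UDP if the remote threshold admits it; return it or None."""
        if "remote" not in self.destinations(severity):
            return None
        line = format_syslog(self.facility, severity, timestamp, hostname, tag, message)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(line.encode(), (server, port))
        return line


if __name__ == "__main__":
    lg = EventLogger(ram_level=7, flash_level=3, remote_level=6)
    print(lg.destinations("err"), lg.destinations("debug"))
    print(format_syslog("local7", "warning", "Nov  5 12:00:00", "sw01",
                        "DHCPSNP", "dropped OFFER on untrusted port ge1/7"))
```

Classic UDP syslog is unauthenticated and unencrypted; the level filter decides only how much leaves the switch, so keep the collector on the management network rather than relying on the filter for confidentiality.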
  • Page 367: Link Layer Discovery Protocol

    • Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients. • Server IP Address – Specifies a list of up to three recipient SMTP ...
  • Page 368: Setting LLDP Timing Attributes

    ... details such as device identification, capabilities and configuration settings. LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers. Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches.
  • Page 369 • Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds) When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
  • Page 370: Configuring LLDP Interface Attributes

    Figure 14-5: Configuring LLDP Timing Attributes. CONFIGURING LLDP INTERFACE ATTRIBUTES Use the Administration > LLDP (Configure Interface – Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 371 • MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Disabled) • Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. Management Address – ...
  • Page 372 • VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 147). • VLAN Name – The name of all VLANs to which this interface has been assigned (see “IEEE 802.1Q VLANs” ...
  • Page 373 ... configurations frequently result in voice quality degradation or complete service disruption. • MED-Location Civic Address – Configures information for the location of the attached device included in the MED TLV field of advertised messages, including the country and the device type.
  • Page 374: Configuring LLDP Interface Civic-Address

    Figure 14-6: Configuring LLDP Interface Attributes. CONFIGURING LLDP INTERFACE CIVIC ADDRESS Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
  • Page 375 Table 14-2: LLDP MED Location CA Types (Continued) – CA Type / Description / CA Value Example: House number; House number suffix; Landmark or vanity address (example: Tech Center); Unit (apartment, suite) (example: Apt 519); Floor; Room (example: 509B). Any number of CA type and value pairs can be specified for the civic ...
  • Page 376: Displaying LLDP Local Device Information

    Select Show CA-Type from the Action list. Select an interface from the Port or Trunk list. Figure 14-8: Showing the Civic Address for an LLDP Interface. DISPLAYING LLDP LOCAL DEVICE INFORMATION Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, ...
  • Page 377 • System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 65). • System Description – A textual description of the network entity. This ...
  • Page 378 Table 14-5: Port ID Subtype – ID Basis / Reference: Interface alias – ifAlias (IETF RFC 2863); Port component – entPhysicalAlias when entPhysicalClass has the value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 4133); MAC address – MAC address (IEEE Std 802-2001); Network address – networkAddress; Interface name – ...
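The chassis ID and port ID subtypes in the tables above, the TTL, system name, capabilities and management address shown on the local and remote device pages, and the "Frames Discarded" counter described later all come from one wire format: the IEEE 802.1AB LLDPDU, a sequence of TLVs with a 7-bit type and 9-bit length. The following is an added example, not the switch's own code, that parses such a PDU and applies the ordering rule a receiver enforces (Chassis ID, Port ID and TTL first, End of LLDPDU last). The sample PDU is constructed here, not captured from a device. Because LLDP carries no authentication, a parser on the receiving side must treat every length field as untrusted, which is why the example checks each one before slicing.

```python
"""Minimal IEEE 802.1AB LLDPDU parser with receiver-side validation (added example)."""
import struct

CHASSIS_SUBTYPE = {1: "chassis component", 2: "interface alias", 3: "port component",
                   4: "MAC address", 5: "network address", 6: "interface name",
                   7: "locally assigned"}
PORT_SUBTYPE = {1: "interface alias", 2: "port component", 3: "MAC address",
                4: "network address", 5: "interface name", 6: "agent circuit ID",
                7: "locally assigned"}
CAPABILITY_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "WLAN AP",
                   0x10: "router", 0x20: "telephone", 0x40: "DOCSIS", 0x80: "station"}


def tlv(ttype, value=b""):
    """Build one TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def _id_field(value, table, mac_subtype):
    """Decode a Chassis ID or Port ID value: one subtype byte followed by the ID."""
    if not value:
        raise ValueError("empty ID TLV")
    sub, raw = value[0], value[1:]
    text = raw.hex(":") if sub == mac_subtype else raw.decode("utf-8", "replace")
    return table.get(sub, f"subtype {sub}"), text


def parse_lldpdu(data):
    """Return a dict of decoded fields; raise ValueError on a malformed PDU."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(data):
            raise ValueError("missing End of LLDPDU TLV")
        hdr, = struct.unpack_from("!H", data, off)
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        value = data[off:off + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += length
        if ttype == 0:
            if length:
                raise ValueError("End TLV must have zero length")
            break
        tlvs.append((ttype, value))
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("Chassis ID, Port ID and TTL must come first, in that order")
    out = {"org_specific": []}
    for ttype, value in tlvs:
        if ttype == 1:
            out["chassis_id"] = _id_field(value, CHASSIS_SUBTYPE, 4)
        elif ttype == 2:
            out["port_id"] = _id_field(value, PORT_SUBTYPE, 3)
        elif ttype == 3:
            if len(value) < 2:
                raise ValueError("TTL TLV too short")
            out["ttl"], = struct.unpack("!H", value[:2])
        elif ttype == 5:
            out["system_name"] = value.decode("utf-8", "replace")
        elif ttype == 6:
            out["system_description"] = value.decode("utf-8", "replace")
        elif ttype == 7 and len(value) >= 4:
            _supported, enabled = struct.unpack("!HH", value[:4])
            out["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if enabled & b]
        elif ttype == 8 and len(value) >= 2:
            alen = value[0]                      # address length includes the subtype byte
            subtype, addr = value[1], value[2:1 + alen]
            if subtype == 1 and len(addr) == 4:  # IANA address family 1 = IPv4
                out["management_address"] = ".".join(str(b) for b in addr)
            else:
                out["management_address"] = addr.hex()
        elif ttype == 127 and len(value) >= 4:
            out["org_specific"].append((value[:3].hex(), value[3], value[4:]))
    return out


def sample_lldpdu():
    """Constructed PDU such as a neighbouring switch might advertise."""
    mgmt = bytes([5, 1]) + bytes([192, 0, 2, 10]) + bytes([2]) + struct.pack("!I", 1) + bytes([0])
    return b"".join([
        tlv(1, bytes([4]) + bytes.fromhex("0025902a3b4c")),   # Chassis ID, MAC subtype
        tlv(2, bytes([5]) + b"Eth1/5"),                       # Port ID, interface name
        tlv(3, struct.pack("!H", 120)),                        # TTL 120 s
        tlv(5, b"sw01"),                                       # System Name
        tlv(7, struct.pack("!HH", 0x0014, 0x0004)),            # bridge+router supported, bridge enabled
        tlv(8, mgmt),                                          # Management Address (IPv4, ifIndex 1)
        tlv(0),                                                # End of LLDPDU
    ])


if __name__ == "__main__":
    print(parse_lldpdu(sample_lldpdu()))
```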
  • Page 379: Displaying LLDP Remote Device Information

    Figure 14-9: Displaying Local Device Information for LLDP (General). Figure 14-10: Displaying Local Device Information for LLDP (Port). Figure 14-11: Displaying Local Device Information for LLDP (Port Details). DISPLAYING LLDP REMOTE DEVICE INFORMATION Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports ...
  • Page 380 PARAMETERS These parameters are displayed: Port • Local Port – The local port to which a remote LLDP-capable device is attached. • Chassis ID – An octet string indicating the specific identifier for the ...
  • Page 381 • Management Address List – The management addresses for this device. Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
  • Page 382 Table 14-6: Remote Port Auto-Negotiation Advertised Capability – Capability: Asymmetric and Symmetric PAUSE for full-duplex links; 1000BASE-X, -LX, -SX, -CX half duplex mode; 1000BASE-X, -LX, -SX, -CX full duplex mode; 1000BASE-T half duplex mode; 1000BASE-T full duplex mode. ...
  • Page 383 ... derived from the ifNumber of the ifIndex for the port component associated with the remote system. If the remote port is not in link aggregation state and/or it does not support link aggregation, this value should be zero.
  • Page 384 • Voice Signaling • Guest Signaling • Guest Voice Signaling • Softphone Voice • Video Conferencing • Streaming Video • Video Signaling. • Tagged Flag – Indicates whether the specified application type is ...
  • Page 385 • Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US) • What – The type of device to which the location applies as described ...
  • Page 386 Figure 14-13: Displaying Remote Device Information for LLDP (Port Details). Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.
  • Page 387: Displaying Device Statistics

    Figure 14-14: Displaying Remote Device Information for LLDP (End Node). DISPLAYING DEVICE STATISTICS Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 388 Port/Trunk • Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV. • Frames Invalid – ...
  • Page 389: Power over Ethernet

    Figure 14-16: Displaying LLDP Device Statistics (Port). POWER OVER ETHERNET The SSE-G2252P can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device.
  • Page 390 ... exceeds the power budget, the switch uses port power priority settings to limit the supplied power. CLI REFERENCES • “Power over Ethernet Commands” on page 965. PARAMETERS These parameters are displayed: ...
  • Page 391: Setting the Port PoE Power Budget

    Figure 14-17: Setting the Switch’s PoE Budget. SETTING THE PORT POE POWER BUDGET Use the Administration > PoE > PSE (Configure Interface) page to set the maximum power provided to a port. CLI REFERENCES • “Power over Ethernet Commands” ...
  • Page 392 • If a device is connected to a low-priority port and causes the switch to exceed its budget, power to this port is not turned on. • If a device is connected to a critical or high-priority port and would ...
  • Page 393: Simple Network Management Protocol

    Click Administration, PoE, PSE. Enable PoE power on selected ports. Set the priority and the power budget, and specify a time range during which PoE will be provided to an interface. Click Apply.
  • Page 394 ... management station must first submit a valid community string for authentication. Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
  • Page 395: Configuring Global Settings for SNMP

    Use the Administration > SNMP (Configure User - Add Community) page to configure the community strings authorized for management access. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
  • Page 396: Setting the Local Engine ID

    • Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken. (Default: Enabled) • MAC Notification Traps – Issues a trap when a dynamic MAC address ...
  • Page 397: Specifying a Remote Engine ID

    PARAMETERS These parameters are displayed: • Engine ID – A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters is specified, a trailing zero is added to the value to fill in the last octet.
  • Page 398 PARAMETERS These parameters are displayed: • Remote Engine ID – The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters is specified, a trailing zero is added to the value to fill in the last octet.
  • Page 399: Setting SNMPv3 Views

    SETTING SNMPV3 VIEWS Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
  • Page 400 Figure 14-23: Creating an SNMP View. To show the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list. Figure 14-24: Showing SNMP Views. To add an object identifier to an existing SNMP view of the switch’s MIB database: ...
  • Page 401: Configuring SNMPv3 Groups

    Figure 14-25: Adding an OID Subtree to an SNMP View. To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
  • Page 402 • Security Level – The following security levels are only used for the groups assigned to the SNMPv3 security model: • noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 403 Table 14-10: Supported Notification Messages (Continued) – Model / Level / Group: linkUp* 1.3.6.1.6.3.1.1.5.4 – A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state).
  • Page 404 Table 14-10: Supported Notification Messages (Continued): swAtcMcastStormAlarmFireTrap 1.3.6.1.4.1.259.10.1.39.2.1.0.74 – Fired when multicast traffic is detected as a storm. swAtcMcastStormAlarmClearTrap 1.3.6.1.4.1.259.10.1.39.2.1.0.75 – Fired when the multicast storm subsides and traffic is again detected as normal.
  • Page 405 Table 14-10: Supported Notification Messages (Continued): macNotificationTrap 1.3.6.1.4.1.259.10.1.39.2.1.0.138 – Sent when there are changes to the dynamic MAC addresses on the switch. lbdDetectionTrap 1.3.6.1.4.1.259. ... – Sent when a loopback ...
  • Page 406: Setting Community Access Strings

    Enter a group name, assign a security model and level, and then select read, write, and notify views. Click Apply. Figure 14-27: Creating an SNMP Group. To show SNMP groups: Click Administration, SNMP. Select Configure Group from the Step list.
  • Page 407 PARAMETERS These parameters are displayed: • Community String – A community string that acts like a password and permits access to the SNMP protocol. (Range: 1-32 characters, case sensitive) Default strings: “public” (Read-Only), “private” (Read/Write). Because these defaults are universally known and SNMPv1/v2c send the community string in clear text, replace them before connecting the switch to any network that is not fully trusted. • Access Mode – ...
  • Page 408: Configuring Local SNMPv3 Users

    Figure 14-30: Showing Community Access Strings. CONFIGURING LOCAL SNMPV3 USERS Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
  • Page 409 • Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. (56-bit DES is weak by current standards, so treat AuthPriv on this switch as protection against casual sniffing only, prefer SHA for authentication, and restrict SNMP access to a management network.) • Privacy Password – Enter plain text characters for the privacy password. (Range: 8-32 characters) WEB INTERFACE To configure a local SNMPv3 user: Click Administration, SNMP.
  • Page 410: Configuring Remote SNMPv3 Users

    Figure 14-32: Showing Local SNMPv3 Users. CONFIGURING REMOTE SNMPV3 USERS Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
  • Page 411 • AuthPriv – SNMP communications use both authentication and encryption. • Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) • Authentication Password – Enter plain text characters for the ...
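Two details from the pages above are worth seeing in code: how an engine ID typed as 9 to 64 hexadecimal characters is padded with a trailing zero when the count is odd, and what the switch does with the authentication and privacy passwords entered for a local or remote SNMPv3 user. Per RFC 3414 the password is stretched and hashed into Ku and then localised with the engine ID into Kul, which is why the same password gives different keys on different engines and why a remote engine ID must exist before a remote user can be created. The following is an added example, not the switch's own code; the only external data it uses are the password-to-key test vectors published in RFC 3414 appendix A.

```python
"""SNMPv3 engine-ID normalisation and RFC 3414 key localisation (added example)."""
import hashlib

MIN_OCTETS, MAX_OCTETS = 5, 32


def normalize_engine_id(text):
    """Hex string (9-64 chars) -> bytes; an odd character count gets a trailing '0'."""
    hexstr = text.strip().lower()
    if len(hexstr) % 2:
        hexstr += "0"                     # the padding rule described on the page
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        raise ValueError("engine ID must be hexadecimal") from None
    if not MIN_OCTETS <= len(raw) <= MAX_OCTETS:
        raise ValueError(f"engine ID must be {MIN_OCTETS}-{MAX_OCTETS} octets")
    return raw


def password_to_key(password, algorithm):
    """Ku: hash of the password repeated out to exactly 1 MiB (RFC 3414 A.2)."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    h = hashlib.new(algorithm)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localized_key(password, engine_id, algorithm="sha1"):
    """Kul = H(Ku || engineID || Ku): the key actually used with this engine."""
    ku = password_to_key(password, algorithm)
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def user_keys(auth_password, priv_password, engine_id, algorithm="sha1"):
    """Keys for an AuthPriv user; DES takes the first 8 bytes of the localised privacy key."""
    auth = localized_key(auth_password, engine_id, algorithm)
    priv = localized_key(priv_password, engine_id, algorithm)
    return auth, priv[:8]


if __name__ == "__main__":
    engine = normalize_engine_id("80000002b")          # odd length: padded to 80000002b0
    print(engine.hex())
    print(localized_key("maplesyrup", engine, "sha1").hex())
```

A 56-bit DES key derived this way is only as strong as DES itself, so the privacy password's length does nothing to offset that; the authentication key, by contrast, is used in full by HMAC and benefits from a long password.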
  • Page 412: Specifying Trap Managers

    Figure 14-33: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 14-34: Showing Remote SNMPv3 Users. Use the Administration > ...
  • Page 413 • “snmp-server enable traps” on page 726. COMMAND USAGE • Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt.
  • Page 414 Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page. • UDP Port – Specifies the UDP port number used by the trap manager. ...
  • Page 415 • Timeout – The time to wait for an acknowledgment before resending an inform message, expressed in centiseconds (hundredths of a second). (Range: 0-2147483647 centiseconds; Default: 1500 centiseconds, i.e. 15 seconds) • Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt.
  • Page 416 Figure 14-35: Configuring Trap Managers (SNMPv1). Figure 14-36: Configuring Trap Managers (SNMPv2c). Figure 14-37: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list.
  • Page 417: Creating SNMP Notification Logs

    Figure 14-38: Showing Trap Managers. CREATING SNMP NOTIFICATION LOGS Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log. CLI REFERENCES • “nlm” on page 738 ...
  • Page 418 • When a trap host is created using the Administration > SNMP (Configure Trap – Add) page described on page 419, a default notify filter will be created. PARAMETERS These parameters are displayed: • IP Address – ...
  • Page 419: Showing SNMP Statistics

    Figure 14-40: Showing SNMP Notification Logs. SHOWING SNMP STATISTICS Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units. CLI REFERENCES • “show snmp” ...
  • Page 420 • Get-next PDUs – The total number of SNMP Get-Next PDUs which have been accepted and processed, or generated, by the SNMP protocol entity. • Set-request PDUs – The total number of SNMP Set-Request PDUs which have been accepted and processed, or generated, by the SNMP protocol entity.
  • Page 421: Remote Monitoring

    Figure 14-41: Showing SNMP Statistics. REMOTE MONITORING Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 422 CLI REFERENCES • “Remote Monitoring Commands” on page 745. COMMAND USAGE • If an alarm is already defined for an index, the entry must be deleted before any changes can be made. PARAMETERS These parameters are displayed: • Index – ...
  • Page 423 ... threshold. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 0-65535) • Owner – Name of the person who created this entry. (Range: 1-127 characters) WEB INTERFACE To configure an RMON alarm: ...
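The alarm parameters on the preceding pages (sample interval, absolute or delta sampling, rising and falling thresholds, and the rising and falling event indexes that must exist in the event table) implement the RFC 2819 alarm group, whose important property is hysteresis: once a rising event has fired, another cannot fire until the sampled value has fallen to the falling threshold, and the reverse for falling events. The following is an added example, not the switch's own code, that evaluates a sample series under those rules; the event table and the counter values are constructed for the example, and the startup-alarm handling and the requirement that the falling threshold lie below the rising one are assumptions about how the switch validates the entry.

```python
"""RMON alarm evaluation with rising/falling thresholds (added example)."""


class RmonAlarm:
    def __init__(self, rising, falling, rising_event, falling_event,
                 sample_type="delta", startup="risingOrFalling", events=None):
        if falling >= rising:                       # assumed sanity check
            raise ValueError("falling threshold must be below rising threshold")
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.sample_type, self.startup = sample_type, startup
        self.events = events or {}                  # index -> "log" | "trap" | "log-and-trap"
        self.prev = None                            # last raw sample (delta mode)
        self.side = None                            # "above" / "below" / None (no crossing yet)

    def _fire(self, index):
        """Event index 0, or one absent from the event table, generates nothing."""
        return self.events.get(index)

    def sample(self, raw):
        """Feed one sample; return the action of the event fired, or None."""
        if self.sample_type == "delta":
            if self.prev is None:
                self.prev = raw
                return None                         # two samples are needed for a delta
            value, self.prev = raw - self.prev, raw
        else:
            value = raw
        first = self.side is None
        if value >= self.rising and self.side != "above":
            self.side = "above"                     # no further rising event until value <= falling
            if not first or self.startup in ("rising", "risingOrFalling"):
                return self._fire(self.rising_event)
        elif value <= self.falling and self.side != "below":
            self.side = "below"
            if not first or self.startup in ("falling", "risingOrFalling"):
                return self._fire(self.falling_event)
        return None


def run(alarm, samples):
    """Apply a sample series and return the list of actions taken per sample."""
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    # constructed ifInErrors counter readings, one per sampling interval
    alarm = RmonAlarm(rising=100, falling=50, rising_event=1, falling_event=2,
                      sample_type="delta", startup="rising",
                      events={1: "log-and-trap", 2: "log"})
    print(run(alarm, [0, 30, 140, 260, 300, 450]))
```

The fourth sample (a delta of 120, still above the rising threshold) produces nothing, which is exactly the behaviour that keeps a sustained error burst from flooding the trap manager; it takes the drop to a delta of 40 before the next burst is reported again.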
  • Page 424: Configuring RMON Events

    Figure 14-43: Showing Configured RMON Alarms. CONFIGURING RMON EVENTS Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
  • Page 425 ... settings for event logging (see “System Log Configuration” on page 370). • Trap – Sends a trap message to all configured trap managers (see “Specifying Trap Managers” on page 419). • Log and Trap – Logs the event and sends a trap message. ...
  • Page 426: Configuring RMON History Samples

    Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 14-45: Showing Configured RMON Events. CONFIGURING RMON HISTORY SAMPLES Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, ...
  • Page 427 ... normally assigned. For example, if control entry 15 is assigned to port 5, this index entry will be removed from the Show and Show Details page for port 8. PARAMETERS These parameters are displayed: • Port – ...
  • Page 428 Figure 14-46: Configuring an RMON History Sample. To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History.
  • Page 429: Configuring RMON Statistical Samples

    Figure 14-48: Showing Collected RMON History Samples. CONFIGURING RMON STATISTICAL SAMPLES Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
  • Page 430 Select a port from the list as the data source. Enter an index number and the name of the owner for this entry. Click Apply. Figure 14-49: Configuring an RMON Statistical Sample. To show configured RMON statistical samples: Click Administration, RMON.
  • Page 431: Switch Clustering

    Figure 14-51: Showing Collected RMON Statistical Samples. SWITCH CLUSTERING Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 432: Configuring General Settings for Clusters

    • The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN: Create VLAN 4093 (see “Configuring VLAN Groups” on page 150). Add the participating ports to this VLAN (see “Adding Static Members to VLANs” ...
  • Page 433: Cluster Member Configuration

    WEB INTERFACE To configure a switch cluster: Click Administration, Cluster. Select Configure Global from the Step list. Set the required attributes for a Commander or a managed candidate. Click Apply. Figure 14-52: Configuring a Switch Cluster. Use the Administration > ...
  • Page 434 Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate. Click Apply. Figure 14-53: Configuring Cluster Members. To show the cluster members: Click Administration, Cluster. Select Configure Member from the Step list.
  • Page 435: Managing Cluster Members

    MANAGING CLUSTER MEMBERS Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. CLI REFERENCES • “Switch Clustering” on page 714. PARAMETERS These parameters are displayed: • Member ID – ...
  • Page 436 Ethernet Ring Protection Switching. The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links. The mechanisms and protocol defined in G.8032 achieve highly reliable and stable protection; ...
  • Page 437 ... blocks the RPL and transmits an R-APS (NR, RB - ring blocked) message. Nodes receiving this message flush the forwarding database and unblock their previously blocked ports. The ring is now returned to Idle state. Figure 14-57: ERPS Ring Components (East Port, West Port ...)
  • Page 438 Ring nodes C and D, which are common to both ERP1 and ERP2, are called interconnection nodes. The ring link between the interconnection nodes is controlled and protected by the ring it belongs to. In the example for the Normal Condition, the ring link between ring nodes C and D is part of ERP1 and, as such, is controlled and protected by ERP1.
  • Page 439 ... unblocked (Protection state) to ensure proper connectivity among all ring nodes until the failure is recovered. Configure ERPS timers (Configure Domain – Configure Details): Set the Guard timer to prevent ring nodes from receiving outdated R-APS messages, the Hold-off timer to filter out intermittent link faults, and ...
  • Page 440: Erps Global Configuration

    Use the Administration > ERPS (Configure Global) page to globally enable or disable ERPS on the switch. CLI References: • “erps” on page 1051. Parameters: These parameters are displayed: • ERPS Status –...
  • Page 441 Parameters: These parameters are displayed: • Domain Name – Name of an ERPS ring. (Range: 1-12 characters) • Domain ID – ERPS ring identifier used in R-APS messages. (Range: 1-255) Show Domain Name –...
  • Page 442 of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed. • Forwarding – The transmission and reception of traffic is allowed; transmission, reception and forwarding of R-APS messages is allowed.
  • Page 443 • 2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2. (This is the default setting.) In addition to the basic features provided by version 1, version 2 also supports: • Multi-ring/ladder network support...
  • Page 444 • The Control VLAN must not be configured as a Layer 3 interface (with an IP address), a dynamic VLAN (with GVRP enabled), nor as a private VLAN. • In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN.
  • Page 445 • Revertive – Sets the method of recovery to Idle State through revertive or non-revertive mode. (Default: Enabled) • Revertive behavior allows the switch to automatically return the RPL from Protection state to Idle state through the exchange of protocol messages.
  • Page 446 • Recovery with Non-revertive Mode – In non-revertive operation, the ring does not automatically revert when all ring links and ring nodes have recovered and no external requests are active. Non-revertive operation is handled in the following way: The RPL Owner Node does not generate a response on reception of an R-APS (NR) message.
  • Page 447 The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL port that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB.
  • Page 448 WTB timer and waits for it to expire. While the WTB timer is running, any latent R-APS (MS) message is ignored due to the higher priority of the WTB running signal. When the WTB timer expires, it generates the WTB expire signal.
  • Page 449 For example, a node that has one ring port in SF condition and detects that the condition has been cleared will continuously transmit R-APS (NR) messages with its own Node ID as priority information over both ring ports, informing its neighbors that no request is present at this node.
  • Page 450 Figure 14-60: Sub-ring with Virtual Channel (Interconnection Node, RPL Port, Ring Node, Major Ring, Sub-ring with Virtual Channel, Virtual Channel). • Sub-ring without R-APS Virtual Channel – Under certain circumstances it may not be desirable to use a virtual channel to interconnect the sub-ring over an arbitrary Ethernet network.
  • Page 451 When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”. If this command is disabled, the following strings are used as the node identifier: • ERPSv1: 01-19-A7-00-00-01...
  • Page 452 When non-ERPS device protection is enabled on the ring, the ring ports on the RPL owner node and non-owner nodes will not be blocked when signal loss is detected by CCM loss events...
  • Page 453 RPL owner node receives an outdated remote MS request during the recovery process. When recovering from an FS or MS command, the delay timer must be long enough to receive any latent remote FS or MS commands. This delay timer, called the WTB timer, is defined to be 5 seconds longer than the guard timer.
  • Page 454 of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed. • Forwarding – The transmission and reception of traffic is allowed; transmission, reception and forwarding of R-APS messages is allowed.
  • Page 455 Figure 14-63: Creating an ERPS Ring. To configure the ERPS parameters for a ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Configure Details from the Action list. Configure the ERPS parameters for this node.
  • Page 456 Figure 14-64: Creating an ERPS Ring. To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list. Figure 14-65: Showing Configured ERPS Rings –...
  • Page 457: Erps Forced And Manual Mode Operations

    Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands. CLI References: • “erps forced-switch” on page 1071...
  • Page 458 node having a prior local forced switch request. The ring nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
  • Page 459 instead of directly issuing an FS command at the ring node under maintenance, in order to avoid falling into the above-mentioned unrecoverable situation. • Manual Switch – Blocks the specified ring port, in the absence of a failure or an FS command.
  • Page 460 ring node keeps the ring port blocked due to the previous manual switch command. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request.
  • Page 461: Connectivity Fault Management

    Chapter 14: Basic Administration Protocols Connectivity Fault Management Figure 14-66: Blocking an ERPS Ring Port. Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
  • Page 462 • A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
  • Page 463 Figure 14-68: Multiple CFM Maintenance Domains (Customer MA, Operator 1 MA, Operator 2 MA, Provider MA). Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
  • Page 464: Configuring Global Settings For Cfm

    defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
  • Page 465 CLI References: • “CFM Commands” on page 1269. Parameters: These parameters are displayed: Global Configuration • CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
  • Page 466 Linktrace responses are returned from each MIP along the path and from the target MEP. Information stored in the cache includes the maintenance domain name, MA name, MEPID, sequence number, and TTL value (see Displaying Fault Notification Settings). Link Trace Cache Hold Time –...
  • Page 467 • Cross Check MEP Missing – Sends a trap if the cross-check timer expires and no CCMs have been received from a remote MEP configured in the static list. A MEP Missing trap is sent if cross-checking is enabled, and no CCM is received for a remote MEP configured in the static list. Cross Check MEP Unknown –...
  • Page 468: Configuring Interfaces For Cfm

    Figure 14-69: Configuring Global Settings for CFM. CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
  • Page 469: Configuring Cfm Maintenance Domains

    Click Apply. Figure 14-70: Configuring Interfaces for CFM. Use the Administration > CFM (Configure MD) pages to create and configure a Maintenance Domain (MD), which defines a portion of the CFM network for which connectivity faults can be managed.
  • Page 470 “Default” or “Explicit,” and the MIP creation state machine is invoked (as defined in IEEE 802.1ag). The default option allows MIPs to be created for all interconnection points within an MA, regardless of the domain’s level in the maintenance hierarchy (e.g., customer, provider, or operator).
  • Page 471 Table 14-12: Remote MEP Priority Levels (Priority Level / Level Name / Description): remErrXcon – DefErrorCCM, DefXconCCM or DefRemoteCCM; errXcon – DefErrorCCM or DefXconCCM; xcon – DefXconCCM; noXcon – No defects DefXconCCM or lower are to be reported. Table 14-13: MEP Defect Descriptions (Defect / Description)...
  • Page 472 • MEP Archive Hold Time – The time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. (Range: 1-65535 minutes; Default: 100 minutes) A change to the hold time only applies to entries stored in the database after this attribute is changed.
  • Page 473: Configuring Cfm Maintenance Associations

    Figure 14-72: Showing Maintenance Domains. To configure detailed settings for maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters.
  • Page 474 the MEP List to assign domain service access points (DSAPs) to this service instance (see “Configuring Maintenance End Points” on page 485). • An MA must be defined before any associated DSAPs or remote MEPs can be assigned (see “Configuring Remote Maintenance End Points”...
  • Page 475 • MA Name – MA name. (Range: 1-43 alphanumeric characters) Each MA name must be unique within the CFM domain. • Primary VLAN – Service VLAN ID. (Range: 1-4094) This is the VLAN through which all CFM functions are executed for this MA. • MIP Creation Type –...
  • Page 476 The cross-check start delay, which sets the maximum delay this device waits for a remote MEP to come up before starting the cross-check operation, is a domain-level parameter. To set this parameter, use the CFM MD Configuration screen (see Configuring CFM Maintenance Domains).
  • Page 477 Select Configure MA from the Step list. Select Show from the Action list. Select an entry from the MD Index list. Figure 14-75: Showing Maintenance Associations. To configure detailed settings for maintenance associations: Click Administration, CFM.
  • Page 478: Configuring Maintenance End Points

    Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
  • Page 479: Configuring Remote Maintenance End Points

    Click Apply. Figure 14-77: Configuring Maintenance End Points. To show the configured maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 14-78: Showing Maintenance End Points. Use the Administration >...
  • Page 480 Command Usage: • All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process. • Remote MEPs can only be configured if local domain service access...
  • Page 481: Transmitting Link Trace Messages

    Figure 14-79: Configuring Remote Maintenance End Points. To show the configured remote maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 14-80: Showing Remote Maintenance End Points. Use the Administration >...
  • Page 482 • LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded. •...
  • Page 483: Transmitting Loop Back Messages

    Click Apply. Check the results in the Link Trace cache (see Displaying the Link Trace Cache). Figure 14-81: Transmitting Link Trace Messages. Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs).
  • Page 484 • Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191) • Target MEP ID – The identifier of a remote MEP that is the target of a...
  • Page 485: Transmitting Delay-Measure Requests

    Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association. CLI References: • “ethernet cfm delay-measure two-way” on page 1307...
  • Page 486 • Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5) • Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes;...
  • Page 487: Displaying Local Meps

    Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device. CLI References: • “show ethernet cfm maintenance-points local” on page 1284...
  • Page 488: Displaying Details For Local Meps

    Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database. CLI References: • “show ethernet cfm maintenance-points local detail mep”...
  • Page 489: Displaying Local Mips

    • Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions. Web Interface: To show detailed information for the MEPs configured on this device: Click Administration, CFM.
  • Page 490: Displaying Remote Meps

    Parameters: These parameters are displayed: • MD Name – Maintenance domain name. • Level – Authorized maintenance level for this domain. • MA Name – Maintenance association name. • Primary VLAN – Service VLAN ID. •...
  • Page 491: Displaying Details For Remote Meps

    • MA Name – Maintenance association name. • Level – Authorized maintenance level for this domain. • Primary VLAN – Service VLAN ID. • MEP Up – Indicates whether or not this MEP is functioning normally. •...
  • Page 492 • MA Name – Maintenance association name. • Level – Authorized maintenance level for this domain. • MAC Address – MAC address of this MEP entry. • Primary VLAN – Service VLAN ID. •...
  • Page 493: Displaying The Link Trace Cache

    Web Interface: To show detailed information for remote MEPs: Click Administration, CFM. Select Show Information from the Step list. Select Show Remote MEP Details from the Action list. Select an entry from MD Index and MA Index. Select a MEP ID.
  • Page 494 • MA – Maintenance association name. • IP Address / Alias – IP address or DNS alias of the target device’s CPU. • Forwarded – Shows whether or not this link trace message was...
  • Page 495: Displaying Fault Notification Settings

    • HIT – Target located on this device. Web Interface: To show information about link trace operations launched from this device: Click Administration, CFM. Select Show Information from the Step list. Select Show Link Trace Cache from the Action list. Figure 14-89: Showing the Link Trace Cache. Use the Administration >...
  • Page 496: Displaying Continuity Check Errors

    Web Interface: To show configuration settings for the fault notification generator: Click Administration, CFM. Select Show Information from the Step list. Select Show Fault Notification Generator from the Action list. Figure 14-90: Showing Settings for the Fault Notification Generator. Use the Administration >...
  • Page 497: Oam Configuration

    Chapter 14: Basic Administration Protocols OAM Configuration • VIDS – MA x is associated with a specific VID list, an MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port.
  • Page 498 CLI References: • “OAM Commands” on page 1309. Parameters: These parameters are displayed: • Port – Port identifier. (Range: 1-52) • Admin Status – Enables or disables OAM functions. (Default: Disabled) • Operation State – Shows the operational state between the local and...
  • Page 499 Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset. When system power fails, the switch will always send a dying gasp trap message prior to power down. Critical Event –...
  • Page 500: Displaying Statistics For Oam Messages

    Figure 14-92: Enabling OAM for Local Ports. Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port. CLI References...
  • Page 501: Displaying The Oam Event Log

    Figure 14-93: Displaying Statistics for OAM Messages. Use the Administration > OAM > Event Log page to display link events for the selected port. CLI References: • “show efm oam event-log interface”...
  • Page 502: Displaying The Status Of Remote Interfaces

    Figure 14-94: Displaying the OAM Event Log. Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices. CLI References: • “show efm oam status remote interface” on page 1319. Parameters: These parameters are displayed: Port –...
  • Page 503: Configuring A Remote Loop Back Test

    Web Interface: To display information about attached OAM-enabled devices: Click Administration, OAM, Remote Interface. Figure 14-95: Displaying Status of Remote Interfaces. Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
  • Page 504 • Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test. • Loopback Status – Shows if loopback testing is currently running. •...
  • Page 505: Displaying Results Of Remote Loop Back Testing

    Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply. Set the number of packets to send and the packet size, and then click Test.
  • Page 506: Udld Configuration

    Chapter 14: Basic Administration Protocols UDLD Configuration Select Show Test Result from the Action list. Figure 14-97: Displaying the Results of Remote Loop Back Testing. The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
  • Page 507: Configuring Udld Protocol Intervals

    Use the Administration > UDLD > Configure Global page to configure the UniDirectional Link Detection message probe interval, detection interval, and recovery interval. Parameters: These parameters are displayed: • Message Interval – Configures the message interval between UDLD...
  • Page 508: Configuring Udld Interface Settings

    Click Administration, UDLD, Configure Global. Select Configure Global from the Step list. Configure the message and detection intervals. Enable automatic recovery if required, and set the recovery interval. Click Apply. Figure 14-98: Configuring UDLD Protocol Intervals. Use the Administration >...
  • Page 509 • Aggressive Mode – Reduces the shut-down delay after loss of bidirectional connectivity is detected. (Default: Disabled) UDLD can function in two modes: normal mode and aggressive mode. • In normal mode, determination of link status at the end of the...
  • Page 510: Displaying Udld Neighbor Information

    Enable UDLD and aggressive mode on the required ports. Click Apply. Figure 14-99: Configuring UDLD Interface Settings. Use the Administration > UDLD (Show Information) page to show UDLD neighbor information, including neighbor state, expiration time, and protocol intervals.
  • Page 511 Figure 14-100: Displaying UDLD Neighbor Information...
  • Page 512: Multicast Filtering

    Chapter 15: Multicast Filtering Overview This chapter describes how to configure the following multicast services: • IGMP Snooping – Configures snooping and query parameters. • Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. • MLD Snooping –...
  • Page 513: Layer 2 Igmp (Snooping And Query For Ipv4)

    Chapter 15: Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router.
  • Page 514 acceptable), but for IGMPv3 hosts, it may include a specific address when requested. Only IGMPv3 hosts can request service from a specific multicast source. When downstream hosts request service from a specific source for a multicast service, these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources.
  • Page 515: Configuring Igmp Snooping And Query Parameters

    The only deviation from TR-101 is that the marking of IGMP traffic initiated by the switch with priority bits as defined in R-250 is not supported. Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently.
  • Page 516 When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. • Proxy Reporting Status –...
  • Page 517 The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets. • TCN Query Solicit – Sends out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs.
  • Page 518 • IGMP Unsolicited Report Interval – Specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. (Range: 1-65535 seconds, Default: 400 seconds) When a new upstream interface (that is, uplink port) starts up, the switch sends unsolicited reports for all currently learned multicast channels via the new upstream interface.
  • Page 519: Specifying Static Interfaces For A Multicast Router

    Figure 15-2: Configuring General Settings for IGMP Snooping. Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.
  • Page 520 Show Static Multicast Router: • VLAN – Selects the VLAN for which to display any configured static multicast routers. • Interface – Shows the interface to which the specified static multicast...
  • Page 521: Assigning Interfaces To Multicast Services

    Figure 15-4: Showing Static Interfaces Attached to a Multicast Router. To show all interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 522 Command Usage: • Static multicast addresses are never aged out. • When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
  • Page 523: Setting Igmp Snooping Status Per Interface

    Figure 15-7: Showing Static Interfaces Assigned to a Multicast Service. Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to...
  • Page 524 sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the occurrence of these events: • Upon the expiration of a periodic (randomized) timer. • As a part of a router's start up procedure.
  • Page 525 hosts want to receive multicast traffic. This is referred to as IGMP Snooping. (Default: Enabled) When IGMP snooping is enabled globally (see page 522), the per VLAN interface settings for IGMP snooping take precedence. When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.
  • Page 526 When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 527 This command applies when the switch is serving as the querier (page 522), or as a proxy host when IGMP snooping proxy reporting is enabled (page 522). • Last Member Query Interval –...
  • Page 528: Filtering Igmp Query Packets And Multicast Data

    Select the VLAN to configure and update the required parameters. Click Apply. Figure 15-8: Configuring IGMP Snooping on a VLAN. To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface.
  • Page 529: Displaying Multicast Groups Discovered By Igmp Snooping

    “ip multicast-data-drop” on page 1181. Parameters: These parameters are displayed: • Interface – Specifies port or trunk selection. • IGMP Query Drop – Configures an interface to drop any IGMP query...
  • Page 530: Displaying Igmp Snooping Statistics

    Parameters: These parameters are displayed: • VLAN – An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address. • Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
  • Page 531 Parameters: These parameters are displayed: • VLAN – VLAN identifier. (Range: 1-4094) • Port – Port identifier. (Range: 1-52) • Trunk – Trunk identifier. (Range: 1-16) Query Statistics: • Other Querier –...
  • Page 532 • Report – The number of IGMP membership reports received on this interface. • Leave – The number of leave messages received on this interface. • G Query – The number of general query messages received on this...
  • Page 533 Figure 15-12: Displaying IGMP Snooping Statistics – Query. To display IGMP snooping protocol-related statistics for a VLAN: Click Multicast, IGMP Snooping, Statistics. Select Show VLAN Statistics from the Action list. Select a VLAN.
  • Page 534: Filtering And Throttling Igmp Groups

    Chapter 15: Multicast Filtering Filtering and Throttling IGMP Groups To display IGMP snooping protocol-related statistics for a port: Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port. Figure 15-14: Displaying IGMP Snooping Statistics – Port...
  • Page 535: Enabling Igmp Filtering And Throttling

    dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group. Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.
  • Page 536 • Profile ID – Creates an IGMP profile. (Range: 1-4294967295) • Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
  • Page 537 Figure 15-17: Showing the IGMP Filtering Profiles Created To add a range of multicast groups to an IGMP filter profile: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add Multicast Group Range from the Action list.
  • Page 538: Configuring Igmp Filtering And Throttling For Interfaces

    Figure 15-19: Showing the Groups Assigned to an IGMP Filtering Profile Use the Multicast > IGMP Snooping > Filter (Configure Interface) page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an...
  • Page 539: Mld Snooping (Snooping And Query For Ipv6)

    Remember that IGMP Snooping and MLD Snooping are independent functions, and can therefore both function at the same time. Due to an ASIC limitation in the SSE-G2252, MLDv2 reports with a source list are not supported. The switch can only process IS_EX (is...
  • Page 540: Configuring Mld Snooping And Query Parameters

    Chapter 15: Multicast Filtering MLD Snooping (Snooping and Query for IPv6) excluded), TO_EX (change to excluded), and TO_IN (change to included) records without a source list. Use the Multicast > MLD Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the MLD query and report messages, the switch forwards multicast traffic only to the ports that...
  • Page 541: Setting Immediate Leave Status For Mld Snooping Per Interface

    This attribute controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member. • Router Port Expiry Time – The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.
  • Page 542: Specifying Static Interfaces For An Ipv6 Multicast Router

    PARAMETERS – These parameters are displayed: • VLAN – A VLAN identification number. (Range: 1-4094) • Immediate Leave Status – Immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate leave is enabled for the parent VLAN.
  • Page 543 COMMAND USAGE – MLD Snooping must be enabled globally on the switch (see “Configuring MLD Snooping and Query Parameters” on page 547) before a multicast router port can take effect. PARAMETERS – These parameters are displayed: • VLAN –...
  • Page 544 Figure 15-24: Showing Static Interfaces Attached to an IPv6 Multicast Router To show all the interfaces attached to a multicast router: Click Multicast, MLD Snooping, Multicast Router. Select Current Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 545 • When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. PARAMETERS – These parameters are displayed: • VLAN –...
  • Page 546: Showing Mld Snooping Groups And Source List

    Figure 15-27: Showing Static Interfaces Assigned to an IPv6 Multicast Service To display information about all IPv6 multicast groups, MLD Snooping or multicast routing must first be enabled on the switch. To show all of the interfaces statically or dynamically assigned to an IPv6 multicast service: Click Multicast, MLD Snooping, MLD Member.
  • Page 547 CLI REFERENCES: • “show ipv6 mld snooping group source-list” on page 1195 PARAMETERS – These parameters are displayed: • VLAN – VLAN identifier. (Range: 1-4094) • Interface – Port or trunk identifier. •...
  • Page 548: Multicast Vlan Registration For Ipv4

    Chapter 15: Multicast Filtering Multicast VLAN Registration for IPv4 Figure 15-29: Showing IPv6 Multicast Services and Corresponding Sources Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
  • Page 549: Configuring Mvr Global Settings

    Figure 15-30: MVR Concept (diagram labels: Multicast Router, Satellite Services, Service Network, Multicast Server, Source Port, Layer 2 Switch, Receiver Ports, Set-top Box) COMMAND USAGE – • General Configuration Guidelines for MVR: Enable MVR for a domain on the switch, and select the MVR VLAN (see “Configuring MVR Domain Settings”...
  • Page 550 PARAMETERS – These parameters are displayed: • Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
  • Page 551: Configuring Mvr Domain Settings

    • This parameter sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled. • Source Port Mode – Configures the switch to forward any multicast...
  • Page 552 CLI REFERENCES: • “MVR for IPv4” on page 1204 PARAMETERS – These parameters are displayed: • Domain ID – An independent multicast domain. (Range: 1-5) • MVR Status – When MVR is enabled on the switch, any multicast data...
  • Page 553: Configuring Mvr Group Address Profiles

    Click Apply. Figure 15-32: Configuring Domain Settings for MVR Use the Multicast > MVR (Configure Profile and Associate Profile) pages to assign the multicast group address for required services to one or more MVR domains.
  • Page 554 Associate Profile • Domain ID – An independent multicast domain. (Range: 1-5) • Profile Name – The name of a profile to be assigned to this domain. (Range: 1-21 characters) WEB INTERFACE – To configure an MVR group address profile: Click Multicast, MVR.
  • Page 555: Configuring Mvr Interface Status

    Click Multicast, MVR. Select Associate Profile from the Step list. Select Add from the Action list. Select a domain from the scroll-down list, and enter the name of a group profile. Click Apply.
  • Page 556: Assigning Static Mvr Multicast Groups To Interfaces

    COMMAND USAGE – • A port configured as an MVR receiver or source port can join or leave multicast groups configured under MVR. However, note that these ports can also use IGMP snooping to join or leave any other multicast groups using the standard rules for multicast filtering.
  • Page 557 must be manually configured as a member of the MVR VLAN (see “Adding Static Members to VLANs” on page 153). • Receiver – A subscriber port that can receive multicast data sent...
  • Page 558 Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached. Click Apply.
  • Page 559 • Group IP Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR group range configured on the Configure General page. WEB INTERFACE – To assign a static MVR group to an interface: Click Multicast, MVR.
  • Page 560: Displaying Mvr Receiver Groups

    Figure 15-39: Showing the Static MVR Groups Assigned to a Port Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
  • Page 561: Displaying Mvr Statistics

    Figure 15-40: Displaying MVR Receiver Groups Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface. CLI REFERENCES: • “show mvr statistics”...
  • Page 562 • Number of Reports Sent – The number of reports sent from this interface. • Number of Leaves Sent – The number of leaves sent from this interface. VLAN, Port, and Trunk Statistics Input Statistics • Report –...
  • Page 563 Figure 15-41: Displaying MVR Statistics – Query To display MVR protocol-related statistics for a VLAN: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR domain.
  • Page 564 Figure 15-42: Displaying MVR Statistics – VLAN To display MVR protocol-related statistics for a port: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR domain.
  • Page 565: Multicast Vlan Registration For Ipv6

    Chapter 15: Multicast Filtering Multicast VLAN Registration for IPv6 Figure 15-43: Displaying MVR Statistics – Port MVR6 functions in a manner similar to that described for MVR (see “Multicast VLAN Registration for IPv4” on page 555).
  • Page 566: Mvr For Ipv4

    CLI REFERENCES: • “MVR for IPv6” on page 1226 PARAMETERS – These parameters are displayed: • Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
  • Page 567 • Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds) • This parameter sets the general query interval at which active receiver ports send out general queries.
  • Page 568 Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider. CLI REFERENCES: “MVR for IPv6”...
  • Page 569 Click Multicast, MVR6. Select Configure Domain from the Step list. Select a domain from the scroll-down list. Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
  • Page 570 • MVR6 domains can be associated with more than one MVR6 profile. But since MVR6 domains cannot share the group range, an MVR6 profile can only be associated with one MVR6 domain. PARAMETERS – These parameters are displayed: Configure Profile...
  • Page 571 Click Multicast, MVR6. Select Configure Profile from the Step list. Select Show from the Action list. Figure 15-47: Displaying MVR6 Group Address Profiles To assign an MVR6 group address profile to a domain: Click Multicast, MVR6.
  • Page 572: Configuring Mvr6 Interface Status

    Figure 15-49: Showing MVR6 Group Address Profiles Assigned to a Domain Use the Multicast > MVR6 (Configure Interface) page to configure each interface that participates in the MVR6 protocol as a source port or receiver port.
  • Page 573 • Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
  • Page 574 WEB INTERFACE – To configure interface settings for MVR6: Click Multicast, MVR6. Select Configure Interface from the Step list. Select Port or Trunk interface. Select an MVR6 domain. Set each port that will participate in the MVR6 protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
  • Page 575 PARAMETERS – These parameters are displayed: • Domain ID – An independent multicast domain. (Range: 1-5) • Interface – Port or trunk identifier. • VLAN – VLAN identifier. (Range: 1-4094) • Group IPv6 Address – Defines a multicast service sent to the selected...
  • Page 576 Figure 15-52: Showing the Static MVR6 Groups Assigned to a Port Use the Multicast > MVR6 (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR6 receiver groups on each interface.
  • Page 577: Displaying Mvr6 Statistics

    Figure 15-53: Displaying MVR6 Receiver Groups Use the Multicast > MVR6 > Show Statistics pages to display MVR6 protocol-related statistics for the specified interface. CLI REFERENCES: • “show mvr6 statistics”...
  • Page 578 • Number of Leaves Sent – The number of leaves sent from this interface. VLAN, Port, and Trunk Statistics Input Statistics • Report – The number of MLD membership reports received on this...
  • Page 579 Figure 15-54: Displaying MVR6 Statistics – Query To display MVR6 protocol-related statistics for a VLAN: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR6 domain.
  • Page 580 To display MVR6 protocol-related statistics for a port: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR6 domain. Select a Port. Figure 15-56: Displaying MVR6 Statistics –...
  • Page 581: Ip Configuration

    Chapter 16: IP Configuration Setting the Switch’s IP Address (IP Version 4) This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types.
  • Page 582 • The precedence for configuring IP interfaces is the IP > General > Routing Interface (Add Address) menu, and then static routes. PARAMETERS – These parameters are displayed: • VLAN – ID of the configured VLAN (1-4094). By default, all ports on...
  • Page 583 Click Apply. Figure 16-1: Configuring a Static IPv4 Address To obtain a dynamic address through DHCP/BOOTP for the switch: Click IP, General, Routing Interface. Select Add Address from the Action list. Select any configured VLAN, and set IP Address Mode to “BOOTP”...
  • Page 584: Setting The Switch's Ip Address (Ip Version 6)

    Chapter 16: IP Configuration Setting the Switch’s IP Address (IP Version 6) If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address. Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
  • Page 585: Configuring The Ipv6 Default Gateway

    with a global unicast address. Both link-local and global unicast address types can either be dynamically assigned (using the Configure Interface page) or manually configured (using the Add IPv6 Address page). •...
  • Page 586 Figure 16-4: Configuring the IPv6 Default Gateway Use the IP > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including auto-configuration of a global unicast interface address, and explicit configuration of a link local...
  • Page 587 • Address Autoconfig – Enables stateless autoconfiguration of an IPv6 address on an interface and enables IPv6 functionality on that interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages, and the host portion is automatically generated using the modified EUI-64 form of the interface identifier (i.e., the switch’s MAC address).
  • Page 588 • ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600; Default: 3) • Configuring a value of 0 disables duplicate address detection. • Duplicate address detection determines if a new unicast IPv6...
  • Page 589 • The time limit configured by this parameter allows the router to detect unavailable neighbors. During the neighbor discovery process, an IPv6 node will multicast neighbor solicitation messages to search for neighbor nodes.
  • Page 590 IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network. This information may include the default router address taken from the observed source address of the RA message, as well as on-link prefix information.
  • Page 591: Configuring An Ipv6 Address

    Click IP, IPv6 Configuration. Select Configure Interface from the Action list. Select RA Guard mode. Enable RA Guard for untrusted interfaces. Click Apply. Figure 16-6: Configuring RA Guard for an IPv6 Interface Use the IP >...
  • Page 592 • The global unicast address can be automatically configured by taking the network prefix from router advertisements observed on the local interface, and using the modified EUI-64 form of the interface identifier to automatically create the host portion of the address (see “Configuring IPv6 Interface Settings”...
  • Page 593 length is less than 64 bits. If the specified prefix length exceeds 64 bits, then the bits used in the network portion of the address will take precedence over the interface identifier. •...
  • Page 594 Figure 16-7: Configuring an IPv6 Address Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI REFERENCES: “show ipv6 interface”...
  • Page 595 Note that the solicited-node multicast address (link-local scope FF02) is used to resolve the MAC addresses for neighbor nodes since IPv6 does not support the broadcast method used by the Address Resolution Protocol in IPv4.
  • Page 596 Table 16-1: Show IPv6 Neighbors - display description (Continued) Field / Description: State – The following states are used for dynamic entries: • Incomplete - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
  • Page 597 CLI REFERENCES: • “show ipv6 traffic” on page 1358 COMMAND USAGE – This switch provides statistics for the following traffic types: • IPv6 – The Internet Protocol for Version 6 addresses provides a...
  • Page 598 Table 16-2: Show IPv6 Statistics - display description (Continued) Field / Description: Address Errors – The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 599 Table 16-2: Show IPv6 Statistics - display description (Continued) Field / Description: Fragment Succeeded – The number of IPv6 datagrams that have been successfully fragmented at this output interface. Fragment Failed – The number of IPv6 datagrams that have been discarded because they needed to be fragmented at this output interface but could not be.
  • Page 600 Table 16-2: Show IPv6 Statistics - display description (Continued) Field / Description: Time Exceeded Messages – The number of ICMP Time Exceeded messages sent by the interface. Parameter Problem Message – The number of ICMP Parameter Problem messages sent by the interface.
  • Page 601: Showing Ipv6 Statistics

    Figure 16-10: Showing IPv6 Statistics (IPv6) Figure 16-11: Showing IPv6 Statistics (ICMPv6)
  • Page 602: Showing The Mtu For Responding Destinations

    Figure 16-12: Showing IPv6 Statistics (UDP) Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 603
  • Page 604: Ip Services

    Chapter 17: IP Services Domain Name Service This chapter describes how to configure Domain Name Service (DNS) and a DHCP client identifier for the switch. For information on DHCP snooping which is included in this folder, see “DHCP Snooping”...
  • Page 605: Configuring A List Of Domain Names

    PARAMETERS – These parameters are displayed: • Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) • Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 606: Configuring A List Of Name Servers

    • When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see “Configuring a List of Name Servers”...
  • Page 607 CLI REFERENCES: • “ip name-server” on page 1324 • “show dns” on page 1326 COMMAND USAGE – • To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters”...
  • Page 608: Configuring Static Dns Host To Address Entries

    Figure 17-5: Showing the List of Name Servers for DNS Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
  • Page 609: Displaying The Dns Cache

    Figure 17-6: Configuring Static Entries in the DNS Table To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 17-7: Showing Static Entries in the DNS Table Use the IP Service >...
  • Page 610: Dynamic Host Configuration Protocol

    Chapter 17: IP Services Dynamic Host Configuration Protocol • IP – The IP address associated with this record. • TTL – The time to live reported by the name server. • Host – The host name associated with this record. WEB INTERFACE – To display entries in the DNS cache: Click IP Service, DNS, Cache.
  • Page 611 • By default, DHCP option 66/67 parameters are not carried in a DHCP server reply. To ask for a DHCP reply with option 66/67 information, the DHCP client request sent by this switch includes a “parameter request list”...
  • Page 612 that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server. When the server receives the DHCP request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client’s subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch).
  • Page 613: Enabling Dhcp Dynamic Provision

    Chapter 17: IP Services Enabling DHCP Dynamic Provision Use the IP Service > DHCP > Dynamic Provision page to enable dynamic provisioning via DHCP. CLI REFERENCES: • “ip dhcp dynamic-provision” on page 1329 COMMAND USAGE – DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.
  • Page 614: Configuring The Pppoe Intermediate Agent

    Chapter 17: IP Services Configuring the PPPoE Intermediate Agent This section describes how to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers. Use the IP Service >...
  • Page 615: Configuring Pppoe Ia Interface Settings

    PPPoE Discover packet too large to process. Try reducing the number of tags added.) • Operational Generic Error Message – The configured generic error message. WEB INTERFACE – To configure global settings for PPPoE IA: Click IP Service, PPPoE Intermediate Agent.
  • Page 616 • Set any interfaces connecting the switch to a PPPoE Server as trusted. Interfaces that connect the switch to users (PPPoE clients) should be set as untrusted. • At least one trusted interface must be configured on the switch for the PPPoE IA to function.
  • Page 617: Showing Pppoe Ia Statistics

    Click Apply. Figure 17-14: Configuring Interface Settings for PPPoE Intermediate Agent Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages. CLI REFERENCES...
  • Page 618 WEB INTERFACE – To show statistics for PPPoE IA protocol messages: Click IP Service, PPPoE Intermediate Agent. Select Show Statistics from the Step list. Select Port or Trunk interface type. Figure 17-15: Showing PPPoE Intermediate Agent Statistics –...
  • Page 619: General Ip Routing

    Chapter 18: General IP Routing Overview IP R ENERAL OUTING This chapter provides information on network functions including: • Ping – Sends ping message to another node on the network. Trace Route – Sends ICMP echo request packets to another node on the •...
  • Page 620: Ip Routing And Switching

    Chapter 18: General IP Routing IP Routing and Switching Figure 18-1: Virtual Interfaces and Layer 3 Routing Inter-subnet traffic (Layer 3 switching) Routing Untagged Untagged VLAN 1 VLAN 2 Tagged or Untagged Tagged or Untagged Tagged or Untagged Tagged or Untagged Intra-subnet traffic (Layer 2 switching) IP R OUTING AND...
  • Page 621: Routing Path Management

    Chapter 18: General IP Routing IP Routing and Switching broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
  • Page 622: Configuring IP Routing Interfaces

    Chapter 18: General IP Routing, Configuring IP Routing Interfaces. • Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch. • Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.
  • Page 623: Using The Ping Function

    Chapter 18: General IP Routing, Configuring IP Routing Interfaces. To configure a default gateway for IPv4, use the static routing table as described on page 639, enter 0.0.0.0 for the IP address and subnet mask, and then specify this switch itself or another router as the gateway. To configure a gateway for IPv6, see “Configuring the IPv6 Default Gateway”...
  • Page 624: Using The Trace Route Function

    Chapter 18: General IP Routing, Configuring IP Routing Interfaces. the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface. • You can also ping a multicast global address within the full range of FFxE::/16. Web Interface: To ping another device on the network: Click IP, General, Ping.
  • Page 625 Chapter 18: General IP Routing, Configuring IP Routing Interfaces. Command Usage: • Use the trace route function to determine the path taken to reach a specified destination. • A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or when the maximum number of hops is exceeded.
  • Page 626: Address Resolution Protocol

    Chapter 18: General IP Routing, Address Resolution Protocol. The router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
  • Page 627 Chapter 18: General IP Routing, Address Resolution Protocol. traffic to the router, which in turn uses its own routing table to forward the traffic to the remote destination. Figure 18-4: Proxy ARP (figure labels: proxy ARP request; host with no routing and no default gateway; remote ARP server). Parameters...
  • Page 628: Configuring Static ARP Addresses

    Chapter 18: General IP Routing, Address Resolution Protocol. Configuring Static ARP Addresses: For devices that do not respond to ARP requests, or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address.
  • Page 629: Displaying Dynamic or Local ARP Entries

    Chapter 18: General IP Routing, Address Resolution Protocol. Figure 18-6: Configuring Static ARP Entries. To display static entries in the ARP cache: Click IP, ARP. Select Configure Static Address from the Step List. Select Show from the Action List. Figure 18-7: Displaying Static ARP Entries. Use the IP >...
  • Page 630: Displaying ARP Statistics

    Chapter 18: General IP Routing, Address Resolution Protocol. Figure 18-8: Displaying Dynamic ARP Entries. To display all local entries in the ARP cache: Click IP, ARP. Select Show Information from the Step List. Click Other Address. Figure 18-9: Displaying Local ARP Entries. Use the IP >...
  • Page 631: Configuring Static Routes

    Command Usage: • Up to 24 static routes can be configured. • Due to a hardware limitation on the SSE-G2252, static routes do not work with DiffServ. Hardware processing of static routes is enabled by default. If you must use DiffServ, then use the...
  • Page 632: Displaying The Routing Table

    Chapter 18: General IP Routing, Displaying the Routing Table. • Next Hop – IP address of the next router hop used for this route. • Distance – An administrative distance indicating that this route can be overridden by other routing information. (Range: 1-255, Default: 1) Web Interface: To configure static routes: Click IP, Routing, Static Routes.
  • Page 633 Chapter 18: General IP Routing, Displaying the Routing Table. than one of these methods, the priority for route selection is local, static, and then dynamic (except when the distance parameter of a dynamic route is set to a value that makes its priority exceed that of a static route). Also note that the route for a local interface is not enabled (i.e., listed in the routing table) unless there is at least one active link connected to that interface.
  • Page 634 Chapter 18: General IP Routing, Displaying the Routing Table. Click IP, Routing, Routing Table. Figure 18-13: Displaying the Routing Table...
  • Page 635: Command Line Interface

    Section: Command Line Interface. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: • “General Commands” on page 645 • “System Management Commands” on page 653 • “SNMP Commands”...
  • Page 636 • “Spanning Tree Commands” on page 1021 • “ERPS Commands” on page 1049 • “VLAN Commands” on page 1079 • “Class of Service Commands” on page 1121 • “Quality of Service Commands” on page 1133 • “Multicast Filtering Commands” on page 1151 •...
  • Page 637: General Commands

    Chapter 19: General Commands. The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 19-1: General Commands (Command – Function – Mode): prompt – Customizes the CLI prompt; reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval; enable – Activates privileged mode...
  • Page 638 Chapter 19: General Commands. Command Usage: This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt. Example: Console(config)#prompt RD2 RD2(config)#...
  • Page 639 Chapter 19: General Commands. Command Mode: Global Configuration. Command Usage: • This command resets the entire system. • Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. • When the system is restarted, it will always run the Power-On Self-Test. •...
  • Page 640 Chapter 19: General Commands. Default Setting: Level 15. Command Mode: Normal Exec. Command Usage: • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command.) •...
  • Page 641 Chapter 19: General Commands. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The history buffer size is fixed at 10 Execution commands and 10 Configuration commands. Example: In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history:...
  • Page 642 Chapter 19: General Commands. Example: Console#configure Console(config)# Related Commands: end (651). disable: This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.
  • Page 643 Chapter 19: General Commands. Example: This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y. show reload: This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode: Privileged Exec. Example...
  • Page 644 Chapter 19: General Commands. Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:...
  • Page 645: System Management Commands

    Chapter 20: System Management Commands, Device Designation. The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 20-1: System Management Commands (Command Group – Function): Device Designation...
  • Page 646: System Status

    Chapter 20: System Management Commands, System Status. no hostname. name - The name of this host. (Maximum length: 255 characters) Default Setting: None. Command Mode: Global Configuration. Example: Console(config)#hostname RD#1 Console(config)# System Status: This section describes commands used to display system information. Table 20-3: System Status Commands (Command – Function)...
  • Page 647 Chapter 20: System Management Commands, System Status. Command Mode: Privileged Exec. Command Usage: Policy control entries (PCEs) are used by various system functions which rely on rule-based searches, including Access Control Lists (ACLs), IP Source Guard filter rules, Quality of Service (QoS) processes, or traps. For example, when binding an ACL to a port, each rule in an ACL will use two PCEs;...
  • Page 648 Chapter 20: System Management Commands, System Status. Command Mode: Normal Exec, Privileged Exec. Example: Console#show process cpu CPU Utilization in the past 5 seconds : 39% CPU Utilization in the past 60 seconds Average Utilization : 36% Maximum Utilization : 39% Alarm Status Current Alarm Status : Off...
  • Page 649 Chapter 20: System Management Commands, System Status. Table 20-4: show process cpu guard - display description (Field – Description): Low Watermark – If packet flow has been stopped after exceeding the high watermark, normal flow will be restored after usage falls beneath the low watermark.
  • Page 650 Chapter 20: System Management Commands, System Status. (show process cpu task list, continued; three utilization columns per task) DRIVER_GROUP_FR 0.00 0.00 0.00; DRIVER_GROUP_TW 4.00 1.90 4.04; DRIVER_GROUP_TX 0.00 0.00 0.00; ERPS_GROUP 0.00 0.00 0.00 0.00 0.00 0.00; GVRP_GROUP 0.00 0.00 0.00; HTTP_TD 0.00 0.00 0.00; IML_RX 0.00 0.00 0.00; IML_TX 0.00 0.00 0.00; IP_SERVICE_GROU...
  • Page 651 Chapter 20: System Management Commands, System Status. WEB_PROC 0.00 0.00 0.00; WEBAUTH_TD 0.00 0.00 0.00; WTDOG_PROC 0.00 0.00 0.00; XFER_GROUP 0.00 0.00 0.00; XFER_PROC 0.00 0.00 0.00; XFER_TD 0.00 0.00 0.00 Console# show running-config: This command displays the configuration information currently in use. Syntax...
  • Page 652 Chapter 20: System Management Commands, System Status. • Any configured settings for the console port and Telnet. Example: Console#show running-config Building startup configuration. Please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac> snmp-server community public ro snmp-server community private rw snmp-server enable traps authentication username ADMIN access-level 15 username ADMIN password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4...
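The password fields in the running-config above deserve a closer look. The value stored for ADMIN, 21232f297a57a5a743894a0e4a801fc3, is the unsalted MD5 digest of the string admin, so a "password 7" value in this format is only as secret as the word behind it: anyone who can read the configuration (a backup on a TFTP server, a copied startup file) can test it against a wordlist offline. The same dump also shows the factory SNMP community strings public (ro) and private (rw). The script below is an added example and is not part of the manual or of Supermicro's software: it parses a show running-config dump and reports accounts whose hash matches a wordlist entry together with any default community strings. The sample configuration is constructed from the lines on this page plus one extra account, and the wordlist and severity labels are the example's own assumptions.

```python
"""Audit a 'show running-config' dump from the switch for weak defaults.

Added example, not Supermicro code.  The 'password 7' values in the
running-config are unsalted MD5 hex digests (the ADMIN value printed on
this page is md5("admin")), so they can be checked against a wordlist
offline.  Also flags the factory SNMP community strings.
"""
import hashlib
import re

# Constructed sample: the show running-config lines shown on this page,
# plus one extra account ('ops') whose hash is not in the wordlist.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server enable traps authentication
username ADMIN access-level 15
username ADMIN password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
username ops access-level 15
username ops password 7 0123456789abcdef0123456789abcdef
"""

# Assumption: a short list of common default passwords to test.
WORDLIST = ("admin", "guest", "super", "password", "123456", "supermicro")

# Community strings this switch family ships with (see the snmp-server
# community default-setting text on this page).
DEFAULT_COMMUNITIES = {"public", "private"}

_LEVEL_RE = re.compile(r"^username\s+(\S+)\s+access-level\s+(\d+)$")
_PASS_RE = re.compile(r"^username\s+(\S+)\s+password\s+(\d)\s+(\S+)$")
_COMM_RE = re.compile(r"^snmp-server\s+community\s+(\S+)\s+(ro|rw)$")


def parse_users(config):
    """Return {user: {"level": int, "type": str, "hash": str}} from the dump."""
    users = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = _LEVEL_RE.match(line)
        if m:
            users.setdefault(m.group(1), {})["level"] = int(m.group(2))
            continue
        m = _PASS_RE.match(line)
        if m:
            users.setdefault(m.group(1), {}).update(
                type=m.group(2), hash=m.group(3).lower())
    return users


def crack_md5(digest, wordlist=WORDLIST):
    """Return the wordlist entry whose unsalted MD5 equals digest, else None."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def audit(config):
    """Return a list of (severity, message) findings for a running-config."""
    findings = []
    for user, info in sorted(parse_users(config).items()):
        if info.get("type") == "7" and "hash" in info:
            hit = crack_md5(info["hash"])
            if hit is not None:
                # A guessable password on a level-15 account is full control.
                sev = "HIGH" if info.get("level") == 15 else "MEDIUM"
                findings.append((sev, f"user {user}: password is the dictionary word '{hit}'"))
    for raw in config.splitlines():
        m = _COMM_RE.match(raw.strip())
        if m and m.group(1) in DEFAULT_COMMUNITIES:
            sev = "HIGH" if m.group(2) == "rw" else "MEDIUM"
            findings.append((sev, f"SNMP community '{m.group(1)}' ({m.group(2)}) is a factory default"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a saved copy of the running configuration; an account at access level 15 whose hash matches a wordlist entry and a read-write community left at its default are the two findings that give an attacker on the management network full control of the switch.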
  • Page 653 • For a description of the items shown by this command, refer to “Displaying System Information” on page • The ECS4210-52T / SSE-G2252P has three fans (ECS4210-52P: 3). Example: Console#show system System Description : SSE-G2252 System OID String : 1.3.6.1.4.1.259.10.1.39.101...
  • Page 654 Example: Console#show tech-support show system: System Description : SSE-G2252 Managed GE Switch System OID String : 1.3.6.1.4.1.259.10.1.39.101 System Information System Up Time : 0 days, 1 hours, 28 minutes, and 51.70 seconds...
  • Page 655 Chapter 20: System Management Commands, System Status. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example: Console#show users User Name Accounts: User Name Privilege Public-Key --------- --------- ----------...
  • Page 656: Frame Size

    Chapter 20: System Management Commands, Frame Size. Console# show watchdog: This command shows if watchdog debugging is enabled. Command Mode: Privileged Exec. Example: Console#show watchdog Software Watchdog Information Status : Enabled Console# watchdog software: This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
  • Page 657: File Management

    Chapter 20: System Management Commands, File Management. Syntax: [no] jumbo frame. Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: • This switch provides more efficient throughput for large sequential data transfers by supporting Layer 2 jumbo frames on Gigabit Ethernet ports or trunks up to 10240 bytes.
  • Page 658 Chapter 20: System Management Commands, File Management. Saving or Restoring Configuration Settings: Configuration settings can be uploaded and downloaded to and from an FTP/SFTP/TFTP server. The configuration file can be later downloaded to restore switch settings. The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it.
  • Page 659 Chapter 20: System Management Commands, File Management. filename - Name of configuration file or code image. * The colon (:) is required. Default Setting: None. Command Mode: Global Configuration. Command Usage: • A colon (:) is required after the specified file type. •...
  • Page 660 Chapter 20: System Management Commands, File Management. running-config - Keyword that allows you to copy to/from the current running configuration. sftp - Keyword that copies a file to or from an SFTP server. startup-config - The configuration used for system initialization. tftp - Keyword that allows you to copy to/from a TFTP server.
  • Page 661 Chapter 20: System Management Commands, File Management. • Although the underlying premises of SFTP are similar to SCP, it requires some additional steps to verify the protocol versions and perform security checks. SFTP connection setup includes verification of the DSS signature, creation of session keys, creation of client-server and server-client ciphers, SSH key exchange, and user authentication.
  • Page 662 Chapter 20: System Management Commands, File Management. Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 663 Chapter 20: System Management Commands, File Management. This example shows how to copy a file from an SFTP server. Note that the public key offered by the server is not found on the local system, but is saved locally after the user selects to continue the copy operation. Accepting at that prompt is a trust-on-first-use decision, so confirm the server's key fingerprint out of band before continuing. Console#copy sftp file SFTP server IP address: 192.168.0.110 Choose file type:...
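The prompt in the copy sftp example above accepts whatever key the server offers once the operator says yes. The code below is an added example and is not part of the manual or of Supermicro's software; it shows how a management host that scripts these transfers can instead pin the server's key to a fingerprint recorded out of band. It builds an OpenSSH-style ssh-ed25519 public key line from constructed bytes, computes the SHA256 fingerprint in the form OpenSSH prints, and returns match, MISMATCH or unknown, of which only match should let an unattended transfer continue. The server address 192.168.0.110 is the one used on this page; the key material and the second host address are constructed.

```python
"""Pin an SFTP server's host key instead of accepting it on first use.
The 'copy sftp' dialog saves an unknown server key once the operator
answers yes; a management host scripting transfers should compare the
offered key against a fingerprint recorded out of band and refuse on
mismatch or unknown.

Added example, not Supermicro code.  Key bytes are constructed.
"""
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack("!I", len(data)) + data


def make_ed25519_pubkey_line(raw32, comment="sftp-server"):
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> <comment>' line."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Return (key_type, blob) after checking the blob agrees with the prefix."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1], validate=True)
    (tlen,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + tlen].decode() != parts[0]:
        raise ValueError("key type in blob does not match prefix")
    return parts[0], blob


def fingerprint(line):
    """SHA256 fingerprint in OpenSSH's format: 'SHA256:' + unpadded base64."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_decision(host, offered_line, known):
    """known: {host: fingerprint}.  'match' is the only result that should
    let an unattended transfer continue; 'unknown' means record the
    fingerprint out of band first; 'MISMATCH' means stop and investigate."""
    offered = fingerprint(offered_line)
    if host not in known:
        return "unknown"
    return "match" if known[host] == offered else "MISMATCH"


# Constructed keys; 192.168.0.110 is the SFTP server address used on this page.
SERVER_KEY = make_ed25519_pubkey_line(bytes(range(32)))
IMPOSTOR_KEY = make_ed25519_pubkey_line(bytes(range(1, 33)))
KNOWN_HOSTS = {"192.168.0.110": fingerprint(SERVER_KEY)}

if __name__ == "__main__":
    print(fingerprint(SERVER_KEY))
    print(host_key_decision("192.168.0.110", IMPOSTOR_KEY, KNOWN_HOSTS))
```

The fingerprint string produced here is the same form shown by ssh-keygen -lf on the server, which is what an administrator would read off the console of the SFTP host and record before the first transfer.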
  • Page 664 Chapter 20: System Management Commands, File Management. Syntax: dir {boot-rom: | config: | opcode:} [filename]. boot-rom - Boot ROM (or diagnostic) image file. config - Switch configuration file. opcode - Run-time operation code image file. filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
  • Page 665 The name for the new image stored on the TFTP server must be SSE-G2252-SERIES.BIX. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the...
  • Page 666 Chapter 20: System Management Commands, File Management. image not set to start up the system will be overwritten by the new version. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful. It sets the new version as the startup image.
  • Page 667 Chapter 20: System Management Commands, File Management. Command Usage: • This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command. • The name for the new image stored on the TFTP server must be SSE-...
  • Page 668 Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path File Name : SSE-G2252-series.bix Console# TFTP Configuration Commands. ip tftp retry: This command specifies the number of times the switch can retry transmitting a request to a TFTP server after waiting for the configured timeout period and receiving no response.
  • Page 669 Chapter 20: System Management Commands, File Management. ip tftp timeout: This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting. Syntax: ip tftp timeout seconds; no ip tftp timeout...
  • Page 670: Line

    Chapter 20: System Management Commands, Line. You can access the onboard configuration program by attaching a VT100 compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 671 Chapter 20: System Management Commands, Line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting: There is no default line. Command Mode: Global Configuration. Command Usage: Telnet is considered a virtual terminal connection and will be shown as “VTY”...
  • Page 672 Chapter 20: System Management Commands, Line. Console(config-line)#databits 7 Console(config-line)# Related Commands: parity (681). exec-timeout: This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax: exec-timeout [seconds]; no exec-timeout. seconds - Integer that specifies the timeout interval.
  • Page 673 Chapter 20: System Management Commands, Line. local - Selects local password checking. Authentication is based on the user name specified with the username command. Default Setting: login local. Command Mode: Line Configuration. Command Usage: • There are three authentication modes provided by the switch itself at login: •...
  • Page 674 Chapter 20: System Management Commands, Line. odd - Odd parity. Default Setting: No parity. Command Mode: Line Configuration. Command Usage: Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example: To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# password: This command specifies the password for a line.
  • Page 675 Chapter 20: System Management Commands, Line. Example: Console(config-line)#password 0 secret Console(config-line)# Related Commands: login (680), password-thresh (683). password-thresh: This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
  • Page 676 Chapter 20: System Management Commands, Line. Syntax: silent-time [seconds]; no silent-time. seconds - The number of seconds to disable console response. (Range: 0-65535; where 0 means disabled) Default Setting: Disabled. Command Mode: Line Configuration. Example: To set the silent time to 60 seconds, enter this command: Console(config-line)#silent-time 60 Console(config-line)# Related...
  • Page 677 Chapter 20: System Management Commands, Line. Console(config-line)#speed 57600 Console(config-line)# stopbits: This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax: stopbits {1 | 2}; no stopbits. 1 - One stop bit. 2 - Two stop bits. Default Setting...
  • Page 678 Chapter 20: System Management Commands, Line. • The timeout for Telnet cannot be disabled. • Using the command without specifying a timeout restores the default setting. Example: To set the timeout to two minutes, enter this command: Console(config-line)#timeout login response 120 Console(config-line)# This command terminates an SSH, Telnet, or console connection.
  • Page 679 Chapter 20: System Management Commands, Line. escape-character - The keyboard character used to escape from current line input. ASCII-number - ASCII decimal equivalent. (Range: 0-255) character - Any valid keyboard character. history - The number of lines stored in the command buffer, and recalled using the arrow keys.
  • Page 680: Event Logging

    Chapter 20: System Management Commands, Event Logging. Example: To show all lines, enter this command: Console#show line Terminal Configuration for this session: Length : 24 Width : 80 History Size : 10 Escape Character(ASCII-number) : 27 Terminal Type : VT100 Console Configuration: Password Threshold : 3 times EXEC Timeout...
  • Page 681 Chapter 20: System Management Commands, Event Logging. logging command: This command controls the logging of commands entered in the CLI. Use the no form to restore the default setting. Syntax: [no] logging command. Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: This command controls the logging of commands entered through the CLI to temporary system RAM (i.e., memory flushed on...
  • Page 682 Chapter 20: System Management Commands, Event Logging. logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax: logging history {flash | ram} level; no logging history {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 683 Chapter 20: System Management Commands, Event Logging. Syntax: logging host host-ip-address [port udp-port]; no logging host host-ip-address. host-ip-address - The IPv4 or IPv6 address of a syslog server. udp-port - The UDP port number used by the remote server. (Range: 1-65535) Default Setting: UDP Port: 514...
  • Page 684 Chapter 20: System Management Commands, Event Logging. Related Commands: logging history (690), logging trap (692), clear log (692). logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 685 Chapter 20: System Management Commands, Event Logging. Command Mode: Privileged Exec. Example: Console#clear log Console# Related Commands: show log (693). show log: This command displays the log messages stored in local memory. Syntax: show log {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 686 Chapter 20: System Management Commands, Event Logging. show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax: show logging {command | flash | ram | sendmail | trap}. command - Displays settings for storing commands entered through the CLI.
  • Page 687: SMTP Alerts

    Chapter 20: System Management Commands, SMTP Alerts. Remote Log Facility Type : Local use 7 Remote Log Level Type : Debugging messages Remote Log Server IP Address : 1.2.3.4 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Console#...
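The show logging output above has the switch sending to facility local7 with everything down to debugging forwarded to the collector. The script below is an added example, not the manual's or Supermicro's code, for the receiving side: it decodes the RFC 3164 PRI field, applies the same "level N and below" cut-off that the logging trap and logging history commands use, and then counts failed logins per source address against a threshold, the same idea as the password-thresh default of 3 shown in the show line output. The log message wording (login failed for user ... from ...) and the timestamps are constructed, because the switch's actual message text is not given on this page; the regular expression that matches it is therefore an assumption to adjust against real output.

```python
"""Collector-side handling of syslog from the switch: decode the PRI
field, apply the 'level N and below' severity cut-off that logging trap /
logging history use, and flag repeated login failures per source
(the same idea as the switch's own password-thresh, default 3).

Added example, not Supermicro code.  Message bodies below are constructed;
the switch's real login-failure text may differ, so _FAIL_RE is an assumption.
"""
from collections import defaultdict, deque
import re

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}   # local0..local7

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
_FAIL_RE = re.compile(r"login failed for user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})", re.I)


def decode_pri(line):
    """Split '<PRI>body' into (facility, severity, body); PRI = fac*8 + sev."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("malformed PRI field")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).strip()


def keep_by_level(lines, level):
    """Mimic 'logging trap <level>': keep severities level..0, drop the rest."""
    return [ln for ln in lines if decode_pri(ln)[1] <= level]


def detect_bruteforce(events, threshold=3, window=60):
    """events: iterable of (ts_seconds, body).  Emit one alert per source
    the first time it reaches `threshold` failures within `window` seconds."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, body in events:
        m = _FAIL_RE.search(body)
        if not m:
            continue
        user, src = m.groups()
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:        # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, sorted({u for _, u in q}), len(q)))
    return alerts


# Constructed sample: (timestamp in seconds, raw syslog line), facility local7 (23)
SAMPLE = [
    (0,    "<190>SSE-G2252: login failed for user admin from 10.0.0.5"),   # local7.info
    (5,    "<190>SSE-G2252: login failed for user ADMIN from 10.0.0.5"),
    (9,    "<190>SSE-G2252: login failed for user root from 10.0.0.5"),
    (12,   "<190>SSE-G2252: login failed for user admin from 10.0.0.9"),
    (20,   "<191>SSE-G2252: Unit 1, Port 3 link-down notification"),      # local7.debug
    (3600, "<190>SSE-G2252: login failed for user admin from 10.0.0.9"),   # outside window
]


def run(sample=SAMPLE, level=6, threshold=3, window=60):
    """Apply the severity cut-off, then the brute-force detector."""
    kept = [(ts, decode_pri(line)[2]) for ts, line in sample
            if decode_pri(line)[1] <= level]
    return detect_bruteforce(kept, threshold, window)


if __name__ == "__main__":
    for src, users, count in run():
        print(f"ALERT {src}: {count} failed logins, users tried {users}")
```

Setting the collector's threshold to the switch's own password-thresh value means the alert fires at the same moment the switch starts refusing the line, which is the point at which an operator wants to know.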
  • Page 688 Chapter 20: System Management Commands, SMTP Alerts. Default Setting: Enabled. Command Mode: Global Configuration. Example: Console(config)#logging sendmail Console(config)# logging sendmail host: This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server. Syntax: [no] logging sendmail host host. host - IPv4 or IPv6 address of an SMTP server that will be sent alert...
  • Page 689 Chapter 20: System Management Commands, SMTP Alerts. Syntax: logging sendmail level level; no logging sendmail level. level - One of the system message levels (page 690). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7) Default Setting: Level 7...
  • Page 690 Chapter 20: System Management Commands, SMTP Alerts. logging sendmail source-email: This command sets the email address used for the “From” field in alert messages. Use the no form to restore the default value. Syntax: logging sendmail source-email email-address; no logging sendmail source-email. email-address - The source email address used in alert messages.
  • Page 691: Time

    Chapter 20: System Management Commands, Time. The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 692 Chapter 20: System Management Commands, Time. Command Mode: Global Configuration. Command Usage: • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan....
  • Page 693 Chapter 20: System Management Commands, Time. Example: Console(config)#sntp poll 60 Console# Related Commands: sntp client (699). sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.
  • Page 694 Chapter 20: System Management Commands, Time. Command Usage: This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast). Example: Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode...
  • Page 695 Chapter 20: System Management Commands, Time. Syntax: ntp authentication-key number md5 key; no ntp authentication-key [number]. number - The NTP authentication key ID number. (Range: 1-65535) md5 - Specifies that authentication is provided by using the message digest algorithm 5. key - An MD5 authentication key string.
  • Page 696 Chapter 20: System Management Commands, Time. Command Mode: Global Configuration. Command Usage: • The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command. • The time acquired from time servers is used to record accurate dates...
  • Page 697 Chapter 20: System Management Commands, Time. • You can configure up to 50 NTP servers on the switch. Re-enter this command for each server you want to configure. • NTP authentication is optional. If enabled with the ntp authenticate command, you must also configure at least one key number using the ntp authentication-key command.
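The ntp authentication-key ... md5 ... and ntp authenticate commands above configure the symmetric-key authentication of RFC 5905: the 48-byte NTP header (plus any extension fields) is followed by a 32-bit key ID and the MD5 digest of the shared key concatenated with the packet. The code below is an added example, not the manual's or Supermicro's code; it builds an authenticated client request and verifies the MAC on a received packet against a key table like the one the switch keeps, rejecting unknown key IDs, truncated packets and any modified field. The key bytes are constructed. The MAC gives integrity and origin authentication against a sender that lacks the shared key; it does not conceal the packet, and MD5 is used here only because it is the algorithm the switch's command offers.

```python
"""Build and verify NTP packets carrying the MD5 symmetric-key MAC that
'ntp authentication-key <id> md5 <key>' and 'ntp authenticate' enable.
RFC 5905: MAC = 32-bit key ID || MD5(key || NTP header + extensions).

Added example, not Supermicro code.  Key material is constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800      # 1900-01-01 to 1970-01-01 in seconds
MAC_LEN = 4 + 16                    # key ID + MD5 digest


def ntp_timestamp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)


def build_request(unix_seconds):
    """Unauthenticated NTPv4 client request (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    hdr = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)   # stratum, poll, precision
    hdr += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    hdr += b"\x00" * 4                                # reference ID
    hdr += b"\x00" * 24                               # reference, origin, receive timestamps
    hdr += ntp_timestamp(unix_seconds)                # transmit timestamp
    assert len(hdr) == NTP_HEADER_LEN
    return hdr


def add_mac(packet, key_id, key):
    """Append key ID and MD5(key || packet); packet is header (+ extensions)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet, keys):
    """keys: {key_id: bytes}.  Return the key ID if the MAC verifies, else None."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return None                                   # too short to carry a MAC
    body, trailer = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return None                                   # unknown or untrusted key ID
    expected = hashlib.md5(key + body).digest()
    return key_id if hmac.compare_digest(expected, trailer[4:]) else None


if __name__ == "__main__":
    keys = {1: b"constructed-shared-secret"}
    pkt = add_mac(build_request(1700000000.25), 1, keys[1])
    print(len(pkt), verify_mac(pkt, keys))
```

A server reply is checked the same way with the same key table; a reply whose key ID is not configured, or whose digest does not verify, must be discarded rather than used to step the clock.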
  • Page 698 Chapter 20: System Management Commands, Time. Manual Configuration Commands. clock summer-time (date): This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time. Syntax: clock summer-time name date b-date b-month b-year b-hour b-minute e-date e-month e-year e-hour e-minute [offset]...
  • Page 699 Chapter 20: System Management Commands, Time. • This command sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone.
  • Page 700 Chapter 20: System Management Commands, Time. Table 20-15: Predefined Summer-Time Parameters (Region – Start Time, Day, Week & Month – End Time, Day, Week & Month – Rel. Offset): Australia – 00:00:00, Sunday, Week 5 of October – 23:59:59, Sunday, Week 5 of March – 60 min; Europe – 00:00:00, Sunday – 23:59:59, Sunday,...
  • Page 701 Chapter 20: System Management Commands, Time. e-day - The day of the week summer time will end. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday) e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december) e-hour - The hour when summer time will end.
  • Page 702 Chapter 20: System Management Commands, Time. hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC) minutes - Number of minutes before/after UTC. (Range: 0-59 minutes) before-utc - Sets the local time zone before (east) of UTC. after-utc - Sets the local time zone after (west) of UTC.
  • Page 703: Time Range

    Chapter 20: System Management Commands, Time Range. Command Mode: Privileged Exec. Command Usage: Note that when SNTP is enabled, the system clock cannot be manually configured. Example: This example shows how to set the system clock to 15:12:34, February 1st, 2012. Console#calendar set 15:12:34 1 February 2012 Console# This command displays the system clock.
  • Page 704 Chapter 20: System Management Commands, Time Range. time-range: This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. Syntax: [no] time-range name. name - Name of the time range. (Range: 1-16 characters) Default Setting: None...
  • Page 705 Chapter 20: System Management Commands, Time Range. Command Mode: Time Range Configuration. Command Usage: • If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
  • Page 706: Switch Clustering

    Chapter 20: System Management Commands, Switch Clustering. Command Mode: Time Range Configuration. Command Usage: • If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
  • Page 707 Chapter 20: System Management Commands, Switch Clustering. clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network. Table 20-17: Switch Cluster Commands (Command – Function – Mode): cluster – Configures clustering on the switch; cluster commander – Configures the switch as a cluster Commander; cluster ip-pool...
  • Page 708 Chapter 20: System Management Commands, Switch Clustering. cluster: This command enables clustering on the switch. Use the no form to disable clustering. Syntax: [no] cluster. Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: • To create a switch cluster, first be sure that clustering is enabled on the...
  • Page 709 Chapter 20: System Management Commands, Switch Clustering. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station. • Cluster Member switches can be managed through a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch.
  • Page 710 • There is no need to enter the username and password for access to the Member switch CLI. Example: Console#rcommand id 1 CLI session with the SSE-G2252 is opened. To end the CLI session, enter [Exit]. Vty-0#...
  • Page 711 Console#show cluster members Cluster Members: Role : Active member IP Address : 10.254.254.2 MAC Address : 00-E0-0C-00-00-FE Description : SSE-G2252 Managed GE Switch Console# This command shows the discovered Candidate switches in the network. show cluster candidates OMMAND Privileged Exec...
  • Page 712: SNMP Commands

    Chapter 21: SNMP Commands. SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 713 Chapter 21: SNMP Commands. Table 21-1: SNMP Commands (Continued) (Command – Function – Mode): Notification Log Commands: Enables the specified notification log; snmp-server notify-filter – Creates a notification log and specifies the target host (GC); show nlm oper-status – Shows operation status of configured notification logs (PE); show snmp notify-filter – Displays the configured notification logs. ATC Trap Commands...
  • Page 714 Chapter 21: SNMP Commands. Table 21-1: SNMP Commands (Continued) (Command – Function – Mode): process cpu – Sets the rising and falling threshold for the CPU utilization alarm; process cpu guard – Sets the CPU utilization watermark and threshold; show memory – Shows memory utilization parameters; show process cpu – Shows CPU utilization parameters; show process cpu guard...
  • Page 715 Chapter 21: SNMP Commands DEFAULT SETTING • public - Read-only access. Authorized management stations are only able to retrieve MIB objects. • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. COMMAND MODE Global Configuration EXAMPLE Console(config)#snmp-server community alpha rw Console(config)#...
  • Page 716 Chapter 21: SNMP Commands DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console(config)#snmp-server location WC-19 Console(config)# RELATED COMMANDS snmp-server contact (724) show snmp: This command can be used to check the status of SNMP communications. DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE This command provides information on the community access strings,...
  • Page 717 Chapter 21: SNMP Commands 0 No such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging: Disabled Console# SNMP Target Host Commands snmp-server host: This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications).
  • Page 718 Chapter 21: SNMP Commands • The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.
  • Page 719 Chapter 21: SNMP Commands port - Host UDP port to use. (Range: 1-65535; Default: 162) DEFAULT SETTING Host Address: None Notification Type: Traps SNMP Version: 1 UDP Port: 162 COMMAND MODE Global Configuration COMMAND USAGE • If you do not enter an snmp-server host command, no notifications...
  • Page 720 Chapter 21: SNMP Commands Enable the SNMP agent (page 723). Create a remote SNMPv3 user to use in the message exchange process (page 733). Create a view with the required notification messages (page 734). Create a group that includes the required notify view (page 731).
  • Page 721 Chapter 21: SNMP Commands COMMAND USAGE This command can enable MAC authentication traps on the current interface only if they are also enabled at the global level with the snmp-server enable traps mac-authentication command. EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps mac-notification Console(config)# This command shows if SNMP traps are enabled or disabled for the show snmp-server...
  • Page 722 Chapter 21: SNMP Commands remote - Specifies an SNMP engine on a remote device. ip-address - IPv4 or IPv6 address of the remote device. engineid-string - String identifying the engine ID. (Range: 9-64 hexadecimal characters) DEFAULT SETTING A unique engine ID is automatically generated by the switch based on its MAC address.
  • Page 723 Chapter 21: SNMP Commands SYNTAX snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname groupname - Name of an SNMP group. (Range: 1-32 characters) v1 | v2c | v3 - Use SNMP version 1, 2c or 3. auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
  • Page 724 Chapter 21: SNMP Commands snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. SYNTAX snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]...
  • Page 725 Chapter 21: SNMP Commands • Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent’s SNMP engine ID is used to compute authentication/privacy digests from the user’s password.
  • Page 726 Chapter 21: SNMP Commands EXAMPLES This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries.
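The page 726 view definitions, worked through as an added example (Python written for this page, not the switch's firmware): it models how included and excluded subtrees, including a wild-card position, decide which MIB objects a station bound to that view may reach. The resolution rule for overlapping subtrees (most sub-identifiers wins) follows RFC 3415 VACM; treating a wild card as 0 for tie-breaking and the ipRouteTable exclusion are my assumptions, not from the manual.

```python
"""
Added example (not the switch firmware's code): how the subtrees configured with
"snmp-server view <name> <oid-tree> {included|excluded}" decide whether a
management station may touch a given MIB object.

Assumptions (mine, not from the manual): a '*' in an OID position is a wild card
for that sub-identifier, as in the ifEntry.2 example on page 726; when several
subtrees cover an OID the one with the most sub-identifiers wins, ties going to
the lexicographically greatest subtree (RFC 3415 VACM), wild cards comparing as 0.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

SubId = Union[int, str]  # an int, or '*' for a wild card position


def parse_oid(text: str, allow_wildcard: bool = False) -> Tuple[SubId, ...]:
    """Turn '1.3.6.1.2.1.2.2.1.*.2' into a tuple of sub-identifiers."""
    parts: List[SubId] = []
    for piece in text.strip().strip(".").split("."):
        if piece == "*" and allow_wildcard:
            parts.append("*")
        elif piece.isdigit():
            parts.append(int(piece))
        else:
            raise ValueError(f"bad OID component {piece!r} in {text!r}")
    return tuple(parts)


@dataclass(frozen=True)
class Subtree:
    oid: Tuple[SubId, ...]
    included: bool

    def covers(self, oid: Tuple[int, ...]) -> bool:
        # An object lies in the subtree when it is at least as deep and every
        # non-wild-card position agrees.
        if len(oid) < len(self.oid):
            return False
        return all(s == "*" or s == o for s, o in zip(self.oid, oid))

    def rank(self) -> Tuple[int, Tuple[int, ...]]:
        # Longest subtree first, then lexicographic; wild cards compare as 0.
        return (len(self.oid), tuple(0 if s == "*" else s for s in self.oid))


@dataclass
class View:
    name: str
    subtrees: List[Subtree] = field(default_factory=list)

    def add(self, oid_tree: str, included: bool = True) -> "View":
        """Equivalent of: snmp-server view <name> <oid_tree> {included|excluded}."""
        self.subtrees.append(Subtree(parse_oid(oid_tree, allow_wildcard=True), included))
        return self

    def decide(self, object_oid: str) -> Optional[Subtree]:
        """Return the subtree governing this object, or None if nothing covers it."""
        oid = parse_oid(object_oid)
        matching = [s for s in self.subtrees if s.covers(oid)]
        return max(matching, key=Subtree.rank) if matching else None

    def permits(self, object_oid: str) -> bool:
        """True when the most specific covering subtree is an 'included' one."""
        governing = self.decide(object_oid)
        return governing is not None and governing.included


# Views built from the page 726 examples, plus one constructed exclusion that
# shows a deeper 'excluded' subtree overriding a broad 'included' one.
MIB2_VIEW = View("mib-2").add("1.3.6.1.2.1", included=True)
IFENTRY_VIEW = View("ifEntry.2").add("1.3.6.1.2.1.2.2.1.*.2", included=True)
RESTRICTED_VIEW = (
    View("restricted")
    .add("1.3.6.1.2.1", included=True)        # all of MIB-2 ...
    .add("1.3.6.1.2.1.4.21", included=False)  # ... except ipRouteTable (constructed)
)


def audit(view: View, object_oids: List[str]) -> List[Tuple[str, str]]:
    """Report which of the given objects a station bound to this view could reach."""
    return [(o, "permit" if view.permits(o) else "deny") for o in object_oids]


if __name__ == "__main__":
    probes = ["1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.4.21.1.1.10.0.0.0"]
    for oid, verdict in audit(RESTRICTED_VIEW, probes):
        print(f"{RESTRICTED_VIEW.name}: {oid} -> {verdict}")
```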
  • Page 727 Chapter 21: SNMP Commands COMMAND MODE Privileged Exec EXAMPLE Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent Row Status: active Group Name: public Security Model: v1 Read View: defaultview Write View: none Notify View: none Storage Type: volatile...
  • Page 728 Chapter 21: SNMP Commands show snmp user: This command shows information on SNMP users. COMMAND MODE Privileged Exec EXAMPLE Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
  • Page 729 Chapter 21: SNMP Commands Row Status: active Console# Table 21-5: show snmp view - display description Field Description View Name Name of an SNMP view. Subtree OID A branch in the MIB tree. View Type Indicates if the view is included or excluded. Storage Type The storage type for this entry.
  • Page 730 Chapter 21: SNMP Commands profile-name - Notification log profile name. (Range: 1-32 characters) ip-address - IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the snmp-server host command. The notification log is stored locally. It is not sent to a remote device.
  • Page 731 Chapter 21: SNMP Commands EXAMPLE This example first creates an entry for a remote host, and then instructs the switch to record this device as the remote host for the specified notification log. Console(config)#snmp-server host 10.1.19.23 batman Console(config)#snmp-server notify-filter A1 remote 10.1.19.23 Console# This command shows the operational status of configured notification logs.
  • Page 732 Chapter 21: SNMP Commands falling-threshold - Falling threshold for memory utilization alarm expressed in percentage. (Range: 1-100) DEFAULT SETTING Rising Threshold: 90% Falling Threshold: 70% COMMAND MODE Global Configuration COMMAND USAGE Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
  • Page 733 Chapter 21: SNMP Commands EXAMPLE Console(config)#process cpu rising 80 Console(config)#process cpu falling 60 Console(config)# RELATED COMMANDS show process cpu (655) process cpu guard: This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second.
  • Page 734 Chapter 21: SNMP Commands COMMAND USAGE • Once the high watermark is exceeded, utilization must drop beneath the low watermark before the alarm is terminated, and then exceed the high watermark again before another alarm is triggered. • Once the maximum threshold is exceeded, utilization must drop...
  • Page 735: Remote Monitoring Commands

    Chapter 22: Remote Monitoring Commands REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 736 Chapter 22: Remote Monitoring Commands variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.n defines the MIB variable, plus the etherStatsIndex.
  • Page 737 Chapter 22: Remote Monitoring Commands EXAMPLE Console(config)#rmon alarm 1 1 1.3.6.1.2.1.16.1.1.1.6.1 15 delta rising-threshold 100 1 falling-threshold 30 1 owner mike Console(config)# rmon event: This command creates a response event for an alarm. Use the no form to remove an event. SYNTAX rmon event index [log] | [trap community] | [description string] | [owner name]...
  • Page 738 Chapter 22: Remote Monitoring Commands rmon collection history: This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling. SYNTAX rmon collection history controlEntry index [buckets number [interval seconds]] | [interval seconds] | [owner name [buckets number [interval seconds]]] no rmon collection history controlEntry index index –...
  • Page 739 Chapter 22: Remote Monitoring Commands Console(config-if)#rmon collection history controlEntry 15 Console(config-if)#end Console#show running-config interface ethernet 1/5 rmon collection history controlEntry 15 buckets 50 interval 1800 interface ethernet 1/8 no rmon collection history controlEntry 15 EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection history controlentry 21 owner mike buckets 24 interval 60 Console(config-if)# This command enables the collection of statistics on a physical interface.
  • Page 740 Chapter 22: Remote Monitoring Commands show rmon alarms: This command shows the settings for all configured alarms. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0 Falling threshold is 446400, assigned to event 0 This command shows the settings for all configured events.
  • Page 741 Chapter 22: Remote Monitoring Commands show rmon statistics: This command shows the information collected for all configured entries in the statistics group. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon statistics Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 which has Received 164289 octets, 2372 packets, 120 broadcast and 2211 multicast packets, 0 undersized and 0 oversized packets,...
  • Page 742: Authentication Commands

    Chapter 23: Authentication Commands User Accounts and Privilege Levels AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 743 Chapter 23: Authentication Commands User Accounts and Privilege Levels Table 23-2: User Access Commands Command Function Mode privilege Assigns a privilege level to specified command groups or individual commands show privilege Shows the privilege level for the current user, or the privilege level for commands modified by the privilege command After initially logging onto the system, you should set the Privileged Exec...
  • Page 744 Chapter 23: Authentication Commands User Accounts and Privilege Levels • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server. There is no need for you to manually configure encrypted passwords.
  • Page 745 Chapter 23: Authentication Commands User Accounts and Privilege Levels settings, and to any other commands assigned to levels 7-0 using the privilege command. nopassword - No password is required for this user to log in. {0 | 7} - 0 means plain password, 7 means encrypted password. password password - The authentication password for the user.
  • Page 746 Chapter 23: Authentication Commands User Accounts and Privilege Levels level level - Specifies the privilege level for the specified command. Refer to the default settings described for the access level parameter under the username command. (Range: 0-15) command - Specifies any command contained within the specified mode.
  • Page 747 Chapter 23: Authentication Commands Authentication Sequence AUTHENTICATION SEQUENCE Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 23-4: Authentication Sequence Commands Command Function Mode...
  • Page 748 Chapter 23: Authentication Commands Authentication Sequence EXAMPLE Console(config)#authentication enable radius Console(config)# RELATED COMMANDS enable password - sets the password for changing command modes (754) authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default. SYNTAX authentication login {[local] [radius] [tacacs]} no authentication login...
  • Page 749: RADIUS Client

    Chapter 23: Authentication Commands RADIUS Client RELATED COMMANDS username - for setting the local user names and passwords (755) RADIUS CLIENT Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
  • Page 750 Chapter 23: Authentication Commands RADIUS Client radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
  • Page 751 Chapter 23: Authentication Commands RADIUS Client DEFAULT SETTING auth-port - 1812 acct-port - 1813 timeout - 5 seconds retransmit - 2 COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server 1 host 192.168.1.20 acct-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server key: This command sets the RADIUS encryption key. Use the no form to restore the default.
  • Page 752 Chapter 23: Authentication Commands RADIUS Client COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout: This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. SYNTAX radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 753: TACACS+ Client

    Chapter 23: Authentication Commands TACACS+ Client Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times Request Timeout RADIUS Server Group: Group Name Member Index ------------------------- ------------- radius Console# TACACS+ CLIENT Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
  • Page 754 Chapter 23: Authentication Commands TACACS+ Client retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-540) DEFAULT SETTING authentication port - 49...
  • Page 755 Chapter 23: Authentication Commands TACACS+ Client port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) DEFAULT SETTING COMMAND MODE Global Configuration EXAMPLE Console(config)#tacacs-server port 181 Console(config)# tacacs-server: This command sets the number of retries. Use the no form to restore the default.
  • Page 756: AAA

    Chapter 23: Authentication Commands COMMAND MODE Global Configuration EXAMPLE Console(config)#tacacs-server timeout 10 Console(config)# show tacacs-server: This command displays the current settings for the TACACS+ server. DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console#show tacacs-server Remote TACACS+ Server Configuration: Global Settings: Server Port Number : 49 Retransmit Times Timeout Server 1:...
  • Page 757 Chapter 23: Authentication Commands Table 23-7: AAA Commands (Continued) Command Function Mode aaa accounting exec Enables accounting of Exec services aaa accounting update Enables periodic updates to be sent to the accounting server aaa authorization exec Enables authorization of Exec sessions aaa group server Groups security servers into defined lists server...
  • Page 758 Chapter 23: Authentication Commands COMMAND USAGE • The accounting of Exec mode commands is only supported by TACACS+ servers. • Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
  • Page 759 Chapter 23: Authentication Commands EXAMPLE Console(config)#aaa accounting dot1x default start-stop group radius Console(config)# aaa accounting exec: This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. SYNTAX aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group} no aaa accounting exec {default | method-name} default - Specifies the default accounting method for service...
  • Page 760 Chapter 23: Authentication Commands aaa accounting update: This command enables the sending of periodic updates to the accounting server. Use the no form to restore the default setting. SYNTAX aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
  • Page 761 Chapter 23: Authentication Commands DEFAULT SETTING Authorization is not enabled No servers are specified COMMAND MODE Global Configuration COMMAND USAGE • This command performs authorization to determine if a user is allowed to run an Exec shell. • AAA authentication must be enabled before authorization is enabled. • If this command is issued without a specified named method, the...
  • Page 762 Chapter 23: Authentication Commands SYNTAX [no] server {index | ip-address} index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) ip-address - Specifies the host IP address of a server. DEFAULT SETTING None COMMAND MODE Server Group Configuration COMMAND USAGE • When specifying the index for a RADIUS server, that server index must...
  • Page 763 Chapter 23: Authentication Commands accounting commands: This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands. SYNTAX accounting commands level {default | list-name} no accounting commands level level - The privilege level for executing commands. (Range: 0-15) default - Specifies the default method list created with the accounting commands command.
  • Page 764 Chapter 23: Authentication Commands Console(config-line)#accounting exec default Console(config-line)# authorization exec: This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. SYNTAX authorization exec {default | list-name} no authorization exec default - Specifies the default method list created with the authorization exec command.
  • Page 765: Web Server

    Chapter 23: Authentication Commands Web Server interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console#show accounting Accounting Type: dot1x Method List : default Group List : radius Interface : Eth 1/1 Method List...
  • Page 766 Chapter 23: Authentication Commands Web Server SYNTAX ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1-65535) DEFAULT SETTING COMMAND MODE Global Configuration EXAMPLE Console(config)#ip http port 769 Console(config)# RELATED COMMANDS ip http server (777)
  • Page 767 Chapter 23: Authentication Commands Web Server SYNTAX ip http secure-port port_number no ip http secure-port port_number – The TCP port used for HTTPS. (Range: 1-65535) DEFAULT SETTING COMMAND MODE Global Configuration COMMAND USAGE • You cannot configure the HTTP and HTTPS servers to use the same port.
  • Page 768 Chapter 23: Authentication Commands Web Server When you start HTTPS, the connection is established in this way: • The client authenticates the server using the server’s digital certificate. • The client and server negotiate a set of security protocols to use for...
  • Page 769: Telnet Server

    Chapter 23: Authentication Commands Telnet Server TELNET SERVER This section describes commands used to configure Telnet management access to the switch. Table 23-10: Telnet Server Commands Command Function Mode ip telnet max-sessions Specifies the maximum number of Telnet sessions that can simultaneously connect to this system ip telnet port Specifies the port to be used by the Telnet interface...
  • Page 770 Chapter 23: Authentication Commands Telnet Server ip telnet port: This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. SYNTAX ip telnet port port-number no ip telnet port port-number - The TCP port number to be used by the browser interface.
  • Page 771: Secure Shell

    Chapter 23: Authentication Commands Secure Shell Telnet Service Port: 23 Telnet Max Session: 8 Console# SECURE SHELL This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
  • Page 772 Chapter 23: Authentication Commands Secure Shell use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server. To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
  • Page 773 Chapter 23: Authentication Commands Secure Shell If a match is found, the connection is allowed. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.
  • Page 774 Chapter 23: Authentication Commands Secure Shell The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.
  • Page 775 Chapter 23: Authentication Commands Secure Shell • The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 776 Chapter 23: Authentication Commands Secure Shell no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) DEFAULT SETTING 10 seconds COMMAND MODE Global Configuration COMMAND USAGE The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
  • Page 777 Chapter 23: Authentication Commands Secure Shell SYNTAX ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa – RSA (Version 1) key type. DEFAULT SETTING Generates both the DSA and RSA key pairs. COMMAND MODE Privileged Exec COMMAND USAGE...
  • Page 778 Chapter 23: Authentication Commands Secure Shell COMMAND USAGE • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this...
  • Page 779 Chapter 23: Authentication Commands Secure Shell Server Key Size : 768 bits Console# show public-key: This command shows the public key for the specified user or for the host. SYNTAX show public-key [user [username] | host] username – Name of an SSH user. (Range: 1-8 characters) DEFAULT SETTING Shows all public keys.
  • Page 780 Chapter 23: Authentication Commands Secure Shell COMMAND MODE Privileged Exec EXAMPLE Console#show ssh Connection Version State Username Encryption Session-Started ADMIN ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console# Table 23-12: show ssh - display description Field Description Connection The session number. (Range: 0-3) Version The Secure Shell version number.
  • Page 781: Port Authentication

    Chapter 23: Authentication Commands 802.1X Port Authentication 802.1X PORT AUTHENTICATION The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 782 Chapter 23: Authentication Commands 802.1X Port Authentication Table 23-13: 802.1X Port Authentication Commands (Continued) Command Function Mode Display Information Commands show dot1x Shows all dot1x related information General Commands dot1x default: This command sets all configurable dot1x authenticator global and port settings to their default values.
  • Page 783 Chapter 23: Authentication Commands 802.1X Port Authentication SYNTAX [no] dot1x eapol-pass-through DEFAULT SETTING Discards all EAPOL frames when dot1x is globally disabled COMMAND MODE Global Configuration COMMAND USAGE • When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, the dot1x eapol pass-through command can be used to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the...
  • Page 784 Chapter 23: Authentication Commands 802.1X Port Authentication Authenticator Commands dot1x intrusion-action: This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
  • Page 785 Chapter 23: Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x max-reauth-req 2 Console(config-if)# dot1x max-req: This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 786 Chapter 23: Authentication Commands 802.1X Port Authentication DEFAULT Single-host COMMAND MODE Interface Configuration COMMAND USAGE • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command. • In “multi-host” mode, only one host connected to a port needs to pass...
  • Page 787 Chapter 23: Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x re-authentication: This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication. SYNTAX [no] dot1x re-authentication COMMAND MODE Interface Configuration COMMAND USAGE The re-authentication process verifies the connected client’s user ID...
  • Page 788 Chapter 23: Authentication Commands 802.1X Port Authentication COMMAND MODE Interface Configuration EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod: This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. SYNTAX dot1x timeout re-authperiod seconds...
  • Page 789 Chapter 23: Authentication Commands 802.1X Port Authentication switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information. It may also send other EAP-request frames to the client during an active connection as required for reauthentication.
  • Page 790 Chapter 23: Authentication Commands 802.1X Port Authentication COMMAND USAGE The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
  • Page 791 Chapter 23: Authentication Commands 802.1X Port Authentication SYNTAX dot1x max-start count no dot1x max-start count - Specifies the maximum number of EAP start frames. (Range: 1-65535) DEFAULT COMMAND MODE Interface Configuration EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# dot1x pae supplicant: This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
  • Page 792 Chapter 23: Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface ethernet 1/2 Console(config-if)#dot1x pae supplicant Console(config-if)# dot1x timeout auth-period: This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. SYNTAX dot1x timeout auth-period seconds...
  • Page 793 Chapter 23: Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout held-period 120 Console(config-if)# dot1x timeout start-period: This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
  • Page 794 Chapter 23: Authentication Commands 802.1X Port Authentication • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 794). • Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 793).
  • Page 795 Chapter 23: Authentication Commands 802.1X Port Authentication • Intrusion Action – Shows the port response to intrusion when authentication fails (page 795). • Supplicant – MAC address of authorized client. • Authenticator PAE State Machine • State – Current state (including initialize, disconnected, connecting,...
  • Page 796: Management IP Filter

    Chapter 23: Authentication Commands Management IP Filter 802.1X Supplicant is disabled on port 1/1 802.1X Authenticator is enabled on port 50 Reauthentication : Enabled Reauth Period : 3600 Quiet Period : 60 TX Period : 30 Supplicant Timeout : 30 Server Timeout : 10 Reauth Max Retries...
  • Page 797 Chapter 23: Authentication Commands Management IP Filter SYNTAX [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address] all-client - Adds IP address(es) to all groups. http-client - Adds IP address(es) to the web group. snmp-client - Adds IP address(es) to the SNMP group. telnet-client - Adds IP address(es) to the Telnet group.
  • Page 798 Chapter 23: Authentication Commands Management IP Filter show management: This command displays the client IP addresses that are allowed management access to the switch through various protocols. SYNTAX show management {all-client | http-client | snmp-client | telnet-client} all-client - Displays IP addresses for all groups. http-client - Displays IP addresses for the web group.
  • Page 799: PPPoE Intermediate Agent

    Chapter 23: Authentication Commands PPPoE Intermediate Agent PPPOE INTERMEDIATE AGENT This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers. Table 23-15: PPPoE Intermediate Agent Commands Command Function Mode...
  • Page 800 Chapter 23: Authentication Commands PPPoE Intermediate Agent designated by the pppoe intermediate-agent trust command. The BRAS detects the presence of the subscriber’s circuit-ID tag inserted by the switch during the PPPoE discovery phase, and sends this tag as a NAS- port-ID attribute in PPPoE authentication and AAA accounting requests to a RADIUS server.
  • Page 801 Chapter 23: Authentication Commands PPPoE Intermediate Agent XAMPLE Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong Console(config)# This command enables the PPPoE IA on an interface. Use the no form to pppoe disable this feature. intermediate-agent port-enable YNTAX [no] pppoe intermediate-agent port-enable EFAULT ETTING Disabled OMMAND...
  • Page 802 Chapter 23: Authentication Commands PPPoE Intermediate Agent OMMAND SAGE The PPPoE server extracts the Line-ID tag from PPPoE discovery stage • messages, and uses the Circuit-ID field of that tag as a NAS-Port-ID attribute in AAA access and accounting requests. The switch intercepts PPPoE discovery frames from the client and •...
  • Page 803 Chapter 23: Authentication Commands PPPoE Intermediate Agent XAMPLE Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent trust Console(config-if)# This command enables the stripping of vendor tags from PPPoE Discovery pppoe packets sent from a PPPoE server. Use the no form to disable this feature. intermediate-agent vendor-tag strip YNTAX...
  • Page 804 Consoleshow pppoe intermediate-agent info interface ethernet 1/1 Interface PPPoE IA Trusted Vendor-Tag Strip Admin Circuit-ID Admin Remote-ID Oper Circuit-ID Oper Remote-ID --------- -------- ------- ---------------- ------------ ---------------- Eth 1/2 SSE-G2252 SSE-G2252 SSE-G2252 SSE-G2252 Console# This command displays statistics for the PPPoE Intermediate Agent. show pppoe...
  • Page 805 Chapter 23: Authentication Commands PPPoE Intermediate Agent interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-16) OMMAND Privileged Exec XAMPLE Console#show pppoe intermediate-agent statistics interface ethernet 1/1 Eth 1/1 statistics ---------------------------------------------------------------------------- Received : PADI...
  • Page 806: General Security Measures

    Chapter 24: General Security Measures GENERAL SECURITY MEASURES This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes.
  • Page 807: Port Security

    Chapter 24: General Security Measures Port Security PORT SECURITY These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 808 snooping is enabled and mac-learning is disabled, then only incoming traffic with source addresses stored in the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
  • Page 809 COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE • The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 810 EXAMPLE The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap RELATED COMMANDS show interfaces status (936) shutdown (928) mac-address-table static (1014) Use this command to save the MAC addresses that port security has...
  • Page 811 EXAMPLE This example shows the port security settings and number of secure addresses for all ports. Console#show port security Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Port Summary Port Port Security Port Status Intrusion Action...
  • Page 812 Current MAC Count MAC Filter : Disabled Last Intrusion MAC : NA Last Time Detected Intrusion MAC : NA Console# This example shows information about a detected intrusion. Console#show port security interface ethernet 1/2 Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Details...
  • Page 813: Network Access (MAC Address Authentication)

    Chapter 24: General Security Measures Network Access (MAC Address Authentication) NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 814 network-access aging: Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. SYNTAX [no] network-access aging DEFAULT...
  • Page 815 COMMAND USAGE • Specified addresses are exempt from network access authentication. • This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 816 network-access dynamic-qos: Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. SYNTAX [no] network-access dynamic-qos DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND...
  • Page 817 Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# network-access dynamic-vlan: Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. SYNTAX [no] network-access dynamic-vlan DEFAULT SETTING...
  • Page 818 SYNTAX network-access guest-vlan vlan-id no network-access guest-vlan vlan-id - VLAN ID (Range: 1-4094) DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE • The VLAN to be used as the guest VLAN must be defined and set as active (see the vlan database command).
  • Page 819 SYNTAX network-access link-detection link-down action [shutdown | trap | trap-and-shutdown] no network-access link-detection action - Response to take when port security is violated. shutdown - Disable port only. trap - Issue SNMP trap message only. trap-and-shutdown - Issue SNMP trap message and disable the port.
  • Page 820 EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up action trap Console(config-if)# network-access link-detection: Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 821 COMMAND MODE Interface Configuration COMMAND USAGE The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 822 • When port status changes to down, all MAC addresses are cleared from the secure MAC address table. • Static VLAN assignments are not restored. • The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 823 no mac-authentication intrusion-action DEFAULT SETTING Block Traffic COMMAND MODE Interface Configuration EXAMPLE Console(config-if)#mac-authentication intrusion-action block-traffic Console(config-if)# mac-authentication ...: Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication.
  • Page 824 interface - Specifies a port interface. ethernet unit/port unit - Unit number. (Range: 1) port - Port number. (Range: 1-52) DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console#clear network-access mac-address-table interface ethernet 1/1 Console# Use this command to display the MAC authentication settings for port show...
  • Page 825 Detection Action : Trap Console# show network-access mac-address-table: Use this command to display secure MAC address table entries. SYNTAX show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}] static - Specifies static address entries.
  • Page 826: Web Authentication

    Chapter 24: General Security Measures Web Authentication show network-access mac-filter: Use this command to display information for entries in the MAC filter tables. SYNTAX show network-access mac-filter [filter-id] filter-id - Specifies a MAC address filter table. (Range: 1-64) DEFAULT SETTING Displays all filters.
  • Page 827 Table 24-6: Web Authentication (Continued) (Command, Function, Mode): web-auth system-auth-control – Enables web authentication globally for the switch; web-auth – Enables web authentication for an interface; web-auth re-authenticate (Port) – Ends all web authentication sessions on the port and forces the users to re-authenticate; web-auth re-authenticate (IP) –
  • Page 828 DEFAULT SETTING 60 seconds COMMAND MODE Global Configuration EXAMPLE Console(config)#web-auth quiet-period 120 Console(config)# web-auth session-timeout: This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place.
  • Page 829 COMMAND USAGE Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active. EXAMPLE Console(config)#web-auth system-auth-control Console(config)# web-auth: This command enables web authentication for an interface. Use the no form to restore the default.
  • Page 830 EXAMPLE Console#web-auth re-authenticate interface ethernet 1/2 Console# web-auth re-authenticate (IP): This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate. SYNTAX web-auth re-authenticate interface interface ip interface - Specifies a port interface.
  • Page 831 SYNTAX show web-auth interface interface interface - Specifies a port interface. ethernet unit/port unit - This is unit 1. port - Port number. (Range: 1-52) COMMAND MODE Privileged Exec EXAMPLE Console#show web-auth interface ethernet 1/2 Web Auth Status : Enabled Host Summary...
  • Page 832: DHCPv4 Snooping

    Chapter 24: General Security Measures DHCPv4 Snooping DHCPV4 SNOOPING DHCPv4 snooping allows a switch to protect a network from rogue DHCPv4 servers or other devices which send port-related information to a DHCPv4 server. This information can be useful in tracking an IP address back to a physical port.
  • Page 833 COMMAND USAGE • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
  • Page 834 • If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. • If a DHCP packet from a server is received on a trusted port, it will ...
  • Page 835 ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface). encode - Indicates encoding in ASCII or hexadecimal. string - An arbitrary string inserted into the remote identifier field.
  • Page 836 Console(config)#ip dhcp snooping information option Console(config)# ip dhcp snooping information policy: This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Use the no form to restore the default setting.
  • Page 837 DEFAULT SETTING Disabled COMMAND MODES Global Configuration EXAMPLE This example sets the DHCP snooping rate limit to 100 packets per second. Console(config)#ip dhcp snooping limit rate 100 Console(config)# ip dhcp snooping ...: This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header.
  • Page 838 vlan-id - ID of a configured VLAN (Range: 1-4094) DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE • When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust...
  • Page 839 COMMAND USAGE • DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. DHCP Option 82 allows compatible DHCP servers to use the information when assigning IP addresses, to set other services or policies for clients.
  • Page 840 ip dhcp snooping trust: This command configures the specified interface as trusted. Use the no form to restore the default setting. SYNTAX [no] ip dhcp snooping trust DEFAULT SETTING All interfaces are untrusted COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND...
  • Page 841 SYNTAX clear ip dhcp snooping binding [mac-address vlan vlan-id] mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx) vlan-id - ID of a configured VLAN (Range: 1-4094) COMMAND MODE Privileged Exec EXAMPLE Console#clear ip dhcp snooping binding 11-22-33-44-55-66 vlan 1 Console# This command removes all dynamically learned snooping entries from flash clear ip dhcp...
  • Page 842 COMMAND MODE Privileged Exec EXAMPLE Console#show ip dhcp snooping Global DHCP Snooping Status: disabled DHCP Snooping Information Option Status: disabled DHCP Snooping Information Option Sub-option Format: extra subtype included DHCP Snooping Information Option Remote ID: MAC Address (hex encoded) DHCP Snooping Information Policy: replace DHCP Snooping is configured on the following VLANs: Verify Source MAC-Address: enabled...
  • Page 843: DHCPv6 Snooping

    Chapter 24: General Security Measures DHCPv6 Snooping DHCPV6 SNOOPING DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port.
  • Page 844 specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping table will be dropped. • When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping. Table entries are only learned for trusted interfaces.
  • Page 845 • If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner: Check if IPv6 address in IA option is found in binding table: • If yes, continue to C.
  • Page 846 ipv6 dhcp snooping option remote-id: This command enables the insertion of remote-id option 37 information into DHCPv6 client messages. Remote-id option information such as the port attached to the client, DUID, and VLAN ID is used by the DHCPv6 server to assign preassigned configuration data specific to the DHCPv6 client.
  • Page 847 • When this switch inserts Option 37 information in DHCPv6 client request packets, the switch’s MAC address (hexadecimal) is used for the remote ID. EXAMPLE This example enables the DHCPv6 Snooping Remote-ID Option. Console(config)#ipv6 dhcp snooping option remote-id Console(config)# This command sets the remote-id option policy for DHCPv6 client packets...
  • Page 848 ipv6 dhcp snooping vlan: This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting. SYNTAX [no] ipv6 dhcp snooping vlan {vlan-id | vlan-range} vlan-id - ID of a configured VLAN (Range: 1-4094) vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
  • Page 849 count - Maximum number of entries. (Range: 1-5) DEFAULT SETTING COMMAND MODE Interface Configuration (Ethernet, Port Channel) EXAMPLE This example sets the maximum number of binding entries to 1. Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 dhcp snooping max-binding 1 Console(config-if)# This command configures the specified interface as trusted.
  • Page 850 EXAMPLE This example sets port 5 to untrusted. Console(config)#interface ethernet 1/5 Console(config-if)#no ipv6 dhcp snooping trust Console(config-if)# RELATED COMMANDS ipv6 dhcp snooping (854) ipv6 dhcp snooping vlan (859) clear ipv6 dhcp snooping binding: This command clears DHCPv6 snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from ...
  • Page 851 COMMAND MODE Privileged Exec EXAMPLE Console#show ipv6 dhcp snooping Global DHCPv6 Snooping status: disabled DHCPv6 Snooping remote-id option status: disabled DHCPv6 Snooping remote-id policy: drop DHCPv6 Snooping is configured on the following VLANs: Interface Trusted Max-binding Current-binding...
  • Page 852: IPv4 Source Guard

    Chapter 24: General Security Measures IPv4 Source Guard Server Packet: Advertise, Reply, Reconfigure Relay Packet: Relay-forward, Relay-reply State Client Server Relay Total -------- -------- -------- -------- -------- Received Sent Droped Console# IP SOURCE GUARD IP Source Guard is a security feature that filters IPv4 traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCPv4 Snooping table when enabled (see “DHCPv4 Snooping”...
  • Page 853 mode - Specifies the binding mode. acl - Adds binding to ACL table. mac - Adds binding to MAC address table. mac-address - A valid unicast MAC address. vlan-id - ID of a configured VLAN (Range: 1-4094) ip-address - A valid unicast IP address, including classful types A, B or C.
  • Page 854 Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 Console(config-if)# RELATED COMMANDS ip source-guard (865) ip dhcp snooping (843) ip dhcp snooping vlan (848) ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address.
  • Page 855 • Static addresses entered in the source guard binding table with the source-guard binding command are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself. • If the IP source guard is enabled, an inbound packet’s IP address (sip ...
  • Page 856 mode - Specifies the learning mode. acl - Searches for addresses in the ACL table. mac - Searches for addresses in the MAC address table. number - The maximum number of IP addresses that can be mapped to an interface in the binding table.
  • Page 857 EXAMPLE This example sets the binding table mode for the specified interface to MAC mode: Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard mode mac Console(config-if)# clear ip source-guard binding blocked: This command removes all blocked records. SYNTAX clear ip source-guard binding blocked...
  • Page 858 show ip source-guard binding: This command shows the source guard binding table. SYNTAX show ip source-guard binding [dhcp-snooping | static [acl | mac] | blocked [vlan vlan-id | interface interface]] dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 843)
  • Page 859 Chapter 24: General Security Measures IPv6 Source Guard IPV6 SOURCE GUARD IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping”...
  • Page 860 COMMAND MODE Global Configuration COMMAND USAGE • Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier. • Traffic filtering is based only on the source IPv6 address, VLAN ID, and ...
  • Page 861: IPv6 Source Guard

    ipv6 source-guard: This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function. SYNTAX ipv6 source-guard sip no ipv6 source-guard DEFAULT SETTING...
  • Page 862 entry type is static IPv6 source guard binding, the packet will be forwarded. • If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, dynamic ND snooping binding, or dynamic DHCPv6 snooping binding, the packet will be forwarded.
  • Page 863 entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command. • IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
  • Page 864: ARP Inspection

    Chapter 24: General Security Measures ARP Inspection show ipv6 source-guard binding: This command shows the IPv6 source guard binding table. SYNTAX show ipv6 source-guard binding [dynamic | static] dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 854) static - Shows static entries configured with the...
  • Page 865 This section describes commands used to configure ARP Inspection. Table 24-12: ARP Inspection Commands (Command, Function, Mode): ip arp inspection – Enables ARP Inspection globally on the switch; ip arp inspection filter – Specifies an ARP ACL to apply to one or more VLANs (GC); ip arp inspection log-buffer logs – Sets the maximum number of entries saved in a log ...
  • Page 866 • When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled. • When ARP Inspection is disabled, all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets.
  • Page 867 any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked. • If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database.
  • Page 868 before a message is sent, the oldest entry will be replaced with the newest one. • The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer.
  • Page 869 EXAMPLE Console(config)#ip arp inspection validate dst-mac Console(config)# ip arp inspection vlan: This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. SYNTAX [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID.
  • Page 870 ip arp inspection limit: This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. SYNTAX ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
  • Page 871 EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection. COMMAND MODE Privileged Exec EXAMPLE Console#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval...
  • Page 872 show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components. COMMAND MODE Privileged Exec EXAMPLE Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 873: Denial of Service Protection

    Chapter 24: General Security Measures Denial of Service Protection EXAMPLE Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# DENIAL OF SERVICE PROTECTION A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
  • Page 874 rate – Maximum allowed rate. (Range: 64-2000 kbits/second) DEFAULT SETTING Disabled, 1000 kbits/second COMMAND MODE Global Configuration EXAMPLE Console(config)#dos-protection echo-chargen 65 Console(config)# dos-protection smurf: This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the ...
  • Page 875 DEFAULT SETTING Disabled, 1000 kbits/second COMMAND MODE Global Configuration EXAMPLE Console(config)#dos-protection tcp-flooding 65 Console(config)# dos-protection tcp-null-scan: This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.
  • Page 876 EXAMPLE Console(config)#dos-protection syn-fin-scan Console(config)# dos-protection tcp-udp-port-zero: This command protects against DoS attacks in which the UDP or TCP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device.
  • Page 877 EXAMPLE Console(config)#dos-protection tcp-xmas-scan Console(config)# dos-protection udp-flooding: This command protects against DoS UDP-flooding attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. The target will determine whether an application is listening at each port and, if not, reply with an ICMP Destination Unreachable packet.
  • Page 878: Port-Based Traffic Segmentation

    Chapter 24: General Security Measures Port-based Traffic Segmentation OMMAND Global Configuration XAMPLE Console(config)#dos-protection win-nuke 65 Console(config)# This command shows the configuration settings for the DoS protection show commands. dos-protection OMMAND Privileged Exec XAMPLE Console#show dos-protection Global DoS Protection: Echo/Chargen Attack : Disabled, 1000 kilobits per second Smurf Attack : Enabled...
  • Page 879 Chapter 24: General Security Measures, Port-based Traffic Segmentation. Table 24-14: Commands for Configuring Traffic Segmentation (Command / Function): traffic-segmentation uplink-to-uplink - Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions; show traffic-segmentation - Displays the configured traffic segments. traffic-segmentation: This command enables traffic segmentation.
  • Page 880 Chapter 24: General Security Measures, Port-based Traffic Segmentation. • When traffic segmentation is disabled, all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol. • Enter the traffic-segmentation command without any parameters to enable traffic segmentation.
  • Page 881 Chapter 24: General Security Measures, Port-based Traffic Segmentation. SYNTAX: [no] traffic-segmentation [session session-id] {uplink interface-list [downlink interface-list] | downlink interface-list} session-id – Traffic segmentation session. (Range: 1-4) uplink – Specifies an uplink interface. downlink – Specifies a downlink interface. interface ethernet unit/port unit - Unit identifier.
  • Page 882 Chapter 24: General Security Measures, Port-based Traffic Segmentation. traffic-segmentation uplink-to-uplink: This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default. SYNTAX: [no] traffic-segmentation uplink-to-uplink {blocking | forwarding} blocking –...
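The forwarding decision these commands configure, as an added Python model that is not code from the Supermicro manual or the switch firmware. The manual states two rules: uplink-to-uplink decides whether uplinks in different sessions may exchange traffic, and disabling segmentation returns every port to normal forwarding. The other rules in the model (downlink ports never forward to each other, a downlink forwards only to uplinks of its own session, ports assigned to no session are left alone) are assumptions drawn from the manual's description of traffic segmentation as client isolation, and the port names and session layout are constructed for the example:

```python
"""Added example: a model of the port-based traffic segmentation forwarding decision.
Not Supermicro code. Rules marked ASSUMPTION are not spelled out on this page."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class Session:
    """One client session: its uplink ports and its downlink ports."""
    uplinks: Set[str]
    downlinks: Set[str]


@dataclass
class Segmentation:
    enabled: bool = True
    uplink_to_uplink: str = "blocking"          # "blocking" | "forwarding"
    sessions: Dict[int, Session] = field(default_factory=dict)

    def role(self, port: str) -> Optional[Tuple[int, str]]:
        """Return (session-id, 'uplink' or 'downlink'), or None if the port is in no session."""
        for sid, s in self.sessions.items():
            if port in s.uplinks:
                return sid, "uplink"
            if port in s.downlinks:
                return sid, "downlink"
        return None

    def can_forward(self, ingress: str, egress: str) -> bool:
        """Decide whether a frame entering on `ingress` may leave on `egress`."""
        if not self.enabled:
            return True       # manual: normal forwarding, VLANs and spanning tree decide
        src, dst = self.role(ingress), self.role(egress)
        if src is None or dst is None:
            return True       # ASSUMPTION: ports outside every session are not segmented
        (s_id, s_role), (d_id, d_role) = src, dst
        if s_role == "downlink" and d_role == "downlink":
            return False      # ASSUMPTION: client (downlink) ports are isolated from each other
        if s_role == "uplink" and d_role == "uplink":
            # manual: cross-session uplink traffic is governed by uplink-to-uplink
            return s_id == d_id or self.uplink_to_uplink == "forwarding"
        return s_id == d_id   # ASSUMPTION: downlink <-> uplink only within one session

    def matrix(self, ports: Iterable[str]) -> Dict[str, Dict[str, bool]]:
        """Full ingress -> egress forwarding matrix, for checking a design before applying it."""
        ports = list(ports)
        return {i: {e: self.can_forward(i, e) for e in ports if e != i} for i in ports}


# Constructed layout, equivalent to:
#   traffic-segmentation session 1 uplink ethernet 1/1 downlink ethernet 1/2-3
#   traffic-segmentation session 2 uplink ethernet 1/10 downlink ethernet 1/11
def example_config() -> Segmentation:
    return Segmentation(sessions={
        1: Session(uplinks={"1/1"}, downlinks={"1/2", "1/3"}),
        2: Session(uplinks={"1/10"}, downlinks={"1/11"}),
    })
```

Switching uplink-to-uplink to forwarding opens a path between the two sessions' uplinks only; the downlink ports of one session still cannot reach anything in the other, which is the property a hosting or campus deployment relies on.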
  • Page 883 Chapter 24: General Security Measures, Port-based Traffic Segmentation.
  • Page 884: Access Control Lists

    Chapter 25: Access Control Lists, IPv4 ACLs. ACCESS CONTROL LISTS: Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class or next header type), or any frames (based on MAC address or Ethernet type).
  • Page 885 Chapter 25: Access Control Lists, IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX: [no] access-list ip {standard | extended} acl-name standard –...
  • Page 886 Chapter 25: Access Control Lists, IPv4 ACLs. in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range. (Range: 1-16 characters) counter – Enables the counter for ACL statistics. DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: If an ACL is already bound to a port and you bind a different ACL to it, the...
  • Page 887 Chapter 25: Access Control Lists, IPv4 ACLs. COMMAND USAGE: • New rules are appended to the end of the list. • Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 888 Chapter 25: Access Control Lists, IPv4 ACLs. no {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] [control-flag control-flags flag-bitmask] protocol-number – A specific protocol number. (Range: 0-255) source –...
  • Page 889 Chapter 25: Access Control Lists, IPv4 ACLs. • The control-code bitmask is a decimal number (representing an equivalent bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0”...
  • Page 890 Chapter 25: Access Control Lists, IPv4 ACLs. Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port Console(config-ext-acl)# This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-ext-acl)# RELATED COMMANDS...
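The bitmask semantics described on these pages (address bitmask with 1 bits meaning "match", control-flag value plus flag-bitmask, rules appended in order), carried through as an added Python example that is not part of the manual or the switch firmware. It evaluates packets against an ACL the way the manual describes, including the implicit deny at the end of the list, and shows why "control-flag 2 2" also admits SYN-ACK segments; the Rule and Packet types, the NEW_CONNECTIONS_ONLY rule and the sample packets are constructed for the example:

```python
"""Added example: IPv4 extended ACL evaluation with the manual's bitmask semantics.
Not Supermicro code; Rule/Packet are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# TCP control-code bit values (the CLI takes them as a decimal number)
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP, UDP = 6, 17


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[int] = None     # None: any IP protocol (the manual's 'ip' form)
    src: str = "0.0.0.0"            # 'any' == 0.0.0.0 with an all-zero bitmask
    src_mask: str = "0.0.0.0"       # manual: 1 bits mean "match this bit", 0 bits are ignored
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: Optional[int] = None     # destination-port dport [port-bitmask]
    dport_mask: int = 0xFFFF
    flags: int = 0                  # control-flag control-flags flag-bitmask
    flags_mask: int = 0             # 0: do not look at the control code at all


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0
    flags: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field is compared only where the corresponding bitmask bit is 1."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    src_mask, dst_mask = _ip(rule.src_mask), _ip(rule.dst_mask)
    if (_ip(pkt.src) & src_mask) != (_ip(rule.src) & src_mask):
        return False
    if (_ip(pkt.dst) & dst_mask) != (_ip(rule.dst) & dst_mask):
        return False
    if rule.dport is not None and (pkt.dport & rule.dport_mask) != (rule.dport & rule.dport_mask):
        return False
    if rule.flags_mask and (pkt.flags & rule.flags_mask) != (rule.flags & rule.flags_mask):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Rules are appended in order and the first match wins; no match means deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"                   # implicit deny at the end of every ACL


# permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2   (the manual's example)
SYN_FROM_LAN = Rule("permit", proto=TCP, src="192.168.1.0", src_mask="255.255.255.0",
                    flags=SYN, flags_mask=SYN)

# control-flag 2 18: SYN set AND ACK clear, i.e. connection attempts only (constructed)
NEW_CONNECTIONS_ONLY = Rule("permit", proto=TCP, src="192.168.1.0", src_mask="255.255.255.0",
                            flags=SYN, flags_mask=SYN | ACK)
```

With the manual's bitmask of 2 only the SYN bit is inspected, so a SYN-ACK (flags 18) from 192.168.1.0/24 is permitted as well; a bitmask of 18 with value 2 additionally requires ACK to be clear. Because the first matching rule wins and new rules are appended, a deny that should override a broad permit has to be entered before it.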
  • Page 891 Chapter 25: Access Control Lists, IPv4 ACLs. RELATED COMMANDS: show ip access-list (902), Time Range (711). show ip access-group: This command shows the ports assigned to IP ACLs. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show ip access-group Interface ethernet 1/2 IP access-list david in Global IP access-list david in Console#...
  • Page 892 Chapter 25: Access Control Lists, IPv6 ACLs. IPV6 ACLS: The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 893 Chapter 25: Access Control Lists, IPv6 ACLs. • An ACL can contain up to 64 rules. EXAMPLE: Console(config)#access-list ipv6 standard david Console(config-std-ipv6-acl)# RELATED COMMANDS: permit, deny (Standard IPv6 ACL) (905); permit, deny (Extended IPv6 ACL) (906); ipv6 access-group (Interface Configuration) (907); show ipv6 access-list (909). This command binds an IPv6 ACL to all ports for ingress traffic.
  • Page 894 Chapter 25: Access Control Lists, IPv6 ACLs. permit, deny (Standard IPv6 ACL): This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX: {permit | deny} {any | host source-ipv6-address |...
  • Page 895 Chapter 25: Access Control Lists, IPv6 ACLs. permit, deny (Extended IPv6 ACL): This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, or next header type. Use the no form to remove a rule. SYNTAX: {permit | deny} {any | host source-ipv6-address |...
  • Page 896 Chapter 25: Access Control Lists, IPv6 ACLs. ...a packet. There are a small number of such extension headers, each identified by a distinct Next Header value. IPv6 supports the values defined for the IPv4 Protocol field in RFC 1700, including these commonly used headers: Hop-by-Hop Options (RFC 2460); TCP Upper-layer Header (RFC 1700)
  • Page 897 Chapter 25: Access Control Lists, IPv6 ACLs. SYNTAX: ipv6 access-group acl-name in [time-range time-range-name] [counter] no ipv6 access-group acl-name in acl-name – Name of the ACL. (Maximum length: 32 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range.
  • Page 898: Mac Acls

    Chapter 25: Access Control Lists, MAC ACLs. RELATED COMMANDS: ipv6 access-group (Interface Configuration) (907). show ipv6 access-list: This command displays the rules for configured IPv6 ACLs. SYNTAX: show ipv6 access-list {standard | extended} [acl-name] standard – Specifies a standard IPv6 ACL. extended –...
  • Page 899 Chapter 25: Access Control Lists, MAC ACLs. Table 25-5: MAC ACL Commands (Command / Function): show mac access-group - Shows port assignments for MAC ACLs; show mac access-list - Displays the rules for configured MAC ACLs. access-list mac: This command enters MAC ACL configuration mode. Rules can be added to filter packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 900 Chapter 25: Access Control Lists, MAC ACLs. SYNTAX: mac access-group acl-name in [time-range time-range-name] [counter] no mac access-group acl-name in acl-name – Name of the ACL. (Maximum length: 32 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range.
  • Page 901 Chapter 25: Access Control Lists MAC ACLs no {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [cos cos cos-bitmask] [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]] {{ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask} {ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}}...
  • Page 902 Chapter 25: Access Control Lists MAC ACLs no {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype ethertype [ethertype-bitmask]] {{ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask} {ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}} [protocol protocol]...
  • Page 903 Chapter 25: Access Control Lists MAC ACLs vid – VLAN ID. (Range: 1-4094) vid-bitmask – VLAN bitmask. (Range: 1-4095) ethertype – A specific Ethernet protocol number. (Range: 0-ffff hex) ethertype-bitmask – Protocol bitmask. (Range: 0-ffff hex) protocol - IP protocol or IPv6 next header. (Range: 0-255) For information on next headers, see permit, deny (Extended IPv6 ACL).
  • Page 904 Chapter 25: Access Control Lists, MAC ACLs. mac access-group (Interface Configuration): This command binds a MAC ACL to a port. Use the no form to remove the port. SYNTAX: mac access-group acl-name in [time-range time-range-name] [counter] acl-name – Name of the ACL. (Maximum length: 32 characters) in –...
  • Page 905: Arp Acls

    Chapter 25: Access Control Lists, ARP ACLs. RELATED COMMANDS: mac access-group (Interface Configuration) (915). show mac access-list: This command displays the rules for configured MAC ACLs. SYNTAX: show mac access-list [acl-name] acl-name – Name of the ACL. (Maximum length: 32 characters) COMMAND MODE: Privileged Exec. EXAMPLE:...
  • Page 906 Chapter 25: Access Control Lists, ARP ACLs. DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 907 Chapter 25: Access Control Lists, ARP ACLs. ip-address-bitmask – IPv4 number representing the address bits to match. source-mac – Source MAC address. destination-mac – Destination MAC address range with bitmask. mac-address-bitmask – Bitmask for MAC address (in hexadecimal format). log - Logs a packet when it matches the access control entry. DEFAULT SETTING: None...
  • Page 908: Acl Information

    Chapter 25: Access Control Lists, ACL Information. ACL INFORMATION: This section describes commands used to display ACL information. Table 25-7: ACL Information Commands (Command / Function): clear access-list hardware counters - Clears the hit counter for rules in all ACLs, or in a specified ACL.
  • Page 909 Chapter 25: Access Control Lists, ACL Information. IP access-list david MAC access-list jerry Console# show access-list: This command shows all ACLs and associated rules. SYNTAX: show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]] arp –...
  • Page 910 Chapter 26: Interface Commands. INTERFACE COMMANDS: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 26-1: Interface Commands (Command / Function / Mode): interface - Configures an interface type and enters interface configuration mode (Interface Configuration)...
  • Page 911: Interface Commands

    Chapter 26: Interface Commands. Table 26-1: Interface Commands (Continued) (Command / Function): transceiver-threshold rx-power - Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message; transceiver-threshold temperature - Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message; transceiver-threshold...
  • Page 912 Chapter 26: Interface Commands. EXAMPLE: To specify several different ports, enter the following command: Console(config)#interface ethernet 1/17-20,23 Console(config-if)#shutdown alias: This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX: alias string no alias string - A mnemonic name to help you remember what is attached to this interface.
  • Page 913 Chapter 26: Interface Commands. 10full - Supports 10 Mbps full-duplex operation 10half - Supports 10 Mbps half-duplex operation flowcontrol - Supports flow control DEFAULT SETTING: 100BASE-FX: 100full (SFP); 1000BASE-T: 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/LH (SFP): 1000full. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: The 1000BASE-T standard does not support forced mode.
  • Page 914 Chapter 26: Interface Commands. DEFAULT SETTING: None. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer and the product name.
  • Page 915 Chapter 26: Interface Commands. flowcontrol: This command enables flow control. Use the no form to disable flow control. SYNTAX: [no] flowcontrol DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: • 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 916 Chapter 26: Interface Commands. no history name name - A symbolic name for this entry in the sampling table. (Range: 1-32 characters) interval - The interval for sampling statistics. (Range: 1-1440 minutes) buckets - The number of samples to take. (Range: 1-96) DEFAULT SETTING: 15min - 15 minute interval, 96 buckets...
  • Page 917 Chapter 26: Interface Commands. negotiation: This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. SYNTAX: [no] negotiation DEFAULT SETTING: Enabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: • 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 918 Chapter 26: Interface Commands. COMMAND USAGE: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. EXAMPLE: The following example disables port 5.
  • Page 919 Chapter 26: Interface Commands. EXAMPLE: The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# RELATED COMMANDS: negotiation (928), capabilities (923). clear counters: This command clears statistics on an interface. SYNTAX: clear counters interface interface ethernet unit/port...
  • Page 920 Chapter 26: Interface Commands. COMMAND MODE: Privileged Exec. EXAMPLE: In this example, “Default” means that the packets are not discarded. Console#show discard Port PVST -------- ------- ------- Eth 1/ 1 Default Default Eth 1/ 2 Default Default Eth 1/ 3 Default Default Eth 1/ 4 Default Default Eth 1/ 5 Default Default Eth 1/ 6 Default Default...
  • Page 921 Chapter 26: Interface Commands. DEFAULT SETTING: Shows the counters for all interfaces. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics”...
  • Page 922 Chapter 26: Interface Commands ===== Port Utilization (recent 300 seconds) ===== 0 Octets input per second 0 Packets input per second 0.00 % Input utilization 0 Octets output per second 0 Packets output per second 0.00 % Output utilization Console# This command displays statistical history for the specified interfaces.
  • Page 923 Chapter 26: Interface Commands Interval : 900 second(s) Buckets Requested : 96 Buckets Granted : 27 Status : Active Current Entries Start Time Octets Input Unicast Multicast Broadcast ------------ ------ --------------- ------------- ------------- ------------ 00d 06:45:01 0.00 34973 Discards Errors ------------- ------------- Octets Output Unicast...
  • Page 924 Chapter 26: Interface Commands Start Time Octets Input Unicast Multicast Broadcast ------------ ------ --------------- ------------- ------------- ------------ 00d 06:52:36 0.00 Discards Errors ------------- ------------- Octets Output Unicast Multicast Broadcast ------ --------------- ------------- ------------- ------------- 0.00 Errors ------------- Previous Entries Start Time Octets Input Unicast Multicast...
  • Page 925 Chapter 26: Interface Commands. 00d 06:52:38 00d 06:52:39 00d 06:52:40 00d 06:52:41 Console# show interfaces status: This command displays the status for an interface. SYNTAX: show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-16) vlan vlan-id (Range: 1-4094) DEFAULT...
  • Page 926 Chapter 26: Interface Commands Port Operation Status : Up Operation Speed-duplex : 100full Up Time : 0w 0d 1h 15m 6s (4506 seconds) Flow Control Type : None Max Frame Size : 1518 bytes (1522 bytes for tagged frames) MAC Learning Status : Enabled Console# This command displays the administrative and operational status of the...
  • Page 927 Chapter 26: Interface Commands. Table 26-2: show interfaces switchport - display description (Field / Description): Broadcast Threshold - Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 984). Multicast Threshold - Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page...
  • Page 928 Chapter 26: Interface Commands. EXAMPLE: Console(config)#interface ethernet 1/52 Console(config-if)#transceiver-monitor Console# transceiver-threshold-auto: This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature. SYNTAX: transceiver-threshold-auto DEFAULT...
  • Page 929 Chapter 26: Interface Commands. COMMAND MODE: Interface Configuration (SFP Ports). COMMAND USAGE: • If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
  • Page 930 Chapter 26: Interface Commands. threshold-value – The power threshold of the received signal. (Range: -4000 - 820 in units of 0.01 dBm) DEFAULT SETTING: High Alarm: -3.00 dBm; High Warning: -3.50 dBm; Low Warning: -21.00 dBm; Low Alarm: -21.50 dBm. COMMAND MODE: Interface Configuration (SFP Ports). COMMAND...
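The crossing rule on page 929 applied to the rx-power defaults on page 930, as an added Python example that is not from the manual or the switch firmware. The page spells out the high-threshold case only; treating the low thresholds as its mirror image (send on a downward crossing), sending nothing for the very first sample, and the ordering check in validate() are assumptions, as are the constructed sample values:

```python
"""Added example: transceiver threshold crossing detection for rx-power.
Not Supermicro code. Values are integers in units of 0.01 dBm, as the CLI takes them."""
from dataclasses import dataclass
from typing import List, Optional

CLI_MIN, CLI_MAX = -4000, 820          # range accepted by transceiver-threshold rx-power


def dbm_to_cli(dbm: float) -> int:
    """Convert a dBm reading to the CLI's 0.01 dBm integer units (e.g. -3.5 -> -350)."""
    return round(dbm * 100)


@dataclass
class RxPowerThresholds:
    """Defaults from the manual: -3.00 / -3.50 / -21.00 / -21.50 dBm."""
    high_alarm: int = -300
    high_warning: int = -350
    low_warning: int = -2100
    low_alarm: int = -2150

    def validate(self) -> None:
        for name, value in vars(self).items():
            if not CLI_MIN <= value <= CLI_MAX:
                raise ValueError(f"{name}={value} outside {CLI_MIN}..{CLI_MAX}")
        # ASSUMPTION: the manual does not say the switch enforces ordering; this check
        # keeps each warning inside its alarm band so a warning always precedes the alarm.
        if not (self.high_alarm >= self.high_warning >= self.low_warning >= self.low_alarm):
            raise ValueError("expected high-alarm >= high-warning >= low-warning >= low-alarm")


class RxPowerMonitor:
    """Emulates transceiver-monitor: one event per threshold, only on the sample that crosses it."""

    def __init__(self, thresholds: RxPowerThresholds) -> None:
        thresholds.validate()
        self.th = thresholds
        self.last: Optional[int] = None

    def sample(self, value: int) -> List[str]:
        events: List[str] = []
        if self.last is not None:          # ASSUMPTION: nothing is sent for the first sample
            for name in ("high_warning", "high_alarm"):
                t = getattr(self.th, name)
                # manual: send when current >= threshold and the previous sample was below it
                if value >= t and self.last < t:
                    events.append(name)
            for name in ("low_warning", "low_alarm"):
                t = getattr(self.th, name)
                # ASSUMPTION: mirror image for the low thresholds
                if value <= t and self.last > t:
                    events.append(name)
        self.last = value
        return events
```

The edge-triggered rule is what keeps a link that sits just above a threshold from re-sending the same trap every sampling interval; a single large drop still produces both the warning and the alarm in one sample, so a collector should not assume it will always see the warning first.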
  • Page 931 Chapter 26: Interface Commands. threshold-value – The threshold of the transceiver temperature. (Range: -12800 - 12800 in units of 0.01 Celsius) DEFAULT SETTING: High Alarm: 75.00 °C; High Warning: 70.00 °C; Low Alarm: -123.00 °C; Low Warning: 0.00 °C. COMMAND MODE: Interface Configuration (SFP Ports). COMMAND USAGE:...
  • Page 932 Chapter 26: Interface Commands. DEFAULT SETTING: High Alarm: -9.00 dBm; High Warning: -9.50 dBm; Low Warning: -21.00 dBm; Low Alarm: -21.50 dBm. COMMAND MODE: Interface Configuration (SFP Ports). COMMAND USAGE: • The threshold value is the power ratio in decibels (dB) of the measured...
  • Page 933 Chapter 26: Interface Commands. DEFAULT SETTING: High Alarm: 3.50 Volts; High Warning: 3.45 Volts; Low Warning: 3.15 Volts; Low Alarm: 3.10 Volts. COMMAND MODE: Interface Configuration (SFP Ports). COMMAND USAGE: • Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
  • Page 934 Chapter 26: Interface Commands diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm thresholds.
  • Page 935 Chapter 26: Interface Commands. COMMAND USAGE: • The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power,...
  • Page 936 Chapter 26: Interface Commands cable fault by sending a signal through the cable and reading the signal that is reflected back. However, note that TDR can only determine if a link is valid or faulty. • This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long.
  • Page 937 Chapter 26: Interface Commands. Eth 1/ 1 GE OK (0) OK (0) 2014-05-08 12:12:50 Console# show cable-diagnostics: This command shows the results of a cable diagnostics test. SYNTAX: show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 938 Chapter 26: Interface Commands. SYNTAX: [no] power-save COMMAND MODE: Interface Configuration (Ethernet, Ports 1-48). COMMAND USAGE: • IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
  • Page 939 Chapter 26: Interface Commands. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#power-save Console(config-if)# show power-save: This command shows the configuration settings for power savings. SYNTAX: show power-save [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-48) COMMAND MODE: Privileged Exec. EXAMPLE:...
  • Page 940: Link Aggregation Commands

    Chapter 27: Link Aggregation Commands. LINK AGGREGATION COMMANDS: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 941 Chapter 27: Link Aggregation Commands. • The ports at both ends of a connection must be configured as trunk ports. • All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
  • Page 942 Chapter 27: Link Aggregation Commands. src-dst-mac - Load balancing based on source and destination MAC address. src-ip - Load balancing based on source IP address. src-mac - Load balancing based on source MAC address. DEFAULT SETTING: src-dst-mac. COMMAND MODE: Global Configuration. COMMAND USAGE: •...
  • Page 943 Chapter 27: Link Aggregation Commands. EXAMPLE: Console(config)#port-channel load-balance dst-ip Console(config)# channel-group: This command adds a port to a trunk. Use the no form to remove a port from a trunk. SYNTAX: channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-16) DEFAULT SETTING: The current port will be added to this trunk.
  • Page 944 Chapter 27: Link Aggregation Commands. COMMAND MODE: Interface Configuration (Ethernet). COMMAND USAGE: • The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. • A trunk formed with another switch using LACP will automatically be...
  • Page 945 Chapter 27: Link Aggregation Commands. Active Member Ports : Eth1/13, Eth1/14 Console# lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side of an aggregate link.
  • Page 946 Chapter 27: Link Aggregation Commands. SYNTAX: lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link. priority - LACP port priority is used to select a backup link. (Range: 0-65535) DEFAULT SETTING:...
  • Page 947 Chapter 27: Link Aggregation Commands. priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535) DEFAULT SETTING: 32768. COMMAND MODE: Interface Configuration (Ethernet). COMMAND USAGE: • Ports must be configured with the same system priority to join the same...
  • Page 948 Chapter 27: Link Aggregation Commands. • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
  • Page 949 Chapter 27: Link Aggregation Commands. • When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used. EXAMPLE: Console(config)#interface port-channel 1 Console(config-if)#lacp timeout short Console(config-if)# Trunk Status Display Commands: This command displays LACP information.
  • Page 950 Chapter 27: Link Aggregation Commands. Table 27-2: show lacp counters - display description (Field / Description): LACPDUs Sent - Number of valid LACPDUs transmitted from this channel group. LACPDUs Received - Number of valid LACPDUs received on this channel group. Marker Sent - Number of valid Marker PDUs transmitted from this channel group. Marker Received - Number of valid Marker PDUs received by this channel group.
  • Page 951 Chapter 27: Link Aggregation Commands. Table 27-3: show lacp internal - display description (Continued) (Field / Description): Admin State, Oper State - Administrative or operational values of the actor's state parameters: • Expired – The actor's receive machine is in the expired state; •...
  • Page 952 Chapter 27: Link Aggregation Commands. Table 27-4: show lacp neighbors - display description (Continued) (Field / Description): Partner Oper Port Number - Operational port number assigned to this aggregation port by the port's protocol partner. Port Admin Priority - Current administrative value of the port priority for the protocol partner. Port Oper Priority - Priority value assigned to this aggregation port by the partner.
  • Page 953 Chapter 27: Link Aggregation Commands. EXAMPLE: Console#show port-channel load-balance Trunk Load Balance Mode: Destination IP address Console#
  • Page 954: Power Over Ethernet Commands

    Chapter 28: Power over Ethernet Commands. POWER OVER ETHERNET COMMANDS: The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-48 on the SSE-G2252P. The switch's power management enables total switch power and individual port power to be controlled within a configured power budget.
  • Page 955 Chapter 28: Power over Ethernet Commands. COMMAND USAGE: • The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device.
  • Page 956 Chapter 28: Power over Ethernet Commands. COMMAND MODE: Global Configuration. COMMAND USAGE: • Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source. • If the power demand from devices connected to the switch exceeds the...
  • Page 957 Chapter 28: Power over Ethernet Commands. Console(config-if)#no power inline Console(config-if)# RELATED COMMANDS: time-range (712). power inline maximum allocation: This command limits the power allocated to specific ports. Use the no form to restore the default setting. SYNTAX: power inline maximum allocation milliwatts no power inline maximum allocation milliwatts - The maximum power budget for the port.
  • Page 958 Chapter 28: Power over Ethernet Commands. SYNTAX: power inline priority priority no power inline priority priority - The power priority for the port. Options: 1 (critical), 2 (high), or 3 (low) DEFAULT SETTING: 3 (low). COMMAND MODE: Interface Configuration. COMMAND USAGE: • If the power demand from devices connected to the switch exceeds the...
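How the switch-wide budget and the per-port priorities interact when demand exceeds supply, as an added Python planning example that is not from the manual or the switch. The manual gives the priority values (1 critical, 2 high, 3 low; default 3), the switch-wide budget and a per-port maximum allocation (34200 mW appears in the show power inline output on page 960); the order in which ports lose power (lowest priority first, highest port number first among equals) is an assumption, and the port list and demands are constructed:

```python
"""Added example: PoE budget planning with port priorities. Not Supermicro code."""
from dataclasses import dataclass
from typing import List, Tuple

CRITICAL, HIGH, LOW = 1, 2, 3        # power inline priority values from the manual
PORT_MAX_MW = 34200                  # per-port maximum shown by show power inline on this switch


@dataclass
class PoePort:
    port: int            # port number 1-48
    demand_mw: int       # power the attached device draws (constructed values)
    priority: int = LOW  # default priority is 3 (low)


def allocate(budget_mw: int, ports: List[PoePort]) -> Tuple[List[int], List[int]]:
    """Return (powered, dropped) port numbers such that the powered ports fit the budget.

    ASSUMPTION: ports are dropped lowest-priority first (3 before 2 before 1) and,
    within one priority, highest port number first, until the remaining demand fits.
    """
    for p in ports:
        if not CRITICAL <= p.priority <= LOW:
            raise ValueError(f"port {p.port}: priority must be 1, 2 or 3")
        if not 0 <= p.demand_mw <= PORT_MAX_MW:
            raise ValueError(f"port {p.port}: demand exceeds {PORT_MAX_MW} mW")
    powered = sorted(ports, key=lambda p: p.port)
    dropped: List[int] = []
    total = sum(p.demand_mw for p in ports)
    for victim in sorted(ports, key=lambda p: (-p.priority, -p.port)):
        if total <= budget_mw:
            break
        powered.remove(victim)
        dropped.append(victim.port)
        total -= victim.demand_mw
    return [p.port for p in powered], dropped
```

Running the planner against the intended device list before cabling shows which ports would be shed during an overload; anything that must stay up (a camera, an access point covering a door) belongs at priority 1 rather than at the default of 3.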
  • Page 959 Chapter 28: Power over Ethernet Commands. power inline time-range: This command binds a time-range to a port during which PoE is supplied to the attached device. Use the no form to remove this binding. SYNTAX: power inline time-range time-range-name no power inline time-range time-range-name - Name of the time range.
  • Page 960 Chapter 28: Power over Ethernet Commands Eth 1/ 6 Enabled 34200 mW 0 mW Low Eth 1/ 7 Enabled 34200 mW 0 mW Low Eth 1/ 8 Enabled 34200 mW 0 mW Low Eth 1/ 9 Enabled 34200 mW 0 mW Low Eth 1/10 Enabled 34200 mW...
  • Page 961 Chapter 28: Power over Ethernet Commands. show power mainpower: Use this command to display the current power status for the switch. COMMAND MODE: Privileged Exec. EXAMPLE: This example shows the maximum available PoE power and maximum allocated PoE power for the SSE-G2252P. Console#show power mainpower Unit 1 PoE Status PoE Maximum Available Power...
  • Page 962: Port Mirroring Commands

    Chapter 29: Port Mirroring Commands, Local Port Mirroring Commands. PORT MIRRORING COMMANDS: Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 963 Chapter 29: Port Mirroring Commands, Local Port Mirroring Commands. vlan-id - VLAN ID (Range: 1-4094) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters) DEFAULT SETTING: No mirror session is defined.
  • Page 964 Chapter 29: Port Mirroring Commands, Local Port Mirroring Commands. • ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: 1. Use the access-list command (page 895) to add an ACL. 2. Use the access-group command to bind the access control list to the port whose traffic is to be mirrored.
  • Page 965: Rspan Mirroring Commands

    Chapter 29: Port Mirroring Commands, RSPAN Mirroring Commands. COMMAND USAGE: This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). EXAMPLE: The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end Console#show port monitor...
  • Page 966 Chapter 29: Port Mirroring Commands RSPAN Mirroring Commands Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
  • Page 967 Chapter 29: Port Mirroring Commands, RSPAN Mirroring Commands. SYNTAX: [no] rspan session session-id source interface interface-list [rx | tx | both] session-id – A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring.
  • Page 968 Chapter 29: Port Mirroring Commands, RSPAN Mirroring Commands. SYNTAX: rspan session session-id destination interface interface [tagged | untagged] no rspan session session-id destination interface interface session-id – A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring.
  • Page 969 Chapter 29: Port Mirroring Commands, RSPAN Mirroring Commands. rspan remote vlan: Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN. SYNTAX: [no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface...
  • Page 970 Chapter 29: Port Mirroring Commands, RSPAN Mirroring Commands. The show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. EXAMPLE: The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3: Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3 Console(config)#...
  • Page 971 Chapter 29: Port Mirroring Commands, RSPAN Mirroring Commands. EXAMPLE: Console#show rspan session RSPAN Session ID Source Ports (mirrored ports) : None RX Only : None TX Only : None BOTH : None Destination Port (monitor port) : Eth 1/2 Destination Tagged Mode : Untagged Switch Role : Destination...
  • Page 972: Congestion Control Commands

    Chapter 30: Congestion Control Commands, Rate Limit Commands. CONGESTION CONTROL COMMANDS: The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 973: Storm Control Commands

    Chapter 30: Congestion Control Commands Storm Control Commands DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
  • Page 974 Chapter 30: Congestion Control Commands Storm Control Commands SYNTAX switchport {broadcast | multicast | unknown-unicast} packet-rate rate no switchport {broadcast | multicast | unknown-unicast} broadcast - Specifies storm control for broadcast traffic. multicast - Specifies storm control for multicast traffic. unknown-unicast - Specifies storm control for unknown unicast traffic.
  • Page 975: Automatic Traffic Control Commands

    Chapter 30: Congestion Control Commands Automatic Traffic Control Commands EXAMPLE The following shows how to configure broadcast storm control at 600 packets per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# RELATED COMMANDS show interfaces switchport (937) AUTOMATIC TRAFFIC CONTROL COMMANDS Automatic Traffic Control (ATC) configures bounding thresholds for...
  • Page 976 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands Table 30-4: ATC Commands (Continued) Command | Function | Mode: snmp-server enable port-traps atc broadcast-control-release | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires | IC (Port) snmp-server...
  • Page 977 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands • When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged. • Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires.
  • Page 978 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands SYNTAX auto-traffic-control {broadcast | multicast} apply-timer seconds no auto-traffic-control {broadcast | multicast} apply-timer broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic. seconds - The interval after the upper threshold has been exceeded at which to apply the control response.
  • Page 979 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands COMMAND MODE Global Configuration COMMAND USAGE This command sets the delay after which the control response can be terminated. The auto-traffic-control auto-control-release command must be used to enable or disable the automatic release of a rate-limiting control response.
  • Page 980 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast Console(config-if)# auto-traffic-control action: This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting. SYNTAX auto-traffic-control {broadcast | multicast} action...
  • Page 981 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast action shutdown Console(config-if)# auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer expires, if so configured by the auto-traffic-control auto-control-release...
  • Page 982 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control alarm-fire-threshold: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting. SYNTAX auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold...
  • Page 983 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic. COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE • This command can be used to automatically stop a control response of...
  • Page 984 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands SNMP Trap Commands snmp-server enable port-traps atc broadcast-alarm-clear: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX...
  • Page 985 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands snmp-server enable port-traps atc broadcast-control-apply: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX...
  • Page 986 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control release-timer (989) snmp-server enable port-traps atc multicast-alarm-clear: This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX...
  • Page 987 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands snmp-server enable port-traps atc multicast-control-apply: This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX...
  • Page 988 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control release-timer (989) ATC Display Commands show auto-traffic-control: This command shows global configuration settings for automatic storm control. COMMAND MODE Privileged Exec EXAMPLE Console#show auto-traffic-control Storm-control: Broadcast Apply-timer (sec) : 300 release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300...
  • Page 989 Chapter 30: Congestion Control Commands Automatic Traffic Control Commands Console#
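The interplay of the two thresholds and two timers in this chapter is easier to see when played out against a traffic trace. The Python model below is an added example, not code from the manual or the switch firmware. It steps a per-second ingress rate through the ATC states (normal, alarm, controlled) using the manual's terms: the alarm fires when traffic exceeds alarm-fire-threshold, the control response is applied once the apply timer has run out, and a rate-limiting response is released after traffic has stayed below alarm-clear-threshold for the release timer, but only if auto-control-release is enabled. Two points are the model's own assumptions rather than statements from the manual: traffic that drops below the clear threshold before the apply timer expires cancels the alarm without a response, and a shutdown response is never released automatically (the manual ties automatic release to the rate-limiting response). The defaults of 300 and 900 seconds are the values displayed by show auto-traffic-control; the trace and the shortened timers in the demonstration are constructed.

```python
from dataclasses import dataclass


@dataclass
class AtcConfig:
    """Per-traffic-type ATC settings (broadcast or multicast), named after the CLI keywords."""
    fire_threshold: int            # auto-traffic-control ... alarm-fire-threshold (packets/s)
    clear_threshold: int           # auto-traffic-control ... alarm-clear-threshold (packets/s)
    apply_timer: int = 300         # seconds; default shown by "show auto-traffic-control"
    release_timer: int = 900       # seconds; default shown by "show auto-traffic-control"
    action: str = "rate-control"   # auto-traffic-control ... action {rate-control | shutdown}
    auto_release: bool = False     # auto-traffic-control ... auto-control-release


def simulate_atc(samples, cfg):
    """Step one port's per-second ingress rate (packets/s) through the ATC state machine.

    Returns (events, final_state). Each event is (second, name) using the manual's
    trap names: alarm-fire, control-apply, alarm-clear, control-release.
    States: "normal", "alarm" (fire threshold crossed, apply timer running),
    "controlled" (response in effect).
    """
    state, above_since, below_since = "normal", None, None
    events = []
    for t, pps in enumerate(samples):
        if state == "normal":
            if pps > cfg.fire_threshold:
                state, above_since = "alarm", t
                events.append((t, "alarm-fire"))
        elif state == "alarm":
            if pps < cfg.clear_threshold:
                # Model assumption: a storm that subsides before the apply timer
                # expires is cleared without applying any response.
                state = "normal"
                events.append((t, "alarm-clear"))
            elif t - above_since >= cfg.apply_timer:
                state, below_since = "controlled", None
                events.append((t, f"control-apply:{cfg.action}"))
        else:  # controlled
            if cfg.action == "shutdown":
                # Model assumption: a shut-down port stays down until an operator
                # clears it; the manual ties auto-release to rate limiting.
                continue
            if pps < cfg.clear_threshold:
                if below_since is None:
                    below_since = t
                    events.append((t, "alarm-clear"))
                if cfg.auto_release and t - below_since >= cfg.release_timer:
                    state = "normal"
                    events.append((t, "control-release"))
            else:
                below_since = None  # traffic came back: the release timer restarts
    return events, state


def seconds_controlled(samples, cfg):
    """How long the port spent under a control response (rate limit or shutdown)."""
    events, _ = simulate_atc(samples, cfg)
    applied = [t for t, name in events if name.startswith("control-apply")]
    released = [t for t, name in events if name == "control-release"]
    if not applied:
        return 0
    end = released[0] if released else len(samples)
    return end - applied[0]


# Constructed trace: 2 s quiet, a 6 s broadcast storm, then quiet again.
TRACE = [100] * 2 + [5000] * 6 + [100] * 10
# Constructed, shortened timers so the trace fits in 18 seconds.
DEMO = AtcConfig(fire_threshold=1000, clear_threshold=200, apply_timer=3,
                 release_timer=5, auto_release=True)

if __name__ == "__main__":
    for cfg in (DEMO,
                AtcConfig(1000, 200, 3, 5, auto_release=False),
                AtcConfig(1000, 200, 3, 5, action="shutdown")):
        events, final = simulate_atc(TRACE, cfg)
        print(cfg.action, "auto_release=%s" % cfg.auto_release, events, "->", final,
              "controlled for", seconds_controlled(TRACE, cfg), "s")
```

The shutdown variant is the one to weigh before enabling it on user-facing ports: anyone able to source a broadcast burst for longer than the apply timer takes the port offline until an operator intervenes, so pair a shutdown action with the control-apply trap so that the event is seen.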
  • Page 990: Loopback Detection Commands

    Chapter 31: Loopback Detection Commands LOOPBACK DETECTION COMMANDS The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
  • Page 991 Chapter 31: Loopback Detection Commands SYNTAX [no] loopback-detection DEFAULT SETTING Disabled COMMAND MODE Global Configuration Interface Configuration (Ethernet, Port Channel) COMMAND USAGE Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
  • Page 992 Chapter 31: Loopback Detection Commands COMMAND USAGE • When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port's VLAN membership type. • When the response to a detected loopback condition is set to block user...
  • Page 993 Chapter 31: Loopback Detection Commands EXAMPLE Console(config)#loopback-detection recover-time 120 Console(config)# loopback-detection transmit-interval: This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting. SYNTAX loopback-detection transmit-interval seconds no loopback-detection transmit-interval seconds - The transmission interval for loopback detection control frames.
  • Page 994 Chapter 31: Loopback Detection Commands COMMAND MODE Global Configuration COMMAND USAGE Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery. EXAMPLE Console(config)#loopback-detection trap both Console(config)# The loopback-detection release command releases all interfaces currently shut down by the loopback detection feature.
  • Page 995 Chapter 31: Loopback Detection Commands Loopback Detection Port Information (Port | Admin State | Oper State): Eth 1/1 Enabled Normal; Eth 1/2 Disabled Disabled; Eth 1/3 Disabled Disabled Console#show loopback-detection ethernet 1/1 Loopback Detection Information of Eth 1/1 Admin State : Enabled Oper State : Normal...
  • Page 996: Unidirectional Link Detection Commands

    Chapter 32: UniDirectional Link Detection Commands UNIDIRECTIONAL LINK DETECTION COMMANDS The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port's identity and learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache.
  • Page 997 Chapter 32: UniDirectional Link Detection Commands If the link is deemed anything other than bidirectional at the end of the detection phase, this curve becomes a flat line with a fixed value of Mfast (7 seconds). If the link is instead deemed bidirectional, the curve will use Mfast for the first four subsequent message transmissions and then transition to an Mslow value for all other steady-state transmissions.
  • Page 998 Chapter 32: UniDirectional Link Detection Commands information cannot always be associated with an actual malfunction of the link, this mode is optional and is recommended only in certain scenarios (typically only on point-to-point links where no communication failure between two neighbors is admissible). EXAMPLE This example enables UDLD aggressive mode on port 1.
  • Page 999 Chapter 32: UniDirectional Link Detection Commands EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#udld port Console(config-if)# The following shows how a trunk can be configured to use UDLD prior to any member ports being assigned. Console(config)#interface port-channel 1 Console(config-if)#udld port Console(config-if)#end Console#show interfaces switchport port-channel 1 Trunk 1, which has no member, could not be configured or displayed.
  • Page 1000 Chapter 32: UniDirectional Link Detection Commands Console#show udld interface ethernet 1/1 (Interface | UDLD | Mode | Oper State | Msg Invl | Port State | Timeout): Eth 1/1 Enabled Aggressive Advertisement 15 s Bidirectional Console# Table 32-2: show udld - display description Field Description Message Interval...
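The message-interval curve described on page 997 can be turned into an explicit probe schedule. The Python below is an added example and is not from the manual or the firmware: it reproduces the rule stated there (a flat Mfast of 7 seconds when the link is anything other than bidirectional; Mfast for the first four transmissions and then Mslow for a bidirectional link) and reads the Msg Invl and Port State columns out of show udld interface rows to derive the schedule for live ports. It assumes that the Msg Invl value the switch displays is the port's Mslow. The sample output is constructed from the row in the excerpt above, with a second row added for a non-bidirectional port whose Port State string is likewise an assumption.

```python
import re

MFAST = 7  # seconds; the manual's fixed fast interval


def udld_intervals(port_state, mslow, count):
    """Gaps (s) between the first `count` probes sent after the detection phase.

    Anything other than "Bidirectional" keeps the flat Mfast curve; a bidirectional
    link sends four probes at Mfast and then settles to Mslow.
    """
    if port_state != "Bidirectional":
        return [MFAST] * count
    return [MFAST if i < 4 else mslow for i in range(count)]


def probe_times(intervals):
    """Cumulative send times (s) measured from the end of detection."""
    times, now = [], 0
    for gap in intervals:
        now += gap
        times.append(now)
    return times


# Row layout of "show udld interface": Interface, UDLD, Mode, Oper State,
# Msg Invl, Port State, Timeout (the last column may be blank).
ROW_RE = re.compile(
    r"^(Eth\s*\d+/\s*\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*s\s+(\S+)", re.M)


def parse_show_udld(text):
    """Return one dict per port row of a 'show udld interface' dump."""
    rows = []
    for m in ROW_RE.finditer(text):
        iface, udld, mode, oper, invl, pstate = m.groups()
        rows.append({
            "interface": re.sub(r"\s+", "", iface).replace("Eth", "Eth "),  # 'Eth 1/ 1' -> 'Eth 1/1'
            "udld": udld, "mode": mode, "oper_state": oper,
            "msg_interval": int(invl), "port_state": pstate,
        })
    return rows


def schedule_from_show(text, count=6):
    """Probe schedule per port, assuming the displayed Msg Invl is the port's Mslow."""
    return {r["interface"]: probe_times(udld_intervals(r["port_state"], r["msg_interval"], count))
            for r in parse_show_udld(text)}


# Constructed sample modelled on the manual's show udld example; the second
# row and its "Unidirectional" state are added for contrast and are assumptions.
SAMPLE_SHOW_UDLD = """\
Console#show udld interface ethernet 1/1
Interface UDLD    Mode       Oper State    Msg Invl Port State     Timeout
--------- ------- ---------- ------------- -------- -------------- --------
Eth 1/ 1  Enabled Aggressive Advertisement 15 s     Bidirectional
Eth 1/ 2  Enabled Normal     Advertisement 15 s     Unidirectional
Console#
"""

if __name__ == "__main__":
    for iface, times in schedule_from_show(SAMPLE_SHOW_UDLD).items():
        print(iface, times)
```

The steady-state gap is the figure to keep in mind when choosing the message interval: a longer Mslow means fewer probes on a healthy link, but also a longer window in which a link that has just gone unidirectional is still trusted.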
