Digisol DG-GS1550 Management Manual

Azteca 1000 Web Managed Switch Series
DG-GS1550
Layer 2 Gigabit Ethernet Web Managed Switch
MANAGEMENT GUIDE
v1.0
08-02-2012
As our products undergo continuous development the specifications are subject to change without prior notice

Summary of Contents for Digisol DG-GS1550

  • Page 1 Azteca 1000 Web Managed Switch Series DG-GS1550 Layer 2 Gigabit Ethernet Web Managed Switch MANAGEMENT GUIDE v1.0 08-02-2012 As our products undergo continuous development the specifications are subject to change without prior notice...
  • Page 2 COPYRIGHT Copyright © 2010 by SNSL. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise, without the prior written permission of SNSL.
  • Page 3 MANAGEMENT GUIDE DG-GS1550 Gigabit Ethernet Switch Layer 2 Workgroup Switch with 46 10/100/1000BASE-T (RJ-45) Ports and 4 Combination Gigabit (RJ-45/SFP) Ports...
  • Page 4: About This Guide

    About This Guide Purpose This guide details the hardware features of the switch, including the physical and performance-related characteristics, and how to install the switch. Audience The guide is intended for use by network administrators who are responsible for installing and setting up network equipment;...
  • Page 5: Table Of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 6 Contents Saving or Restoring Configuration Settings 3-22 Downloading Configuration Settings from a Server 3-23 Console Port Settings 3-24 Telnet Settings 3-26 Configuring Event Logging 3-28 System Log Configuration 3-28 Remote Log Configuration 3-29 Displaying Log Messages 3-31 Simple Mail Transfer Protocol 3-31 Resetting the System 3-33...
  • Page 7 Contents Configuring the SSH Server 3-78 Configuring 802.1X Port Authentication 3-79 Displaying 802.1X Global Settings 3-80 Configuring 802.1X Global Settings 3-81 Configuring Port Settings for 802.1X 3-82 Displaying 802.1X Statistics 3-85 Filtering IP Addresses for Management Access 3-86 General Security Measures 3-88 Configuring Port Security 3-89...
  • Page 8 Contents Configuring Remote Port Mirroring 3-136 Configuring Rate Limits 3-140 Rate Limit Configuration 3-140 Showing Port Statistics 3-141 Address Table Settings 3-146 Setting Static Addresses 3-146 Displaying the Address Table 3-147 Changing the Aging Time 3-148 Spanning Tree Algorithm Configuration 3-149 Displaying Global Settings for STA 3-151...
  • Page 9 Contents Setting the Service Weight for Traffic Classes 3-208 Layer 3/4 Priority Settings 3-209 Mapping Layer 3/4 Priorities to CoS Values 3-209 Selecting IP Precedence/DSCP Priority 3-209 Mapping IP Precedence 3-210 Mapping DSCP Priority 3-211 Mapping IP Port Priority 3-213 Quality of Service 3-214 Configuring Quality of Service Parameters...
  • Page 10 Contents Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups 4-10 General Commands 4-11...
  • Page 11 Contents show running-config 4-30 show system 4-32 show users 4-32 show version 4-33 Frame Size Commands 4-34 jumbo frame 4-34 File Management Commands 4-35 copy 4-36 delete 4-39 4-39 whichboot 4-40 boot system 4-41 Line Commands 4-42 line 4-42 login 4-43 password 4-44...
  • Page 12 Contents sntp poll 4-64 show sntp 4-64 clock timezone 4-65 calendar set 4-66 show calendar 4-66 Switch Cluster Commands 4-67 cluster 4-67 cluster commander 4-68 cluster ip-pool 4-69 cluster member 4-69 rcommand 4-70 show cluster 4-70 show cluster members 4-71 show cluster candidates 4-71 SNMP Commands...
  • Page 13 Contents radius-server timeout 4-95 show radius-server 4-95 TACACS+ Client 4-96 tacacs-server host 4-97 tacacs-server port 4-97 tacacs-server key 4-98 tacacs-server retransmit 4-98 tacacs-server timeout 4-99 show tacacs-server 4-99 AAA Commands 4-100 aaa group server 4-100 server 4-101 aaa accounting dot1x 4-102 aaa accounting exec 4-103...
  • Page 14 Contents dot1x max-req 4-124 dot1x port-control 4-124 dot1x operation-mode 4-125 dot1x re-authenticate 4-125 dot1x re-authentication 4-126 dot1x timeout quiet-period 4-127 dot1x timeout re-authperiod 4-127 dot1x timeout tx-period 4-128 dot1x timeout supp-timeout 4-128 dot1x intrusion-action 4-129 show dot1x 4-129 Management IP Filter Commands 4-132 management 4-132...
  • Page 15 Contents permit, deny (Extended ACL) 4-158 show ip access-list 4-160 ip access-group 4-160 show ip access-group 4-161 MAC ACLs 4-161 access-list mac 4-162 permit, deny (MAC ACL) 4-162 show mac access-list 4-164 mac access-group 4-164 show mac access-group 4-165 ACL Information 4-166 show access-list 4-166...
  • Page 16 Contents Rate Limit Commands 4-198 rate-limit 4-198 Address Table Commands 4-199 mac-address-table static 4-199 clear mac-address-table dynamic 4-200 show mac-address-table 4-201 mac-address-table aging-time 4-202 show mac-address-table aging-time 4-202 Spanning Tree Commands 4-203 spanning-tree 4-204 spanning-tree mode 4-204 spanning-tree forward-time 4-206 spanning-tree hello-time 4-206 spanning-tree max-age...
  • Page 17 Contents Editing VLAN Groups 4-230 vlan database 4-230 vlan 4-231 Configuring VLAN Interfaces 4-232 interface vlan 4-232 switchport mode 4-233 switchport acceptable-frame-types 4-234 switchport ingress-filtering 4-234 switchport native vlan 4-235 switchport allowed vlan 4-236 switchport forbidden vlan 4-237 Displaying VLAN Information 4-238 show vlan 4-238...
  • Page 18 Contents lldp holdtime-multiplier 4-262 lldp med-fast-start-count 4-263 lldp notification-interval 4-263 lldp refresh-interval 4-264 lldp reinit-delay 4-265 lldp tx-delay 4-265 lldp admin-status 4-266 lldp notification 4-266 lldp med-notification 4-267 lldp basic-tlv management-ip-address 4-268 lldp basic-tlv port-description 4-269 lldp basic-tlv system-capabilities 4-269 lldp basic-tlv system-description 4-270 lldp basic-tlv system-name...
  • Page 19 Contents show map ip port 4-292 show map ip precedence 4-293 show map ip dscp 4-293 Quality of Service Commands 4-295 class-map 4-296 match 4-297 rename 4-298 description 4-298 policy-map 4-299 class 4-299 4-300 police 4-301 service-policy 4-302 show class-map 4-303 show policy-map 4-303...
  • Page 20 Contents Multicast VLAN Registration Commands 4-323 mvr (Global Configuration) 4-323 mvr (Interface Configuration) 4-325 show mvr 4-326 Domain Name Service Commands 4-329 ip host 4-329 clear host 4-330 ip domain-name 4-330 ip domain-list 4-331 ip name-server 4-332 ip domain-lookup 4-333 show hosts 4-334 show dns...
  • Page 21 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-28 Table 3-5 Supported Notification Messages 3-48 Table 3-6 HTTPS System Support 3-72 Table 3-7 802.1X Statistics 3-85 Table 3-8 LACP Port Counters 3-125 Table 3-9...
  • Page 22 Tables Table 4-23 show snmp view - display description 4-81 Table 4-24 show snmp group - display description 4-84 Table 4-26 Authentication Commands 4-86 Table 4-25 show snmp user - display description 4-86 Table 4-27 User Access Commands 4-87 Table 4-28 Default Login Settings 4-87 Table 4-29...
  • Page 23 Tables Table 4-72 Traffic Segmentation Forwarding 4-243 Table 4-73 Private VLAN Commands 4-245 Table 4-74 Protocol-based VLAN Commands 4-250 Table 4-75 Voice VLAN Commands 4-254 Table 4-76 LLDP Commands 4-260 Table 4-77 Priority Commands 4-282 Table 4-78 Priority Commands (Layer 2) 4-282 Table 4-79 Default CoS Values to Egress Queues...
  • Page 24 Tables...
  • Page 25 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-12 Figure 3-4 Switch Information 3-13 Figure 3-5 Bridge Extension Configuration 3-15 Figure 3-6 Manual IP Configuration 3-17 Figure 3-7 DHCP IP Configuration 3-18 Figure 3-8 Bridge Extension Configuration 3-19 Figure 3-9 Copy Firmware...
  • Page 26 Figures Figure 3-43 AAA Authorization Settings 3-70 Figure 3-44 AAA Authorization Exec Settings 3-70 Figure 3-45 AAA Authorization Summary 3-71 Figure 3-46 HTTPS Settings 3-73 Figure 3-47 SSH Host-Key Settings 3-77 Figure 3-48 SSH Server Settings 3-78 Figure 3-49 802.1X Global Information 3-80 Figure 3-50 802.1X Global Configuration...
  • Page 27 Figures Figure 3-88 Configuring a Dynamic Address Table 3-147 Figure 3-89 Setting the Address Aging Time 3-148 Figure 3-90 Displaying Spanning Tree Information 3-153 Figure 3-91 Configuring Spanning Tree 3-157 Figure 3-92 Displaying Spanning Tree Port Information 3-160 Figure 3-93 Configuring Spanning Tree per Port 3-164 Figure 3-94...
  • Page 28 Figures Figure 3-133 Enabling IGMP Filtering and Throttling 3-233 Figure 3-134 IGMP Profile Configuration 3-234 Figure 3-135 IGMP Filter and Throttling Port Configuration 3-236 Figure 3-136 MVR Global Configuration 3-239 Figure 3-137 MVR Port Information 3-240 Figure 3-138 MVR Group IP Information 3-241 Figure 3-139 MVR Port Configuration 3-243...
  • Page 29: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 30: Description Of Software Features

    Introduction Table 1-1 Key Features (Continued) Feature Description Virtual LANs Up to 256 using IEEE 802.1Q, port-based, protocol-based or private VLANs, and voice VLANs Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence, or Differentiated Services Code Point (DSCP), and TCP/UDP Port Quality of Service Supports Differentiated Services (DiffServ) Link Layer Discovery Protocol Used to discover basic information about neighboring devices...
  • Page 31 Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 25 trunks on the DG-GS1550. Storm Control – Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network.
  • Page 32 Introduction Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 4 Mbits for frame buffering.
  • Page 33 Description of Software Features Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093) is reserved for switch clustering. Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing.
  • Page 34: System Defaults

    Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-22). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter Default...
  • Page 35 System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default SNMP SNMP Agent Enabled Community Strings “public” (read only), “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: default view Group: public (read only) private (read/write) Port Configuration Admin Status Enabled Auto-negotiation...
  • Page 36 Introduction Table 1-2 System Defaults (Continued) Function Parameter Default Traffic Prioritization Ingress Port Priority Weighted Round Robin Queue: 0 1 2 3 Weight: 1 2 4 8 IP Precedence Priority Disabled IP DSCP Priority Disabled IP Port Priority Disabled IP Settings IP Address DHCP assigned Subnet Mask...
  • Page 37: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 38: Required Connections

    Initial Configuration • Configure trunks up to 25 on the DG-GS1550 • Enable port mirroring • Set broadcast, multicast or unknown unicast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 39: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see "Setting an IP Address"...
  • Page 40: Setting Passwords

    Press <Enter>. Note: ‘0’ specifies a password in plain text, ‘7’ specifies the password in encrypted form. Username: admin Password: CLI session with the DIGISOL 10/100/1000 is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password]...
  • Page 41: Dynamic Configuration

    Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1”...
  • Page 42: Enabling Snmp Management Access

    Initial Configuration If network connections are normally slow, type “ip dhcp restart” to re-start broadcasting service requests. Press <Enter>. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.”...
  • Page 43: Trap Receivers

    Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 44: Configuring Access For Snmp Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 45: Saving Configuration Settings

    Managing System Files Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 16 Mbytes of flash memory for system files.
  • Page 46 Initial Configuration 2-10...
  • Page 47: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 48: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
  • Page 49: Configuration Options

    Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-117. DG-GS1550 Figure 3-2 Panel Display...
  • Page 50: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 51 Navigating the Web Browser Interface Table 3-2 Main Menu (Continued) Menu Description Page Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-43 Users Configures SNMP v3 users on this switch 3-44 Remote Users Configures SNMP v3 users from a remote device 3-46 Groups Configures SNMP v3 groups...
  • Page 52 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Configuration Configures the global configuration setting 3-81 Port Configuration Sets parameters for individual ports 3-82 Statistics Displays protocol statistics for the selected port 3-85 Network Access 3-90 Configuration Configures global Network Access parameters 3-91 Port Configuration Configures Network Access parameters for individual ports...
  • Page 53 Navigating the Web Browser Interface Table 3-2 Main Menu (Continued) Menu Description Page RSPAN Configuration Mirrors data from remote switches over a dedicated VLAN 3-136 Rate Limit 3-140 Input Port Configuration Sets the input rate limit for each port 3-140 Input Trunk Configuration Sets the input rate limit for each trunk 3-140...
  • Page 54 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Static List Used to create or remove VLAN groups 3-177 Static Table Modifies the settings for an existing VLAN 3-180 Static Membership by Port Configures membership type for interfaces, including tagged, 3-182 untagged or forbidden Port Configuration...
  • Page 55 Navigating the Web Browser Interface Table 3-2 Main Menu (Continued) Menu Description Page IP Precedence/DSCP Priority Globally selects IP Precedence or DSCP Priority, or disables 3-209 Status both. IP Precedence Priority Sets IP Type of Service priority, mapping the precedence tag to 3-210 a class-of-service value IP DSCP Priority...
  • Page 56 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Trunk Information Displays MVR interface type, MVR operational and activity 3-240 status, and immediate leave status Group IP Information Displays the ports attached to an MVR multicast stream 3-241 Port Configuration Configures MVR interface type and immediate leave status 3-242...
  • Page 57: Basic Configuration

    Basic Configuration Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 58: Figure 3-3 System Information

    Console(config)#hostname R&D 5 4-18 Console(config)#snmp-server location WC 9 4-75 Console(config)#snmp-server contact Ted 4-75 Console(config)#exit Console#show system System Description: DG-GS1550 System OID String: 1.3.6.1.4.1.36293.1.1.1.15 System Information System Up Time: 0 days, 0 hours, 46 minutes, and 39.91 seconds System Name: [NONE] System Location:...
  • Page 59: Displaying Switch Hardware/Software Versions

    Basic Configuration Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 60 Configuring the Switch CLI – Use the following command to display version information. Console#show version Unit 1 Serial Number: AA16002532 Hardware Version: EPLD Version: 3.02 Number of Ports: Main Power Status: Redundant Power Status: Not present Agent (Master) Unit ID: Loader Version: 1.0.0.4 Boot ROM Version:...
  • Page 61: Displaying Bridge Extension Capabilities

    Basic Configuration Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 62: Setting The Switch's Ip Address

    Configuring the Switch CLI – Enter the following command. Console#show bridge-ext 4-227 Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled...
  • Page 63: Manual Configuration

    Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 64: Using Dhcp/Bootp

    Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 65: Enabling Jumbo Frames

    Basic Configuration Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
  • Page 66: Managing Firmware

    Configuring the Switch Managing Firmware Just specify the method of file transfer, along with the file type and file names as required. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. Only two copies of the system software (i.e., the run-time firmware) can be stored in the file directory on the switch.
  • Page 67: Figure 3-9 Copy Firmware

    Basic Configuration Web –Click System, File Management, Copy Operation. Select “tftp to file” as the file transfer method, enter the IP address of the TFTP server, set the file type to “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply.
  • Page 68: Saving Or Restoring Configuration Settings

    Configuring the Switch CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.
  • Page 69: Downloading Configuration Settings From A Server

    Basic Configuration Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
  • Page 70: Console Port Settings

    Configuring the Switch CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-36 TFTP server ip address: 192.168.1.23 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.
  • Page 71: Figure 3-14 Console Port Settings

    Basic Configuration • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400 baud, or Auto; Default: Auto) •...
  • Page 72: Telnet Settings

    Configuring the Switch CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-42 Console(config-line)#login local 4-43 Console(config-line)#password 0 secret 4-44...
  • Page 73: Figure 3-15 Enabling Telnet

    Basic Configuration • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) • Login –...
  • Page 74: Configuring Event Logging

    Configuring the Switch Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and the display of a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 75: Remote Log Configuration

    Basic Configuration Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
  • Page 76: Figure 3-17 Remote Logs

    Configuring the Switch • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
  • Page 77: Displaying Log Messages

    Basic Configuration Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 78: Figure 3-19 Enabling And Configuring Smtp

    Configuring the Switch • SMTP Server – Specifies a new SMTP server address to add to the SMTP Server List. • Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.
  • Page 79: Resetting The System

    Basic Configuration CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 80: Setting The System Clock

    Configuring the Switch Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 81: Setting The Time Zone

    Basic Configuration Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply. Figure 3-21 SNTP Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-63 Console(config)#sntp poll 60...
  • Page 82: Simple Network Management Protocol

    Configuring the Switch Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply. Figure 3-22 Setting the System Clock CLI - This example shows how to set the time zone for the system clock. Console(config)#clock timezone Atlantic hours 4 minute 0 before-UTC 4-65...
  • Page 83 Simple Network Management Protocol Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels.
  • Page 84: Enabling The Snmp Agent

    Configuring the Switch Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Figure 3-23 Enabling SNMP Agent Status CLI –...
  • Page 85: Specifying Trap Managers And Trap Types

    Simple Network Management Protocol Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-24 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access. Console(config)#snmp-server community spiderman rw 4-74 Console(config)#...
  • Page 86 Configuring the Switch To send an inform to an SNMPv2c host, complete these steps: 1. Enable the SNMP agent (page 3-38). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 3-51). 4.
  • Page 87: Figure 3-25 Configuring Ip Trap Managers

    Simple Network Management Protocol • Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled) • Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken.
  • Page 88: Configuring Snmpv3 Management Access

    Configuring the Switch Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 89: Specifying A Remote Engine Id

    Simple Network Management Protocol Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 90: Configuring Snmpv3 Users

    Configuring the Switch Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. Command Attributes •...
  • Page 91: Figure 3-28 Configuring Snmpv3 Users

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 92: Configuring Remote Snmpv3 Users

    Configuring the Switch Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 93: Figure 3-29 Configuring Remote Snmpv3 Users

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 94: Configuring Snmpv3 Groups

    Configuring the Switch Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 95 Simple Network Management Protocol Table 3-5 Supported Notification Messages (Continued) Object Label: linkDown; Object ID: 1.3.6.1.6.3.1.1.5.3; Description: A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 96: Figure 3-30 Configuring Snmpv3 Groups

    Configuring the Switch Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
  • Page 97: Setting Snmpv3 Views

    Simple Network Management Protocol Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
  • Page 98 Configuring the Switch CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-80 Console(config)#exit Console#show snmp view 4-81 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
  • Page 99: User Authentication

    User Authentication User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: •...
  • Page 100: Figure 3-32 Access Levels

    Configuring the Switch Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 101: Configuring Local/Remote Logon Authentication

    User Authentication Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 102 Configuring the Switch Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
  • Page 103: Figure 3-33 Authentication Settings

    User Authentication Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Settings 3-57...
  • Page 104: Configuring Encryption Keys

    Configuring the Switch CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius 4-91 Console(config)#radius-server port 181 4-94 Console(config)#radius-server key green 4-94 Console(config)#radius-server retransmit 5 4-95 Console(config)#radius-server timeout 10 4-95 Console(config)#radius-server 1 host 192.168.1.25 4-93 Console(config)#end Console#show radius-server 4-95 Global Settings:...
  • Page 105: Figure 3-34 Encryption Key Settings

    User Authentication - Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. - Change – Clicking this button adds or modifies the selected encryption key. •...
  • Page 106: Aaa Authorization And Accounting

    Configuring the Switch AAA Authorization and Accounting The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network. •...
  • Page 107: Configuring Aaa Radius Group Settings

    User Authentication Configuring AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the RADIUS server group. (1-255 characters) •...
  • Page 108: Configuring Aaa Tacacs+ Group Settings

    Configuring the Switch Configuring AAA TACACS+ Group Settings The AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the TACACS+ server group. (1-255 characters) •...
  • Page 109: Figure 3-37 Aaa Accounting Settings

    User Authentication The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon Authentication" on page 3-55). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages. Web –...
  • Page 110: Aaa Accounting Update

    Configuring the Switch AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled) Web –...
  • Page 111: Aaa Accounting 802.1X Port Settings

    User Authentication AAA Accounting 802.1X Port Settings This feature applies the specified accounting method to an interface. Command Attributes • Port/Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-61).
  • Page 112: Aaa Accounting Exec Command Privileges

    Configuring the Switch AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels. Command Attributes • Commands Privilege Level - The CLI privilege levels (0-15). • Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
  • Page 113: Aaa Accounting Exec Settings

    User Authentication AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 114: Figure 3-42 Aaa Accounting Summary

    Configuring the Switch Web – Click Security, AAA, Summary. Figure 3-42 AAA Accounting Summary 3-68...
  • Page 115: Authorization Settings

    User Authentication CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-108 Accounting Type : dot1x Method List : default Group List : radius Interface Method List : tps-method Group List : tps-radius Interface Accounting Type : Exec...
  • Page 116: Authorization Exec Settings

    Configuring the Switch Web – Click Security, AAA, Authorization, Settings. To configure a new authorization method, specify a method name and a group name, select the service, then click Add. Figure 3-43 AAA Authorization Settings CLI – Specify the authorization method required and the server group. Console(config)#aaa authorization exec default group tacacs+ 4-107 Console(config)#...
  • Page 117: Authorization Summary

    User Authentication CLI – Specify the authorization method to use for Console and Telnet interfaces. Console(config)#line console 4-42 Console(config-line)#authorization exec tps-auth 4-108 Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec tps-auth Console(config-line)# Authorization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
  • Page 118: Configuring Https

    Configuring the Switch Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
  • Page 119: Replacing The Default Secure-Site Certificate

    User Authentication Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-46 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server 4-110 Console(config)#ip http secure-port 443 4-111 Console(config)#...
  • Page 120: Configuring The Secure Shell

    Configuring the Switch Configuring the Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 121 User Authentication 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-36) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-53.) The clients are subsequently authenticated using these keys.
  • Page 122: Generating The Host Key Pair

    Configuring the Switch Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
  • Page 123: Figure 3-47 Ssh Host-Key Settings

    User Authentication Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-47 SSH Host-Key Settings CLI –...
  • Page 124: Configuring The Ssh Server

    Configuring the Switch Configuring the SSH Server The SSH server includes basic settings for authentication. Note: You must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) •...
  • Page 125: Configuring 802.1X Port Authentication

    User Authentication CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server 4-115 Console(config)#ip ssh timeout 100 4-116 Console(config)#ip ssh authentication-retries 5 4-116...
  • Page 126: Displaying 802.1X Global Settings

    Configuring the Switch TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet.
  • Page 127: Configuring 802.1X Global Settings

    User Authentication CLI – This example shows the default global setting for 802.1X. Console#show dot1x 4-129 Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is disabled on port 1/26 Console#...
  • Page 128: Configuring Port Settings For 802.1X

    Configuring the Switch Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
  • Page 129: Figure 3-51 802.1X Port Configuration

    User Authentication Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply. Figure 3-51 802.1X Port Configuration 3-83...
  • Page 130 Configuring the Switch CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see "show dot1x" on page 4-129. Console(config)#interface ethernet 1/2 4-167 Console(config-if)#dot1x port-control auto 4-124 Console(config-if)#dot1x re-authentication 4-126 Console(config-if)#dot1x max-req 5 4-124...
  • Page 131: Displaying 802.1X Statistics

    User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 132: Filtering Ip Addresses For Management Access

    Configuring the Switch CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-129 Eth 1/4 Rx: EAPOL EAPOL EAPOL EAPOL Start Logoff Invalid Total Resp/Id Resp/Oth LenError 1007 Last Last EAPOLVer EAPOLSrc 00-17-7C-94-34-DE Tx: EAPOL Total...
  • Page 133: Figure 3-53 Creating An Ip Filter List

    User Authentication Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-53 Creating an IP Filter List CLI –...
  • Page 134: General Security Measures

    Configuring the Switch General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 135: Configuring Port Security

    General Security Measures Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 136: Network Access ( Mac Address Authentication)

    Configuring the Switch Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-54 Configuring Port Security CLI –...
  • Page 137: Configuring The Mac Authentication Reauthentication Time

    General Security Measures • When enabled on a port interface, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated. On the RADIUS server, PAP username and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
  • Page 138: Configuring Mac Authentication For Ports

    Configuring the Switch Web – Click Security, Network Access, Configuration. Figure 3-55 Network Access Configuration CLI – This example sets and displays the reauthentication time. Console(config)#mac-authentication reauth-time 3000 4-140 Console(config)#exit Console#show network-access interface ethernet 1/1 4-142 Global secure port information Reauthentication Time : 1800 --------------------------------------------------...
  • Page 139: Displaying Secure Mac Address Information

    General Security Measures Web – Click Security, Network Access, Port Configuration. Set the maximum number of MAC addresses that can be authenticated on each port, and click Apply. Figure 3-56 Network Access Port Configuration CLI – This example configures MAC authentication for port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access max-mac-count 10 4-137...
  • Page 140: Figure 3-57 Network Access Mac Address Information

    Configuring the Switch • RADIUS Server – The IP address of the RADIUS server that authenticated the MAC address. • Time – The time when the MAC address was last authenticated. • Attribute – Indicates a static or dynamic address. •...
  • Page 141: Mac Authentication

    General Security Measures MAC Authentication Each port’s MAC authentication settings are configured independently. Configuring MAC Authentication Parameters for Ports Use the MAC Authentication Port Configuration page to designate MAC authentication maximum MAC counts and the intrusion action for each port. Command Attributes •...
  • Page 142: Access Control Lists

    Configuring the Switch Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 143: Figure 3-59 Selecting Acl Type

    General Security Measures Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 3-59 Selecting ACL Type CLI –...
  • Page 144: Configuring A Standard Ip Acl

    Configuring the Switch Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 145: Configuring An Extended Ip Acl

    General Security Measures Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
  • Page 146: Figure 3-61 Configuring Extended Ip Acls

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 147: Configuring A Mac Acl

    General Security Measures Configuring a MAC ACL Use this page to configure ACLs based on hardware addresses, packet format, and Ethernet type. Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host”...
  • Page 148: Figure 3-62 Configuring Mac Acls

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 149: Binding A Port To An Access Control List

    General Security Measures Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port. Command Usage •...
  • Page 150: Dhcp Snooping

    Configuring the Switch CLI – This example assigns an IP access list to port 1, and an IP access list to port 3. Console(config)#interface ethernet 1/1 4-167 Console(config-if)#ip access-group david in 4-160 Console(config-if)#exit Console(config)#interface ethernet 1/3 Console(config-if)#ip access-group david in Console(config-if)# DHCP Snooping The addresses assigned to DHCP clients on insecure ports can be carefully...
  • Page 151: Dhcp Snooping Configuration

    General Security Measures * If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. * If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled.
  • Page 152: Dhcp Snooping Vlan Configuration

    Configuring the Switch CLI – This example first enables DHCP Snooping, and then enables DHCP Snooping MAC-Address Verification. Console(config)#ip dhcp snooping 4-144 Console(config)#ip dhcp snooping verify mac-address 4-148 Console(config)# DHCP Snooping VLAN Configuration Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs.
  • Page 153: Dhcp Snooping Information Option Configuration

    General Security Measures DHCP Snooping Information Option Configuration DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 154: Dhcp Snooping Port Configuration

    Configuring the Switch Web – Click DHCP Snooping, Information Option Configuration. Figure 3-66 DHCP Snooping Information Option Configuration CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace Console(config)#ip dhcp snooping information option 4-148 Console(config)#ip dhcp snooping information policy replace 4-149 Console#show ip dhcp snooping 4-150...
  • Page 155: Dhcp Snooping Binding Information

    General Security Measures Web – Click DHCP Snooping, Port Configuration. Set any ports within the local network or firewall to trusted, and click Apply. Figure 3-67 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust 4-147...
  • Page 156: Ip Source Guard

    Configuring the Switch • IP Address Type – Indicates an IPv4 address type. • Lease Time (Seconds) – The time for which this IP address is leased to the client. Web – Click DHCP Snooping, DHCP Snooping Binding Information. Figure 3-68 DHCP Snooping Binding Information CLI –...
  • Page 157 General Security Measures Command Usage • Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, plus the source MAC address.
  • Page 158: Configuring Static Binding For Ip Source Guard

    Configuring the Switch Web – Click IP Source Guard, Port Configuration. Set the required filtering type for each port and click Apply. Figure 3-69 IP Source Guard Port Configuration CLI – This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets against the binding table Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip...
  • Page 159: Figure 3-70 Static Ip Source Guard Binding Configuration

    General Security Measures - If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding. Command Attributes •...
  • Page 160: Displaying Information For Dynamic Ip Source Guard Bindings

    Configuring the Switch Displaying Information for Dynamic IP Source Guard Bindings Use the Dynamic Information page to display the source-guard binding table for a selected interface. Command Attributes • Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address) •...
  • Page 161: Port Configuration

    • Flow Control Status – Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or None) • Autonegotiation – Shows if auto-negotiation is enabled or disabled. • Media Type – Media type used for the combo ports 45-48 (DG-GS1550). (Options: Copper-Forced, SFP-Forced, SFP-Preferred-Auto;...
  • Page 162 Configuring the Switch Configuration: • Name – Interface label. • Port admin – Shows if the interface is enabled or disabled (i.e., up or down). • Speed-duplex – Shows the current speed and duplex mode. (Auto, or fixed choice) • Capabilities – Specifies the capabilities to be advertised for a port during auto-negotiation.
  • Page 163: Configuring Interface Connections

    Port Configuration CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 4-175 Information of Eth 1/5 Basic Information: Port Type: 1000T Mac Address: 00-17-7C-12-31-24 Configuration: Name: Port Admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, 1000full Broadcast Storm: Enabled...
  • Page 164: Figure 3-73 Port/Trunk Configuration

    10half, 10full, 100half, 100full; 1000BASE-T – 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/ZX – 1000full) • Media Type – Media type used for the combo ports 45-48 (DG-GS1550). - Copper-Forced - Always uses the built-in RJ-45 port. - SFP-Forced - Always uses the SFP port (even if a module is not installed).
  • Page 165: Creating Trunk Groups

    • You can create up to 25 trunks on the DG-GS1550, with up to eight ports per trunk. • The ports at both ends of a connection must be configured as trunk ports.
  • Page 166: Statically Configuring A Trunk

    Configuring the Switch • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
  • Page 167: Enabling Lacp On Selected Ports

    Port Configuration CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-167 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-167 Console(config-if)#channel-group 2 4-181 Console(config-if)#exit Console(config)#interface ethernet 1/2...
  • Page 168: Figure 3-75 Lacp Trunk Configuration

    Configuring the Switch Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26/50) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
  • Page 169: Configuring Parameters For Lacp Group Members

    Port Configuration CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 4-167 Console(config-if)#lacp 4-182 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1 4-175...
  • Page 170: Figure 3-76 Lacp Port Configuration

    Configuring the Switch - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
  • Page 171: Displaying Lacp Port Counters

    Port Configuration CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-167 Console(config-if)#lacp actor system-priority 3 4-183 Console(config-if)#lacp actor admin-key 120 4-184 Console(config-if)#lacp actor port-priority 128 4-186 Console(config-if)#exit Console(config)#interface ethernet 1/4...
  • Page 172: Figure 3-77 Lacp - Port Counters Information

    Configuring the Switch Table 3-8 LACP Port Counters (Continued) Field Description Marker Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 173: Displaying Lacp Settings And Status For The Local Side

    Port Configuration Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
  • Page 174: Figure 3-78 Lacp - Port Internal Information

    Configuring the Switch Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-78 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-187 Port channel : 1...
  • Page 175: Displaying Lacp Settings And Status For The Remote Side

    Port Configuration Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
  • Page 176: Setting Broadcast Storm Thresholds

    Configuring the Switch CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-187 Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 3, 00-17-7C-CE-2A-20...
  • Page 177: Figure 3-80 Port Broadcast Control

    Port Configuration Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-80 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 packets per second for port 2.
  • Page 178: Setting Multicast Storm Thresholds

    Configuring the Switch Setting Multicast Storm Thresholds You can protect your network from excess multicast traffic by setting thresholds for each port. Any multicast packets exceeding the specified threshold will then be dropped. Command Usage • Multicast Storm Control is disabled by default. •...
  • Page 179: Setting Unknown Unicast Storm Thresholds

    Port Configuration CLI – Specify any interface, and then enter the threshold. The following example sets the multicast threshold at 600 packets per second for port 1. 4-167 Console(config)#interface ethernet 1/1 4-173 Console(config-if)#switchport multicast packet-rate 600 Console(config-if)# Setting Unknown Unicast Storm Thresholds You can protect your network from excess unknown unicast traffic by setting thresholds for each port.
  • Page 180: Configuring Local Port Mirroring

    Configuring the Switch Web – Click Configuration, Port, Port Unknown Unicast Control or Trunk Unknown Unicast Control. Check the Enabled box for any interface, set the threshold, and click Apply. Figure 3-82 Port Unknown Unicast Control CLI – Specify any interface, and then enter the threshold. The following example sets the unknown unicast threshold at 900 packets per second for port 1.
  • Page 181: Figure 3-83 Mirror Port Configuration

    Port Configuration • Target Port – The port that will mirror the traffic on the source port. (Range: 1-26/50) Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 3-83 Mirror Port Configuration CLI –...
  • Page 182: Configuring Remote Port Mirroring

    Configuring the Switch Configuring Remote Port Mirroring Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis at the destination port on a local switch. Traffic generated on specified source ports for each RSPAN session is carried over a user-specified RSPAN VLAN dedicated to that RSPAN session in all participating switches.
  • Page 183 Port Configuration 4. Set up the destination switch on the RSPAN Configuration page: a) Specify the mirror session, the switch’s role (Destination), the RSPAN VLAN, and the uplink ports. After specifying each uplink port, click Add to create an entry. b) Specify the mirror session, the destination port, and whether the traffic exiting this port will be tagged or untagged.
  • Page 184 Configuring the Switch • Switch Role – Specifies the role this switch performs in mirroring traffic. - Source - Specifies this device as the source of remotely mirrored traffic. - Intermediate - Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations.
  • Page 185: Figure 3-84 Rspan Configuration

    Port Configuration Web – Click Port, RSPAN Configuration. Configure the required settings for each switch participating in the RSPAN VLAN, then click Add. Figure 3-84 RSPAN Configuration CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffic type.
  • Page 186: Configuring Rate Limits

    Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 187: Showing Port Statistics

    Port Configuration Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
  • Page 188 Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 189 Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed to this multicast address.
  • Page 190: Figure 3-86 Port Statistics

    Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-86 Port Statistics 3-144...
  • Page 191 Port Configuration CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 4-176 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 17027...
  • Page 192: Address Table Settings

    Configuring the Switch Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 193: Displaying The Address Table

    Address Table Settings Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 194: Changing The Aging Time

    Configuring the Switch CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 4-201 Interface Mac Address Vlan Type --------- ----------------- ---- ----------------- Eth 1/ 1 00-17-7C-48-82-93 1 Delete-on-reset Eth 1/ 1 00-17-7C-94-34-DE 2 Learned Console# Changing the Aging Time...
  • Page 195: Spanning Tree Algorithm Configuration

    Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 196 Configuring the Switch MSTP – MSTP When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
  • Page 197: Displaying Global Settings For Sta

    Spanning Tree Algorithm Configuration Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI), the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs. MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree (CST).
  • Page 198 Configuring the Switch These additional parameters are only displayed for the CLI: • Spanning tree mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.1w) - MSTP: Multiple Spanning Tree (IEEE 802.1s) •...
  • Page 199: Figure 3-90 Displaying Spanning Tree Information

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Information. Figure 3-90 Displaying Spanning Tree Information CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-223 Spanning-tree information --------------------------------------------------------------- Spanning Tree Mode: RSTP Spanning Tree Enabled/Disabled: Enabled...
  • Page 200: Configuring Global Settings For Sta

    Configuring the Switch Configuring Global Settings for STA Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 201 Spanning Tree Algorithm Configuration • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 202 Configuring the Switch • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned.
  • Page 203: Figure 3-91 Configuring Spanning Tree

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-91 Configuring Spanning Tree 3-157...
  • Page 204: Displaying Interface Settings For Sta

    Configuring the Switch CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-204 Console(config)#spanning-tree mode mstp 4-204 Console(config)#spanning-tree priority 45056 4-208 Console(config)#spanning-tree hello-time 5 4-206 Console(config)#spanning-tree max-age 38 4-207 Console(config)#spanning-tree forward-time 20 4-206...
  • Page 205 Spanning Tree Algorithm Configuration • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
  • Page 206: Figure 3-92 Displaying Spanning Tree Port Information

    Configuring the Switch These additional parameters are only displayed for the CLI: • Admin Status – Shows if this interface is enabled. • External Admin Path Cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 207: Configuring Interface Settings For Sta

    Spanning Tree Algorithm Configuration CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-223 1/ 5 information -------------------------------------------------------------- Admin Status: Enabled Role: Root State: Forwarding Admin Path Cost: 100000 Oper Path Cost: 100000 Priority: Designated Cost: Designated Port: 128.13...
  • Page 208: Table 3-12 Recommended Sta Path Cost Range

    Configuring the Switch The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 209: Table 3-14 Default Sta Path Costs

    Spanning Tree Algorithm Configuration Table 3-14 Default STA Path Costs Port Type Link Type IEEE 802.1w-2001 Ethernet Half Duplex 2,000,000 Full Duplex 1,000,000 Trunk 500,000 Fast Ethernet Half Duplex 200,000 Full Duplex 100,000 Trunk 50,000 Gigabit Ethernet Full Duplex 10,000 Trunk 5,000 •...
  • Page 210: Figure 3-93 Configuring Spanning Tree Per Port

    Configuring the Switch Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-93 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-167 Console(config-if)#spanning-tree port-priority 0 4-215...
  • Page 211: Configuring Multiple Spanning Trees

    Spanning Tree Algorithm Configuration Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 212: Figure 3-94 Configuring Multiple Spanning Trees

    Configuring the Switch Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
  • Page 213 Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 4-223 Spanning-tree information --------------------------------------------------------------- Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: VLANs Configuration: Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.):...
  • Page 214: Displaying Interface Settings For Mstp

    Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes • MST Instance ID – Instance identifier to configure. (Default: 0) The other attributes are described under "Displaying Interface Settings for STA"...
  • Page 215 Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-223 Spanning Tree Information...
  • Page 216: Configuring Interface Settings For Mstp

    Configuring the Switch Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
  • Page 217: Vlan Configuration

    VLAN Configuration Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-96 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50...
  • Page 218: Assigning Ports To Vlans

    Configuring the Switch This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
  • Page 219 VLAN Configuration Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
  • Page 220: Enabling Or Disabling Gvrp (Global Setting)

    Configuring the Switch Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 221: Displaying Basic Vlan Information

    VLAN Configuration Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. •...
  • Page 222: Displaying Current Vlans

    Configuring the Switch Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
  • Page 223: Creating Vlans

    VLAN Configuration • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI –...
  • Page 224: Figure 3-100 Configuring A Vlan Static List

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-100 Configuring a VLAN Static List 3-178...
  • Page 225 VLAN Configuration CLI – This example creates a new VLAN. Console(config)#vlan database 4-230 Console(config-vlan)#vlan 2 name R&D media ethernet state active 4-231 Console(config-vlan)#end Console#show vlan Default VLAN ID : 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
  • Page 226: Adding Static Members To Vlans (Vlan Index)

    Configuring the Switch Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 227: Figure 3-101 Configuring A Vlan Static Table

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 228: Adding Static Members To Vlans (Port Index)

    Configuring the Switch Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 229: Configuring Vlan Behavior For Interfaces

    VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 230: Figure 3-103 Configuring Vlans Per Port

    Configuring the Switch • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
  • Page 231: Configuring Ieee 802.1Q Tunneling

    VLAN Configuration Configuring IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. This is accomplished by inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network.
  • Page 232 Configuring the Switch customer’s network. The packet is sent as a normal IEEE 802.1Q-tagged frame, preserving the original VLAN numbers used in the customer’s network. Layer 2 Flow for Packets Coming into a Tunnel Access Port A QinQ tunnel port may receive either tagged or untagged packets. No matter how many tags the incoming packet has, it is treated as a tagged packet.
  • Page 233 VLAN Configuration Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: • Untagged • One tag (CVLAN or SPVLAN) • Double tag (CVLAN + SPVLAN) The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
  • Page 234: Enabling Qinq Tunneling On The Switch

    Configuring the Switch • Static trunk port groups are compatible with QinQ tunnel ports as long as the QinQ configuration is consistent within a trunk port group. • The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration.
  • Page 235: Adding An Interface To A Qinq Tunnel

    VLAN Configuration incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port.
  • Page 236: Figure 3-105 Tunnel Port Configuration

    Configuring the Switch the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames (see "Displaying Basic VLAN Information" on page 3-175). Command Attributes Mode – Set the VLAN membership mode of the port. (Default: Normal) • None – The port operates in its normal VLAN mode. (This is the default.) •...
  • Page 237 VLAN Configuration CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode. Console(config)#interface ethernet 1/1 4-167 Console(config-if)#switchport dot1q-tunnel mode access 4-240 Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink...
  • Page 238: Traffic Segmentation

    Configuring the Switch Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Local traffic belonging to each client is isolated to the allocated downlink ports, and upstream traffic coming from the downlink ports can only be forwarded to, and from, uplink ports.
  • Page 239: Configuring Traffic Segmentation Uplinks And Downlinks

    VLAN Configuration CLI – This example enables traffic segmentation. Console(config)#pvlan 4-243 Console(config)#exit Console#show pvlan 4-244 Private VLAN status: Enabled Up-link Port: Down-link Port: Console# Configuring Traffic Segmentation Uplinks and Downlinks Use the Traffic Segmentation Session Configuration page to assign downlink and uplink ports.
  • Page 240: Private Vlans

    Configuring the Switch Private VLANs Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other hosts within the community VLAN and with any of the promiscuous ports in the associated primary VLAN.
  • Page 241: Configuring Private Vlans

    VLAN Configuration Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu. Figure 3-108 Private VLAN Information CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 242: Associating Vlans

    Configuring the Switch Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
  • Page 243: Displaying Private Vlan Interface Information

    VLAN Configuration CLI – This example associates community VLANs 6 and 7 with primary VLAN 5. Console(config)#vlan database 4-230 Console(config-vlan)#private-vlan 5 association 6 4-247 Console(config-vlan)#private-vlan 5 association 7 Console(config)# Displaying Private VLAN Interface Information Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
  • Page 244: Configuring Private Vlan Interfaces

    Configuring the Switch CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 245: Protocol Vlans

    VLAN Configuration Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
  • Page 246: Configuring Protocol Vlan Groups

    Configuring the Switch Command Usage To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 3-177). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2.
  • Page 247: Mapping Protocols To Vlans

    VLAN Configuration CLI – This example creates protocol group 1 for Ethernet frames using the IP protocol, and group 2 for Ethernet frames using the ARP protocol. Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip 4-251 Console(config)#protocol-vlan protocol-group 2 add frame-type ethernet protocol-type arp Console(config)# Mapping Protocols to VLANs Use the Protocol VLAN Port Configuration menu to map a Protocol VLAN Group to a...
  • Page 248: Figure 3-114 Protocol Vlan Port Configuration

    Configuring the Switch Web – Click VLAN, Protocol VLAN, Port Configuration. Figure 3-114 Protocol VLAN Port Configuration CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 2 to VLAN 2. Console(config)#interface ethernet 1/1 4-167 Console(config-if)#protocol-vlan protocol-group 3 vlan 2...
  • Page 249: Class Of Service Configuration

    Class of Service Configuration Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 250: Figure 3-115 Port Priority Configuration

    Configuring the Switch Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port.
  • Page 251: Mapping Cos Values To Egress Queues

    Class of Service Configuration Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 252: Figure 3-116 Traffic Classes

    Configuring the Switch Web – Click Priority, Traffic Classes. Select a port or trunk for the current mapping of CoS values to output queues to be displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-116 Traffic Classes CLI –...
  • Page 253: Selecting The Queue Mode

    Class of Service Configuration Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 254: Setting The Service Weight For Traffic Classes

    Configuring the Switch Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in "Mapping CoS Values to Egress Queues" on page 3-205, the traffic classes are mapped to one of the four egress queues provided for each port.
  • Page 255: Layer 3/4 Priority Settings

    Class of Service Configuration Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP/UDP port.
  • Page 256: Mapping Ip Precedence

    Configuring the Switch Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
  • Page 257: Mapping Dscp Priority

    Class of Service Configuration CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings. Console(config)#map ip precedence 4-289 Console(config)#interface ethernet 1/1 4-167 Console(config-if)#map ip precedence 1 cos 0...
  • Page 258: Figure 3-121 Mapping Ip Dscp Priority Values

    Configuring the Switch Command Attributes • DSCP Priority Table – Shows the DSCP Priority to CoS map. • Class of Service Value – Maps a CoS value to the selected DSCP Priority value. Note that “0” represents low priority and “7” represents high priority. Note: IP DSCP settings apply to all interfaces.
  • Page 259: Mapping Ip Port Priority

    Class of Service Configuration Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. Command Attributes •...
  • Page 260: Quality Of Service

    Configuring the Switch CLI* – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port. Console(config)#map ip port 4-288 Console(config)#interface ethernet 1/5 Console(config-if)#map ip port 80 cos 0...
  • Page 261: Configuring Quality Of Service Parameters

    Quality of Service Configuring Quality of Service Parameters To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the “Class Map” to designate a class name for a specific category of traffic. 2. Edit the rules for each class to specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 262 Configuring the Switch Class Configuration • Class Name – Name of the class map. (Range: 1-16 characters) • Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command. •...
  • Page 263: Figure 3-124 Configuring Class Maps

    Quality of Service Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-124 Configuring Class Maps CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
  • Page 264: Creating Qos Policies

    Configuring the Switch Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-215. - Open the Policy Map page, and click Add Policy.
  • Page 265 Quality of Service Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-215).
  • Page 266: Figure 3-125 Configuring Policy Maps

    Configuring the Switch Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-125 Configuring Policy Maps...
  • Page 267: Attaching A Policy Map To Ingress Queues

    Quality of Service CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0. Console(config)#policy-map rd_policy#3 4-299 Console(config-pmap)#class rd_class#3 4-299...
  • Page 268: Multicast Filtering

    Configuring the Switch CLI - This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/5 4-167 Console(config-if)#service-policy input rd_policy#3 4-302 Console(config-if)# Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client.
  • Page 269: Layer 2 Igmp (Snooping And Query)

    Multicast Filtering Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-224) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
  • Page 270: Configuring Igmp Snooping And Query Parameters

    Configuring the Switch Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-231). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
  • Page 271: Figure 3-127 Igmp Configuration

    Multicast Filtering Command Attributes • IGMP Status — When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is also referred to as IGMP Snooping. (Default: Enabled) • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
  • Page 272: Enabling Igmp Immediate Leave

    Configuring the Switch CLI – This example modifies the settings for multicast filtering, and then displays the current status. Console(config)#ip igmp snooping 4-306 Console(config)#ip igmp snooping querier 4-310 Console(config)#ip igmp snooping query-count 10 4-311 Console(config)#ip igmp snooping query-interval 100 4-312 Console(config)#ip igmp snooping query-max-response-time 20 4-312 Console(config)#ip igmp snooping router-port-expire-time 300...
  • Page 273: Figure 3-128 Igmp Immediate Leave

    Multicast Filtering Command Attributes • VLAN ID – ID of configured VLAN (1-4094). • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled) Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
  • Page 274: Displaying Interfaces Attached To A Multicast Router

    Configuring the Switch Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 275: Specifying Static Interfaces For A Multicast Router

    Multicast Filtering Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 276: Displaying Port Members Of Multicast Services

    Configuring the Switch Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attributes • VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094) •...
  • Page 277: Assigning Ports To Multicast Services

    Multicast Filtering Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in "Configuring IGMP Snooping and Query Parameters" on page 3-224. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
  • Page 278: Igmp Filtering And Throttling

    Configuring the Switch CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1. Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12 4-306 Console(config)#exit Console#show mac-address-table multicast vlan 1 4-309 VLAN M'cast IP addr.
  • Page 279: Configuring Igmp Filter Profiles

    Multicast Filtering Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile number by entering the number in text box and clicking Add. Enable the IGMP filter status, then click Apply. Figure 3-133 Enabling IGMP Filtering and Throttling CLI – This example enables IGMP filtering and creates a profile number, then displays the current status and the existing profile numbers.
  • Page 280: Figure 3-134 Igmp Profile Configuration

    Configuring the Switch • Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) • New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering a start and end IP address. Specify a single multicast group by entering the same IP address for the start and end of the range.
  • Page 281: Configuring Igmp Filtering And Throttling For Interfaces

    Multicast Filtering CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed. Console(config)#ip igmp profile 19 4-317 Console(config-igmp-profile)#permit 4-317...
  • Page 282: Figure 3-135 Igmp Filter And Throttling Port Configuration

    Configuring the Switch Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-135 IGMP Filter and Throttling Port Configuration CLI –...
  • Page 283: Multicast Vlan Registration

    Multicast Filtering Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers. This protocol can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.
  • Page 284: Configuring Global Mvr Settings

    Configuring the Switch Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
  • Page 285: Figure 3-136 Mvr Global Configuration

    Multicast Filtering Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 3-136 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
  • Page 286: Displaying Mvr Interface Status

    Configuring the Switch Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes • Type – Shows the MVR port type. • Oper Status – Shows the link status. • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
  • Page 287: Displaying Port Members Of Multicast Groups

    Multicast Filtering Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. • Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
  • Page 288: Configuring Mvr Interface Status

    Configuring the Switch Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
  • Page 289: Figure 3-139 Mvr Port Configuration

    Multicast Filtering - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.) •...
  • Page 290: Assigning Static Multicast Groups To Interfaces

    Configuring the Switch Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
  • Page 291: Configuring Domain Name Service

    Configuring Domain Name Service The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 292: Figure 3-141 Dns General Configuration

    Configuring the Switch Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-141 DNS General Configuration CLI - This example sets a default domain name and a domain list.
  • Page 293: Configuring Static Dns Host To Address Entries

    Configuring Domain Name Service Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
  • Page 294: Figure 3-142 Dns Static Host Table

    Configuring the Switch Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-142 DNS Static Host Table CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
  • Page 295: Displaying The Dns Cache

    Configuring Domain Name Service Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
  • Page 296: Switch Clustering

    Configuring the Switch Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 297: Figure 3-145 Cluster Configuration

    Switch Clustering • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 16.
  • Page 298: Cluster Member Configuration

    CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-00-00-12-34-56 id 1 4-69 Console(config)#exit Console#show cluster candidates 4-71 Cluster Candidates: Role Description --------------- ----------------- -------------------------------------- ACTIVE MEMBER 00-00-00-12-34-56 DIGISOL DG-GS1550 Console#...
  • Page 299: Displaying Information On Cluster Members

    Web – Click Cluster, Member Information. Figure 3-147 Cluster Member Information CLI – This example shows information about cluster Member switches. Console#show cluster members 4-71 Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-00-00-12-34-56 Description: DIGISOL DG-GS1550 Console#...
  • Page 300: Cluster Candidate Information

    • Description – The system description string of the Candidate switch. Web – Click Cluster, Candidate Information. Figure 3-148 Cluster Candidate Information CLI – This example shows information about cluster Candidate switches. Console#show cluster candidates 4-71 Cluster Candidates: Role Description --------------- ----------------- ---------------------------------------- ACTIVE MEMBER 00-00-00-12-34-56 DIGISOL DG-GS1550 Console#...
  • Page 301: Chapter 4: Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the DG-GS1550 is opened. To end the CLI session, enter [Exit]. Console#...
  • Page 302: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the DG-GS1550 is opened. To end the CLI session, enter [Exit]. Vty-0# Note: You can open up to four sessions to the device via Telnet.
  • Page 303: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 304: Showing Commands

    Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 305: Partial Keyword Lookup

    Entering Commands voice Shows the voice VLAN information Console#show The command “show interfaces ?” will display the following information: Console#show interfaces ? brief brief interface description counters Interface counters information protocol-vlan Protocol-VLAN information status Interface status information switchport Interface switchport information Console#show interfaces Show commands which display more than one page of information (e.g., show running-config) pause and require you to press the [Space] bar to continue...
  • Page 306: Understanding Command Modes

    “super” (page 4-88). To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the DG-GS1550 is opened. To end the CLI session, enter [Exit]. Console#...
  • Page 307: Configuration Commands

    Entering Commands Username: guest Password: [guest login password] CLI session with the DG-GS1550 is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings.
  • Page 308: Table 4-2 Configuration Modes

    Command Line Interface To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 4-2 Configuration Modes Mode Command Prompt Page Line line {console | vty} Console(config-line)# 4-42...
  • Page 309: Command Line Processing

    Entering Commands Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 310: Command Groups

    Command Line Interface Command Groups The system commands can be broken down into the functional groups shown below Table 4-4 Command Groups Command Group Description Page General Basic commands for entering privileged access mode, restarting the 4-11 system, or quitting the CLI System Management Display and setting of system information, basic modes of operation, 4-18...
  • Page 311: General Commands

    General Commands Table 4-4 Command Groups (Continued) Command Group Description Page Domain Name Service Configures DNS services 4-329 IP Interface Configures IP address for the switch 4-336 The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) CM (Class Map Configuration) GC (Global Configuration)
  • Page 312: Enable

    Command Line Interface enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See "Understanding Command Modes" on page 4-6. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 313: Configure

    General Commands Example Console#disable Console> Related Commands enable (4-12) configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 314: Reload (Privileged Exec)

    Command Line Interface The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
  • Page 315 General Commands • reload in - An interval after which to reload the switch. - hours - The number of hours, combined with the minutes, before the switch resets. (Range: 0-576) - minutes - The number of minutes, combined with the hours, before the switch resets.
  • Page 316: Show Reload

    Command Line Interface show reload This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 317: Exit

    General Commands exit This command returns to the previous configuration mode or exits the configuration program. Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 318: System Management Commands

    Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-6 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4-18 Banner Information...
  • Page 319: Banner Information Commands

    System Management Commands Example Console(config)#hostname RD#1 Console(config)# Banner Information Commands These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager.
  • Page 320: Banner Configure

    Command Line Interface banner configure This command is used to interactively specify administrative information for this device. Syntax banner configure Default Setting None Command Mode Global Configuration Command Usage The administrator can batch-input all details for the switch with one command. When the administrator finishes typing the company name and presses the enter key, the script prompts for the next piece of information, and so on, until all information has been entered.
  • Page 321: Banner Configure Company

    ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure company DIGISOL Console(config)# banner configure dc-power-info This command is used to configure DC power information displayed in the banner.
  • Page 322: Banner Configure Department

    Command Line Interface Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure dc-power-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 323: Banner Configure Equipment-Info

    ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure equipment-info manufacturer-id DG-GS1550 floor 3 row 10 rack 15 shelf-rack 12 manufacturer DIGISOL Console(config)# banner configure equipment-location This command is used to configure the equipment location information displayed in the banner.
  • Page 324: Banner Configure Ip-Lan

    Command Line Interface Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure equipment-location command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure equipment-location India Console(config)#...
  • Page 325: Banner Configure Lp-Number

    System Management Commands banner configure lp-number This command is used to configure the LP number information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure lp-number lp-num no banner configure lp-number lp-num - The LP number. (Maximum length: 32 characters) Default Setting None Command Mode...
  • Page 326: Banner Configure Mux

    Command Line Interface Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure manager-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 327: Banner Configure Note

    System Management Commands banner configure note This command is used to configure the note displayed in the banner. Use the no form to restore the default setting. Syntax banner configure note note-info no banner configure note note-info - Miscellaneous information that does not fit the other banner categories, or any other information of importance to users of the switch CLI.
  • Page 328: System Status Commands

    Steve - 123-555-9876 Lamar - 123-555-3322 Station's information: 710_Network_Path,Indianapolis DIGISOL - DG-GS1550 Floor / Row / Rack / Sub-Rack 7 / 10 / 15 / 6 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3 / 15 / 24 / 48V-id_3.15.24.2...
  • Page 329 System Management Commands Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes. Each mode group is separated by “!”...
  • Page 330: Show Running-Config

    Command Line Interface vlan database VLAN 1 name DefaultVlan media ethernet state active VLAN 4093 media ethernet state active spanning-tree MST configuration interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 interface vlan 1 IP address DHCP line console line vty Console#...
  • Page 331 System Management Commands - Interface settings - IP address configured for the switch - Any configured settings for the console port and Telnet Example Console#show running-config building startup-config, please wait..!<stackingDB>00</stackingDB> !<stackingMac>01_00-17-7c-12-31-23_01</stackingMac> phymap 00-17-7c-12-31-23 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 clock timezone-predefined GMT-Greenwich-Mean-Time:Dublin,Edinburgh,Lisbon,London SNMP-server community private rw SNMP-server community public ro...
  • Page 332: Show System

    • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example Console#show system System Description: DG-GS1550 System OID String: 1.3.6.1.4.1.36293.1.1.1.15 System Information System Up Time: 0 days, 0 hours, 44 minutes, and 29.51 seconds...
  • Page 333: Show Version

    System Management Commands Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console admin 0:14:14 VTY 0 admin 0:00:00 192.168.1.19 SSH 1 steve...
  • Page 334: Frame Size Commands

    Command Line Interface Frame Size Commands Table 4-10 Frame Size Commands Command Function Mode Page jumbo frame Enables support for jumbo frames 4-34 jumbo frame This command enables support for jumbo frames. Use the no form to disable it. Syntax [no] jumbo frame Default Setting Disabled...
  • Page 335: File Management Commands

    System Management Commands File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from a TFTP server. By saving run-time code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 336: Copy

    Command Line Interface copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 337 System Management Commands • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate"...
  • Page 338 Command Line Interface The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 339: Delete

    System Management Commands delete This command deletes a file or image. Syntax delete filename filename - Name of the configuration file or image name. Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted. •...
  • Page 340: Whichboot

    Command Line Interface
    • File information is shown below:
    Table 4-12 File Directory Information
    Column Heading   Description
    File name        The name of the file.
    File type        File types: Boot-Rom, Operation Code, and Config file.
    Startup          Shows if this file is used when the system is started.
    Size             The length of the file in bytes.
  • Page 341: Boot System

    System Management Commands boot system This command specifies the image used to start up the system. Syntax boot system {boot-rom | config | opcode}: filename The type of file or image to set as a default includes: • boot-rom* - Boot ROM. •...
  • Page 342: Line Commands

    Command Line Interface Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 4-13 Line Commands Command Function...
  • Page 343: Login

    System Management Commands Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 344: Password

    Command Line Interface • This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers. Example Console(config-line)#login local Console(config-line)# Related Commands username (4-87) password (4-44) password...
  • Page 345: Timeout Login Response

    System Management Commands timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
  • Page 346: Password-Thresh

    Command Line Interface Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. •...
  • Page 347: Silent-Time

    System Management Commands Related Commands silent-time (4-47) timeout login response (4-13) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 348: Parity

    Command Line Interface Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 349: Speed

    System Management Commands speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps, or auto) Default Setting auto...
  • Page 350: Disconnect

    Command Line Interface Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage...
  • Page 351: Event Logging Commands

    System Management Commands
    Example
    To show all lines, enter this command:
    Console#show line
    Console Configuration:
      Password Threshold: 3 times
      Interactive Timeout: 600 sec
      Login Timeout: Disabled
      Silent Time: Disabled
      Baudrate: auto
      Databits:
      Parity: None
      Stopbits:
    VTY Configuration:
      Password Threshold: 3 times
      Interactive Timeout: 600 sec
      Login Timeout: 300 sec
    console#...
  • Page 352: Logging On

    Command Line Interface logging on This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process. Syntax [no] logging on Default Setting None Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers.
  • Page 353: Logging History

    System Management Commands logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 354: Logging Host

    Command Line Interface logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 355: Logging Trap

    System Management Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 356: Show Logging

    Command Line Interface Related Commands show logging (4-56) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
  • Page 357: Show Log

    System Management Commands
    The following example displays settings for the trap function.
    Console#show logging trap
    Syslog logging: Enable
    REMOTELOG Status: disable
    REMOTELOG Facility Type: local use 7
    REMOTELOG Level Type: Debugging messages
    REMOTELOG Server IP Address: 1.2.3.4
    REMOTELOG Server IP Address: 0.0.0.0
    REMOTELOG Server IP Address: 0.0.0.0
    REMOTELOG Server IP Address: 0.0.0.0
    REMOTELOG Server IP Address: 0.0.0.0...
  • Page 358: Smtp Alert Commands

    Command Line Interface Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [3] 00:00:54 2001-01-01 "STA root change notification."...
  • Page 359: Logging Sendmail Level

    System Management Commands Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
  • Page 360: Logging Sendmail Source-Email

    Command Line Interface logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages. (Range: 0-41 characters) Default Setting None...
  • Page 361: Logging Sendmail

    System Management Commands logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
  • Page 362: Time Commands

    Command Line Interface Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 363: Sntp Server

    System Management Commands
    Example
    Console(config)#sntp server 10.1.0.19
    Console(config)#sntp poll 60
    Console(config)#sntp client
    Console(config)#end
    Console#show sntp
    Current time: Dec 23 02:52:44 2002
    Poll interval: 60
    Current mode: unicast
    SNTP status: Enabled
    SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0
    Current server: 10.1.0.19
    Console#
    Related Commands
    sntp server (4-63)
    sntp poll (4-64)
    show sntp (4-64)
  • Page 364: Sntp Poll

    Command Line Interface sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
  • Page 365: Clock Timezone

    System Management Commands clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-12 hours before; 0-13 hours after) •...
  • Page 366: Calendar Set

    Command Line Interface calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 367: Switch Cluster Commands

    System Management Commands Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 368: Cluster Commander

    Command Line Interface Command Mode Global Configuration Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
  • Page 369: Cluster Ip-Pool

    System Management Commands cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 370: Rcommand

    • There is no need to enter the username and password for access to the Member switch CLI. Example Vty-0#rcommand id 1 CLI session with the DG-GS1550 is opened. To end the CLI session, enter [Exit]. Vty-0# show cluster This command shows the switch clustering configuration.
  • Page 371: Show Cluster Members

    Console#show cluster members Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-17-7c-23-49-c0 Description: DIGISOL 10/100/1000 SPORT MANAGE Console# show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example Console#show cluster candidates...
  • Page 372: Snmp Commands

    Command Line Interface SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 373: Snmp-Server

    SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications.
  • Page 374: Snmp-Server Community

    Command Line Interface
    Example
    Console#show snmp
    SNMP Agent: enabled
    SNMP traps:
      Authentication: enable
      Link-up-down: enable
    SNMP communities:
      1. private, and the privilege is read-write
      2. public, and the privilege is read-only
    0 SNMP packets input
      0 Bad SNMP version errors
      0 Unknown community name
      0 Illegal operation for community name supplied
      0 Encoding errors...
  • Page 375: Snmp-Server Contact

    SNMP Commands Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string String that describes system...
  • Page 376: Snmp-Server Host

    Command Line Interface Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-75) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}] no snmp-server host host-addr •...
  • Page 377 SNMP Commands Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
  • Page 378: Snmp-Server Enable Traps

    Command Line Interface exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the “noauth” option, an SNMP user account will be generated, and the switch will authorize SNMP access for the host. Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)#...
  • Page 379: Snmp-Server Engine-Id

    SNMP Commands Related Commands snmp-server host (4-76) snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} •...
  • Page 380: Show Snmp Engine-Id

    Command Line Interface
    Related Commands
    snmp-server host (4-76)
    show snmp engine-id
    This command shows the SNMP engine ID.
    Command Mode
    Privileged Exec
    Example
    This example shows the default engine ID.
    Console#show snmp engine-id
    Local SNMP EngineID: 8000002a8000000000e8666672
    Local SNMP Engine Boots: 1
    Remote SNMP EngineID IP Address
    80000000030004e2b316c54321...
  • Page 381: Show Snmp View

    SNMP Commands Command Usage • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. • The predefined view “defaultview” includes access to the entire MIB tree. Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr.
  • Page 382: Snmp-Server Group

    Command Line Interface snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
  • Page 383: Show Snmp Group

    SNMP Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
  • Page 384: Snmp-Server User

    Command Line Interface
    Table 4-24 show snmp group - display description
    Field            Description
    Group Name       Name of an SNMP group.
    Security Model   The SNMP version.
    Read View        The associated read view.
    Write View       The associated write view.
    Notify View      The associated notify view.
    Storage Type     The storage type for this entry.
  • Page 385: Show Snmp User

    SNMP Commands Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-79) to specify the engine ID for the remote device where the user resides.
  • Page 386: Authentication Commands

    Command Line Interface
    Table 4-25 show snmp user - display description
    Field                     Description
    EngineId                  String identifying the engine ID.
    User Name                 Name of user connecting to the SNMP agent.
    Authentication Protocol   The authentication protocol used with SNMPv3.
    Privacy Protocol          The privacy protocol used with SNMPv3.
    Storage Type              The storage type for this entry.
  • Page 387: User Account And Privilege Level Commands

    Authentication Commands User Account and Privilege Level Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-42), user authentication via a remote authentication server (page 4-86), and host access authentication for specific ports (page 4-122).
  • Page 388: Enable Password

    Command Line Interface Command Mode Global Configuration Command Usage • Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Level 15 provides full access to all commands. •...
  • Page 389: Privilege

    Authentication Commands Example Console(config)#enable password level 15 0 admin Console(config)# Related Commands enable (4-12) authentication enable (4-92) privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command...
  • Page 390: Show Privilege

    Command Line Interface Command Usage Due to system limitations in the current software, privilege commands (page 4-89) entered during the current switch session will not be stored properly in the running-config file (see show running-config on page 4-30). The privilege rerun command must therefore be used to correctly update these commands to the running-config file.
  • Page 391: Authentication Sequence

    Authentication Commands Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 4-29 Authentication Sequence Command Function Mode Page...
  • Page 392: Authentication Enable

    Command Line Interface Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-87) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-12).
  • Page 393: Radius Client

    Authentication Commands RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 394: Radius-Server Port

    Command Line Interface Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port-number no radius-server port port-number - RADIUS server UDP port used for authentication messages.
  • Page 395: Radius-Server Retransmit

    Authentication Commands radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) Default Setting Command Mode Global Configuration...
  • Page 396: Tacacs+ Client

    Command Line Interface Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings Communication Key with RADIUS Server: Auth-Port: 1812 Retransmit Times: Request Timeout: Sever 1: Server IP Address: 192.168.1.1 Communication Key with RADIUS Server: Auth-Port: 1812 Retransmit Times: Request Timeout: Radius server group: Group Name Member Index...
  • Page 397: Tacacs-Server Host

    Authentication Commands tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host host-ip-address [port port-number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
  • Page 398: Tacacs-Server Key

    Command Line Interface Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key-string no tacacs-server key key-string - Encryption key used to authenticate logon access for the client.
  • Page 399: Tacacs-Server Timeout

    Authentication Commands tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 400: Aaa Commands

    Command Line Interface AAA Commands The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-32 AAA Commands Command Function Mode...
  • Page 401: Server

    Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} • index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) •...
  • Page 402: Aaa Accounting Dot1X

    Command Line Interface aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ | server-group} no aaa accounting dot1x {default | method-name} •...
  • Page 403: Aaa Accounting Exec

    Authentication Commands aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group} no aaa accounting exec {default | method-name} •...
  • Page 404: Aaa Accounting Commands

    Command Line Interface aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group} no aaa accounting commands level {default | method-name} •...
  • Page 405: Aaa Accounting Update

    Authentication Commands aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes) Default Setting 1 minute...
  • Page 406: Accounting Exec

    Command Line Interface Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec •...
  • Page 407: Aaa Authorization Exec

    Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name}...
  • Page 408: Authorization Exec

    Command Line Interface authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec • default - Specifies the default method list created with the aaa authorization exec command (page 4-107).
  • Page 409: Web Server Commands

    Authentication Commands
    Command Mode
    Privileged Exec
    Example
    Console#show accounting
    Accounting type: dot1x
      Method list: default
      Group list: radius
      Interface:
      Method list: tps
      Group list: radius
      Interface: eth 1/2
    Accounting type: Exec
      Method list: default
      Group list: radius
      Interface: vty
    Console#
    Web Server Commands
    This section describes commands used to configure web browser management access to the switch.
  • Page 410: Ip Http Server

    Command Line Interface Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-110) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled...
  • Page 411: Ip Http Secure-Port

    Authentication Commands • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
  • Page 412: Telnet Server Commands

    Command Line Interface Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000...
  • Page 413: Secure Shell Commands

    Authentication Commands Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0.
  • Page 414 Command Line Interface Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example: 10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206...
  • Page 415: Ip Ssh Server

    Authentication Commands d) The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. e) The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
  • Page 416: Ip Ssh Timeout

    Command Line Interface Related Commands ip ssh crypto host-key generate (4-118) show ssh (4-120) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds –...
  • Page 417: Ip Ssh Server-Key Size

    Authentication Commands Command Mode Global Configuration Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (4-119) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size –...
  • Page 418: Ip Ssh Crypto Host-Key Generate

    Command Line Interface Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. •...
  • Page 419 Authentication Commands Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. •...
  • Page 420: Show Ssh

    Command Line Interface Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username...
  • Page 421: Show Public-Key

    Authentication Commands show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 422: 802.1X Port Authentication

    Command Line Interface 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 423: Dot1X Eapol-Pass-Through

    Authentication Commands Example Console(config)#dot1x system-auth-control Console(config)# dot1x eapol-pass-through This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default. Syntax [no] dot1x eapol-pass-through Default Setting Discards all EAPOL frames when dot1x is globally disabled Command Mode Global Configuration...
  • Page 424: Dot1X Max-Req

    Command Line Interface dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default. Syntax dot1x max-req count no dot1x max-req...
  • Page 425: Dot1X Operation-Mode

    Authentication Commands dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 426: Dot1X Re-Authentication

    Command Line Interface Command Mode Privileged Exec Command Usage The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
  • Page 427: Dot1X Timeout Quiet-Period

    Authentication Commands dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of seconds.
  • Page 428: Dot1X Timeout Tx-Period

    Command Line Interface dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
  • Page 429: Dot1X Intrusion-Action

    Authentication Commands Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout supp-timeout 300 Console(config-if)# dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
  • Page 430 Command Line Interface Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface, including the following items: - Status –...
  • Page 431 Authentication Commands • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initialize). - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 432: Management Ip Filter Commands

    Command Line Interface Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 4-39 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-132 show management Displays the switch to be monitored or configured from a 4-133...
  • Page 433: Show Management

    Authentication Commands Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
  • Page 434: General Security Measures

    Command Line Interface General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 435: Port Security Commands

    General Security Measures Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 436 Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 437: Network Access (Mac Address Authentication)

    General Security Measures Network Access (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 438: Network-Access Mode

    Command Line Interface Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 439: Network-Access Dynamic-Qos

    General Security Measures indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.” Example Console(config-if)#network-access mode mac-authentication Console(config-if)# network-access dynamic-qos Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.
  • Page 440: Network-Access Guest-Vlan

    Command Line Interface Example The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# network-access guest-vlan Use this command to assign all traffic on a port to a guest VLAN when network access (MAC authentication) or 802.1X authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
  • Page 441: Mac-Authentication Intrusion-Action

    General Security Measures Default Setting 1800 Command Mode Global Configuration Command Usage • The reauthentication time is a global setting and applies to all ports. • When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.
  • Page 442: Show Network-Access

    Command Line Interface Command Mode Interface Configuration Example Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)# show network-access Use this command to display the MAC authentication settings for port interfaces. Syntax show network-access [interface interface] interface - Specifies a port interface. ethernet unit/port • unit - Stack unit. (Range: 1) •...
  • Page 443: Show Network-Access Mac-Address-Table

    General Security Measures show network-access mac-address-table Use this command to display secure MAC address table entries. Syntax show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}] • static - Specifies static address entries. • dynamic - Specifies dynamic address entries. •...
  • Page 444: Dhcp Snooping Commands

    Command Line Interface DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
  • Page 445 General Security Measures MAC address, IP address, lease time, VLAN identifier, and port identifier. • When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
  • Page 446: Ip Dhcp Snooping Vlan

    Command Line Interface Related Commands ip dhcp snooping vlan (4-146) ip dhcp snooping trust (4-147) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping vlan vlan-id vlan-id - ID of a configured VLAN (Range: 1-4094) Default Setting Disabled...
  • Page 447: Ip Dhcp Snooping Trust

    General Security Measures ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 448: Ip Dhcp Snooping Verify Mac-Address

    Command Line Interface ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function. Syntax [no] ip dhcp snooping verify mac-address Default Setting Enabled Command Mode...
  • Page 449: Ip Dhcp Snooping Information Policy

    General Security Measures • When the DHCP Snooping Information Option is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server, by the switch port to which they are connected rather than just their MAC address.
  • Page 450: Show Ip Dhcp Snooping

    Command Line Interface show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping Information Option Status: disable DHCP Snooping Information Policy: replace DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable Interface...
  • Page 451: Ip Source Guard Commands

    General Security Measures IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping Commands"...
  • Page 452 Command Line Interface • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 453: Ip Source-Guard Binding

    General Security Measures ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id •...
  • Page 454: Show Ip Source-Guard

    Command Line Interface Related Commands ip source-guard (4-151) ip dhcp snooping (4-144) ip dhcp snooping vlan (4-146) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type ---------...
  • Page 455: Access Control List Commands

    Access Control List Commands Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
  • Page 456: Access-List Ip

    Command Line Interface access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name • standard – Specifies an ACL that filters packets based on the source IP address.
  • Page 457: Permit, Deny (Standard Acl)

    Access Control List Commands permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 458: Permit, Deny (Extended Acl)

    Command Line Interface permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, or source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 459 Access Control List Commands Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 460: Show Ip Access-List

    Command Line Interface Related Commands access-list ip (4-156) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl-name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. •...
  • Page 461: Show Ip Access-Group

    Access Control List Commands Example Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (4-160) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Related Commands...
  • Page 462: Access-List Mac

    Command Line Interface access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl-name acl-name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
  • Page 463 Access Control List Commands [no] {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]] [no] {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [no] {permit | deny} untagged-802.3 {any | host source | source address-bitmask}...
  • Page 464: Mac Access-Group

    Command Line Interface Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-17-7c-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (4-162) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl-name] acl-name –...
  • Page 465: Show Mac Access-Group

    Access Control List Commands Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Related Commands show mac access-list (4-164) show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# Related Commands...
  • Page 466: Acl Information

    Command Line Interface ACL Information Table 4-49 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-166 show access-group Shows the ACLs assigned to each port 4-166 show access-list This command shows all ACLs and associated rules. Command Mode Privileged Exec Example...
  • Page 467: Interface Commands

    Interface Commands Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-50 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 4-167 mode description Adds a description to an interface configuration...
  • Page 468: Description

    Command Line Interface Default Setting None Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description...
  • Page 469: Speed-Duplex

    Interface Commands speed-duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default. Syntax speed-duplex {1000full | 100full | 100half | 10full | 10half} no speed-duplex •...
  • Page 470: Negotiation

    Command Line Interface negotiation This command enables autonegotiation for a given interface. Use the no form to disable autonegotiation. Syntax [no] negotiation Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
  • Page 471: Flowcontrol

    Interface Commands • symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.) Default Setting •...
  • Page 472: Media-Type

    Related Commands negotiation (4-170) capabilities (flowcontrol, symmetric) (4-170) media-type This command forces the port type selected for combination ports 45-48 (DG-GS1550). Use the no form to restore the default mode. Syntax media-type mode no media-type mode • copper-forced - Always uses the built-in RJ-45 port.
  • Page 473: Shutdown

    Interface Commands Default Setting sfp-preferred-auto Command Mode Interface Configuration (Ethernet - Ports 21-24/45-48) Example This forces the switch to use the built-in RJ-45 port for the combination port 21. Console(config)#interface ethernet 1/21 Console(config-if)#media-type copper-forced Console(config-if)# shutdown This command disables an interface. To restart a disabled interface, use the no form.
  • Page 474: Clear Counters

    Command Line Interface • rate - Threshold level as a rate; i.e., kilobits per second. (Range: 500-262143) Default Setting Broadcast Storm Control: Enabled, packet-rate limit: 500 pps Multicast Storm Control: Disabled Unknown Unicast Storm Control: Disabled Command Mode Interface Configuration (Ethernet) Command Usage When traffic exceeds the threshold specified for broadcast, multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the...
  • Page 475: Show Interfaces Brief

    Interface Commands Example The following example clears statistics on port 5. Console#clear counters ethernet 1/5 Console# show interfaces brief This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports. Command Mode Privileged Exec Example...
  • Page 476: Show Interfaces Counters

    Command Line Interface Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Displaying Connection Status" on page 3-115. Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port Type: 1000T...
  • Page 477: Show Interfaces Switchport

    Interface Commands Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port Statistics" on page 3-141. Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550...
  • Page 478 Command Line Interface Default Setting Shows all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast Threshold: Enabled, 500 packets/second Multicast Threshold:...
  • Page 479: Table 4-51 Interfaces Switchport Statistics

    Interface Commands Table 4-51 Interfaces Switchport Statistics Field Description Acceptable Frame Type Shows if acceptable VLAN frames include all types or tagged frames only (page 4-234). Native VLAN Indicates the default Port VLAN ID (page 4-235). Priority for untagged traffic Indicates the default priority for untagged frames (page 4-282). GVRP Status Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-228).
  • Page 480: Link Aggregation Commands

    Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 25 on the DG-GS1550. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.
  • Page 481: Channel-Group

    Link Aggregation Commands Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface). •...
  • Page 482: Lacp

    Command Line Interface lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
  • Page 483: Lacp System-Priority

    Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 484: Lacp Admin-Key (Ethernet Interface)

    Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 485: Lacp Admin-Key (Port Channel)

    Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 486: Lacp Port-Priority

    Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 487: Show Lacp

    Link Aggregation Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} • port-channel - Local identifier for a link aggregation group. (Range: 1-32) • counters - Statistics for LACP protocol messages. •...
  • Page 488: Table 4-54 Show Lacp Internal - Display Description

    Command Line Interface Console#show lacp 1 internal Port channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP-activity Oper State : distributing, collecting, synchronization, aggregation,...
  • Page 489: Show Lacp Neighbors - Display Description

    Link Aggregation Commands Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
  • Page 490: Show Lacp Sysid - Display Description

    Command Line Interface Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-17-7C-8F-2C-A7 32768 00-17-7C-8F-2C-A7 32768 00-17-7C-8F-2C-A7 32768 00-17-7C-8F-2C-A7 Console# Table 4-56 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group.
  • Page 491: Mirror Port Commands

    Mirror Port Commands Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-57 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 4-191 show port monitor Shows the configuration for a mirror port 4-192 port monitor...
  • Page 492: Show Port Monitor

    Command Line Interface Example The following example configures the switch to mirror received packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
  • Page 493: Rspan Mirroring Commands

    RSPAN Mirroring Commands RSPAN Mirroring Commands Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port. Table 4-58 RSPAN Commands Command Function Mode Page vlan rspan Creates a VLAN dedicated to carrying RSPAN traffic 4-231 rspan source Specifies the source port and traffic type to be mirrored...
  • Page 494: Rspan Source

    Command Line Interface has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports. • IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured.
  • Page 495: Rspan Destination

    RSPAN Mirroring Commands • The source port and destination port cannot be configured on the same switch. Example The following example configures the switch to mirror received packets from port 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination...
  • Page 496: Rspan Remote Vlan

    Command Line Interface Example The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/2 Console(config)# rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.
  • Page 497: No Rspan Session

    RSPAN Mirroring Commands switchport allowed vlan command (page 4-236). Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command (page 4-238) will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. Example The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:...
  • Page 498: Rate Limit Commands

    Command Mode
    Privileged Exec
    Example
    Console#show rspan session
    RSPAN Session ID
    Source Ports (mirrored ports) : None
    RX Only : None
    TX Only : None
    BOTH : None
    Destination Port (monitor port) : Eth 1/2
    Destination Tagged Mode : Untagged
    Switch Role : Destination...
  • Page 499: Address Table Commands

    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Example
    Console(config)#interface ethernet 1/1
    Console(config-if)#rate-limit input 1000
    Console(config-if)#
    Address Table Commands
    These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
    Table 4-60 Address Table Commands
    Command...
  • Page 500: Clear Mac-Address-Table Dynamic

    Default Setting
    No static addresses are defined. The default mode is permanent.
    Command Mode
    Global Configuration
    Command Usage
    The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
  • Page 501: Show Mac-Address-Table

    show mac-address-table
    This command shows classes of entries in the bridge-forwarding database.
    Syntax
    show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
    • mac-address - MAC address.
    • mask - Bits to match in the address.
    •...
  • Page 502: Mac-Address-Table Aging-Time

    mac-address-table aging-time
    This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
    Syntax
    mac-address-table aging-time seconds
    no mac-address-table aging-time
    seconds - Aging time. (Range: 10-30000 seconds; 0 to disable aging)
    Default Setting
    300 seconds
    Command Mode...
  • Page 503: Spanning Tree Commands

    Spanning Tree Commands
    This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
    Table 4-61 Spanning Tree Commands
    Command | Function | Mode | Page
    spanning-tree | Enables the spanning tree protocol | | 4-204
    spanning-tree mode...
  • Page 504: Spanning-Tree

    Table 4-61 Spanning Tree Commands (Continued)
    Command | Function | Mode | Page
    spanning-tree protocol-migration | Re-checks the appropriate BPDU format | | 4-223
    show spanning-tree | Shows spanning tree configuration for the common spanning tree (i.e., overall bridge), a selected interface, or an instance within the multiple spanning tree | | 4-223
    show spanning-tree mst Shows the multiple spanning tree configuration...
  • Page 505

    Default Setting
    rstp
    Command Mode
    Global Configuration
    Command Usage
    • Spanning Tree Protocol
    Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
    - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 506: Spanning-Tree Forward-Time

    spanning-tree forward-time
    This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
    Syntax
    spanning-tree forward-time seconds
    no spanning-tree forward-time
    seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 507: Spanning-Tree Max-Age

    Example
    Console(config)#spanning-tree hello-time 5
    Console(config)#
    Related Commands
    spanning-tree forward-time (4-206)
    spanning-tree max-age (4-207)
    spanning-tree max-age
    This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
    Syntax
    spanning-tree max-age seconds
    no spanning-tree max-age
    seconds - Time in seconds.
  • Page 508: Spanning-Tree Priority

    spanning-tree priority
    This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
    Syntax
    spanning-tree priority priority
    no spanning-tree priority
    priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
  • Page 509: Spanning-Tree Transmission-Limit

    Command Usage
    • The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 4-214) takes precedence over port priority (page 4-215).
  • Page 510: Mst Vlan

    Related Commands
    mst vlan (4-210)
    mst priority (4-211)
    name (4-211)
    revision (4-212)
    max-hops (4-212)
    mst vlan
    This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
  • Page 511: Mst Priority

    mst priority
    This command configures the priority of a spanning tree instance. Use the no form to restore the default.
    Syntax
    mst instance_id priority priority
    no mst instance_id priority
    • instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
    •...
  • Page 512: Revision

    Command Usage
    The MST region name and revision number (page 4-212) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 513: Spanning-Tree Spanning-Disabled

    Default Setting
    Command Mode
    MST Configuration
    Command Usage
    An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 514: Spanning-Tree Cost

    spanning-tree cost
    This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
    Syntax
    spanning-tree cost cost
    no spanning-tree cost
    cost - The path cost for the port. (Range: 1-200,000,000) (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)
    Table 4-62 Recommended STA Path Cost Range...
  • Page 515: Spanning-Tree Port-Priority

    Default Setting
    By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 516: Spanning-Tree Edge-Port

    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 517: Spanning-Tree Portfast

    edge delay time expires without receiving any RSTP or MSTP BPDUs. Note that edge delay time (802.1D-2004 17.20.4) equals the protocol migration time if a port's link type is point-to-point; otherwise it equals the spanning-tree’s maximum age (page 4-207).
    An interface cannot function as an edge port under the following conditions:
    - If spanning tree mode is set to STP (page 4-204), edge-port mode can be manually enabled or set to auto, but will have no effect.
  • Page 518: Spanning-Tree Link-Type

    • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time. Fast forwarding can achieve quicker convergence for end-node workstations and servers, and also overcome other STA related timeout problems.
  • Page 519: Spanning-Tree Loopback-Detection

    Example
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree link-type point-to-point
    Console(config-if)#
    spanning-tree loopback-detection
    This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
    Syntax
    spanning-tree loopback-detection
    no spanning-tree loopback-detection
    Default Setting
    Enabled...
  • Page 520: Spanning-Tree Loopback-Detection Trap

    Command Usage
    • If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied:
    - The port receives any other BPDU except for its own, or;
    - The port’s link status changes to link down and then link up again, or;...
  • Page 521: Spanning-Tree Mst Cost

    spanning-tree mst cost
    This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
    Syntax
    spanning-tree mst instance_id cost cost
    no spanning-tree mst instance_id cost
    •...
  • Page 522: Spanning-Tree Mst Port-Priority

    Related Commands
    spanning-tree mst port-priority (4-222)
    spanning-tree mst port-priority
    This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
    Syntax
    spanning-tree mst instance_id port-priority priority
    no spanning-tree mst instance_id port-priority
    •...
  • Page 523: Spanning-Tree Protocol-Migration

    spanning-tree protocol-migration
    This command re-checks the appropriate BPDU format to send on the selected interface.
    Syntax
    spanning-tree protocol-migration interface
    interface
    • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-26/50)
    •...
  • Page 524

    Command Usage
    • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
    • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 525: Show Spanning-Tree Mst Configuration

    ---------------------------------------------------------------
    1/ 1 information
    ---------------------------------------------------------------
    Admin Status: Enabled
    Role: Root
    State: Forwarding
    External Admin Path Cost: 100000
    Internal Admin Path Cost: 100000
    External Oper Path Cost: 100000
    Internal Oper Path Cost: 100000
    Priority:
    Designated Cost:
    Designated Port: 128.13
    Designated Root: 32768.0.00177CF8D8C6...
  • Page 526: Vlan Commands

    VLAN Commands
    A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 527: Bridge-Ext Gvrp

    bridge-ext gvrp
    This command enables GVRP globally for the switch. Use the no form to disable it.
    Syntax
    [no] bridge-ext gvrp
    Default Setting
    Disabled
    Command Mode
    Global Configuration
    Command Usage
    GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
  • Page 528: Switchport Gvrp

    switchport gvrp
    This command enables GVRP for a port. Use the no form to disable it.
    Syntax
    [no] switchport gvrp
    Default Setting
    Disabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Example
    Console(config)#interface ethernet 1/6
    Console(config-if)#switchport gvrp
    Console(config-if)#
    show gvrp configuration
    This command shows if GVRP is enabled.
  • Page 529: Garp Timer

    garp timer
    This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
    Syntax
    garp timer {join | leave | leaveall} timer-value
    no garp timer {join | leave | leaveall}
    •...
  • Page 530: Show Garp Timer

    show garp timer
    This command shows the GARP timers for the selected interface.
    Syntax
    show garp timer [interface]
    interface
    • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-26/50)
    • port-channel channel-id (Range: 1-32)
    Default Setting
    Shows all GARP timers.
  • Page 531: Vlan

    Command Usage
    • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
    • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
  • Page 532: Configuring Vlan Interfaces

    Command Usage
    • no vlan vlan-id deletes the VLAN.
    • no vlan vlan-id name removes the VLAN name.
    • no vlan vlan-id state returns the VLAN to the default state (i.e., active).
    • You can configure up to 255 VLANs on the switch. One extra, unmanageable VLAN (VLAN ID 4093) is maintained for switch clustering.
  • Page 533: Switchport Mode

    Command Mode
    Global Configuration
    Example
    The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.254 255.255.255.0
    Console(config-if)#
    Related Commands
    shutdown (4-173)
    switchport mode
    This command configures the VLAN membership mode for a port.
  • Page 534: Switchport Acceptable-Frame-Types

    Related Commands
    switchport acceptable-frame-types (4-234)
    switchport acceptable-frame-types
    This command configures the acceptable frame types for a port. Use the no form to restore the default.
    Syntax
    switchport acceptable-frame-types {all | tagged}
    no switchport acceptable-frame-types
    • all - The port accepts all frames, tagged or untagged.
    •...
  • Page 535: Switchport Native Vlan

    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    • Ingress filtering only affects tagged frames.
    • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 536: Switchport Allowed Vlan

    Example
    The following example shows how to set the PVID for port 1 to VLAN 3:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport native vlan 3
    Console(config-if)#
    switchport allowed vlan
    This command configures VLAN groups on the selected interface. Use the no form to restore the default.
  • Page 537: Switchport Forbidden Vlan

    Example
    The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
    Console(config-if)#
    switchport forbidden vlan
    This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
  • Page 538: Displaying Vlan Information

    Displaying VLAN Information
    Table 4-69 Show VLAN Commands
    Command | Function | Mode | Page
    show vlan | Shows VLAN information | NE, PE | 4-238
    show interfaces status vlan | Displays status for the specified VLAN interface | NE, PE | 4-175
    show interfaces switchport | Displays the administrative and operational status of an | NE, PE | 4-177...
  • Page 539: Configuring Ieee 802.1Q Tunneling

    Configuring IEEE 802.1Q Tunneling
    IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
  • Page 540: Dot1Q-Tunnel System-Tunnel-Control

    reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports.
    dot1q-tunnel system-tunnel-control
    This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.
  • Page 541: Switchport Dot1Q-Tunnel Tpid

    • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag.
    •...
  • Page 542: Show Dot1Q-Tunnel

    Example
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport dot1q-tunnel tpid 9100
    Console(config-if)#
    Related Commands
    show interfaces switchport (4-177)
    show dot1q-tunnel
    This command displays information about QinQ tunnel ports.
    Command Mode
    Privileged Exec
    Example
    Console(config)#dot1q-tunnel system-tunnel-control
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport dot1q-tunnel mode access
    Console(config-if)#interface ethernet 1/2
    Console(config-if)#switchport dot1q-tunnel mode uplink
    Console(config-if)#end...
  • Page 543: Configuring Port-Based Traffic Segmentation

    Configuring Port-based Traffic Segmentation
    If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Local traffic belonging to each client is isolated to the allocated downlink ports, and upstream traffic coming from the downlink ports can only be forwarded to, and from, uplink ports.
  • Page 544: Pvlan Up-Link/Down-Link

    Example
    Console(config)#pvlan
    Console(config)#
    pvlan up-link/down-link
    This command configures uplink/downlink ports for traffic-segmentation client sessions. Use the no form to restore a port to normal operating mode.
    Syntax
    pvlan [up-link interface-list down-link interface-list]
    no pvlan
    • up-link - Specifies an uplink interface.
    •...
  • Page 545: Configuring Private Vlans

    Example
    Console#show pvlan
    Private VLAN status: Enabled
    Up-link port:
     Ethernet 1/12
    Down-link port:
     Ethernet 1/5
     Ethernet 1/6
     Ethernet 1/7
     Ethernet 1/8
    Console#
    Configuring Private VLANs
    Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs –...
  • Page 546: Private-Vlan

    To configure primary/community associated groups, follow these steps:
    1. Use the private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups.
    2. Use the private-vlan association command to map the community VLAN(s) to the primary VLAN.
  • Page 547: Private Vlan Association

    Example
    Console(config)#vlan database
    Console(config-vlan)#private-vlan 2 primary
    Console(config-vlan)#private-vlan 3 community
    Console(config)#
    private vlan association
    Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.
    Syntax
    private-vlan primary-vlan-id...
  • Page 548: Switchport Mode Private-Vlan

    switchport mode private-vlan
    Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting.
    Syntax
    switchport mode private-vlan {host | promiscuous}
    no switchport mode private-vlan
    • host – This port type can subsequently be assigned to a community VLAN.
    •...
  • Page 549: Switchport Private-Vlan Mapping

    Command Usage
    All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN.
    Example
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport private-vlan host-association 3
    Console(config-if)#
    switchport private-vlan mapping...
  • Page 550: Configuring Protocol-Based Vlans

    Default Setting
    None
    Command Mode
    Privileged Executive
    Example
    Console#show vlan private-vlan
    Primary  Secondary   Type       Interfaces
    -------- ----------- ---------- ------------------------------
                         primary    Eth1/ 3
                         community  Eth1/ 4 Eth1/ 5
    Console#
    Configuring Protocol-based VLANs
    The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
  • Page 551: Protocol-Vlan Protocol-Group (Configuring Groups)

    Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch. If lost in this manner, network access can be regained by removing the offending Protocol VLAN rule via the console.
  • Page 552: Show Protocol-Vlan Protocol-Group

    Default Setting
    No protocol groups are mapped for any interface.
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-231), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 553: Show Interfaces Protocol-Vlan Protocol-Group

    Example
    This shows protocol group 1 configured for IP over Ethernet:
    Console#show protocol-vlan protocol-group
    ProtocolGroup ID   Frame Type    Protocol Type
    ------------------ ------------- ---------------
                       ethernet      08 00
    Console#
    show interfaces protocol-vlan protocol-group
    This command shows the mapping from protocol groups to VLANs for the selected interfaces.
  • Page 554: Configuring Voice Vlans

    Configuring Voice VLANs
    The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
  • Page 555: Voice Vlan Aging

    devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
    • Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
  • Page 556: Voice Vlan Mac-Address

    voice vlan mac-address
    This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.
    Syntax
    voice vlan mac-address mac-address mask mask-address [description description]
    no voice vlan mac-address mac-address mask mask-address
    •...
  • Page 557: Switchport Voice Vlan

    switchport voice vlan
    This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
    Syntax
    switchport voice vlan {manual | auto}
    no switchport voice vlan
    • manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 558: Switchport Voice Vlan Security

    Command Mode
    Interface Configuration
    Command Usage
    • When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command on page 4-256). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
  • Page 559: Switchport Voice Vlan Priority

    switchport voice vlan priority
    This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
    Syntax
    switchport voice vlan priority priority-value
    no switchport voice vlan priority
    •...
  • Page 560: Lldp Commands

    Example
    Console#show voice vlan status
    Global Voice VLAN Status
    Voice VLAN Status : Enabled
    Voice VLAN ID : 1234
    Voice VLAN aging time : 1440 minutes
    Voice VLAN Port Summary
    Port Mode Security Rule Priority
    -------- -------- -------- --------- --------
    Eth 1/ 1 Auto Enabled
    Eth 1/ 2 Disabled Disabled OUI...
  • Page 561

    Table 4-76 LLDP Commands (Continued)
    Command | Function | Mode | Page
    lldp notification-interval | Configures the allowed interval for sending SNMP notifications about LLDP changes | | 4-263
    lldp refresh-interval | Configures the periodic transmit interval for LLDP advertisements | | 4-264
    lldp reinit-delay | Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down | | 4-265
    lldp tx-delay...
  • Page 562: Lldp

    Table 4-76 LLDP Commands (Continued)
    Command | Function | Mode | Page
    lldp med-tlv med-cap | Configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities | | 4-275
    lldp med-tlv network-policy | Configures an LLDP-MED-enabled port to advertise its network policy configuration | | 4-276
    show lldp config | Shows LLDP configuration settings for all ports | | 4-276...
  • Page 563: Lldp Med-Fast-Start-Count

    Command Mode
    Global Configuration
    Command Usage
    The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
    Example
    Console(config)#lldp holdtime-multiplier 10
    Console(config)#
    lldp med-fast-start-count
    This command specifies the amount of MED Fast Start LLDPDUs to transmit during...
  • Page 564: Lldp Refresh-Interval

    Default Setting
    5 seconds
    Command Mode
    Global Configuration
    Command Usage
    • This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
    • Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
  • Page 565: Lldp Reinit-Delay

    lldp reinit-delay
    This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting.
    Syntax
    lldp reinit-delay seconds
    no lldp reinit-delay
    seconds - Specifies the delay before attempting to re-initialize LLDP. (Range: 1 - 10 seconds)
    Default Setting
    2 seconds...
  • Page 566: Lldp Admin-Status

    • This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval
    Example
    Console(config)#lldp tx-delay 10
    Console(config)#
    lldp admin-status
    This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
    Syntax
    lldp admin-status {rx-only | tx-only | tx-rx}
    no lldp admin-status...
  • Page 567: Lldp Med-Notification

    the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
    • SNMP trap destinations are defined using the snmp-server host command (page 4-76).
    • Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
  • Page 568: Lldp Basic-Tlv Management-Ip-Address

    Example
    Console(config)#interface ethernet 1/1
    Console(config-if)#lldp med-notification
    Console(config-if)#
    lldp basic-tlv management-ip-address
    This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
    Syntax
    [no] lldp basic-tlv management-ip-address
    Default Setting
    Enabled
    Command Mode...
  • Page 569: Lldp Basic-Tlv Port-Description

    lldp basic-tlv port-description
    This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.
    Syntax
    [no] lldp basic-tlv port-description
    Default Setting
    Enabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
  • Page 570: Lldp Basic-Tlv System-Description

    lldp basic-tlv system-description
    This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature.
    Syntax
    [no] lldp basic-tlv system-description
    Default Setting
    Enabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type,...
  • Page 571: Lldp Dot1-Tlv Proto-Ident

    lldp dot1-tlv proto-ident
    This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
    Syntax
    [no] lldp dot1-tlv proto-ident
    Default Setting
    Enabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    This option advertises the protocols that are accessible through this interface.
  • Page 572: Lldp Dot1-Tlv Pvid

    lldp dot1-tlv pvid
    This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
    Syntax
    [no] lldp dot1-tlv pvid
    Default Setting
    Enabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "switchport native...
  • Page 573: Lldp Dot3-Tlv Link-Agg

    lldp dot3-tlv link-agg
    This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
    Syntax
    [no] lldp dot3-tlv link-agg
    Default Setting
    Enabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    This option advertises link aggregation capabilities, aggregation status of the link, and the IEEE 802.3 aggregated port identifier if this interface is currently a link aggregation member.
  • Page 574: Lldp Dot3-Tlv Max-Frame

    lldp dot3-tlv max-frame
    This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
    Syntax
    [no] lldp dot3-tlv max-frame
    Default Setting
    Enabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    Refer to the jumbo frame command (page 4-34) for information on configuring the maximum frame size for this switch.
  • Page 575: Lldp Med-Tlv Location

    lldp med-tlv location
    This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
    Syntax
    [no] lldp med-tlv location
    Default Setting
    Enabled
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    This option advertises location identification details.
  • Page 576: Lldp Med-Tlv Network-Policy

    Command Line Interface lldp med-tlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp med-tlv network-policy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.
  • Page 577 LLDP Commands Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |Admin Status Notification Enabled --------- + ----------- --------------------...
  • Page 578: Show Lldp Info Local-Device

    LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-17-7C-0C-8F-EE System Name System Description : DG-GS1550 System Capabilities Support : Bridge System Capabilities Enabled : Bridge Management Address : 192.168.226.232 (IPv4) LLDP Port Information Interface |PortID Type...
  • Page 579: Show Lldp Info Remote-Device

    LLDP Commands show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit.
  • Page 580 Command Line Interface Example Console#show lldp info remote-device LLDP Remote Devices Information Interface | ChassisId PortId SysName --------- + ----------------- ----------------- --------------------- Eth 1/1 | 00-01-02-03-04-05 00-01-02-03-04-06 Console#show lldp info remote-device detail ethernet 1/1 LLDP Remote Devices Information Detail --------------------------------------------------------------- Local PortName : Eth 1/1 Chassis Type...
  • Page 581: Show Lldp Info Statistics

    LLDP Commands show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 582: Class Of Service Commands

    Command Line Interface Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 583: Queue Mode

    Class of Service Commands queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
  • Page 584: Queue Bandwidth

    Command Line Interface Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and then default switchport priority.
  • Page 585: Queue Cos-Map

    Class of Service Commands Default Setting Weights 1, 2, 4, 8 are assigned to queues 0-3 respectively. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • WRR controls bandwidth sharing at the egress port by defining scheduling weights. • WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
  • Page 586: Show Queue Mode

    Command Line Interface Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
  • Page 587: Show Queue Bandwidth

    Class of Service Commands show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map.
  • Page 588: Priority Commands (Layer 3 And 4)

    Command Line Interface Priority Commands (Layer 3 and 4) Table 4-80 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip port Enables TCP/UDP class of service mapping 4-288 map ip port Maps TCP/UDP socket to a class of service 4-289 map ip precedence Enables IP precedence class of service mapping...
  • Page 589: Map Ip Port (Interface Configuration)

    Class of Service Commands map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number •...
  • Page 590: Map Ip Precedence (Interface Configuration)

    Command Line Interface Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
  • Page 591: Map Ip Dscp (Interface Configuration)

    Class of Service Commands Default Setting Disabled Command Mode Global Configuration Command Usage The precedence for priority mapping is IP DSCP, and default switchport priority. Example The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp Console(config)# map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point...
  • Page 592: Show Map Ip Port

    Command Line Interface Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues.
  • Page 593: Show Map Ip Dscp

    Class of Service Commands show map ip precedence This command shows the IP precedence priority map. Syntax show map ip precedence [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) •...
  • Page 594 Command Line Interface Command Mode Privileged Exec Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands...
  • Page 595: Quality Of Service Commands

    Quality of Service Commands Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Note:...
  • Page 596: Class-Map

    Command Line Interface Use the set command to modify the QoS value for matching traffic class, and use the policer command to monitor the average flow and burst rate, and drop any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate.
  • Page 597: Match

    Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 598: Rename

    Command Line Interface rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map. (Range: 1-16 characters) Command Mode Class Map Configuration Policy Map Configuration Example Console(config)#class-map rd-class#1 Console(config-cmap)#rename rd-class#9 Console(config-cmap)# description This command specifies the description of a class map or policy map.
  • Page 599: Policy-Map

    Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
  • Page 600: Set

    Command Line Interface Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the: - set command classifies the service that an IP packet will receive.
  • Page 601: Police

    Quality of Service Commands Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 602: Service-Policy

    Command Line Interface Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 603: Show Class-Map

    Quality of Service Commands show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-16 characters) Default Setting Displays all class maps. Command Mode Privileged Exec Example...
  • Page 604: Show Policy-Map Interface

    Command Line Interface Example Console#show policy-map Policy Map rd_policy class rd_class set ip dscp 3 Console#show policy-map rd_policy class rd_class Policy Map rd_policy class rd_class set ip dscp 3 Console# show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface...
  • Page 605: Multicast Filtering Commands

    Multicast Filtering Commands Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 606: Ip Igmp Snooping

    Command Line Interface ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static...
  • Page 607: Ip Igmp Snooping Version

    Multicast Filtering Commands ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
  • Page 608: Ip Igmp Snooping Immediate-Leave

    Command Line Interface Command Usage • This function is only effective if IGMP snooping is enabled. • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. •...
  • Page 609: Show Ip Igmp Snooping

    Multicast Filtering Commands • This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following shows how to enable immediate leave. Console(config)#interface vlan 1 Console(config-if)#ip igmp snooping immediate-leave Console(config-if)# show ip igmp snooping This command shows the IGMP snooping configuration.
  • Page 610: Igmp Query Commands (Layer 2)

    Command Line Interface Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr.
  • Page 611: Ip Igmp Snooping Query-Count

    Multicast Filtering Commands Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-307). • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example Console(config)#ip igmp snooping querier Console(config)#...
  • Page 612: Ip Igmp Snooping Query-Interval

    Command Line Interface ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
  • Page 613: Ip Igmp Snooping Router-Port-Expire-Time

    Multicast Filtering Commands Example The following shows how to configure the maximum response time to 20 seconds: Console(config)#ip igmp snooping query-max-response-time 20 Console(config)# Related Commands ip igmp snooping version (4-307) ip igmp snooping router-port-expire-time This command configures the querier timeout. Use the no form to restore the default.
  • Page 614: Static Multicast Routing Commands

    Command Line Interface Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch. Table 4-87 Static Multicast Routing Commands Command Function Mode Page ip igmp snooping vlan mrouter Adds a multicast router port 4-314 show ip igmp snooping mrouter Shows multicast router ports 4-315...
  • Page 615: Show Ip Igmp Snooping Mrouter

    Multicast Filtering Commands show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
  • Page 616: Igmp Filtering And Throttling Commands

    Command Line Interface IGMP Filtering and Throttling Commands In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 617: Ip Igmp Profile

    Multicast Filtering Commands • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example Console(config)#ip igmp filter Console(config)# ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode.
  • Page 618: Range

    Command Line Interface • When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
  • Page 619: Ip Igmp Max-Groups

    Multicast Filtering Commands Command Mode Interface Configuration Command Usage • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface. •...
  • Page 620: Ip Igmp Max-Groups Action

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#ip igmp max-group 10 Console(config-if)# ip igmp max-groups action This command sets the IGMP throttling action for an interface on the switch. Syntax ip igmp max-groups action {replace | deny} • replace - The new multicast group replaces an existing group. •...
  • Page 621: Show Ip Igmp Profile

    Multicast Filtering Commands Command Mode Privileged Exec Example Console#show ip igmp filter IGMP filter enabled Console#show ip igmp filter interface ethernet 1/1 Ethernet 1/1 information --------------------------------- IGMP Profile 19 Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch.
  • Page 622: Show Ip Igmp Throttle Interface

    Command Line Interface show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26/50) •...
  • Page 623: Multicast Vlan Registration Commands

    Multicast Filtering Commands Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
  • Page 624 Command Line Interface Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • Page 625: Mvr (Interface Configuration)

    Multicast Filtering Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
  • Page 626: Show Mvr

    Command Line Interface • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  • Page 627: Table 4-90 Show Mvr - Display Description

    Multicast Filtering Commands Default Setting Displays global configuration settings for MVR when no keywords are used. Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN.
  • Page 628: Table 4-92 Show Mvr Members - Display Description

    Command Line Interface Table 4-91 show mvr interface - display description (Continued) Field Description Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE”...
  • Page 629: Ip Host

    Domain Name Service Commands Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
  • Page 630: Clear Host

    Command Line Interface Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
  • Page 631: Ip Domain-List

    Domain Name Service Commands Default Setting None Command Mode Global Configuration Example Console(config)#ip domain-name sample.com Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: Name Server List: Console# Related Commands ip domain-list (4-331) ip name-server (4-332) ip domain-lookup (4-333) ip domain-list This command defines a list of domain names that can be appended to incomplete...
  • Page 632: Ip Name-Server

    Command Line Interface Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List:...
  • Page 633: Ip Domain-Lookup

    Domain Name Service Commands Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55...
  • Page 634: Show Hosts

    Command Line Interface Related Commands ip domain-name (4-330) ip name-server (4-332) show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
  • Page 635: Show Dns Cache

    Domain Name Service Commands show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example Console#show dns cache FLAG TYPE DOMAIN Address www.times.com 199.239.136.200 Address a1116.x.akamai.net 61.213.189.120 Address a1116.x.akamai.net 61.213.189.104 CNAME graphics8.nytimes.com POINTER TO:2 CNAME graphics478.nytimes.com.edgesui 19 POINTER TO:2 Console#...
  • Page 636: Ip Interface Commands

    Command Line Interface IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 637: Ip Default-Gateway

    IP Interface Commands Command Usage • You must assign an IP address to this device to gain management access over the network. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 638: Ip Dhcp Restart

    Command Line Interface Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254 Console(config)# Related Commands show ip redirects (4-339) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage •...
  • Page 639: Show Ip Redirects

    IP Interface Commands Example Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console# Related Commands show ip redirects (4-339) show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode...
  • Page 640: Show Arp

    Command Line Interface - Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. - Destination unreachable - The gateway for this destination indicates that the destination is unreachable. - Network or host unreachable - The gateway found no corresponding entry in the route table.
  • Page 641: Clear Arp-Cache

    IP Interface Commands clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache. Console#clear arp-cache This operation will delete all the dynamic entries in ARP Cache. Are you sure to continue this operation (y/n)?y Console# 4-341...
  • Page 643: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Management Authentication Local, RADIUS, TACACS, Port Authentication (802.1X), AAA, HTTPS, SSH, IP Filter General Security Measures Local, RADIUS, TACACS, Port (802.1X, MAC Authentication), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard Access Control Lists 128 ACLS (96 MAC rules, 96 IP rules) DHCP Client...
  • Page 644: Management Features

    Software Specifications Strict or Weighted Round Robin queueing CoS configured by VLAN tag or port Layer 3/4 priority mapping: IP Port, IP Precedence, IP DSCP Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client DHCP Snooping...
  • Page 645: Management Information Bases

    Management Information Bases IEEE 802.1X Port Authentication IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP) Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.3ac VLAN tagging DHCP Client (RFC 2131) DHCP Options (RFC 2132) HTTPS IGMP (RFC 1112) IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support IGMP Proxy (RFC 4541)
  • Page 646 Software Specifications RADIUS Accounting Server MIB (RFC 2621) RADIUS Authentication Client MIB (RFC 2618) RMON MIB (RFC 2819) RMON II Probe Configuration Group (RFC 2021, partial implementation) SNMP Community MIB (RFC 3584) SNMP Framework MIB (RFC 3411) SNMP-MPD MIB (RFC 3412) SNMP Target MIB, SNMP Notification MIB (RFC 3413) SNMP User-Based SM MIB (RFC 3414) SNMP View Based ACM MIB (RFC 3415)
  • Page 647: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, • Be sure the switch is powered up. web browser, or SNMP • Check network cabling between the management station and the switch. software •...
  • Page 648: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 649: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol (ARP) converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 650 Glossary DHCP Option 82 A relay option for sending information about the requesting client (or an intermediate relay agent) in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server. This information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients.
  • Page 651 Glossary IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 652 Glossary which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork. IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services.
  • Page 653 Glossary Management Information Base (MIB) An acronym for Management Information Base. It is a set of database objects that contains information about a specific device. MD5 Message-Digest Algorithm An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken.
  • Page 654 Glossary Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links. Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN.
  • Page 655 Glossary Simple Mail Transfer Protocol (SMTP) A standard host-to-host mail transport protocol that operates over TCP, port 25. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services. Simple Network Time Protocol (SNTP) SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server.
  • Page 656 Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.