Edge-Core ECS3510-26P Management Manual

26-port fast ethernet layer 2 switch


Summary of Contents for Edge-Core ECS3510-26P

  • Page 1 ECS3510-26P Management Guide 26-Port Fast Ethernet Layer 2 Switch www.edge-core.com...
  • Page 3 Management Guide ECS3510-28P Gigabit Ethernet Switch Layer 2 Managed Switch with 24 10/100BASE-TX (RJ-45) PoE Ports, and 2 Gigabit SFP Ports ECS3510-28P E052013/ST-R01 149100000220A...
  • Page 5: About This Guide

    About This Guide. Purpose: This guide gives specific information on how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment.
  • Page 6 About This Guide. Revision History: This section summarizes the changes in each revision of this guide. 2013 Revision: This is the first version of this guide. This guide is valid for software release v1.0.0.0...
  • Page 7: Table Of Contents

    Contents: About This Guide Contents Figures Tables Section Getting Started Introduction Key Features Description of Software Features System Defaults Initial Switch Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Downloading a Configuration File Referenced by a DHCP Server Enabling SNMP Management Access Managing System Files...
  • Page 8 Contents: Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu Basic Management Tasks Displaying System Information Displaying Hardware/Software Versions Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting The Start-Up File Showing System Files...
  • Page 9 Contents: Trunk Configuration Configuring a Static Trunk Configuring a Dynamic Trunk Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Configuring Trunk Mirroring Saving Power Traffic Segmentation Enabling Traffic Segmentation Configuring Uplink and Downlink Ports VLAN Trunking...
  • Page 10 Contents: Displaying Global Settings for STA Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP Congestion Control Rate Limiting Storm Control Automatic Traffic Control Setting the ATC Timers Configuring ATC Thresholds and Responses 10 Class of Service...
  • Page 11 Contents: Configuring User Accounts Web Authentication Configuring Global Settings for Web Authentication Configuring Interface Settings for Web Authentication Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports Configuring Port Link Detection Configuring a MAC Address Filter Displaying Secure MAC Address Information Configuring HTTPS Configuring Global Settings for HTTPS...
  • Page 12 Contents: Configuring Port Supplicant Settings for 802.1X Displaying 802.1X Statistics IP Source Guard Configuring Ports for IP Source Guard Configuring Static Bindings for IP Source Guard Displaying Information for Dynamic IP Source Guard Bindings DHCP Snooping DHCP Snooping Global Configuration DHCP Snooping VLAN Configuration Configuring Ports for DHCP Snooping Displaying DHCP Snooping Binding Information...
  • Page 13 Contents: Specifying Trap Managers Remote Monitoring Configuring RMON Alarms Configuring RMON Events Configuring RMON History Samples Configuring RMON Statistical Samples Switch Clustering Configuring General Settings for Clusters Cluster Member Configuration Managing Cluster Members Setting A Time Range 15 IP Configuration Using the Ping Function Address Resolution Protocol...
  • Page 14 Contents: Assigning Interfaces to Multicast Services Setting IGMP Snooping Status per Interface Displaying Multicast Groups Discovered by IGMP Snooping Filtering and Throttling IGMP Groups Enabling IGMP Filtering and Throttling Configuring IGMP Filter Profiles Configuring IGMP Filtering and Throttling for Interfaces Multicast VLAN Registration Configuring Global MVR Settings Configuring MVR Interface Status...
  • Page 15 Contents: enable quit show history configure disable reload (Privileged Exec) show reload exit 20 System Management Commands Device Designation hostname System Status show access-list tcam-utilization show memory show process cpu show running-config show startup-config show system show tech-support show users show version Frame Size jumbo frame...
  • Page 16 Contents: Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect terminal show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email...
  • Page 17 Contents: show sntp Manual Configuration Commands clock summer-time clock timezone clock timezone-predefined calendar set show calendar Time Range time-range absolute periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 21 SNMP Commands General SNMP Commands...
  • Page 18 Contents: show snmp engine-id show snmp group show snmp user show snmp view Notification Log Commands snmp-server notify-filter show nlm oper-status show snmp notify-filter 22 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics...
  • Page 19 Contents: tacacs-server port show tacacs-server aaa accounting commands aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting Web Server ip http port ip http server ip http secure-port ip http secure-server Telnet Server...
  • Page 20 Contents: 802.1X Port Authentication General Commands dot1x default dot1x eapol-pass-through dot1x system-auth-control Authenticator Commands dot1x intrusion-action dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate Supplicant Commands dot1x identity profile dot1x max-start dot1x pae supplicant...
  • Page 21 Contents: network-access dynamic-vlan network-access guest-vlan network-access link-detection network-access link-detection link-down network-access link-detection link-up network-access link-detection link-up-down network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count clear network-access show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control...
  • Page 22 Contents: show ip dhcp snooping binding IP Source Guard ip source-guard binding ip source-guard ip source-guard max-binding show ip source-guard show ip source-guard binding ARP Inspection ip arp inspection ip arp inspection filter ip arp inspection log-buffer logs ip arp inspection validate ip arp inspection vlan ip arp inspection limit ip arp inspection trust...
  • Page 23 Contents: ARP ACLs access-list arp permit, deny (ARP ACL) show arp access-list ACL Information show access-group show access-list 26 Interface Commands Interface Configuration interface alias capabilities description flowcontrol giga-phy-mode negotiation shutdown speed-duplex switchport packet-rate clear counters show interfaces brief show interfaces counters show interfaces status show interfaces switchport...
  • Page 24 Contents: lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel) Trunk Status Display Commands show lacp 28 Port Mirroring Commands Local Port Mirroring Commands port monitor show port monitor RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 29 R...
  • Page 25 Contents: snmp-server enable port-traps atc multicast-control-release ATC Display Commands show auto-traffic-control show auto-traffic-control interface 31 Address Table Commands mac-address-table aging-time mac-address-table static clear mac-address-table dynamic show mac-address-table show mac-address-table aging-time show mac-address-table count 32 Spanning Tree Commands spanning-tree spanning-tree cisco-prestandard spanning-tree forward-time spanning-tree hello-time spanning-tree max-age...
  • Page 26 Contents: spanning-tree mst cost spanning-tree mst port-priority spanning-tree port-priority spanning-tree root-guard spanning-tree spanning-disabled spanning-tree loopback-detection release spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration 33 VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp garp timer switchport forbidden vlan switchport gvrp show bridge-ext show garp timer...
  • Page 27 Contents: Configuring Port-based Traffic Segmentation traffic-segmentation show traffic-segmentation Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group Configuring IP Subnet VLANs subnet-vlan show subnet-vlan Configuring MAC Based VLANs mac-vlan show mac-vlan Configuring Voice VLANs voice vlan voice vlan aging...
  • Page 28 Contents: show qos map dscp-mutation show qos map phb-queue show qos map trust-mode 35 Quality of Service Commands class-map description match rename policy-map class police flow police srtcm-color police trtcm-color set cos set ip dscp set phb service-policy show class-map show policy-map show policy-map interface 36 M...
  • Page 29 Contents: ip igmp snooping vlan last-memb-query-intvl ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address ip igmp snooping vlan query-interval ip igmp snooping vlan query-resp-intvl ip igmp snooping vlan static show ip igmp snooping show ip igmp snooping mrouter show ip igmp snooping group Static Multicast Routing ip igmp snooping vlan mrouter...
  • Page 30 Contents: lldp admin-status lldp basic-tlv management-ip-address lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name lldp dot1-tlv proto-ident lldp dot1-tlv proto-vid lldp dot1-tlv pvid lldp dot1-tlv vlan-name lldp dot3-tlv link-agg lldp dot3-tlv max-frame lldp med-location civic-addr lldp med-notification lldp med-tlv ext-poe lldp med-tlv inventory lldp med-tlv location...
  • Page 31 Contents: 39 DHCP Commands DHCP Client DHCP for IPv4 ip dhcp client class-id ip dhcp restart client DHCP for IPv6 ipv6 dhcp client rapid-commit vlan ipv6 dhcp restart client vlan show ip dhcp client-identifier show ipv6 dhcp duid show ipv6 dhcp vlan 40 IP Interface Commands...
  • Page 32 Contents: show ipv6 mtu show ipv6 mtu show ipv6 traffic clear ipv6 traffic ping6 Neighbor Discovery clear ipv6 neighbors show ipv6 neighbors Section Appendices Software Specifications Software Features Management Features Standards Management Information Bases Troubleshooting Problems Accessing the Management Interface Using System Logs License Information...
  • Page 33: Figures

    Figures: Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 34 Figures: Figure 32: Configuring Remote Port Mirroring (Source) Figure 33: Configuring Remote Port Mirroring (Intermediate) Figure 34: Configuring Remote Port Mirroring (Destination) Figure 35: Showing Port Statistics (Table) Figure 36: Showing Port Statistics (Chart) Figure 37: Performing Cable Tests Figure 38: Configuring Static Trunks Figure 39: Creating Static Trunks Figure 40: Configuring Connection Parameters for a Static Trunk Figure 41: Showing Information for Static Trunks...
  • Page 35 Figures: Figure 68: Showing Dynamic VLANs Registered on the Switch Figure 69: Showing the Members of a Dynamic VLAN Figure 70: QinQ Operational Concept Figure 71: Enabling QinQ Tunneling Figure 72: Adding an Interface to a QinQ Tunnel Figure 73: Configuring Protocol VLANs Figure 74: Displaying Protocol VLANs Figure 75: Assigning Interfaces to Protocol VLANs Figure 76: Showing the Interface to Protocol Group Mapping...
  • Page 36 Figures: Figure 104: Displaying Members of an MST Instance Figure 105: Configuring MSTP Interface Settings Figure 106: Displaying MSTP Interface Settings Figure 107: Configuring Rate Limits Figure 108: Configuring Storm Control Figure 109: Storm Control by Limiting the Traffic Rate Figure 110: Storm Control by Shutting Down a Port Figure 111: Configuring ATC Timers Figure 112: Configuring ATC Interface Attributes...
  • Page 37 Figures: Figure 140: Configuring Remote Authentication Server (TACACS+) Figure 141: Configuring AAA Server Groups Figure 142: Showing AAA Server Groups Figure 143: Configuring Global Settings for AAA Accounting Figure 144: Configuring AAA Accounting Methods Figure 145: Showing AAA Accounting Methods Figure 146: Configuring AAA Accounting Service for 802.1X Service Figure 147: Configuring AAA Accounting Service for Exec Service Figure 148: Displaying a Summary of Applied AAA Accounting Methods...
  • Page 38 Figures: Figure 176: Configuring a MAC ACL Figure 177: Configuring a ARP ACL Figure 178: Binding a Port to an ACL Figure 179: Configuring Global Settings for ARP Inspection Figure 180: Configuring VLAN Settings for ARP Inspection Figure 181: Configuring Interface Settings for ARP Inspection Figure 182: Displaying Statistics for ARP Inspection Figure 183: Displaying the ARP Inspection Log Figure 184: Creating an IP Address Filter for Management Access...
  • Page 39 Figures: Figure 212: Showing the Civic Address for an LLDP Interface Figure 213: Displaying Local Device Information for LLDP (General) Figure 214: Displaying Local Device Information for LLDP (Port) Figure 215: Displaying Remote Device Information for LLDP (Port) Figure 216: Displaying Remote Device Information for LLDP (Port Details) Figure 217: Displaying LLDP Device Statistics (General) Figure 218: Displaying LLDP Device Statistics (Port) Figure 219: Showing the Switch’s PoE Budget...
  • Page 40 Figures: Figure 248: Configuring an RMON Statistical Sample Figure 249: Showing Configured RMON Statistical Samples Figure 250: Showing Collected RMON Statistical Samples Figure 251: Configuring a Switch Cluster Figure 252: Configuring a Cluster Members Figure 253: Showing Cluster Members Figure 254: Showing Cluster Candidates Figure 255: Managing a Cluster Member Figure 256: Setting the Name of a Time Range Figure 257: Showing a List of Time Ranges...
  • Page 41 Figures: Figure 284: Configuring a Static Interface for a Multicast Router Figure 285: Showing Static Interfaces Attached a Multicast Router Figure 286: Showing Current Interfaces Attached a Multicast Router Figure 287: Assigning an Interface to a Multicast Service Figure 288: Showing Static Interfaces Assigned to a Multicast Service Figure 289: Showing Current Interfaces Assigned to a Multicast Service Figure 290: Configuring IGMP Snooping on an Interface Figure 291: Showing Interface Settings for IGMP Snooping...
  • Page 43: Tables

    Tables: Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Remote Device Configuration Information Table 11: Recommended STA Path Cost Range...
  • Page 44 Tables: Table 32: Supported Notification Messages Table 33: Address Resolution Protocol Table 34: Show IPv6 Neighbors - display description Table 35: Show IPv6 Statistics - display description Table 36: Show MTU - display description Table 37: General Command Modes Table 38: Configuration Command Modes Table 39: Keystroke Commands Table 40: Command Group Index Table 41: General Commands...
  • Page 45 Tables: Table 68: TACACS+ Client Commands Table 69: AAA Commands Table 70: Web Server Commands Table 71: HTTPS System Support Table 72: Telnet Server Commands Table 73: Secure Shell Commands Table 74: show ssh - display description Table 75: 802.1X Port Authentication Commands Table 76: Management IP Filter Commands Table 77: General Security Commands Table 78: Management IP Filter Commands...
  • Page 46 Tables: Table 104: Address Table Commands Table 105: Spanning Tree Commands Table 106: Recommended STA Path Cost Range Table 107: Default STA Path Costs Table 108: VLAN Commands Table 109: GVRP and Bridge Extension Commands Table 110: Commands for Editing VLAN Groups Table 111: Commands for Configuring VLAN Interfaces Table 112: Commands for Displaying VLAN Information Table 113:...
  • Page 47 Tables: Table 140: DHCP Client Commands Table 141: IP Interface Commands Table 142: IPv4 Interface Commands Table 143: Basic IP Configuration Commands Table 144: Address Resolution Protocol Commands Table 145: IPv6 Configuration Commands Table 146: show ipv6 interface - display description Table 147: show ipv6 mtu - display description Table 148: show ipv6 mtu - display description Table 149: show ipv6 traffic - display description...
  • Page 49: Section I

    Section: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 51...
  • Page 51: Key Features

    Introduction. This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 52: Description Of Software Features

    Chapter: Introduction | Description of Software Features. Table 1: Key Features (Continued). Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames. Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP). Virtual LANs: Up to 256 using IEEE 802.1Q, port-based, protocol-based, voice VLANs, and QinQ tunnel...
  • Page 53 Chapter: Introduction | Description of Software Features. Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for SNMP/Telnet/web management access. MAC address filtering and IP source guard also provide authentication for port access.
  • Page 54 Chapter: Introduction | Description of Software Features. Static Addresses: A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 55 Chapter: Introduction | Description of Software Features. even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP). Virtual LANs: The switch supports up to 256 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
  • Page 56 Chapter: Introduction | Description of Software Features. to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue. Quality of Service: Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis.
  • Page 57: System Defaults

    Chapter: Introduction | System Defaults. The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults. Table 2: System Defaults Function Parameter...
  • Page 58 Chapter: Introduction | System Defaults. Table 2: System Defaults (Continued) Function Parameter Default SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview Group: public (read only); private (read/write) Port Configuration Admin Status Enabled...
  • Page 59 Chapter: Introduction | System Defaults. Table 2: System Defaults (Continued) Function Parameter Default IP Settings Management. VLAN VLAN 1 IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Disabled Proxy service BOOTP Disabled Multicast Filtering IGMP Snooping (Layer 2) Snooping: Disabled Querier: Disabled IGMP Proxy Reporting...
  • Page 61: Initial Switch Configuration

    Initial Switch Configuration. This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 62: Required Connections

    Chapter: Initial Switch Configuration | Connecting to the Switch. ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 256 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration...
  • Page 63: Remote Connections

    Chapter: Initial Switch Configuration | Connecting to the Switch. ■ Set flow control to none. ■ Set the emulation mode to VT100. ■ When using HyperTerminal, select Terminal keys, not Windows keys. Once you have set up the terminal correctly, the console login screen will be displayed.
  • Page 64: Basic Configuration

    Chapter: Initial Switch Configuration | Basic Configuration. Console Connection: The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
  • Page 65: Setting an IP Address

    Chapter: Initial Switch Configuration | Basic Configuration.
      Username: admin
      Password:
      CLI session with the ECS3510-26P is opened.
      To end the CLI session, enter [Exit].
      Console#configure
      Console(config)#username guest password 0 [password]
      Console(config)#username admin password 0 [password]
      Console(config)#
    Setting an IP Address: You must establish IP address information for the switch to obtain management access through the network.
  • Page 66 Chapter: Initial Switch Configuration | Basic Configuration. To assign an IPv4 address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask”...
  • Page 67 Chapter: Initial Switch Configuration | Basic Configuration. example, followed by the “link-local” command parameter. Then press <Enter>.
      Console(config)#interface vlan 1
      Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
      Console(config-if)#ipv6 enable
      Console(config-if)#end
      Console#show ipv6 interface
      VLAN 1 is up
      IPv6 is enabled
      Link-Local Address: FE80::260:3EFF:FE11:6700/64
      Global Unicast Address(es): (None)
      Joined Group Address(es):...
  • Page 68 Chapter: Initial Switch Configuration | Basic Configuration. Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway”...
  • Page 69 Chapter: Initial Switch Configuration | Basic Configuration. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. At the interface-configuration mode prompt, use one of the following commands: To obtain IP settings via DHCP, type “ip address dhcp”...
  • Page 70 Chapter: Initial Switch Configuration | Basic Configuration.
      Console(config)#interface vlan 1
      Console(config-if)#ipv6 enable
      Console(config-if)#end
      Console#show ipv6 interface
      VLAN 1 is up
      IPv6 is enabled.
      Link-local address: FE80::2E0:CFF:FE00:FD/64
      Global unicast address(es): (None)
      Joined group address(es): FF02::1:FF11:6700 FF02::1
      IPv6 link MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 3.
  • Page 71: Downloading a Configuration File Referenced by a DHCP Server

    Chapter: Initial Switch Configuration | Basic Configuration.
      Console#
    Downloading a Configuration File Referenced by a DHCP Server: Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration...
  • Page 72: Table 4: Options 55 And 124 Statements

    Chapter: Initial Switch Configuration | Basic Configuration. DHCP client request sent by this switch includes a “parameter request list” asking for this information. Besides, the client request also includes a “vendor class identifier” that allows the DHCP server to identify the device, and select the appropriate configuration file for download.
  • Page 73: Enabling SNMP Management Access

    Chapter: Initial Switch Configuration | Basic Configuration. Enabling SNMP Management Access: The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps.
  • Page 74 Chapter: Initial Switch Configuration | Basic Configuration.
      Console(config)#snmp-server community admin rw
      Console(config)#snmp-server community private
      Console(config)#
    If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings.
  • Page 75: Managing System Files

    Chapter: Initial Switch Configuration | Managing System Files.
      Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
      Console(config)#
    For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to "Simple Network Management Protocol"...
  • Page 76: Saving Or Restoring Configuration Settings

    Chapter: Initial Switch Configuration | Managing System Files. to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file. Saving or Restoring Configuration Settings: Configuration commands only modify the running configuration file and are not saved when the switch is rebooted.
  • Page 77 Chapter: Initial Switch Configuration | Managing System Files.
      Console#copy file startup-config
      Console#copy tftp startup-config
      TFTP server IP address: 192.168.0.4
      Source configuration file name: startup-rd.cfg
      Startup configuration file name [startup1.cfg]:
      Success.
      Console#
  • Page 79: Section

    Section: Web Configuration. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 81 ◆ "Basic Management Tasks" on page 97...
  • Page 81: Using The Web Interface

    Using the Web Interface. This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6.x or above, or Mozilla Firefox 4.x or above).
  • Page 82: Navigating The Web Browser Interface

    Chapter: Using the Web Interface | Navigating the Web Browser Interface. Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds. Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
  • Page 83: Configuration Options

    Chapter: Using the Web Interface | Navigating the Web Browser Interface. Configuration Options: Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 84: Main Menu

    | Using the Web Interface HAPTER Navigating the Web Browser Interface Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu Menu Description...
  • Page 85 Table 6: Switch Main Menu (Continued) Menu Description Page Statistics Shows Interface, Etherlike, and RMON port statistics Chart Shows Interface, Etherlike, and RMON port statistics Cable Test Performs cable diagnostics for selected port to diagnose any cable faults (short, open etc.) and report the cable length Trunk Static...
  • Page 86 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Session Configures the uplink and down-link ports for a segmented group of ports VLAN Trunking Allows unknown VLAN groups to pass through the specified interface VLAN Virtual LAN...
  • Page 87 Table 6: Switch Main Menu (Continued) Menu Description Page MAC Address Static Configures static entries in the address table Show Displays static entries in the address table Dynamic Configure Aging Sets timeout for dynamically learned entries Show Dynamic MAC Displays dynamic entries in the address table...
  • Page 88 Table 6: Switch Main Menu (Continued) Menu Description Page Auto Traffic Control Sets thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port Configure Global Sets the time to apply the control response after traffic has exceeded the upper threshold, and the time to release the control...
  • Page 89 Table 6: Switch Main Menu (Continued) Menu Description Page VoIP Voice over IP Configure Global Configures auto-detection of VoIP traffic, sets the Voice VLAN, and VLAN aging time Configure OUI Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer Show...
  • Page 90 Table 6: Switch Main Menu (Continued) Menu Description Page Show Information Shows the configured authorization methods, and the methods applied to specific interfaces User Accounts Configures user names, passwords, and access levels Show Shows authorized users Modify...
  • Page 91 Table 6: Switch Main Menu (Continued) Menu Description Page Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes Show Rule Shows the rules specified for an ACL Configure Interface Binds a port to the specified ACL and time range ARP Inspection...
  • Page 92 Table 6: Switch Main Menu (Continued) Menu Description Page Remote Configures the logging of messages to a remote logging process SMTP Sends an SMTP client message to a participating server Configure Server Configures a list of recipient SMTP servers Adds a recipient SMTP server...
  • Page 93 Table 6: Switch Main Menu (Continued) Menu Description Page Configure View Add View Adds an SNMP v3 view of the OID MIB Show View Shows configured SNMP v3 views Add OID Subtree Specifies a part of the subtree for the selected view Show OID Subtree...
  • Page 94 Table 6: Switch Main Menu (Continued) Menu Description Page Show Details History Shows sampled data for each entry in the history group Statistics Shows sampled data for each entry in the history group Cluster Configure Global Globally enables clustering for the switch;...
  • Page 95 Table 6: Switch Main Menu (Continued) Menu Description Page IP Service Domain Name Service General Configure Global Enables DNS lookup; defines the default domain name appended to incomplete host names Add Domain Name Defines a list of domain names that can be appended to incomplete host names...
  • Page 96 Table 6: Switch Main Menu (Continued) Menu Description Page Show Shows IGMP snooping settings per VLAN interface Forwarding Entry Displays the current multicast groups learned through IGMP Snooping Filter Configure General Enables IGMP filtering for the switch Configure Profile...
  • Page 97: Basic

    BASIC MANAGEMENT TASKS This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames –...
  • Page 98: Displaying Hardware/Software Versions

    PARAMETERS These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been...
  • Page 99: Figure 4: General Switch Information

    PARAMETERS The following parameters are displayed: Main Board Information ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board. ◆ Internal Power Status –...
  • Page 100: Configuring Support For Jumbo Frames

    CONFIGURING SUPPORT FOR JUMBO FRAMES Use the System > Capability page to configure support for Layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
  • Page 101: Displaying Bridge Extension Capabilities

    DISPLAYING BRIDGE EXTENSION CAPABILITIES Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 102: Managing System Files

    INTERFACE To view Bridge Extension information: Click System, then Capability. Figure 6: Displaying Bridge Extension Configuration MANAGING SYSTEM FILES This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Use the System >...
  • Page 103 PARAMETERS The following parameters are displayed: ◆ Copy Type – The firmware copy operation includes these options: ■ FTP Upgrade – Copies a file from an FTP server to the switch. ■ FTP Download – Copies a file from the switch to an FTP server. ...
  • Page 104: Saving The Running Configuration To A Local File

    If FTP or TFTP Upgrade is used, enter the IP address of the file server. If FTP Upgrade is used, enter the user name and password for your account on the FTP server. Set the file type to Operation Code or Loader.
  • Page 105: Setting The Start-Up File

    the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) The maximum number of user-defined configuration files is limited only by available flash memory space.
  • Page 106: Showing System Files

    Mark the operation code or configuration file to be used at startup. Then click Apply. Figure 9: Setting Start-Up Files To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Use the System >...
  • Page 107: Automatic Operation Code Upgrade

    Figure 10: Displaying System Files Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
  • Page 108 ◆ The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept ECS4110-24T_OP.BIX from the server even though ECS4110-24T_Op.bix was requested). However, keep in mind that the file systems of many operating systems such as Unix and most Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the...
  • Page 109 must not be included since it is automatically appended by the switch. (Options: ftp, tftp) The following syntax must be observed: tftp://host[/filedir]/ ■ tftp:// – Defines TFTP protocol for the server connection. ■ host –...
  • Page 110: Figure 11: Configuring Automatic Code Upgrade

    The image file is in the “switch-opcode” directory, relative to the TFTP root. ■ tftp://192.168.0.1/switches/opcode/ The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root. The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented:...
  • Page 111: Setting The System Clock

    If a new image is found at the specified location, the following type of messages will be displayed during bootup. Automatic Upgrade is looking for a new image New image detected: current version 1.0.1.5; new version 1.1.2.0 Image upgrade in progress The switch will restart after upgrade succeeds Downloading new image...
  • Page 112: Setting The Sntp Polling Interval

    ◆ Day – Sets the day of the month. (Range: 1-31) ◆ Year – Sets the year. (Range: 1970-2037) INTERFACE To manually set the system clock: Click System, then Time. Select Configure General from the Step list. Select Manually from the Maintain Type list.
  • Page 113: Specifying Sntp Time Servers

    Select SNTP from the Maintain Type list. Modify the polling interval if required. Click Apply. Figure 13: Setting the Polling Interval for SNTP Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers.
  • Page 114: Setting The Time Zone

    Figure 14: Specifying SNTP Time Servers Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 115: Configuring Summer Time

    INTERFACE To set your local time zone: Click System, then Time. Select Configure Time Zone from the Action list. Set the offset for your time zone relative to the UTC in hours and minutes using either a predefined or custom definition.
  • Page 116: Figure 16: Summer Time Settings

    PARAMETERS The following parameters are displayed: ◆ Summer Time in Effect – Indicates whether or not Summer Time settings are currently in use. ◆ Status – Enables or disables Summer Time settings. ◆ Name –...
  • Page 117: Configuring The Console Port

    CONFIGURING THE CONSOLE PORT Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 118: Figure 17: Console Port Settings

    Due to a hardware limitation, the terminal program connected to the console port must be set to 8 data bits when using Auto baud rate detection. The password for the console connection can only be configured through the CLI (see "password"...
  • Page 119: Configuring Telnet Settings

    CONFIGURING TELNET SETTINGS Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
  • Page 120: Displaying Cpu Utilization

    INTERFACE To configure parameters for the console port: Click System, then Telnet. Specify the connection parameters as required. Click Apply. Figure 18: Telnet Connection Settings DISPLAYING CPU UTILIZATION Use the System > CPU Utilization page to display information on CPU utilization.
  • Page 121: Displaying Memory Utilization

    Figure 19: Displaying CPU Utilization DISPLAYING MEMORY UTILIZATION Use the System > Memory Status page to display memory utilization parameters. CLI REFERENCES ◆ "show memory" on page 527 PARAMETERS The following parameters are displayed: ◆...
  • Page 122: Resetting The System

    INTERFACE To display memory utilization: Click System, then Memory Status. Figure 20: Displaying Memory Utilization RESETTING THE SYSTEM Use the System > Reload menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI REFERENCES "reload (Privileged Exec)"...
  • Page 123 ◆ Refresh – Refreshes reload information. Changes made through the console or to system time may need to be refreshed to display the current settings. ◆ Cancel – Cancels the current settings shown in this field. ...
  • Page 124: Figure 21: Restarting The Switch (Immediately)

    Save Current Settings ◆ Save – Click this button to save the current configuration settings. Use Factory Default Settings and Reboot ◆ Factory Default Settings & Reboot – Click this button to restore the...
  • Page 125: Figure 22: Restarting The Switch (In)

    Figure 22: Restarting the Switch (In) Figure 23: Restarting the Switch (At)
  • Page 126: Figure 24: Restarting The Switch (Regularly)

    Figure 24: Restarting the Switch (Regularly)
  • Page 127: Interface Configuration

    INTERFACE CONFIGURATION This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
  • Page 128 COMMAND USAGE ◆ Auto-negotiation must be disabled before you can configure or force an RJ-45 interface to use the Speed/Duplex mode or Flow Control options. ◆ When using auto-negotiation, the optimal settings will be negotiated...
  • Page 129 ■ FC - Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation.
  • Page 130: Configuring By Port Range

    Figure 25: Configuring Connections by Port List Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 131: Displaying Connection Status

    Figure 26: Configuring Connections by Port Range Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI REFERENCES "show interfaces status"...
  • Page 132: Configuring Local Port Mirroring

    INTERFACE To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 27: Displaying Port Information Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
  • Page 133: Figure 29: Configuring Local Port Mirroring

    MAC Address Mirroring" on page 200), the target port cannot be set to the same target ports as that used for port mirroring by this command. ◆ When traffic matches the rules for both port mirroring, and for...
  • Page 134: Configuring Remote Port Mirroring

    To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 30: Displaying Local Port Mirror Sessions Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
  • Page 135 source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section). ◆ Configuration Guidelines Take the following steps to configure an RSPAN session: Use the VLAN Static List (see "Configuring VLAN Groups"...
  • Page 136 still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. ■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port.
  • Page 137: Figure 32: Configuring Remote Port Mirroring (Source)

    ◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
  • Page 138: Showing Port Or Trunk Statistics

    Figure 33: Configuring Remote Port Mirroring (Intermediate) Figure 34: Configuring Remote Port Mirroring (Destination) Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the...
  • Page 139: Table 7: Port Statistics

    CLI REFERENCES ◆ "show interfaces counters" on page 740 PARAMETERS These parameters are displayed: Table 7: Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface, including framing characters.
  • Page 140 Table 7: Port Statistics (Continued) Parameter Description Deferred Transmissions A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy. Frames Too Long A count of frames received on a particular interface that exceed the maximum permitted frame size.
  • Page 141: Figure 35: Showing Port Statistics (Table)

    Table 7: Port Statistics (Continued) Parameter Description Utilization Statistics Received Octet Rate Number of octets entering this interface in kbits per second. Received Packet Rate Number of packets entering this interface in packets per second. Received Utilization The input utilization rate for this interface.
  • Page 142: Performing Cable Diagnostics

    To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
  • Page 143 COMMAND USAGE ◆ Cable diagnostics are performed using Time Domain Reflectometry (TDR) test methods. TDR analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse. ◆ This cable test is only accurate for Gigabit Ethernet cables 0 - 250...
  • Page 144: Trunk Configuration

    INTERFACE To test the cable attached to a port: Click Interface, Port, Cable Test. Click Test for any port to start the cable test. Figure 37: Performing Cable Tests TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
  • Page 145: Configuring A Static Trunk

    COMMAND USAGE Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
  • Page 146: Figure 39: Creating Static Trunks

    note that the static trunks on this switch are Cisco EtherChannel compatible. ◆ To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface.
  • Page 147: Configuring A Dynamic Trunk

    Figure 40: Configuring Connection Parameters for a Static Trunk To show the static trunks configured on the switch: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 41: Showing Information for Static Trunks Use the Interface >...
  • Page 148 COMMAND USAGE ◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP. ◆ If the target switch has also enabled LACP on the connected ports, the...
  • Page 149 By default, the Actor Admin Key is determined by port's link speed, and copied to Oper Key. The Partner Admin Key is assigned to zero, and the Oper Key is set based upon LACP PDUs received from the Partner. System Priority –...
  • Page 150: Figure 43: Configuring The Lacp Aggregator Admin Key

    INTERFACE To configure the admin key for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Aggregator from the Step list. Set the Admin Key for the required LACP group. Click Apply. Figure 43: Configuring the LACP Aggregator Admin Key To enable LACP for a port: Click Interface, Trunk, Dynamic.
  • Page 151: Figure 45: Configuring Lacp Parameters On A Port

    To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply. Figure 45: Configuring LACP Parameters on a Port To configure the connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 152: Figure 46: Configuring Connection Parameters For A Dynamic Trunk

    Figure 46: Configuring Connection Parameters for a Dynamic Trunk To show the connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Show from the Action list. Figure 47: Showing Connection Parameters for Dynamic Trunks To show the port members of dynamic trunks: Click Interface, Trunk, Dynamic.
  • Page 153: Displaying Lacp Port Counters

    Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI REFERENCES ◆ "show lacp" on page 756...
  • Page 154: Displaying Lacp Settings And Status For The Local Side

    INTERFACE To display LACP port counters: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Counters. Select a group member from the Port list. Figure 49: Displaying LACP Port Counters Use the Interface >...
  • Page 155 Table 9: LACP Internal Configuration Information (Continued) Parameter Description Admin State, Oper State Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state; ◆ Defaulted –...
  • Page 156: Displaying Lacp Settings And Status For The Remote Side

    INTERFACE To display LACP settings and status for the local side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Internal. Select a group member from the Port list. Figure 50: Displaying LACP Port Internal Information Use the Interface >...
  • Page 157: Figure 51: Displaying Lacp Port Remote Information

    Table 10: LACP Remote Device Configuration Information (Continued) Parameter Description Partner Oper Port Number Operational port number assigned to this aggregation port by the port’s protocol partner. Port Admin Priority Current administrative value of the port priority for the protocol partner.
  • Page 158: Configuring Trunk Mirroring

    Use the Interface > Trunk > Mirror page to mirror traffic from any source trunk to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source trunk in a completely unobtrusive manner.
  • Page 159: Saving Power

    Select Add from the Action List. Specify the source trunk. Specify the monitor port. Specify the traffic type to be mirrored. Click Apply. Figure 53: Configuring Trunk Mirroring To display the configured mirror sessions: Click Interface, Trunk, Mirror.
  • Page 160 Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity. The power-saving methods provided by this switch include: ◆...
  • Page 161: Traffic Segmentation

    Click Apply. Figure 55: Enabling Power Savings TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports.
  • Page 162: Configuring Uplink And Downlink Ports

    Figure 56: Enabling Traffic Segmentation Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports.
  • Page 163: Vlan Trunking

    Select Uplink or Downlink in the Direction list to add a group member. Click Apply. Figure 57: Configuring Members for Traffic Segmentation VLAN TRUNKING Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
  • Page 164 in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports. VLAN trunking is mutually exclusive with the “access”...
  • Page 165: Figure 59: Configuring Vlan Trunking

    Figure 59: Configuring VLAN Trunking
  • Page 166
  • Page 167: Vlan Configuration

    VLAN CONFIGURATION This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 168: Figure 60: Vlan Compliant And Vlan Non-Compliant Devices

    since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 256 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit or...
  • Page 169 receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame. Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers.
  • Page 170: Configuring Vlan Groups

    Figure 61: Using GVRP Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 171: Adding Static Members To Vlans

    ◆ Status – Enables or disables the specified VLAN. ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 134). INTERFACE To create VLAN groups: Click VLAN, Static. Select Configure VLAN from the Action list.
  • Page 172 PARAMETERS These parameters are displayed: Modify VLAN and Member Ports ◆ VLAN – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN. ◆ Remote VLAN –...
  • Page 173 ◆ Ingress Filtering – Determines how to process frames tagged for VLANs for which the ingress port is not a member. (Default: Disabled) ■ Ingress filtering only affects tagged frames. ■ If ingress filtering is disabled and a port receives frames tagged for...
  • Page 174: Figure 63: Configuring Static Members By Vlan Index

    The PVID, acceptable frame type, and ingress filtering parameters for each interface within the specified range must be configured on either the Modify VLAN and Member Ports or Edit Member by Interface page. INTERFACE To configure static members by the VLAN index: Click VLAN, Static.
  • Page 175: Figure 64: Configuring Static VLAN Members by Interface

    Figure 64: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Action list. Set the Interface type to display as Port or Trunk. Enter an interface range.
  • Page 176: Configuring Dynamic VLAN Registration

    Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. CLI REFERENCES ◆ "GVRP and Bridge Extension Commands" on page 822...
  • Page 177: Figure 66: Configuring Global Status of GVRP

    Show Dynamic VLAN – Show VLAN: VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled) Show Dynamic VLAN –...
  • Page 178: Figure 67: Configuring GVRP for an Interface

    Figure 67: Configuring GVRP for an Interface. To show the dynamic VLAN joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 68: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic.
  • Page 179: IEEE 802.1Q Tunneling

    IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 180: Figure 70: QinQ Operational Concept

    Figure 70: QinQ Operational Concept (diagram labels: Customer A (VLANs 1-10), Service Provider VLAN 10, edge switch A, edge switch B, Tunnel Access Port)...
  • Page 181 | VLAN Configuration: IEEE 802.1Q Tunneling | Layer 2 Flow for Packets Coming into a Tunnel Uplink Port – An uplink port receives one of the following packets: ◆ Untagged ◆ One tag (CVLAN or SPVLAN) ◆ Double tag (CVLAN + SPVLAN) ...
  • Page 182 | VLAN Configuration: IEEE 802.1Q Tunneling | Configuration Limitations for QinQ ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
  • Page 183: Enabling QinQ Tunneling on the Switch

    Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
  • Page 184: Adding an Interface to a QinQ Tunnel

    Figure 71: Enabling QinQ Tunneling. Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
  • Page 185: Protocol VLANs

    INTERFACE To add an interface to a QinQ tunnel: Click VLAN, Tunnel. Select Configure Interface from the Step list. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink. Click Apply.
  • Page 186: Configuring Protocol VLAN Groups

    Then map the protocol for each interface to the appropriate VLAN using the Configure Interface (Add) page. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
  • Page 187: Mapping Protocol Groups to Interfaces

    Click Apply. Figure 73: Configuring Protocol VLANs. To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 74: Displaying Protocol VLANs. Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the...
  • Page 188: Figure 75: Assigning Interfaces to Protocol VLANs

    ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. ■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. PARAMETERS These parameters are displayed: ◆ Interface –...
  • Page 189: Configuring IP Subnet VLANs

    To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Show from the Action list. Select a port or trunk. Figure 76: Showing the Interface to Protocol Group Mapping...
  • Page 190: Figure 77: Configuring IP Subnet VLANs

    ◆ The IP subnet cannot be a broadcast or multicast IP address. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. PARAMETERS These parameters are displayed: ◆ IP Address –...
  • Page 191: Configuring MAC-Based VLANs

    To show the configured IP subnet VLANs: Click VLAN, IP Subnet. Select Show from the Action list. Figure 78: Showing IP Subnet VLANs. Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses.
  • Page 192: Figure 79: Configuring MAC-Based VLANs

    ◆ Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority; Default: 0) INTERFACE To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list. Enter an address in the MAC Address field.
  • Page 193: Configuring VLAN Mirroring

    Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 194: Figure 81: Configuring VLAN Mirroring

    INTERFACE To configure VLAN mirroring: Click VLAN, Mirror. Select Add from the Action list. Select the source VLAN, and select a target port. Click Apply. Figure 81: Configuring VLAN Mirroring. To show the VLANs to be mirrored: Click VLAN, Mirror.
  • Page 195: Address Table Settings

    Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 196 | Address Table Settings: Setting Static Addresses | PARAMETERS These parameters are displayed: ◆ VLAN – ID of configured VLAN. (Range: 1-4093) ◆ Interface – Port or trunk associated with the device assigned a static address. ◆ MAC Address – Physical address of a device mapped to this interface. ...
  • Page 197: Changing The Aging Time

    Figure 84: Displaying Static MAC Addresses. Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
  • Page 198: Displaying The Dynamic Address Table

    Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 199: Clearing The Dynamic Address Table

    Figure 86: Displaying the Dynamic MAC Address Table. Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. CLI REFERENCES "clear mac-address-table dynamic"...
  • Page 200: Configuring MAC Address Mirroring

    Figure 87: Clearing Entries in the Dynamic MAC Address Table. Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis.
  • Page 201: Figure 88: Mirroring Packets Based on the Source MAC Address

    INTERFACE To mirror packets based on a MAC address: Click MAC Address, Mirror. Select Add from the Action list. Specify the source MAC address and destination port. Click Apply. Figure 88: Mirroring Packets Based on the Source MAC Address. To show the MAC addresses to be mirrored: Click MAC Address, Mirror.
  • Page 203: Spanning Tree Algorithm

    This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA,...
  • Page 204: Figure 90: STP Root Ports and Designated Ports

    lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 90: STP Root Ports and Designated Ports...
  • Page 205: Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree

    Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees"...
  • Page 206: Configuring Loopback Detection

    Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 207: Configuring Global Settings for STA

    ◆ Time Left – Time remaining before the shutdown expires. ◆ Release Mode – Configures the interface for automatic or manual loopback release. (Default: Auto) ◆ Release – Allows an interface to be manually released from discard...
  • Page 208 | Spanning Tree Algorithm: Configuring Global Settings for STA | This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 209 | Spanning Tree Algorithm: Configuring Global Settings for STA | ■ RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default. ■ MSTP: Multiple Spanning Tree (IEEE 802.1s) ◆ Priority – Bridge priority is used in selecting the root device, root port,...
  • Page 210 | Spanning Tree Algorithm: Configuring Global Settings for STA | ◆ Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 211: Figure 94: Configuring Global Settings for STA (STP)

    Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section. Click Apply. Figure 94: Configuring Global Settings for STA (STP). Figure 95: Configuring Global Settings for STA (RSTP)...
  • Page 212: Displaying Global Settings for STA

    Figure 96: Configuring Global Settings for STA (MSTP). Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 213: Configuring Interface Settings for STA

    If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network. ◆ Root Path Cost – The path cost from the root port on this switch to...
  • Page 214 | Spanning Tree Algorithm: Configuring Interface Settings for STA | CLI REFERENCES ◆ "Spanning Tree Commands" on page 795 PARAMETERS These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Admin Edge Status for all ports – Since end nodes cannot cause...
  • Page 215: Table 11: Recommended STA Path Cost Range

    ◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 216 | Spanning Tree Algorithm: Configuring Interface Settings for STA | ◆ Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier and lower MAC address) to take over as the root bridge at any time. Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location.
  • Page 217: Displaying Interface Settings for STA

    Figure 98: Configuring Interface Settings for STA. Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI REFERENCES "show spanning-tree"...
  • Page 218 | Spanning Tree Algorithm: Displaying Interface Settings for STA | The rules defining port status are: ■ A port on a network segment with no other STA compliant bridging device is always forwarding. ■ If two ports of a switch are connected to the same segment and...
  • Page 219: Figure 99: STA Port Roles

    Figure 99: STA Port Roles (legend: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port). Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 220: Configuring Multiple Spanning Trees

    Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI REFERENCES ◆ "Spanning Tree Commands" on page 795...
  • Page 221: Figure 101: Creating an MST Instance

    INTERFACE To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 222: Figure 103: Adding a VLAN to an MST Instance

    To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 223: Configuring Interface Settings for MSTP

    Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI REFERENCES ◆ "Spanning Tree Commands" on page 795...
  • Page 224: Figure 105: Configuring MSTP Interface Settings

    The recommended range is listed in Table 11 on page 215. The default path costs are listed in Table 12 on page 215. INTERFACE To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP.
  • Page 225: Figure 106: Displaying MSTP Interface Settings

    To display MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Show Information from the Action list. Figure 106: Displaying MSTP Interface Settings...
  • Page 227: Congestion Control

    The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 228: Table 13: Effective Rate Limit

    For example, a Gigabit port has a 10 ms window size, so there are 100 scales per second, each scale having a bandwidth of 10 Mbps, and using an inter-packet gap of 20 bytes. Therefore, when the rate limit is set at 64 kbit/s, each scale has a shared bandwidth of 80 bytes.
  • Page 229: Storm Control

    Due to a chip limitation, the switch supports only one limit for both ingress rate limiting and storm control (including broadcast unknown unicast, multicast, and broadcast storms). PARAMETERS These parameters are displayed: ◆ Port – Displays the port number. ...
  • Page 230 | Congestion Control: Storm Control | You can protect your network from traffic storms by setting a threshold for broadcast, multicast or unknown unicast traffic. Any packets exceeding the specified threshold will then be dropped. CLI REFERENCES ◆ "switchport packet-rate" on page 737 ...
  • Page 231: Figure 108: Configuring Storm Control

    ◆ Multicast – Specifies storm control for multicast traffic. ◆ Broadcast – Specifies storm control for broadcast traffic. ◆ Status – Enables or disables storm control. (Default: Disabled) ◆ Rate – Threshold level as a rate; i.e., kilobits per second. ...
  • Page 232: Automatic Traffic Control

    Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. CLI REFERENCES...
  • Page 233: Setting the ATC Timers

    ◆ The traffic control response of rate limiting can be released automatically or manually. The control response of shutting down a port can only be released manually. Figure 110: Storm Control by Shutting Down a Port. The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided.
  • Page 234: Figure 111: Configuring ATC Timers

    been shut down by a control response, it must be manually re-enabled using the Manual Control Release (see page 235). PARAMETERS These parameters are displayed: ◆ Broadcast Apply Timer – The interval after the upper threshold has...
  • Page 235: Configuring ATC Thresholds and Responses

    Use the Traffic > Congestion Control > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
  • Page 236 | Congestion Control: Automatic Traffic Control | ◆ Alarm Fire Threshold – The upper threshold for ingress traffic beyond which a storm control response is triggered after the Apply Timer expires. (Range: 1-255 kilo-packets per second; Default: 128 Kpps) Once the traffic rate exceeds the upper threshold and the Apply Timer expires, a trap message will be sent if configured by the Trap Storm Fire attribute.
  • Page 237: Figure 112: Configuring ATC Interface Attributes

    INTERFACE To configure the response timers for automatic storm control: Click Traffic, Congestion Control, Automatic Storm Control. Select Configure Interface from the Step field. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
  • Page 239: Class Of Service

    Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 240: Selecting The Queue Mode

    frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. ◆ If the output port is an untagged member of the associated VLAN,...
  • Page 241 | Class of Service: Layer 2 Queue Settings | COMMAND USAGE ◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. ◆ WRR queuing specifies a relative weight for each queue. WRR uses a...
  • Page 242: Figure 114: Setting The Queue Mode (Strict)

    ◆ Weight – Sets a weight for each queue which is used by the WRR scheduler. (Range: 1-255; Default: Weights 1, 2, 4 and 6 are assigned to queues 0 - 3 respectively) INTERFACE To configure the queue mode: Click Traffic, Priority, Queue.
  • Page 243: Mapping CoS Values to Egress Queues

    Figure 116: Setting the Queue Mode (Strict and WRR). Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on exact manner in which the ingress priority tags are...
  • Page 244: Table 16: Mapping Internal Per-Hop Behavior To Hardware Queues

    Table 15: CoS Priority Levels (Continued). Columns: Priority Level, Traffic Type. Traffic types listed: Voice, less than 10 milliseconds latency and jitter; Network Control. CLI REFERENCES ◆ "qos map phb-queue" on page 865 COMMAND USAGE ◆ Egress packets are placed into the hardware queues according to the...
  • Page 245: Layer 3/4 Priority Settings

    Figure 117: Mapping CoS Values to Egress Queues. To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Figure 118: Showing CoS Values to Egress Queue Mapping...
  • Page 246: Setting Priority Processing to DSCP or CoS

    The default settings used for mapping priority values from ingress traffic to internal DSCP values are used to determine the hardware queues used for egress traffic, not to replace the priority values. These defaults are designed to optimize priority services for the majority of network applications.
  • Page 247: Mapping Ingress DSCP Values to Internal DSCP Values

    Set the trust mode. Click Apply. Figure 119: Setting the Trust Mode. Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing.
  • Page 248: Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values

    PARAMETERS These parameters are displayed: ◆ DSCP – DSCP value in ingress packets. (Range: 0-63) ◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7) ◆ Drop Precedence – Drop precedence used for Random Early Detection...
  • Page 249: Mapping CoS Priorities to Internal DSCP Values

    To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list. Figure 121: Showing DSCP to DSCP Internal Mapping. Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for...
  • Page 250: Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence

    PARAMETERS These parameters are displayed: ◆ CoS – CoS value in ingress packets. (Range: 0-7) ◆ CFI – Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format.
  • Page 251: Figure 123: Showing CoS to DSCP Internal Mapping

    To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Figure 123: Showing CoS to DSCP Internal Mapping...
  • Page 253: Quality Of Service

    This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 254: Configuring A Class Map

    COMMAND USAGE To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 255: Figure 124: Configuring A Class Map

    ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the...
  • Page 256: Figure 125: Showing Class Maps

    To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 125: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 257: Creating QoS Policies

    To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 127: Showing the Rules for a Class Map. Use the Traffic >...
  • Page 258 | Quality of Service: Creating QoS Policies | conforming to the maximum throughput, or exceeding the maximum throughput. srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
  • Page 259 | Quality of Service: Creating QoS Policies | When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: ■ If the packet has been precolored as green and Tc(t)-B ≥ 0, the...
  • Page 260 | Quality of Service: Creating QoS Policies | count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode: If Tp(t)-B <...
  • Page 261 | Quality of Service: Creating QoS Policies | Add Rule ◆ Policy Name – Name of policy map. ◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. ◆ Action – This attribute is used to set an internal QoS value in hardware...
  • Page 262 | Quality of Service: Creating QoS Policies | ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. ■ Violate –...
  • Page 263 | Quality of Service: Creating QoS Policies | ■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of...
  • Page 264: Figure 128: Configuring A Policy Map

    ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. ■ Exceed –...
  • Page 265: Figure 129: Showing Policy Maps

    To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 129: Showing Policy Maps. To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 266: Figure 130: Adding Rules To A Policy Map

    | Quality of Service / Creating QoS Policies: Figure 130: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 131: Showing the Rules for a Policy Map –...
  • Page 267: Attaching A Policy Map To A Port

    | Quality of Service / Attaching a Policy Map to a Port: Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI References: "Quality of Service Commands" on page 869...
  • Page 268 | Quality of Service / Attaching a Policy Map to a Port
  • Page 269: VoIP Traffic Configuration

    VoIP Traffic Configuration: This chapter covers the following topics: Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. Telephony OUI List – Configures the list of phones to be treated as VOIP...
  • Page 270: Configuring Voip Traffic

    | VoIP Traffic Configuration / Configuring VoIP Traffic: Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
  • Page 271: Configuring Telephony Oui

    | VoIP Traffic Configuration / Configuring Telephony OUI: Figure 133: Configuring a Voice VLAN. Configuring Telephony OUI: VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses.
  • Page 272: Configuring Voip Traffic Ports

    | VoIP Traffic Configuration / Configuring VoIP Traffic Ports: Enter a description for the devices. Click Apply. Figure 134: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list.
  • Page 273 | VoIP Traffic Configuration / Configuring VoIP Traffic Ports: first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs" on page 171). Parameters: These parameters are displayed: Mode – Specifies if the port will be added to the Voice VLAN when VoIP...
  • Page 274: Figure 136: Configuring Port Settings For A Voice Vlan

    | VoIP Traffic Configuration / Configuring VoIP Traffic Ports: be removed from voice VLAN when VoIP traffic is no longer received on the port. Alternatively, if you clear the MAC address table manually, then the switch will also start counting down the Remaining Age. Interface: To configure VoIP traffic settings for a port: Click Traffic, VoIP.
  • Page 275: Security Measures

    Security Measures: You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 276: Aaa Authorization And Accounting

    | Security Measures / AAA Authorization and Accounting: DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. DoS Protection – Protects against Denial-of-Service attacks. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 277: Configuring Local/Remote Logon Authentication

    | Security Measures / AAA Authorization and Accounting: Define RADIUS and TACACS+ server groups to support the accounting and authorization of services. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use.
  • Page 278: Configuring Remote Logon Authentication Servers

    | Security Measures / AAA Authorization and Accounting: TACACS – User authentication is performed using a TACACS+ server only. [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication.
  • Page 279 | Security Measures / AAA Authorization and Accounting: packet from the client to the server, while TACACS+ encrypts the entire body of the packet. CLI References: "RADIUS Client" on page 614; "TACACS+ Client" on page 618; "AAA" on page 621...
  • Page 280 | Security Measures / AAA Authorization and Accounting: Authentication Retries – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) Set Key – Mark this box to set or modify the encryption key...
  • Page 281: Figure 139: Configuring Remote Authentication Server (Radius)

    | Security Measures / AAA Authorization and Accounting: When specifying the priority sequence for a server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 277). Interface: To configure the parameters for RADIUS or TACACS+ authentication: Click Security, AAA, Server.
  • Page 282: Figure 140: Configuring Remote Authentication Server (Tacacs+)

    | Security Measures / AAA Authorization and Accounting: Figure 140: Configuring Remote Authentication Server (TACACS+). To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list.
  • Page 283: Configuring Aaa Accounting

    | Security Measures / AAA Authorization and Accounting: To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 142: Showing AAA Server Groups. Use the Security >...
  • Page 284 | Security Measures / AAA Authorization and Accounting: Exec – Administrative accounting for local console, Telnet, or SSH connections. Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined.
  • Page 285: Figure 143: Configuring Global Settings For Aaa Accounting

    | Security Measures / AAA Authorization and Accounting: Show Information – Statistics. User Name - Displays a registered user name. Accounting Type - Displays the accounting service. Interface - Displays the receive port number through which this user...
  • Page 286 | Security Measures / AAA Authorization and Accounting: To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list. Select the accounting type (802.1X, Exec).
  • Page 287: Figure 146: Configuring Aaa Accounting Service For 802.1X Service

    | Security Measures / AAA Authorization and Accounting: To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list. Select the accounting type (802.1X, Exec).
  • Page 288: Figure 148: Displaying A Summary Of Applied Aaa Accounting Methods

    | Security Measures / AAA Authorization and Accounting: To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary. Figure 148: Displaying a Summary of Applied AAA Accounting Methods. To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting.
  • Page 289: Configuring Aaa Authorization

    | Security Measures / AAA Authorization and Accounting: Configuring AAA Authorization: Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI References: "AAA"...
  • Page 290 | Security Measures / AAA Authorization and Accounting: Interface - Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group has not been assigned to an interface.) Interface: To configure the authorization method applied to the Exec service type and the assigned server group:...
  • Page 291: Figure 152: Configuring Aaa Authorization Methods For Exec Service

    | Security Measures / AAA Authorization and Accounting: To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 152: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization.
  • Page 292: Configuring User Accounts

    | Security Measures / Configuring User Accounts: Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: "User Accounts" on page 609. Command Usage: The default guest name is “guest”...
  • Page 293: Figure 154: Configuring User Accounts

    | Security Measures / Configuring User Accounts: Interface: To configure user accounts: Click Security, User Accounts. Select Add from the Action list. Specify a user name, select the user's access level, then enter a password if required and confirm it. Click Apply.
  • Page 294: Web Authentication

    | Security Measures / Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.
  • Page 295: Configuring Global Settings For Web Authentication

    | Security Measures / Web Authentication: Interface: To configure global parameters for web authentication: Click Security, Web Authentication. Select Configure Global from the Step list. Enable web authentication globally on the switch, and adjust any of the protocol parameters as required. Click Apply.
  • Page 296: Configuring Interface Settings For Web Authentication

    | Security Measures / Network Access (MAC Address Authentication): Interface: To enable web authentication for a port: Click Security, Web Authentication. Select Configure Interface from the Step list. Set the status box to enabled for any port that requires web authentication, and click Apply. Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate.
  • Page 297: Table 19: Dynamic Qos Profiles

    | Security Measures / Network Access (MAC Address Authentication): to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.
  • Page 298 | Security Measures / Network Access (MAC Address Authentication): Table 19: Dynamic QoS Profiles (Continued). Profile | Attribute Syntax | Example; IP ACL | ip-access-group-in=ip-acl-name | ip-access-group-in=ipv4acl; IPv6 ACL | ipv6-access-group-in=ipv6-acl-name | ipv6-access-group-in=ipv6acl; MAC ACL | mac-access-group-in=mac-acl-name | mac-access-group-in=macAcl. Multiple profiles can be specified in the Filter-ID attribute by using a...
  • Page 299 | Security Measures / Network Access (MAC Address Authentication): Configuring Global Settings for Network Access: MAC address authentication is configured on a per-port basis, however there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
  • Page 300: Configuring Global Settings For Network Access

    | Security Measures / Network Access (MAC Address Authentication): Interface: To configure aging status and reauthentication time for MAC address authentication: Click Security, Network Access. Select Configure Global from the Step list. Enable or disable aging for secure addresses, and modify the reauthentication time as required.
  • Page 301 | Security Measures / Network Access (MAC Address Authentication): Network Access Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication (including Network Access and IEEE 802.1X). (Range: 1-1024;...
  • Page 302: Figure 159: Configuring Interface Settings For Network Access

    | Security Measures / Network Access (MAC Address Authentication): Click Apply. Figure 159: Configuring Interface Settings for Network Access. Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
  • Page 303: Figure 160: Configuring Link Detection For Network Access

    | Security Measures / Network Access (MAC Address Authentication): Interface: To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
  • Page 304: Configuring A Mac Address Filter

    | Security Measures / Network Access (MAC Address Authentication): MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 305 | Security Measures / Network Access (MAC Address Authentication): Displaying Secure MAC Address Information: Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
  • Page 306: Configuring Https

    | Security Measures / Configuring HTTPS: Figure 163: Showing Addresses Authenticated for Network Access. Configuring HTTPS: You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 307: Table 20: Https System Support

    | Security Measures / Configuring HTTPS: The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6.x or above, or Mozilla Firefox 4.x or above. The following web browsers and operating systems currently support...
  • Page 308: Replacing The Default Secure-Site Certificate

    | Security Measures / Configuring HTTPS: Figure 164: Configuring HTTPS. Replacing the Default Secure-site Certificate: Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 309: Configuring The Secure Shell

    | Security Measures / Configuring the Secure Shell: Private Key Source File Name – Name of private key file stored on the TFTP server. Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 310 | Security Measures / Configuring the Secure Shell: station clients, and ensures that data traveling over the network arrives unaltered. You need to install an SSH client on the management station to access the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients.
  • Page 311 | Security Measures / Configuring the Secure Shell: 37187721199696317813662774141689851320491172048303392543241016 37997592371449011938006090253948408482717819437228840253311595 2134861022902978982721353267131629432532818915045306393916643 steve@192.168.1.19 Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
  • Page 312: Configuring The Ssh Server

    | Security Measures / Configuring the Secure Shell: If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request. The client sends a signature generated using the private key to the switch.
  • Page 313: Figure 166: Configuring The Ssh Server

    | Security Measures / Configuring the Secure Shell: The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits. Interface: To configure the SSH server: Click Security, SSH.
  • Page 314: Figure 167: Generating The Ssh Host Key Pair

    | Security Measures / Configuring the Secure Shell: Parameters: These parameters are displayed: Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both; Default: Both) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data...
  • Page 315: Figure 168: Showing The Ssh Host Key Pair

    | Security Measures / Configuring the Secure Shell: Select Show from the Action list. Select the host-key type to clear. Click Clear. Figure 168: Showing the SSH Host Key Pair. Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch.
  • Page 316: Figure 169: Copying The Ssh User's Public Key

    | Security Measures / Configuring the Secure Shell: TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import. Source File Name – The public key file to upload...
  • Page 317: Access Control Lists

    | Security Measures / Access Control Lists: Figure 170: Showing the SSH User’s Public Key. Access Control Lists: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type).
  • Page 318 | Security Measures / Access Control Lists: Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently. Without compression, one ACE would occupy a fixed number of entries in TCAM. So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in TCAM, where “n”...
  • Page 319: Showing Tcam Utilization

    | Security Measures / Access Control Lists: Interface: To show information on TCAM utilization: Click Security, ACL. Select Configure ACL from the Step list. Select Show TCAM from the Action list. Figure 171: Showing TCAM Utilization. Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI R...
  • Page 320: Figure 172: Creating An Acl

    | Security Measures / Access Control Lists: Interface: To configure the name and type of an ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add from the Action list. Fill in the ACL Name field, and select the ACL type. Click Apply.
  • Page 321 | Security Measures / Access Control Lists: Parameters: These parameters are displayed: Type – Selects the type of ACLs to show in the Name list. Name – Shows the names of ACLs matching the selected type. Action – An ACL can contain any combination of rules which permit or...
  • Page 322: Table 21: Priority Bits Processed By Extended Ipv4 Acl

    | Security Measures / Access Control Lists: Figure 174: Configuring a Standard IPv4 ACL. Configuring an Extended IPv4 ACL: Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI References: "permit, deny, redirect-to (Extended IPv4 ACL)"...
  • Page 323 | Security Measures / Access Control Lists: Interface – The unit and port to which a packet is redirected. (This switch does not support stacking, so the unit is fixed at 1.) Source/Destination Address Type – Specifies the source or...
  • Page 324: Configuring An Extended Ipv4 Acl

    | Security Measures / Access Control Lists: Both SYN and ACK valid, use control-code 18, control bit mask 18. SYN valid and ACK invalid, use control-code 2, control bit mask 18. Time Range – Name of a time range...
  • Page 325 | Security Measures / Access Control Lists: Configuring a MAC ACL: Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI References: "permit, deny, redirect-to (MAC ACL)"...
  • Page 326: Configuring A Mac Acl

    | Security Measures / Access Control Lists: Time Range – Name of a time range. Interface: To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list.
  • Page 327 | Security Measures / Access Control Lists: Configuring an ARP ACL: Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 328: Figure 177: Configuring A Arp Acl

    | Security Measures / Access Control Lists: Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny). Select the packet type (Request, Response, All). Select the address type (Any, Host, or IP).
  • Page 329: Figure 178: Binding A Port To An Acl

    | Security Measures / Access Control Lists: Command Usage: This switch supports ACLs for ingress filtering only. You only bind one ACL to any port for ingress filtering. Parameters: These parameters are displayed: Type – Selects the type of ACLs to bind to a port...
  • Page 330: Arp Inspection

    | Security Measures / ARP Inspection: ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination.
  • Page 331 | Security Measures / ARP Inspection: Configuring Global Settings for ARP Inspection: Use the Security > ARP Inspection (Configure General) page to enable ARP inspection globally for the switch, to validate address information in each packet, and configure logging. CLI References: "ARP Inspection"...
  • Page 332 | Security Measures / ARP Inspection: If the log buffer is full, the oldest entry will be replaced with the newest entry. Parameters: These parameters are displayed: ARP Inspection Status – Enables ARP Inspection globally. (Default: Disabled) ARP Inspection Validation – Enables extended ARP Inspection...
  • Page 333: Configuring Global Settings For Arp Inspection

    | Security Measures / ARP Inspection: Figure 179: Configuring Global Settings for ARP Inspection. Configuring VLAN Settings for ARP Inspection: Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use. CLI R...
  • Page 334: Configuring Vlan Settings For Arp Inspection

    | Security Measures / ARP Inspection: ARP Inspection ACL Name: ARP ACL – Allows selection of any configured ARP ACLs. (Default: None) Static – When an ARP ACL is selected, and static mode also selected, the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database.
  • Page 335: Configuring Interface Settings For Arp Inspection

    | Security Measures / ARP Inspection: By default, all untrusted ports are subject to ARP packet rate limiting, and all trusted ports are exempt from ARP packet rate limiting. Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded, while those arriving on untrusted interfaces are subject to all configured ARP inspection tests.
  • Page 336: Table 22: Arp Inspection Statistics

    | Security Measures / ARP Inspection: Displaying ARP Inspection Statistics: Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons. CLI References: "show ip arp inspection statistics" on page 707...
  • Page 337: Table 23: Arp Inspection Log

    | Security Measures / ARP Inspection: Interface: To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Statistics from the Action list. Figure 182: Displaying Statistics for ARP Inspection. Displaying the ARP Inspection Log: Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated...
  • Page 338: Displaying The Arp Inspection Log

    | Security Measures / Filtering IP Addresses for Management Access: Interface: To display the ARP Inspection log: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Log from the Action list. Figure 183: Displaying the ARP Inspection Log. Filtering IP Addresses for...
  • Page 339: Figure 184: Creating An Ip Address Filter For Management Access

    | Security Measures / Filtering IP Addresses for Management Access: You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Parameters: These parameters are displayed: Mode: Web –...
  • Page 340: Configuring Port Security

    | Security Measures / Configuring Port Security: To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 185: Showing IP Addresses Authorized for Management Access. Configuring Port Security: Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
  • Page 341 | Security Measures / Configuring Port Security: If port security is enabled, and the maximum number of allowed addresses are set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
  • Page 342: Configuring 802.1X Port Authentication

    | Security Measures / Configuring 802.1X Port Authentication: Figure 186: Setting the Maximum Address Count for Port Security. To enable port security: Click Security, Port Security. Set the action to take when an invalid address is detected on a port. Mark the check box in the Security Status column to enable security.
  • Page 343: Figure 188: Configuring Port Security

    | Security Measures / Configuring 802.1X Port Authentication: remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server.
  • Page 344 | Security Measures / Configuring 802.1X Port Authentication: The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) The RADIUS server and client also have to support the same EAP...
  • Page 345: Configuring 802.1X Global Settings

    | Security Measures / Configuring 802.1X Port Authentication: Confirm Profile Password – This field is used to confirm the dot1x supplicant password. Interface: To configure global settings for 802.1X: Click Security, Port Authentication. Select Configure Global from the Step list. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required.
  • Page 346 | Security Measures / Configuring 802.1X Port Authentication: clients through the remote authenticator (see "Configuring Port Supplicant Settings for 802.1X" on page 349). This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on this configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page.
  • Page 347 | Security Measures / Configuring 802.1X Port Authentication: MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated. In this mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
  • Page 348 | Security Measures / Configuring 802.1X Port Authentication: Intrusion Action – Sets the port’s response to a failed authentication. Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.) Guest VLAN – All traffic for the port is assigned to a guest VLAN...
  • Page 349: Configuring Port Supplicant Settings For 802.1X

    | Security Measures / Configuring 802.1X Port Authentication: Figure 190: Configuring Interface Settings for 802.1X Port Authenticator. Configuring Port Supplicant Settings for 802.1X: Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
  • Page 350 | Security Measures / Configuring 802.1X Port Authentication: Command Usage: When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 344) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate...
  • Page 351: Displaying 802.1X Statistics

    | Security Measures / Configuring 802.1X Port Authentication: Interface: To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply. Figure 191: Configuring Interface Settings for 802.1X Port Supplicant. Use the Security >...
  • Page 352 | Security Measures / Configuring 802.1X Port Authentication: Table 24: 802.1X Statistics (Continued). Parameter | Description; Rx EAPOL Total | The number of valid EAPOL frames of any type that have been received by this Authenticator; Rx Last EAPOLVer | The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
  • Page 353: Figure 192: Showing Statistics For 802.1X Port Authenticator

    Web Interface. To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 192: Showing Statistics for 802.1X Port Authenticator. To display port supplicant statistics for 802.1X: Click Security, Port Authentication.
  • Page 354: Ip Source Guard

    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 355 ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
  • Page 356: Configuring Static Bindings For Ip Source Guard

    Figure 194: Setting the Filter Type for IP Source Guard. Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port...
  • Page 357 ◆ MAC Address – A valid unicast MAC address. ◆ IP Address – A valid unicast IP address, including classful types A, B or C. Show: ◆ VLAN – VLAN to which this entry is bound...
  • Page 358: Displaying Information For Dynamic Ip Source Guard Bindings

    Figure 196: Displaying Static Bindings for IP Source Guard. Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. ...
  • Page 359: Dhcp Snooping

    Web Interface. To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query. Figure 197: Showing the IP Source Guard Binding Table. DHCP Snooping: The addresses assigned to DHCP clients on insecure ports can be carefully...
  • Page 360 ◆ The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. ◆ When DHCP snooping is enabled, DHCP messages entering an...
  • Page 361 DHCP server, any packets received from untrusted ports are dropped. DHCP Snooping Option 82: ◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 362: Dhcp Snooping Global Configuration

    Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. CLI References ◆ "DHCP Snooping" on page 685...
  • Page 363: Dhcp Snooping Vlan Configuration

    Figure 198: Configuring Global Settings for DHCP Snooping. Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI References ◆ "ip dhcp snooping vlan"...
  • Page 364: Configuring Ports For Dhcp Snooping

    Web Interface. To configure global settings for DHCP Snooping: Click IP Service, DHCP, Snooping. Select Configure VLAN from the Step list. Enable DHCP Snooping on any existing VLAN. Click Apply. Figure 199: Configuring DHCP Snooping on a VLAN. Use the IP Service >...
  • Page 365: Displaying Dhcp Snooping Binding Information

    Web Interface. To configure global settings for DHCP Snooping: Click IP Service, DHCP, Snooping. Select Configure Interface from the Step list. Set any ports within the local network or firewall to trusted. Click Apply. Figure 200: Configuring the Port Mode for DHCP Snooping. Use the IP Service >...
  • Page 366: Dos Protection

    dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
  • Page 367: Figure 202: Setting Action For Packets With Layer 4 Port Set To Zero

    Parameters. These parameters are displayed: ◆ TCP/UDP Port-Zero Status – Protects against DoS attacks in which the UDP or TCP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device.
  • Page 369: Basic Administration Protocols

    Basic Administration Protocols. This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 370: Table 25: Logging Levels

    The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM. CLI References "Event Logging"...
  • Page 371: Figure 203: Configuring Settings For System Memory Logs

    Web Interface. To configure the logging of error messages to system memory: Click Administration, Log, System. Select Configure Global from the Step list. Enable or disable system logging, set the level of event messages to be logged to flash memory and RAM.
  • Page 372: Remote Log Configuration

    Figure 204: Showing Error Messages Logged to System Memory. Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
  • Page 373: Sending Simple Mail Transfer Protocol Alerts

    Web Interface. To configure the logging of error messages to remote servers: Click Administration, Log, Remote. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. Click Apply.
  • Page 374: Figure 206: Configuring General Settings For Smtp Alert Messages

    identifies the switch, or the address of an administrator responsible for the switch. ◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients. Configure Server: Host Name/IP Address –...
  • Page 375: Figure 207: Specifying Smtp Servers

    To specify SMTP servers: Click Administration, Log, SMTP. Select Configure Server from the Step list. Select Add from the Action list. Specify the host name or IP address of an SMTP server. If authentication is enabled, specify the name and password for a user configured on the SMTP server.
  • Page 376: Link Layer Discovery Protocol

    Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 377 objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval. Reinitialization Delay –...
  • Page 378: Configuring Lldp Interface Attributes

    Figure 209: Configuring LLDP Timing Attributes. Use the Administration > LLDP (Configure Interface – Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 379 ◆ MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Enabled) ◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. Management Address –...
  • Page 380 ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 167). ■ VLAN Name – The name of all VLANs to which this interface has...
  • Page 381 ◆ MED-Location Civic Address – Configures information for the location of the attached device included in the MED TLV field of advertised messages, including the country and the device type. ■ Country – The two-letter ISO 3166 country code in capital ASCII...
  • Page 382: Configuring Lldp Interface Civic-Address

    Figure 210: Configuring LLDP Interface Attributes. Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface. ...
  • Page 383: Figure 211: Configuring The Civic Address For An Lldp Interface

    Table 26: LLDP MED Location CA Types (Continued). CA Type Description CA Value Example House number House number suffix Landmark or vanity address Tech Center Unit (apartment, suite) Apt 519 Floor Room 509B. Any number of CA type and value pairs can be specified for the civic...
  • Page 384: Displaying Lldp Local Device Information

    To show the physical location of the attached device: Click Administration, LLDP. Select Configure Interface from the Step list. Select Show CA-Type from the Action list. Select an interface from the Port or Trunk list. Figure 212: Showing the Civic Address for an LLDP Interface. Use the Administration >...
  • Page 385: Table 27: Chassis Id Subtype

    Table 27: Chassis ID Subtype. ID Basis: Reference. Chassis component: EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737). Interface alias: IfAlias (IETF RFC 2863). Port component: EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’...
  • Page 386: Figure 213: Displaying Local Device Information For Lldp (General)

    Interface Settings. The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk. ◆ Port/Trunk Description – A string that indicates the port or trunk...
  • Page 387: Displaying Lldp Remote Device Information

    Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
  • Page 388 Table 29: Port ID Subtype (Continued). ID Basis: Reference. Port component: EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737). MAC address: MAC address (IEEE Std 802-2001). Network address: networkAddress. Interface name: ifName (IETF RFC 2863).
  • Page 389: Table 30: Remote Port Auto-Negotiation Advertised Capability

    Port Details – 802.3 Extension Port Information. ◆ Remote Port Auto-Neg Supported – Shows whether the given port (associated with remote system) supports auto-negotiation. ◆ Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the...
  • Page 390 ◆ Remote Power Pairs – “Signal” means that the signal pairs only are in use, and “Spare” means that the spare pairs only are in use. ◆ Remote Power MDI Supported – Shows whether MDI power is...
  • Page 391: Figure 215: Displaying Remote Device Information For Lldp (Port)

    Figure 215: Displaying Remote Device Information for LLDP (Port). Figure 216: Displaying Remote Device Information for LLDP (Port Details).
  • Page 392: Displaying Device Statistics

    Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces. CLI References "show lldp info statistics"...
  • Page 393: Power Over Ethernet

    Web Interface. To display statistics for LLDP-capable devices attached to the switch: Click Administration, LLDP. Select Show Device Statistics from the Step list. Select General, Port, or Trunk. Figure 217: Displaying LLDP Device Statistics (General). Figure 218: Displaying LLDP Device Statistics (Port). Power Over Ethernet...
  • Page 394: Displaying The Switch's Overall Poe Power Budget

    The switch’s power management enables individual port power to be controlled within the switch’s power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its power budget.
  • Page 395: Setting The Port Poe Power Budget

    Web Interface. To set the overall PoE power budget for switch: Click Administration, PoE. Select Configure Global from the Step list. Figure 219: Showing the Switch’s PoE Budget. Use the Administration > PoE (Configure Interface) page to set the maximum power provided to a port.
  • Page 396 ■ If a device is connected to a low-priority port and causes the switch to exceed its budget, power to this port is not turned on. ■ If a device is connected to a critical or high-priority port and would...
  • Page 397: Simple Network Management Protocol

    Figure 220: Setting a Port’s PoE Budget. Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
  • Page 398: Table 31: Snmpv3 Security Models And Levels

    Table 31: SNMPv3 Security Models and Levels. Model Level Group Read View Write View Notify View Security noAuthNoPriv public defaultview none none Community string only (read only) noAuthNoPriv private defaultview defaultview none Community string only (read/write)
  • Page 399: Configuring Global Settings For Snmp

    Use the Administration > SNMP (Configure Engine) page to change the local engine ID. If you want to change the default engine ID, it must be changed before configuring other parameters. Use the Administration >...
  • Page 400: Setting The Local Engine Id

    Figure 221: Configuring Global Settings for SNMP. Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch.
  • Page 401: Specifying A Remote Engine Id

    Figure 222: Configuring the Local Engine ID for SNMP. Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device...
  • Page 402: Setting Snmpv3 Views

    Click Apply. Figure 223: Configuring a Remote Engine ID for SNMP. To show the remote SNMP engine IDs: Click Administration, SNMP. Select Configure Engine from the Step list. Select Show Remote Engine from the Action list. Figure 224: Showing Remote Engine IDs for SNMP. Use the Administration >...
  • Page 403: Figure 225: Creating An Snmp View

    ◆ Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view. Add OID Subtree: ◆ View Name – Lists the SNMP views configured in the Add View page...
  • Page 404: Figure 226: Showing Snmp Views

    Figure 226: Showing SNMP Views. To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Add OID Subtree from the Action list. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
  • Page 405: Configuring Snmpv3 Groups

    Figure 228: Showing the OID Subtree Configured for SNMP Views. Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views.
  • Page 406 Table 32: Supported Notification Messages. Model Level Group. RFC 1493 Traps: newRoot (1.3.6.1.2.1.17.0.1): The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer...
  • Page 407 Table 32: Supported Notification Messages (Continued). Model Level Group. Private Traps: swPowerStatusChangeTrap (1.3.6.1.4.1.259.10.1.38.2.1.0.1): This trap is sent when the power state changes. swFanFailureTrap (1.3.6.1.4.1.259.10.1.38.2.1.0.17): This trap is sent when the fan fails. swFanRecoverTrap (1.3.6.1.4.1.259.10.1.38.2.1.0.18): This trap is sent when fan failure has...
  • Page 408 Table 32: Supported Notification Messages (Continued). Model Level Group. swCpuUtiFallingNotification (1.3.6.1.4.1.259.10.1.38.2.1.0.108): This notification indicates that the CPU utilization has fallen from cpuUtiRisingThreshold to cpuUtiFallingThreshold. swMemoryUtiRisingThresholdNotification (1.3.6.1.4.1.259.10.1.38.2.1.0.109): This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to memoryUtiRisingThreshold.
  • Page 409: Figure 229: Creating An Snmp Group

    Web Interface. To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 410: Setting Community Access Strings

    Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 411: Configuring Local Snmpv3 Users

    To show the community access strings: Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list. Figure 232: Showing Community Access Strings. Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify...
  • Page 412 ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters...
  • Page 413: Configuring Remote Snmpv3 Users

    To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list. Figure 234: Showing Local SNMPv3 Users. Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from...
  • Page 414 ◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model: ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 415: Specifying Trap Managers

    Figure 235: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 236: Showing Remote SNMPv3 Users. Use the Administration >...
  • Page 416 Command Usage ◆ Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt.
  • Page 417 SNMP Version 2c: ◆ IP Address – IP address of a new management station to receive notification message (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications using SNMP v1, v2c,...
  • Page 418 ■ Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3) ◆ Local User Name – The name of a local user which is used to identify...
  • Page 419: Figure 237: Configuring Trap Managers (Snmpv1)

    Figure 237: Configuring Trap Managers (SNMPv1). Figure 238: Configuring Trap Managers (SNMPv2c). Figure 239: Configuring Trap Managers (SNMPv3). To show configured notification managers: Click Administration, SNMP. Select Configure Trap from the Step list.
  • Page 420: Remote Monitoring

    Select Show from the Action list. Figure 240: Showing Notification Managers. Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 421 Command Usage ◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made. Parameters. These parameters are displayed: ◆ Index – Index to this entry. (Range: 1-65535)...
  • Page 422: Figure 241: Configuring An Rmon Alarm

    ◆ Owner – Name of the person who created this entry. (Range: 1-127 characters) Web Interface. To configure an RMON alarm: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Alarm.
  • Page 423: Configuring Rmon Events

    Figure 242: Showing Configured RMON Alarms. Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
  • Page 424: Figure 243: Configuring An Rmon Event

    ■ Log and Trap – Logs the event and sends a trap message. ◆ Community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see "Setting Community Access Strings"...
  • Page 425: Configuring Rmon History Samples

    Select Show from the Action list. Click Event. Figure 244: Showing Configured RMON Events. Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
  • Page 426: Figure 245: Configuring An Rmon History Sample

    Parameters. These parameters are displayed: ◆ Port – The port number on the switch. ◆ Index - Index to this entry. (Range: 1-65535) ◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800...
  • Page 427: Figure 246: Showing Configured Rmon History Samples

    To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History. Figure 246: Showing Configured RMON History Samples. To show collected RMON history samples: Click Administration, RMON.
  • Page 428: Configuring Rmon Statistical Samples

    Figure 247: Showing Collected RMON History Samples. Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
  • Page 429: Figure 248: Configuring An Rmon Statistical Sample

    Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply. Figure 248: Configuring an RMON Statistical Sample. To show configured RMON statistical samples: Click Administration, RMON.
  • Page 430: Switch Clustering

    Select Show Details from the Action list. Select a port from the list. Click Statistics. Figure 250: Showing Collected RMON Statistical Samples. Switch clustering is a method of grouping switches together to enable centralized management through a single unit.
  • Page 431: Configuring General Settings For Clusters

    manually selected by the administrator through the management station. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a member of one cluster...
  • Page 432: Cluster Member Configuration

    ◆ Number of Members – The current number of Member switches in the cluster. ◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members. Web Interface. To configure a switch cluster: Click Administration, Cluster.
  • Page 433: Figure 252: Configuring A Cluster Members

    Web Interface. To configure cluster members: Click Administration, Cluster. Select Configure Member from the Step list. Select Add from the Action list. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
  • Page 434: Managing Cluster Members

    Figure 254: Showing Cluster Candidates. Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. CLI References ◆ "Switch Clustering" on page 575. Parameters. These parameters are displayed: Member ID –...
  • Page 435: Setting a Time Range

    Figure 255: Managing a Cluster Member. Use the Administration > Time Range page to set a time range for ACLs. CLI References ◆ "Time Range" on page 572. Command Usage: If both an absolute rule and one or more periodic rules are configured for...
  • Page 436: Figure 256: Setting The Name Of A Time Range

    Web Interface. To configure a time range: Click Administration, Time Range. Select Add from the Action list. Enter the name of a time range. Click Apply. Figure 256: Setting the Name of a Time Range. To show a list of time ranges: Click Administration, Time Range.
  • Page 437: Figure 258: Add A Rule To A Time Range

    Figure 258: Add a Rule to a Time Range To show the rules configured for a time range: Click Administration, Time Range. Select Show Rule from the Action list. Figure 259: Showing the Rules Configured for a Time Range
  • Page 439: Ip Configuration

    IP CONFIGURATION This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 440 | IP Configuration | Using the Ping Function: COMMAND USAGE ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten...
  • Page 441: Address Resolution Protocol

    ADDRESS RESOLUTION PROTOCOL The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP frame is received by this switch (or any standards-based switch/router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
  • Page 442: Displaying Arp Entries

    The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the switch may tie up resources by repeating ARP requests for addresses recently flushed from the table. When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
  • Page 443: Setting The Switch's Ip Address (Ip Version 4)

    SETTING THE SWITCH’S IP ADDRESS (IP VERSION 4) Use the System > IP page to configure an IPv4 address for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
  • Page 444: Figure 263: Configuring A Static Ipv4 Address

    WEB INTERFACE To set a static address for the switch: Click System, IP. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway.
  • Page 445: Setting The Switch's Ip Address (Ip Version 6)

    The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.
  • Page 446: Configuring Ipv6 Interface Settings

    ■ An IPv6 default gateway must be defined if the management station is located in a different IPv6 segment. ■ An IPv6 default gateway can only be successfully set when a...
  • Page 447 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): PARAMETERS These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 448 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): ◆ ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600, Default: 3) ■ Configuring a value of 0 disables duplicate address detection....
  • Page 449: Figure 266: Configuring General Settings For An Ipv6 Interface

    (M flag) and Other Stateful Configuration flag (O flag) received in Router Advertisement messages will determine the information this switch should attempt to acquire from the DHCPv6 server as described below.
  • Page 450: Configuring An Ipv6 Address

    CONFIGURING AN IPV6 ADDRESS Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network. CLI REFERENCES ◆ "IPv6 Interface" on page 970...
  • Page 451 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): PARAMETERS These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 452: Showing Ipv6 Addresses

    ■ Link Local – Configures an IPv6 link-local address. ■ The address prefix must be in the range of FE80~FEBF. ■ You can configure only one link-local address per interface....
  • Page 453 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): ◆ IP Address – An IPv6 address assigned to this interface. In addition to the unicast addresses assigned to an interface, a host is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope).
  • Page 454: Showing The Ipv6 Neighbor Cache

    WEB INTERFACE To show the configured IPv6 addresses: Click IP, IPv6 Configuration. Select Show IPv6 Address from the Action list. Select a VLAN from the list. Figure 268: Showing Configured IPv6 Addresses Use the IP >...
  • Page 455: Figure 269: Showing Ipv6 Neighbors

    Table 34: Show IPv6 Neighbors - display description (Continued) Field Description State The following states are used for dynamic entries: ◆ Incomplete - Address resolution is being carried out on the entry....
  • Page 456: Showing Ipv6 Statistics

    SHOWING IPV6 STATISTICS Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI REFERENCES ◆ "show ipv6 traffic" on page 983...
  • Page 457 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): Table 35: Show IPv6 Statistics - display description (Continued) Field Description Address Errors The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 458 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): Table 35: Show IPv6 Statistics - display description (Continued) Field Description Generated Fragments The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 459 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): Table 35: Show IPv6 Statistics - display description (Continued) Field Description ICMPv6 Transmitted Output The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.
  • Page 460 | IP Configuration | Setting the Switch’s IP Address (IP Version 6): WEB INTERFACE To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP. Figure 270: Showing IPv6 Statistics (IPv6) Figure 271: Showing IPv6 Statistics (ICMPv6)
  • Page 461: Showing The Mtu For Responding Destinations

    Figure 272: Showing IPv6 Statistics (UDP) SHOWING THE MTU FOR RESPONDING DESTINATIONS Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 463: Ip Services

    IP SERVICES This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see "DHCP Snooping" on page 359. DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
  • Page 464: Configuring A List Of Domain Names

    WEB INTERFACE To configure general settings for DNS: Click IP Service, DNS, General. Select Configure Global from the Action list. Enable domain lookup, and set the default domain name. Click Apply. Figure 274: Configuring General Settings for DNS CONFIGURING A LIST OF...
  • Page 465: Figure 275: Configuring A List Of Domain Names For Dns

    PARAMETERS These parameters are displayed: Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters) WEB INTERFACE To create a list of domain names: Click IP Service, DNS, General.
  • Page 466: Configuring A List Of Name Servers

    CONFIGURING A LIST OF NAME SERVERS Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI REFERENCES "ip name-server"...
  • Page 467: Configuring Static Dns Host To Address Entries

    To show the list of name servers: Click IP Service, DNS, General. Select Show Name Servers from the Action list. Figure 278: Showing the List of Name Servers for DNS CONFIGURING STATIC DNS H...
  • Page 468: Displaying The Dns Cache

    Click Apply. Figure 279: Configuring Static Entries in the DNS Table To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 280: Showing Static Entries in the DNS Table DISPLAYING THE DNS C...
  • Page 469: Figure 281: Showing Entries In The Dns Cache

    ◆ Flag – The flag is always “4” indicating a cache entry and therefore unreliable. ◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias. IP –...
  • Page 471: Multicast

    MULTICAST FILTERING This chapter describes how to configure the following multicast services: ◆ IGMP – Configuring snooping and query parameters. ◆ Filtering and Throttling – Filtering specified multicast service, or throttling the maximum of multicast groups allowed on an interface. Multicast VLAN Registration (MVR) –...
  • Page 472: Layer 2 Igmp (Snooping And Query)

    device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
  • Page 473 | Multicast Filtering | Layer 2 IGMP (Snooping and Query): IGMP snooping will not function unless a multicast router port is enabled on the switch. This can be accomplished in one of two ways. A static router port can be manually configured (see "Specifying Static Interfaces for a Multicast Router"...
  • Page 474: Configuring Igmp Snooping And Query Parameters

    CONFIGURING IGMP SNOOPING AND QUERY PARAMETERS Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 475 | Multicast Filtering | Layer 2 IGMP (Snooping and Query): ◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 476 | Multicast Filtering | Layer 2 IGMP (Snooping and Query): When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred.
  • Page 477: Specifying Static Interfaces For A Multicast Router

    ◆ IGMP Snooping Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.
  • Page 478 | Multicast Filtering | Layer 2 IGMP (Snooping and Query): CLI REFERENCES ◆ "Static Multicast Routing" on page 906 COMMAND USAGE IGMP Snooping must be enabled globally on the switch (see "Configuring IGMP Snooping and Query Parameters" on page 474) before a multicast router port can take effect.
  • Page 479: Figure 284: Configuring A Static Interface For A Multicast Router

    Figure 284: Configuring a Static Interface for a Multicast Router To show the static interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 480: Assigning Interfaces To Multicast Services

    ASSIGNING INTERFACES TO MULTICAST SERVICES Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 481: Figure 287: Assigning An Interface To A Multicast Service

    Figure 287: Assigning an Interface to a Multicast Service To show the static interfaces assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.
  • Page 482: Setting Igmp Snooping Status Per Interface

    SETTING IGMP SNOOPING STATUS PER INTERFACE Use the Multicast > IGMP Snooping > Interface (Configure) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters" on page 474.
  • Page 483 | Multicast Filtering | Layer 2 IGMP (Snooping and Query): ◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when: ■ Multicast forwarding is disabled on an interface....
  • Page 484 | Multicast Filtering | Layer 2 IGMP (Snooping and Query): If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period.
  • Page 485 | Multicast Filtering | Layer 2 IGMP (Snooping and Query): in report and leave messages sent upstream from the multicast router port. ◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports.
  • Page 486: Figure 290: Configuring Igmp Snooping On An Interface

    ◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 487: Displaying Multicast Groups Discovered By Igmp Snooping

    To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface. Select Show from the Action list. Figure 291: Showing Interface Settings for IGMP Snooping DISPLAYING MULTICAST GROUPS DISCOVERED BY IGMP SNOOPING Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
  • Page 488: Filtering And Throttling Igmp Groups

    Figure 292: Showing Multicast Groups Learned by IGMP Snooping FILTERING AND THROTTLING IGMP GROUPS In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
  • Page 489: Configuring Igmp Filter Profiles

    PARAMETERS These parameters are displayed: ◆ IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch. (Default: Disabled) WEB INTERFACE To enable IGMP filtering and throttling on the switch: Click Multicast, IGMP Snooping, Filter.
  • Page 490: Figure 294: Creating An Igmp Filtering Profile

    Add Multicast Group Range ◆ Profile ID – Selects an IGMP profile to configure. ◆ Start Multicast IP Address – Specifies the starting address of a range of multicast groups. ◆ End Multicast IP Address – Specifies the ending address of a range...
  • Page 491: Figure 296: Adding Multicast Groups To An Igmp Filtering Profile

    To add a range of multicast groups to an IGMP filter profile: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add Multicast Group Range from the Action list. Select the profile to configure, and add a multicast group address or range of addresses.
  • Page 492: Configuring Igmp Filtering And Throttling For Interfaces

    CONFIGURING IGMP FILTERING AND THROTTLING FOR INTERFACES Use the Multicast > IGMP Snooping > Filter (Configure Interface) page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time.
  • Page 493: Multicast Vlan Registration

    WEB INTERFACE To configure IGMP filtering or throttling for a port or trunk: Click Multicast, IGMP Snooping, Filter. Select Configure Interface from the Step list. Select a profile to assign to an interface, then set the maximum number of allowed multicast groups and the throttling response.
  • Page 494 | Multicast Filtering | Multicast VLAN Registration: Figure 299: MVR Concept COMMAND USAGE ◆ General Configuration Guidelines for MVR: Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see "Configuring Global MVR Settings"...
  • Page 495: Configuring Global Mvr Settings

    CONFIGURING GLOBAL MVR SETTINGS Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assign the multicast group address for each of these services to the MVR VLAN.
  • Page 496: Configuring Mvr Interface Status

    WEB INTERFACE To configure global settings for MVR: Click Multicast, MVR. Select Configure General from the Step list. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to participating hosts. Click Apply.
  • Page 497 | Multicast Filtering | Multicast VLAN Registration: ◆ One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for configured MVR groups or for groups which have been statically assigned (see "Assigning Static MVR Multicast Groups to Interfaces"...
  • Page 498: Assigning Static Mvr Multicast Groups To Interfaces

    multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface. ◆ Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 499: Figure 302: Assigning Static Mvr Groups To A Port

    ◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned. ◆ The MVR VLAN cannot be specified as the receiver VLAN for static...
  • Page 500: Displaying Mvr Receiver Groups

    Select the port for which to display this information. Figure 303: Showing the Static MVR Groups Assigned to a Port DISPLAYING MVR RECEIVER GROUPS Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups...
  • Page 501 | Multicast Filtering | Multicast VLAN Registration: Figure 304: Displaying MVR Receiver Groups
  • Page 503: Command Line Interface

    SECTION: COMMAND LINE INTERFACE This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ "General Commands" on page 517 ◆ "System Management Commands" on page 525 ◆ "SNMP Commands"...
  • Page 504 | Command Line Interface: ◆ "Class of Service Commands" on page 857 ◆ "Quality of Service Commands" on page 869 ◆ "Multicast Filtering Commands" on page 887 ◆ "LLDP Commands" on page 921 ◆ "Domain Name Service Commands" on page 945...
  • Page 505: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the ECS3510-26P is opened. To end the CLI session, enter [Exit]. Console#
  • Page 506: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the ECS3510-26P is opened. To end the CLI session, enter [Exit]. Vty-0#
  • Page 507: Entering Commands

    You can open up to four sessions to the device via Telnet. ENTERING COMMANDS This section describes how to enter CLI commands. KEYWORDS AND ARGUMENTS A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 508: Getting Help On Commands

    GETTING HELP ON COMMANDS You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. SHOWING COMMANDS If you enter a “?”...
  • Page 509: Partial Keyword Lookup

    snmp Simple Network Management Protocol configuration and statistics sntp Simple Network Time Protocol configuration spanning-tree Spanning-tree configuration Secure shell server connections startup-config Startup system configuration subnet-vlan IP subnet-based VLAN information system System information tacacs-server TACACS server information...
  • Page 510: Using Command History

    USING COMMAND HISTORY The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.
  • Page 511: Configuration Commands

    To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the ECS3510-26P is opened. To end the CLI session, enter [Exit]. Console# Username: guest Password: [guest login password] CLI session with the ECS3510-26P is opened.
  • Page 512: Table 38: Configuration Command Modes

    ◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces. ◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists. ◆ VLAN Configuration - Includes the command to create VLAN groups.
  • Page 513: Command Line Processing

    COMMAND LINE PROCESSING Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 514: Cli Command Groups

    CLI COMMAND GROUPS The system commands can be broken down into the functional groups shown below. Table 40: Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the system, or quitting the CLI System Management Display and setting of system information, basic modes...
  • Page 515 | Using the Command Line Interface | CLI Command Groups: Table 40: Command Group Index (Continued) Command Group Description Page Quality of Service Configures Differentiated Services Multicast Filtering Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router;...
  • Page 517: General Commands

    GENERAL COMMANDS The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 41: General Commands Command Function Mode prompt Customizes the CLI prompt reload Restarts the system at a specified time, after a specified delay, or at a periodic interval enable Activates privileged mode...
  • Page 518: Reload (Global Configuration)

    EXAMPLE Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 519: Enable

    COMMAND USAGE ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 520: Quit

    EXAMPLE Console>enable Password: [privileged level password] Console# RELATED COMMANDS disable (522) enable password (610) quit This command exits the configuration program. DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE The quit and exit commands can both exit the configuration program. EXAMPLE This example shows how to quit a CLI session: Console#quit...
  • Page 521: Configure

    EXAMPLE In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 522: Disable

    disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 523: Show Reload

    show reload This command displays the current reload settings, and the time at which the next scheduled reload will take place. COMMAND MODE Privileged Exec EXAMPLE Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 524 | General Commands: EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:
  • Page 525: System Management Commands

    SYSTEM MANAGEMENT COMMANDS The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 42: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch System Status Displays system configuration, active managers, and version information...
  • Page 526: Hostname

    hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. SYNTAX hostname name no hostname name - The name of this host. (Maximum length: 255 characters) DEFAULT SETTING None...
  • Page 527: Show Access-List Tcam-Utilization

    show access-list tcam-utilization This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use. COMMAND MODE Privileged Exec COMMAND...
  • Page 528: Show Process Cpu

    show process cpu: This command shows the CPU utilization parameters. COMMAND MODE: Normal Exec, Privileged Exec. EXAMPLE: Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show running-config: This command displays the configuration information currently in use. COMMAND...
  • Page 529: Show Startup-Config

    username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active spanning-tree mst configuration interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 qos map dscp-mutation 6 0 from 46 interface vlan 1...
  • Page 530: Show System

    ◆ The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. EXAMPLE: Console#show system System Description : ECS3510-26P Managed FE POE Switch System OID String : 1.3.6.1.4.1.259.10.1.38.104 System Information System Up Time : 0 days, 7 hours, 20 minutes, and 43.30 seconds...
  • Page 531: Show Tech-Support

    EXAMPLE: Console#show tech-support Show System: System Description : ECS3510-26P Managed FE POE Switch System OID String : 1.3.6.1.4.1.259.10.1.38.104 System Information System Up Time : 0 days, 1 hours, 28 minutes, and 51.70 seconds...
  • Page 532: Show Version

    EXAMPLE: Console#show users User Name Accounts: User Name Privilege Public-Key --------- --------- ---------- admin 15 None guest 0 None steve Online Users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console admin 0:14:14...
  • Page 533: Frame Size

    FRAME SIZE. This section describes commands used to configure the Ethernet frame size on the switch. Table 45: Frame Size Commands. Command | Function | Mode. jumbo frame: Enables support for jumbo frames. jumbo frame: This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports.
  • Page 534: File Management

    FILE MANAGEMENT. Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 535: General Commands

    General Commands. boot system: This command specifies the file or image used to start up the system. SYNTAX: boot system {boot-rom | config | opcode}: filename. boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code.
  • Page 536: Copy

    copy: This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 537 ◆ The Boot ROM cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. ◆ For information on specifying an https-certificate, see "Replacing the...
  • Page 538: System Management Commands

    The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 539: Delete

    delete: This command deletes a file or image. SYNTAX: delete filename. filename - Name of configuration file or code image. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: ◆ If the file type is used for system startup, then this file cannot be deleted.
  • Page 540: Whichboot

    COMMAND USAGE: ◆ If you enter the command dir without any parameters, the system displays all files. File information is shown below: Table 47: File Directory Information. Column Heading | Description. File Name: The name of the file. File Type: File types: Boot-Rom, Operation Code, and Config file.
  • Page 541: Automatic Code Upgrade Commands

    EXAMPLE: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modify Time Size(bytes) -------------------------------- ------- ------- ------------------- ----------...
  • Page 542: Upgrade Opcode Path

    It then restarts the system to start using the new image. ◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands. EXAMPLE: Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of...
  • Page 543: Show Upgrade

    ◆ The name for the new image stored on the TFTP server must be ECS4110-24T_Op.bix. However, note that the file name is not to be included in this command. ◆ When specifying a TFTP server, the following syntax must be used,...
  • Page 544: Table 48: Line Commands

    CHAPTER | System Management Commands: Line. You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 545: Databits

    DEFAULT SETTING: There is no default line. COMMAND MODE: Global Configuration. COMMAND USAGE: Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 546: Exec-Timeout

    EXAMPLE: To specify 7 data bits, enter this command: Console(config-line)#databits 7 Console(config-line)# RELATED COMMANDS: parity (548). exec-timeout: This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. SYNTAX: exec-timeout [seconds]; no exec-timeout...
  • Page 547: Login

    login: This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. SYNTAX: login [local]; no login. local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 548: Parity

    parity: This command defines the generation of a parity bit. Use the no form to restore the default setting. SYNTAX: parity {none | even | odd}; no parity. none - No parity. even - Even parity. odd - Odd parity. DEFAULT SETTING...
  • Page 549: Password-Thresh

    COMMAND USAGE: ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns...
  • Page 550: Silent-Time

    EXAMPLE: To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# RELATED COMMANDS: silent-time (550). silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
  • Page 551: Stopbits

    DEFAULT SETTING: auto. COMMAND MODE: Line Configuration. COMMAND USAGE: Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
  • Page 552: Timeout Login Response

    timeout login response: This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. SYNTAX: timeout login response [seconds]; no timeout login response. seconds - Integer that specifies the timeout interval.
  • Page 553: Terminal

    EXAMPLE: Console#disconnect 1 Console# RELATED COMMANDS: show ssh (644), show users (531). terminal: This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting. SYNTAX: terminal {escape-character {ASCII-number | character} | history [size size] | length length | terminal-type {ansi-bbs |...
  • Page 554: Show Line

    EXAMPLE: This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line: This command displays the terminal line’s parameters. SYNTAX: show line [console | vty]. console - Console terminal line.
  • Page 555: Table 49: Event Logging Commands

    EVENT LOGGING. This section describes commands used to configure event logging on the switch. Table 49: Event Logging Commands. Command | Function | Mode. logging facility: Sets the facility type for remote logging of syslog messages. logging history: Limits syslog messages saved to switch memory based...
  • Page 556: Table 50: Logging Levels

    logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. SYNTAX: logging history {flash | ram} level; no logging history {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 557: Logging Host

    logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. SYNTAX: [no] logging host host-ip-address. host-ip-address - The IPv4 or IPv6 address of a syslog server. DEFAULT SETTING: None...
  • Page 558: Logging Trap

    RELATED COMMANDS: logging history (556), logging trap (558), clear log (558). logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 559: Show Log

    COMMAND MODE: Privileged Exec. EXAMPLE: Console#clear log Console# RELATED COMMANDS: show log (559). show log: This command displays the log messages stored in local memory. SYNTAX: show log {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 560: Table 51: Show Logging Flash/Ram - Display Description

    show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. SYNTAX: show logging {flash | ram | sendmail | trap}. flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 561: Table 52: Show Logging Trap - Display Description

    CHAPTER | System Management Commands: SMTP Alerts. Remote Log Server IP Address : 1.2.3.4 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Console# Table 52: show logging trap - display description. Field...
  • Page 562: Logging Sendmail Host

    COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#logging sendmail Console(config)# logging sendmail host: This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server. SYNTAX: [no] logging sendmail host host [username username password password auth-basic]. host - IP address or alias of an SMTP server that will be sent alert messages for event handling.
  • Page 563: Logging Sendmail Level

    logging sendmail level: This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. SYNTAX: logging sendmail level level; no logging sendmail level. level - One of the system message levels (page 556).
  • Page 564: Logging Sendmail Source-Email

    EXAMPLE: Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail source-email: This command sets the email address used for the “From” field in alert messages. Use the no form to restore the default value. SYNTAX: logging sendmail source-email email-address; no logging sendmail source-email. email-address - The source email address used in alert messages.
  • Page 565: Table 54: Time Commands

    CHAPTER | System Management Commands: Time. SMTP Status: Enabled Console# The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 566: Sntp Poll

    COMMAND USAGE: ◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 567: Show Sntp

    RELATED COMMANDS: sntp client (565). sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 568: Manual Configuration Commands

    EXAMPLE: Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0 Current Server : 137.92.140.80 Console# Manual Configuration Commands. clock summer-time: This command sets the start, end, and offset times of summer time...
  • Page 569: Clock Timezone

    COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
  • Page 570: Clock Timezone-Predefined

    corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC. EXAMPLE: Console(config)#clock timezone Japan hours 8 minute 0 after-UTC Console(config)# RELATED COMMANDS...
  • Page 571: Calendar Set

    calendar set: This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. SYNTAX: calendar set hour min sec {day month year | month day year}. hour - Hour in 24-hour format.
  • Page 572: Time Range

    Summer Time in Effect : No Console# TIME RANGE. This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 55: Time Range Commands. Command | Function | Mode...
  • Page 573: Absolute

    absolute: This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. SYNTAX: absolute start hour minute day month year [end hour minutes day month year]; absolute end hour minutes day month year; no absolute. hour - Hour in 24-hour format.
  • Page 574: Periodic

    periodic: This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. SYNTAX: [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend |...
  • Page 575: Show Time-Range

    CHAPTER | System Management Commands: Switch Clustering. show time-range: This command shows configured time ranges. SYNTAX: show time-range [name]. name - Name of the time range. (Range: 1-30 characters) DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show time-range r&d Time-range r&d: absolute start 01:01 01 April 2009 periodic Daily 01:01 to...
  • Page 576: Cluster

    then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
  • Page 577: Cluster Commander

    ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and...
  • Page 578: Cluster Ip-Pool

    cluster ip-pool: This command sets the cluster IP address pool. Use the no form to reset to the default address. SYNTAX: cluster ip-pool ip-address; no cluster ip-pool. ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 579: Rcommand

    There is no need to enter the username and password for access to the Member switch CLI. EXAMPLE: Console#rcommand id 1 CLI session with the ECS3510-26P is opened. To end the CLI session, enter [Exit]. Vty-0## This command shows the switch clustering configuration.
  • Page 580: Show Cluster Members

    Console#show cluster members Cluster Members: Role : Active member IP Address : 10.254.254.2 MAC Address : 00-E0-0C-00-00-FE Description : ECS3510-26P Managed FE POE Switch Console# show cluster candidates: This command shows the discovered Candidate switches in the network. COMMAND MODE: Privileged Exec...
  • Page 581: Snmp Commands

    SNMP COMMANDS. SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 582: General Snmp Commands

    CHAPTER | SNMP Commands: General SNMP Commands. Table 57: SNMP Commands (Continued). Command | Function | Mode. Notification Log Commands. Enables the specified notification log. snmp-server notify-filter: Creates a notification log and specifies the target host (GC). show nlm oper-status: Shows operation status of configured notification logs (PE). show snmp notify-filter: Displays the configured notification logs. ATC Trap Commands...
  • Page 583: Snmp-Server Community

    EXAMPLE: Console(config)#snmp-server Console(config)# snmp-server community: This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string. SYNTAX: snmp-server community string [ro | rw]; no snmp-server community string...
  • Page 584: Snmp-Server Location

    COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#snmp-server contact Paul Console(config)# RELATED COMMANDS: snmp-server location (584). snmp-server location: This command sets the system location string. Use the no form to remove the location string. SYNTAX: snmp-server location text; no snmp-server location. text - String that describes the system location.
  • Page 585: Snmp Target Host Commands

    CHAPTER | SNMP Commands: SNMP Target Host Commands. EXAMPLE: Console#show snmp SNMP Agent : Enabled SNMP Traps : Authentication : Enabled Link-up-down : Enabled SNMP Communities : 1. public, and the access level is read-only 2. private, and the access level is read/write 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name...
  • Page 586: Snmp-Server Host

    COMMAND USAGE: ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
  • Page 587 community-string - Password-like community string sent with the notification operation to SNMP V1 and V2c hosts. Although you can set this string using the snmp-server host command by itself, we recommend defining it with the snmp-server community command prior to using the snmp-server host command.
  • Page 588 To send an inform to a SNMPv2c host, complete these steps: 1. Enable the SNMP agent (page 582). 2. Create a view with the required notification messages (page 592). 3. Create a group that includes the required notify view (page 590).
  • Page 589: Snmpv3 Commands

    SNMPv3 Commands. snmp-server engine-id: This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. SYNTAX: snmp-server engine-id {local | remote {ip-address}} engineid-string; no snmp-server engine-id {local | remote {ip-address}}. local - Specifies the SNMP engine on this switch.
  • Page 590: Snmp-Server Group

    EXAMPLE: Console(config)#snmp-server engine-id local 1234567890 Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)# RELATED COMMANDS: snmp-server host (586). snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. SYNTAX: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}}...
  • Page 591: Snmp-Server User

    ◆ For additional information on the notification messages supported by this switch, see Table 32, "Supported Notification Messages," on page 406. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.
  • Page 592: Snmp-Server View

    COMMAND USAGE: ◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
  • Page 593: Show Snmp Engine-Id

    DEFAULT SETTING: defaultview (includes access to the entire MIB tree). COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. ◆ The predefined view “defaultview”...
  • Page 594: Show Snmp Group

    Table 58: show snmp engine-id - display description. Field | Description. Local SNMP engineID: String identifying the engine ID. Local SNMP engineBoots: The number of times that the engine has (re-)initialized since the snmp EngineID was last configured. Remote SNMP engineID: String identifying an engine ID on a remote device.
  • Page 595: Show Snmp User

    Console# Table 59: show snmp group - display description. Field | Description. Group Name: Name of an SNMP group. Security Model: The SNMP version. Read View: The associated read view. Write View: The associated write view. Notify View: The associated notify view.
  • Page 596: Show Snmp View

    CHAPTER | SNMP Commands: Notification Log Commands. Table 60: show snmp user - display description (Continued). Field | Description. Row Status: The row status of this entry. SNMP remote user: A user associated with an SNMP engine on a remote device. This command shows information on the SNMP views.
  • Page 597: Snmp-Server Notify-Filter

    COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆ Disabling logging with this command does not delete the entries stored...
  • Page 598: Show Nlm Oper-Status

    ◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
  • Page 599: Show Snmp Notify-Filter

    Oper-Status: Operational Console# show snmp notify-filter: This command displays the configured notification logs. COMMAND MODE: Privileged Exec. EXAMPLE: This example displays the configured notification logs and associated target hosts. Note that the last entry is a default filter created when a trap host is initially created.
  • Page 601: Remote Monitoring Commands

    REMOTE MONITORING COMMANDS. Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 602: Rmon Alarm

    CHAPTER | Remote Monitoring Commands. rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. SYNTAX: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]; no rmon alarm index. index –...
  • Page 603: Rmon Event

    ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 604: Rmon Collection History

    ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. EXAMPLE: Console(config)#rmon event 2 log description urgent owner mike Console(config)# This command periodically samples statistics on a physical interface.
  • Page 605: Rmon Collection Rmon1

    show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
  • Page 606: Show Rmon Alarms

    EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike Console(config-if)# show rmon alarms: This command shows the settings for all configured alarms. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0...
  • Page 607: Show Rmon Statistics

    0 undersized and 0 oversized packets, 0 fragments and 0 jabbers packets, 0 CRC alignment errors and 0 collisions. # of dropped packet events is 0 Network utilization is estimated at 0 show rmon statistics: This command shows the information collected for all configured entries in the statistics group.
  • Page 609: Authentication

    AUTHENTICATION COMMANDS. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 610: Enable Password

    CHAPTER | Authentication Commands: User Accounts. enable password: After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 611: Username

    username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
  • Page 612: Authentication Sequence

    AUTHENTICATION SEQUENCE. Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 66: Authentication Sequence Commands. Command | Function | Mode...
  • Page 613: Authentication Login

    EXAMPLE: Console(config)#authentication enable radius Console(config)# RELATED COMMANDS: enable password - sets the password for changing command modes (610). authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default. SYNTAX: authentication login {[local] [radius] [tacacs]}; no authentication login...
  • Page 614: Radius Client

    RELATED COMMANDS
    username - for setting the local user names and passwords (611)
    RADIUS CLIENT
    Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network....
  • Page 615: Radius-Server Auth-Port

    radius-server auth-port
    This command sets the RADIUS server network port. Use the no form to restore the default.
    SYNTAX
    radius-server auth-port port-number
    no radius-server auth-port
    port-number - RADIUS server UDP port used for authentication messages....
  • Page 616: Radius-Server Key

    DEFAULT SETTING
    auth-port - 1812
    acct-port - 1813
    timeout - 5 seconds
    retransmit - 2
    COMMAND MODE
    Global Configuration
    EXAMPLE
    Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
    Console(config)#
    radius-server key
    This command sets the RADIUS encryption key. Use the no form to restore the default....
  • Page 617: Radius-Server Timeout

    DEFAULT SETTING
    COMMAND MODE
    Global Configuration
    EXAMPLE
    Console(config)#radius-server retransmit 5
    Console(config)#
    radius-server timeout
    This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
    SYNTAX
    radius-server timeout number-of-seconds
    no radius-server timeout
    number-of-seconds - Number of seconds the switch waits for a...
  • Page 618: Tacacs+ Client

    Retransmit Times
    Request Timeout
    Server 1:
    Server IP Address : 192.168.1.1
    Authentication Port Number : 1812
    Accounting Port Number : 1813
    Retransmit Times
    Request Timeout
    Radius Server Group:
    Group Name                Member Index
    ------------------------- -------------
    radius
    Console#
    TACACS+ C...
  • Page 619: Tacacs-Server Key

    port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
    retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30)
    timeout - Number of seconds the switch waits for a reply before resending a request....
  • Page 620: Tacacs-Server Port

    tacacs-server port
    This command specifies the TACACS+ server network port. Use the no form to restore the default.
    SYNTAX
    tacacs-server port port-number
    no tacacs-server port
    port-number - TACACS+ server TCP port used for authentication messages....
  • Page 621: Table 69: Aaa Commands

    The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
    Table 69: AAA Commands
    Command | Function | Mode...
  • Page 622: Aaa Accounting Dot1X

    group - Specifies the server group to use.
    tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
    server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters)
    DEFAULT SETTING
    Accounting is not enabled...
  • Page 623: Aaa Accounting Exec

    group - Specifies the server group to use.
    radius - Specifies all RADIUS hosts configured with the radius-server host command.
    tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
    server-group - Specifies the name of a server group configured with the aaa group server command....
  • Page 624: Aaa Accounting Update

    group - Specifies the server group to use.
    radius - Specifies all RADIUS hosts configured with the radius-server host command.
    tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
    server-group - Specifies the name of a server group configured with the aaa group server command....
  • Page 625: Aaa Authorization Exec

    ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
    EXAMPLE
    Console(config)#aaa accounting update periodic 30
    Console(config)#
    aaa authorization exec
    This command enables the authorization for Exec access. Use the no form to disable the authorization service....
  • Page 626: Aaa Group Server

    aaa group server
    Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
    SYNTAX
    [no] aaa group server {radius | tacacs+} group-name
    radius - Defines a RADIUS server group....
  • Page 627: Accounting Dot1X

    EXAMPLE
    Console(config)#aaa group server radius tps
    Console(config-sg-radius)#server 10.2.68.120
    Console(config-sg-radius)#
    accounting dot1x
    This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
    SYNTAX
    accounting dot1x {default | list-name}
    no accounting dot1x
    default - Specifies the default method list created with the accounting dot1x...
  • Page 628: Authorization Exec

    EXAMPLE
    Console(config)#line console
    Console(config-line)#accounting exec tps
    Console(config-line)#exit
    Console(config)#line vty
    Console(config-line)#accounting exec default
    Console(config-line)#
    authorization exec
    This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
    SYNTAX
    authorization exec {default | list-name}
    no authorization exec...
  • Page 629: Table 70: Web Server Commands

    user-name - Displays accounting records for a specifiable username.
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-26)
    DEFAULT SETTING
    None
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show accounting
    Accounting Type: dot1x
    Method List : default
    Group List...
  • Page 630: Ip Http Port

    ip http port
    This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
    SYNTAX
    ip http port port-number
    no ip http port
    port-number - The TCP port to be used by the browser interface....
  • Page 631: Ip Http Secure-Port

    ip http secure-port
    This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
    SYNTAX
    ip http secure-port port_number
    no ip http secure-port
    port_number –...
  • Page 632: Table 71: Https System Support

    ◆ When you start HTTPS, the connection is established in this way:
      ■ The client authenticates the server using the server’s digital certificate.
      ■ The client and server negotiate a set of security protocols to use for...
  • Page 633: Table 72: Telnet Server Commands

    TELNET SERVER
    This section describes commands used to configure Telnet management access to the switch.
    Table 72: Telnet Server Commands
    Command | Function | Mode
    ip telnet max-sessions | Specifies the maximum number of Telnet sessions that can simultaneously connect to this system
    ip telnet port | Specifies the port to be used by the Telnet interface...
  • Page 634: Ip Telnet Port

    ip telnet port
    This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
    SYNTAX
    ip telnet port port-number
    no telnet port
    port-number - The TCP port number to be used by the browser interface....
  • Page 635: Table 73: Secure Shell Commands

    show ip telnet
    This command displays the configuration settings for the Telnet server.
    COMMAND MODE
    Normal Exec, Privileged Exec
    EXAMPLE
    Console#show ip telnet
    IP Telnet Configuration:
    Telnet Status: Enabled
    Telnet Service Port: 23
    Telnet Max Session: 4
    Console#
    SECURE SHELL...
  • Page 636

    Table 73: Secure Shell Commands (Continued)
    Command | Function | Mode
    show ssh | Displays the status of current SSH sessions
    show users | Shows SSH users, including privilege level and public key type
    Configuration Guidelines
    The SSH server on this switch supports both password and public key authentication....
  • Page 637

    Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
    Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch....
  • Page 638: Ip Ssh Authentication-Retries

    The client sends a signature generated using the private key to the switch. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct....
  • Page 639: Ip Ssh Server-Key Size

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
    ◆ The SSH server uses DSA or RSA for key exchange when the client first...
  • Page 640: Ip Ssh Timeout

    ip ssh timeout
    This command configures the timeout for the SSH server. Use the no form to restore the default setting.
    SYNTAX
    ip ssh timeout seconds
    no ip ssh timeout
    seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
    DEFAULT SETTING...
  • Page 641: Ip Ssh Crypto Host-Key Generate

    EXAMPLE
    Console#delete public-key admin dsa
    Console#
    ip ssh crypto host-key generate
    This command generates the host key pair (i.e., public and private).
    SYNTAX
    ip ssh crypto host-key generate [dsa | rsa]
    dsa – DSA (Version 2) key type.
    rsa –...
  • Page 642: Ip Ssh Crypto Zeroize

    ip ssh crypto zeroize
    This command clears the host key from memory (i.e. RAM).
    SYNTAX
    ip ssh crypto zeroize [dsa | rsa]
    dsa – DSA key type.
    rsa – RSA key type.
    DEFAULT SETTING
    Clears both the DSA and RSA key....
  • Page 643: Show Public-Key

    RELATED COMMANDS
    ip ssh crypto host-key generate (641)
    show ip ssh
    This command displays the connection settings used when authenticating client access to the SSH server.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show ip ssh
    SSH Enabled - Version 2.0
    Negotiation Timeout : 120 seconds;...
  • Page 644: Table 74: Show Ssh - Display Description

    show ssh
    This command displays the current SSH server connections.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show ssh
    Connection Version State Username Encryption
    Session-Started admin ctos aes128-cbc-hmac-md5...
  • Page 645: Port Authentication

    802.1X PORT AUTHENTICATION
    The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol)....
  • Page 646: General Commands

    Table 75: 802.1X Port Authentication Commands (Continued)
    Command | Function | Mode
    dot1x timeout start-period | Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator
    Display Information Commands
    show dot1x | Shows all dot1x related information
    General Commands...
  • Page 647: Dot1X System-Auth-Control

    EXAMPLE
    This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
    Console(config)#dot1x eapol-pass-through
    Console(config)#
    dot1x system-auth-control
    This command enables IEEE 802.1X port authentication globally on the switch....
  • Page 648: Dot1X Max-Req

    COMMAND USAGE
    For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command)....
  • Page 649: Dot1X Operation-Mode

    dot1x operation-mode
    This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count....
  • Page 650: Dot1X Port-Control

    dot1x port-control
    This command sets the dot1x mode on a port interface. Use the no form to restore the default.
    SYNTAX
    dot1x port-control {auto | force-authorized | force-unauthorized}
    no dot1x port-control
    auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server....
  • Page 651: Dot1X Timeout Quiet-Period

    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x re-authentication
    Console(config-if)#
    RELATED COMMANDS
    dot1x timeout re-authperiod (651)
    dot1x timeout quiet-period
    This command sets the time that a switch port waits after the maximum request count (see page 648) has been exceeded before attempting to acquire a new client....
  • Page 652: Dot1X Timeout Supp-Timeout

    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout re-authperiod 300
    Console(config-if)#
    dot1x timeout supp-timeout
    This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet....
  • Page 653: Dot1X Re-Authenticate

    DEFAULT
    30 seconds
    COMMAND MODE
    Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout tx-period 300
    Console(config-if)#
    dot1x re-authenticate
    This command forces re-authentication on all ports or a specific interface.
    SYNTAX
    dot1x re-authenticate [interface]
    interface
    ethernet unit/port
    unit - Unit identifier....
  • Page 654: Supplicant Commands

    Supplicant Commands
    dot1x identity profile
    This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.
    SYNTAX
    dot1x identity profile {username username | password password}
    no dot1x identity profile {username | password}
    username - Specifies the supplicant user name....
  • Page 655: Dot1X Pae Supplicant

    COMMAND MODE
    Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x max-start 10
    Console(config-if)#
    dot1x pae supplicant
    This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
    SYNTAX
    [no] dot1x pae supplicant...
  • Page 656: Dot1X Timeout Auth-Period

    dot1x timeout auth-period
    This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
    SYNTAX
    dot1x timeout auth-period seconds
    no dot1x timeout auth-period
    seconds - The number of seconds....
  • Page 657: Dot1X Timeout Start-Period

    dot1x timeout start-period
    This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
    SYNTAX
    dot1x timeout start-period seconds
    no dot1x timeout start-period
    seconds - The number of seconds....
  • Page 658

    ◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 654).
    ◆ 802.1X Port Summary – Displays the port access control parameters...
  • Page 659

      ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
      ■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server....
  • Page 660: Management Ip Filter

    Identifier(Server)
    Reauthentication State Machine
    State : Initialize
    Console#
    MANAGEMENT IP FILTER
    This section describes commands used to configure IP management access to the switch.
    Table 76: Management IP Filter Commands
    Command | Function | Mode
    management | Configures IP addresses that are allowed management...
  • Page 661: Show Management

    ◆ IP address can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
    ◆ When entering addresses for the same group (i.e., SNMP, web, or...
  • Page 662: Authentication Commands

    TELNET-Client:
    Start IP address End IP address
    -----------------------------------------------
    1. 192.168.1.19 192.168.1.19
    2. 192.168.1.25 192.168.1.30
    Console#...
  • Page 663: General Security Measures

    GENERAL SECURITY MEASURES
    This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter....
  • Page 664: Port Security

    PORT SECURITY
    These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network....
  • Page 665

    COMMAND MODE
    Interface Configuration (Ethernet)
    COMMAND USAGE
    ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command....
  • Page 666: Network Access (Mac Address Authentication)

    RELATED COMMANDS
    show interfaces status (741)
    shutdown (736)
    mac-address-table static (790)
    NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
    Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port....
  • Page 667: Network-Access Aging

    Table 79: Network Access Commands (Continued)
    Command | Function | Mode
    show network-access mac-address-table | Displays information for entries in the secure MAC address table
    show network-access mac-filter | Displays information for entries in the MAC filter tables
    Use this command to enable aging for authenticated MAC addresses stored...
  • Page 668: Mac-Authentication Reauth-Time

    mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
    mask - Specifies a MAC address bit mask for a range of addresses.
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆...
  • Page 669: Network-Access Dynamic-Qos

    COMMAND USAGE
    ◆ The reauthentication time is a global setting and applies to all ports.
    ◆ When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected....
  • Page 670: Network-Access Dynamic-Vlan

    ◆ While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off of the port. Any configuration changes for dynamic QoS are not saved to the switch configuration file....
  • Page 671: Network-Access Guest-Vlan

    EXAMPLE
    The following example enables dynamic VLAN assignment on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access dynamic-vlan
    Console(config-if)#
    network-access guest-vlan
    Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected....
  • Page 672: Network-Access Link-Detection Link-Down

    COMMAND MODE
    Interface Configuration
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access link-detection
    Console(config-if)#
    network-access link-detection link-down
    Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature....
  • Page 673: Network-Access Link-Detection Link-Up-Down

    action - Response to take when port security is violated.
    shutdown - Disable port only.
    trap - Issue SNMP trap message only.
    trap-and-shutdown - Issue SNMP trap message and disable the port....
  • Page 674: Network-Access Max-Mac-Count

    network-access max-mac-count
    Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
    SYNTAX
    network-access max-mac-count count
    no network-access max-mac-count...
  • Page 675: Network-Access Port-Mac-Filter

    ◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024....
  • Page 676: Mac-Authentication Intrusion-Action

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access port-mac-filter 1
    Console(config-if)#
    mac-authentication intrusion-action
    Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default....
  • Page 677: Clear Network-Access

    clear network-access
    Use this command to clear entries from the secure MAC addresses table.
    SYNTAX
    clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
    static - Specifies static address entries.
    dynamic - Specifies dynamic address entries....
  • Page 678: Show Network-Access Mac-Address-Table

    EXAMPLE
    Console#show network-access interface ethernet 1/1
    Global secure port information
    Reauthentication Time : 1800
    MAC address Aging : Disabled
    Port : 1/1
    MAC Authentication : Disabled
    MAC Authentication Intrusion action : Block traffic
    MAC Authentication Maximum MAC Counts : 1024
    Maximum MAC Counts...
  • Page 679: Show Network-Access Mac-Filter

    00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
    EXAMPLE
    Console#show network-access mac-address-table
    ---- ----------------- --------------- --------- -------------------------
    Port MAC-Address       RADIUS-Server   Attribute Time
    ---- ----------------- --------------- --------- -------------------------
    00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s
    00-00-01-02-03-05 172.155.120.17...
  • Page 680: Table 81: Web Authentication

    RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 612). Web authentication cannot be configured on trunk ports.
    Table 81: Web Authentication
    Command | Function | Mode...
  • Page 681: Web-Auth Quiet-Period

    EXAMPLE
    Console(config)#web-auth login-attempts 2
    Console(config)#
    web-auth quiet-period
    This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
    SYNTAX
    web-auth quiet-period time
    no web-auth quiet period...
  • Page 682: Web-Auth System-Auth-Control

    EXAMPLE
    Console(config)#web-auth session-timeout 1800
    Console(config)#
    web-auth system-auth-control
    This command globally enables web authentication for the switch. Use the no form to restore the default.
    SYNTAX
    [no] web-auth system-auth-control
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    Both web-auth system-auth-control for the switch and...
  • Page 683: Web-Auth Re-Authenticate (Port)

    web-auth re-authenticate (Port)
    This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
    SYNTAX
    web-auth re-authenticate interface interface
    interface - Specifies a port interface.
    ethernet unit/port
    unit - This is unit 1....
  • Page 684: Show Web-Auth

    show web-auth
    This command displays global web authentication parameters.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show web-auth
    Global Web-Auth Parameters
    System Auth Control : Enabled
    Session Timeout : 3600
    Quiet Period : 60
    Max Login Attempts
    Console#
    This command displays interface-specific web authentication parameters show web-auth...
  • Page 685: Table 82: Dhcp Snooping Commands

    show web-auth summary
    This command displays a summary of web authentication port parameters and statistics.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show web-auth summary
    Global Web-Auth Parameters
    System Auth Control : Enabled
    Port Status Authenticated Host Count
    ---- ------ ------------------------...
  • Page 686: Ip Dhcp Snooping

    ip dhcp snooping
    This command enables DHCP snooping globally. Use the no form to restore the default setting.
    SYNTAX
    [no] ip dhcp snooping
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ Network traffic may be disrupted when malicious DHCP messages are...
  • Page 687

      ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
      ■ If the DHCP packet is from a client, such as a DISCOVER,...
  • Page 688: Ip Dhcp Snooping Information Option

    ip dhcp snooping information option
    This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
    SYNTAX
    [no] ip dhcp snooping information option
    DEFAULT SETTING
    Disabled
    COMMAND...
  • Page 689: Ip Dhcp Snooping Information Policy

    ip dhcp snooping information policy
    This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
    SYNTAX
    ip dhcp snooping information policy {drop | keep | replace}
    drop - Drops the client’s request packet instead of relaying it....
  • Page 690: Ip Dhcp Snooping Vlan

    EXAMPLE
    This example enables MAC address verification.
    Console(config)#ip dhcp snooping verify mac-address
    Console(config)#
    RELATED COMMANDS
    ip dhcp snooping (686)
    ip dhcp snooping vlan (690)
    ip dhcp snooping trust (691)
    ip dhcp snooping vlan
    This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting....
  • Page 691: Ip Dhcp Snooping Trust

    ip dhcp snooping trust
    This command configures the specified interface as trusted. Use the no form to restore the default setting.
    SYNTAX
    [no] ip dhcp snooping trust
    DEFAULT SETTING
    All interfaces are untrusted
    COMMAND MODE
    Interface Configuration (Ethernet, Port Channel)
    COMMAND...
  • Page 692: Clear Ip Dhcp Snooping Database Flash

    clear ip dhcp snooping database flash
    This command removes all dynamically learned snooping entries from flash memory.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console(config)#ip dhcp snooping database flash
    Console(config)#
    ip dhcp snooping database flash
    This command writes all dynamically learned snooping entries to flash memory....
  • Page 693: Show Ip Dhcp Snooping

    show ip dhcp snooping
    This command shows the DHCP snooping configuration settings.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show ip dhcp snooping
    Global DHCP Snooping status: disable
    DHCP Snooping Information Option Status: disable
    DHCP Snooping Information Policy: replace
    DHCP Snooping is configured on the following VLANs:
    Verify Source Mac-Address: enable
    Interface...
  • Page 694: Table 83: Ip Source Guard Commands

    IP SOURCE GUARD
    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 695

    COMMAND USAGE
    ◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
    ◆ All static entries are configured with an infinite lease time, which is...
  • Page 696: Ip Source-Guard

    Chapter: General Security Measures | IP Source Guard
    ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
    SYNTAX:
    ip source-guard {sip | sip-mac}
    no ip source-guard
    sip - Filters traffic based on IP addresses stored in the binding...
  • Page 697: Ip Source-Guard Max-Binding

    Chapter: General Security Measures | IP Source Guard
    ◆ Filtering rules are implemented as follows:
    ■ If DHCP snooping is disabled (see page 686), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 698: Show Ip Source-Guard

    Chapter: General Security Measures | IP Source Guard
    COMMAND USAGE:
    ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 699: Table 84: Arp Inspection Commands

    Chapter: General Security Measures | ARP Inspection
    EXAMPLE:
    Console#show ip source-guard binding
    MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
    ----------------- --------------- ---------- -------------------- ---- --------
    11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
    Console#
    ARP INSPECTION
    ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 700: Ip Arp Inspection

    Chapter: General Security Measures | ARP Inspection
    Table 84: ARP Inspection Commands (Continued)
    Command | Function | Mode
    show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons
    show ip arp inspection vlan | Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation...
  • Page 701: Ip Arp Inspection Filter

    Chapter: General Security Measures | ARP Inspection
    ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
    SYNTAX:
    ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
    arp-acl-name - Name of an ARP ACL.
  • Page 702: Ip Arp Inspection Log-Buffer Logs

    Chapter: General Security Measures | ARP Inspection
    ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
    SYNTAX:
    ip arp inspection log-buffer logs message-number interval seconds
    no ip arp inspection log-buffer logs...
  • Page 703: Ip Arp Inspection Validate

    Chapter: General Security Measures | ARP Inspection
    ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
    SYNTAX:
    ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
    no ip arp inspection validate
    dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 704: Ip Arp Inspection Limit

    Chapter: General Security Measures | ARP Inspection
    DEFAULT SETTING: Disabled on all VLANs
    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 705: Ip Arp Inspection Trust

    Chapter: General Security Measures | ARP Inspection
    COMMAND MODE: Interface Configuration (Port)
    COMMAND USAGE:
    ◆ This command only applies to untrusted ports.
    ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip arp inspection limit 150...
  • Page 706: Show Ip Arp Inspection Configuration

    Chapter: General Security Measures | ARP Inspection
    show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show ip arp inspection configuration
    ARP inspection global information:
    Global IP ARP Inspection status : disabled
    Log Message Interval : 10 s
    Log Message Number...
  • Page 707: Show Ip Arp Inspection Log

    Chapter: General Security Measures | ARP Inspection
    show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show ip arp inspection log
    Total log entries number is 1
    Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 708: Table 85: Dos Protection Commands

    Chapter: General Security Measures | Denial of Service Protection
    EXAMPLE:
    Console#show ip arp inspection vlan 1
    VLAN ID  DAI Status      ACL Name             ACL Status
    -------- --------------- -------------------- --------------------
             disabled        sales                static
    Console#
    DENIAL OF SERVICE PROTECTION
    A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
  • Page 709

    Chapter: General Security Measures | Denial of Service Protection
    EXAMPLE:
    Console(config)#flow tcp-udp-port-zero forward
    Console(config)#
  • Page 710

    Chapter: General Security Measures | Denial of Service Protection
  • Page 711: Table 86: Access Control List Commands

    ACCESS CONTROL LISTS
    Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 712: Access-List Ip

    Chapter: Access Control Lists | IPv4 ACLs
    access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
    SYNTAX:
    [no] access-list ip {standard | extended} acl-name
    standard –...
  • Page 713

    Chapter: Access Control Lists | IPv4 ACLs
    permit, deny, redirect-to (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
    SYNTAX:
    {permit | deny | redirect-to interface}...
  • Page 714: Permit, Deny, Redirect-To (Extended Ipv4 Acl)

    Chapter: Access Control Lists | IPv4 ACLs
    RELATED COMMANDS: access-list ip (712), Time Range (572)
    permit, deny, redirect-to (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes.
  • Page 715

    Chapter: Access Control Lists | IPv4 ACLs
    host – Keyword followed by a specific IP address.
    precedence – IP precedence level. (Range: 0-7)
    tos – Type of Service level. (Range: 0-15)
    dscp – DSCP priority level. (Range: 0-63)
    sport – Protocol source port number.
  • Page 716: Table 88: Priority Bits Processed By Extended Ipv4 Acl

    Chapter: Access Control Lists | IPv4 ACLs
    For example, use the code value and mask below to catch packets with the following flags set:
    ■ SYN flag valid, use “control-code 2 2”
    ■ Both SYN and ACK valid, use “control-code 18 18”...
  • Page 717: Ip Access-Group

    Chapter: Access Control Lists | IPv4 ACLs
    ip access-group: This command binds an IPv4 ACL to a port. Use the no form to remove the port.
    SYNTAX:
    ip access-group acl-name in [time-range time-range-name]
    no ip access-group acl-name in
    acl-name – Name of the ACL. (Maximum length: 16 characters)
    in –...
  • Page 718: Table 89: Mac Acl Commands

    Chapter: Access Control Lists | MAC ACLs
    show ip access-list: This command displays the rules for configured IPv4 ACLs.
    SYNTAX:
    show ip access-list {standard | extended} [acl-name]
    standard – Specifies a standard IP ACL.
    extended – Specifies an extended IP ACL.
    acl-name –...
  • Page 719: Access-List Mac

    Chapter: Access Control Lists | MAC ACLs
    access-list mac: This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
    SYNTAX:
    [no] access-list mac acl-name
    acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters)
    DEFAULT SETTING...
  • Page 720

    Chapter: Access Control Lists | MAC ACLs
    The default is for Ethernet II packets.
    {permit | deny | redirect-to interface} tagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]] [time-range time-range-name]
    no {permit | deny | redirect-to interface} tagged-eth2 {any | host source | source address-bitmask}...
  • Page 721

    Chapter: Access Control Lists | MAC ACLs
    host – A specific MAC address.
    source – Source MAC address.
    destination – Destination MAC address range with bitmask.
    address-bitmask – Bitmask for MAC address (in hexadecimal format).
    vid – VLAN ID. (Range: 1-4095)
    vid-bitmask –...
  • Page 722: Mac Access-Group

    Chapter: Access Control Lists | MAC ACLs
    mac access-group: This command binds a MAC ACL to a port. Use the no form to remove the port.
    SYNTAX:
    mac access-group acl-name in [time-range time-range-name]
    acl-name – Name of the ACL. (Maximum length: 16 characters)
    in –...
  • Page 723: Table 90: Arp Acl Commands

    Chapter: Access Control Lists | ARP ACLs
    show mac access-list: This command displays the rules for configured MAC ACLs.
    SYNTAX:
    show mac access-list [acl-name]
    acl-name – Name of the ACL. (Maximum length: 16 characters)
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show mac access-list
    MAC access-list jerry:
    permit any 00-e0-29-94-34-de ethertype 0800
    Console#...
  • Page 724: Permit, Deny (Arp Acl)

    Chapter: Access Control Lists | ARP ACLs
    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 725: Show Arp Access-List

    Chapter: Access Control Lists | ARP ACLs
    destination-mac – Destination MAC address range with bitmask.
    mac-address-bitmask – Bitmask for MAC address (in hexadecimal format).
    log - Logs a packet when it matches the access control entry.
    DEFAULT SETTING: None
    COMMAND MODE: ARP ACL
    COMMAND USAGE...
  • Page 726: Table 91: Acl Information Commands

    Chapter: Access Control Lists | ACL Information
    ACL INFORMATION
    This section describes commands used to display ACL information.
    Table 91: ACL Information Commands
    Command | Function | Mode
    show access-group | Shows the ACLs assigned to each port
    show access-list | Show all ACLs and associated rules
    This command shows the port assignments of ACLs.
  • Page 727

    Chapter: Access Control Lists | ACL Information
    EXAMPLE:
    Console#show access-list
    IP standard access-list david:
    permit host 10.1.1.21
    permit 168.92.0.0 255.255.15.0
    IP extended access-list bob:
    permit 10.7.1.1 255.255.255.0 any
    permit 192.168.1.0 255.255.255.0 any destination-port 80 80
    permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2
    MAC access-list jerry:
    permit any host 00-30-29-94-34-de ethertype 800 800
    IP extended access-list A6:...
  • Page 728

    Chapter: Access Control Lists | ACL Information
  • Page 729: Table 92: Interface Commands

    INTERFACE COMMANDS
    These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
    Table 92: Interface Commands
    Command | Function | Mode
    Interface Configuration
    interface | Configures an interface type and enters interface configuration mode
    alias | Configures an alias name for the interface...
  • Page 730: Interface Configuration

    Chapter: Interface Commands | Interface Configuration
    Table 92: Interface Commands (Continued)
    Command | Function | Mode
    Power Savings
    power-save | Enables power savings mode on the specified port
    show power-save | Shows the configuration settings for power savings
    Enabling hardware-level storm control with this command on a port will disable software-level automatic storm control on the same port if configured by the auto-traffic-control...
  • Page 731: Alias

    Chapter: Interface Commands | Interface Configuration
    alias: This command configures an alias name for the interface. Use the no form to remove the alias name.
    SYNTAX:
    alias string
    no alias
    string - A mnemonic name to help you remember what is attached to this interface.
  • Page 732: Description

    Chapter: Interface Commands | Interface Configuration
    DEFAULT SETTING:
    100BASE-FX: 100full (SFP)
    100BASE-TX: 10half, 10full, 100half, 100full
    1000BASE-T: 10half, 10full, 100half, 100full, 1000full
    1000BASE-SX/LX/LH (SFP): 1000full
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE:
    ◆ The 1000BASE-T standard does not support forced mode. Auto-...
  • Page 733: Flowcontrol

    Chapter: Interface Commands | Interface Configuration
    COMMAND USAGE: The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 734: Giga-Phy-Mode

    Chapter: Interface Commands | Interface Configuration
    EXAMPLE: The following example enables flow control on port 5.
    Console(config)#interface ethernet 1/5
    Console(config-if)#flowcontrol
    Console(config-if)#no negotiation
    Console(config-if)#
    RELATED COMMANDS: negotiation (735), capabilities (flowcontrol, symmetric) (731)
    giga-phy-mode: This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports.
  • Page 735: Negotiation

    Chapter: Interface Commands | Interface Configuration
    EXAMPLE: This forces the switch port to master mode on port 24.
    Console(config)#interface ethernet 1/50
    Console(config-if)#no negotiation
    Console(config-if)#speed-duplex 1000full
    Console(config-if)#giga-phy-mode master
    Console(config-if)#
    negotiation: This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.
  • Page 736: Shutdown

    Chapter: Interface Commands | Interface Configuration
    shutdown: This command disables an interface. To restart a disabled interface, use the no form.
    SYNTAX: [no] shutdown
    DEFAULT SETTING: All interfaces are enabled.
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved.
  • Page 737

    Chapter: Interface Commands | Interface Configuration
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE:
    ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
  • Page 738

    Chapter: Interface Commands | Interface Configuration
    Multicast Storm Control: Disabled
    Unknown Unicast Storm Control: Disabled
    COMMAND MODE: Interface Configuration (Ethernet)
    COMMAND USAGE:
    ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
  • Page 739: Clear Counters

    Chapter: Interface Commands | Interface Configuration
    clear counters: This command clears statistics on an interface.
    SYNTAX:
    clear counters interface
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-26)
    port-channel channel-id (Range: 1-12)
    DEFAULT SETTING: None
    COMMAND MODE: Privileged Exec...
  • Page 740: Show Interfaces Counters

    Chapter: Interface Commands | Interface Configuration
    show interfaces counters: This command displays interface statistics.
    SYNTAX:
    show interfaces counters [interface]
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-26)
    port-channel channel-id (Range: 1-12)
    DEFAULT SETTING: Shows the counters for all interfaces.
  • Page 741: Show Interfaces Status

    Chapter: Interface Commands | Interface Configuration
    ===== RMON Stats =====
    0 Drop Events
    16900558 Octets
    40243 Packets
    170 Broadcast PKTS
    23 Multi-cast PKTS
    0 Undersize PKTS
    0 Oversize PKTS
    0 Fragments
    0 Jabbers
    0 CRC Align Errors
    0 Collisions
    21065 Packet Size <= 64 Octets
    3805 Packet Size 65 to 127 Octets
    2448 Packet Size 128 to 255 Octets
    797 Packet Size 256 to 511 Octets...
  • Page 742: Show Interfaces Switchport

    Chapter: Interface Commands | Interface Configuration
    EXAMPLE:
    Console#show interfaces status ethernet 1/25
    Information of Eth 1/21
    Port Type : 1000T
    MAC Address : B4-0E-DC-34-E6-3D
    Configuration:
    Name
    Port Admin : Up
    Speed-Duplex : Auto
    Capabilities : 10half, 10full, 100half, 100full, 1000full
    Flow Control : Disabled
    VLAN Trunking...
  • Page 743: Table 93: Show Interfaces Switchport - Display Description

    Chapter: Interface Commands | Interface Configuration
    EXAMPLE: This example shows the configuration setting for port 25.
    Console#show interfaces switchport ethernet 1/25
    Information of Eth 1/21
    Broadcast Threshold : Enabled, 500 packets/second
    Multicast Threshold : Disabled
    Unknown Unicast Threshold : Disabled
    LACP Status : Disabled
    Ingress Rate Limit...
  • Page 744: Show Interfaces Transceiver

    Chapter: Interface Commands | Interface Configuration
    Table 93: show interfaces switchport - display description (Continued)
    Field | Description
    802.1Q-tunnel Mode | Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 838).
    802.1Q-tunnel TPID | Shows the Tag Protocol Identifier used for learning and switching packets (page 839).
  • Page 745: Cable Diagnostics

    Chapter: Interface Commands | Cable Diagnostics
    Length
    Link length supported for OM2 fiber, 550m
    Link length supported for OM1 fiber, 280m
    Vendor Name: SMC Networks
    Vendor OUI : 0
    Vendor PN : SMC1GSFP-SX
    Vendor Rev : V1.1
    Vendor SN : V1.1
    Date code : 2009.5.19
    Options...
  • Page 746: Show Cable-Diagnostics

    Chapter: Interface Commands | Cable Diagnostics
    ◆ Ports are linked down while running cable diagnostics.
    ◆ To ensure more accurate measurement of the length to a fault, first disable power-saving mode (using the no power-save command) on the link partner before running cable diagnostics.
    EXAMPLE:
    Console#test cable-diagnostics interface ethernet 1/25
    Console#show cable-diagnostics interface ethernet 1/25...
  • Page 747: Power Savings

    Chapter: Interface Commands | Power Savings
    Power Savings
    power-save: This command enables power savings mode on the specified port.
    SYNTAX: [no] power-save
    COMMAND MODE: Interface Configuration (Ethernet, Ports 25-26)
    COMMAND USAGE:
    ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
  • Page 748: Show Power-Save

    Chapter: Interface Commands | Power Savings
    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#power-save
    Console(config-if)#
    show power-save: This command shows the configuration settings for power savings.
    SYNTAX:
    show power-save [interface interface]
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 25-26)
    COMMAND MODE: Privileged Exec
    EXAMPLE...
  • Page 749: Table 94: Link Aggregation Commands

    LINK AGGREGATION COMMANDS
    Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 750: Manual Configuration Commands

    Chapter: Link Aggregation Commands | Manual Configuration Commands
    ◆ Any of the Fast Ethernet ports on the front panel can be trunked together, including ports of different media types.
    ◆ Any of the Gigabit Ethernet ports on the front panel can be trunked together, including ports of different media types.
  • Page 751: Dynamic Configuration Commands

    Chapter: Link Aggregation Commands | Dynamic Configuration Commands
    EXAMPLE: The following example creates trunk 1 and then adds port 11:
    Console(config)#interface port-channel 1
    Console(config-if)#exit
    Console(config)#interface ethernet 1/11
    Console(config-if)#channel-group 1
    Console(config-if)#
    Dynamic Configuration Commands
    lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.
  • Page 752: Lacp Admin-Key (Ethernet Interface)

    Chapter: Link Aggregation Commands | Dynamic Configuration Commands
    Console#show interfaces status port-channel 1
    Information of Trunk 1
    Port Type : 100TX
    MAC Address : B4-0E-DC-39-F4-4D
    Configuration:
    Name
    Port Admin : Up
    Speed-Duplex : Auto
    Capabilities : 10half, 10full, 100half, 100full
    Flow Control : Disabled
    VLAN Trunking...
  • Page 753: Lacp Port-Priority

    Chapter: Link Aggregation Commands | Dynamic Configuration Commands
    ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state.
  • Page 754: Lacp System-Priority

    Chapter: Link Aggregation Commands | Dynamic Configuration Commands
    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#lacp actor port-priority 128
    lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting.
    SYNTAX:
    lacp {actor | partner} system-priority priority
    no lacp {actor | partner} system-priority
    actor - The local side of an aggregate link.
  • Page 755: Lacp Admin-Key (Port Channel)

    Chapter: Link Aggregation Commands | Dynamic Configuration Commands
    lacp admin-key (Port Channel): This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
    SYNTAX:
    lacp admin-key key
    no lacp admin-key
    key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
  • Page 756: Table 95: Show Lacp Counters - Display Description

    Chapter: Link Aggregation Commands | Trunk Status Display Commands
    Trunk Status Display Commands
    show lacp: This command displays LACP information.
    SYNTAX:
    show lacp [port-channel] {counters | internal | neighbors | sys-id}
    port-channel - Local identifier for a link aggregation group. (Range: 1-12)
    counters - Statistics for LACP protocol messages.
  • Page 757: Table 96: Show Lacp Internal - Display Description

    Chapter: Link Aggregation Commands | Trunk Status Display Commands
    Table 95: show lacp counters - display description (Continued)
    Field | Description
    LACPDUs Unknown Pkts | Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 758: Table 97: Show Lacp Neighbors - Display Description

    Chapter: Link Aggregation Commands | Trunk Status Display Commands
    Table 96: show lacp internal - display description (Continued)
    Field | Description
    LACP Port Priority | LACP port priority assigned to this interface within the channel group.
    Admin State, Oper State | Administrative or operational values of the actor’s state parameters: Expired –...
  • Page 759: Table 98: Show Lacp Sysid - Display Description

    Chapter: Link Aggregation Commands | Trunk Status Display Commands
    Table 97: show lacp neighbors - display description (Continued)
    Field | Description
    Port Oper Priority | Priority value assigned to this aggregation port by the partner.
    Admin Key | Current administrative value of the Key for the protocol partner.
    Oper Key | Current operational value of the Key for the protocol partner.
  • Page 760

    Chapter: Link Aggregation Commands | Trunk Status Display Commands
  • Page 761: Table 99: Port Mirroring Commands

    PORT MIRRORING COMMANDS
    Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 762: Local Port Mirroring Commands

    Chapter: Port Mirroring Commands | Local Port Mirroring Commands
    tx - Mirror transmitted packets.
    both - Mirror both received and transmitted packets.
    vlan-id - VLAN ID (Range: 1-4093)
    mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
    DEFAULT SETTING: No mirror session is defined.
  • Page 763: Show Port Monitor

    Chapter: Port Mirroring Commands | Local Port Mirroring Commands
    EXAMPLE: The following example configures the switch to mirror all packets from port 6 to 11:
    Console(config)#interface ethernet 1/11
    Console(config-if)#port monitor ethernet 1/6 both
    Console(config-if)#
    show port monitor: This command displays mirror information.
    SYNTAX:
    show port monitor [interface | vlan vlan-id | mac-address mac-address]...
  • Page 764: Table 101: Rspan Commands

    Chapter: Port Mirroring Commands | RSPAN Mirroring Commands
    RSPAN MIRRORING COMMANDS
    Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
    Table 101: RSPAN Commands
    Command | Function | Mode
    vlan rspan | Creates a VLAN dedicated to carrying RSPAN traffic
    rspan source...
  • Page 765: Rspan Source

    Chapter: Port Mirroring Commands | RSPAN Mirroring Commands
    ◆ Local/Remote Mirror – The destination of a local mirror session (created with the port monitor command) cannot be used as the destination for RSPAN traffic. Only two mirror sessions are allowed. Both sessions can be allocated to remote mirroring, unless local mirroring is enabled (which is limited to a single session).
  • Page 766: Rspan Destination

    Chapter: Port Mirroring Commands | RSPAN Mirroring Commands
    both - Mirror both received and transmitted packets.
    DEFAULT SETTING: Both TX and RX traffic is mirrored
    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ One or more source ports can be assigned to the same RSPAN session,...
  • Page 767: Rspan Remote Vlan

    Chapter: Port Mirroring Commands | RSPAN Mirroring Commands
    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
    ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured...
  • Page 768: No Rspan Session

    Chapter: Port Mirroring Commands | RSPAN Mirroring Commands
    destination - Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session.
    uplink - A port configured to receive or transmit remotely mirrored traffic.
  • Page 769: Show Rspan

    Chapter: Port Mirroring Commands | RSPAN Mirroring Commands
    COMMAND MODE: Global Configuration
    COMMAND USAGE: The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the vlan command).
    EXAMPLE:
    Console(config)#no rspan session 1
    Console(config)#
    Use this command to display the configuration settings for an RSPAN...
  • Page 770

    Chapter: Port Mirroring Commands | RSPAN Mirroring Commands
  • Page 771: Table 102: Rate Limit Commands

    RATE LIMIT COMMANDS
    This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 772

    Chapter: Rate Limit Commands
    actually be 100 Kbps, or 1/5 of the 500 Kbps limit set by the storm control command. It is therefore not advisable to use both of these commands on the same interface.
    ◆ See the description of effective rate limiting in the Command Usage...
  • Page 773: Table 103: Atc Commands

    AUTOMATIC TRAFFIC CONTROL COMMANDS
    Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
    Table 103: ATC Commands
    Command | Function | Mode
    Threshold Commands
    auto-traffic-control apply-timer | Sets the time at which to apply the control...
  • Page 774: Automatic Traffic Control Commands

    Chapter: Automatic Traffic Control Commands
    Table 103: ATC Commands (Continued)
    Command | Function | Mode
    snmp-server enable port-traps atc multicast-control-apply | Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires | IC (Port)
    snmp-server enable... | Sends a trap when multicast traffic falls beneath...
  • Page 775: Figure 306: Storm Control By Shutting Down A Port

    Chapter: Automatic Traffic Control Commands
    expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
    ◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
  • Page 776: Threshold Commands

    Chapter: Automatic Traffic Control Commands | Threshold Commands
    Threshold Commands
    auto-traffic-control apply-timer: This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting.
    SYNTAX:
    auto-traffic-control {broadcast | multicast} apply-timer seconds
    no auto-traffic-control {broadcast | multicast} apply-timer...
  • Page 777: Auto-Traffic-Control

    Chapter: Automatic Traffic Control Commands | Threshold Commands
    seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 1-900 seconds)
    DEFAULT SETTING: 900 seconds
    COMMAND MODE: Global Configuration
    COMMAND USAGE: This command sets the delay after which the control response can be terminated.
  • Page 778: Auto-Traffic-Control Action

    Chapter: Automatic Traffic Control Commands | Threshold Commands
    EXAMPLE: This example enables automatic storm control for broadcast traffic on port
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast
    Console(config-if)#
    auto-traffic-control action: This command sets the control action to limit ingress traffic or shut down the offending port.
  • Page 779: Auto-Traffic-Control Alarm-Clear-Threshold

    Chapter: Automatic Traffic Control Commands | Threshold Commands
    EXAMPLE: This example sets the control response for broadcast traffic on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast action shutdown
    Console(config-if)#
    auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer...
  • Page 780: Auto-Traffic-Control Alarm-Fire-Threshold

    Chapter: Automatic Traffic Control Commands | Threshold Commands
    EXAMPLE: This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
    Console(config-if)#
    auto-traffic-control alarm-fire-threshold: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.
  • Page 781: Auto-Traffic-Control Auto-Control-Release

    Chapter: Automatic Traffic Control Commands | Threshold Commands
    auto-traffic-control auto-control-release: This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.
    SYNTAX:
    auto-traffic-control {broadcast | multicast} auto-control-release
    broadcast - Specifies automatic storm control for broadcast traffic.
    multicast - Specifies automatic storm control for multicast traffic.
  • Page 782: Snmp Trap Commands

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast control-release interface ethernet 1/1
    Console#(config-if)
    SNMP Trap Commands
    snmp-server enable port-traps atc: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
  • Page 783: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Apply

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-fire
    Console(config-if)#
    RELATED COMMANDS: auto-traffic-control alarm-fire-threshold (780)
    snmp-server enable port-traps atc broadcast-control-apply: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
  • Page 784: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Clear

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#snmp-server enable port-traps atc broadcast-control-release
    Console(config-if)#
    RELATED COMMANDS: auto-traffic-control alarm-clear-threshold (779), auto-traffic-control action (778), auto-traffic-control release-timer (776)
    snmp-server enable port-traps atc multicast-alarm-clear: This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered.
  • Page 785: Snmp-Server Enable Port-Traps Atc Multicast-Control-Apply

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#snmp-server enable port-traps atc multicast-alarm-fire
    Console(config-if)#
    RELATED COMMANDS: auto-traffic-control alarm-fire-threshold (780)
    snmp-server enable port-traps atc multicast-control-apply: This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
  • Page 786: Atc Display Commands

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#snmp-server enable port-traps atc multicast-control-release
    Console(config-if)#
    RELATED COMMANDS: auto-traffic-control alarm-clear-threshold (779), auto-traffic-control action (778), auto-traffic-control release-timer (776)
    ATC Display Commands
    show auto-traffic-control: This command shows global configuration settings for automatic storm control.
  • Page 787: Automatic Traffic Control Commands

    EXAMPLE:
    Console#show auto-traffic-control interface ethernet 1/1
    Eth 1/1 Information
    ------------------------------------------------------------------------
    Storm Control: Broadcast Multicast
    State: Disabled Disabled
    Action: rate-control rate-control
    Auto Release Control: Disabled Disabled
    Alarm Fire Threshold(Kpps): 128
    Alarm Clear Threshold(Kpps):128
    Trap Storm Fire: Disabled Disabled...
  • Page 789: Table 104: Address Table Commands

    ADDRESS TABLE COMMANDS
    These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
    Table 104: Address Table Commands
    Command | Function | Mode
    mac-address-table aging-time | Sets the aging time of the address table
    mac-address-table static | Maps a static address to a port in a VLAN...
  • Page 790: Mac-Address-Table Static

    EXAMPLE:
    Console(config)#mac-address-table aging-time 100
    Console(config)#
    mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
    SYNTAX:
    mac-address-table static mac-address interface interface vlan vlan-id [action]
    no mac-address-table static mac-address vlan vlan-id
    mac-address - MAC address.
  • Page 791: Clear Mac-Address-Table Dynamic

    EXAMPLE:
    Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
    Console(config)#
    clear mac-address-table dynamic: This command removes any learned entries from the forwarding database.
    DEFAULT SETTING: None
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#clear mac-address-table dynamic
    Console#
    This command shows classes of entries in the bridge-forwarding database.
  • Page 792: Show Mac-Address-Table Aging-Time

    COMMAND USAGE:
    ◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
    ■ Learn - Dynamic address entries
    ■ Config - Static entry...
  • Page 793: Show Mac-Address-Table Count

    show mac-address-table count: This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
    SYNTAX:
    show mac-address-table count interface interface
    interface
    ethernet unit/port
    unit - Unit identifier....
  • Page 795: Table 105: Spanning Tree Commands

    SPANNING TREE COMMANDS
    This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
    Table 105: Spanning Tree Commands
    Command | Function | Mode
    spanning-tree | Enables the spanning tree protocol
    spanning-tree cisco-prestandard | Configures spanning tree operation to be compatible...
  • Page 796: Spanning-Tree

    Table 105: Spanning Tree Commands (Continued)
    Command | Function | Mode
    spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for a port
    spanning-tree mst cost | Configures the path cost of an instance in the MST
    spanning-tree mst port-priority | Configures the priority of an instance in the MST...
  • Page 797: Spanning-Tree Cisco-Prestandard

    EXAMPLE: This example shows how to enable the Spanning Tree Algorithm for the switch:
    Console(config)#spanning-tree
    Console(config)#
    spanning-tree cisco-prestandard: This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
    [no] spanning-tree cisco-prestandard
    DEFAULT...
  • Page 798: Spanning-Tree Hello-Time

    COMMAND USAGE: This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 799: Spanning-Tree Max-Age

    spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
    SYNTAX:
    spanning-tree max-age seconds
    no spanning-tree max-age
    seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 800

    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ Spanning Tree Protocol
    This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 801: Spanning-Tree Pathcost Method

    spanning-tree pathcost method: This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
    SYNTAX:
    spanning-tree pathcost method {long | short}
    no spanning-tree pathcost method
    long - Specifies 32-bit based values that range from 1-200,000,000.
  • Page 802: Spanning-Tree Mst Configuration

    COMMAND MODE: Global Configuration
    COMMAND USAGE: Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 803: Max-Hops

    COMMAND MODE: Global Configuration
    COMMAND USAGE: This command limits the maximum transmission rate for BPDUs.
    EXAMPLE:
    Console(config)#spanning-tree transmission-limit 4
    Console(config)#
    max-hops: This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
    SYNTAX:
    max-hops hop-number
    hop-number - Maximum hop number for multiple spanning tree.
  • Page 804: Mst Priority

    mst priority: This command configures the priority of a spanning tree instance. Use the no form to restore the default.
    SYNTAX:
    mst instance-id priority priority
    no mst instance-id priority
    instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
    priority - Priority of a spanning tree instance.
  • Page 805: Name

    COMMAND MODE: MST Configuration
    COMMAND USAGE:
    ◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 806: Revision

    EXAMPLE:
    Console(config-mstp)#name R&D
    Console(config-mstp)#
    RELATED COMMANDS: revision (806)
    revision: This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
    SYNTAX:
    revision number
    number - Revision number of the spanning tree.
  • Page 807: Spanning-Tree Bpdu-Guard

    COMMAND USAGE:
    ◆ This command filters all Bridge Protocol Data Units (BPDUs) that would otherwise be transmitted on an interface to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.
  • Page 808: Table 106: Recommended Sta Path Cost Range

    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree edge-port
    Console(config-if)#spanning-tree bpdu-guard
    Console(config-if)#
    RELATED COMMANDS: spanning-tree edge-port (809), spanning-tree spanning-disabled (816)
    spanning-tree cost: This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
    SYNTAX:
    spanning-tree cost cost
    no spanning-tree cost...
  • Page 809: Spanning-Tree Edge-Port

    COMMAND USAGE:
    ◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 810: Spanning-Tree Link-Type

    spanning-tree link-type: This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
    SYNTAX:
    spanning-tree link-type {auto | point-to-point | shared}
    no spanning-tree link-type
    auto - Automatically derived from the duplex mode setting.
  • Page 811: Spanning-Tree Loopback-Detection Action

    COMMAND USAGE:
    ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
    ◆ Port Loopback Detection will not be active if Spanning Tree is disabled...
  • Page 812: Spanning-Tree Loopback-Detection Release-Mode

    spanning-tree loopback-detection release-mode: This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
    SYNTAX:
    spanning-tree loopback-detection release-mode {auto | manual}
    no spanning-tree loopback-detection release-mode
    auto - Allows a port to automatically be released from the...
  • Page 813: Spanning-Tree Loopback-Detection Trap

    spanning-tree loopback-detection trap: This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
    SYNTAX:
    [no] spanning-tree loopback-detection trap
    DEFAULT SETTING: Disabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree loopback-detection trap...
  • Page 814: Spanning-Tree Mst Port-Priority

    ◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
    ◆ Use the no spanning-tree mst cost command to specify auto-...
  • Page 815: Spanning-Tree Port-Priority

    RELATED COMMANDS: spanning-tree mst cost (813)
    spanning-tree port-priority: This command configures the priority for the specified interface. Use the no form to restore the default.
    SYNTAX:
    spanning-tree port-priority priority
    no spanning-tree port-priority
    priority - The priority for a port. (Range: 0-240, in steps of 16)
    DEFAULT SETTING
    COMMAND...
  • Page 816: Spanning-Tree Spanning-Disabled

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE:
    ◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
    ◆ When Root Guard is enabled, and the switch receives a superior BPDU...
  • Page 817: Spanning-Tree Loopback-Detection Release

    spanning-tree loopback-detection release: This command manually releases a port placed in discarding state by loopback-detection.
    SYNTAX:
    spanning-tree loopback-detection release interface
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-26)
    port-channel channel-id (Range: 1-12)
    COMMAND MODE: Privileged Exec...
  • Page 818: Show Spanning-Tree

    EXAMPLE:
    Console#spanning-tree protocol-migration eth 1/5
    Console#
    show spanning-tree: This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).
    SYNTAX:
    show spanning-tree [interface | mst [instance-id]]
    interface...
  • Page 819: Spanning Tree Commands

    EXAMPLE:
    Console#show spanning-tree
    Spanning Tree Information
    ---------------------------------------------------------------
    Spanning Tree Mode : MSTP
    Spanning Tree Enabled/Disabled : Enabled
    Instance
    VLANs Configured : 1-4093
    Priority : 32768
    Bridge Hello Time (sec.)
    Bridge Max. Age (sec.) : 20
    Bridge Forward Delay (sec.) : 15
    Root Hello Time (sec.)...
  • Page 820: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration: This command shows the configuration of the multiple spanning tree.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show spanning-tree mst configuration
    Mstp Configuration Information
    --------------------------------------------------------------
    Configuration Name : R&D
    Revision Level
    Instance VLANs
    --------------------------------------------------------------
    1-4093
    Console#
  • Page 821: Table 108: Vlan Commands

    VLAN COMMANDS
    A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 822: Table 109: Gvrp And Bridge Extension Commands

    GVRP AND BRIDGE EXTENSION COMMANDS
    GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 823: Garp Timer

    garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
    SYNTAX:
    garp timer {join | leave | leaveall} timer-value
    no garp timer {join | leave | leaveall}
    {join | leave | leaveall} - Timer to set.
  • Page 824: Switchport Forbidden Vlan

    switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
    SYNTAX:
    switchport forbidden vlan {add vlan-list | remove vlan-list}
    no switchport forbidden vlan
    add vlan-list - List of VLAN identifiers to add.
  • Page 825: Show Bridge-Ext

    COMMAND USAGE: GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport gvrp
    Console(config-if)#
    show bridge-ext: This command shows the configuration for bridge extension commands.
    DEFAULT SETTING...
  • Page 826: Show Gvrp Configuration

    DEFAULT SETTING: Shows all GARP timers.
    COMMAND MODE: Normal Exec, Privileged Exec
    EXAMPLE:
    Console#show garp timer ethernet 1/1
    Eth 1/ 1 GARP timer status:
    Join Timer: 20 centiseconds
    Leave Timer: 60 centiseconds
    Leaveall Timer: 1000 centiseconds
    Console#
    RELATED...
  • Page 827: Table 110: Commands For Editing Vlan Groups

    EDITING VLAN GROUPS
    Table 110: Commands for Editing VLAN Groups
    Command | Function | Mode
    vlan database | Enters VLAN database mode to add, change, and delete VLANs
    vlan | Configures a VLAN, including VID, name and state
    This command enters VLAN database mode.
  • Page 828: Vlan

    vlan: This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
    SYNTAX:
    vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
    no vlan vlan-id [name | state]
    vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
  • Page 829: Table 111: Commands For Configuring Vlan Interfaces

    EXAMPLE: The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
    Console(config)#vlan database
    Console(config-vlan)#vlan 105 name RD5 media ethernet
    Console(config-vlan)#
    RELATED COMMANDS: show vlan (835)
    CONFIGURING VLAN INTERFACES...
  • Page 830: Switchport Acceptable-Frame-Types

    EXAMPLE: The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.254 255.255.255.0
    Console(config-if)#
    RELATED COMMANDS: shutdown (736), interface (730)
  • Page 831: Switchport Allowed Vlan

    switchport allowed vlan: This command configures VLAN groups on the selected interface. Use the no form to restore the default.
    SYNTAX:
    switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
    no switchport allowed vlan
    add vlan-list - List of VLAN identifiers to add.
  • Page 832: Switchport Ingress-Filtering

    switchport ingress-filtering: This command enables ingress filtering for an interface. Use the no form to restore the default.
    SYNTAX:
    [no] switchport ingress-filtering
    DEFAULT SETTING: Disabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: Ingress filtering only affects tagged frames.
  • Page 833: Switchport Native Vlan

    the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
    DEFAULT SETTING: Access mode, with the PVID set to VLAN 1.
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: Access mode is mutually exclusive with VLAN trunking (see the vlan-...
  • Page 834: Vlan-Trunking

    EXAMPLE: The following example shows how to set the PVID for port 1 to VLAN 3:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport native vlan 3
    Console(config-if)#
    vlan-trunking: This command allows unknown VLAN groups to pass through the specified interface.
  • Page 835: Table 112: Commands For Displaying Vlan Information

    VLAN Commands | Displaying VLAN Information
    interface, then that interface cannot be set to access mode, and vice versa.
    ◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
  • Page 836: Table 113: 802.1Q Tunneling Commands

    VLAN Commands | Configuring IEEE 802.1Q Tunneling
    DEFAULT SETTING: Shows all VLANs.
    COMMAND MODE: Normal Exec, Privileged Exec
    EXAMPLE: The following example shows how to display information for VLAN 1:
    Console#show vlan id 1
    VLAN ID:
    Type: Static
    Name: DefaultVlan
    Status: Active
    Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
  • Page 837: Dot1Q-Tunnel System-Tunnel-Control

    General Configuration Guidelines for QinQ
    1. Configure the switch to QinQ mode (dot1q-tunnel system-tunnel-control).
    2. Create a SPVLAN (vlan).
    3. Configure the QinQ tunnel access port to dot1Q-tunnel access mode (switchport dot1q-tunnel mode).
    4. Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 838: Switchport Dot1Q-Tunnel Mode

    COMMAND USAGE: QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
    EXAMPLE:
    Console(config)#dot1q-tunnel system-tunnel-control
    Console(config)#
    RELATED COMMANDS: show dot1q-tunnel (840), show interfaces switchport (742)
    switchport dot1q-tunnel mode: This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
  • Page 839: Switchport Dot1Q-Tunnel Tpid

    RELATED COMMANDS: show dot1q-tunnel (840), show interfaces switchport (742)
    switchport dot1q-tunnel tpid: This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
    SYNTAX:
    switchport dot1q-tunnel tpid tpid...
  • Page 840: Table 114: Commands For Configuring Traffic Segmentation

    VLAN Commands | Configuring Port-based Traffic Segmentation
    show dot1q-tunnel: This command displays information about QinQ tunnel ports.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console(config)#dot1q-tunnel system-tunnel-control
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport dot1q-tunnel mode access
    Console(config-if)#interface ethernet 1/2
    Console(config-if)#switchport dot1q-tunnel mode uplink
    Console(config-if)#end
    Console#show dot1q-tunnel
    Current double-tagged status of the system is Enabled
    The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
  • Page 841: Show Traffic-Segmentation

    DEFAULT SETTING:
    Disabled globally
    No segmented port groups are defined.
    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s).
  • Page 842: Table 115: Protocol-Based Vlan Commands

    Ethernet 1/8
    Console#
    CONFIGURING PROTOCOL-BASED VLANS
    The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 843: Protocol-Vlan Protocol-Group (Configuring Groups)

    protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
    SYNTAX:
    protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
    no protocol-vlan protocol-group group-id
    group-id - Group identifier of this protocol group.
  • Page 844: Show Protocol-Vlan Protocol-Group

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE:
    ◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 845: Show Interfaces Protocol-Vlan Protocol-Group

    EXAMPLE: This shows protocol group 1 configured for IP over Ethernet:
    Console#show protocol-vlan protocol-group
    Protocol Group ID Frame Type Protocol Type
    ------------------ ------------- ---------------
    ethernet 08 00
    Console#
    show interfaces protocol-vlan protocol-group: This command shows the mapping from protocol groups to VLANs for the selected interfaces.
  • Page 846: Table 116: Ip Subnet Vlan Commands

    CONFIGURING IP SUBNET VLANS
    When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
  • Page 847: Show Subnet-Vlan

    is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
    ◆ The IP subnet cannot be a broadcast or multicast IP address...
  • Page 848: Table 117: Mac Based Vlan Commands

    CONFIGURING MAC BASED VLANS
    When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table.
  • Page 849: Table 118: Voice Vlan Commands

    VLAN Commands | Configuring Voice VLANs
    ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
    EXAMPLE: The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
  • Page 850: Voice Vlan

    Table 118: Voice VLAN Commands (Continued)
    Command | Function | Mode
    switchport voice vlan rule | Sets the automatic VoIP traffic detection method for ports
    switchport voice vlan security | Enables Voice VLAN security on ports
    show voice vlan | Displays Voice VLAN settings
    voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN...
  • Page 851: Voice Vlan Aging

    voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default.
    SYNTAX:
    voice vlan aging minutes
    no voice vlan
    minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
    DEFAULT SETTING...
  • Page 852: Voice Vlan Mac-Address

    voice vlan mac-address: This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.
    SYNTAX:
    voice vlan mac-address mac-address mask mask-address [description description]
    no voice vlan mac-address mac-address mask mask-address
    mac-address - Defines a MAC address OUI that identifies VoIP...
  • Page 853: Switchport Voice Vlan

    switchport voice vlan: This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
    SYNTAX:
    switchport voice vlan {manual | auto}
    no switchport voice vlan
    manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 854: Switchport Voice Vlan Rule

    COMMAND MODE: Interface Configuration
    COMMAND USAGE: Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
    EXAMPLE: The following example sets the CoS priority to 5 on port 1.
  • Page 855: Switchport Voice Vlan Security

    EXAMPLE: The following example enables the OUI method on port 1 for detecting VoIP traffic.
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport voice vlan rule oui
    Console(config-if)#
    switchport voice vlan security: This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
  • Page 856

    DEFAULT SETTING: None
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show voice vlan status
    Global Voice VLAN Status
    Voice VLAN Status : Enabled
    Voice VLAN ID : 1234
    Voice VLAN aging time : 1440 minutes
    Voice VLAN Port Summary
    Port Mode Security Rule...
  • Page 857: Table 119: Priority Commands

    CLASS OF SERVICE COMMANDS
    The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 858: Queue Mode

    Class of Service Commands | Priority Commands (Layer 2)
    queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
  • Page 859: Queue Weight

    response time for software applications assigned a specific priority value.
    ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing.
  • Page 860: Switchport Priority Default

    Class of Service Commands | Priority Commands (Layer 2)
    EXAMPLE: The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3.
    Console(config)#queue weight 1 2 3 4
    Console(config)#
    RELATED COMMANDS: queue mode (858), show queue weight (861)
  • Page 861: Show Queue Mode

    Class of Service Commands | Priority Commands (Layer 2)
    EXAMPLE: The following example shows how to set a default priority on port 3 to 5:
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport priority default 5
    Console(config-if)#
    RELATED COMMANDS: show interfaces switchport (742)
    This command shows the current queue mode.
  • Page 862: Table 121: Priority Commands (Layer 3 And 4)

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    PRIORITY COMMANDS (LAYER 3 AND 4)
    This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
    Table 121: Priority Commands (Layer 3 and 4)
    Command Function Mode...
  • Page 863: Table 122: Default Mapping Of Cos/Cfi To Internal Phb/Drop Precedence

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    DEFAULT SETTING:
    Table 122: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
    (0,0) (0,0)
    (1,0) (1,0)
    (2,0) (2,0)
    (3,0) (3,0)
    (4,0) (4,0)
    (5,0) (5,0)
    (6,0) (6,0)
    (7,0) (7,0)
    COMMAND MODE: Interface Configuration (Port, Static Aggregation)
    COMMAND...
  • Page 864: Table 123: Default Mapping Of Dscp Values To Internal Phb/Drop Values

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    qos map dscp-mutation: This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
    SYNTAX: qos map dscp-mutation phb drop-precedence from dscp0 ...
  • Page 865: Table 124: Mapping Internal Per-Hop Behavior To Hardware Queues

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
    ◆ Random Early Detection starts dropping yellow and red packets when...
  • Page 866: Qos Map Trust-Mode

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#qos map phb-queue 0 from 1 2 3
    Console(config-if)#
    qos map trust-mode: This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
  • Page 867: Show Qos Map Cos-Dscp

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    show qos map cos-dscp: This command shows ingress CoS/CFI to internal DSCP map.
    SYNTAX: show qos map cos-dscp
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show qos map cos-dscp
    CoS-DSCP Map. (x,y),x: phb,y: drop precedence:
    : CFI
    ---------------------------------
    (0,0)...
  • Page 868: Show Qos Map Phb-Queue

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    (7,0) (7,1) (7,0) (7,3)
    Console#
    show qos map phb-queue: This command shows internal per-hop behavior to hardware queue map.
    SYNTAX: show qos map phb-queue
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show qos map phb-queue
    phb-queue map:
    phb:...
  • Page 869: Table 125: Quality Of Service Commands

    QUALITY OF SERVICE COMMANDS
    The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 870: Class-Map

    Quality of Service Commands
    To create a service policy for a specific category of ingress traffic, follow these steps:
    1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
    2. Use the match command to select a specific type of traffic based on an...
  • Page 871: Description

    Quality of Service Commands
    COMMAND USAGE:
    ◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. One or more class maps can be assigned to a policy map (page 873).
  • Page 872: Match

    Quality of Service Commands
    match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
    SYNTAX: [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
    acl-name - Name of the access control list.
  • Page 873: Rename

    Quality of Service Commands
    This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
    Console(config)#class-map rd-class#2 match-any
    Console(config-cmap)#match ip precedence 5
    Console(config-cmap)#
    This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
  • Page 874: Class

    Quality of Service Commands
    COMMAND USAGE:
    ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
    ◆ A policy map can contain multiple class statements that can be applied...
  • Page 875: Police Flow

    Quality of Service Commands
    ■ set ip dscp command sets the IP DSCP value in matching packets. (This modifies packet priority in the IP header.)
    ■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
    Up to 16 classes can be included in a policy map.
  • Page 876

    Quality of Service Commands
    COMMAND MODE: Policy Map Class Configuration
    COMMAND USAGE:
    ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
    ◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
    ◆ Policing is based on a token bucket, where bucket depth (i.e., the...
  • Page 877: Police Srtcm-Color

    Quality of Service Commands
    police srtcm-color: This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
    SYNTAX: [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate action {drop | new-dscp}...
  • Page 878

    Quality of Service Commands
    ◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE).
    ◆ The PHB label is composed of five bits, three bits for per-hop behavior,...
  • Page 879: Police Trtcm-Color

    Quality of Service Commands
    EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst...
  • Page 880

    Quality of Service Commands
    violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.)
    drop - Drops packet as required by exceed-action or violate-action.
    transmit - Transmits without taking any action.
  • Page 881

    Quality of Service Commands
    When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:
    ■ If Tp(t)-B < 0, the packet is red, else
    ■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else...
  • Page 882

    Quality of Service Commands
    COMMAND USAGE:
    ◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
    ◆ The set cos and set phb command function at the same level of...
  • Page 883

    Quality of Service Commands
    EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set ip dscp command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 884: Service-Policy

    Quality of Service Commands
    EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 885: Show Class-Map

    Quality of Service Commands
    show class-map: This command displays the QoS class maps which define matching criteria used for classifying traffic.
    SYNTAX: show class-map [class-map-name]
    class-map-name - Name of the class map. (Range: 1-32 characters)
    DEFAULT SETTING: Displays all class maps.
    COMMAND MODE: Privileged Exec
    EXAMPLE...
  • Page 886: Show Policy-Map Interface

    Quality of Service Commands
    Description:
    class rd-class
    set phb 3
    Console#show policy-map rd-policy class rd-class
    Policy Map rd-policy
    class rd-class
    set phb 3
    Console#
    show policy-map interface: This command displays the service policy assigned to the specified interface.
    SYNTAX: show policy-map interface interface input
    interface...
  • Page 887: Table 126: Multicast Filtering Commands

    MULTICAST FILTERING COMMANDS
    This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 888

    Multicast Filtering Commands | IGMP Snooping
    Table 127: IGMP Snooping Commands (Continued)
    Command Function Mode
    ip igmp snooping unregistered-data-flood: Floods unregistered multicast traffic into the attached VLAN
    ip igmp snooping unsolicited-report-interval: Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled)
    ip igmp snooping version...
  • Page 889: Ip Igmp Snooping

    Multicast Filtering Commands | IGMP Snooping
    ip igmp snooping: This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it.
    SYNTAX: [no] ip igmp snooping [vlan vlan-id]
    vlan-id - VLAN ID (Range: 1-4093)
    DEFAULT SETTING: Disabled...
  • Page 890: Ip Igmp Snooping Querier

    Multicast Filtering Commands | IGMP Snooping
    COMMAND USAGE:
    ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
  • Page 891: Ip Igmp Snooping Router-Port-Expire-Time

    Multicast Filtering Commands | IGMP Snooping
    DEFAULT SETTING: Disabled
    COMMAND MODE: Global Configuration
    COMMAND USAGE: As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DOS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with the Maximum Response...
  • Page 892: Ip Igmp Snooping Tcn-Flood

    Multicast Filtering Commands | IGMP Snooping
    ip igmp snooping tcn-flood: This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
    SYNTAX: [no] ip igmp snooping tcn-flood
    DEFAULT SETTING: Disabled...
  • Page 893: Ip Igmp Snooping Tcn-Query-Solicit

    Multicast Filtering Commands | IGMP Snooping
    EXAMPLE: The following example enables TCN flooding.
    Console(config)#ip igmp snooping tcn-flood
    Console(config)#
    ip igmp snooping tcn-query-solicit: This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs.
  • Page 894: Ip Igmp Snooping Unsolicited-Report-Interval

    Multicast Filtering Commands | IGMP Snooping
    COMMAND MODE: Global Configuration
    COMMAND USAGE: Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
  • Page 895: Ip Igmp Snooping Version

    Multicast Filtering Commands | IGMP Snooping
    ip igmp snooping version: This command configures the IGMP snooping version. Use the no form to restore the default.
    SYNTAX:
    ip igmp snooping [vlan vlan-id] version {1 | 2 | 3}
    no ip igmp snooping version
    vlan-id - VLAN ID (Range: 1-4093)
    1 - IGMP Version 1
    2 - IGMP Version 2...
  • Page 896: Ip Igmp Snooping Vlan General-Query-Suppression

    Multicast Filtering Commands | IGMP Snooping
    DEFAULT SETTING: Global: Disabled; VLAN: Disabled
    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
  • Page 897

    Multicast Filtering Commands | IGMP Snooping
    ip igmp snooping vlan immediate-leave: This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
    SYNTAX: [no] ip igmp snooping vlan vlan-id immediate-leave...
  • Page 898: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    Multicast Filtering Commands | IGMP Snooping
    ip igmp snooping vlan last-memb-query-count: This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
  • Page 899

    Multicast Filtering Commands | IGMP Snooping
    COMMAND USAGE:
    ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific query message, and starts a timer.
  • Page 900: Ip Igmp Snooping Vlan Mrd

    Multicast Filtering Commands | IGMP Snooping
    messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
    ◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
  • Page 901: Ip Igmp Snooping Vlan Query-Interval

    Multicast Filtering Commands | IGMP Snooping
    Rules Used for Proxy Reporting
    When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set. When IGMP Proxy Reporting is enabled, the source address is based on the following criteria:
    ◆...
  • Page 902: Ip Igmp Snooping Vlan Query-Resp-Intvl

    Multicast Filtering Commands | IGMP Snooping
    ◆ This command applies when the switch is serving as the querier (page 890), or as a proxy host when IGMP snooping proxy reporting is enabled (page 889).
    EXAMPLE:
    Console(config)#ip igmp snooping vlan 1 proxy-query-interval 150
    Console(config)#
    ip igmp snooping vlan query-resp-intvl: This command configures the maximum time the system waits for a...
  • Page 903

    Multicast Filtering Commands | IGMP Snooping
    ip igmp snooping vlan static: This command adds a port to a multicast group. Use the no form to remove the port.
    SYNTAX: [no] ip igmp snooping vlan vlan-id static ip-address interface
    vlan-id - VLAN ID (Range: 1-4093)
    ip-address - IP address for multicast group
    interface
    ethernet unit/port...
  • Page 904: Show Ip Igmp Snooping

    Multicast Filtering Commands | IGMP Snooping
    EXAMPLE: The following shows the current IGMP snooping configuration:
    Console#show ip igmp snooping
    IGMP snooping : Disabled
    Router port expire time : 300 s
    Router alert check : Disabled
    Tcn flood : Disabled
    Tcn query solicit : Disabled
    Unregistered data flood...
  • Page 905: Show Ip Igmp Snooping Group

    Multicast Filtering Commands | IGMP Snooping
    EXAMPLE: The following shows the ports in VLAN 1 which are attached to multicast routers.
    Console#show ip igmp snooping mrouter vlan 1
    VLAN M'cast Router Ports Type
    ---- ------------------- -------
    Eth 1/11 Static
    Console#
    show ip igmp snooping group: This command shows known multicast group, source, and host port...
  • Page 906: Table 128: Static Multicast Interface Commands

    Multicast Filtering Commands | Static Multicast Routing
    STATIC MULTICAST ROUTING
    This section describes commands used to configure static multicast routing on the switch.
    Table 128: Static Multicast Interface Commands
    Command Function Mode
    ip igmp snooping vlan mrouter: Adds a multicast router port
    show ip igmp snooping Shows multicast router ports...
  • Page 907: Table 129: Igmp Filtering And Throttling Commands

    Multicast Filtering Commands | IGMP Filtering and Throttling
    EXAMPLE: The following shows how to configure port 11 as a multicast router port within VLAN 1.
    Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11
    Console(config)#
    IGMP FILTERING AND THROTTLING
    In certain switch applications, the administrator may want to control the multicast services that are available to end users.
  • Page 908: Ip Igmp Profile

    Multicast Filtering Commands | IGMP Filtering and Throttling
    COMMAND USAGE:
    ◆ IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses;...
  • Page 909: Permit, Deny

    Multicast Filtering Commands | IGMP Filtering and Throttling
    permit, deny: This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
    SYNTAX: {permit | deny}
    DEFAULT SETTING: Deny
    COMMAND MODE: IGMP Profile Configuration
    COMMAND USAGE: Each profile has only one access mode;...
  • Page 910: Ip Igmp Filter (Interface Configuration)

    Multicast Filtering Commands | IGMP Filtering and Throttling
    EXAMPLE:
    Console(config)#ip igmp profile 19
    Console(config-igmp-profile)#range 239.1.1.1
    Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
    Console(config-igmp-profile)#
    ip igmp filter (Interface Configuration): This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
    SYNTAX...
  • Page 911: Ip Igmp Max-Groups Action

    Multicast Filtering Commands | IGMP Filtering and Throttling
    DEFAULT SETTING
    COMMAND MODE: Interface Configuration (Ethernet)
    COMMAND USAGE:
    ◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions;...
  • Page 912: Show Ip Igmp Filter

    Multicast Filtering Commands | IGMP Filtering and Throttling
    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip igmp max-groups action replace
    Console(config-if)#
    show ip igmp filter: This command displays the global and interface settings for IGMP filtering.
    SYNTAX: show ip igmp filter [interface interface]
    interface
    ethernet unit/port
    unit - Unit identifier.
  • Page 913: Show Ip Igmp Throttle Interface

    Multicast Filtering Commands | IGMP Filtering and Throttling
    EXAMPLE:
    Console#show ip igmp profile
    IGMP Profile 19
    IGMP Profile 50
    Console#show ip igmp profile 19
    IGMP Profile 19
    Deny
    Range 239.1.1.1 239.1.1.1
    Range 239.2.3.1 239.2.3.100
    Console#
    show ip igmp throttle interface: This command displays the interface settings for IGMP throttling.
    SYNTAX...
  • Page 914: Table 130: Multicast Vlan Registration Commands

    Multicast Filtering Commands | Multicast VLAN Registration
    MULTICAST VLAN REGISTRATION
    This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network.
  • Page 915

    Multicast Filtering Commands | Multicast VLAN Registration
    DEFAULT SETTING: MVR is disabled. No MVR group address is defined. The default number of contiguous addresses is 0. MVR VLAN ID is 1.
    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    ◆ Use the mvr group command to statically configure all multicast group...
  • Page 916: Mvr Type

    Multicast Filtering Commands | Multicast VLAN Registration
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE:
    ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the...
  • Page 917: Mvr Vlan Group

    Multicast Filtering Commands | Multicast VLAN Registration
    ◆ Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN. IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN.
  • Page 918: Show Mvr

    Multicast Filtering Commands | Multicast VLAN Registration
    COMMAND USAGE:
    ◆ Multicast groups can be statically assigned to a receiver port using this command.
    ◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
  • Page 919: Table 131: Show Mvr - Display Description

    Multicast Filtering Commands | Multicast VLAN Registration
    EXAMPLE: The following shows the global MVR settings:
    Console#show mvr
    MVR Config Status : Enabled
    MVR Running Status : Active
    MVR Multicast VLAN
    MVR Group Address : 225.0.0.5
    MVR Group Count : 10
    Console#
    Table 131: show mvr - display description
    Field...
  • Page 920: Table 133: Show Mvr Members - Display Description

    Multicast Filtering Commands | Multicast VLAN Registration
    The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
    Console#show mvr members
    MVR Forwarding Entry Count:1
    Group Address Source Address VLAN Forwarding Port
    ------------- -------------- ---- --------------
    225.0.0.9...
  • Page 921: Table 134: Lldp Commands

    LLDP COMMANDS
    Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 922

    LLDP Commands
    Table 134: LLDP Commands (Continued)
    Command Function Mode
    lldp basic-tlv system-name: Configures an LLDP-enabled port to advertise its system name
    lldp dot1-tlv proto-ident: Configures an LLDP-enabled port to advertise the supported protocols
    lldp dot1-tlv proto-vid: Configures an LLDP-enabled port to advertise port related VLAN information
    lldp dot1-tlv pvid...
  • Page 923: Lldp

    LLDP Commands
    lldp: This command enables LLDP globally on the switch. Use the no form to disable LLDP.
    SYNTAX: [no] lldp
    DEFAULT SETTING: Enabled
    COMMAND MODE: Global Configuration
    EXAMPLE:
    Console(config)#lldp
    Console(config)#
    This command configures the time-to-live (TTL) value sent in LLDP advertisements.
  • Page 924: Lldp Med-Fast-Start-Count

    LLDP Commands
    lldp med-fast-start-count: This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
    SYNTAX: lldp med-fast-start-count packets
    seconds - Amount of packets. (Range: 1-10 packets; Default: 4 packets)
    DEFAULT SETTING...
  • Page 925: Lldp Refresh-Interval

    LLDP Commands
    should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
    EXAMPLE:
    Console(config)#lldp notification-interval 30
    Console(config)#
    lldp refresh-interval: This command configures the periodic transmit interval for LLDP advertisements.
  • Page 926: Lldp Tx-Delay

    LLDP Commands
    COMMAND USAGE: When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
    EXAMPLE:
    Console(config)#lldp reinit-delay 10
    Console(config)#
    lldp tx-delay: This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 927: Lldp Admin-Status

    LLDP Commands
    lldp admin-status: This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
    SYNTAX:
    lldp admin-status {rx-only | tx-only | tx-rx}
    no lldp admin-status
    rx-only - Only receive LLDP PDUs.
  • Page 928: Lldp Basic-Tlv Port-Description

    LLDP Commands
    enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
    ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
  • Page 929: Lldp Basic-Tlv System-Capabilities

    LLDP Commands
    lldp basic-tlv system-capabilities: This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
    SYNTAX: [no] lldp basic-tlv system-capabilities
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: The system capabilities identifies the primary function(s) of the system and...
  • Page 930: Lldp Basic-Tlv System-Name

    LLDP Commands
    lldp basic-tlv system-name: This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
    SYNTAX: [no] lldp basic-tlv system-name
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: The system name is taken from the sysName object in RFC 3418, which...
  • Page 931: Lldp Dot1-Tlv Proto-Vid

    LLDP Commands
    lldp dot1-tlv proto-vid: This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature.
    SYNTAX: [no] lldp dot1-tlv proto-vid
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: This option advertises the port-based protocol VLANs configured on this...
  • Page 932: Lldp Dot1-Tlv Vlan-Name

    LLDP Commands
    lldp dot1-tlv vlan-name: This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
    SYNTAX: [no] lldp dot1-tlv vlan-name
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: This option advertises the name of all VLANs to which this interface has...
  • Page 933: Lldp Dot3-Tlv Max-Frame

    LLDP Commands
    lldp dot3-tlv max-frame: This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
    SYNTAX: [no] lldp dot3-tlv max-frame
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: Refer to...
  • Page 934: Table 135: Lldp Med Location Ca Types

    LLDP Commands
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE:
    ◆ Use this command without any keywords to advertise location identification details.
    ◆ Use the ca-type to advertise the physical location of the device, that is the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776.
  • Page 935: Lldp Med-Notification

    LLDP Commands
    Console(config-if)#lldp med-location civic-addr 18 Avenue
    Console(config-if)#lldp med-location civic-addr 19 320
    Console(config-if)#lldp med-location civic-addr 27 5
    Console(config-if)#lldp med-location civic-addr 28 509B
    Console(config-if)#lldp med-location civic-addr country US
    Console(config-if)#lldp med-location civic-addr what 2
    Console(config-if)#
    lldp med-notification: This command enables the transmission of SNMP trap notifications about LLDP-MED changes.
  • Page 936: Lldp Med-Tlv Ext-Poe

    LLDP Commands
    lldp med-tlv ext-poe: This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature.
    SYNTAX: [no] lldp med-tlv ext-poe
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE...
  • Page 937: Lldp Med-Tlv Location

    LLDP Commands
    lldp med-tlv location: This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
    SYNTAX: [no] lldp med-tlv location
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: This option advertises location identification details.
  • Page 938: Lldp Med-Tlv Network-Policy

    LLDP Commands
    lldp med-tlv network-policy: This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
    SYNTAX: [no] lldp med-tlv network-policy
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: This option advertises network policy configuration information, aiding in...
  • Page 939: Show Lldp Config

    LLDP Commands
    ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
  • Page 940: Show Lldp Info Local-Device

    LLDP Commands
    Console#show lldp config detail ethernet 1/1
    LLDP Port Configuration Detail
    Port : Eth 1/1
    Admin Status : Tx-Rx
    Notification Enabled : True
    Basic TLVs Advertised:
    port-description
    system-name
    system-description
    system-capabilities
    management-ip-address
    802.1 specific TLVs Advertised:
    *port-vid
    *vlan-name
    *proto-vlan
    *proto-ident
    802.3 specific TLVs Advertised:...
  • Page 941: Show Lldp Info Remote-Device

    Console#show lldp info local-device
    LLDP Local System Information
     Chassis Type : MAC Address
     Chassis ID : 00-01-02-03-04-05
     System Name ECS3510-26P
     System Description Managed FE POE Switch
     System Capabilities Support : Bridge
     System Capabilities Enabled : Bridge
     Management Address : 192.168.0.101 (IPv4)
  • Page 942

    COMMAND MODE: Privileged Exec
    EXAMPLE: Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
    Console#show lldp info remote-device
    LLDP Remote Devices Information
     Interface Chassis ID Port ID...
  • Page 943: Show Lldp Info Statistics

    show lldp info statistics
    This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
    SYNTAX: show lldp info statistics [detail interface]
    detail - Shows configuration summary.
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number....
  • Page 945: Table 136: Address Table Commands

    DOMAIN NAME SERVICE COMMANDS
    These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server...
  • Page 946: Ip Domain-Lookup

    CHAPTER | Domain Name Service Commands
    COMMAND MODE: Global Configuration
    COMMAND USAGE
    ◆ Domain names are added to the end of the list one at a time.
    ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 947: Ip Domain-Name

    ◆ If all name servers are deleted, DNS will automatically be disabled.
    EXAMPLE: This example enables DNS and then displays the configuration.
    Console(config)#ip domain-lookup
    Console(config)#end
    Console#show dns
    Domain Lookup Status:
     DNS Enabled
    Default Domain Name:
     sample.com
    Domain Name List:
     sample.com.jp...
  • Page 948

    Name Server List:
    Console#
    RELATED COMMANDS: ip domain-list (945), ip name-server (949), ip domain-lookup (946)
    ip host
    This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.
    SYNTAX: [no] ip host name address
    name - Name of an IPv4 host....
  • Page 949: Ip Name-Server

    ip name-server
    This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
    SYNTAX: [no] ip name-server server-address1 [server-address2 … server-address6]
    server-address1 - IPv4 or IPv6 address of domain-name server....
  • Page 950: Ipv6 Host

    ipv6 host
    This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
    SYNTAX: [no] ipv6 host name ipv6-address
    name - Name of an IPv6 host....
  • Page 951: Clear Host

    clear host
    This command deletes dynamic entries from the DNS table.
    SYNTAX: clear host {name | *}
    name - Name of the host. (Range: 1-100 characters)
    * - Removes all entries.
    DEFAULT SETTING: None
    COMMAND MODE: Privileged Exec
    COMMAND...
  • Page 952: Table 137: Show Dns Cache - Display Description

    show dns cache
    This command displays entries in the DNS cache.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show dns cache
    Flag Type IP Address Domain
    ------- ------- ------- --------------- ------- --------
    4 Host 209.131.36.158 115 www-real.wa1.b.yahoo.com
    4 CNAME POINTER TO:3 115 www.yahoo.com...
  • Page 953: Table 138: Show Hosts - Display Description

    Table 138: show hosts - display description
    Field Description
    The entry number for each resource record.
    Flag - The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache.
    Type - This field includes “Address”...
  • Page 955: Table 139: Dhcp Commands

    DHCP COMMANDS
    These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions.
    Table 139: DHCP Commands
    Command Group Function
    DHCP Client - Allows interfaces to dynamically acquire IP address information
    DHCP CLIENT
    Use the commands in this section to allow the switch’s VLAN interfaces to dynamically acquire IP address information....
  • Page 956: Ip Dhcp Restart Client

    CHAPTER | DHCP Commands
    DHCP for IPv4
    hex - A hexadecimal value. (Range: 1-64 characters)
    DEFAULT SETTING: Class identifier option enabled, with the name Edge-Core
    COMMAND MODE: Interface Configuration (VLAN)
    COMMAND USAGE: Use this command without a keyword to restore the default setting....
  • Page 957: Dhcp For Ipv6

    DHCP for IPv6
    ◆ If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain.
    EXAMPLE: In the following example, the device is reassigned the same address.
    Console(config)#interface vlan 1
    Console(config-if)#ip address dhcp
    Console(config-if)#exit...
  • Page 958: Ipv6 Dhcp Restart Client Vlan

    specified interface will include the rapid commit option in all solicit messages.
    EXAMPLE:
    Console(config)#ipv6 dhcp client rapid-commit vlan 2
    Console(config)#
    ipv6 dhcp restart client vlan
    This command submits a DHCPv6 client request.
    SYNTAX: ipv6 dhcp restart client vlan vlan-id
    vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers...
  • Page 959: Show Ip Dhcp Client-Identifier

    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show ip dhcp client-identifier
    Interface mode client-identifier
    --------- ---- -----------------
    VLAN1     TEXT Edge-Core
    VLAN2     TEXT bill
    VLAN3     TEXT steve
    Console#
    show ipv6 dhcp duid
    This command shows the DHCP Unique Identifier for this switch.
    COMMAND MODE: Privileged Exec...
  • Page 960: Show Ipv6 Dhcp Vlan

    EXAMPLE:
    Console#show ipv6 dhcp duid
    DHCPv6 Unique Identifier (DUID): 0001-0001-4A8158B4-00E00C0000FD
    Console#
    show ipv6 dhcp vlan
    This command shows DHCPv6 information for the specified interface(s).
    SYNTAX: show ipv6 dhcp vlan vlan-id
    vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
  • Page 961: Table 141: Ip Interface Commands

    IP INTERFACE COMMANDS
    An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 962: Table 143: Basic Ip Configuration Commands

    CHAPTER | IP Interface Commands
    IPv4 Interface
    BASIC IP CONFIGURATION
    This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
    Table 143: Basic IP Configuration Commands
    Command Function Mode
    ip address - Sets the IP address for the current interface
    ip default-gateway - Defines the default gateway through which this router can reach other subnetworks...
  • Page 963: Ip Default-Gateway

    ◆ If bootp or dhcp options are selected, the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP. IP is enabled but will not function until a BOOTP or DHCP reply has been received....
  • Page 964: Show Ip Default-Gateway

    EXAMPLE: The following example defines a default gateway for this device:
    Console(config)#ip default-gateway 10.1.1.254
    Console(config)#
    RELATED COMMANDS: ip address (962), ipv6 default-gateway (971)
    show ip default-gateway
    This command shows the IPv4 default gateway configured for this device.
    DEFAULT...
  • Page 965: Show Ip Traffic

    show ip traffic
    This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show ip traffic
    IP Statistics:
    IP received
     7845 total received
     header errors
     unknown protocols
     address errors
     discards
     7845 delivers...
  • Page 966: Traceroute

    input errors
    9897 output
    Console#
    traceroute
    This command shows the route packets take to the specified destination.
    SYNTAX: traceroute host
    host - IP address or alias of the host.
    DEFAULT SETTING: None
    COMMAND MODE: Privileged Exec
    COMMAND USAGE...
  • Page 967: Ping

    EXAMPLE:
    Console#traceroute 192.168.0.1
    Press "ESC" to abort.
    Traceroute to 192.168.0.1, 30 hops max, timeout is 3 seconds
    Hop Packet 1 Packet 2 Packet 3 IP Address
    --- -------- -------- -------- ---------------
    20 ms <10 ms <10 ms 192.168.0.1
    Trace completed....
  • Page 968: Table 144: Address Resolution Protocol Commands

    If necessary, local devices can also be specified in the DNS static host table (page 948).
    EXAMPLE:
    Console#ping 10.1.0.9
    Type ESC to abort.
    PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms...
  • Page 969: Clear Arp-Cache

    COMMAND USAGE
    ◆ When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
    ◆ The aging time determines how long dynamic entries remain in the...
  • Page 970: Table 145: Ipv6 Configuration Commands

    IPv6 Interface
    EXAMPLE: This example displays all entries in the ARP cache.
    Console#show arp
    ARP Cache Timeout: 1200 (seconds)
    IP Address      MAC Address       Type      Interface
    --------------- ----------------- --------- -----------
    10.1.0.0        FF-FF-FF-FF-FF-FF other     VLAN1
    10.1.0.254      00-00-AB-CD-00-00 other     VLAN1
    10.1.0.255      FF-FF-FF-FF-FF-FF other...
  • Page 971: Interface Address Configuration And Utilities

    Table 145: IPv6 Configuration Commands (Continued)
    Command Function Mode
    Neighbor Discovery
    clear ipv6 neighbors - Deletes all dynamic entries in the IPv6 neighbor discovery cache
    show ipv6 neighbors - Displays information in the IPv6 neighbor discovery cache
    Interface Address Configuration and Utilities
    This command sets an IPv6 default gateway to use when the destination is...
  • Page 972: Ipv6 Address

    EXAMPLE: The following example defines a default gateway for this device:
    Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780
    Console(config)#
    RELATED COMMANDS: show ipv6 default-gateway (979), ip default-gateway (963)
    ipv6 address
    This command configures an IPv6 global unicast address and enables IPv6 on an interface.
  • Page 973: Ipv6 Address Autoconfig

    EXAMPLE: This example specifies a full IPv6 address and prefix length.
    Console(config)#interface vlan 1
    Console(config-if)#ipv6 address 2001:DB8:2222:7272::72/96
    Console(config-if)#end
    Console#show ipv6 interface
    VLAN 1 is up
    IPv6 is enabled, AUTOCONFIG is disabled
    Link-Local Address:
     FE80::B60E:DCFF:FE34:E63C/64
    Global Unicast Address(es):...
  • Page 974: Ipv6 Address Eui-64

    ◆ If a duplicate address is detected, a warning message is sent to the console.
    ◆ When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration. If the router advertisements have the “other stateful configuration”...
  • Page 975

    DEFAULT SETTING: No IPv6 addresses are defined
    COMMAND MODE: Interface Configuration (VLAN)
    COMMAND USAGE
    ◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields....
  • Page 976: Ipv6 Address Link-Local

    EXAMPLE: This example uses the network prefix of 2001:0DB8:0:1::/64, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address.
    Console(config)#interface vlan 1
    Console(config-if)#ipv6 address 2001:0DB8:0:1::/64 eui-64
    Console(config-if)#end
    Console#show ipv6 interface
    VLAN 1 is up...
  • Page 977: Ipv6 Enable

    ◆ The address specified with this command replaces a link-local address that was automatically generated for the interface.
    ◆ You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
    ◆ If a duplicate address is detected, a warning message is sent to the...
  • Page 978: Ipv6 Mtu

    COMMAND USAGE
    ◆ This command enables IPv6 on the current VLAN interface and automatically generates a link-local unicast address. The address prefix uses FE80, and the host portion of the address is generated by converting the switch’s MAC address to modified EUI-64 format (see page 974)....
  • Page 979: Show Ipv6 Default-Gateway

    DEFAULT SETTING: 1500 bytes
    COMMAND MODE: Interface Configuration (VLAN)
    COMMAND USAGE
    ◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented....
  • Page 980: Table 146: Show Ipv6 Interface - Display Description

    show ipv6 interface
    This command displays the usability and configured settings for IPv6 interfaces.
    SYNTAX: show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]
    brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface....
  • Page 981: Show Ipv6 Mtu

    Table 146: show ipv6 interface - display description (Continued)
    Field Description
    Link-local address - Shows the link-local address assigned to this interface
    Global unicast address(es) - Shows the global unicast address(es) assigned to this interface
    Joined group - In addition to the unicast addresses assigned to an interface, a host is also...
  • Page 982: Table 147: Show Ipv6 Mtu - Display Description

    EXAMPLE: The following example shows the MTU cache for this device:
    Console#show ipv6 mtu
    Since Destination Address
    1400 00:04:21 5000:1::3
    1280 00:04:50 FE80::203:A0FF:FED6:141D
    Console#
    Table 147: show ipv6 mtu - display description
    Field Description
    Adjusted MTU contained in the ICMP packet-too-big message returned...
  • Page 983: Show Ipv6 Traffic

    show ipv6 traffic
    This command displays statistics about IPv6 traffic passing through this switch.
    COMMAND MODE: Normal Exec, Privileged Exec
    EXAMPLE: The following example shows statistics for all IPv6 unicast and multicast traffic, as well as ICMP, UDP and TCP statistics:
    Console#show ipv6 traffic
    IPv6 Statistics:...
  • Page 984: Table 149: Show Ipv6 Traffic - Display Description

    0 neighbor advertisement messages
    0 redirect messages
    0 group membership response messages
    0 group membership reduction messages
    UDP Statistics:
    0 input
    0 no port errors
    0 other errors
    0 output
    Console#
    Table 149: show ipv6 traffic - display description
    Field...
  • Page 985

    Table 149: show ipv6 traffic - display description (Continued)
    Field Description
    reassembly failed - The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are...
  • Page 986

    Table 149: show ipv6 traffic - display description (Continued)
    Field Description
    redirect messages - The number of Redirect messages received by the interface.
    group membership query messages - The number of ICMPv6 Group Membership Query messages received by the interface.
  • Page 987: Clear Ipv6 Traffic

    Table 149: show ipv6 traffic - display description (Continued)
    Field Description
    other errors - The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port....
  • Page 988: Neighbor Discovery

    Neighbor Discovery
    COMMAND USAGE
    ◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
    ◆ The same link-local address may be used by different interfaces/nodes...
  • Page 989: Table 150: Show Ipv6 Neighbors - Display Description

    show ipv6 neighbors
    This command displays information in the IPv6 neighbor discovery cache.
    SYNTAX: show ipv6 neighbors [vlan vlan-id | ipv6-address]
    vlan-id - VLAN ID (Range: 1-4093)
    ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,”...
  • Page 990

    Table 150: show ipv6 neighbors - display description (Continued)
    Field Description
    State - The following states are used for dynamic entries:
    INCMP (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message....
  • Page 991

    SECTION: APPENDICES
    This section provides additional information and includes these items:
    ◆ "Software Specifications" on page 993
    ◆ "Troubleshooting" on page 997
    ◆ "License Information" on page 999
  • Page 993

    SOFTWARE SPECIFICATIONS
    SOFTWARE FEATURES
    MANAGEMENT AUTHENTICATION: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping
    CLIENT ACCESS CONTROL: Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard
    CONFIGURATION:
    100BASE-TX: 10/100 Mbps, half/full duplex
    100BASE-FX: 100 Mbps at full duplex (SFP)...
  • Page 994: Management Features

    APPENDIX | Software Specifications
    Management Features
    VLAN SUPPORT: Up to 256 groups; port-based, protocol-based, tagged (802.1Q), private VLANs, voice VLANs, IP subnet, MAC-based, GVRP for automatic VLAN learning
    CLASS OF SERVICE:
    Supports four levels of priority
    Strict, Shaped Deficit Weighted Round Robin, or strict-WRR queuing
    Layer 3/4 priority mapping: IP DSCP
    QUALITY OF...
    DiffServ (IPv4/v6) supports class maps, policy maps, and service policies
  • Page 995: Standards

    STANDARDS
    IEEE 802.1AB Link Layer Discovery Protocol
    IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities
     Spanning Tree Protocol
     Rapid Spanning Tree Protocol
     Multiple Spanning Tree Protocol
    IEEE 802.1p Priority tags
    IEEE 802.1Q VLAN
    IEEE 802.1v Protocol-based VLANs
    IEEE 802.1X Port Authentication
    IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet...
  • Page 996: Management Information Bases

    Management Information Bases
    Extensible SNMP Agents MIB (RFC 2742)
    Forwarding Table MIB (RFC 2096)
    IGMP MIB (RFC 2933)
    Interface Group MIB (RFC 2233)
    Interfaces Evolution MIB (RFC 2863)
    IP Multicasting related MIBs
    IPV6-MIB (RFC 2065)
    IPV6-ICMP-MIB (RFC 2066)
    IPV6-TCP-MIB (RFC 2052)
    IPV6-UDP-MIB (RFC 2054)
    Link Aggregation MIB (IEEE 802.3ad)...
  • Page 997: Table 151: Troubleshooting Chart

    TROUBLESHOOTING
    PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
    Table 151: Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software
    Action:
    ◆ Be sure the switch is powered up.
    ◆ Check network cabling between the management station and the switch.
    ◆ Check that you have a valid network connection to the switch...
  • Page 998: Using System Logs

    APPENDIX | Troubleshooting
    USING SYSTEM LOGS
    If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
    Enable logging....
  • Page 999: The Gnu General Public License

    LICENSE INFORMATION
    This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
  • Page 1000: License Information

    APPENDIX | License Information
    The GNU General Public License
    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
    This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 1001

    Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
  • Page 1002

    If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
