Digisol DG-GS4528SE Management Manual


Management Guide
MUSTANG 4000 SWITCH SERIES
DG-GS4500SE Series
28 Port Layer 2+Gigabit Ethernet Switch
MANAGEMENT GUIDE
V1.0
2013-10-01
As our products undergo continuous development the specifications are subject to change without prior notice


Summary of Contents for Digisol DG-GS4528SE

  • Page 1 Management Guide MUSTANG 4000 SWITCH SERIES DG-GS4500SE Series 28 Port Layer 2+Gigabit Ethernet Switch MANAGEMENT GUIDE V1.0 2013-10-01 As our products undergo continuous development the specifications are subject to change without prior notice...
  • Page 2 MANAGEMENT GUIDE DG-GS4528SE GIGABIT ETHERNET SWITCH Layer 2+ Gigabit Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports...
  • Page 3: About This Guide

    ABOUT THIS GUIDE PURPOSE This guide gives specific information on how to operate and use the management functions of the switch. AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 4: Table Of Contents

    CONTENTS ABOUT THIS GUIDE CONTENTS FIGURES TABLES SECTION I GETTING STARTED INTRODUCTION Key Features Description of Software Features IP Routing Address Resolution Protocol System Defaults INITIAL SWITCH CONFIGURATION Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Downloading a Configuration File Referenced by a DHCP Server...
  • Page 5: Contents

    CONTENTS Connecting to the Web Interface Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu BASIC MANAGEMENT TASKS Displaying System Information Displaying Hardware/Software Versions Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting The Start-Up File...
  • Page 6 CONTENTS Performing Cable Diagnostics Trunk Configuration Configuring a Static Trunk Configuring a Dynamic Trunk Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Saving Power Sampling Traffic Flows Configuring sFlow Global Settings Configuring sFlow Interface Settings Traffic Segmentation...
  • Page 7 CONTENTS Configuring MAC Address Mirroring SPANNING TREE ALGORITHM Overview Configuring Loopback Detection Configuring Global Settings for STA Displaying Global Settings for STA Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP CONGESTION CONTROL Rate Limiting...
  • Page 8 CONTENTS AAA (Authentication, Authorization and Accounting) Configuring Local/Remote Logon Authentication Configuring Remote Logon Authentication Servers Configuring AAA Accounting Configuring AAA Authorization Configuring User Accounts Web Authentication Configuring Global Settings for Web Authentication Configuring Interface Settings for Web Authentication Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports Configuring Port Link Detection...
  • Page 9 CONTENTS Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Configuring Interface Settings for ARP Inspection Displaying ARP Inspection Statistics Displaying the ARP Inspection Log Filtering IP Addresses for Management Access Configuring Port Security Configuring 802.1X Port Authentication Configuring 802.1X Global Settings Configuring Port Authenticator Settings for 802.1X Configuring Port Supplicant Settings for 802.1X...
  • Page 10 CONTENTS Setting the Local Engine ID Specifying a Remote Engine ID Setting SNMPv3 Views Configuring SNMPv3 Groups Setting Community Access Strings Configuring Local SNMPv3 Users Configuring Remote SNMPv3 Users Specifying Trap Managers Creating SNMP Notification Logs Showing SNMP Statistics Remote Monitoring Configuring RMON Alarms Configuring RMON Events Configuring RMON History Samples...
  • Page 11 CONTENTS Displaying Remote MEPs Displaying Details for Remote MEPs Displaying the Link Trace Cache Displaying Fault Notification Settings Displaying Continuity Check Errors OAM Configuration Enabling OAM on Local Ports Displaying Statistics for OAM Messages Displaying the OAM Event Log Displaying the Status of Remote Interfaces Configuring a Remote Loop Back Test Displaying Results of Remote Loop Back Testing 15 M...
  • Page 12 CONTENTS Configuring MVR6 Domain Settings Configuring MVR6 Group Address Profiles Configuring MVR6 Interface Status Assigning Static MVR6 Multicast Groups to Interfaces Displaying MVR6 Receiver Groups Displaying MVR6 Statistics 16 IP CONFIGURATION Setting the Switch’s IP Address (IP Version 4) Setting the Switch’s IP Address (IP Version 6) Configuring the IPv6 Default Gateway Configuring IPv6 Interface Settings...
  • Page 13 CONTENTS Configuring IP Routing Interfaces Configuring Local and Remote Interfaces Using the Ping Function Using the Trace Route Function Address Resolution Protocol Basic ARP Configuration Configuring Static ARP Addresses Displaying Dynamic or Local ARP Entries Displaying ARP Statistics Configuring Static Routes Displaying the Routing Table 19 UNICAST...
  • Page 14 CONTENTS Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Showing Status Information CLI Command Groups 21 GENERAL COMMANDS prompt reload (Global Configuration) enable quit show history...
  • Page 15 CONTENTS banner configure note show banner System Status show access-list tcam-utilization show memory show process cpu show running-config show startup-config show system show tech-support show users show version show watchdog watchdog software Frame Size jumbo frame File Management General Commands boot system copy delete...
  • Page 16 CONTENTS login parity password password-thresh silent-time speed stopbits timeout login response disconnect terminal show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email...
  • Page 17 CONTENTS ntp client ntp server show ntp Manual Configuration Commands clock timezone calendar set show calendar Time Range time-range absolute periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 23 SNMP COMMANDS General SNMP Commands...
  • Page 18 CONTENTS show snmp engine-id show snmp group show snmp user show snmp view Notification Log Commands snmp-server notify-filter show nlm oper-status show snmp notify-filter Additional Trap Commands memory process cpu 24 REMOTE MONITORING COMMANDS rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events...
  • Page 19 CONTENTS privilege show privilege Authentication Sequence authentication enable authentication login RADIUS Client radius-server acct-port radius-server auth-port radius-server host radius-server key radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server host tacacs-server key tacacs-server port tacacs-server retransmit tacacs-server timeout show tacacs-server aaa accounting commands aaa accounting dot1x aaa accounting exec...
  • Page 20 CONTENTS ip http secure-port ip http secure-server Telnet Server ip telnet max-sessions ip telnet port ip telnet server show ip telnet Secure Shell ip ssh authentication-retries ip ssh server ip ssh server-key size ip ssh timeout delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh...
  • Page 21 CONTENTS Supplicant Commands dot1x identity profile dot1x max-start dot1x pae supplicant dot1x timeout auth-period dot1x timeout held-period dot1x timeout start-period Information Display Commands show dot1x Management IP Filter management show management PPPoE Intermediate Agent pppoe intermediate-agent pppoe intermediate-agent format-type pppoe intermediate-agent port-enable pppoe intermediate-agent port-format-type pppoe intermediate-agent trust pppoe intermediate-agent vendor-tag strip...
  • Page 22 CONTENTS network-access link-detection link-up-down network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count clear network-access show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary...
  • Page 23 CONTENTS ipv6 dhcp snooping vlan ipv6 dhcp snooping max-binding ipv6 dhcp snooping trust clear ipv6 dhcp snooping binding clear ipv6 dhcp snooping database flash show ipv6 dhcp snooping show ipv6 dhcp snooping binding show ipv6 dhcp snooping statistics IP Source Guard ip source-guard binding ip source-guard ip source-guard max-binding...
  • Page 24 CONTENTS show dos-protection 28 ACCESS CONTROL LISTS IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list IPv6 ACLs access-list ipv6 permit, deny (Standard IPv6 ACL) permit, deny (Extended IPv6 ACL) show ipv6 access-list ipv6 access-group show ipv6 access-group...
  • Page 25 CONTENTS flowcontrol media-type negotiation shutdown speed-duplex switchport packet-rate clear counters show interfaces brief show interfaces counters show interfaces status show interfaces switchport show interfaces transceiver Cable Diagnostics test cable-diagnostics show cable-diagnostics Power Savings power-save show power-save 30 LINK AGGREGATION COMMANDS Manual Configuration Commands port channel load-balance channel-group...
  • Page 26 CONTENTS RSPAN Mirroring Commands rspan source 1000 rspan destination 1001 rspan remote vlan 1002 no rspan session 1003 show rspan 1004 32 RATE LIMIT COMMANDS 1005 rate-limit 1005 33 AUTOMATIC TRAFFIC CONTROL COMMANDS 1007 Threshold Commands 1010 auto-traffic-control apply-timer 1010 auto-traffic-control release-timer 1010...
  • Page 27 CONTENTS show loopback-detection 1026 35 UNIDIRECTIONAL LINK DETECTION COMMANDS 1029 udld message-interval 1029 udld aggressive 1030 udld port 1031 show udld 1032 36 ADDRESS TABLE COMMANDS 1035 mac-address-table aging-time 1035 mac-address-table static 1036 clear mac-address-table dynamic 1037 show mac-address-table 1037 show mac-address-table aging-time 1038...
  • Page 28 CONTENTS spanning-tree loopback-detection action 1058 spanning-tree loopback-detection release-mode 1059 spanning-tree loopback-detection trap 1060 spanning-tree mst cost 1060 spanning-tree mst port-priority 1061 spanning-tree port-bpdu-flooding 1062 spanning-tree port-priority 1062 spanning-tree root-guard 1063 spanning-tree spanning-disabled 1064 spanning-tree loopback-detection release 1064 spanning-tree protocol-migration 1065 show spanning-tree 1066 show spanning-tree mst configuration...
  • Page 29 CONTENTS erps forced-switch 1091 erps manual-switch 1093 show erps 1095 39 VLAN COMMANDS 1101 GVRP and Bridge Extension Commands 1102 bridge-ext gvrp 1102 garp timer 1103 switchport forbidden vlan 1104 switchport gvrp 1104 show bridge-ext 1105 show garp timer 1106 show gvrp configuration 1106...
  • Page 30 CONTENTS switchport vlan-translation 1128 show vlan-translation 1129 Configuring Port-based Traffic Segmentation 1130 traffic-segmentation 1130 traffic-segmentation session 1132 traffic-segmentation uplink/downlink 1132 traffic-segmentation uplink-to-uplink 1133 show traffic-segmentation 1134 Configuring Protocol-based VLANs 1134 protocol-vlan protocol-group (Configuring Groups) 1135 protocol-vlan protocol-group (Configuring Interfaces) 1136 show protocol-vlan protocol-group 1137 show interfaces protocol-vlan protocol-group...
  • Page 31 CONTENTS qos map cos-dscp 1154 qos map dscp-mutation 1156 qos map phb-queue 1157 qos map trust-mode 1158 show qos map cos-dscp 1159 show qos map dscp-mutation 1159 show qos map phb-queue 1160 show qos map trust-mode 1161 41 QUALITY OF SERVICE COMMANDS 1163...
  • Page 32 CONTENTS ip igmp snooping unsolicited-report-interval 1191 ip igmp snooping version 1192 ip igmp snooping version-exclusive 1192 ip igmp snooping vlan general-query-suppression 1193 ip igmp snooping vlan immediate-leave 1194 ip igmp snooping vlan last-memb-query-count 1195 ip igmp snooping vlan last-memb-query-intvl 1195 ip igmp snooping vlan mrd 1196 ip igmp snooping vlan proxy-address...
  • Page 33 CONTENTS mvr proxy-query-interval 1218 mvr priority 1219 mvr proxy-switching 1219 mvr robustness-value 1221 mvr source-port-mode dynamic 1221 mvr upstream-source-ip 1222 mvr vlan 1223 mvr immediate-leave 1223 mvr type 1224 mvr vlan group 1225 show mvr 1226 show mvr associated-profile 1227 show mvr interface 1228 show mvr members...
  • Page 34 CONTENTS lldp 1253 lldp holdtime-multiplier 1253 lldp med-fast-start-count 1254 lldp notification-interval 1254 lldp refresh-interval 1255 lldp reinit-delay 1255 lldp tx-delay 1256 lldp admin-status 1257 lldp basic-tlv management-ip-address 1257 lldp basic-tlv port-description 1258 lldp basic-tlv system-capabilities 1259 lldp basic-tlv system-description 1259 lldp basic-tlv system-name 1260 lldp dot1-tlv proto-ident...
  • Page 35 CONTENTS ethernet cfm ais ma 1281 ethernet cfm ais period 1282 ethernet cfm ais suppress alarm 1282 ethernet cfm domain 1283 ethernet cfm enable 1285 ma index name 1286 ma index name-format 1287 ethernet cfm mep 1288 ethernet cfm port-enable 1289 clear ethernet cfm ais mpid 1289...
  • Page 36 CONTENTS show ethernet cfm linktrace-cache 1310 Loopback Operations 1311 ethernet cfm loopback 1311 Fault Generator Operations 1312 mep fault-notify alarm-time 1312 mep fault-notify lowest-priority 1313 mep fault-notify reset-time 1315 show ethernet cfm fault-notify-generator 1315 Delay Measure Operations 1316 ethernet cfm delay-measure two-way 1316 45 OAM C 1319...
  • Page 37 CONTENTS show hosts 1336 47 DHCP COMMANDS 1339 DHCP Client 1339 DHCP for IPv4 1340 ip dhcp client class-id 1340 ip dhcp restart client 1341 DHCP for IPv6 1342 ipv6 dhcp client rapid-commit vlan 1342 ipv6 dhcp restart client vlan 1343 show ipv6 dhcp duid 1344...
  • Page 38 CONTENTS ipv6 address link-local 1367 ipv6 enable 1368 ipv6 mtu 1369 show ipv6 default-gateway 1370 show ipv6 interface 1370 show ipv6 mtu 1372 show ipv6 traffic 1373 clear ipv6 traffic 1377 ping6 1378 traceroute6 1379 Neighbor Discovery 1380 ipv6 hop-limit 1380 ipv6 nd dad attempts 1381...
  • Page 39 CONTENTS redistribute 1400 timers basic 1402 version 1403 ip rip authentication mode 1404 ip rip authentication string 1405 ip rip receive version 1405 ip rip receive-packet 1406 ip rip send version 1407 ip rip send-packet 1408 ip rip split-horizon 1408 clear ip rip route 1409 show ip protocols rip...
  • Page 40: Figures

    FIGURES Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 41 FIGURES Figure 32: Configuring Local Port Mirroring Figure 33: Configuring Local Port Mirroring Figure 34: Displaying Local Port Mirror Sessions Figure 35: Configuring Remote Port Mirroring Figure 36: Configuring Remote Port Mirroring (Source) Figure 37: Configuring Remote Port Mirroring (Intermediate) Figure 38: Configuring Remote Port Mirroring (Destination) Figure 39: Showing Port Statistics (Table) Figure 40: Showing Port Statistics (Chart)
  • Page 42 FIGURES Figure 68: Modifying Settings for Static VLANs Figure 69: Showing Static VLANs Figure 70: Configuring Static Members by VLAN Index Figure 71: Configuring Static VLAN Members by Interface Figure 72: Configuring Static VLAN Members by Interface Range Figure 73: Configuring Global Status of GVRP Figure 74: Configuring GVRP for an Interface Figure 75: Showing Dynamic VLANs Registered on the Switch Figure 76: Showing the Members of a Dynamic VLAN...
  • Page 43 FIGURES Figure 104: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree 231 Figure 105: Configuring Port Loopback Detection Figure 106: Configuring Global Settings for STA (STP) Figure 107: Configuring Global Settings for STA (RSTP) Figure 108: Configuring Global Settings for STA (MSTP) Figure 109: Displaying Global Settings for STA Figure 110: Configuring Interface Settings for STA Figure 111: STA Port Roles...
  • Page 44 FIGURES Figure 140: Adding Rules to a Class Map Figure 141: Showing the Rules for a Class Map Figure 142: Configuring a Policy Map Figure 143: Showing Policy Maps Figure 144: Adding Rules to a Policy Map Figure 145: Showing the Rules for a Policy Map Figure 146: Attaching a Policy Map to a Port Figure 147: Configuring a Voice VLAN Figure 148: Configuring an OUI Telephony List...
  • Page 45 FIGURES Figure 176: Configuring a MAC Address Filter for Network Access Figure 177: Showing the MAC Address Filter Table for Network Access Figure 178: Showing Addresses Authenticated for Network Access Figure 179: Configuring HTTPS Figure 180: Downloading the Secure-Site Certificate Figure 181: Configuring the SSH Server Figure 182: Generating the SSH Host Key Pair Figure 183: Showing the SSH Host Key Pair...
  • Page 46 FIGURES Figure 212: Configuring Global Settings for 802.1X Port Authentication Figure 213: Configuring Interface Settings for 802.1X Port Authenticator Figure 214: Configuring Interface Settings for 802.1X Port Supplicant Figure 215: Showing Statistics for 802.1X Port Authenticator Figure 216: Showing Statistics for 802.1X Port Supplicant Figure 217: Protecting Against DoS Attacks Figure 218: Setting the Filter Type for IP Source Guard Figure 219: Configuring Static Bindings for IP Source Guard...
  • Page 47 FIGURES Figure 248: Adding an OID Subtree to an SNMP View Figure 249: Showing the OID Subtree Configured for SNMP Views Figure 250: Creating an SNMP Group Figure 251: Showing SNMP Groups Figure 252: Setting Community Access Strings Figure 253: Showing Community Access Strings Figure 254: Configuring Local SNMPv3 Users Figure 255: Showing Local SNMPv3 Users Figure 256: Configuring Remote SNMPv3 Users...
  • Page 48 FIGURES Figure 284: Sub-ring without Virtual Channel Figure 285: Creating an ERPS Ring Figure 286: Creating an ERPS Ring Figure 287: Showing Configured ERPS Rings Figure 288: Blocking an ERPS Ring Port Figure 289: Single CFM Maintenance Domain Figure 290: Multiple CFM Maintenance Domains Figure 291: Configuring Global Settings for CFM Figure 292: Configuring Interfaces for CFM Figure 293: Configuring Maintenance Domains...
  • Page 49 FIGURES Figure 320: Multicast Filtering Concept Figure 321: Configuring General Settings for IGMP Snooping Figure 322: Configuring a Static Interface for a Multicast Router Figure 323: Showing Static Interfaces Attached to a Multicast Router Figure 324: Showing Current Interfaces Attached to a Multicast Router Figure 325: Assigning an Interface to a Multicast Service Figure 326: Showing Static Interfaces Assigned to a Multicast Service Figure 327: Configuring IGMP Snooping on a VLAN...
  • Page 50 FIGURES Figure 356: Configuring an MVR6 Group Address Profile Figure 357: Displaying MVR6 Group Address Profiles Figure 358: Assigning an MVR6 Group Address Profile to a Domain Figure 359: Showing MVR6 Group Address Profiles Assigned to a Domain Figure 360: Configuring Interface Settings for MVR6 Figure 361: Assigning Static MVR6 Groups to a Port Figure 362: Showing the Static MVR6 Groups Assigned to a Port Figure 363: Displaying MVR6 Receiver Groups...
  • Page 51 FIGURES Figure 392: Configuring Interface Settings for PPPoE Intermediate Agent Figure 393: Showing PPPoE Intermediate Agent Statistics Figure 394: Virtual Interfaces and Layer 3 Routing Figure 395: Pinging a Network Device Figure 396: Tracing the Route to a Network Device Figure 397: Proxy ARP Figure 398: Configuring General Settings for ARP Figure 399: Configuring Static ARP Entries...
  • Page 52 FIGURES Figure 428: Sub-ring without Virtual Channel 1086 Figure 429: Configuring VLAN Trunking 1115 Figure 430: Mapping QinQ Service VLAN to Customer VLAN 1121 Figure 431: Configuring VLAN Translation 1129...
  • Page 53: Tables

    TABLES Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Remote Device Configuration Information Table 11: Traffic Segmentation Forwarding...
  • Page 54 TABLES Table 32: ERPS Request/State Priority Table 33: Remote MEP Priority Levels Table 34: MEP Defect Descriptions Table 35: OAM Operation State Table 36: Remote Loopback Status Table 37: Show IPv6 Neighbors - display description Table 38: Show IPv6 Statistics - display description Table 39: Show MTU - display description Table 40: Options 60, 66 and 67 Statements Table 41: Options 55 and 124 Statements...
  • Page 55 TABLES Table 68: show snmp user - display description Table 69: show snmp view - display description Table 70: RMON Commands Table 71: sFlow Commands Table 72: Authentication Commands Table 73: User Access Commands Table 74: Default Login Settings Table 75: Authentication Sequence Commands Table 76: RADIUS Client Commands Table 77: TACACS+ Client Commands Table 78: AAA Commands...
  • Page 56 TABLES Table 104: ARP ACL Commands Table 105: ACL Information Commands Table 106: Interface Commands Table 107: show interfaces switchport - display description Table 108: Link Aggregation Commands Table 109: show lacp counters - display description Table 110: show lacp internal - display description Table 111: show lacp neighbors - display description Table 112: show lacp sysid - display description Table 113: Port Mirroring Commands...
  • Page 57 TABLES Table 140: Protocol-based VLAN Commands 1135 Table 141: IP Subnet VLAN Commands 1138 Table 142: MAC Based VLAN Commands 1140 Table 143: Voice VLAN Commands 1142 Table 144: Priority Commands 1149 Table 145: Priority Commands (Layer 2) 1149 Table 146: Priority Commands (Layer 3 and 4) 1154 Table 147: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence 1155...
  • Page 58 TABLES Table 176: show ethernet cfm maintenance-points remote detail - display description 1296 Table 177: show ethernet cfm errors - display description 1302 Table 178: show ethernet cfm linktrace-cache - display description 1310 Table 179: Remote MEP Priority Levels 1314 Table 180: MEP Defect Descriptions 1314 Table 181: show fault-notify-generator - display description 1316...
  • Page 59: Section I

    SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: "Introduction" on page 63 "Initial Switch Configuration"...
  • Page 60: Key Features

    INTRODUCTION This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 61: Description Of Software Features

    CHAPTER | Introduction: Description of Software Features Table 1: Key Features (Continued) Feature Description IP Version 4 and 6 Supports IPv4 and IPv6 addressing and management IEEE 802.1D Bridge Supports dynamic data switching and address learning Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames Spanning Tree Algorithm...
  • Page 62 CHAPTER | Introduction: Description of Software Features AUTHENTICATION This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+).
  • Page 63 CHAPTER | Introduction: Description of Software Features TRUNKING Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail.
  • Page 64 CHAPTER | Introduction: Description of Software Features to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
  • Page 65: IP Routing

    CHAPTER | Introduction: Description of Software Features IEEE 802.1Q TUNNELING This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 66: Address Resolution Protocol

    CHAPTER | Introduction: Description of Software Features Static Routing – Traffic is automatically routed between any IP interfaces configured on the switch. Routing to statically configured hosts or subnet addresses is provided based on next-hop entries specified in the static routing table.
  • Page 67: System Defaults

    CHAPTER | Introduction: System Defaults SYSTEM DEFAULTS The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults. Table 2: System Defaults Function Parameter...
  • Page 68 CHAPTER | Introduction: System Defaults Table 2: System Defaults (Continued) Function Parameter Default Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Port Trunking Static Trunks None LACP (all ports) Disabled Congestion Control Rate Limiting Disabled Storm Control Broadcast: Enabled (64 kbits/sec) Multicast: Disabled Unknown Unicast: Disabled...
  • Page 69 CHAPTER | Introduction: System Defaults Table 2: System Defaults (Continued) Function Parameter Default IP Settings Management VLAN VLAN 1 IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway Not configured DHCP Client: Enabled Proxy service: Disabled BOOTP Disabled ARP Enabled Cache Timeout: 20 minutes Proxy: Disabled Unicast Routing Disabled...
  • Page 70: Initial Switch Configuration

    INITIAL SWITCH CONFIGURATION This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 71: Required Connections

    CHAPTER | Initial Switch Configuration: Connecting to the Switch Control port access through IEEE 802.1X security or static address filtering; Filter packets using Access Control Lists (ACLs); Configure up to 4093 IEEE 802.1Q VLANs; Enable GVRP automatic VLAN registration; Configure IP routing for unicast traffic; Configure IGMP multicast filtering; Upload and download system firmware or configuration files via HTTP (using the web interface) or FTP/TFTP (using the command line or web...
  • Page 72: Remote Connections

    CHAPTER | Initial Switch Configuration: Connecting to the Switch Set the data format to 8 data bits, 1 stop bit, and no parity. Set flow control to none. Set the emulation mode to VT100. When using HyperTerminal, select Terminal keys, not Windows keys.
  • Page 73: Basic Configuration

    CHAPTER | Initial Switch Configuration: Basic Configuration BASIC CONFIGURATION CONSOLE CONNECTION The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
  • Page 74: Setting An IP Address

    CHAPTER | Initial Switch Configuration: Basic Configuration
    Username: admin
    Password:
    CLI session with the DG-GS4528SE is opened. To end the CLI session, enter [Exit].
    Console#configure
    Console(config)#username guest password 0 [password]
    Console(config)#username admin password 0 [password]
    Console(config)#
    SETTING AN IP ADDRESS You must establish IP address information for the switch to obtain management access through the network.
  • Page 75 CHAPTER | Initial Switch Configuration: Basic Configuration To assign an IPv4 address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask”...
  • Page 76 CHAPTER | Initial Switch Configuration: Basic Configuration
    Console(config)#interface vlan 1
    Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
    Console(config-if)#ipv6 enable
    Console(config-if)#end
    Console#show ipv6 interface
    VLAN 1 is up
    IPv6 is enabled.
    Link-local address: fe80::260:3eff:fe11:6700%1/64
    Global unicast address(es): (None)
    Joined group address(es): ff02::1:ff11:6700 ff02::1
    IPv6 link MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 3.
  • Page 77 CHAPTER | Initial Switch Configuration: Basic Configuration Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway”...
  • Page 78 CHAPTER | Initial Switch Configuration: Basic Configuration To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. At the interface-configuration mode prompt, use one of the following commands: To obtain IP settings via DHCP, type “ip address dhcp”...
  • Page 79 CHAPTER | Initial Switch Configuration: Basic Configuration
    Console(config)#interface vlan 1
    Console(config-if)#ipv6 enable
    Console(config-if)#end
    Console#show ipv6 interface
    VLAN 1 is up
    IPv6 is enabled.
    Link-local address: fe80::200:e8ff:fe94:4000%2/64
    Global unicast address(es): 2001:db8:2222:7273::/64, subnet is 2001:db8:2222:7273::/64
    Joined group address(es): ff02::1:ff94:4000 ff02::1:ff00:0 ff02::1
    IPv6 link MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 3.
  • Page 80: Downloading A Configuration File Referenced By A DHCP Server

    ff02::1:ff00:0 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console#...
  • Page 81: Table 3: Options 60, 66 And 67 Statements

    Note the following DHCP client behavior: The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten. If the name of the bootup configuration file is the same as the Factory Default Configuration file, the download procedure will be terminated, and the switch will not send any further DHCP client requests.
  • Page 82: Enabling Snmp Management Access

    The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.conf file). In the “Vendor class” section, the server will always send Option 66 and 67 to tell the switch to download the “test” configuration file from server 192.168.255.101.
  • Page 83 MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see "Setting SNMPv3 Views" on page 438). SNMP COMMUNITY STRINGS (VERSION 1 AND 2C CLIENTS) Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch.
  • Page 84 TRAP RECEIVERS You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...
  • Page 85: Managing System Files

    | Initial Switch Configuration | Managing System Files MANAGING SYSTEM FILES The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 86 contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup”...
  • Page 87: Section

    SECTION CONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 93 "Basic Management Tasks" on page 113 "Interface Configuration"...
  • Page 88: Using The Web Interface

    USING THE WEB INTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6.x or above, or Mozilla Firefox 3.6.2/4/5).
  • Page 89: Navigating The Web Browser Interface

    Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page This manual covers the DG-GS4528SE Gigabit Ethernet switch and the DG-GS4528FSE Gigabit Ethernet Fiber Switch. Other than the difference in port types, there are no other significant differences.
  • Page 90: Configuration Options

    DISPLAY set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Figure 2: Front Panel Indicators DG-GS4528SE DG-GS4528FSE...
  • Page 91: Main Menu

    | Using the Web Interface | Navigating the Web Browser Interface Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu Menu Description...
  • Page 92 Table 6: Switch Main Menu (Continued) Menu Description Page Show Information Displays port connection status Mirror Sets the source and target ports for mirroring Show Shows the configured mirror sessions Statistics Shows Interface, Etherlike, and RMON port statistics Chart...
  • Page 93 Table 6: Switch Main Menu (Continued) Menu Description Page Chart Shows Interface, Etherlike, and RMON port statistics Green Ethernet Adjusts the power provided to ports based on the length of the cable used to connect to other devices RSPAN Mirrors traffic from remote switches for analysis at a destination...
  • Page 94 Table 6: Switch Main Menu (Continued) Menu Description Page Show Shows the protocol groups mapped to each VLAN IP Subnet Maps IP subnet traffic to a VLAN Show Shows IP subnet to VLAN mapping MAC-Based Maps traffic with specified source MAC address to a VLAN Show...
  • Page 95 Table 6: Switch Main Menu (Continued) Menu Description Page Show Configures global settings for an MST instance Add Member Adds VLAN members for an MST instance Show Member Adds or deletes VLAN members for an MST instance Show Information Displays MSTP values used for the bridge Configure Interface...
  • Page 96 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Policy Creates a policy map to apply to multiple interfaces Show Shows configured policy maps Modify Modifies the name of a policy map Add Rule Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic...
  • Page 97 Table 6: Switch Main Menu (Continued) Menu Description Page Authorization Enables authorization of requested services Configure Method Configures authorization for various service types Show Shows the authorization settings used for various service types Configure Service Sets the authorization method used for the console port, and for Telnet...
  • Page 98 Table 6: Switch Main Menu (Continued) Menu Description Page Access Control Lists Configure Time Range Configures the time to apply an ACL Specifies the name of a time range Show Shows the name of configured time ranges Add Rule...
  • Page 99 Table 6: Switch Main Menu (Continued) Menu Description Page DoS Protection Protects against Denial-of-Service attacks IP Source Guard Filters IP traffic based on static entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table Port Configuration Enables IP source guard and selects filter type per port...
  • Page 100 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Engine Set Engine ID Sets the SNMP v3 engine ID on this switch Add Remote Engine Sets the SNMP v3 engine ID for a remote device Show Remote Engine Shows configured engine ID for remote devices Configure View...
  • Page 101 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Interface History Periodically samples statistics on a physical interface Statistics Enables collection of statistics on a physical interface Show History Shows sampling parameters for each entry in the history group Statistics...
  • Page 102 Table 6: Switch Main Menu (Continued) Menu Description Page Configure MEP Configures Maintenance End Points Configures MEPs at the domain boundary to provide management access for each maintenance association Show Shows list of configured maintenance end points Configure Remote MEP...
  • Page 103 Table 6: Switch Main Menu (Continued) Menu Description Page Ping Sends ICMP echo request packets to another node on the network Trace Route Shows the route packets take to the specified destination Address Resolution Protocol Configure General...
  • Page 104 Table 6: Switch Main Menu (Continued) Menu Description Page Add Domain Name Defines a list of domain names that can be appended to incomplete host names Show Domain Names Shows the configured domain name list Add Name Server Specifies IP address of name servers for dynamic lookup...
  • Page 105 Table 6: Switch Main Menu (Continued) Menu Description Page Interface Configure VLAN Configures IGMP snooping per VLAN interface Show VLAN Information Shows IGMP snooping settings per VLAN interface Configure Port Configures the interface to drop IGMP query packets or all multicast data packets Configure Trunk...
  • Page 106 Table 6: Switch Main Menu (Continued) Menu Description Page Show Statistics Show Query Statistics Shows statistics for query-related messages Show VLAN Statistics Shows statistics for protocol messages and number of active groups Show Port Statistics Shows statistics for protocol messages and number of active...
  • Page 107 Table 6: Switch Main Menu (Continued) Menu Description Page Network Sets the network interfaces that will use RIP Show Shows the network interfaces that will use RIP Passive Interface Stops RIP broadcast and multicast messages from being sent on specified network interfaces Show...
  • Page 108: Basic Management Tasks

    BASIC MANAGEMENT TASKS This chapter describes the following topics: Displaying System Information – Provides basic system description, including contact information. Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. Configuring Support for Jumbo Frames – Enables support for jumbo frames.
  • Page 109: Displaying System Information

    | Basic Management Tasks | Displaying System Information DISPLAYING SYSTEM INFORMATION Use the System > General page to identify the system by displaying information such as the device name, location and contact information. CLI REFERENCES "System Management Commands" on page 703 "SNMP Commands"...
  • Page 110: Displaying Hardware/Software Versions

    | Basic Management Tasks | Displaying Hardware/Software Versions DISPLAYING HARDWARE/SOFTWARE VERSIONS Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. CLI REFERENCES "System Management Commands"...
  • Page 111: Configuring Support For Jumbo Frames

    | Basic Management Tasks | Configuring Support for Jumbo Frames WEB INTERFACE To view hardware and software version information: Click System, then Switch. Figure 4: General Switch Information CONFIGURING SUPPORT FOR JUMBO FRAMES Use the System > Capability page to configure support for layer 2 jumbo frames.
  • Page 112: Displaying Bridge Extension Capabilities

    | Basic Management Tasks | Displaying Bridge Extension Capabilities WEB INTERFACE To configure support for jumbo frames: Click System, then Capability. Enable or disable support for jumbo frames. Click Apply. Figure 5: Configuring Support for Jumbo Frames DISPLAYING BRIDGE EXTENSION CAPABILITIES Use the System >...
  • Page 113 Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to "VLAN Configuration"...
  • Page 114: Managing System Files

    | Basic Management Tasks | Managing System Files MANAGING SYSTEM FILES This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. COPYING FILES VIA FTP/TFTP OR HTTP Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
  • Page 115 File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server.
  • Page 116: Saving The Running Configuration To A Local File

    Figure 7: Copy Firmware If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. SAVING THE RUNNING CONFIGURATION TO A LOCAL FILE Use the System > File (Copy) page to save the current configuration settings to a local file on the switch.
  • Page 117: Setting The Start-Up File

    WEB INTERFACE To save the running configuration file: Click System, then File. Select Copy from the Action list. Select Running-Config from the Copy Type list. Select the current startup file on the switch to overwrite or specify a new file name.
  • Page 118: Showing System Files

    Figure 9: Setting Start-Up Files To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. SHOWING SYSTEM FILES Use the System > File (Show) page to show the files in the system directory, or to delete a file.
  • Page 119: Automatic Operation Code Upgrade

    AUTOMATIC OPERATION CODE UPGRADE Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
  • Page 120 Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image. If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
  • Page 121 ftp://[username[:password@]]host[/filedir]/ ftp:// – Defines FTP protocol for the server connection. username – Defines the user name for the FTP connection. If the user name is omitted, then “anonymous” is the assumed user name for the connection.
  • Page 122 ftp://switches:upgrade@192.168.0.1/switches/opcode/ The user name is “switches” and the password is “upgrade”. The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the FTP root. WEB INTERFACE To configure automatic code upgrade: Click System, then File.
  • Page 123: Setting The System Clock

    | Basic Management Tasks | Setting the System Clock SETTING THE SYSTEM CLOCK Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 124: Setting The Sntp Polling Interval

    Figure 12: Manually Setting the System Clock SETTING THE SNTP POLLING INTERVAL Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI REFERENCES...
  • Page 125: Configuring Ntp

    Figure 13: Setting the Polling Interval for SNTP CONFIGURING NTP Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
  • Page 126: Configuring Time Servers

    Figure 14: Configuring NTP CONFIGURING TIME SERVERS Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
  • Page 127 Figure 15: Specifying SNTP Time Servers SPECIFYING NTP TIME SERVERS Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers. CLI REFERENCES "ntp server"...
  • Page 128 Figure 16: Adding an NTP Time Server To show the list of configured NTP time servers: Click System, then Time. Select Configure Time Server from the Step list. Select Show NTP Server from the Action list. Figure 17: Showing the NTP Time Server List SPECIFYING NTP AUTHENTICATION...
  • Page 129 WEB INTERFACE To add an entry to the NTP authentication key list: Click System, then Time. Select Configure Time Server from the Step list. Select Add NTP Authentication Key from the Action list. Enter the index number and MD5 authentication key string.
  • Page 130: Setting The Time Zone

    SETTING THE TIME ZONE Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 131: Configuring The Console Port

    | Basic Management Tasks | Configuring the Console Port CONFIGURING THE CONSOLE PORT Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 132 The password for the console connection can only be configured through the CLI (see "password" on page 738). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
  • Page 133: Configuring Telnet Settings

    | Basic Management Tasks | Configuring Telnet Settings CONFIGURING TELNET SETTINGS Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
  • Page 134: Displaying Cpu Utilization

    | Basic Management Tasks | Displaying CPU Utilization Password checking can be enabled or disabled for login to the console connection (see "login" on page 737). You can select authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts.
  • Page 135: Displaying Memory Utilization

    | Basic Management Tasks | Displaying Memory Utilization WEB INTERFACE To display CPU utilization: Click System, then CPU Utilization. Change the update interval if required. Note that the interval is changed as soon as a new setting is selected. Figure 23: Displaying CPU Utilization DISPLAYING MEMORY UTILIZATION...
  • Page 136: Resetting The System

    | Basic Management Tasks | Resetting the System WEB INTERFACE To display memory utilization: Click System, then Memory Status. Figure 24: Displaying Memory Utilization RESETTING THE SYSTEM Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI REFERENCES "reload (Privileged Exec)"...
  • Page 137 System Reload Configuration Reset Mode – Restarts the switch immediately or at the specified time(s). Immediately – Restarts the system immediately. In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.) hours –...
  • Page 138 WEB INTERFACE To restart the switch: Click System, then Reset. Select the required reset mode. For any option other than to reset immediately, fill in the required parameters. Click Apply. When prompted, confirm that you want to reset the switch. Figure 25: Restarting the Switch (Immediately) Figure 26: Restarting the Switch (In)...
  • Page 139 Figure 27: Restarting the Switch (At) Figure 28: Restarting the Switch (Regularly)...
  • Page 140: Interface Configuration

    INTERFACE CONFIGURATION This chapter describes the following topics: Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
  • Page 141 | Interface Configuration | Port Configuration COMMAND USAGE Auto-negotiation must be disabled before you can configure or force a Gigabit RJ-45 interface to use the Speed/Duplex mode or Flow Control options. When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities.
  • Page 142 Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
  • Page 143: Configuring By Port Range

    Click Apply. Figure 29: Configuring Connections by Port List CONFIGURING BY PORT RANGE Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 144: Displaying Connection Status

    Figure 30: Configuring Connections by Port Range DISPLAYING CONNECTION STATUS Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI REFERENCES "show interfaces status"...
  • Page 145: Configuring Local Port Mirroring

    WEB INTERFACE To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 31: Displaying Port Information CONFIGURING LOCAL PORT MIRRORING Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
  • Page 146 MAC Address Mirroring" on page 226), the target port cannot be set to the same target port as that used for port mirroring by this command. When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring.
  • Page 147: Configuring Remote Port Mirroring

    To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 34: Displaying Local Port Mirror Sessions CONFIGURING REMOTE PORT MIRRORING Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
  • Page 148 COMMAND USAGE Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in "Configuring Local Port Mirroring" on page 150), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
  • Page 149 IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
  • Page 150 dynamically add port members to an RSPAN VLAN. Also, note that the VLAN > Static (Show) page will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. Type –...
  • Page 151: Showing Port Or Trunk Statistics

    Figure 37: Configuring Remote Port Mirroring (Intermediate) Figure 38: Configuring Remote Port Mirroring (Destination) SHOWING PORT OR TRUNK STATISTICS Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the...
  • Page 152: Table 7: Port Statistics

    PARAMETERS These parameters are displayed: Table 7: Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface, including framing characters. Transmitted Octets The total number of octets transmitted out of the interface, including framing characters.
  • Page 153 Table 7: Port Statistics (Continued) Parameter Description Frames Too Long A count of frames received on a particular interface that exceed the maximum permitted frame size. Alignment Errors The number of alignment errors (missynchronized data packets). FCS Errors A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
  • Page 154 Table 7: Port Statistics (Continued) Parameter Description Utilization Statistics Input Octets in kbits per second Number of octets entering this interface in kbits/second. Input Packets per second Number of packets entering this interface per second. Input Utilization The input utilization rate for this interface.
  • Page 155: Performing Cable Diagnostics

    To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
  • Page 156 CLI REFERENCES "Interface Commands" on page 961 COMMAND USAGE Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse. Cable diagnostics can only be performed on twisted-pair media.
  • Page 157: Trunk Configuration

    | Interface Configuration | Trunk Configuration WEB INTERFACE To test the cable attached to a port: Click Interface, Port, Cable Test. Click Test for any port to start the cable test. Figure 41: Performing Cable Tests TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
  • Page 158: Configuring A Static Trunk

    COMMAND USAGE Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
  • Page 159 COMMAND USAGE When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 160 To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member. Click Apply.
  • Page 161: Configuring A Dynamic Trunk

    To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 46: Showing Information for Static Trunks CONFIGURING A DYNAMIC TRUNK Use the Interface > Trunk > Dynamic pages to set the administrative key for an aggregation group, enable LACP on a port, configure protocol...
  • Page 162 All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured).
  • Page 163 Configure Aggregation Port - Actor/Partner Port – Port number. (Range: 1-28/52) Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default –...
  • Page 164 WEB INTERFACE To configure the admin key for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Aggregator from the Step list. Set the Admin Key and timeout mode for the required LACP group. Click Apply. Figure 48: Configuring the LACP Aggregator Admin Key To enable LACP for a port: Click Interface, Trunk, Dynamic.
  • Page 165 To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply. Figure 50: Configuring LACP Parameters on a Port To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 166 To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Configure from the Action List. Modify the required interface settings. (See "Configuring by Port List" on page 145 for a description of the interface settings.) Click Apply.
  • Page 167: Displaying Lacp Port Counters

    Displaying LACP Port Counters: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI References: "show lacp" on page 990. Parameters: These parameters are displayed: Table 8: LACP Port Counters...
  • Page 168: Displaying Lacp Settings And Status For The Local Side

    Figure 54: Displaying LACP Port Counters. Displaying LACP Settings and Status for the Local Side: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI References...
  • Page 169 Table 9: LACP Internal Configuration Information (Continued). Parameter – Description. Admin State, Oper State (continued): Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
  • Page 170: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation. CLI References...
  • Page 171: Saving Power

    Figure 56: Displaying LACP Port Remote Information. Saving Power: Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI References: "power-save" on page 978; "show power-save" on page 979. Command Usage: IEEE 802.3 defines the Ethernet standard and subsequent power...
  • Page 172 ...is detected, the switch immediately turns on both the transmitter and receiver functions, and powers up the MAC interface. Power saving when there is a link partner: Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though the average network cable length is shorter.
  • Page 173: Sampling Traffic Flows

    Figure 57: Enabling Power Savings. Sampling Traffic Flows: The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
  • Page 174: Configuring Sflow Global Settings

    Configuring sFlow Global Settings: Use the Interface > sFlow (Configure Global) page to enable sFlow globally for the switch. CLI References: "sflow" on page 803. Parameters: These parameters are displayed in the web interface: sFlow Global Status –...
  • Page 175 Receiver IP Address – IP address of the sFlow Collector. Receiver Port – The UDP port on which the sFlow Collector is listening for sFlow streams. (Range: 0-65534; Default: 6343) Timeout – The time that the sFlow process will continuously send samples to the Collector before resetting all sFlow port parameters.
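    The sFlow stream the switch sends to the Receiver IP Address and UDP Receiver Port is plain, unauthenticated UDP, so the collector side has to validate what it accepts. The following is an added example (not code from the manual or from Digisol) that decodes the sFlow version 5 datagram header, walks the sample records by type and length, and applies an agent allow-list before trusting a datagram. The datagram bytes are constructed in the block for testing; the agent address 192.0.2.10 and the collector check are assumptions, not values from the manual.

```python
import ipaddress
import struct
from typing import Optional

SFLOW_VERSION = 5
SFLOW_DEFAULT_PORT = 6343          # default Receiver Port given in the manual
# Sample record type = (enterprise << 12) | format; enterprise 0 is standard sFlow
STANDARD_SAMPLE_FORMATS = {1: "flow_sample", 2: "counter_sample",
                           3: "expanded_flow_sample", 4: "expanded_counter_sample"}


def parse_sflow_datagram(data: bytes) -> dict:
    """Decode the sFlow v5 datagram header and walk the sample records.

    Sample bodies are not decoded; each record is reported by type and length so
    a collector can reject malformed datagrams before spending time on them.
    """
    if len(data) < 8:
        raise ValueError("datagram shorter than the fixed header")
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_VERSION:
        raise ValueError(f"unsupported sFlow version {version}")
    off = 8
    if addr_type == 1:                                  # IPv4 agent address
        agent = str(ipaddress.IPv4Address(data[off:off + 4]))
        off += 4
    elif addr_type == 2:                                # IPv6 agent address
        agent = str(ipaddress.IPv6Address(data[off:off + 16]))
        off += 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    if len(data) < off + 16:
        raise ValueError("datagram truncated inside the header")
    sub_agent, seq, uptime_ms, n_samples = struct.unpack_from("!IIII", data, off)
    off += 16
    samples = []
    for _ in range(n_samples):
        if len(data) < off + 8:
            raise ValueError("truncated sample header")
        stype, slen = struct.unpack_from("!II", data, off)
        off += 8
        if len(data) < off + slen:
            raise ValueError("sample length exceeds datagram")
        enterprise, fmt = stype >> 12, stype & 0xFFF
        name = (STANDARD_SAMPLE_FORMATS.get(fmt, f"format_{fmt}") if enterprise == 0
                else f"vendor_{enterprise}_format_{fmt}")
        samples.append({"type": name, "length": slen})
        off += slen
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}


def accept_datagram(src_ip: str, data: bytes, known_agents: set) -> Optional[dict]:
    """Collector-side check (assumed policy): sFlow carries no authentication, so only
    trust datagrams whose UDP source and embedded agent address are both known
    switches. Returns the parsed datagram, or None when it should be discarded."""
    try:
        parsed = parse_sflow_datagram(data)
    except ValueError:
        return None
    if src_ip not in known_agents or parsed["agent"] not in known_agents:
        return None
    return parsed


def build_sample_datagram() -> bytes:
    """Constructed test datagram (not a real capture): IPv4 agent 192.0.2.10,
    sequence 42, one flow sample and one counter sample with placeholder bodies."""
    header = struct.pack("!II4sIIII", SFLOW_VERSION, 1,
                         ipaddress.IPv4Address("192.0.2.10").packed, 0, 42, 123456, 2)
    flow_sample = struct.pack("!II", 1, 12) + b"\x00" * 12
    counter_sample = struct.pack("!II", 2, 8) + b"\x00" * 8
    return header + flow_sample + counter_sample


if __name__ == "__main__":
    dgram = build_sample_datagram()
    print(parse_sflow_datagram(dgram))
    print(accept_datagram("192.0.2.10", dgram, {"192.0.2.10"}) is not None)   # trusted agent
    print(accept_datagram("198.51.100.7", dgram, {"192.0.2.10"}))             # spoofed source: None
```

    Because the switch resets its sFlow port parameters when the Timeout expires, a collector that stops receiving datagrams from a known agent should alert rather than silently show an empty graph.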
  • Page 176: Traffic Segmentation

    Figure 59: Configuring Interface Settings for Traffic Flow Sampling. Traffic Segmentation: If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 177 Blocking – Blocks traffic between uplink ports assigned to different sessions. Forwarding – Forwards traffic between uplink ports assigned to different sessions. Web Interface: To enable traffic segmentation: Click Interface, Traffic Segmentation. Select Configure Global from the Step list. Mark the Status check box, and set the required uplink-to-uplink mode.
  • Page 178: Configuring Uplink And Downlink Ports

    Configuring Uplink and Downlink Ports: Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 179 Interface – Displays a list of ports or trunks. Port – Port Identifier. (Range: 1-28/52) Trunk – Trunk Identifier. (Range: 1-16) Web Interface: To configure the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list.
  • Page 180: Vlan Trunking

    VLAN Trunking: Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI References: "vlan-trunking" on page 1114. Command Usage: Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
  • Page 181 Parameters: These parameters are displayed: Interface – Displays a list of ports or trunks. Port – Port Identifier. (Range: 1-28/52) Trunk – Trunk Identifier. (Range: 1-16) VLAN Trunking Status – Enables VLAN trunking on the selected interface.
  • Page 182: Vlan Configuration

    VLAN Configuration: This chapter includes the following topics: IEEE 802.1Q VLANs – Configures static and dynamic VLANs. IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 183: Ieee 802.1Q Vlans

    VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs also provide a degree of network segmentation, since traffic must pass through a configured Layer 3 link to reach a different VLAN; that isolation only holds if trunk ports, native VLANs and ingress filtering are configured so that a host cannot inject frames tagged for a VLAN it is not meant to reach.
  • Page 184 VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 185: Configuring Vlan Groups

    Figure 66: Using GVRP. (Figure: Port-based VLAN, Forwarding Tagged/Untagged Frames.) If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 186 Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 152). L3 Interface – Sets the interface to support Layer 3 configuration, and reserves memory space required to maintain additional information about this interface type.
  • Page 187 Figure 67: Creating Static VLANs. To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name, operational status, or Layer 3 Interface status as required.
  • Page 188: Adding Static Members To Vlans

    Adding Static Members to VLANs: Use the VLAN > Static pages to configure port members for the selected VLAN index, interface, or a range of interfaces. Use the menus for editing VLAN port members to configure the VLAN behavior for specific interfaces, including the mode of operation (Hybrid or 1Q Trunk), the default VLAN identifier (PVID), accepted frame types, and ingress filtering.
  • Page 189 Acceptable Frame Type – Sets the interface to accept all frame types, including tagged or untagged frames, or only tagged frames. When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
  • Page 190 Edit Member by Interface Range: All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below. Port Range – Displays a list of ports. (Range: 1-28/52) Trunk Range –...
  • Page 191 To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Action list. Select a port or trunk to configure. Modify the settings for any interface as required. Click Apply. Figure 71: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static.
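    The classification rules on pages 184 and 189 (untagged frames go to the PVID, tagged frames to the VID in the tag, a tagged-only port drops untagged frames, and ingress filtering drops frames for VLANs the port is not a member of) are easiest to check against concrete frames. The following is an added example (not code from the manual or from Digisol) that parses the 802.1Q tag from a raw Ethernet frame and applies those rules for a per-port configuration. The frames are constructed in the block; the handling of a priority-tagged frame (VID 0) as untagged follows IEEE 802.1Q and is not stated on this page.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

TPID_8021Q = 0x8100


@dataclass
class PortVlanConfig:
    """Per-port settings from the VLAN > Static (Edit Member) page."""
    pvid: int = 1                            # default VLAN for untagged frames
    acceptable_frame_types: str = "all"      # "all" or "tagged"
    ingress_filtering: bool = True
    members: set = field(default_factory=lambda: {1})   # VLANs this port belongs to


def parse_vlan_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (VID, priority) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF, tci >> 13


def classify_ingress(frame: bytes, port: PortVlanConfig) -> Tuple[Optional[int], str]:
    """Assign an ingress frame to a VLAN the way the manual describes:
    untagged -> PVID (or dropped on a tagged-only port), tagged -> the tag's VID,
    then ingress filtering drops frames for VLANs the port is not a member of."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        if port.acceptable_frame_types == "tagged":
            return None, "dropped: untagged frame on a tagged-only port"
        vid = port.pvid
    else:
        vid = tag[0]
        if vid == 0:          # priority-tagged frame (IEEE 802.1Q): treated as untagged
            vid = port.pvid
    if port.ingress_filtering and vid not in port.members:
        return None, f"dropped by ingress filtering: port is not a member of VLAN {vid}"
    return vid, "forwarded"


def build_frame(dst: str, src: str, vid: Optional[int] = None,
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet frame (test input, not a capture); MACs as 12 hex digits."""
    frame = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    access = PortVlanConfig(pvid=10, members={10})
    lax = PortVlanConfig(pvid=10, members={10}, ingress_filtering=False)
    untagged = build_frame("ffffffffffff", "0011223344aa")
    tagged_20 = build_frame("ffffffffffff", "0011223344aa", vid=20)
    print(classify_ingress(untagged, access))      # (10, 'forwarded')
    print(classify_ingress(tagged_20, access))     # dropped by ingress filtering
    print(classify_ingress(tagged_20, lax))        # (20, 'forwarded'): the host chose its own VLAN
```

    The last call is the case to watch for: with ingress filtering disabled, a host on an access port can send a frame tagged for a VLAN the port was never made a member of and have it forwarded.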
  • Page 192: Configuring Dynamic Vlan Registration

    Figure 72: Configuring Static VLAN Members by Interface Range. Configuring Dynamic VLAN Registration: Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
  • Page 193 GVRP Timers – Timer settings must follow this rule: 2 x (join timer) < leave timer < leaveAll timer. Join – The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20) Leave –...
  • Page 194 Figure 73: Configuring Global Status of GVRP. To configure GVRP status and timers on a port or trunk: Click VLAN, Dynamic. Select Configure Interface from the Step list. Set the Interface type to display as Port or Trunk. Modify the GVRP status or timers for any interface.
  • Page 195: Ieee 802.1Q Tunneling

    Figure 75: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN Members from the Action list. Figure 76: Showing the Members of a Dynamic VLAN. IEEE 802.1Q Tunneling...
  • Page 196 ...provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging). A port configured to support QinQ tunneling must be set to tunnel port mode.
  • Page 197 The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ tunnel port are processed in the following manner: An SPVLAN tag is added to all outbound packets on the SPVLAN interface, no matter how many tags they already have.
  • Page 198 If the ether-type of an incoming packet (single or double tagged) is equal to the TPID of the uplink port, no new VLAN tag is added. If the uplink port is not a member of the outer VLAN of the incoming packets, the packet will be dropped when ingress filtering is enabled.
  • Page 199: Enabling Qinq Tunneling On The Switch

    General Configuration Guidelines for QinQ: Enable Tunnel Status, and set the Tag Protocol Identifier (TPID) value of the tunnel access port (in the Ethernet Type field). This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 200: Creating Cvlan To Spvlan Mapping Entries

    ...the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port. The specified ethertype only applies to ports configured in Uplink mode (see "Adding an Interface to a QinQ Tunnel"...
  • Page 201 ...based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel. Rather than relying on standard service paths and priority queuing, QinQ VLAN mapping can be used to further enhance service by defining a set of differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
  • Page 202: Adding An Interface To A Qinq Tunnel

    To show the mapping table: Click VLAN, Tunnel. Select Configure Service from the Step list. Select Show from the Action list. Select an interface from the Port list. Figure 80: Showing CVLAN to SPVLAN Mapping Entries. The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
  • Page 203 Parameters: These parameters are displayed: Interface – Displays a list of ports or trunks. Port – Port Identifier. (Range: 1-28/52) Trunk – Trunk Identifier. (Range: 1-16) Mode – Sets the VLAN membership mode of the port. None –...
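    The tunnel processing described on pages 197 to 202 comes down to two port behaviours: a tunnel access port pushes a service tag on every frame (choosing the SPVLAN from the CVLAN-to-SPVLAN table when a mapping exists), and an uplink port keeps an existing tag only when the frame's ethertype equals the port's configured TPID, treating anything else as untagged. The following is an added example (not code from the manual or from Digisol) that performs both operations on raw frames, using the manual's CVID 2 to SVID 99 mapping. The customer frame, the service TPID 0x88A8 and the fallback SPVLAN 100 are assumptions for the test, not values from the manual.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100     # standard customer tag ethertype
TPID_8021AD = 0x88A8    # service tag ethertype assumed for the uplink in this example


def tunnel_access_ingress(frame: bytes, access_tpid: int, port_spvid: int,
                          cvlan_to_spvlan: Dict[int, int],
                          uplink_tpid: int = TPID_8021AD) -> bytes:
    """Tunnel access port: push a service tag (SPVLAN) on every frame, however many
    tags it already carries. The CVID is read only to select the SPVLAN from the
    selective mapping table; without a mapping the port's own SPVLAN is used.
    Only frames whose ethertype equals the access port's TPID count as customer-tagged."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    cvid = None
    if ethertype == access_tpid and len(frame) >= 16:
        cvid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    spvid = cvlan_to_spvlan.get(cvid, port_spvid)
    return frame[:12] + struct.pack("!HH", uplink_tpid, spvid & 0x0FFF) + frame[12:]


def uplink_ingress(frame: bytes, uplink_tpid: int, native_vid: int, members: set,
                   ingress_filtering: bool = True) -> Tuple[Optional[int], str]:
    """Uplink port: a frame whose ethertype equals the port TPID is already service-tagged
    and gets no new tag; any other ethertype counts as untagged and goes to the native VLAN."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != uplink_tpid or len(frame) < 16:
        return native_vid, "treated as untagged: assigned to native VLAN"
    outer_vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    if ingress_filtering and outer_vid not in members:
        return None, f"dropped: uplink is not a member of outer VLAN {outer_vid}"
    return outer_vid, "accepted: existing service tag kept"


def customer_frame(cvid: Optional[int], tpid: int = TPID_8021Q) -> bytes:
    """Constructed customer frame (test input, not a capture)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0011223344aa")
    if cvid is not None:
        hdr += struct.pack("!HH", tpid, cvid)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    # Mapping from the manual's example: CVID 2 -> SVID 99; other customer VLANs use SPVLAN 100
    out = tunnel_access_ingress(customer_frame(2), TPID_8021Q, 100, {2: 99})
    print(out[12:20].hex())   # 88a8 0063 8100 0002: outer SVID 99, inner CVID 2 preserved
    print(uplink_ingress(out, TPID_8021AD, native_vid=1, members={99, 100}))
    print(uplink_ingress(customer_frame(2), TPID_8021AD, native_vid=1, members={99, 100}))
```

    The last call shows why the uplink TPID matters: a plain 0x8100-tagged frame arriving on an 0x88A8 uplink is not recognised as service-tagged and lands in the native VLAN, so a customer frame that reaches the uplink without going through a tunnel access port cannot pick its own service VLAN.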
  • Page 204: Protocol Vlans

    Protocol VLANs: The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 205 Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN (VLAN 1) that has been configured with the switch's administrative IP. IP Protocol Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch.
  • Page 206: Mapping Protocol Groups To Interfaces

    Figure 83: Displaying Protocol VLANs. Mapping Protocol Groups to Interfaces: Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
  • Page 207 VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4093) Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority) Web Interface: To map a protocol group to a VLAN for a port or trunk: Click VLAN, Protocol.
  • Page 208: Configuring Ip Subnet Vlans

    Figure 85: Showing the Interface to Protocol Group Mapping. Configuring IP Subnet VLANs: Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 209 Parameters: These parameters are displayed: IP Address – The IP address for a subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Subnet Mask – This mask identifies the host address bits of the IP subnet.
  • Page 210: Configuring Mac-Based Vlans

    Figure 87: Showing IP Subnet VLANs. Configuring MAC-based VLANs: Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 211 Web Interface: To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list. Enter an address in the MAC Address field. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
  • Page 212: Configuring Vlan Mirroring

    Configuring VLAN Mirroring: Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 213: Configuring Vlan Translation

    Web Interface: To configure VLAN mirroring: Click VLAN, Mirror. Select Add from the Action list. Select the source VLAN, and select a target port. Click Apply. Figure 90: Configuring VLAN Mirroring. To show the VLANs to be mirrored: Click VLAN, Mirror.
  • Page 214 ...support this feature, then the switches directly connected to that device can be configured to swap the customer’s VLAN ID with the service provider’s VLAN ID for upstream traffic, or the service provider’s VLAN ID with the customer’s VLAN ID for downstream traffic.
  • Page 215 Figure 93: Configuring VLAN Translation. To show the mapping entries for VLAN translation: Click VLAN, Translation. Select Show from the Action list. Select a port, and enter the original and new VLAN IDs. Figure 94: Showing the Entries for VLAN Translation.
  • Page 216: Address Table Settings

    Address Table Settings: Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 217 Setting Static Addresses: Parameters: These parameters are displayed: VLAN – ID of configured VLAN. (Range: 1-4093) Interface – Port or trunk associated with the device assigned a static address. MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 218: Changing The Aging Time

    Figure 96: Displaying Static MAC Addresses. Changing the Aging Time: Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
  • Page 219: Displaying The Dynamic Address Table

    Displaying the Dynamic Address Table: Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 220: Clearing The Dynamic Address Table

    Figure 98: Displaying the Dynamic MAC Address Table. Clearing the Dynamic Address Table: Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. CLI References: "clear mac-address-table dynamic"...
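    Pages 216 to 220 describe the forwarding database as two tables: static entries bound to a port, and dynamic entries learned from source addresses and aged out after the aging time. The following is an added example (not code from the manual or from Digisol) that models that database, accepts both MAC formats the manual allows, and reports when a frame carries a statically bound source address on a different port, which is the behaviour an operator pins a management host's address for. The aging default of 300 seconds and the port numbers are assumptions for the test, not values from the manual.

```python
import re
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$|^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Accept the two forms the manual allows (xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx)
    and return the dashed lower-case form."""
    t = text.strip().lower()
    if not MAC_RE.match(t):
        raise ValueError(f"not a MAC address in the manual's formats: {text!r}")
    digits = t.replace("-", "")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAddressTable:
    """Forwarding database with static (port-bound) and dynamic (aged) entries.
    Keyed by (VLAN, MAC) because one MAC may legitimately appear in several VLANs."""

    def __init__(self, aging_time: int = 300):      # 300 s is an assumed default
        self.aging_time = aging_time
        self.static: Dict[Tuple[int, str], int] = {}
        self.dynamic: Dict[Tuple[int, str], Tuple[int, float]] = {}   # -> (port, last_seen)

    def add_static(self, vlan: int, mac: str, port: int) -> None:
        key = (vlan, normalize_mac(mac))
        self.static[key] = port
        self.dynamic.pop(key, None)

    def learn(self, vlan: int, src_mac: str, port: int, now: float) -> str:
        """Called for each ingress frame; returns what happened so a caller can alert."""
        key = (vlan, normalize_mac(src_mac))
        if key in self.static:
            # a static binding is never overwritten: the same MAC arriving on another
            # port is the signature of MAC spoofing (or a mis-patched cable)
            return "static" if self.static[key] == port else f"static-violation from port {port}"
        old = self.dynamic.get(key)
        self.dynamic[key] = (port, now)
        if old is None:
            return "learned"
        return "refreshed" if old[0] == port else f"moved from port {old[0]}"

    def lookup(self, vlan: int, dst_mac: str, now: float) -> Optional[int]:
        """Port to forward to, or None when the frame must be flooded in the VLAN."""
        key = (vlan, normalize_mac(dst_mac))
        if key in self.static:
            return self.static[key]
        entry = self.dynamic.get(key)
        if entry is None or now - entry[1] >= self.aging_time:
            return None
        return entry[0]

    def age_out(self, now: float) -> List[Tuple[int, str]]:
        """Remove dynamic entries idle for the aging time; returns the removed keys."""
        expired = [k for k, (_, seen) in self.dynamic.items() if now - seen >= self.aging_time]
        for k in expired:
            del self.dynamic[k]
        return expired

    def clear_dynamic(self) -> int:
        """Equivalent of the Clear Dynamic MAC page; static entries are kept."""
        n = len(self.dynamic)
        self.dynamic.clear()
        return n


if __name__ == "__main__":
    fdb = MacAddressTable(aging_time=300)
    fdb.add_static(1, "00-11-22-33-44-55", port=3)           # management host pinned to port 3
    print(fdb.learn(1, "001122334455", port=7, now=0))        # static-violation from port 7
    print(fdb.learn(1, "00-aa-bb-cc-dd-ee", port=5, now=0))   # learned
    print(fdb.lookup(1, "00-aa-bb-cc-dd-ee", now=299))        # 5
    print(fdb.age_out(now=300), fdb.lookup(1, "00-aa-bb-cc-dd-ee", now=300))   # aged: flood
```

    A "moved" result for a dynamic entry is normal when a host is re-patched, but a steady stream of moves for one address between two ports is worth alerting on, since that is what a second device claiming the same MAC looks like from the switch.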
  • Page 221: Configuring Mac Address Mirroring

    Figure 99: Clearing Entries in the Dynamic MAC Address Table. Configuring MAC Address Mirroring: Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis.
  • Page 222 Target Port – The port that will mirror the traffic from the source port. (Range: 1-28/52) Web Interface: To mirror packets based on a MAC address: Click MAC Address, Mirror. Select Add from the Action list. Specify the source MAC address and destination port.
  • Page 223 Spanning Tree Algorithm: This chapter describes the following basic topics: Loopback Detection – Configures detection and response to loopback BPDUs. Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
  • Page 224 Overview: ...lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 102: STP Root Ports and Designated Ports. Designated Root...
  • Page 225: Spanning Tree Algorithm

    Figure 103: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree (Region R; MST 1 for this Region; MST 2). An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 226: Configuring Loopback Detection

    Configuring Loopback Detection: Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 227 Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds; Default: 60 seconds) If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.
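    The loopback detection behaviour on pages 226 and 227 (a port that receives its own BPDU drops it, raises a trap and goes to discarding, then is released either automatically after the Shutdown Interval or manually) is shown below as an added example that is not code from the manual or from Digisol. The block parses an 802.1D/802.1w configuration BPDU so the bridge ID can be compared with the switch's own, and models the release timer. The BPDUs, bridge IDs and port names are constructed for the test; comparing on the bridge ID is this example's way of recognising "its own BPDU", and the trap list stands in for the SNMP sender.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

BPDU_TYPE_CONFIG, BPDU_TYPE_RSTP, BPDU_TYPE_TCN = 0x00, 0x02, 0x80


def make_bridge_id(priority: int, mac: str) -> int:
    """Bridge ID = 2-byte priority field (priority plus system ID extension) + 6-byte MAC."""
    return (priority << 48) | int(mac.replace("-", "").replace(":", ""), 16)


def parse_bpdu(payload: bytes) -> dict:
    """Parse an 802.1D/802.1w BPDU (LLC header 42-42-03 already stripped).
    Times are 1/256 s units on the wire and are returned in seconds."""
    proto, version, btype = struct.unpack_from("!HBB", payload, 0)
    if proto != 0:
        raise ValueError("not a spanning-tree BPDU")
    if btype == BPDU_TYPE_TCN:
        return {"type": "tcn"}
    if btype not in (BPDU_TYPE_CONFIG, BPDU_TYPE_RSTP) or len(payload) < 35:
        raise ValueError("unknown or truncated BPDU")
    flags, root_id, root_cost, bridge_id, port_id, age, max_age, hello, fwd = \
        struct.unpack_from("!BQIQHHHHH", payload, 4)
    return {"type": "rstp" if btype == BPDU_TYPE_RSTP else "config", "version": version,
            "flags": flags, "root_id": root_id, "root_path_cost": root_cost,
            "bridge_id": bridge_id, "port_id": port_id, "message_age": age / 256,
            "max_age": max_age / 256, "hello_time": hello / 256, "forward_delay": fwd / 256}


def build_config_bpdu(root_id: int, bridge_id: int, port_id: int = 0x8001,
                      root_cost: int = 0) -> bytes:
    """Constructed config BPDU for testing (not a capture); timers 20/2/15 s."""
    return struct.pack("!HBB", 0, 0, BPDU_TYPE_CONFIG) + struct.pack(
        "!BQIQHHHHH", 0, root_id, root_cost, bridge_id, port_id, 0, 20 * 256, 2 * 256, 15 * 256)


@dataclass
class LoopbackPort:
    name: str
    state: str = "forwarding"
    shut_at: Optional[float] = None


class LoopbackDetector:
    """A port that receives a BPDU carrying this switch's own bridge ID drops it, raises
    a trap and goes to discarding. Release is automatic after the shutdown interval
    (60-86400 s, default 60) or manual, as on the Loopback Detection page."""

    def __init__(self, own_bridge_id: int, shutdown_interval: int = 60, release_mode: str = "auto"):
        if not 60 <= shutdown_interval <= 86400:
            raise ValueError("shutdown interval must be 60-86400 seconds")
        if release_mode not in ("auto", "manual"):
            raise ValueError("release mode must be auto or manual")
        self.own_bridge_id = own_bridge_id
        self.shutdown_interval = shutdown_interval
        self.release_mode = release_mode
        self.traps: List[Tuple[str, float]] = []     # stand-in for the SNMP trap sender

    def on_bpdu(self, port: LoopbackPort, payload: bytes, now: float) -> str:
        bpdu = parse_bpdu(payload)
        if bpdu["type"] == "tcn" or bpdu["bridge_id"] != self.own_bridge_id:
            return "accepted"
        port.state, port.shut_at = "discarding", now
        self.traps.append((port.name, now))
        return "loopback: BPDU dropped, trap sent, port discarding"

    def tick(self, port: LoopbackPort, now: float) -> str:
        """Periodic check: auto-release once the shutdown interval has elapsed."""
        if (port.state == "discarding" and self.release_mode == "auto"
                and port.shut_at is not None and now - port.shut_at >= self.shutdown_interval):
            port.state, port.shut_at = "forwarding", None
        return port.state

    def manual_release(self, port: LoopbackPort) -> str:
        port.state, port.shut_at = "forwarding", None
        return port.state


if __name__ == "__main__":
    me = make_bridge_id(32768, "00-11-22-33-44-55")
    det = LoopbackDetector(me, shutdown_interval=60)
    p = LoopbackPort("port 7")
    print(det.on_bpdu(p, build_config_bpdu(me, me), now=0))   # our own BPDU came back
    print(det.tick(p, 59), det.tick(p, 60))                     # discarding, then forwarding
```

    With release mode "Auto" and the default 60-second interval a persistent loop will re-trip the port every minute, which shows up as a trap every 60 seconds; "Manual" release keeps the port down until an operator has found the loop.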
  • Page 228: Configuring Global Settings For Sta

    Configuring Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. CLI References: "Spanning Tree Commands"...
  • Page 229 Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Parameters: These parameters are displayed: Basic Configuration of Global Settings...
  • Page 230 Advanced Configuration Settings: The following attributes are based on RSTP, but also apply to STP since the switch uses a backwards-compatible subset of RSTP to implement STP, and also apply to MSTP which is based on RSTP according to the standard: Path Cost Method –...
  • Page 231 RSTP does not depend on the forward delay timer in most cases. The port can transition to the forwarding state without having to rely on any timer configuration. To achieve fast convergence, RSTP relies on the use of edge ports, and automatic detection of point-to-point link types, both of which allow a port to directly transition to the forwarding state.
  • Page 232 Figure 106: Configuring Global Settings for STA (STP). Figure 107: Configuring Global Settings for STA (RSTP).
  • Page 233: Displaying Global Settings For Sta

    Figure 108: Configuring Global Settings for STA (MSTP). Displaying Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 234: Configuring Interface Settings For Sta

    Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 235: Table 12: Recommended Sta Path Cost Range

    CLI References: "Spanning Tree Commands" on page 1041. Parameters: These parameters are displayed: Interface – Displays a list of ports or trunks. Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled...
  • Page 236: Table 13: Default Sta Path Costs

    Table 13: Default STA Path Costs
    Port Type           Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (802.1D-2004)
    Ethernet            65,535                               1,000,000
    Fast Ethernet       65,535                               100,000
    Gigabit Ethernet    10,000                               10,000
    10G Ethernet        1,000                                1,000
    Admin Link Type –...
  • Page 237 An interface cannot function as an edge port under the following conditions: If spanning tree mode is set to STP (page 234), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  • Page 238: Displaying Interface Settings For Sta

    Figure 110: Configuring Interface Settings for STA. Displaying Interface Settings for STA: Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 239 The rules defining port status are: A port on a network segment with no other STA compliant bridging device is always forwarding. If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
  • Page 240 Figure 111: STA Port Roles (R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port). An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 241: Configuring Multiple Spanning Trees

    Configuring Multiple Spanning Trees: Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: "Spanning Tree Commands" on page 1041. Command Usage: MSTP generates a unique spanning tree for each instance.
  • Page 242 Web Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 243 To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
  • Page 244 To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 245: Configuring Interface Settings For Mstp

    Configuring Interface Settings for MSTP: Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI References: "Spanning Tree Commands" on page 1041. Parameters: These parameters are displayed: MST ID –...
  • Page 246 The recommended range is listed in Table 12 on page 241. The default path costs are listed in Table 13 on page 242. Web Interface: To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP.
  • Page 247: Congestion Control

    Congestion Control: The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 248: Storm Control

    Rate – Sets the rate limit level. (Range: 64 - 1,000,000 kbits per second for Gigabit Ethernet ports; 64 - 10,000,000 kbits per second for 10 Gigabit Ethernet ports) Web Interface: To configure rate limits: Click Traffic, Rate Limit.
  • Page 249 When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. Traffic storms can be controlled at the hardware level using Storm Control or at the software level using Automatic Traffic Control which...
  • Page 250 Web Interface: To configure broadcast storm control: Click Traffic, Storm Control. Set the interface type to Port or Trunk. Set the Status field to enable or disable storm control. Set the required threshold beyond which the switch will start dropping packets.
  • Page 251: Automatic Traffic Control

    Automatic Traffic Control: Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. CLI References: "Automatic Traffic Control Commands"...
  • Page 252: Setting The Atc Timers

    The traffic control response of rate limiting can be released automatically or manually. The control response of shutting down a port can only be released manually. Figure 124: Storm Control by Shutting Down a Port. The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided.
  • Page 253 ...been shut down by a control response, it must be manually re-enabled using the Manual Control Release (see page 259). Parameters: These parameters are displayed in the web interface: Broadcast Apply Timer – The interval after the upper threshold has been exceeded at which to apply the control response to broadcast storms.
  • Page 254: Configuring Atc Thresholds And Responses

    | Congestion Control HAPTER Automatic Traffic Control Use the Traffic > Auto Traffic Control (Configure Interface) page to set the ONFIGURING storm control mode (broadcast or multicast), the traffic thresholds, the HRESHOLDS AND control response, to automatically release a response of rate limiting, or to ESPONSES send related SNMP trap messages.
  • Page 255 | Congestion Control HAPTER Automatic Traffic Control Once the traffic rate exceeds the upper threshold and the Apply Timer expires, a trap message will be sent if configured by the Trap Storm Fire attribute. Alarm Clear Threshold – The lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer expires, if so configured by the Auto Release Control attribute.
  • Page 256 | Congestion Control HAPTER Automatic Traffic Control Figure 126: Configuring ATC Interface Attributes – 262 –...
  • Page 257: Class of Service

    Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 258: Layer 2 Queue Settings

    | Class of Service, Layer 2 Queue Settings: frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
  • Page 259 | Class of Service, Layer 2 Queue Settings: Command Usage: Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. WRR queuing specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
  • Page 260 | Class of Service, Layer 2 Queue Settings: weighted service for the remaining queues. Use this parameter to specify the queues assigned to use strict priority. (Default: Disabled) Weight – Sets a weight for each queue which is used by the WRR scheduler.
  • Page 261: Mapping CoS Values to Egress Queues

    | Class of Service, Layer 2 Queue Settings: Figure 130: Setting the Queue Mode (Strict and WRR). Mapping CoS Values to Egress Queues: Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are...
  • Page 262: Table 16: Mapping Internal Per-Hop Behavior to Hardware Queues

    | Class of Service, Layer 2 Queue Settings: Table 15: CoS Priority Levels (Continued), listing Priority Level and Traffic Type: Controlled Load; Video, less than 100 milliseconds latency and jitter; Voice, less than 10 milliseconds latency and jitter; Network Control. CLI References: "qos map phb-queue"...
  • Page 263 | Class of Service, Layer 2 Queue Settings: Figure 131: Mapping CoS Values to Egress Queues. To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Select an interface. Figure 132: Showing CoS Values to Egress Queue Mapping –...
  • Page 264: Layer 3/4 Priority Settings

    | Class of Service, Layer 3/4 Priority Settings: Mapping Layer 3/4 Priorities to CoS Values: The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
  • Page 265 | Class of Service, Layer 3/4 Priority Settings: Parameters: These parameters are displayed: Port – Port identifier. (Range: 1-28/52) Trust Mode: CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.) DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values.
  • Page 266: Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values

    | Class of Service, Layer 3/4 Priority Settings: This map is only used when the priority mapping mode is set to DSCP (see page 270), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
  • Page 267 | Class of Service, Layer 3/4 Priority Settings: Set the PHB and drop precedence for any DSCP value. Click Apply. Figure 134: Configuring DSCP to DSCP Internal Mapping. To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list.
  • Page 268 | Class of Service, Layer 3/4 Priority Settings: Mapping CoS Priorities to Internal DSCP Values: Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. CLI R...
  • Page 269: Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence

    | Class of Service, Layer 3/4 Priority Settings: Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence, listing (PHB, drop precedence) pairs: (0,0) (0,0) (1,0) (1,0) (2,0) (2,0) (3,0) (3,0) (4,0) (4,0) (5,0) (5,0) (6,0) (6,0) (7,0) (7,0). Web Interface: To map CoS/CFI values to internal PHB/drop precedence: Click Traffic, Priority, CoS to DSCP.
  • Page 270 | Class of Service, Layer 3/4 Priority Settings: To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Select a port. Figure 137: Showing CoS to DSCP Internal Mapping –...
  • Page 271: Quality of Service

    This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 272: Configuring a Class Map

    | Quality of Service, Configuring a Class Map: Command Usage: To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN, a CoS value, or a source port.
  • Page 273 | Quality of Service, Configuring a Class Map: Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: Class Name – Name of the class map. Type – The criteria specified by the match command. (This field is set on the Add page.) ACL –...
  • Page 274 | Quality of Service, Configuring a Class Map: To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 139: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 275: Creating QoS Policies

    | Quality of Service, Creating QoS Policies: To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 141: Showing the Rules for a Class Map. Creating QoS Policies: Use the Traffic >...
  • Page 276 | Quality of Service, Creating QoS Policies: Policing is based on a token bucket, where bucket depth (that is, the maximum burst before the bucket overflows) is specified by the “burst” field (BC), and the average rate at which tokens are removed from the bucket is specified by the “rate”...
  • Page 277 | Quality of Service, Creating QoS Policies: if Te(t) - B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented. When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: If the packet has been precolored as green and Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum...
  • Page 278 | Quality of Service, Creating QoS Policies: respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
  • Page 279 | Quality of Service, Creating QoS Policies: Add Rule: Policy Name – Name of policy map. Class Name – Name of a class map that defines a traffic classification upon which a policy can act. Action – This attribute is used to set an internal QoS value in hardware for matching packets.
  • Page 280 | Quality of Service, Creating QoS Policies: Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. Transmit – Transmits in-conformance traffic without any change to the DSCP service level. Violate –...
  • Page 281 | Quality of Service, Creating QoS Policies: Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced. Set IP DSCP – Decreases DSCP priority for out of conformance traffic.
  • Page 282 | Quality of Service, Creating QoS Policies: Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. Transmit – Transmits in-conformance traffic without any change to the DSCP service level. Exceed –...
  • Page 283 | Quality of Service, Creating QoS Policies: To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 143: Showing Policy Maps. To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 284 | Quality of Service, Creating QoS Policies: Figure 144: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 145: Showing the Rules for a Policy Map –...
  • Page 285: Attaching a Policy Map to a Port

    | Quality of Service, Attaching a Policy Map to a Port: Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port. CLI References: "Quality of Service Commands" on page 1163. Command Usage: First define a class map, define a policy map, and then bind the service...
  • Page 286 | Quality of Service, Attaching a Policy Map to a Port: Figure 146: Attaching a Policy Map to a Port – 292 –...
  • Page 287: VoIP Traffic Configuration

    This chapter covers the following topics: Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 288 | VoIP Traffic Configuration, Configuring VoIP Traffic: CLI References: "Configuring Voice VLANs" on page 1142. Command Usage: All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...
  • Page 289: Configuring Telephony OUI

    | VoIP Traffic Configuration, Configuring Telephony OUI: Figure 147: Configuring a Voice VLAN. VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses.
  • Page 290: Configuring VoIP Traffic Ports

    | VoIP Traffic Configuration, Configuring VoIP Traffic Ports: Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices. Click Apply. Figure 148: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP.
  • Page 291 | VoIP Traffic Configuration, Configuring VoIP Traffic Ports: Command Usage: All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...
  • Page 292 | VoIP Traffic Configuration, Configuring VoIP Traffic Ports: time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and the voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from the voice VLAN when VoIP traffic is no longer received on the port.
  • Page 293: Security Measures

    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 294: AAA (Authentication, Authorization and Accounting)

    | Security Measures, AAA (Authentication, Authorization and Accounting): DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 295: Configuring Local/Remote Logon Authentication

    | Security Measures, AAA (Authentication, Authorization and Accounting): Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
  • Page 296: Configuring Remote Logon Authentication Servers

    | Security Measures, AAA (Authentication, Authorization and Accounting): [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Web Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods).
  • Page 297 | Security Measures, AAA (Authentication, Authorization and Accounting): CLI References: "RADIUS Client" on page 818; "TACACS+ Client" on page 822; "AAA" on page 826. Command Usage: If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
  • Page 298 | Security Measures, AAA (Authentication, Authorization and Accounting): Set Key – Mark this box to set or modify the encryption key. Authentication Key – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) Confirm Authentication Key –...
  • Page 299 | Security Measures, AAA (Authentication, Authorization and Accounting): When specifying the priority sequence for a server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 301). Web Interface: To configure the parameters for RADIUS or TACACS+ authentication: Click Security, AAA, Server.
  • Page 300 | Security Measures, AAA (Authentication, Authorization and Accounting): Figure 154: Configuring Remote Authentication Server (TACACS+). To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list.
  • Page 301: Configuring AAA Accounting

    | Security Measures, AAA (Authentication, Authorization and Accounting): To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 156: Showing AAA Server Groups. Use the Security >...
  • Page 302 | Security Measures, AAA (Authentication, Authorization and Accounting): Exec – Administrative accounting for local console, Telnet, or SSH connections. Privilege Level – The CLI privilege levels (0-15). This parameter only applies to Command accounting. Method Name – Specifies an accounting method for service requests. The “default”...
  • Page 303 | Security Measures, AAA (Authentication, Authorization and Accounting): Show Information – Summary: Accounting Type - Displays the accounting service. Method Name - Displays the user-defined or default accounting method. Server Group Name - Displays the accounting server group. Interface - Displays the port, console or Telnet interface to which these rules apply.
  • Page 304 | Security Measures, AAA (Authentication, Authorization and Accounting): Select the accounting type (802.1X, Command, Exec). Specify the name of the accounting method and server group name. Click Apply. Figure 158: Configuring AAA Accounting Methods. To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting.
  • Page 305 | Security Measures, AAA (Authentication, Authorization and Accounting): To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list. Select the accounting type (802.1X, Command, Exec).
  • Page 306 | Security Measures, AAA (Authentication, Authorization and Accounting): Figure 162: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
  • Page 307: Configuring AAA Authorization

    | Security Measures, AAA (Authentication, Authorization and Accounting): Figure 164: Displaying Statistics for AAA Accounting Sessions. Configuring AAA Authorization: Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces.
  • Page 308 | Security Measures, AAA (Authentication, Authorization and Accounting): Console Method Name – Specifies a user defined method name to apply to console connections. VTY Method Name – Specifies a user defined method name to apply to Telnet connections. Show Information: Authorization Type - Displays the authorization service.
  • Page 309 | Security Measures, AAA (Authentication, Authorization and Accounting): Figure 166: Showing AAA Authorization Methods. To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply.
  • Page 310: Configuring User Accounts

    | Security Measures, Configuring User Accounts: Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: "User Accounts and Privilege Levels" on page 812. Command Usage: The default guest name is “guest”...
  • Page 311 | Security Measures, Configuring User Accounts: Web Interface: To configure user accounts: Click Security, User Accounts. Select Add from the Action list. Specify a user name, select the user's access level, then enter a password if required and confirm it. Click Apply.
  • Page 312: Web Authentication

    | Security Measures, Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.
  • Page 313: Configuring Global Settings for Web Authentication

    | Security Measures, Web Authentication: Web Interface: To configure global parameters for web authentication: Click Security, Web Authentication. Select Configure Global from the Step list. Enable web authentication globally on the switch, and adjust any of the protocol parameters as required. Click Apply.
  • Page 314: Configuring Interface Settings for Web Authentication

    | Security Measures, Network Access (MAC Address Authentication): Web Interface: To enable web authentication for a port: Click Security, Web Authentication. Select Configure Interface from the Step list. Set the status box to enabled for any port that requires web authentication, and click Apply. Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate.
  • Page 315: Table 19: Dynamic QoS Profiles

    | Security Measures, Network Access (MAC Address Authentication): to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.
  • Page 316 | Security Measures, Network Access (MAC Address Authentication): Table 19: Dynamic QoS Profiles (Continued), listing Profile Attribute, Syntax and Example: IP ACL – ip-access-group-in=ip-acl-name (example: ip-access-group-in=ipv4acl); IPv6 ACL – ipv6-access-group-in=ipv6-acl-name (example: ipv6-access-group-in=ipv6acl); MAC ACL – mac-access-group-in=mac-acl-name (example: mac-access-group-in=macAcl). Multiple profiles can be specified in the Filter-ID attribute by using a semicolon to separate each profile.
  • Page 317: Configuring Global Settings for Network Access

    | Security Measures, Network Access (MAC Address Authentication): Configuring Global Settings for Network Access: MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
  • Page 318: Configuring Network Access for Ports

    | Security Measures, Network Access (MAC Address Authentication): Figure 173: Configuring Global Settings for Network Access. Configuring Network Access for Ports: Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic...
  • Page 319 | Security Measures, Network Access (MAC Address Authentication): Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch.
  • Page 320: Configuring Port Link Detection

    | Security Measures, Network Access (MAC Address Authentication): Figure 174: Configuring Interface Settings for Network Access. Configuring Port Link Detection: Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
  • Page 321: Configuring a MAC Address Filter

    | Security Measures, Network Access (MAC Address Authentication): Web Interface: To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
  • Page 322 | Security Measures, Network Access (MAC Address Authentication): MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 323: Displaying Secure MAC Address Information

    | Security Measures, Network Access (MAC Address Authentication): Displaying Secure MAC Address Information: Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
  • Page 324: Configuring HTTPS

    | Security Measures, Configuring HTTPS: Figure 178: Showing Addresses Authenticated for Network Access. Configuring HTTPS: You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 325: Table 20: HTTPS System Support

    | Security Measures, Configuring HTTPS: The client and server negotiate a set of security protocols to use for the connection. The client and server generate session keys for encrypting and decrypting data. The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6.x or above, or Mozilla Firefox 3.6.2/4/5.
  • Page 326: Replacing the Default Secure-Site Certificate

    | Security Measures, Configuring HTTPS: Figure 179: Configuring HTTPS. Replacing the Default Secure-Site Certificate: Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 327 | Security Measures, Configuring HTTPS: Private Key Source File Name – Name of private key file stored on the TFTP server. Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 328 | Security Measures HAPTER Configuring the Secure Shell ONFIGURING THE ECURE HELL The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 329: Configuring The Secure Shell

    | Security Measures HAPTER Configuring the Secure Shell 79355942303577413098022737087794545240839717526463580581767167 09574804776117 Import Client’s Public Key to the Switch – See "Importing User Public Keys" on page 339, or use the copy tftp public-key command (page 724) to copy a file containing the public key for all the SSH client’s granted management access to the switch.
  • Page 330: Configuring The Ssh Server

    | Security Measures HAPTER Configuring the Secure Shell If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 331 | Security Measures HAPTER Configuring the Secure Shell Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt.
  • Page 332: Generating The Host Key Pair

    | Security Measures HAPTER Configuring the Secure Shell Use the Security > SSH (Configure Host Key - Generate) page to generate ENERATING THE a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public...
  • Page 333: Importing User Public Keys

    | Security Measures HAPTER Configuring the Secure Shell Figure 182: Generating the SSH Host Key Pair To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
  • Page 334 | Security Measures HAPTER Configuring the Secure Shell ARAMETERS These parameters are displayed: User Name – This drop-down box selects the user who’s public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
  • Page 335: Access Control Lists

| Security Measures: Access Control Lists. To display or clear an SSH user's public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
  • Page 336 | Security Measures: Access Control Lists. Command Usage: The following restrictions apply to ACLs. The maximum number of ACLs is 512. The maximum number of rules per system is 2048, and a single ACL can hold up to 2048 rules. However, because of hardware resource limits, the average number of rules bound to each port should not exceed 20.
  • Page 337: Setting a Time Range

| Security Measures: Access Control Lists. Rules within an ACL are checked in the configured order, from top to bottom, and the first rule that matches determines the action. If an IP ACL permits a packet but a MAC ACL bound to the same port denies it, the packet is denied: a deny from either list takes priority, for security reasons.
  • Page 338 | Security Measures: Access Control Lists. Enter the name of a time range. Click Apply. Figure 186: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL. Select Configure Time Range from the Step list. Select Show from the Action list.
  • Page 339: Showing TCAM Utilization

| Security Measures: Access Control Lists. Figure 188: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list. Figure 189: Showing the Rules Configured for a Time Range. Use the Security >...
  • Page 340: Setting the ACL Name and Type

| Security Measures: Access Control Lists. Source Guard filter rules, Quality of Service (QoS) processes, QinQ, MAC-based VLANs, VLAN translation, or traps. For example, when an ACL is bound to a port, each rule in the ACL uses two PCEs, and an IP Source Guard filter rule on a port also uses two PCEs.
  • Page 341 | Security Measures: Access Control Lists. Parameters displayed: ACL Name – Name of the ACL. (Maximum length: 32 characters) Type – The following filter modes are supported: IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
  • Page 342 | Security Measures: Access Control Lists. To show a list of ACLs: Click Security, ACL. Select Configure ACL from the Step list. Select Show from the Action list. Figure 192: Showing a List of ACLs. Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
  • Page 343 | Security Measures: Access Control Lists. Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The mask is bitwise ANDed with the specified source IP address and with the source address of each IP packet entering the port(s) to which this ACL has been assigned, and the two results are compared.
  • Page 344 | Security Measures: Access Control Lists. Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI References: "permit, deny (Extended IPv4 ACL)" on page 940; "show ip access-list"...
  • Page 345 | Security Measures: Access Control Lists. ...where the equivalent binary bit "1" means to match a bit and "0" means to ignore a bit. The following bits may be specified: 1 (fin) – Finish; 2 (syn) – Synchronize; 4 (rst) – Reset; 8 (psh) –...
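The ACL semantics described on pages 337 to 345 (mask bits meaning match/ignore, top-to-bottom first-match evaluation, the TCP control-code and mask test, and a deny from either the IP or the MAC ACL on a port winning over a permit) are easy to get wrong when writing rules. The model below is an added example, not Digisol code or the switch's implementation; the rule and packet classes, the sample policy and the assumption that a packet matching no rule is permitted are this example's own.

```python
"""Software model of the ACL evaluation rules described above. Added example,
not Digisol code: it reproduces the documented semantics (mask bits, ordered
first-match evaluation, TCP control-code/mask test, deny-wins across the IP
and MAC ACLs bound to one port) in plain Python so they can be checked."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# TCP control-code bit values (the page's list is cut off after psh; ack and
# urg are the standard continuation).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    proto: int = 6            # 6 = TCP
    dst_port: int = 0
    tcp_flags: int = 0

@dataclass
class IpRule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"           # 1 bits = match, 0 bits = ignore
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: Optional[int] = None
    dst_port: Optional[int] = None
    control_code: Optional[int] = None  # flag bit values to match
    control_mask: int = 0               # which flag bits to examine

def mask_match(pkt_addr: str, rule_addr: str, mask: str) -> bool:
    """Both addresses are ANDed with the mask and the results compared."""
    m = int(IPv4Address(mask))
    return int(IPv4Address(pkt_addr)) & m == int(IPv4Address(rule_addr)) & m

def rule_matches(rule: IpRule, pkt: Packet) -> bool:
    if not mask_match(pkt.src_ip, rule.src, rule.src_mask):
        return False
    if not mask_match(pkt.dst_ip, rule.dst, rule.dst_mask):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.control_code is not None:
        # Only bits set in control_mask are compared ("1" match, "0" ignore).
        want = rule.control_code & rule.control_mask
        if pkt.tcp_flags & rule.control_mask != want:
            return False
    return True

def evaluate_ip_acl(rules: List[IpRule], pkt: Packet) -> str:
    """Rules are checked in configured order; the first match decides.
    Assumption: a packet matching no rule is permitted, since the page does
    not state an implicit default; verify against the hardware counters."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit"

# MAC ACL modelled minimally as (action, source MAC or None for any).
MacRule = Tuple[str, Optional[str]]

def evaluate_mac_acl(rules: List[MacRule], pkt: Packet) -> str:
    for action, src_mac in rules:
        if src_mac is None or src_mac.lower() == pkt.src_mac.lower():
            return action
    return "permit"

def port_decision(ip_acl: List[IpRule], mac_acl: List[MacRule], pkt: Packet) -> str:
    """One IP ACL and one MAC ACL can be bound to a port; a deny from either wins."""
    results = (evaluate_ip_acl(ip_acl, pkt), evaluate_mac_acl(mac_acl, pkt))
    return "deny" if "deny" in results else "permit"

# Constructed example policy: drop new telnet connections (SYN without ACK)
# from 192.168.1.0/24, and block one known-bad station by MAC address.
EXAMPLE_IP_ACL = [
    IpRule("deny", src="192.168.1.0", src_mask="255.255.255.0", proto=6,
           dst_port=23, control_code=SYN, control_mask=SYN | ACK),
    IpRule("permit"),
]
EXAMPLE_MAC_ACL = [("deny", "00:11:22:33:44:55"), ("permit", None)]
```

Reversing the order of the two IP rules makes the deny unreachable, which is the ordering point the page makes; the hardware counters page (357) is the place to confirm that a rule is actually being hit after binding.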
  • Page 346 | Security Measures: Access Control Lists. Figure 194: Configuring an Extended IPv4 ACL. Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References: "permit, deny (Standard IPv6 ACL)"...
  • Page 347 | Security Measures: Access Control Lists. Time Range – Name of a time range. Web Interface: To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list.
  • Page 348 | Security Measures: Access Control Lists. Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI References: "permit, deny (Extended IPv6 ACL)" on page 946; "show ipv6 access-list"...
  • Page 349 | Security Measures: Access Control Lists. Web Interface: To add rules to an Extended IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Extended from the Type list. Select the name of an ACL from the Name list.
  • Page 350: Configuring a MAC ACL

| Security Measures: Access Control Lists. Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI References: "permit, deny (MAC ACL)" on page 951; "show ip access-list"...
  • Page 351 | Security Measures: Access Control Lists. Web Interface: To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 352: Configuring an ARP ACL

| Security Measures: Access Control Lists. Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 353 | Security Measures: Access Control Lists. Web Interface: To add rules to an ARP ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 354: Binding a Port to an Access Control List

| Security Measures: Access Control Lists. After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port. CLI References: "ip access-group"...
  • Page 355: Configuring ACL Mirroring

| Security Measures: Access Control Lists. Figure 199: Binding a Port to an ACL. After configuring ACLs, use the Security > ACL > Configure Interface (Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis.
  • Page 356 | Security Measures: Access Control Lists. Web Interface: To mirror traffic matching an ACL from a source port: Click Security, ACL. Select Configure Interface from the Step list. Select Add Mirror from the Action list. Select a port. Select the name of an ACL from the ACL list. Click Apply.
  • Page 357: Showing ACL Hardware Counters

| Security Measures: Access Control Lists. Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters. CLI References: "show access-list" on page 958; "clear access-list hardware counters" on page 958. Parameters displayed: Port –...
  • Page 358: ARP Inspection

| Security Measures: ARP Inspection. Figure 202: Showing ACL Statistics. ARP Inspection is a security feature that validates the MAC address bindings in Address Resolution Protocol packets. It protects against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain "man-in-the-middle"...
  • Page 359: Configuring Global Settings for ARP Inspection

| Security Measures: ARP Inspection. When ARP Inspection is disabled, all ARP request and reply packets bypass the ARP Inspection engine and are switched like any other packet. Disabling and then re-enabling global ARP Inspection does not affect the ARP Inspection configuration of any VLAN.
  • Page 360 | Security Measures: ARP Inspection. ARP Inspection Logging: By default, logging is active for ARP Inspection and cannot be disabled. The administrator can configure the log facility rate. When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis.
  • Page 361: Configuring VLAN Settings for ARP Inspection

| Security Measures: ARP Inspection. Web Interface: To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP Inspection globally, enable any of the address validation options, and adjust the logging parameters if required. Click Apply.
  • Page 362 | Security Measures: ARP Inspection. If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rule matches a packet, the DHCP snooping binding database determines its validity. If Static is specified, the ACL alone determines validity. Parameters displayed: ARP Inspection VLAN ID –...
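The decision path on pages 358 to 362 (global enable as a bypass switch, trusted ports, the address validation options, ARP ACL first and DHCP snooping bindings second unless Static is set) is shown below as an added example. It is not Digisol code: ArpPacket, VlanSettings, Config, the two validation flags and the binding table contents are this example's own constructions, and the meaning given to the validation options (Ethernet source must equal the ARP sender MAC; unusable sender IPs are rejected) is the usual one, assumed here.

```python
"""Model of the ARP Inspection decision path described above. Added example,
not Digisol code: names such as ArpPacket, Config and the two validation flags
are this example's own, and the binding table is constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class ArpPacket:
    vlan: int
    in_port: str
    eth_src: str        # Ethernet header source MAC
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address

# ARP ACL rule: (action, sender IP or None for any, sender MAC or None for any).
ArpRule = Tuple[str, Optional[str], Optional[str]]

@dataclass
class VlanSettings:
    acl: Optional[List[ArpRule]] = None   # no ACL: bindings alone decide
    static: bool = False                  # Static set: ACL alone decides

@dataclass
class Config:
    global_enabled: bool = True
    vlans: Dict[int, VlanSettings] = field(default_factory=dict)
    trusted_ports: FrozenSet[str] = frozenset()
    validate_src_mac: bool = False   # Ethernet source must equal ARP sender MAC
    validate_ip: bool = False        # reject unusable sender addresses

# (vlan, MAC) -> IP, as learned by DHCP snooping or configured statically.
BINDINGS: Dict[Tuple[int, str], str] = {
    (10, "00:11:22:33:44:55"): "10.1.10.20",
    (10, "00:11:22:33:44:66"): "10.1.10.21",
}

def _unusable(ip: str) -> bool:
    a = IPv4Address(ip)
    return a.is_unspecified or a.is_multicast or a == IPv4Address("255.255.255.255")

def inspect(cfg: Config, pkt: ArpPacket) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one ARP request or reply."""
    if not cfg.global_enabled or pkt.vlan not in cfg.vlans:
        return "forward", "inspection not active"    # bypasses the engine
    if pkt.in_port in cfg.trusted_ports:
        return "forward", "trusted port"
    if cfg.validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "source MAC mismatch"
    if cfg.validate_ip and _unusable(pkt.sender_ip):
        return "drop", "invalid sender IP"
    settings = cfg.vlans[pkt.vlan]
    mac = pkt.sender_mac.lower()
    for action, ip, rule_mac in settings.acl or []:
        if (ip is None or ip == pkt.sender_ip) and (rule_mac is None or rule_mac.lower() == mac):
            return ("forward" if action == "permit" else "drop"), "ARP ACL"
    if settings.static:
        return "drop", "no ARP ACL match (static)"
    if BINDINGS.get((pkt.vlan, mac)) == pkt.sender_ip:
        return "forward", "binding match"
    return "drop", "no binding"
```

The ordering matters in practice: an ARP ACL deny for the gateway address catches a station claiming the gateway IP even when that station has a valid DHCP binding for its own address, which is exactly the spoof the binding check alone would miss.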
  • Page 363: Configuring Interface Settings for ARP Inspection

| Security Measures: ARP Inspection. Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP Inspection, and to adjust the packet inspection rate. CLI References: "ARP Inspection" on page 922. Parameters displayed: Interface –...
  • Page 364: Displaying ARP Inspection Statistics

| Security Measures: ARP Inspection. Figure 205: Configuring Interface Settings for ARP Inspection. Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics on the number of ARP packets processed, or dropped for various reasons. CLI References:...
  • Page 365: Displaying the ARP Inspection Log

| Security Measures: ARP Inspection. Web Interface: To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Statistics from the Action list. Figure 206: Displaying Statistics for ARP Inspection. Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated...
  • Page 366: Filtering IP Addresses for Management Access

| Security Measures: Filtering IP Addresses for Management Access. Web Interface: To display the ARP Inspection log: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Log from the Action list. Figure 207: Displaying the ARP Inspection Log. Filtering IP Addresses for Management Access...
  • Page 367 | Security Measures: Filtering IP Addresses for Management Access. You can delete an address range by specifying only the start address, or by specifying both the start and end address. Parameters displayed: Mode: Web – Configures IP address(es) for the web group. SNMP –...
  • Page 368: Configuring Port Security

| Security Measures: Configuring Port Security. To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 209: Showing IP Addresses Authorized for Management Access. Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
  • Page 369 | Security Measures: Configuring Port Security. When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table. If port security is enabled and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port is prevented from accessing the switch.
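The address-table behaviour on pages 368 and 369 (learn until the configured maximum, block and record unknown stations after that, clear learned entries when the feature is disabled) as a small state model; added example, not Digisol code. SecurePort and its methods are this example's own names, and the handling of a maximum of 0 as "no limit enforced" is an assumption, since the page only describes the non-zero case.

```python
"""Model of the port-security address table behaviour described above. Added
example, not Digisol code: SecurePort and its method names are this example's
own. The page describes only a non-zero maximum; this model treats a maximum
of 0 as 'no limit enforced', which is an assumption."""
from typing import Iterable, Optional, Set

class SecurePort:
    def __init__(self, max_addresses: int, static: Iterable[str] = ()):
        self.max_addresses = max_addresses
        self.enabled = False
        self.static: Set[str] = {m.lower() for m in static}   # configured, kept on disable
        self.dynamic: Set[str] = set()                        # learned, cleared on disable
        self.last_intrusion_mac: Optional[str] = None
        self.intrusion_count = 0

    def set_enabled(self, on: bool) -> None:
        if self.enabled and not on:
            self.dynamic.clear()       # enabled -> disabled clears learned entries
        self.enabled = on

    def table_size(self) -> int:
        return len(self.static) + len(self.dynamic)

    def is_known(self, mac: str) -> bool:
        mac = mac.lower()
        return mac in self.static or mac in self.dynamic

    def frame(self, src_mac: str) -> str:
        """Outcome for one ingress frame: 'forward', 'learned' or 'intrusion'."""
        if not self.enabled or self.max_addresses == 0:
            return "forward"           # assumption: no enforcement in these states
        if self.is_known(src_mac):
            return "forward"
        if self.table_size() < self.max_addresses:
            self.dynamic.add(src_mac.lower())
            return "learned"
        # Table full: the unknown station is blocked and recorded (Last Intrusion MAC).
        self.intrusion_count += 1
        self.last_intrusion_mac = src_mac
        return "intrusion"
```

One consequence worth testing on real hardware before relying on it: because disabling clears only dynamic entries, a port whose learned set was "trusted" in practice starts again from empty on re-enable, and the first stations to talk, not necessarily the legitimate ones, fill the table.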
  • Page 370: Configuring 802.1X Port Authentication

| Security Measures: Configuring 802.1X Port Authentication. MAC Filter – Shows whether MAC address filtering has been set under Security > Network Access (Configure MAC Filter), as described on page 327. MAC Filter ID – The identifier for a MAC address filter. Last Intrusion MAC –...
  • Page 371 | Security Measures: Configuring 802.1X Port Authentication. ...rights. When a client (the Supplicant) connects to a switch port, the switch (the Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which forwards it to the RADIUS server.
  • Page 372: Configuring 802.1X Global Settings

| Security Measures: Configuring 802.1X Port Authentication. The RADIUS server and client also have to support the same EAP authentication type: MD5, PEAP, TLS, or TTLS. EAP-MD5 authenticates only the client, provides no server authentication and derives no keys, so prefer PEAP, TLS or TTLS wherever the clients support them. (Native support for these EAP methods is provided in Windows 7, Vista and XP, and in Windows 2000 with Service Pack 4.
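The supplicant, authenticator and RADIUS server roles on pages 371 and 372 are shown below with EAP-MD5 as the method, because it is the simplest of the four the page lists and the one whose weakness is easiest to demonstrate. This is an added example, not Digisol code or the switch's 802.1X implementation: the RADIUS server is an in-process object, only the EAP payload is modelled (no EAPOL or RADIUS framing), and the class names are this example's own. The last function shows why EAP-MD5 is the wrong choice on a network an attacker can sniff.

```python
"""Model of the 802.1X exchange described above, using EAP-MD5 (RFC 3748
section 5.4) as the method. Added example, not Digisol code: the RADIUS server
is in-process and only the EAP payload is modelled."""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4     # EAP codes
IDENTITY, MD5_CHALLENGE = 1, 4                       # EAP types

@dataclass
class Eap:
    code: int
    ident: int
    type_: int = 0
    data: bytes = b""

def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class RadiusServer:
    """Holds the user database and issues/verifies MD5 challenges."""
    def __init__(self, users: Dict[str, bytes]):
        self.users = users
        self.pending: Dict[str, Tuple[int, bytes]] = {}

    def handle(self, identity: Optional[str], msg: Eap) -> Eap:
        if msg.type_ == IDENTITY:
            identity = msg.data.decode()
            challenge = os.urandom(16)
            self.pending[identity] = (msg.ident + 1, challenge)
            return Eap(REQUEST, msg.ident + 1, MD5_CHALLENGE, bytes([16]) + challenge)
        if msg.type_ == MD5_CHALLENGE and identity in self.pending:
            ident, challenge = self.pending.pop(identity)
            expected = md5_response(ident, self.users.get(identity, b""), challenge)
            ok = identity in self.users and msg.ident == ident and msg.data[1:17] == expected
            return Eap(SUCCESS if ok else FAILURE, msg.ident)
        return Eap(FAILURE, msg.ident)

class Supplicant:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def respond(self, req: Eap) -> Eap:
        if req.type_ == IDENTITY:
            return Eap(RESPONSE, req.ident, IDENTITY, self.identity.encode())
        challenge = req.data[1:1 + req.data[0]]        # first octet is value-size
        value = md5_response(req.ident, self.password, challenge)
        return Eap(RESPONSE, req.ident, MD5_CHALLENGE, bytes([16]) + value)

class Authenticator:
    """The switch port: sends the identity request, relays EAP to RADIUS,
    and authorizes the port only on EAP-Success."""
    def __init__(self, server: RadiusServer):
        self.server, self.state = server, "unauthorized"
        self.wire: List[Eap] = []          # what an on-path sniffer would see

    def authenticate(self, supp: Supplicant) -> str:
        msg = Eap(REQUEST, 1, IDENTITY)    # switch -> client: EAPOL identity request
        identity = None
        while msg.code == REQUEST:
            self.wire.append(msg)
            resp = supp.respond(msg)
            self.wire.append(resp)
            if resp.type_ == IDENTITY:
                identity = resp.data.decode()
            msg = self.server.handle(identity, resp)   # forwarded to RADIUS
        self.wire.append(msg)
        self.state = "authorized" if msg.code == SUCCESS else "unauthorized"
        return self.state

def offline_guess(wire: List[Eap], wordlist: List[bytes]) -> Optional[bytes]:
    """Recover the password from a sniffed exchange: with no server
    authentication and no key derivation, one challenge/response pair is
    enough to test candidates offline at MD5 speed."""
    req = next(m for m in wire if m.code == REQUEST and m.type_ == MD5_CHALLENGE)
    resp = next(m for m in wire if m.code == RESPONSE and m.type_ == MD5_CHALLENGE)
    challenge = req.data[1:1 + req.data[0]]
    for pw in wordlist:
        if md5_response(req.ident, pw, challenge) == resp.data[1:17]:
            return pw
    return None
```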
  • Page 373: Configuring Port Authenticator Settings for 802.1X

| Security Measures: Configuring 802.1X Port Authentication. Default – Sets all configurable 802.1X global and port settings to their default values. Web Interface: To configure global settings for 802.1X: Click Security, Port Authentication. Select Configure Global from the Step list. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required.
  • Page 374 | Security Measures: Configuring 802.1X Port Authentication. When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 378), which identify this switch as a supplicant, and configure the supplicant parameters for those ports that must authenticate clients through the remote authenticator (see...
  • Page 375 | Security Measures: Configuring 802.1X Port Authentication. MAC-Based – Allows multiple hosts to connect to this port, each of which must be authenticated individually. The number of hosts allowed access to a port in this mode is limited only by the available space in the secure address table (up to 1024 addresses).
  • Page 376 | Security Measures: Configuring 802.1X Port Authentication. ...before it times out the authentication session. (Range: 1-10; Default: 2) Intrusion Action – Sets the port's response to a failed authentication. Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.) Guest VLAN –...
  • Page 377: Configuring Port Supplicant Settings for 802.1X

| Security Measures: Configuring 802.1X Port Authentication. Web Interface: To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Authenticator. Modify the authentication settings for each port as required. Click Apply. Figure 213: Configuring Interface Settings for 802.1X Port Authenticator. Use the Security >...
  • Page 378 | Security Measures: Configuring 802.1X Port Authentication. Command Usage: When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 378), which identify this switch as a supplicant, and configure the supplicant parameters for those ports that must authenticate...
  • Page 379: Displaying 802.1X Statistics

| Security Measures: Configuring 802.1X Port Authentication. Web Interface: To configure port supplicant settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply. Figure 214: Configuring Interface Settings for 802.1X Port Supplicant. Use the Security >...
  • Page 380 | Security Measures: Configuring 802.1X Port Authentication. Table 23: 802.1X Statistics (Continued). Parameter – Description: Rx EAPOL Total – The number of valid EAPOL frames of any type received by this Authenticator. Rx Last EAPOL Ver – The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
  • Page 381 | Security Measures: Configuring 802.1X Port Authentication. Web Interface: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 215: Showing Statistics for 802.1X Port Authenticator.
  • Page 382: DoS Protection

| Security Measures: DoS Protection. To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 216: Showing Statistics for 802.1X Port Supplicant. Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks.
  • Page 383 | Security Measures: DoS Protection. Echo/Chargen Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second) Smurf Attack – Attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of it carrying the spoofed source address of the intended victim.
  • Page 384: IP Source Guard

| Security Measures: IP Source Guard. ...URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a "Blue Screen of Death." This did not damage or change data on the computer's hard disk, but any unsaved data would be lost.
  • Page 385: Configuring Ports for IP Source Guard

| Security Measures: IP Source Guard. Use the Security > IP Source Guard > Port Configuration page to set the filtering type based on source IP address, or on source IP address and MAC address pairs. IP Source Guard is used to filter traffic on an insecure port that receives messages from outside the network or firewall, and therefore may be...
  • Page 386 | Security Measures: IP Source Guard. Parameters displayed: Filter Type – Configures the switch to filter inbound traffic based on source IP address, or on source IP address and corresponding MAC address. (Default: None) None – Disables IP Source Guard filtering on the port. SIP –...
  • Page 387 | Security Measures: IP Source Guard. Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier.
  • Page 388: Configuring Static Bindings for IP Source Guard

| Security Measures: IP Source Guard. IP Address – IP address corresponding to the client. Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.) Web Interface: To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration.
  • Page 389: Displaying Information for Dynamic IP Source Guard Bindings

| Security Measures: IP Source Guard. Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI References: "show ip dhcp snooping binding"...
  • Page 390: DHCP Snooping

| Security Measures: DHCP Snooping. Figure 221: Showing the IP Source Guard Binding Table. The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or the static bindings configured with IP Source Guard).
  • Page 391 | Security Meas​ures: DHCP Snooping. Filtering rules are implemented as follows: If global DHCP snooping is disabled, all DHCP packets are forwarded. If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port.
  • Page 392: DHCP Snooping Configuration

| Security Measures: DHCP Snooping. DHCP Snooping Option 82: DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 393 | Security Measures: DHCP Snooping. DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification. If the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled) DHCP Snooping Information Option Status –...
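IP Source Guard (pages 385 to 389) and DHCP snooping (pages 390 to 393) share one binding table, so they are shown together below as a single added example, not Digisol code. DhcpMsg, Binding, Snooping and source_guard are this example's own names and the traffic is constructed. It covers the trusted/untrusted filtering rules, MAC-address verification against the DHCP client hardware address, learning a dynamic binding from a server ACK, static bindings with a zero lease, and the SIP versus SIP+MAC filter types. Dropping server-originated messages on untrusted ports is standard DHCP snooping behaviour, included here although the page's statement of the untrusted-port rules is cut off.

```python
"""Model of DHCP snooping and IP Source Guard as described above. Added
example, not Digisol code: DhcpMsg, Binding, Snooping and source_guard are
this example's own names, and the sample traffic is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class DhcpMsg:
    vlan: int
    in_port: str
    eth_src: str                        # Ethernet header source MAC
    op: int                             # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    chaddr: str                         # client hardware address in the DHCP payload
    msg_type: str                       # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    yiaddr: str = "0.0.0.0"             # address assigned (in OFFER/ACK)
    lease: int = 0
    client_port: Optional[str] = None   # port a reply is switched out of (assumed known)

@dataclass
class Binding:
    mac: str
    ip: str
    lease: int        # 0 for static entries
    kind: str         # "Static" or "Dynamic"
    vlan: int
    port: str

@dataclass
class Snooping:
    enabled: bool = True
    vlans: Set[int] = field(default_factory=set)
    trusted: Set[str] = field(default_factory=set)
    verify_mac: bool = True              # MAC-address verification (default Enabled)
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)

    def filter(self, m: DhcpMsg) -> str:
        """Forward/drop decision for one DHCP packet, plus binding maintenance."""
        key = (m.vlan, m.chaddr.lower())
        if not self.enabled or m.vlan not in self.vlans:
            return "forward"                       # snooping not active here
        if m.in_port in self.trusted:
            if m.op == 2 and m.msg_type == "ACK" and m.client_port not in self.trusted:
                # Server reply to a client on an untrusted port: record the lease.
                self.bindings[key] = Binding(key[1], m.yiaddr, m.lease, "Dynamic",
                                             m.vlan, m.client_port)
            return "forward"
        # Untrusted port from here on.
        if m.op == 2:
            return "drop: server message on untrusted port"   # rogue-server rule
        if self.verify_mac and m.eth_src.lower() != m.chaddr.lower():
            return "drop: MAC verification failed"
        if m.msg_type == "RELEASE":
            self.bindings.pop(key, None)
        return "forward"

    def add_static(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """Static IP Source Guard binding; lease time is zero for static entries."""
        self.bindings[(vlan, mac.lower())] = Binding(mac.lower(), ip, 0, "Static", vlan, port)

def source_guard(snoop: Snooping, filter_type: str, vlan: int, port: str,
                 src_mac: str, src_ip: str) -> bool:
    """IP Source Guard check for an IP packet arriving on an untrusted port."""
    if filter_type == "None":
        return True
    if filter_type == "SIP":
        return any(b.vlan == vlan and b.port == port and b.ip == src_ip
                   for b in snoop.bindings.values())
    if filter_type == "SIP-MAC":
        b = snoop.bindings.get((vlan, src_mac.lower()))
        return b is not None and b.port == port and b.ip == src_ip
    raise ValueError(f"unknown filter type {filter_type!r}")
```

The SIP filter accepts any source MAC that uses a bound address on the right port; only SIP+MAC ties the address to the station that leased it, which is what stops a second host on a hub or unmanaged switch behind the port from borrowing its neighbour's address.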
  • Page 394: DHCP Snooping VLAN Configuration

| Security Measures: DHCP Snooping. Figure 222: Configuring Global Settings for DHCP Snooping. Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI References: "ip dhcp snooping vlan"...
  • Page 395: Configuring Ports for DHCP Snooping

| Security Measures: DHCP Snooping. Web Interface: To configure VLAN settings for DHCP Snooping: Click IP Service, DHCP, Snooping. Select Configure VLAN from the Step list. Enable DHCP Snooping on any existing VLAN. Click Apply. Figure 223: Configuring DHCP Snooping on a VLAN. Use the IP Service >...
  • Page 396: Displaying DHCP Snooping Binding Information

| Security Measures: DHCP Snooping. Parameters displayed: Trust Status – Enables or disables a port as trusted. (Default: Disabled) Circuit ID – Specifies DHCP Option 82 circuit ID suboption information. Mode – Specifies the default string "VLAN-Unit-Port" or an arbitrary string.
  • Page 397 | Security Measures: DHCP Snooping. Parameters displayed: MAC Address – Physical address associated with the entry. IP Address – IP address corresponding to the client. Lease Time – The time for which this IP address is leased to the client. Type –...
  • Page 398: Basic Administration Protocols

Basic Administration Protocols. This chapter describes basic administration tasks, including: Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 399: Configuring Event Logging

| Basic Administration Protocols: Configuring Event Logging. The switch allows you to control the logging of error messages, including the type of events recorded in switch memory and logging to a remote System Log (syslog) server, and displays a list of recent event messages. Use the Administration >...
  • Page 400 | Basic Administration Protocols: Configuring Event Logging. RAM Level – Limits log messages saved to the switch's temporary RAM memory to all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 are logged to RAM. (Range: 0-7; Default: 7) The Flash Level must be equal to or less than the RAM Level.
  • Page 401: Remote Log Configuration

| Basic Administration Protocols: Configuring Event Logging. ...random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory. Figure 227: Showing Error Messages Logged to System Memory. Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations.
  • Page 402: Sending Simple Mail Transfer Protocol Alerts

| Basic Administration Protocols: Configuring Event Logging. Port – Host UDP port to use. (Range: 1-65535; Default: 514) Web Interface: To configure the logging of error messages to remote servers: Click Administration, Log, Remote. Enable remote logging, and specify the facility type to use for the syslog messages.
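The level filters on page 400 and the remote syslog settings on pages 401 and 402 determine what a collector actually receives, and the collector has to undo the encoding. The example below is added here and is not Digisol code: the LogConfig fields are this example's own, the flash default of 3 is an assumption (the page states a default only for the RAM level), and the log-host address is a constructed documentation address. It models the level filters, the Flash <= RAM constraint, the PRI octet of the outgoing datagram (facility * 8 + severity), and the decode a receiver performs.

```python
"""Model of the event-logging controls described above and of the syslog
datagram a remote log host receives. Added example, not Digisol code: the
LogConfig fields are this example's own, and the flash default of 3 is an
assumption (the page gives only the RAM default of 7)."""
import re
import socket
import time
from dataclasses import dataclass
from typing import Optional, Set, Tuple

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
FACILITY = {f"local{i}": 16 + i for i in range(8)}       # syslog facility codes
FACILITY_NAME = {v: k for k, v in FACILITY.items()}

@dataclass
class LogConfig:
    ram_level: int = 7        # page: range 0-7, default 7
    flash_level: int = 3      # assumption; must not exceed ram_level
    remote_enabled: bool = False
    facility: str = "local7"
    host: str = "192.0.2.10"  # constructed log-host address
    port: int = 514           # page: default UDP port 514

def validate(cfg: LogConfig) -> None:
    """Enforces the documented constraint Flash Level <= RAM Level."""
    if not 0 <= cfg.flash_level <= cfg.ram_level <= 7:
        raise ValueError("need 0 <= flash_level <= ram_level <= 7")
    if cfg.facility not in FACILITY or not 1 <= cfg.port <= 65535:
        raise ValueError("bad facility or port")

def destinations(cfg: LogConfig, severity: int) -> Set[str]:
    """Where a message of the given severity is stored ('ram', 'flash')."""
    out = set()
    if severity <= cfg.ram_level:
        out.add("ram")
    if severity <= cfg.flash_level:
        out.add("flash")
    return out

def encode_syslog(cfg: LogConfig, severity: int, hostname: str, msg: str,
                  timestamp: Optional[str] = None) -> bytes:
    """RFC 3164-style datagram: <PRI>TIMESTAMP HOST MSG, PRI = facility*8 + severity."""
    pri = FACILITY[cfg.facility] * 8 + severity
    ts = timestamp or time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {msg}".encode()

_PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes) -> Tuple[str, str]:
    """What a collector does on receipt: split PRI back into facility and severity."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing PRI")
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITY_NAME.get(fac, str(fac)), SEVERITY_NAME[sev]

def send_remote(cfg: LogConfig, severity: int, hostname: str, msg: str) -> Optional[bytes]:
    """Emit to the configured host when remote logging is enabled; returns the bytes sent."""
    if not cfg.remote_enabled:
        return None
    data = encode_syslog(cfg, severity, hostname, msg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (cfg.host, cfg.port))
    return data
```

Because the datagram is plain UDP with no authentication, anything that can reach port 514 on the collector can inject messages with the switch's hostname; filter the collector by source address, and treat the switch's own RAM and flash buffers as the record to compare against when an injected entry is suspected.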
  • Page 403: Link Layer Discovery Protocol

| Basic Administration Protocols: Link Layer Discovery Protocol. ...identifies the switch, or the address of an administrator responsible for the switch. Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients. Server IP Address –...
  • Page 404: Setting LLDP Timing Attributes

| Basic Administration Protocols: Link Layer Discovery Protocol. LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers. Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches.
  • Page 405 | Basic Administration Protocols: Link Layer Discovery Protocol. When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Notification Interval – Configures the allowed interval for sending SNMP notifications about LLDP MIB changes. (Range: 5-3600 seconds; Default: 5 seconds) This parameter only applies to SNMP applications that use data stored in the LLDP MIB for network monitoring or management.
  • Page 406: Configuring LLDP Interface Attributes

| Basic Administration Protocols: Link Layer Discovery Protocol. Use the Administration > LLDP (Configure Interface) page to specify the LLDP message attributes for individual interfaces, including whether messages are transmitted, received, or both, whether SNMP notifications are sent, and the type of information advertised.
  • Page 407 | Basic Administration Protocols: Link Layer Discovery Protocol. Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. Every management address TLV that reports an address accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management...
  • Page 408 | Basic Administration Protocols: Link Layer Discovery Protocol. Max Frame Size – The maximum frame size. (See "Configuring Support for Jumbo Frames" on page 116 for information on configuring the maximum frame size for this switch.) MAC/PHY Configuration/Status – The MAC/PHY configuration and status, which includes information about auto-negotiation support/capabilities and the operational Medium Attachment Unit (MAU) type.
  • Page 409: Configuring LLDP Interface Civic-Address

| Basic Administration Protocols: Link Layer Discovery Protocol. Web Interface: To configure LLDP interface attributes: Click Administration, LLDP. Select Configure Interface from the Step list. Select Configure General from the Action list. Select an interface from the Port or Trunk list. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
  • Page 410: Table 25: LLDP-MED Location CA Types

| Basic Administration Protocols: Link Layer Discovery Protocol. ...specified as a type and value pair, with the civic address type defined in RFC 4776. The following table describes some of the CA type numbers and provides examples. Table 25: LLDP-MED Location CA Types (CA Type – Description – CA Value Example): National subdivisions (state, canton, province)...
  • Page 411: Displaying LLDP Local Device Information

| Basic Administration Protocols: Link Layer Discovery Protocol. Figure 232: Configuring the Civic Address for an LLDP Interface. To show the physical location of the attached device: Click Administration, LLDP. Select Configure Interface from the Step list. Select Show CA-Type from the Action list. Select an interface from the Port or Trunk list.
  • Page 412: Table 26: Chassis ID Subtype

| Basic Administration Protocols: Link Layer Discovery Protocol. Table 26: Chassis ID Subtype (ID Basis – Reference): Chassis component – EntPhysicalAlias when entPhysicalClass has a value of 'chassis(3)' (IETF RFC 2737); Interface alias – IfAlias (IETF RFC 2863); Port component – EntPhysicalAlias when entPhysicalClass has a value of 'port(10)' or 'backplane(4)'...
  • Page 413: Table 28: Port ID Subtype

| Basic Administration Protocols: Link Layer Discovery Protocol. Interface Settings: The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk. Port/Trunk Description – A string that indicates the port or trunk description.
  • Page 414 | Basic Administration Protocols: Link Layer Discovery Protocol. Extended Power via MDI – PD; Inventory. Web Interface: To display LLDP information for the local device: Click Administration, LLDP. Select Show Local Device Information from the Step list. Select General, Port, Port Details, Trunk, or Trunk Details. Figure 234: Displaying Local Device Information for LLDP (General). Figure 235: Displaying Local Device Information for LLDP (Port).
  • Page 415: Displaying LLDP Remote Device Information

| Basic Administration Protocols: Link Layer Discovery Protocol. Figure 236: Displaying Local Device Information for LLDP (Port Details). Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch's ports which are advertising information through LLDP, or to display detailed...
  • Page 416 | Basic Administration Protocols: Link Layer Discovery Protocol. Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent. There are several ways in which a chassis may be identified, and a chassis ID subtype is used to indicate the type of component being referenced by the chassis ID field.
  • Page 417: Table 29: Remote Port Auto-Negotiation Advertised Capability

| Basic Administration Protocols: Link Layer Discovery Protocol. ...protocol identity, and an octet string used to identify the protocols associated with a port of the remote system. Port Details – 802.3 Extension Port Information: Remote Port Auto-Neg Supported – Shows whether the given port (associated with the remote system) supports auto-negotiation.
  • Page 418 | Basic Administration Protocols: Link Layer Discovery Protocol. Remote Power MDI Status – Shows whether MDI power is enabled on the given port associated with the remote system. Remote Power Pairs – "Signal" means that only the signal pairs are in use, and "Spare"...
  • Page 419 | Basic Administration Protocols: Link Layer Discovery Protocol. ...access point, or any device that supports the IEEE 802.1AB and MED extensions defined by this Standard and can relay IEEE 802 frames via any method. Supported Capabilities – The supported set of capabilities that define the primary function(s) of the port: LLDP-MED Capabilities, Network Policy...
  • Page 420 | Basic Administration Protocols: Link Layer Discovery Protocol. ...64 code point values (0-63). A value of 0 represents use of the default DSCP value as defined in RFC 2475. Port Details – Location Identification: Location Data Format – Any of these location ID data formats: Coordinate-based LCI –...
  • Page 421 | Basic Administration Protocols: Link Layer Discovery Protocol. Manufacturer Name – The manufacturer of the end-point device. Asset ID – The asset identifier of the end-point device. End-point devices are typically assigned asset identifiers to facilitate inventory management and asset tracking. Firmware Revision –...
  • Page 422 | Basic Administration Protocols: Link Layer Discovery Protocol. Figure 238: Displaying Remote Device Information for LLDP (Port Details).
  • Page 423: Displaying Device Statistics

| Basic Administration Protocols: Link Layer Discovery Protocol. Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 239: Displaying Remote Device Information for LLDP (End Node). Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP...
  • Page 424 | Basic Administration Protocols: Link Layer Discovery Protocol. Neighbor Entries Dropped Count – The number of times the remote database on this switch dropped an LLDPDU because of insufficient resources. Neighbor Entries Age-out Count – The number of times a neighbor's information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
  • Page 425: Simple Network Management Protocol

| Basic Administration Protocols: Simple Network Management Protocol. Figure 240: Displaying LLDP Device Statistics (General). Figure 241: Displaying LLDP Device Statistics (Port). Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
  • Page 426: Table 30: SNMPv3 Security Models and Levels

| Basic Administration Protocols: Simple Network Management Protocol. ...as well as the traffic passing through its ports. A network management station can access this information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings, which travel in clear text; SNMPv3 adds per-user authentication and, optionally, encryption.
  • Page 427: Configuring Global Settings for SNMP

| Basic Administration Protocols: Simple Network Management Protocol. Command Usage: Configuring SNMPv1/2c Management Access. To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch and to enable trap messages. Use the Administration >...
  • Page 428: Setting the Local Engine ID

| Basic Administration Protocols: Simple Network Management Protocol. Parameters displayed: Agent Status – Enables SNMP on the switch. (Default: Enabled) Authentication Traps – Issues a notification message to the specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process.
  • Page 429: Specifying a Remote Engine ID

| Basic Administration Protocols: Simple Network Management Protocol. ...ID is deleted or changed, all SNMP users are cleared, and you will need to reconfigure all existing users. Parameters displayed: Engine ID – A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format).
  • Page 430 | Basic Administration Protocols: Simple Network Management Protocol. Command Usage: SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it.
  • Page 431: Figure 245: Showing Remote Engine IDs for SNMP. Setting SNMPv3 Views: Use the Administration > SNMP (Configure View) page to configure SNMPv3 views, which are used to restrict user access to specified portions of the MIB tree.
  • Page 432: Select Add View from the Action list. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
  • Page 433: Click Apply. Figure 248: Adding an OID Subtree to an SNMP View. To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
  • Page 434: Configuring SNMPv3 Groups

    Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
  • Page 435: Table 31: Supported Notification Messages

    Table 31: Supported Notification Messages. RFC 1493 Traps: newRoot (1.3.6.1.2.1.17.0.1) – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
  • Page 436: Web Interface: To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 437: Setting Community Access Strings

    Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 438: Configuring Local SNMPv3 Users

    To show the community access strings: Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list. Figure 253: Showing Community Access Strings. Configuring Local SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify...
  • Page 439: AuthPriv – SNMP communications use both authentication and encryption. Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Authentication Password – A minimum of eight plain text characters is required.
  • Page 440: To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list. Figure 255: Showing Local SNMPv3 Users. Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from SNMP...
  • Page 441: Security Level – The following security levels are only used for the groups assigned to the SNMP security model: noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.) AuthNoPriv –...
  • Page 442: Figure 256: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 257: Showing Remote SNMPv3 Users.
  • Page 443: Specifying Trap Managers

    Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 444: Parameters: These parameters are displayed: SNMP Version 1: IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient). Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
  • Page 445: SNMP Version 3: IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient). Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
  • Page 446: Web Interface: To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 258: Configuring Trap Managers (SNMPv1). Figure 259: Configuring Trap Managers (SNMPv2c).
  • Page 447: Creating SNMP Notification Logs

    Figure 260: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 261: Showing Trap Managers. Use the Administration >...
  • Page 448: The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged. Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any...
  • Page 449: Showing SNMP Statistics

    Click Apply. Figure 262: Creating SNMP Notification Logs. To show configured SNMP notification logs: Click Administration, SNMP. Select Configure Notify Filter from the Step list. Select Show from the Action list. Figure 263: Showing SNMP Notification Logs. Use the Administration >...
  • Page 450: Illegal operation for community name supplied – The total number of SNMP messages delivered to the SNMP entity which represented an SNMP operation that was not allowed by the SNMP community named in the message. Encoding errors –...
  • Page 451: Remote Monitoring

    Web Interface: To show SNMP statistics: Click Administration, SNMP. Select Show Statistics from the Step list. Figure 264: Showing SNMP Statistics. Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 452: Configuring RMON Alarms

    Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
  • Page 453: Falling Threshold – If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 454: Configuring RMON Events

    To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 266: Showing Configured RMON Alarms. Configuring RMON Events: Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered.
  • Page 455: Type – Specifies the type of event to initiate: None – No event is generated. Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "System Log Configuration"...
  • Page 456: Configuring RMON History Samples

    Figure 267: Configuring an RMON Event. To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 268: Showing Configured RMON Events. Use the Administration >...
  • Page 457: Command Usage: Each index number equates to a port on the switch. If history collection is already enabled on an interface, the entry must be deleted before any changes can be made. The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
  • Page 458: Click Apply. Figure 269: Configuring an RMON History Sample. To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History.
  • Page 459: Configuring RMON Statistical Samples

    Select a port from the list. Click History. Figure 271: Showing Collected RMON History Samples. Configuring RMON Statistical Samples: Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
  • Page 460: Web Interface: To enable regular sampling of statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply. Figure 272: Configuring an RMON Statistical Sample...
  • Page 461: Figure 273: Showing Configured RMON Statistical Samples. To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics.
  • Page 462: Switch Clustering

    Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 463: Parameters: These parameters are displayed: Cluster Status – Enables or disables clustering on the switch. (Default: Disabled) Commander Status – Enables or disables the switch as a cluster Commander. (Default: Disabled) IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster.
  • Page 464: Cluster Member Configuration

    Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members. CLI References: "Switch Clustering" on page 767. Parameters: These parameters are displayed: Member ID –...
  • Page 465: Managing Cluster Members

    Figure 277: Showing Cluster Members. To show cluster candidates: Click Administration, Cluster. Select Configure Member from the Step list. Select Show Candidate from the Action list. Figure 278: Showing Cluster Candidates. Managing Cluster Members: Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
  • Page 466: Ethernet Ring Protection Switching

    Operate – Remotely manage a cluster member. Web Interface: To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate.
  • Page 467: Operational Concept: Loop avoidance in the ring is achieved by guaranteeing that, at any time, traffic may flow on all but one of the ring links. This particular link is called the ring protection link (RPL), and under normal conditions this link is blocked to traffic.
  • Page 468: Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology. This arrangement consists of conjoined rings connected by one or more interconnection points, and is based on the following criteria: The R-APS channels are not shared across Ethernet Ring interconnections.
  • Page 469: Figure 281: Ring Interconnection Architecture (Multi-ring/Ladder Network). [Figure labels: Normal Condition; Signal Fail Condition; RPL Owner Node for ERP1; ring node A; ring node B; ERP1...]
  • Page 470: ERPS Global Configuration

    Enable ERPS (Configure Global): Before enabling a ring as described in the next step, first globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled, no ERPS rings will work. Enable an ERPS ring (Configure Domain –...
  • Page 471: ERPS Ring Configuration

    Web Interface: To globally enable ERPS on the switch: Click Administration, ERPS. Select Configure Global from the Step list. Mark the ERPS Status check box. Click Apply. Figure 282: Setting ERPS Global Status. Use the Administration >...
  • Page 472: Show Domain: Name – Name of a configured ERPS ring. ID – ERPS ring identifier used in R-APS messages. Admin Status – Shows whether ERPS is enabled on the switch. Ver – Shows the ERPS version. MEG Level –...
  • Page 473: Local FS – Shows if a forced switch command was issued on this interface. Local MS – Shows if a manual switch command was issued on this interface. MEP – The CFM MEP used to monitor the status on this link. RPL –...
  • Page 474: Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently. If set to version 1, MS and FS operator commands are filtered, and the switch is set to revertive mode.
  • Page 475: Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the Forced Switch or Manual Switch commands on the Configure Operation page).
  • Page 476: ...over both ring ports, informing that no request is present at this ring node, and initiates a guard timer. When another recovered ring node (or nodes) holding the link block receives this message, it compares the Node ID information with its own Node ID.
  • Page 477: Recovery for Forced Switching – A Forced Switch command is removed by issuing the Clear command (Configure Operation page) to the same ring node where Forced Switch mode is in effect. The Clear command removes any existing local operator commands, and triggers reversion if the ring is in revertive behavior mode.
  • Page 478: The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB.
  • Page 479: Recovery with non-revertive mode is handled as follows: The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action. Then, after the operator issues the Clear command (Configure Operation page) at the RPL Owner Node, this ring node blocks the ring port attached to the RPL,...
  • Page 480: A sub-ring may be attached to a primary ring with or without a virtual channel. A virtual channel is used to connect two interconnection points on the sub-ring, tunneling R-APS control messages across an arbitrary Ethernet network topology.
  • Page 481: No R-APS messages are inserted or extracted by other rings or sub-rings at the interconnection nodes where a sub-ring is attached. Hence there is no need for either additional bandwidth or for different VIDs/Ring IDs for the ring interconnection.
  • Page 482: The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL. However, using this standard recovery procedure may cause a non-ERPS device to become isolated when the ERPS device adjacent to it detects a continuity check message (CCM) loss event and blocks the...
  • Page 483: ...that defect will be reported to the protection switching mechanism. The reported defect need not be the same one that started the timer. Guard Timer – The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
  • Page 484: West/East – Connects to the next ring node to the west/east. Each node must be connected to two neighbors on the ring. For convenience, the ports connected are referred to as east and west ports.
  • Page 485: Web Interface: To create an ERPS ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Add from the Action list. Enter a name and optional identifier for the ring. Click Apply.
  • Page 486: Figure 286: Creating an ERPS Ring. To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list. Figure 287: Showing Configured ERPS Rings.
  • Page 487: ERPS Forced and Manual Mode Operations

    Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands. CLI References: "erps forced-switch" on page 1091; "erps manual-switch"...
  • Page 488: Table 32: ERPS Request/State Priority

    ...nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
  • Page 489: ...under maintenance in order to avoid falling into the above-mentioned unrecoverable situation. Manual Switch – Blocks the specified ring port, in the absence of a failure or an FS command. (Options: West or East) A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links.
  • Page 490: A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
  • Page 491: Connectivity Fault Management

    Figure 288: Blocking an ERPS Ring Port. Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
  • Page 492: A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
  • Page 493: Figure 290: Multiple CFM Maintenance Domains. [Figure labels: Customer MA; Operator 1 MA; Operator 2 MA; Provider MA] Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
  • Page 494: Configuring Global Settings for CFM

    SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent.
  • Page 495: CLI References: "CFM Commands" on page 1277. Parameters: These parameters are displayed: Global Configuration: CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
  • Page 496: Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
  • Page 497: Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list. Web Interface: To configure global settings for CFM: Click Administration, CFM.
  • Page 498: Configuring Interfaces for CFM

    CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings. CLI References: "ethernet cfm port-enable"...
  • Page 499: CLI References: "CFM Commands" on page 1277. Command Usage: Configuring General Settings: Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
  • Page 500: Table 33: Remote MEP Priority Levels

    The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List. Configuring Fault Notification: A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that the configured time period (MEP Fault Notify Alarm Time) has passed with one or more defects indicated, and fault alarms are enabled at or above...
  • Page 501: Parameters: These parameters are displayed: Creating a Maintenance Domain: MD Index – Domain index. (Range: 1-65535) MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters) MD Level – Authorized maintenance level for this domain. (Range: 0-7) MIP Creation Type –...
  • Page 502: Web Interface: To create a maintenance domain: Click Administration, CFM. Select Configure MD from the Step list. Select Add from the Action list. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). Specify the manner in which MIPs can be created within each domain.
  • Page 503: Configuring CFM Maintenance Associations

    To configure detailed settings for maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters. Click Apply. Figure 295: Configuring Detailed Settings for Maintenance Domains. Use the Administration >...
  • Page 504: Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 505). Before removing an MA, first remove the MEPs assigned to it (see "Configuring Maintenance End Points"...
  • Page 505: MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA: Default – MIPs can be created for this MA on any bridge port through which the MA’s VID can pass. Explicit –...
  • Page 506: AIS Transmit Level – Configure the AIS maintenance level in an MA. (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level. AIS Suppress Alarm – Enables/disables suppression of the AIS. (Default: Disabled) Web Interface: To create a maintenance association:...
  • Page 507: Figure 297: Showing Maintenance Associations. To configure detailed settings for maintenance associations: Click Administration, CFM. Select Configure MA from the Step list. Select Configure Details from the Action list. Select an entry from MD Index and MA Index. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
  • Page 508: Configuring Maintenance End Points

    Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
  • Page 509: Configuring Remote Maintenance End Points

    Click Apply. Figure 299: Configuring Maintenance End Points. To show the configured maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 300: Showing Maintenance End Points. Use the Administration >...
  • Page 510: Command Usage: All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process. Remote MEPs can only be configured if local domain service access points (DSAPs) have already been created (see "Configuring Maintenance End...
  • Page 511: Transmitting Link Trace Messages

    Figure 301: Configuring Remote Maintenance End Points. To show the configured remote maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 302: Showing Remote Maintenance End Points. Use the Administration >...
  • Page 512: LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded. LTMs are used to isolate faults.
  • Page 513: Transmitting Loop Back Messages

    Click Apply. Check the results in the Link Trace cache (see "Displaying the Link Trace Cache"). Figure 303: Transmitting Link Trace Messages. Transmitting Loopback Messages: Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs).
  • Page 514: MA Index – MA identifier. (Range: 1-2147483647) Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191) Target MEP ID – The identifier of a remote MEP that is the target of a loopback message.
  • Page 515: Transmitting Delay-Measure Requests

    Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association. CLI References: "ethernet cfm delay-measure two-way" on page 1316. Command Usage: Delay measurement can be used to measure frame delay and frame...
  • Page 516 | Basic Administration Protocols HAPTER Connectivity Fault Management Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5) Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes;...
  • Page 517: Displaying Local Meps

    | Basic Administration Protocols HAPTER Connectivity Fault Management Use the Administration > CFM > Show Information (Show Local MEP) page ISPLAYING OCAL to show information for the MEPs configured on this device. CLI R EFERENCES "show ethernet cfm maintenance-points local" on page 1293 ARAMETERS These parameters are displayed: MEP ID –...
  • Page 518: Displaying Details For Local Meps

    | Basic Administration Protocols HAPTER Connectivity Fault Management Use the Administration > CFM > Show Information (Show Local MEP ISPLAYING ETAILS Details) page to show detailed CFM information about a local MEP in the OCAL continuity check database. CLI R EFERENCES "show ethernet cfm maintenance-points local detail mep"...
  • Page 519 | Basic Administration Protocols HAPTER Connectivity Fault Management Suppress Alarm – Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions. Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.
  • Page 520: Displaying Local Mips

    | Basic Administration Protocols HAPTER Connectivity Fault Management Use the Administration > CFM > Show Information (Show Local MIP) page ISPLAYING OCAL to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".) CLI R...
  • Page 521: Displaying Remote Meps

    | Basic Administration Protocols HAPTER Connectivity Fault Management Use the Administration > CFM > Show Information (Show Remote MEP) ISPLAYING EMOTE page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
  • Page 522: Displaying Details For Remote Meps

    | Basic Administration Protocols HAPTER Connectivity Fault Management Use the Administration > CFM > Show Information (Show Remote MEP ISPLAYING ETAILS Details) page to show detailed information for MEPs located on other EMOTE devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
  • Page 523 | Basic Administration Protocols HAPTER Connectivity Fault Management Down – The interface cannot pass packets. Testing – The interface is in some test mode. Unknown – The interface status cannot be determined for some reason. Dormant – The interface is not in a state to pass packets but is in a pending state, waiting for some external event.
  • Page 524: Displaying The Link Trace Cache

    | Basic Administration Protocols HAPTER Connectivity Fault Management Use the Administration > CFM > Show Information (Show Link Trace ISPLAYING THE Cache) page to show information about link trace operations launched from RACE ACHE this device. CLI R EFERENCES "show ethernet cfm linktrace-cache" on page 1310 "clear ethernet cfm linktrace-cache"...
  • Page 525: Displaying Fault Notification Settings

    | Basic Administration Protocols HAPTER Connectivity Fault Management EgrVid – The Egress Port can be identified, but the bridge port is not in the LTM’s VID member set, and was therefore filtered by egress filtering. Reply – Reply action: FDB – Target address found in forwarding database. MPDB –...
  • Page 526: Displaying Continuity Check Errors

    | Basic Administration Protocols HAPTER Connectivity Fault Management Alarm Time – The time a defect must exist before a fault alarm is issued Reset Time – The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued NTERFACE To show configuration settings for the fault notification generator: Click Administration, CFM.
  • Page 527 | Basic Administration Protocols HAPTER Connectivity Fault Management and some other MA y, at a higher maintenance level, and associated with at least one of the VID(s) also in MA x, does have a MEP configured on the bridge port. VIDS –...
  • Page 528: OAM Configuration

    | Chapter: Basic Administration Protocols – OAM Configuration. The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying remote device information.
  • Page 529 | Table 35: OAM Operation State (continued) – State / Description: Operational – When the local OAM entity learns that both it and the remote OAM entity have accepted the peering, the state moves to this state. Non Oper Half Duplex – This state is returned whenever Ethernet OAM is enabled but the interface is in half-duplex operation.
  • Page 530: Displaying Statistics For OAM Messages

    | Window Size – The period of time in which to check the reporting threshold for errored frame link events. (Range: 10-65535 in units of 10 milliseconds; Default: 10 units of 10 milliseconds, or the equivalent of 1 second) Threshold Count –...
  • Page 531: Displaying The OAM Event Log

    | OAMPDU – Message types transmitted and received by the OAM protocol, including Information OAMPDUs, unique Event OAMPDUs, Loopback Control OAMPDUs, and Organization Specific OAMPDUs. Web Interface – To display statistics for OAM messages: Click Administration, OAM, Counters. Figure 315: Displaying Statistics for OAM Messages. Use the Administration >...
  • Page 532: Displaying The Status Of Remote Interfaces

    | Web Interface – To display link events for the selected port: Click Administration, OAM, Event Log. Select a port from the drop-down list. Figure 316: Displaying the OAM Event Log. Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
  • Page 533: Configuring A Remote Loop Back Test

    | ...not support the unidirectional function, but can parse error messages sent from a peer with unidirectional capability. Link Monitor – Shows if the OAM entity can send and receive Event Notification OAMPDUs. MIB Variable Retrieval – Shows if the OAM entity can send and receive Variable Request and Response OAMPDUs.
  • Page 534: Table 36: Remote Loopback Status

    | To perform a loopback test, first enable Remote Loop Back Mode, click Test, and then click End. The number of packets transmitted and received will be displayed. Parameters – These parameters are displayed: Loopback Mode of Remote Device Port –...
  • Page 535: Displaying Results Of Remote Loop Back Testing

    | Packets Received – The number of loop back frames received during the last loopback test on this interface. Loss Rate – The percentage of packets for which there was no response. Web Interface – To initiate a loop back test to the peer device attached to the selected port: Click Administration, OAM, Remote Loop Back.
  • Page 536 | Packets Received – The number of loop back frames received during the last loop back test on this interface. Loss Rate – The percentage of packets transmitted for which there was no response. Web Interface – To display the results of remote loop back testing for each port for which this information is available:...
  • Page 537: Multicast Filtering

    | This chapter describes how to configure the following multicast services: IGMP – Configures snooping and query parameters. Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. Multicast VLAN Registration for IPv4 –...
  • Page 538: Layer 2 IGMP (Snooping And Query)

    | Chapter: Multicast Filtering – Layer 2 IGMP (Snooping and Query). This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router.
  • Page 539 | Only IGMPv3 hosts can request service from a specific multicast source. When downstream hosts request service from a specific source for a multicast service, these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources.
  • Page 540: Configuring IGMP Snooping And Query Parameters

    | The only deviation from TR-101 is that the marking of IGMP traffic initiated by the switch with priority bits as defined in R-250 is not supported. Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently.
  • Page 541 | When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting.
  • Page 542 | TCN Query Solicit – Sends out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. (Default: Disabled) When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation).
  • Page 543 | This command only applies when proxy reporting is enabled. Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535; Recommended Range: 300-500 seconds; Default: 300) IGMP Snooping Version –...
  • Page 544: Specifying Static Interfaces For A Multicast Router

    | Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 545 | Figure 322: Configuring a Static Interface for a Multicast Router. To show the static interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 546: Assigning Interfaces To Multicast Services

    | Figure 324: Showing Current Interfaces Attached to a Multicast Router. Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface...
  • Page 547 | Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an IGMP-enabled switch or multicast router), and enter the multicast IP address. Click Apply.
  • Page 548: Setting IGMP Snooping Status Per Interface

    | Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters"...
  • Page 549 | Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when: Multicast forwarding is disabled on an interface. An interface is administratively disabled.
  • Page 550 | If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
  • Page 551 | ...in report and leave messages sent upstream from the multicast router port. Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports.
  • Page 552 | Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 553: Filtering IGMP Query Packets And Multicast Data

    | To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface. Select Show VLAN Information from the Action list. Figure 328: Showing Interface Settings for IGMP Snooping. Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets.
  • Page 554: Displaying Multicast Groups Discovered By IGMP Snooping

    | Figure 329: Dropping IGMP Query or Multicast Data Packets. Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping...
  • Page 555: Displaying IGMP Snooping Statistics

    | Web Interface – To show multicast groups learned through IGMP snooping: Click Multicast, IGMP Snooping, Forwarding Entry. Select the VLAN for which to display this information. Figure 330: Showing Multicast Groups Learned by IGMP Snooping. Use the Multicast >...
  • Page 556 | Specific Query Received – The number of specific queries received on this interface. Specific Query Sent – The number of specific queries sent from this interface. Number of Reports Sent – The number of reports sent from this interface.
  • Page 557 | Web Interface – To display statistics for IGMP snooping query-related messages: Click Multicast, IGMP Snooping, Statistics. Select Show Query Statistics from the Action list. Select a VLAN. Figure 331: Displaying IGMP Snooping Statistics – Query. To display IGMP snooping protocol-related statistics for a VLAN: Click Multicast, IGMP Snooping, Statistics.
  • Page 558 | Figure 332: Displaying IGMP Snooping Statistics – VLAN. To display IGMP snooping protocol-related statistics for a port: Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port.
  • Page 559: Filtering And Throttling IGMP Groups

    | Chapter: Multicast Filtering – Filtering and Throttling IGMP Groups. In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 560: Configuring IGMP Filter Profiles

    | Figure 334: Enabling IGMP Filtering and Throttling. Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
  • Page 561 | Web Interface – To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode. Click Apply.
  • Page 562: Configuring IGMP Filtering And Throttling For Interfaces

    | Click Apply. Figure 337: Adding Multicast Groups to an IGMP Filtering Profile. To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Show Multicast Group Range from the Action list.
  • Page 563 | ...removes an existing group and replaces it with the new multicast group. Parameters – These parameters are displayed: Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
  • Page 564: Multicast VLAN Registration For IPv4

    | Chapter: Multicast Filtering – Multicast VLAN Registration for IPv4. Figure 339: Configuring IGMP Filtering and Throttling Interface Settings. Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
  • Page 565: Configuring MVR Global Settings

    | Command Usage – General Configuration Guidelines for MVR: Enable MVR for a domain on the switch, and select the MVR VLAN (see "Configuring MVR Domain Settings" on page 575). Create an MVR profile by specifying the multicast groups that will stream traffic to attached hosts, and assign the profile to an MVR domain (see "Configuring MVR Group Address Profiles"...
  • Page 566 | When the source port receives report and leave messages, it only forwards them to other source ports. When receiver ports receive any query messages, they are dropped. When changes occurring in the downstream MVR groups are learned by the receiver ports through report and leave messages, an MVR state change report is created and sent to the upstream source port, which in turn forwards this information upstream.
  • Page 567: Configuring MVR Domain Settings

    | ...forwarded to any attached client. Note that the requested streams are still restricted to the address range which has been specified in a profile and bound to a domain. Web Interface – To configure global settings for MVR: Click Multicast, MVR.
  • Page 568 | MVR Running Status – Indicates whether or not all necessary conditions in the MVR environment are satisfied. Running status is Active as long as MVR is enabled, the specified MVR VLAN exists, and a source port with a valid link has been configured (see "Configuring MVR Interface Status"...
  • Page 569: Configuring MVR Group Address Profiles

    | Use the Multicast > MVR (Configure Profile and Associate Profile) pages to assign the multicast group address for required services to one or more MVR domains. CLI References – "MVR for IPv4"...
  • Page 570 | Web Interface – To configure an MVR group address profile: Click Multicast, MVR. Select Configure Profile from the Step list. Select Add from the Action list. Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts.
  • Page 571 | To assign an MVR group address profile to a domain: Click Multicast, MVR. Select Associate Profile from the Step list. Select Add from the Action list. Select a domain from the scroll-down list, and enter the name of a group profile.
  • Page 572: Configuring MVR Interface Status

    | Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
  • Page 573 | Type – The following interface types are supported: Source – An uplink port that can send and receive multicast data for the groups assigned to the MVR VLAN. Note that the source port must be manually configured as a member of the MVR VLAN (see "Adding Static Members to VLANs"...
  • Page 574 | Figure 347: Configuring Interface Settings for MVR. Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
  • Page 575 | Web Interface – To assign a static MVR group to an interface: Click Multicast, MVR. Select Configure Static Group Member from the Step list. Select Add from the Action list. Select an MVR domain. Select a VLAN and interface to receive the multicast stream, and then enter the multicast group address.
  • Page 576: Displaying MVR Receiver Groups

    | Figure 349: Showing the Static MVR Groups Assigned to a Port. Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
  • Page 577: Displaying MVR Statistics

    | Figure 350: Displaying MVR Receiver Groups. Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface. CLI References – "show mvr statistics" on page 1231. Parameters – These parameters are displayed: Domain ID –...
  • Page 578 | Number of Reports Sent – The number of reports sent from this interface. Number of Leaves Sent – The number of leaves sent from this interface. VLAN, Port, and Trunk Statistics – Input Statistics: Report –...
  • Page 579 | Web Interface – To display statistics for MVR query-related messages: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Query Statistics from the Action list. Select an MVR domain. Figure 351: Displaying MVR Statistics – Query –...
  • Page 580 | To display MVR protocol-related statistics for a VLAN: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR domain. Select a VLAN. Figure 352: Displaying MVR Statistics –...
  • Page 581 | Chapter: Multicast Filtering – Multicast VLAN Registration for IPv6. Figure 353: Displaying MVR Statistics – Port. MVR6 functions in a manner similar to that described for MVR (see "Multicast VLAN Registration for IPv4" on page 572).
  • Page 582: Multicast VLAN Registration For IPv6

    | Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable. CLI References – "MVR for IPv6" on page 1234. Parameters – These parameters are displayed: Proxy Switching –...
  • Page 583 | Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds) This parameter sets the general query interval at which active receiver ports send out general queries.
  • Page 584 | Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider. CLI References – "MVR for IPv6"...
  • Page 585 | Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
  • Page 586 | Parameters – These parameters are displayed: Configure Profile – Profile Name – The name of a profile containing one or more MVR6 group addresses. (Range: 1-21 characters) Start IPv6 Address – Starting IP address for an MVR6 multicast group.
  • Page 587 | To show the configured MVR6 group address profiles: Click Multicast, MVR6. Select Configure Profile from the Step list. Select Show from the Action list. Figure 357: Displaying MVR6 Group Address Profiles. To assign an MVR6 group address profile to a domain: Click Multicast, MVR6.
  • Page 588 | Figure 359: Showing MVR6 Group Address Profiles Assigned to a Domain. Use the Multicast > MVR6 (Configure Interface) page to configure each interface that participates in the MVR6 protocol as a source port or receiver port.
  • Page 589 | ...disrupting services to other group members attached to the same interface. Immediate leave does not apply to multicast groups which have been statically assigned to a port. Parameters – These parameters are displayed: Domain ID –...
  • Page 590: Assigning Static MVR6 Multicast Groups To Interfaces

    | Set each port that will participate in the MVR6 protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached. Click Apply.
  • Page 591 | Web Interface – To assign a static MVR6 group to an interface: Click Multicast, MVR6. Select Configure Static Group Member from the Step list. Select Add from the Action list. Select an MVR6 domain. Select a VLAN and interface to receive the multicast stream, and then enter the multicast group address.
  • Page 592 | Use the Multicast > MVR6 (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR6 receiver groups on each interface. CLI References – "show mvr6 members"...
  • Page 593 | Use the Multicast > MVR6 > Show Statistics pages to display MVR6 protocol-related statistics for the specified interface. CLI References – "show mvr6 statistics" on page 1248. Parameters – These parameters are displayed: Domain ID –...
  • Page 594 | Drop – The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR6 group report received. Join Success –...
  • Page 595 | To display MVR6 protocol-related statistics for a VLAN: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR6 domain. Select a VLAN. Figure 365: Displaying MVR6 Statistics –...
  • Page 596 | Figure 366: Displaying MVR6 Statistics – Port...
  • Page 597: IP Configuration

    IP Configuration. This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server.
  • Page 598 | IP Configuration | Setting the Switch’s IP Address (IP Version 4): To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 655) or use dynamic routing; i.e., RIP (page 660). The precedence for configuring IP interfaces is the IP >...
  • Page 599 | Web Interface: To set a static address for the switch: Click IP, General, Routing Interface. Select Add Address from the Action list. Select any configured VLAN, set IP Address Mode to “Static,” set IP Address Type to “Primary”...
  • Page 600 | Figure 368: Configuring a Dynamic IPv4 Address. The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter “show ip interface”...
  • Page 601: Setting the Switch's IP Address (IP Version 6)

    IP Configuration | Setting the Switch’s IP Address (IP Version 6). Figure 369: Showing the Configured IP Address for an Interface. Setting the Switch’s IP Address (IP Version 6): This section describes how to configure an initial IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
  • Page 602 | If a routing protocol is enabled (page 659), you can still define a static route (page 655) to ensure that traffic to the designated address or subnet passes through a preferred gateway. An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
  • Page 603: Configuring an IPv6 Address

    ...enabled. In this case, you must manually configure an address (see "Configuring an IPv6 Address" on page 615). IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks. IPv6 nodes on the same network segment use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.
  • Page 604 | ...to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not otherwise well known. IPv6 routers do not fragment IPv6 packets forwarded from other routers.
  • Page 605 | ...reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations. When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself. ND Reachable-Time –...
  • Page 606 | RA Guard – Blocks incoming Router Advertisement and Router Redirect packets. (Default: Disabled) IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network. This information may include the default router address taken from the observed source address of the RA message, as well as on-link prefix information.
  • Page 607 | To configure RA Guard for the switch: Click IP, IPv6 Configuration. Select Configure Interface from the Action list. Select RA Guard mode. Enable RA Guard for untrusted interfaces. Click Apply.
  • Page 608 | To connect to a larger network with multiple subnets, you must configure a global unicast address. There are several alternatives to configuring this address type: It can be manually configured by specifying the entire network prefix and prefix length, and using the EUI-64 form of the interface identifier to automatically create the low-order 64 bits in the host portion of the address.
  • Page 609 | ...length exceeds 64 bits, then the bits used in the network portion of the address will take precedence over the interface identifier. IPv6 addresses are 16 bytes long, of which the bottom 8 bytes typically form a unique host identifier based on the device’s MAC address.
  • Page 610 | Figure 373: Configuring an IPv6 Address. Showing IPv6 Addresses: Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI References: "show ipv6 interface"...
  • Page 611: Table 37: Show IPv6 Neighbors - Display Description

    Note that the solicited-node multicast address (link-local scope FF02) is used to resolve the MAC addresses for neighbor nodes, since IPv6 does not support the broadcast method used by the Address Resolution Protocol in IPv4.
  • Page 612 | Table 37: Show IPv6 Neighbors - display description (Continued). Field / Description: State – The following states are used for dynamic entries: Incomplete - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
  • Page 613: Table 38: Show IPv6 Statistics - Display Description

    Showing IPv6 Statistics: Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI References: "show ipv6 traffic" on page 1373. Command Usage: This switch provides statistics for the following traffic types:...
  • Page 614 | Table 38: Show IPv6 Statistics - display description (Continued). Field / Description: Address Errors – The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 615 | Table 38: Show IPv6 Statistics - display description (Continued). Field / Description: Generated Fragments – The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded – The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 616 | Table 38: Show IPv6 Statistics - display description (Continued). Field / Description: Destination Unreachable Messages – The number of ICMP Destination Unreachable messages sent by the interface. Packet Too Big Messages – The number of ICMP Packet Too Big messages sent by the interface.
  • Page 617 | Figure 376: Showing IPv6 Statistics (IPv6). Figure 377: Showing IPv6 Statistics (ICMPv6)...
  • Page 618: Showing the MTU for Responding Destinations

    Figure 378: Showing IPv6 Statistics (UDP). Showing the MTU for Responding Destinations: Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 619: IP Services

    IP Services. This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping, which is included in this folder, see "DHCP Snooping" on page 396. This chapter provides information on the following IP services, including: –...
  • Page 620: Domain Name Service

    IP Services | Domain Name Service. Parameters: These parameters are displayed: Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 621: Configuring a List of Name Servers

    ...through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers" on page 630).
  • Page 622 | Configuring a List of Name Servers: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI References: "ip name-server" on page 1333, "show dns"...
  • Page 623: Configuring Static DNS Host to Address Entries

    Figure 384: Showing the List of Name Servers for DNS. Configuring Static DNS Host to Address Entries: Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
  • Page 624: Displaying the DNS Cache

    Figure 385: Configuring Static Entries in the DNS Table. To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 386: Showing Static Entries in the DNS Table. Use the IP Service >...
  • Page 625: Dynamic Host Configuration Protocol

    IP Services | Dynamic Host Configuration Protocol. Type – This field includes CNAME, which specifies the host address for the owner, and ALIAS, which specifies an alias. IP – The IP address associated with this record. TTL – The time to live reported by the name server. Host –...
  • Page 626: Table 40: Options 60, 66 and 67 Statements

    Vendor Class ID – The following options are supported when the check box is marked to enable this feature: Default – The default string is DG-GS4528SE, DG-GS4528FSE. Text – A text string. (Range: 1-32 characters) Hex – A hexadecimal value. (Range: 1-64 characters)
  • Page 627: Configuring DHCP Relay Service

    Web Interface: To configure a DHCP client identifier: Click IP Service, DHCP, Client. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
  • Page 628: Configuring the PPPoE Intermediate Agent

    IP Services | Configuring the PPPoE Intermediate Agent. DHCP relay configuration will be disabled if an active DHCP server is detected on the same network segment. Parameters: These parameters are displayed: VLAN ID – ID of configured VLAN. Server IP Address – Addresses of DHCP servers to be used by the switch’s DHCP relay agent, in order of preference.
  • Page 629 | Command Usage: When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS). The switch extracts access-loop information from the client’s PPPoE Active Discovery Request, and forwards this information to all trusted ports (designated on the Configure Interface page).
  • Page 630: Configuring PPPoE IA Interface Settings

    Figure 391: Configuring Global Settings for PPPoE Intermediate Agent. Configuring PPPoE IA Interface Settings: Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
  • Page 631 | The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server.
  • Page 632: Showing PPPoE IA Statistics

    Showing PPPoE IA Statistics: Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages. CLI References: "show pppoe intermediate-agent statistics" on page 873. Parameters: These parameters are displayed: Interface –...
  • Page 633 | Figure 393: Showing PPPoE Intermediate Agent Statistics...
  • Page 634: General IP Routing

    General IP Routing. This chapter provides information on network functions including: Ping – Sends ping message to another node on the network. Trace – Sends ICMP echo request packets to another node on the network. Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses.
  • Page 635: IP Routing and Switching

    General IP Routing | IP Routing and Switching. Figure 394: Virtual Interfaces and Layer 3 Routing (figure labels: inter-subnet traffic is routed between VLAN 1 and VLAN 2 interfaces, Layer 3 switching, with tagged or untagged ports on each VLAN; intra-subnet traffic is Layer 2 switching). IP Routing and...
  • Page 636: Routing Path Management

    ...broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
  • Page 637: Routing Protocols

    General IP Routing | Configuring IP Routing Interfaces. Routing Protocols: The switch supports both static and dynamic routing. Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
  • Page 638: Using the Ping Function

    If the switch is configured to advertise itself as the default gateway, a routing protocol must still be used to determine the next hop router for any unknown destinations, i.e., packets that do not match any routing table entry.
  • Page 639: Using the Trace Route Function

    ...the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface. Web Interface: To ping another device on the network: Click IP, General, Ping. Specify the target device and ping parameters. Click Apply.
  • Page 640: Address Resolution Protocol

    General IP Routing | Address Resolution Protocol. ...return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message. Not all devices respond correctly to probes by returning an “ICMP port unreachable”...
  • Page 641: Basic ARP Configuration

    ...address corresponding to the destination IP address in the ARP cache. If the address is found, the router writes the MAC address into the appropriate field in the frame header, and forwards the frame on to the next hop.
  • Page 642 | Figure 397: Proxy ARP (figure labels: proxy ARP request; no routing, no default gateway; remote server). Parameters: These parameters are displayed: Timeout – Sets the aging time for dynamic entries in the ARP cache. (Range: 300 - 86400 seconds;...
  • Page 643: Configuring Static ARP Addresses

    Figure 398: Configuring General Settings for ARP. Configuring Static ARP Addresses: For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address.
  • Page 644 | Web Interface: To map an IP address to the corresponding physical address in the ARP cache using the web interface: Click IP, ARP. Select Configure Static Address from the Step List. Select Add from the Action List. Enter the IP address and the corresponding MAC address.
  • Page 645: Displaying ARP Statistics

    CLI References: "show arp" on page 1359. Web Interface: To display all dynamic entries in the ARP cache: Click IP, ARP. Select Show Information from the Step List. Click Dynamic Address. Figure 401: Displaying Dynamic ARP Entries. To display all local entries in the ARP cache: Click IP, ARP.
  • Page 646: Configuring Static Routes

    General IP Routing | Configuring Static Routes. These parameters are displayed: Table 43: ARP Statistics (Parameter / Description): Received Request – Number of ARP Request packets received by the router. Received Reply – Number of ARP Reply packets received by the router. Sent Request – Number of ARP Request packets sent by the router.
  • Page 647 | If an administrative distance is defined for a static route, and the same destination can be reached through a dynamic route at a lower administrative distance, then the dynamic route will be used. If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
  • Page 648: Displaying the Routing Table

    To display static routes: Click IP, Routing, Static Routes. Select Show from the Action List. Figure 405: Displaying Static Routes. Displaying the Routing Table: Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
  • Page 649 | ...to directly reach the next hop, so the VLAN interface associated with any dynamic or static route entry must be up. Note that routes currently not accessible for forwarding may still be displayed by using the show ip route database command.
  • Page 650: Unicast Routing

    Unicast Routing. This chapter describes how to configure the following unicast routing protocols: RIP – Configures Routing Information Protocol. Overview: This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP). It supports RIP and RIP-2 dynamic routing.
  • Page 651: Configuring the Routing Information Protocol

    Unicast Routing | Configuring the Routing Information Protocol. Configuring the Routing Information Protocol: The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost.
  • Page 652: Configuring General Protocol Settings

    Configuring General Protocol Settings: Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers. RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table...
  • Page 653 | RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols. (Range: 1-15; Default: 1) The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
  • Page 654 | Basic Timer Settings: The timers must be set to the same values for all routers in the network. Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes.
  • Page 655: Clearing Entries from the Routing Table

    Figure 408: Configuring General Settings for RIP. Clearing Entries from the Routing Table: Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.
  • Page 656 | Clear Route By Network – Clears a specific route based on its IP address and prefix length. Network IP Address – Deletes all related entries for the specified network address. Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
  • Page 657 | Parameters: These parameters are displayed: By Address – Adds a network to the RIP routing process. Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified) Prefix Length –...
  • Page 658: Specifying Passive Interfaces

    Figure 411: Showing Network Interfaces Using RIP. Specifying Passive Interfaces: Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface. CLI References:...
  • Page 659: Specifying Static Neighbors

    Figure 412: Specifying a Passive RIP Interface. To show the passive RIP interfaces: Click Routing Protocol, RIP, Passive Interface. Select Show from the Action list. Figure 413: Showing Passive RIP Interfaces. Use the Routing Protocol >...
  • Page 660: Configuring Route Redistribution

    Add the address of any static neighbors which may not be readily discovered through RIP. Click Apply. Figure 414: Specifying a Static RIP Neighbor. To show static RIP neighbors: Click Routing Protocol, RIP, Neighbor Address. Select Show from the Action list.
  • Page 661 | Metric – Metric assigned to all external routes for the specified protocol. (Range: 0-16; Default: the default metric as described under "Configuring General Protocol Settings" on page 661.) A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
  • Page 662: Specifying an Administrative Distance

    Figure 417: Showing External Routes Redistributed into RIP. Specifying an Administrative Distance: Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
  • Page 663 | Web Interface: To define an administrative distance for external routes learned from other routing protocols: Click Routing Protocol, RIP, Distance. Select Add from the Action list. Enter the distance, the external route, and optionally enter the name of an ACL to filter networks according to the IP address of the router supplying the routing information.
  • Page 664: Configuring Network Interfaces for RIP

    Configuring Network Interfaces for RIP: Use the Routing Protocol > RIP > Distance (Add) page to configure the send/receive version, authentication settings, and the loopback prevention method for each interface that participates in the RIP routing process. CLI References:...
  • Page 665 | ...unwanted protocol messages can be easily propagated throughout the network if no authentication is required. RIPv2 supports authentication using a simple password or MD5 key encryption. When a router is configured to exchange authentication messages, it will insert the password into all transmitted protocol packets, and check all received packets to ensure that they contain the authorized password.
  • Page 666 | Do Not Receive: Does not accept incoming RIP packets. This option does not add any dynamic entries to the routing table for an interface. The default depends on the setting for the Global RIP Version. (See "Configuring General Protocol Settings"...
  • Page 667 | Web Interface: To configure network interface settings for RIP: Click Routing Protocol, RIP, Interface. Select Add from the Action list. Select a Layer 3 VLAN interface to participate in RIP. Select the RIP protocol message types that will be received and sent.
  • Page 668: Displaying RIP Interface Settings

    Displaying RIP Interface Settings: Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings. CLI References: "show ip rip" on page 1410. Parameters: These parameters are displayed: Interface –...
  • Page 669: Resetting RIP Statistics

    Update Time – Last time a route update was received from this peer. Version – Shows whether RIPv1 or RIPv2 packets were received from this peer. Rcv Bad Packets – Number of bad RIP packets received from this peer.
  • Page 670: Command Line Interface

    Section: Command Line Interface. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: "Using the Command Line Interface" on page 681; "General Commands" on page 695; "System Management Commands"...
  • Page 671 | Section | Command Line Interface: "Spanning Tree Commands" on page 1041; "ERPS Commands" on page 1069; "VLAN Commands" on page 1101; "Class of Service Commands" on page 1149; "Quality of Service Commands" on page 1163; "Multicast Filtering Commands" on page 1183; "LLDP Commands"...
  • Page 672: Using the Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification / Username: admin / Password: / CLI session with the DG-GS4528SE is opened. To end the CLI session, enter [Exit]. / Console#
  • Page 673: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin / Password: / CLI session with the DG-GS4528SE is opened. To end the CLI session, enter [Exit]. / Vty-0#
  • Page 674: Entering Commands

    Using the Command Line Interface | Entering Commands. You can open up to eight sessions to the device via Telnet or SSH. Entering Commands: This section describes how to enter CLI commands. Keywords and Arguments: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 675: Getting Help on Commands

    Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands: If you enter a “?”...
  • Page 676 | ...pppoe – Displays PPPoE configuration; privilege – Shows current privilege level; process – Device process; protocol-vlan – Protocol-VLAN information; public-key – Public key information; Quality of Service; queue – Priority queue information; radius-server – RADIUS server information; reload – Shows the reload settings; rmon – Remote Monitoring Protocol...
  • Page 677: Partial Keyword Lookup

    Partial Keyword Lookup: If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example, “s?” shows all the keywords starting with “s.”...
  • Page 678: Exec Commands

    ...“super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin / Password: [admin login password] / CLI session with the DG-GS4528SE is opened. To end the CLI session, enter [Exit]. / Console# — Username: guest / Password: [guest login password] / CLI session with the DG-GS4528SE is opened.
  • Page 679: Configuration Commands

    | Using the Command Line Interface HAPTER Entering Commands Configuration commands are privileged level commands used to modify ONFIGURATION switch settings. These commands modify the running configuration only OMMANDS and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
  • Page 680: Table 45: Configuration Command Modes

    | Using the Command Line Interface HAPTER Entering Commands To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the...
  • Page 681: Command Line Processing

    | Using the Command Line Interface HAPTER Entering Commands Commands are not case sensitive. You can abbreviate commands and OMMAND parameters as long as they contain enough letters to differentiate them ROCESSING from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 682: Cli Command Groups

    | Using the Command Line Interface HAPTER CLI Command Groups VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static Console# CLI C OMMAND ROUPS The system commands can be broken down into the functional groups shown below Table 47: Command Group Index Command Group Description Page...
  • Page 683 | Using the Command Line Interface HAPTER CLI Command Groups Table 47: Command Group Index (Continued) Command Group Description Page Loopback Detection Detects general loopback conditions caused by hardware 1023 problems or faulty protocol settings UniDirectional Link Detect and disables unidirectional links 1029 Detection Address Table...
  • Page 684 | Using the Command Line Interface HAPTER CLI Command Groups PE (Privileged Exec) PM (Policy Map Configuration) RC (Router Configuration) VC (VLAN Database Configuration) – 693 –...
  • Page 685: General Commands

    GENERAL COMMANDS: The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 48: General Commands. Command / Function / Mode: prompt: Customizes the CLI prompt. reload: Restarts the system at a specified time, after a specified delay, or at a periodic interval. enable: Activates privileged mode...
  • Page 686: Reload (Global Configuration)

    | General Commands | EXAMPLE: Console(config)#prompt RD2 RD2(config)# reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 687: Enable

    | General Commands | COMMAND USAGE: This command resets the entire system. Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 688 | General Commands | EXAMPLE: Console>enable Password: [privileged level password] Console# RELATED COMMANDS: disable (700), enable password (812). quit: This command exits the configuration program. DEFAULT SETTING: None. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: The quit and exit commands can both exit the configuration program. EXAMPLE: This example shows how to quit a CLI session: Console#quit...
  • Page 689: Show History

    | General Commands | EXAMPLE: In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 690 | General Commands | disable: This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 691 | General Commands | show reload: This command displays the current reload settings, and the time at which the next scheduled reload will take place. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 692 | General Commands | EXAMPLE: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:...
  • Page 693: Device Designation

    SYSTEM MANAGEMENT COMMANDS: The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 49: System Management Commands. Command Group / Function: Device Designation: Configures information that uniquely identifies this switch. Banner Information: Configures administrative contact, device identification and location...
  • Page 694: Hostname

    | System Management Commands | Banner Information. hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name. SYNTAX: hostname name; no hostname. name - The name of this host. (Maximum length: 255 characters) DEFAULT SETTING: None...
  • Page 695: Banner Configure

    | System Management Commands | Banner Information. Table 51: Banner Commands (Continued). Command / Function / Mode: banner configure manager-info: Configures the Manager contact information that is displayed by banner. banner configure mux: Configures the MUX information that is displayed by banner. banner configure note: Configures miscellaneous information that is displayed by banner under the Notes heading...
  • Page 696 | System Management Commands | Banner Information. Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.1 Note: This is a random note about this managed switch and can contain miscellaneous information.
  • Page 697 | System Management Commands | Banner Information. banner configure dc-power-info: This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. SYNTAX: banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id; no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 698 | System Management Commands | Banner Information. COMMAND MODE: Global Configuration. COMMAND USAGE: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 699 | Banner Information. EXAMPLE: Console(config)#banner configure equipment-info manufacturer-id DG-GS4528SE floor 3 row 10 rack 15 shelf-rack 12 manufacturer DIGISOL Console(config)# banner configure: This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 700 | System Management Commands | Banner Information. COMMAND MODE: Global Configuration. COMMAND USAGE: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 701: Banner Configure Manager-Info

    | System Management Commands | Banner Information. banner configure manager-info: This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. SYNTAX: banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]; no banner configure manager-info [name1 | name2 | name3]...
  • Page 702: Banner Configure Note

    | System Management Commands | Banner Information. DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 703: System Status

    R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis DG-GS4528SE Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 704 | System Management Commands | System Status. Table 52: System Status Commands (Continued). Command / Function / Mode: show watchdog: Shows if watchdog debugging is enabled. watchdog software: Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly. show access-list tcam-...: This command shows utilization parameters for TCAM (Ternary Content...
  • Page 705 | System Management Commands | System Status. Alarm Configuration Rising Threshold : 90% Falling Threshold : 70% Console# RELATED COMMANDS: memory (791). show process cpu: This command shows the CPU utilization parameters, alarm status, and alarm configuration. COMMAND MODE: Normal Exec, Privileged Exec. EXAMPLE: Console#show process cpu CPU Utilization in the past 5 seconds : 18%...
  • Page 706: Interface Settings

    VLAN 1 name DefaultVlan media ethernet state active spanning-tree mst configuration interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 switchport allowed vlan add 4093 tagged interface vlan 1 ip address dhcp ip dhcp client class-id text DIGISOL...
  • Page 707: Show Running-Config

    | System Management Commands | System Status. line console line vty Console# RELATED COMMANDS: show startup-config (717). show startup-config: This command displays the configuration file stored in non-volatile memory that is used to start up the system. COMMAND MODE: Privileged Exec. COMMAND USAGE: Use this command in conjunction with the show running-config...
  • Page 708 No information will be displayed under POST Result, unless there is a problem with the unit. If any POST test indicates “FAIL,” contact your distributor for assistance. EXAMPLE: Console#show system System Description : DG-GS4528SE System OID String : 1.3.6.1.4.1.36293.1.1.1.26 System Information System Up Time : 0 days, 8 hours, 13 minutes, and 38.59 seconds...
  • Page 709: Show System

    | System Management Commands | System Status. EXAMPLE: Console#show tech-support show system: System Description : DG-GS4528SE System OID String : 1.3.6.1.4.1.36293.1.1.1.26 System Information System Up Time : 0 days, 0 hours, 52 minutes, and 2.21 seconds System Name System Location...
  • Page 710 | System Management Commands | System Status. show version: This command displays hardware and software version information for the system. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: See "Displaying Hardware/Software Versions" on page 115 for detailed information on the items displayed by this command. EXAMPLE: Console#show version Unit 1...
  • Page 711: Frame Size

    | System Management Commands | Frame Size. COMMAND MODE: Privileged Exec. EXAMPLE: Console#watchdog Console# FRAME SIZE: This section describes commands used to configure the Ethernet frame size on the switch. Table 53: Frame Size Commands. Command / Function / Mode: jumbo frame: Enables support for jumbo frames. jumbo frame: This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports.
  • Page 712: File Management

    | System Management Commands | File Management. EXAMPLE: Console(config)#jumbo frame Console(config)# RELATED COMMANDS: show system (717), show ipv6 mtu (1372). FILE MANAGEMENT: Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 713: Boot System

    | System Management Commands | File Management. Table 54: Flash/File Commands (Continued). Command / Function / Mode: upgrade opcode path: Specifies an FTP/TFTP server and directory in which the new opcode is stored. upgrade opcode reload: Reloads the switch automatically after the opcode upgrade is completed. show upgrade: Shows the opcode upgrade configuration settings.
  • Page 714: Copy

    | System Management Commands | File Management. copy: This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 715 | System Management Commands | File Management. The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate"...
  • Page 716 | System Management Commands | File Management. The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 717: Delete

    | System Management Commands | File Management. delete: This command deletes a file or image. SYNTAX: delete filename. filename - Name of configuration file or code image. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: If the file type is used for system startup, then this file cannot be deleted.
  • Page 718: Whichboot

    | System Management Commands | File Management. COMMAND USAGE: If you enter the command dir without any parameters, the system displays all files. File information is shown below: Table 55: File Directory Information. Column Heading / Description: File Name: The name of the file. File Type: File types: Boot-Rom, Operation Code, and Config file.
  • Page 719: Automatic Code Upgrade Commands

    | System Management Commands | File Management. EXAMPLE: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modify Time Size(bytes) -------------------------------- ------- ------- ------------------- ----------...
  • Page 720: Upgrade Opcode Path

    | System Management Commands | File Management. Any changes made to the default setting can be displayed with the show running-config or show startup-config commands. EXAMPLE: Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup.
  • Page 721: Upgrade Opcode Reload

    | System Management Commands | File Management. When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password@]]192.168.0.1[/filedir]/...
  • Page 722: Tftp Configuration Commands

    | System Management Commands | File Management. show upgrade: This command shows the opcode upgrade configuration settings. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show upgrade Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path File Name : DG-GS4500SE-Series.bix Console# TFTP Configuration Commands: This command specifies the number of times the switch can retry...
  • Page 723: Ip Tftp Timeout

    | System Management Commands | File Management. ip tftp timeout: This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting. SYNTAX: ip tftp timeout seconds; no ip tftp timeout...
  • Page 724: Line

    | System Management Commands | Line. You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 725 | System Management Commands | Line. line: This command identifies a specific line for configuration, and to process subsequent line configuration commands. SYNTAX: line {console | vty}. console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). DEFAULT SETTING: There is no default line.
  • Page 726 | System Management Commands | Line. COMMAND USAGE: The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 727: Login

    | System Management Commands | Line. login: This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. SYNTAX: login [local]; no login. local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 728 | System Management Commands | Line. parity: This command defines the generation of a parity bit. Use the no form to restore the default setting. SYNTAX: parity {none | even | odd}; no parity. none - No parity. even - Even parity. odd - Odd parity. DEFAULT SETTING:...
  • Page 729: Password-Thresh

    | System Management Commands | Line. COMMAND USAGE: When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns...
  • Page 730: Silent-Time

    | System Management Commands | Line. EXAMPLE: To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# RELATED COMMANDS: silent-time (740). silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
  • Page 731: Stopbits

    | System Management Commands | Line. DEFAULT SETTING: 115200 bps. COMMAND MODE: Line Configuration. COMMAND USAGE: Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
  • Page 732: Timeout Login Response

    | System Management Commands | Line. timeout login response: This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. SYNTAX: timeout login response [seconds]; no timeout login response. seconds - Integer that specifies the timeout interval.
  • Page 733 | System Management Commands | Line. EXAMPLE: Console#disconnect 1 Console# RELATED COMMANDS: show ssh (849), show users (719). terminal: This command configures terminal settings, including escape-character, terminal lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting. SYNTAX: terminal {escape-character {ASCII-number | character} | history [size size] | length length | terminal-type {ansi-bbs |...
  • Page 734 | System Management Commands | Line. EXAMPLE: This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line: This command displays the terminal line’s parameters. SYNTAX: show line [console | vty]. console - Console terminal line.
  • Page 735: Event Logging

    | System Management Commands | Event Logging. EVENT LOGGING: This section describes commands used to configure event logging on the switch. Table 57: Event Logging Commands. Command / Function / Mode: logging facility: Sets the facility type for remote logging of syslog messages. logging history: Limits syslog messages saved to switch memory based...
  • Page 736: Logging History

    | System Management Commands | Event Logging. logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. SYNTAX: logging history {flash | ram} level; no logging history {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 737: Logging Host

    | System Management Commands | Event Logging. logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. SYNTAX: [no] logging host host-ip-address [port udp-port]. host-ip-address - The IPv4 or IPv6 address of a syslog server.
  • Page 738: Logging Trap

    | System Management Commands | Event Logging. RELATED COMMANDS: logging history (746), logging trap (748), clear log (748). logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 739: Show Log

    | System Management Commands | Event Logging. COMMAND MODE: Privileged Exec. EXAMPLE: Console#clear log Console# RELATED COMMANDS: show log (749). show log: This command displays the log messages stored in local memory. SYNTAX: show log {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 740: Table 59: Show Logging Flash/Ram - Display Description

    | System Management Commands | Event Logging. show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. SYNTAX: show logging {flash | ram | sendmail | trap}. flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 741: Smtp Alerts

    | System Management Commands | SMTP Alerts. Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Console# Table 60: show logging trap - display description. Field...
  • Page 742: Logging Sendmail

    | System Management Commands | SMTP Alerts. logging sendmail: This command enables SMTP event handling. Use the no form to disable this function. SYNTAX: [no] logging sendmail. DEFAULT SETTING: Enabled. COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#logging sendmail Console(config)# logging sendmail host: This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
  • Page 743: Logging Sendmail Level

    | System Management Commands | SMTP Alerts. EXAMPLE: Console(config)#logging sendmail host 192.168.1.19 Console(config)# logging sendmail level: This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. SYNTAX: logging sendmail level level; no logging sendmail level. level - One of the system message levels (page...
  • Page 744 | System Management Commands | SMTP Alerts. COMMAND MODE: Global Configuration. COMMAND USAGE: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. EXAMPLE: Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail: This command sets the email address used for the “From” field in alert messages.
  • Page 745: Time

    | System Management Commands | Time. SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com SMTP Source E-mail Address: bill@this-company.com SMTP Status: Enabled Console# TIME: The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 746: Sntp Commands

    | System Management Commands | Time. SNTP Commands. sntp client: This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests. SYNTAX: [no] sntp client. DEFAULT...
  • Page 747: Sntp Client

    | System Management Commands | Time. sntp poll: This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. SYNTAX: sntp poll seconds; no sntp poll. seconds - Interval between time requests.
  • Page 748: Show Sntp

    | System Management Commands | Time. EXAMPLE: Console(config)#sntp server 10.1.0.19 Console# RELATED COMMANDS: sntp client (756), sntp poll (757), show sntp (758). show sntp: This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
  • Page 749 | System Management Commands | Time. ...their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client. EXAMPLE: Console(config)#ntp authenticate Console(config)# RELATED COMMANDS: ntp authentication-key (759)
  • Page 750: Ntp Authenticate

    | System Management Commands | Time. EXAMPLE: Console(config)#ntp authentication-key 45 md5 thisiskey45 Console(config)# RELATED COMMANDS: ntp authenticate (758). ntp client: This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.
  • Page 751: Ntp Client

    | System Management Commands | Time. ntp server: This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list. SYNTAX: ntp server ip-address [key key-number]; no ntp server [ip-address]...
  • Page 752: Manual Configuration Commands

    | System Management Commands | Time. show ntp: This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
  • Page 753: Calendar Set

    | System Management Commands | Time. COMMAND USAGE: This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is west (before) or east (after) of UTC.
  • Page 754: Time Range

    | System Management Commands | Time Range. show calendar: This command displays the system clock. DEFAULT SETTING: None. COMMAND MODE: Normal Exec, Privileged Exec. EXAMPLE: Console#show calendar 15:12:34 February 1 2011 Console# TIME RANGE: This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
  • Page 755: Absolute

    | System Management Commands | Time Range. EXAMPLE: Console(config)#time-range r&d Console(config-time-range)# RELATED COMMANDS: Access Control Lists (937). absolute: This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. SYNTAX: absolute start hour minute day month year [end hour minutes day month year]...
  • Page 756 | System Management Commands | Time Range. periodic: This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. SYNTAX: [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend |...
  • Page 757: Show Time-Range

    | System Management Commands | Switch Clustering. show time-range: This command shows configured time ranges. SYNTAX: show time-range [name]. name - Name of the time range. (Range: 1-30 characters) DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show time-range r&d Time-range r&d: absolute start 01:01 01 April 2009 periodic Daily 01:01 to...
  • Page 758: Cluster

    | System Management Commands | Switch Clustering. ...then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
  • Page 759: Cluster Commander

    | System Management Commands | Switch Clustering. EXAMPLE: Console(config)#cluster Console(config)# cluster commander: This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. SYNTAX: [no] cluster commander. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE:...
  • Page 760 | System Management Commands | Switch Clustering. COMMAND USAGE: An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
  • Page 761 There is no need to enter the username and password for access to the Member switch CLI. EXAMPLE: Console#rcommand id 1 CLI session with the DG-GS4528SE is opened. To end the CLI session, enter [Exit]. Vty-0# This command shows the switch clustering configuration.
  • Page 762: Show Cluster Members

    EXAMPLE: Console#show cluster members Cluster Members: Role : Active member IP Address : 10.254.254.2 MAC Address : 00-17-7C-00-00-FE Description : DG-GS4528SE Console# show cluster candidates: This command shows the discovered Candidate switches in the network. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show cluster candidates...
  • Page 763: Snmp-Server

    SNMP COMMANDS: SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 764 | SNMP Commands. Table 65: SNMP Commands (Continued). Command / Function / Mode: Notification Log Commands: Enables the specified notification log. snmp-server notify-filter: Creates a notification log and specifies the target host (GC). show nlm oper-status: Shows operation status of configured notification logs (PE). show snmp notify-filter: Displays the configured notification logs. ATC Trap Commands...
  • Page 765 | SNMP Commands | General SNMP Commands. snmp-server: This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. SYNTAX: [no] snmp-server. DEFAULT SETTING: Enabled. COMMAND MODE:...
  • Page 766: Snmp-Server Location

    | SNMP Commands | General SNMP Commands. EXAMPLE: Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact: This command sets the system contact string. Use the no form to remove the system contact information. SYNTAX: snmp-server contact string; no snmp-server contact. string - String that describes the system contact information. (Maximum length: 255 characters) DEFAULT SETTING:...
  • Page 767: Show Snmp

    | SNMP Commands | General SNMP Commands. EXAMPLE: Console(config)#snmp-server location WC-19 Console(config)# RELATED COMMANDS: snmp-server contact (776). show snmp: This command can be used to check the status of SNMP communications. DEFAULT SETTING: None. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: This command provides information on the community access strings, counters for SNMP input and output protocol data units, and whether or not...
  • Page 768: Snmp Target Host Commands

    | SNMP Commands | SNMP Target Host Commands. snmp-server enable traps: This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. SYNTAX: [no] snmp-server enable traps [authentication | link-up-down | ethernet cfm]...
  • Page 769 | SNMP Commands | SNMP Target Host Commands. snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. SYNTAX: snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv}} [udp-port port]]; no snmp-server host host-addr...
  • Page 770 | SNMP Commands HAPTER SNMP Target Host Commands you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host. The snmp-server host command is used in conjunction with the snmp-server enable traps command.
  • Page 771: Snmp-Server Enable Traps

    | SNMP Commands HAPTER SNMPv3 Commands command using the name of the specified community string, and default settings for the read, write, and notify view. XAMPLE Console(config)#snmp-server host 10.1.19.23 batman Console(config)# ELATED OMMANDS snmp-server enable traps (778) SNMPv3 Commands This command configures an identification string for the SNMPv3 engine. snmp-server engine-id Use the no form to restore the default.
  • Page 772: Snmp-Server Group

    | SNMP Commands HAPTER SNMPv3 Commands Trailing zeroes need not be entered to uniquely specify a engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID. A local engine ID is automatically generated that is unique to the switch.
  • Page 773: Snmp-Server User

    | SNMP Commands HAPTER SNMPv3 Commands OMMAND SAGE A group sets the access policy for the assigned users. When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. When privacy is selected, the DES 56-bit algorithm is used for data encryption.
  • Page 774 | SNMP Commands HAPTER SNMPv3 Commands EFAULT ETTING None OMMAND Global Configuration OMMAND SAGE Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
  • Page 775: Snmp-Server View

    | SNMP Commands HAPTER SNMPv3 Commands This command adds an SNMP view which controls user access to the MIB. snmp-server view Use the no form to remove an SNMP view. YNTAX snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name view-name - Name of an SNMP view.
  • Page 776: Table 66: Show Snmp Engine-Id - Display Description

    | SNMP Commands HAPTER SNMPv3 Commands This command shows the SNMP engine ID. show snmp engine-id OMMAND Privileged Exec XAMPLE This example shows the default engine ID. Console#show snmp engine-id Local SNMP EngineID: 8000002a80000000177c666672 Local SNMP EngineBoots: 1 Remote SNMP EngineID IP address 80000000030004e2b316c54321 192.168.1.19...
  • Page 777: Table 67: Show Snmp Group - Display Description

    | SNMP Commands HAPTER SNMPv3 Commands Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v2c Read View: defaultview Write View: defaultview...
  • Page 778: Show Snmp View

    | SNMP Commands HAPTER SNMPv3 Commands Security Model : v3 Security Level : Anthentication and privacy Authentication Protocol : MD5 Privacy Protocol : DES56 Storage Type : Nonvolatile Row Status : Active Console# Table 68: show snmp user - display description Field Description Engine ID...
  • Page 779: Notification Log Commands

    | SNMP Commands HAPTER Notification Log Commands Table 69: show snmp view - display description Field Description View Name Name of an SNMP view. Subtree OID A branch in the MIB tree. View Type Indicates if the view is included or excluded. Storage Type The storage type for this entry.
  • Page 780 | SNMP Commands HAPTER Notification Log Commands ip-address - The Internet address of a remote device. The specified target host must already have been configured using the snmp- server host command. The notification log is stored locally. It is not sent to a remote device.
  • Page 781: Show Nlm Oper-Status

    | SNMP Commands HAPTER Additional Trap Commands XAMPLE This example first creates an entry for a remote host, and then instructs the switch to record this device as the remote host for the specified notification log. Console(config)#snmp-server host 10.1.19.23 batman Console(config)#snmp-server notify-filter A1 remote 10.1.19.23 Console# This command shows the operational status of configured notification logs.
  • Page 782: Process Cpu

    | SNMP Commands HAPTER Additional Trap Commands rising-threshold - Rising threshold for memory utilization alarm expressed in percentage. (Range: 1-100) falling-threshold - Falling threshold for memory utilization alarm expressed in percentage. (Range: 1-100) EFAULT ETTING Rising Threshold: 90% Falling Threshold: 70% OMMAND Global Configuration OMMAND...
  • Page 783 | SNMP Commands HAPTER Additional Trap Commands XAMPLE Console(config)#process cpu rising 80 Console(config)#process cpu falling 60 Console# ELATED OMMANDS show process cpu (715) – 793 –...
  • Page 784: Remote Monitoring Commands

    REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 785 | CHAPTER | Remote Monitoring Commands. rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. SYNTAX rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...
  • Page 786: Rmon Event

    If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
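The rising/falling hysteresis rule described above, and the same rule as applied by the process cpu rising/falling thresholds (pages 782-783), as an added example that is not code from the manual or from the switch firmware. The CPU readings, octet counter readings, event indices and the 100000 falling threshold for the octet counter are constructed for illustration.

```python
"""RMON-style alarm evaluation with rising/falling hysteresis.

Models the rule the manual gives for "rmon alarm": a rising event fires when a
sample reaches the rising threshold after the previous sample was below it; a
falling event fires when a sample drops to the falling threshold after the
previous sample was above it; and once either event fires, the same kind is
not raised again until the opposite threshold has been crossed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, str, int]  # (sample number, "rising"/"falling", event index)


@dataclass
class RmonAlarm:
    """One alarm entry: rmon alarm <index> <variable> <interval>
    {absolute | delta} rising-threshold <r> [event] falling-threshold <f> [event]."""
    index: int
    sample_type: str                     # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: int = 0                # event index run on a rising crossing (0 = none)
    falling_event: int = 0
    counter_bits: Optional[int] = None   # e.g. 32 for Counter32 variables in delta mode
    last_raw: Optional[int] = field(default=None, init=False)
    last_value: Optional[int] = field(default=None, init=False)
    rising_armed: bool = field(default=True, init=False)
    falling_armed: bool = field(default=True, init=False)

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")

    def _sampled_value(self, raw: int) -> Optional[int]:
        """Absolute mode uses the reading itself; delta mode uses the change
        since the previous reading, wrapping for fixed-width counters."""
        if self.sample_type == "absolute":
            return raw
        prev, self.last_raw = self.last_raw, raw
        if prev is None:
            return None                        # two readings are needed for a delta
        delta = raw - prev
        if self.counter_bits is not None:
            delta %= 1 << self.counter_bits    # Counter32 wrap-around is not a drop
        return delta

    def sample(self, raw: int) -> Optional[Tuple[str, int]]:
        """Feed one reading; return (kind, event index) if an event fires."""
        value = self._sampled_value(raw)
        if value is None:
            return None
        last, self.last_value = self.last_value, value
        if last is None:
            return None                        # the first value only seeds the comparison
        if (self.rising_armed and value >= self.rising_threshold
                and last < self.rising_threshold):
            self.rising_armed, self.falling_armed = False, True
            return ("rising", self.rising_event)
        if (self.falling_armed and value <= self.falling_threshold
                and last > self.falling_threshold):
            self.falling_armed, self.rising_armed = False, True
            return ("falling", self.falling_event)
        return None


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Event]:
    """Evaluate a series of readings and collect every event that fires."""
    events: List[Event] = []
    for n, raw in enumerate(readings):
        fired = alarm.sample(raw)
        if fired is not None:
            events.append((n, fired[0], fired[1]))
    return events


# Constructed CPU utilization series (percent) checked against the manual's
# example "process cpu rising 80" / "process cpu falling 60". The second 85
# does not fire again because utilization never fell to 60 in between.
CPU_READINGS = [50, 70, 85, 90, 75, 85, 55, 50, 65, 82]


def cpu_alarm_events() -> List[Event]:
    alarm = RmonAlarm(index=1, sample_type="absolute", rising_threshold=80,
                      falling_threshold=60, rising_event=1, falling_event=2)
    return run_alarm(alarm, CPU_READINGS)


# Constructed etherStatsOctets (1.3.6.1.2.1.16.1.1.1.6.1) readings, one per
# 30-second interval, for the delta alarm with rising threshold 892800 shown
# by "show rmon alarms"; the falling threshold of 100000 is an assumption.
OCTET_READINGS = [0, 100000, 1100000, 2100000, 2150000, 2160000, 3100000]


def octet_alarm_events() -> List[Event]:
    alarm = RmonAlarm(index=2, sample_type="delta", rising_threshold=892800,
                      falling_threshold=100000, rising_event=2, falling_event=2,
                      counter_bits=32)
    return run_alarm(alarm, OCTET_READINGS)


if __name__ == "__main__":
    print("cpu:", cpu_alarm_events())
    print("octets:", octet_alarm_events())
```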
  • Page 787 | The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. EXAMPLE Console(config)#rmon event 2 log description urgent owner mike Console(config)# This command periodically samples statistics on a physical interface.
  • Page 788: Rmon Collection Rmon1

    ...show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
  • Page 789: Show Rmon Events

    EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection rmon1 controlentry 1 owner mike Console(config-if)# show rmon alarms: This command shows the settings for all configured alarms. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0...
  • Page 790: Show Rmon Statistics

    ...0 undersized and 0 oversized packets, 0 fragments and 0 jabbers packets, 0 CRC alignment errors and 0 collisions. # of dropped packet events is 0 Network utilization is estimated at 0 show rmon statistics: This command shows the information collected for all configured entries in the statistics group.
  • Page 791: Table 71: Sflow Commands

    FLOW SAMPLING COMMANDS Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 792: Flow Sampling Commands

    CHAPTER | Flow Sampling Commands. COMMAND USAGE Flow sampling must be enabled globally on the switch, as well as for those ports where it is required (see the sflow source command). EXAMPLE Console(config)#sflow Console(config)# sflow destination: This command configures the IP address and UDP port used by the Collector.
  • Page 793: Sflow Max-Header-Size

    sflow max-datagram-size: This command configures the maximum size of the sFlow datagram payload. Use the no form to restore the default setting. SYNTAX sflow max-datagram-size max-datagram-size no max-datagram-size max-datagram-size - The maximum size of the sFlow datagram payload.
  • Page 794: Sflow Owner

    sflow owner: This command configures the name of the receiver (i.e., sFlow Collector). Use the no form to remove this name. SYNTAX sflow owner name no sflow owner name - The name of the receiver. (Range: 1-256 characters) DEFAULT SETTING None...
  • Page 795 | sflow sample: This command configures the packet sampling rate. Use the no form to restore the default rate. SYNTAX sflow sample rate no sflow sample rate - The packet sampling rate, or the number of packets out of which one sample will be taken.
  • Page 796 | sflow timeout: This command configures the length of time samples are sent to the Collector before resetting all sFlow port parameters. Use the no form to restore the default timeout. SYNTAX sflow timeout seconds no sflow timeout seconds - The length of time the sFlow process continuously sends samples to the Collector before resetting all sFlow port parameters.
  • Page 797 | COMMAND MODE Privileged Exec EXAMPLE Console#show sflow interface ethernet 1/9 Interface of Ethernet Interface status : Enabled Owner name : Lamar Owner destination : 192.168.0.4 Owner socket port : 6343 Time out : 9994 Maximum header size : 256 Maximum datagram size : 1500 Sample rate...
  • Page 798: Authentication Commands

    AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 799: Username

    CHAPTER | Authentication Commands: User Accounts and Privilege Levels. USER ACCOUNTS AND PRIVILEGE LEVELS The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 734), user authentication via a remote authentication server (page...
  • Page 800: Table 74: Default Login Settings

    The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
  • Page 801 | COMMAND USAGE The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/TFTP server.
  • Page 802: Show Privilege

    EXAMPLE This example sets the privilege level for the ping command to Privileged Exec. Console(config)#privilege exec level 15 ping Console(config)# show privilege: This command shows the privilege level for the current user, or the privilege level for commands modified by the privilege command.
  • Page 803: Authentication Enable

    Authentication Sequence. authentication enable: This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command. Use the no form to restore the default. SYNTAX authentication enable {[local] [radius] [tacacs]} no authentication enable...
  • Page 804: Authentication Login

    authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default. SYNTAX authentication login {[local] [radius] [tacacs]} no authentication login local - Use local password. radius - Use RADIUS server password. tacacs - Use TACACS server password.
  • Page 805: Radius Client

    RADIUS CLIENT Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 806 | radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
  • Page 807: Radius-Server Key

    DEFAULT SETTING auth-port - 1812 acct-port - 1813 timeout - 5 seconds retransmit - 2 COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green Console(config)# radius-server key: This command sets the RADIUS encryption key. Use the no form to restore the default.
  • Page 808: Radius-Server Timeout

    DEFAULT SETTING COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout: This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. SYNTAX radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a...
  • Page 809: Tacacs-Server Host

    TACACS+ Client ...Retransmit Times Request Timeout Server 1: Server IP Address : 192.168.1.1 Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times Request Timeout RADIUS Server Group: Group Name Member Index ------------------------- ------------- radius Console# TACACS+ C...
  • Page 810: Tacacs-Server Key

    key - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server.
  • Page 811 | tacacs-server port: This command specifies the TACACS+ server network port. Use the no form to restore the default. SYNTAX tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
  • Page 812: Tacacs-Server Timeout

    tacacs-server timeout: This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. SYNTAX tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 813: Aaa

    AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 78: AAA Commands Command Function Mode...
  • Page 814: Aaa Accounting Dot1X

    group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters) DEFAULT SETTING Accounting is not enabled...
  • Page 815 | group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 816: Aaa Accounting Update

    group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 817: Aaa Authorization Exec

    Using the command without specifying an interim interval enables updates, but does not change the current interval setting. EXAMPLE Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec: This command enables the authorization for Exec access. Use the no form to disable the authorization service.
  • Page 818: Aaa Group Server

    aaa group server: Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. SYNTAX [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
  • Page 819: Accounting Commands

    EXAMPLE Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x: This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. SYNTAX accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the accounting dot1x...
  • Page 820 | COMMAND MODE Line Configuration EXAMPLE Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# accounting exec: This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. SYNTAX accounting exec {default | list-name} no accounting exec...
  • Page 821 | DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting: This command displays the current accounting settings per function and per port. SYNTAX show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics] commands - Displays command accounting information.
  • Page 822: Web Server

    ...Interface : Eth 1/1 Method List : tps Group List : radius Interface : Eth 1/2 Accounting Type : EXEC Method List : default Group List : tacacs+ Interface : vty Accounting Type : Commands 0 Method List : default Group List...
  • Page 823: Ip Http Server

    COMMAND MODE Global Configuration EXAMPLE Console(config)#ip http port 769 Console(config)# RELATED COMMANDS ip http server (836) show system (717) ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. SYNTAX [no] ip http server DEFAULT...
  • Page 824: Ip Http Secure-Server

    COMMAND USAGE You cannot configure the HTTP and HTTPS servers to use the same port. If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number EXAMPLE Console(config)#ip http secure-port 1000...
  • Page 825: Telnet Server

    The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6.x or above, and Mozilla Firefox 3.6.2/4/5. The following web browsers and operating systems currently support HTTPS: Table 80: HTTPS System Support Web Browser...
  • Page 826: Ip Telnet Port

    ip telnet max-sessions: This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting. SYNTAX ip telnet max-sessions session-count no ip telnet max-sessions session-count - The maximum number of allowed Telnet sessions.
  • Page 827: Secure Shell

    ip telnet server: This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. SYNTAX [no] ip telnet server DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console(config)#ip telnet server Console(config)#...
  • Page 828 | Table 82: Secure Shell Commands (Continued) Command Function Mode ip ssh timeout Specifies the authentication timeout for the SSH server copy tftp public-key Copies the user’s public key from a TFTP server to the switch delete public-key Deletes the public key for the specified user...
  • Page 829 | ...Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch with the username command.)
  • Page 830 | If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 831: Ip Ssh Server

    EXAMPLE Console(config)#ip ssh authentication-retries 2 Console(config)# RELATED COMMANDS show ip ssh (848) ip ssh server: This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service. SYNTAX [no] ip ssh server DEFAULT...
  • Page 832: Ip Ssh Server-Key Size

    ip ssh server-key size: This command sets the SSH server key size. Use the no form to restore the default setting. SYNTAX ip ssh server-key size key-size no ip ssh server-key size key-size – The size of the server key. (Range: 512-896 bits) DEFAULT SETTING 768 bits...
  • Page 833: Delete Public-Key

    EXAMPLE Console(config)#ip ssh timeout 60 Console(config)# RELATED COMMANDS exec-timeout (736) show ip ssh (848) delete public-key: This command deletes the specified user’s public key. SYNTAX delete public-key username [dsa | rsa] username – Name of an SSH user. (Range: 1-8 characters) dsa –...
  • Page 834: Ip Ssh Crypto Zeroize

    This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory. Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process.
  • Page 835: Ip Ssh Save Host-Key

    RELATED COMMANDS ip ssh crypto host-key generate (846) ip ssh save host-key (848) no ip ssh server (844) ip ssh save host-key: This command saves the host key from RAM to flash memory. SYNTAX ip ssh save host-key DEFAULT SETTING...
  • Page 836 | COMMAND MODE Privileged Exec COMMAND USAGE If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed. When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
  • Page 837: Port Authentication

    Table 83: show ssh - display description (Field: Description) Connection: The session number. (Range: 0-3) Version: The Secure Shell version number. State: The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started) Username: The user name of the client. 802.1X PORT AUTHENTICATION The switch supports IEEE 802.1X (dot1x) port-based access control that...
  • Page 838 | Table 84: 802.1X Port Authentication Commands (Continued) Command Function Mode Supplicant Commands dot1x identity profile Configures dot1x supplicant user name and password GC dot1x max-start Sets the maximum number of times that a port supplicant will send an EAP start frame to the client dot1x pae supplicant Enables dot1x supplicant mode on an interface...
  • Page 839 | ...other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network. When this device is functioning as an edge switch but does not require any attached clients to be authenticated, the no dot1x eapol-pass-through command can be used to discard unnecessary EAPOL traffic.
  • Page 840 | DEFAULT SETTING block-traffic COMMAND MODE Interface Configuration COMMAND USAGE For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
  • Page 841: Dot1X Operation-Mode

    | Authentication Commands HAPTER 802.1X Port Authentication EFAULT OMMAND Interface Configuration XAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# This command allows hosts (clients) to connect to an 802.1X-authorized dot1x operation-mode port. Use the no form with no keywords to restore the default to single host.
  • Page 842: Dot1X Port-Control

    | Authentication Commands HAPTER 802.1X Port Authentication XAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10 Console(config-if)# This command sets the dot1x mode on a port interface. Use the no form to dot1x port-control restore the default. YNTAX dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto –...
  • Page 843: Dot1X Timeout Quiet-Period

    | Authentication Commands HAPTER 802.1X Port Authentication transparently by the dot1x client software. Only if re-authentication fails is the port blocked. The connected client is re-authenticated after the interval specified by dot1x timeout re-authperiod command. The default is 3600 seconds. XAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication...
  • Page 844: Dot1X Timeout Supp-Timeout

    | Authentication Commands HAPTER 802.1X Port Authentication EFAULT 3600 seconds OMMAND Interface Configuration XAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# This command sets the time that an interface on the switch waits for a dot1x timeout supp- response to an EAP request from a client before re-transmitting an EAP timeout packet.
  • Page 845: Dot1X Re-Authenticate

    | Authentication Commands HAPTER 802.1X Port Authentication This command sets the time that an interface on the switch waits during an dot1x timeout tx- authentication session before re-transmitting an EAP packet. Use the no period form to reset to the default value. YNTAX dot1x timeout tx-period seconds no dot1x timeout tx-period...
  • Page 846: Dot1X Identity Profile

    | Authentication Commands HAPTER 802.1X Port Authentication Supplicant Commands This command sets the dot1x supplicant user name and password. Use the dot1x identity profile no form to delete the identity settings. YNTAX dot1x identity profile {username username | password password} no dot1x identity profile {username | password} username - Specifies the supplicant user name.
  • Page 847: Dot1X Pae Supplicant

    | Authentication Commands HAPTER 802.1X Port Authentication OMMAND Interface Configuration XAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# This command enables dot1x supplicant mode on a port. Use the no form dot1x pae supplicant to disable dot1x supplicant mode on a port. YNTAX [no] dot1x pae supplicant EFAULT...
  • Page 848 | Authentication Commands HAPTER 802.1X Port Authentication This command sets the time that a supplicant port waits for a response dot1x timeout auth- from the authenticator. Use the no form to restore the default setting. period YNTAX dot1x timeout auth-period seconds no dot1x timeout auth-period seconds - The number of seconds.
  • Page 849: Information Display Commands

    | Authentication Commands HAPTER 802.1X Port Authentication This command sets the time that a supplicant port waits before resending dot1x timeout start- an EAPOL start frame to the authenticator. Use the no form to restore the period default setting. YNTAX dot1x timeout start-period seconds no dot1x timeout start-period seconds - The number of seconds.
  • Page 850 | Authentication Commands HAPTER 802.1X Port Authentication Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 859). 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: Type –...
  • Page 851: X Port Authentication

    | Authentication Commands HAPTER 802.1X Port Authentication Request Count– Number of EAP Request packets sent to the Supplicant without receiving a response. Identifier (Server)– Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 852: Show Management

    | Authentication Commands HAPTER Management IP Filter Identifier(Server) Reauthentication State Machine State : Initialize Console# IP F ANAGEMENT ILTER This section describes commands used to configure IP management access to the switch. Table 85: Management IP Filter Commands Command Function Mode management Configures IP addresses that are allowed management...
  • Page 853 | Authentication Commands HAPTER Management IP Filter IP address can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges.
  • Page 854: Pppoe Intermediate Agent

    Chapter: Authentication Commands | PPPoE Intermediate Agent. TELNET-Client: Start IP address | End IP address: 1. 192.168.1.19 192.168.1.19; 2. 192.168.1.25 192.168.1.30. Console# PPPOE INTERMEDIATE AGENT This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
  • Page 855 | Chapter: Authentication Commands | PPPoE Intermediate Agent. COMMAND USAGE The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS). The switch extracts access-loop information from the client's PPPoE Active Discovery Request, and forwards this information to all trusted ports designated by the...
  • Page 856 | Chapter: Authentication Commands | PPPoE Intermediate Agent. These messages are forwarded to all trusted ports designated by the pppoe intermediate-agent trust command. EXAMPLE Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong Console(config)# pppoe intermediate-... (interface-level command): This command enables the PPPoE IA on an interface. Use the no form to disable this feature.
  • Page 857 | Chapter: Authentication Commands | PPPoE Intermediate Agent. COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The PPPoE server extracts the Line-ID tag from PPPoE discovery stage messages, and uses the Circuit-ID field of that tag as a NAS-Port-ID attribute in AAA access and accounting requests. The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) into PPPoE Active Discovery Initiation (PADI) and Request...
  • Page 858 | Chapter: Authentication Commands | PPPoE Intermediate Agent. EXAMPLE Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent trust Console(config-if)# pppoe intermediate-agent vendor-tag strip: This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature. SYNTAX [no] pppoe intermediate-agent vendor-tag strip...
  • Page 859 | Chapter: Authentication Commands | PPPoE Intermediate Agent. EXAMPLE Console#clear pppoe intermediate-agent statistics Console# show pppoe intermediate-agent info: This command displays configuration settings for the PPPoE Intermediate Agent. SYNTAX show pppoe intermediate-agent info [interface [interface]]; interface ethernet unit/port; unit - Stack unit. (Range: 1); port - Port number.
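The tag handling described on pages 855 to 858, as an added example in Python that is not part of the manual or the switch firmware: an untrusted (client-facing) port gets the switch's Line-ID inserted into PADI/PADR as Vendor-Specific tag 0x0105, and a trusted (BRAS-facing) port has vendor tags stripped from PADO/PADS when vendor-tag strip is enabled. Assumptions beyond the page: the ADSL Forum vendor id 0x00000DE9 with sub-tags 0x01 (Circuit-ID) and 0x02 (Remote-ID) inside the tag, the default circuit-id layout "<access-node-identifier> eth <unit>/<port>:<vlan>", and the policy that a client-supplied vendor tag is replaced rather than kept. The function names are hypothetical and the packets are constructed samples.

```python
import struct

# PPPoE discovery codes (RFC 2516) and tag types; 0x0105 is named on the page.
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
# Assumption: the Line-ID tag uses the ADSL Forum vendor id (0x00000DE9) and
# sub-tags 0x01 (Circuit-ID) / 0x02 (Remote-ID), which is what a BRAS expects.
ADSL_FORUM_VENDOR_ID = 0x00000DE9
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02


def parse_discovery(payload):
    """Split a PPPoE discovery payload (after the Ethernet header) into (code, session, tags)."""
    ver_type, code, session, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != 0x11:
        raise ValueError("not PPPoE version 1 / type 1")
    body = payload[6:6 + length]
    tags, off = [], 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        tags.append((ttype, body[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return code, session, tags


def build_discovery(code, session, tags):
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def line_id_tag(circuit_id, remote_id=b""):
    """Vendor-Specific tag carrying Circuit-ID and (optionally) Remote-ID."""
    value = struct.pack("!I", ADSL_FORUM_VENDOR_ID)
    value += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        value += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return (TAG_VENDOR_SPECIFIC, value)


def default_circuit_id(access_node_id, unit, port, vlan):
    # Assumed default format "<access-node-identifier> eth <unit>/<port>:<vlan>";
    # the page only shows that the access-node-identifier is configurable.
    return f"{access_node_id} eth {unit}/{port}:{vlan}".encode()


def intermediate_agent(payload, trusted_port, circuit_id, vendor_tag_strip=True):
    """Apply PPPoE IA to one discovery packet seen on a port.

    Untrusted (client) port: PADI/PADR get the switch's Line-ID tag; any
    vendor tag the client supplied is replaced (assumed policy).
    Trusted (BRAS) port: PADO/PADS lose vendor tags when strip is enabled.
    Returns the payload to forward."""
    code, session, tags = parse_discovery(payload)
    others = [t for t in tags if t[0] != TAG_VENDOR_SPECIFIC]
    if not trusted_port and code in (PADI, PADR):
        tags = others + [line_id_tag(circuit_id)]
    elif trusted_port and code in (PADO, PADS) and vendor_tag_strip:
        tags = others
    return build_discovery(code, session, tags)


def circuit_id_of(payload):
    """Extract the Circuit-ID the BRAS would use as NAS-Port-ID, or None."""
    for ttype, value in parse_discovery(payload)[2]:
        if ttype != TAG_VENDOR_SPECIFIC or value[:4] != struct.pack("!I", ADSL_FORUM_VENDOR_ID):
            continue
        off = 4
        while off + 2 <= len(value):
            sub, sublen = value[off], value[off + 1]
            if sub == SUB_CIRCUIT_ID:
                return value[off + 2:off + 2 + sublen]
            off += 2 + sublen
    return None
```

The security point is in the untrusted branch: the switch, not the subscriber, is the source of the Circuit-ID the BRAS puts into NAS-Port-ID, so a client that forges its own Vendor-Specific tag cannot claim another subscriber's line.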
  • Page 860: Table 87: Show Pppoe Intermediate-Agent Statistics - Display Description

    Chapter: Authentication Commands | PPPoE Intermediate Agent. show pppoe intermediate-agent statistics: This command displays statistics for the PPPoE Intermediate Agent. SYNTAX show pppoe intermediate-agent statistics interface [interface]; interface ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-28/52); port-channel channel-id (Range: 1-16) COMMAND MODE Privileged Exec...
  • Page 861: Table 88: General Security Commands

    GENERAL SECURITY MEASURES This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
  • Page 862: General Security Measures

    Chapter: General Security Measures | Port Security. PORT SECURITY These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 863 | Chapter: General Security Measures | Port Security. COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 864: Table 90: Show Port Security - Display Description

    Chapter: General Security Measures | Port Security. RELATED COMMANDS show interfaces status (973); shutdown (967); mac-address-table static (1036). show port security: This command displays port security status and the secure address count. SYNTAX show port security [interface interface]; interface - Specifies a port interface. ethernet unit/port; unit - Unit identifier.
  • Page 865 | Chapter: General Security Measures | Port Security. The following example shows the port security settings and number of secure addresses for a specific port. The Last Intrusion MAC and Last Time Detected Intrusion MAC fields show information about the last detected intrusion MAC address.
  • Page 866: Network Access (Mac Address Authentication)

    Chapter: General Security Measures | Network Access (MAC Address Authentication). NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 867: Network-Access Aging

    Chapter: General Security Measures | Network Access (MAC Address Authentication). network-access aging: Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. SYNTAX [no] network-access aging DEFAULT...
  • Page 868 | Chapter: General Security Measures | Network Access (MAC Address Authentication). COMMAND MODE Global Configuration COMMAND USAGE Specified addresses are exempt from network access authentication. This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 869: Table 92: Dynamic Qos Profiles

    Chapter: General Security Measures | Network Access (MAC Address Authentication). network-access dynamic-qos: Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. SYNTAX [no] network-access dynamic-qos DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND...
  • Page 870: Network-Access Dynamic-Vlan

    Chapter: General Security Measures | Network Access (MAC Address Authentication). EXAMPLE The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# network-access dynamic-vlan: Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. SYNTAX [no] network-access dynamic-vlan...
  • Page 871 | Chapter: General Security Measures | Network Access (MAC Address Authentication). network-access guest-vlan: Use this command to assign all traffic on a port to a guest VLAN when 802.1X authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
  • Page 872: Network-Access Link-Detection Link-Down

    Chapter: General Security Measures | Network Access (MAC Address Authentication). network-access link-detection link-down: Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 873: Network-Access Link-Detection Link-Up-Down

    Chapter: General Security Measures | Network Access (MAC Address Authentication). EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up action trap Console(config-if)# network-access link-detection link-up-down: Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 874 | Chapter: General Security Measures | Network Access (MAC Address Authentication). COMMAND MODE Interface Configuration COMMAND USAGE The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 875: Network-Access Port-Mac-Filter

    Chapter: General Security Measures | Network Access (MAC Address Authentication). When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 876: Mac-Authentication Max-Mac-Count

    Chapter: General Security Measures | Network Access (MAC Address Authentication). mac-authentication intrusion-action: Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. SYNTAX mac-authentication intrusion-action {block traffic | pass traffic}; no mac-authentication intrusion-action DEFAULT SETTING...
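The secure-MAC behaviour described in the Port Security section and in the network-access pages above (learn up to max-mac-count, treat further addresses as failures, apply the block/pass intrusion action, record the last intrusion MAC, clear the table on link-down, age entries when aging is enabled) as an added Python model; it is not part of the manual or the switch firmware. The class name SecurePort is hypothetical, the "max count 0 means disabled" rule and the 1024 system limit are from the page, and the aging semantics (an entry expires after aging_time seconds without traffic) are an assumption.

```python
class SecurePort:
    """Secure MAC table for one port, following the manual's port-security and
    MAC-authentication rules (hypothetical class; not switch firmware)."""

    SYSTEM_LIMIT = 1024   # manual: max 1024 secure MACs per port and per switch

    def __init__(self, port, max_mac_count=0, intrusion_action="block traffic",
                 aging=False, aging_time=1800):
        self.port = port
        self.max_mac_count = min(max_mac_count, self.SYSTEM_LIMIT)
        self.intrusion_action = intrusion_action     # "block traffic" | "pass traffic"
        self.aging = aging
        self.aging_time = aging_time   # seconds of inactivity (assumed semantics)
        self.table = {}                # mac -> last time seen
        self.last_intrusion = None     # (mac, time) shown as "Last Intrusion MAC"

    @property
    def enabled(self):
        return self.max_mac_count > 0  # manual: max count 0 means port security disabled

    def ingress(self, src_mac, now):
        """Return True if a frame from src_mac is forwarded, False if blocked."""
        if not self.enabled:
            return True
        if self.aging:
            self.table = {m: t for m, t in self.table.items()
                          if now - t < self.aging_time}
        if src_mac in self.table:
            self.table[src_mac] = now
            return True
        if len(self.table) < self.max_mac_count:
            self.table[src_mac] = now         # learn a new secure address
            return True
        self.last_intrusion = (src_mac, now)  # table full: authentication failure
        return self.intrusion_action == "pass traffic"

    def link_down(self):
        self.table.clear()   # manual: all MACs cleared when the port goes down

    def secure_count(self):
        return len(self.table)
```

Note what "pass traffic" means in this model: the intrusion is still recorded, but the frame is forwarded and the address is not learned, so the port keeps its secure set while the violation stays visible in the Last Intrusion MAC field.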
  • Page 877: Clear Network-Access

    Chapter: General Security Measures | Network Access (MAC Address Authentication). clear network-access: Use this command to clear entries from the secure MAC address table. SYNTAX clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]; static - Specifies static address entries. dynamic - Specifies dynamic address entries.
  • Page 878: Show Network-Access

    Chapter: General Security Measures | Network Access (MAC Address Authentication). EXAMPLE Console#show network-access interface ethernet 1/1; Global secure port information; Reauthentication Time : 1800; MAC Address Aging : Disabled; Port : 1/1; MAC Authentication : Disabled; MAC Authentication Intrusion Action : Block traffic; MAC Authentication Maximum MAC Counts : 1024; Maximum MAC Counts...
  • Page 879: Show Network-Access Mac-Filter

    Chapter: General Security Measures | Web Authentication. 00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out. EXAMPLE Console#show network-access mac-address-table; Interface | MAC Address | RADIUS Server | Time | Attribute: 00-00-01-02-03-04 172.155.120.17 00d06h32m50s Static; 00-00-01-02-03-05 172.155.120.17 00d06h33m20s Dynamic...
  • Page 880: Web-Auth Login-Attempts

    Chapter: General Security Measures | Web Authentication. RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 815). Web authentication cannot be configured on trunk ports. Table 93: Web Authentication (Command | Function | Mode)...
  • Page 881: Web-Auth Quiet-Period

    Chapter: General Security Measures | Web Authentication. EXAMPLE Console(config)#web-auth login-attempts 2 Console(config)# web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default. SYNTAX web-auth quiet-period time; no web-auth quiet-period...
  • Page 882 | Chapter: General Security Measures | Web Authentication. EXAMPLE Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default. SYNTAX [no] web-auth system-auth-control DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE...
  • Page 883 | Chapter: General Security Measures | Web Authentication. web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. SYNTAX web-auth re-authenticate interface interface; interface - Specifies a port interface. ethernet unit/port; unit - Unit identifier.
  • Page 884: Show Web-Auth Interface

    Chapter: General Security Measures | Web Authentication. show web-auth: This command displays global web authentication parameters. COMMAND MODE Privileged Exec EXAMPLE Console#show web-auth; Global Web-Auth Parameters; System Auth Control : Enabled; Session Timeout : 3600; Quiet Period : 60; Max Login Attempts; Console# show web-auth interface: This command displays interface-specific web authentication parameters...
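How the four web-authentication parameters interact (login-attempts, quiet-period, session-timeout, system-auth-control), plus re-authenticate and the per-port count that show web-auth summary reports, as an added Python state machine; it is not part of the manual or the switch firmware. The defaults in the constructor are the values the page's examples use (2 attempts, 60 s quiet period, 3600 s session). The class and method names are hypothetical, and the rule that a disabled system-auth-control admits every host is an assumption.

```python
class WebAuth:
    """Global web-authentication state following the manual's parameters:
    login-attempts, quiet-period, session-timeout, system-auth-control."""

    def __init__(self, login_attempts=2, quiet_period=60, session_timeout=3600,
                 system_auth_control=True):
        # 2 / 60 / 3600 are the values shown in the page's examples
        self.login_attempts = login_attempts
        self.quiet_period = quiet_period
        self.session_timeout = session_timeout
        self.enabled = system_auth_control
        self.hosts = {}   # (port, host_ip) -> state dict

    def _state(self, port, host):
        return self.hosts.setdefault((port, host),
                                     {"failures": 0, "quiet_until": 0, "session_until": 0})

    def login(self, port, host, password_ok, now):
        """Outcome of one login form submission: 'authenticated', 'failed',
        'locked' (limit just exceeded), 'quiet' (still in the quiet period)."""
        st = self._state(port, host)
        if now < st["quiet_until"]:
            return "quiet"                      # attempts during the quiet period are ignored
        if password_ok:
            st["failures"] = 0
            st["session_until"] = now + self.session_timeout
            return "authenticated"
        st["failures"] += 1
        if st["failures"] >= self.login_attempts:
            st["failures"] = 0
            st["quiet_until"] = now + self.quiet_period
            return "locked"
        return "failed"

    def is_authenticated(self, port, host, now):
        if not self.enabled:
            return True   # assumption: with system-auth-control disabled, no login is required
        return now < self._state(port, host)["session_until"]

    def re_authenticate(self, port):
        """Model of 'web-auth re-authenticate interface': end every session on the port."""
        for (p, _), st in self.hosts.items():
            if p == port:
                st["session_until"] = 0

    def summary(self, now):
        """Per-port authenticated host count, as 'show web-auth summary' lists it."""
        counts = {}
        for (p, _), st in self.hosts.items():
            counts[p] = counts.get(p, 0) + (1 if now < st["session_until"] else 0)
        return counts
```

The quiet period is what turns login-attempts into a brute-force control: once the limit is hit, even a correct password submitted inside the quiet period is ignored, so an attacker gets at most login-attempts guesses per quiet-period per host.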
  • Page 885: Dhcpv4 Snooping

    Chapter: General Security Measures | DHCPv4 Snooping. show web-auth summary: This command displays a summary of web authentication port parameters and statistics. COMMAND MODE Privileged Exec EXAMPLE Console#show web-auth summary; Global Web-Auth Parameters; System Auth Control : Enabled; Port | Status | Authenticated Host Count...
  • Page 886 | Chapter: General Security Measures | DHCPv4 Snooping. Table 94: DHCP Snooping Commands (Continued) (Command | Function | Mode): show ip dhcp snooping - Shows the DHCP snooping configuration settings; show ip dhcp snooping binding - Shows the DHCP snooping binding table entries. ip dhcp snooping: This command enables DHCP snooping globally. Use the no form to restore the default setting.
  • Page 887 | Chapter: General Security Measures | DHCPv4 Snooping. If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows: If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
  • Page 888 | Chapter: General Security Measures | DHCPv4 Snooping. ip dhcp snooping information option: This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of sub-type and sub-length in CID/RID fields, or the no form with the remote-id keyword to set the remote ID to...
  • Page 889 | Chapter: General Security Measures | DHCPv4 Snooping. When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • Page 890 | Chapter: General Security Measures | DHCPv4 Snooping. COMMAND USAGE When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch's relay information.
  • Page 891: Ip Dhcp Snooping

    Chapter: General Security Measures | DHCPv4 Snooping. ip dhcp snooping vlan: This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. SYNTAX [no] ip dhcp snooping vlan vlan-id; vlan-id - ID of a configured VLAN (Range: 1-4093) DEFAULT SETTING Disabled...
  • Page 892: Table 95: Option 82 Information

    Chapter: General Security Measures | DHCPv4 Snooping. ip dhcp snooping information option circuit-id: This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings. SYNTAX ip dhcp snooping information option circuit-id string string; no ip dhcp snooping information option circuit-id; string - An arbitrary string inserted into the circuit identifier field.
  • Page 893: Ip Dhcp Snooping Trust

    Chapter: General Security Measures | DHCPv4 Snooping. The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above. EXAMPLE This example sets the DHCP Snooping Information circuit-id suboption string. Console(config)#interface ethernet 1/1 Console(config-if)#ip dhcp snooping information option circuit-id string mv2 Console(config-if)# ip dhcp snooping trust: This command configures the specified interface as trusted.
  • Page 894: Clear Ip Dhcp Snooping Binding

    Chapter: General Security Measures | DHCPv4 Snooping. EXAMPLE This example sets port 5 to untrusted. Console(config)#interface ethernet 1/5 Console(config-if)#no ip dhcp snooping trust Console(config-if)# RELATED COMMANDS ip dhcp snooping (900); ip dhcp snooping vlan (905). clear ip dhcp snooping binding: This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding...
  • Page 895: Show Ip Dhcp Snooping

    Chapter: General Security Measures | DHCPv4 Snooping. ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory. COMMAND MODE Privileged Exec COMMAND USAGE This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 896: Show Ip Dhcp Snooping Binding

    Chapter: General Security Measures | DHCPv6 Snooping. show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries. COMMAND MODE Privileged Exec EXAMPLE Console#show ip dhcp snooping binding; MAC Address | IP Address | Lease(sec) | Type | VLAN | Interface: 11-22-33-44-55-66 192.168.0.99 0 Dynamic-DHCPSNP 1 Eth 1/5...
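The DHCPv4 snooping rules from pages 887 to 890 and the binding table shown above, as one added Python example that is not part of the manual or the switch firmware: server replies (OFFER/ACK/NAK) arriving on an untrusted port are dropped, client requests on untrusted ports get Option 82 inserted, a request that already carries Option 82 is handled by the drop/keep/replace policy, and an ACK seen on a trusted port creates a Dynamic-DHCPSNP binding for the port the client was seen on. Assumptions beyond the page: the circuit-id layout "<port>:<vlan>" (the switch's own default format is on page 892), the remote-id value, and the stripping of Option 82 from replies before they reach the client (RFC 3046 relay behaviour). Class and function names are hypothetical; the DHCP messages are constructed samples.

```python
import socket
import struct
from dataclasses import dataclass

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY_AGENT = 51, 53, 82   # 82 = Option 82 (RFC 3046)


def build_dhcp(op, chaddr, yiaddr, options):
    """Constructed sample DHCP message (UDP payload): fixed 236-byte header,
    magic cookie, then TLV options ending with 255."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"


def parse_options(pkt):
    """Options as an ordered list of (code, value); pads skipped, stops at 255."""
    opts, i = [], 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def rebuild(pkt, opts):
    return pkt[:240] + b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"


def option82(circuit_id, remote_id):
    # sub-option 1 = Circuit-ID, 2 = Remote-ID
    return (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)


@dataclass
class Binding:            # one row of 'show ip dhcp snooping binding'
    mac: str
    ip: str
    lease: int
    type: str
    vlan: int
    interface: str


class DhcpSnooper:
    def __init__(self, trusted_ports, option82_policy="replace", remote_id=b"switch"):
        self.trusted = set(trusted_ports)
        self.policy = option82_policy   # drop | keep | replace (page 890)
        self.remote_id = remote_id
        self.bindings = {}              # chaddr -> Binding
        self.client_port = {}           # chaddr -> (port, vlan) of the last request

    def process(self, pkt, port, vlan):
        """Return the packet to forward (possibly rewritten) or None to drop it."""
        opts = parse_options(pkt)
        msg_type = dict(opts).get(OPT_MSG_TYPE, b"\0")[0]
        chaddr = pkt[28:34]
        if pkt[0] == BOOTREPLY:
            if port not in self.trusted:
                return None             # OFFER/ACK/NAK on an untrusted port: drop
            if msg_type == ACK:
                cport, cvlan = self.client_port.get(chaddr, (port, vlan))
                lease = struct.unpack("!I", dict(opts).get(OPT_LEASE, b"\0\0\0\0"))[0]
                self.bindings[chaddr] = Binding(
                    mac="-".join(f"{b:02X}" for b in chaddr),
                    ip=socket.inet_ntoa(pkt[16:20]), lease=lease,
                    type="Dynamic-DHCPSNP", vlan=cvlan, interface=f"Eth {cport}")
            elif msg_type == NAK:
                self.bindings.pop(chaddr, None)
            # Assumption (RFC 3046 relay behaviour): strip Option 82 before the reply reaches the client.
            return rebuild(pkt, [o for o in opts if o[0] != OPT_RELAY_AGENT])
        if port in self.trusted:
            return pkt                  # requests from trusted ports pass unchanged
        self.client_port[chaddr] = (port, vlan)
        has82 = any(c == OPT_RELAY_AGENT for c, _ in opts)
        if has82 and self.policy == "drop":
            return None
        if has82 and self.policy == "keep":
            return pkt
        # Assumed circuit-id layout "<port>:<vlan>"; the switch's own default format is on page 892.
        circuit_id = f"{port}:{vlan}".encode()
        opts = [o for o in opts if o[0] != OPT_RELAY_AGENT]
        opts.append((OPT_RELAY_AGENT, option82(circuit_id, self.remote_id)))
        return rebuild(pkt, opts)
```

The binding is keyed on the port where the client's request was seen, not the port the ACK arrived on; that is what lets IP Source Guard and ARP Inspection later tie an address to a physical port. With the "keep" policy an untrusted client can assert any circuit-id it likes, which is why "replace" or "drop" is the safer choice on access ports.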
  • Page 897 | Chapter: General Security Measures | DHCPv6 Snooping. COMMAND MODE Global Configuration COMMAND USAGE Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an unsecure interface from outside the network or firewall.
  • Page 898 | Chapter: General Security Measures | DHCPv6 Snooping. If a DHCPv6 packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. DHCP Server Packet: If a DHCP server packet is received on an untrusted port, drop the packet and add a log entry in the system.
  • Page 899 | Chapter: General Security Measures | DHCPv6 Snooping. ipv6 dhcp snooping vlan: This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting. SYNTAX [no] ipv6 dhcp snooping vlan {vlan-id | vlan-range}; vlan-id - ID of a configured VLAN (Range: 1-4093); vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or an arbitrary group of VLANs with each entry separated by a comma.
  • Page 900 | Chapter: General Security Measures | DHCPv6 Snooping. ipv6 dhcp snooping max-binding: This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting. SYNTAX ipv6 dhcp snooping max-binding count; no ipv6 dhcp snooping max-binding; count - Maximum number of entries.
  • Page 901 | Chapter: General Security Measures | DHCPv6 Snooping. untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command. When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
  • Page 902 | Chapter: General Security Measures | DHCPv6 Snooping. clear ipv6 dhcp snooping database flash: This command removes all dynamically learned snooping entries from flash memory. COMMAND MODE Privileged Exec EXAMPLE Console(config)#clear ipv6 dhcp snooping database flash Console(config)# show ipv6 dhcp snooping: This command shows the DHCPv6 snooping configuration settings. COMMAND MODE...
  • Page 903: Table 97: Ip Source Guard Commands

    Chapter: General Security Measures | IP Source Guard. show ipv6 dhcp snooping statistics: This command shows statistics for DHCPv6 snooping client, server and relay packets. COMMAND MODE Privileged Exec EXAMPLE Console#show ipv6 dhcp snooping statistics; DHCPv6 Snooping Statistics: Client Packet: Solicit, Request, Confirm, Renew, Rebind, Decline, Release, Information-request; Server Packet: Advertise, Reply, Reconfigure; Relay...
  • Page 904 | Chapter: General Security Measures | IP Source Guard. ip source-guard binding: This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. SYNTAX ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port; no ip source-guard binding mac-address vlan vlan-id; mac-address - A valid unicast MAC address.
  • Page 905 | Chapter: General Security Measures | IP Source Guard. EXAMPLE This example configures a static source-guard binding on port 5. Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 Console(config)# RELATED COMMANDS ip source-guard (919); ip dhcp snooping (900); ip dhcp snooping vlan (905). ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address.
  • Page 906 | Chapter: General Security Measures | IP Source Guard. Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. Static addresses entered in the source guard binding table with the ip source-guard binding command (page 918) are automatically...
  • Page 907 | Chapter: General Security Measures | IP Source Guard. ip source-guard max-binding: This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting. SYNTAX ip source-guard max-binding number; no ip source-guard max-binding; number - The maximum number of IP addresses that can be mapped to an interface in the binding table.
  • Page 908: Table 98: Arp Inspection Commands

    Chapter: General Security Measures | ARP Inspection. show ip source-guard binding: This command shows the source guard binding table. SYNTAX show ip source-guard binding [dhcp-snooping | static]; dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 899); static - Shows static entries configured with the ip source-guard binding...
  • Page 909 | Chapter: General Security Measures | ARP Inspection. Table 98: ARP Inspection Commands (Continued) (Command | Function | Mode): ip arp inspection limit - Sets a rate limit for the ARP packets received on a port; ip arp inspection trust - Sets a port as trusted, and thus exempted from ARP Inspection; show ip arp inspection - Displays the global configuration settings for ARP...
  • Page 910 | Chapter: General Security Measures | ARP Inspection. When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again. EXAMPLE Console(config)#ip arp inspection Console(config)# ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs.
  • Page 911 | Chapter: General Security Measures | ARP Inspection. EXAMPLE Console(config)#ip arp inspection filter sales vlan 1 Console(config)# ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
  • Page 912 | Chapter: General Security Measures | ARP Inspection. EXAMPLE Console(config)#ip arp inspection log-buffer logs 1 interval 10 Console(config)# ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. SYNTAX ip arp inspection validate {dst-mac [ip] [src-mac] |...
  • Page 913 | Chapter: General Security Measures | ARP Inspection. ip arp inspection vlan: This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. SYNTAX [no] ip arp inspection vlan {vlan-id | vlan-range}; vlan-id - VLAN ID.
  • Page 914 | Chapter: General Security Measures | ARP Inspection. ip arp inspection limit: This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. SYNTAX ip arp inspection limit {rate pps | none}; no ip arp inspection limit; pps - The maximum number of ARP packets that can be processed by the CPU per second.
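IP Source Guard (pages 904 to 907) and ARP Inspection (pages 909 to 914) both consult the same source-guard binding table, so the two are shown together in one added Python example that is not part of the manual or the switch firmware. It models the per-interface max-binding limit, the two source-guard filter types (source IP only, or IP plus MAC; the keyword names sip / sip-mac are assumed), and for ARP: trusted ports exempt, a per-port packets-per-second limit (the default of 15 is assumed; None models "limit none"), the optional src-mac / dst-mac / ip validations, and the sender MAC/IP check against the binding table, with dropped packets recorded as rows like those of show ip arp inspection log. The static binding used reproduces the page 905 example; the ARP frames are constructed samples.

```python
import socket
import struct
from collections import defaultdict

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


class BindingTable:
    """Source-guard binding table: static entries plus those learned by DHCP snooping."""

    def __init__(self, max_binding=5):   # per-interface limit; default value assumed
        self.entries = []                # (mac, ip, vlan, port, type)
        self.max_binding = max_binding

    def add(self, mac, ip, vlan, port, entry_type="Static-IP-SG-Binding"):
        if sum(1 for e in self.entries if e[3] == port) >= self.max_binding:
            raise ValueError(f"{port}: max-binding reached")
        self.entries.append((mac.lower(), ip, vlan, port, entry_type))

    def lookup(self, ip, vlan, port=None):
        return [e for e in self.entries
                if e[1] == ip and e[2] == vlan and (port is None or e[3] == port)]


def ip_source_guard(table, port, vlan, src_ip, src_mac, mode="sip"):
    """Inbound IP filter: 'sip' checks the source IP only, 'sip-mac' the
    source IP and MAC pair (keyword names assumed). No binding means drop."""
    for mac, *_ in table.lookup(src_ip, vlan, port):
        if mode == "sip" or mac == src_mac.lower():
            return True
    return False


def build_arp(sha, spa, tpa, oper=ARP_REQUEST, eth_src=None,
              eth_dst=b"\xff" * 6, tha=b"\0" * 6):
    """Constructed Ethernet+ARP frame (IPv4 over Ethernet)."""
    return (eth_dst + (eth_src or sha) + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))


def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    oper = struct.unpack("!H", frame[20:22])[0]
    return {"dst": frame[:6], "src": frame[6:12], "oper": oper,
            "sha": frame[22:28], "spa": socket.inet_ntoa(frame[28:32]),
            "tha": frame[32:38], "tpa": socket.inet_ntoa(frame[38:42])}


def invalid_ip(ip):
    first = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or first == 127 or first >= 224


class ArpInspector:
    """Dynamic ARP Inspection: trusted ports are exempt; untrusted ports are
    rate limited, optionally validated (src-mac / dst-mac / ip), and the
    sender MAC/IP pair must match a binding in the VLAN."""

    def __init__(self, table, trusted_ports=(), validate=(), limit_pps=15):
        self.table = table
        self.trusted = set(trusted_ports)
        self.validate = set(validate)
        self.limit_pps = limit_pps          # None models 'ip arp inspection limit none'
        self.counts = defaultdict(int)      # (port, second) -> packets seen
        self.log = []                       # rows for 'show ip arp inspection log'

    def _drop(self, a, port, vlan, reason):
        self.log.append({"vlan": vlan, "port": port, "src_ip": a["spa"], "dst_ip": a["tpa"],
                         "src_mac": mac_str(a["sha"]), "reason": reason})
        return False

    def inspect(self, frame, port, vlan, now):
        """True = forward, False = drop (and log)."""
        if port in self.trusted:
            return True
        a = parse_arp(frame)
        if a is None:
            return True                      # not ARP: DAI does not apply
        self.counts[(port, int(now))] += 1
        if self.limit_pps is not None and self.counts[(port, int(now))] > self.limit_pps:
            return self._drop(a, port, vlan, "rate-limit")
        if "src-mac" in self.validate and a["src"] != a["sha"]:
            return self._drop(a, port, vlan, "src-mac")
        if "dst-mac" in self.validate and a["oper"] == ARP_REPLY and a["dst"] != a["tha"]:
            return self._drop(a, port, vlan, "dst-mac")
        if "ip" in self.validate and (invalid_ip(a["spa"]) or
                                      (a["oper"] == ARP_REPLY and invalid_ip(a["tpa"]))):
            return self._drop(a, port, vlan, "ip")
        if not any(mac == mac_str(a["sha"]) for mac, *_ in self.table.lookup(a["spa"], vlan)):
            return self._drop(a, port, vlan, "no-binding")
        return True
```

The no-binding check is what stops ARP poisoning: a host on port 1/5 may only announce the IP that DHCP snooping (or a static binding) has recorded for its MAC. The src-mac validation closes the gap where the Ethernet source is legitimate but the ARP sender hardware address inside the payload is not, and the rate limit protects the CPU that does the inspection.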
  • Page 915 | Chapter: General Security Measures | ARP Inspection. EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection. COMMAND MODE Privileged Exec EXAMPLE Console#show ip arp inspection configuration; ARP inspection global information: Global IP ARP Inspection status : disabled; Log Message Interval...
  • Page 916 | Chapter: General Security Measures | ARP Inspection. show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components. COMMAND MODE Privileged Exec EXAMPLE Console#show ip arp inspection log; Total log entries number is 1; Num | VLAN | Port | Src IP Address | Dst IP Address | Src MAC Address...
  • Page 917: Table 99: Dos Protection Commands

    Chapter: General Security Measures | Denial of Service Protection. EXAMPLE Console#show ip arp inspection vlan 1; VLAN ID | DAI Status | ACL Name | ACL Status: disabled sales static; Console# DENIAL OF SERVICE PROTECTION A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
  • Page 918 | Chapter: General Security Measures | Denial of Service Protection. DEFAULT SETTING Disabled, 1000 kbits/second COMMAND MODE Global Configuration EXAMPLE Console(config)#dos-protection echo-chargen 65 Console(config)# dos-protection smurf: This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
  • Page 919 | Chapter: General Security Measures | Denial of Service Protection. COMMAND MODE Global Configuration EXAMPLE Console(config)#dos-protection tcp-flooding 65 Console(config)# dos-protection tcp-null-scan: This command protects against DoS TCP NULL scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of unusually configured TCP packets which contain a sequence number of 0 and no flags.
  • Page 920 | Chapter: General Security Measures | Denial of Service Protection. EXAMPLE Console(config)#dos-protection syn-fin-scan Console(config)# dos-protection tcp-xmas-scan: This command protects against DoS TCP XMAS scan attacks in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of unusually configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
  • Page 921 | Chapter: General Security Measures | Denial of Service Protection. EXAMPLE Console(config)#dos-protection udp-flooding 65 Console(config)# dos-protection win-nuke: This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets carrying the TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a "Blue Screen of Death."...
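The packet signatures the dos-protection commands on pages 918 to 921 describe (echo/chargen, smurf, TCP NULL, SYN-FIN, XMAS, WinNuke) and the way each feature is expressed on this switch as "Disabled, N kbits/second", as an added Python example that is not part of the manual or the switch firmware: classify() matches the signatures against a parsed IPv4 packet, and DosProtection rate-limits the matching traffic per feature to the configured kbit/s. The page does not say which packets tcp-flooding and udp-flooding count; here they are assumed to cover TCP segments with SYN set and ACK clear, and all UDP, respectively. Function and class names are hypothetical; the packets are constructed samples with zero checksums.

```python
import socket
import struct
from collections import Counter

URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
FEATURES = ("echo-chargen", "smurf", "tcp-flooding", "tcp-null-scan", "syn-fin-scan",
            "tcp-xmas-scan", "udp-flooding", "win-nuke")


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 packet (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp(icmp_type, code=0):
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def classify(pkt):
    """Names of the dos-protection features whose signature the packet matches."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst, l4 = pkt[9], socket.inet_ntoa(pkt[16:20]), pkt[ihl:]
    hits = set()
    if proto == IPPROTO_TCP:
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        flags = l4[13] & 0x3F                 # control bits, 14th byte of the TCP header
        if seq == 0 and flags == 0:
            hits.add("tcp-null-scan")
        if flags & SYN and flags & FIN:
            hits.add("syn-fin-scan")
        if seq == 0 and flags == URG | PSH | FIN:
            hits.add("tcp-xmas-scan")
        if dport == 139 and flags & URG:
            hits.add("win-nuke")              # OOB data to NetBIOS
        if flags & SYN and not flags & ACK:
            hits.add("tcp-flooding")          # assumption: flood feature counts connection requests
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        hits.add("udp-flooding")              # assumption: flood feature counts all UDP
        if {sport, dport} & {7, 19}:
            hits.add("echo-chargen")          # echo <-> chargen loop
    elif proto == IPPROTO_ICMP and l4[0] == 8 and dst == "255.255.255.255":
        hits.add("smurf")                     # Echo Request to the broadcast address
    return hits


class DosProtection:
    """Each feature is disabled by default and, once enabled, rate-limits the
    matching traffic to N kbit/s (the manual's 'Disabled, 1000 kbits/second')."""

    def __init__(self):
        self.features = {name: (False, 1000) for name in FEATURES}
        self.bits = Counter()   # (feature, second) -> bits admitted

    def enable(self, name, kbps=1000):
        if name not in self.features:
            raise ValueError(name)
        self.features[name] = (True, kbps)

    def admit(self, pkt, now):
        """True if the packet is forwarded, False if an enabled feature's limit drops it."""
        size = len(pkt) * 8
        for name in classify(pkt):
            enabled, kbps = self.features[name]
            if not enabled:
                continue
            key = (name, int(now))
            if self.bits[key] + size > kbps * 1000:
                return False
            self.bits[key] += size
        return True
```

Because the switch limits rather than blocks, a low limit such as the 65 kbit/s in the page's examples still lets a trickle of scan packets through; the value is a damage cap for the CPU and the victim, not a filter.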
  • Page 922 | Chapter: General Security Measures | Denial of Service Protection. WinNuke Attack : Disabled, 1000 kilobits per second Console#...
  • Page 923: Table 100: Access Control List Commands

    ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 924 | Chapter: Access Control Lists | IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX [no] access-list ip {standard | extended} acl-name; standard –...
  • Page 925 | Chapter: Access Control Lists | IPv4 ACLs. permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 926 | Chapter: Access Control Lists | IPv4 ACLs. permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 927 | Chapter: Access Control Lists | IPv4 ACLs. control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. time-range-name - Name of the time range. (Range: 1-16 characters) DEFAULT SETTING...
  • Page 928 | Chapter: Access Control Lists | IPv4 ACLs. EXAMPLE This example accepts any incoming packet whose source address is within subnet 10.7.1.x. The rule matches when the rule's masked address (10.7.1.0 & 255.255.255.0) equals the packet's masked source address (for example 10.7.1.2 & 255.255.255.0); a matching packet passes through.
  • Page 929 | Chapter: Access Control Lists | IPv4 ACLs. COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. EXAMPLE Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 930: Table 102: Ipv6 Acl Commands

    Chapter: Access Control Lists | IPv6 ACLs. EXAMPLE Console#show ip access-list standard; IP standard access-list david: permit host 10.1.1.21; permit 168.92.0.0 255.255.15.0; Console# RELATED COMMANDS permit, deny (939); ip access-group (942). IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.
  • Page 931 | Chapter: Access Control Lists | IPv6 ACLs. COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
  • Page 932 | Chapter: Access Control Lists | IPv6 ACLs. DEFAULT SETTING None COMMAND MODE Standard IPv6 ACL COMMAND USAGE New rules are appended to the end of the list. EXAMPLE This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 933 | Chapter: Access Control Lists | IPv6 ACLs. to indicate the appropriate number of zeros required to fill the undefined fields. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 934 | Chapter: Access Control Lists | IPv6 ACLs. This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43.” Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# RELATED COMMANDS access-list ipv6 (944); Time Range (764). show ipv6 access-list: This command displays the rules for configured IPv6 ACLs. SYNTAX show ipv6 access-list {standard | extended} [acl-name]...
  • Page 935 | Chapter: Access Control Lists | IPv6 ACLs. ipv6 access-group: This command binds a port to an IPv6 ACL. Use the no form to remove the port. SYNTAX ipv6 access-group acl-name {in | out} [time-range time-range-name] [counter]; no ipv6 access-group acl-name {in | out}; acl-name –...
  • Page 936: Table 103: Mac Acl Commands

    | Access Control Lists, MAC ACLs. Related Commands: ipv6 access-group (949). MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 937 | Access Control Lists, MAC ACLs. Example: Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands: permit, deny (951); mac access-group (953); show mac access-list (954). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address) or Ethernet protocol type.
  • Page 938 | Access Control Lists, MAC ACLs. {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name]; no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask]; {permit | deny} untagged-802.3...
  • Page 939 | Access Control Lists, MAC ACLs. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: 0800 - IP; 0806 - ARP; 8137 - IPX. Example: This rule permits packets from any source MAC address to the destination address 00-17-7c-94-34-de where the Ethernet type is 0800.
  • Page 940 | Access Control Lists, MAC ACLs. Related Commands: show mac access-list (954); Time Range (764). show mac access-group: This command shows the ports assigned to MAC ACLs. Command Mode: Privileged Exec. Example: Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# Related Commands:...
  • Page 941: Table 104: Arp Acl Commands

    | Access Control Lists, ARP ACLs. ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 942 | Access Control Lists, ARP ACLs. permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. Syntax: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 943: Table 105: Acl Information Commands

    | Access Control Lists, ACL Information. Example: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# Related Commands: access-list arp (955). This command displays the rules for configured ARP ACLs.
  • Page 944 | Access Control Lists, ACL Information. clear access-list hardware counters: This command clears the hit counter for the rules in all ACLs, or for the rules in a specified ACL. Syntax: clear access-list hardware counters [acl-name]. acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode: Privileged Exec. Example:...
  • Page 945 | Access Control Lists, ACL Information. ipv6 standard – Shows ingress or egress rules for Standard IPv6 ACLs. mac – Shows ingress or egress rules for MAC ACLs. tcam-utilization – Shows the user-configured ACL rules as a percentage of the total ACL rules. acl-name –...
  • Page 946: Media-Type

    Interface Commands. These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN, or to perform cable diagnostics on the specified interface. Table 106: Interface Commands (Command | Function | Mode). Interface Configuration: interface - Configures an interface type and enters interface configuration mode; alias - Configures an alias name for the interface...
  • Page 947 | Interface Commands, Interface Configuration. Table 106: Interface Commands (Continued) (Command | Function | Mode). Power Savings: power-save - Enables power savings mode on the specified port; show power-save - Shows the configuration settings for power savings. Enabling hardware-level storm control with this command on a port will disable software-level automatic storm control on the same port if configured by the auto-traffic-control...
  • Page 948 | Interface Commands, Interface Configuration. alias: This command configures an alias name for the interface. Use the no form to remove the alias name. Syntax: alias string; no alias. string - A mnemonic name to help you remember what is attached to this interface.
  • Page 949: Speed-Duplex

    | Interface Commands, Interface Configuration. Default Setting: 100BASE-FX: 100full (SFP / SFP+); 1000BASE-T: 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/ZX (SFP / SFP+): 1000full; 10GBASE-SR/LR/ER (SFP+): 10Gfull. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: 10GBASE-SFP+ connections are fixed at 10G, full duplex. When auto-negotiation is enabled, the only attributes which can be advertised include flow control and symmetric pause frames.
  • Page 950 | Interface Commands, Interface Configuration. Default Setting: None. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer and the product name.
  • Page 951 | Interface Commands, Interface Configuration. Example: The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands: negotiation (967); capabilities (flowcontrol, symmetric) (963). media-type: This command forces the port type selected for combination ports. Use the no form to restore the default mode.
  • Page 952 | Interface Commands, Interface Configuration. negotiation: This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. Syntax: [no] negotiation. Default Setting: Enabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 953 | Interface Commands, Interface Configuration. Command Usage: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. Example: The following example disables port 5.
  • Page 954: Switchport Packet-Rate

    | Interface Commands, Interface Configuration. Example: The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# Related Commands: negotiation (967); capabilities (963). switchport packet-rate: This command configures broadcast, multicast and unknown unicast storm control.
  • Page 955 | Interface Commands, Interface Configuration. Using both rate limiting and storm control on the same interface may lead to unexpected results. For example, suppose broadcast storm control is set to 500 Kbps by the command "switchport broadcast packet-rate 500", and the rate limit is set to 20000 Kbps by the command "rate-limit input 20000"...
  • Page 956: Show Interfaces Brief

    | Interface Commands, Interface Configuration. show interfaces brief: This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports. Command Mode: Privileged Exec. Example: Console#show interfaces brief Interface Name Status PVID Pri Speed/Duplex...
  • Page 957: Interface Commands

    | Interface Commands, Interface Configuration. 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protocols Input 0 QLen Output ===== Extended Iftable Stats ===== 23 Multi-cast Input 5525 Multi-cast Output 170 Broadcast Input 11 Broadcast Output ===== Ether-like Stats ===== 0 Alignment Errors 0 FCS Errors 0 Single Collision Frames...
  • Page 958: Show Interfaces Status

    | Interface Commands, Interface Configuration. show interfaces status: This command displays the status for an interface. Syntax: show interfaces status [interface]. interface: ethernet unit/port (unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-28/52)); port-channel channel-id (Range: 1-16); vlan vlan-id (Range: 1-4093). Default Setting:...
  • Page 959: Show Interfaces Switchport

    | Interface Commands, Interface Configuration. show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. Syntax: show interfaces switchport [interface]. interface: ethernet unit/port (unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-28/52)); port-channel channel-id (Range: 1-16). Default Setting:...
  • Page 960: Show Interfaces Transceiver

    | Interface Commands, Interface Configuration. Table 107: show interfaces switchport - display description (Continued) (Field | Description). Unknown-unicast Threshold: Shows if unknown unicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 969). LACP Status: Shows if Link Aggregation Control Protocol has been enabled or disabled (page 984).
  • Page 961: Cable Diagnostics

    | Interface Commands, Cable Diagnostics. Command Usage: The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, and received optical power.
  • Page 962 | Interface Commands, Cable Diagnostics. Ports are linked down while running cable diagnostics. To ensure more accurate measurement of the length to a fault, first disable power-saving mode (using the no power-save command) on the link partner before running cable diagnostics. The test takes approximately 5 seconds.
  • Page 963 | Interface Commands, Power Savings. Example: Console#show cable-diagnostics interface ethernet 1/24 Port Type Link Status Pair A (meters) Pair B (meters) Last Update -------- ---- ----------- ---------------- ---------------- ------------------- Eth 1/24 GE OK (1) OK (1) 2012-08-09 10:24:49 Console# Power Savings: This command enables power savings mode on the specified port.
  • Page 964: Show Power-Save

    | Interface Commands, Power Savings. Power saving when there is a link partner: Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter. When cable length is shorter, power consumption can be reduced since signal attenuation is proportional to cable length.
  • Page 965: Link Aggregation Commands

    Link Aggregation Commands. Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 966 | Link Aggregation Commands, Manual Configuration Commands. The ports at both ends of a connection must be configured as trunk ports. All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
  • Page 967 | Link Aggregation Commands, Manual Configuration Commands. Default Setting: src-dst-ip. Command Mode: Global Configuration. Command Usage: This command applies to all static and dynamic trunks on the switch. To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections:...
  • Page 968 | Link Aggregation Commands, Dynamic Configuration Commands. channel-group: This command adds a port to a trunk. Use the no form to remove a port from a trunk. Syntax: channel-group channel-id; no channel-group. channel-id - Trunk index (Range: 1-16). Default Setting: The current port will be added to this trunk.
  • Page 969 | Link Aggregation Commands, Dynamic Configuration Commands. A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 970 | Link Aggregation Commands, Dynamic Configuration Commands. lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax: lacp {actor | partner} admin-key key; no lacp {actor | partner} admin-key. actor - The local side of an aggregate link.
  • Page 971 | Link Aggregation Commands, Dynamic Configuration Commands. lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. Syntax: lacp {actor | partner} port-priority priority; no lacp {actor | partner} port-priority. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 972: Lacp System-Priority

    | Link Aggregation Commands, Dynamic Configuration Commands. lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax: lacp {actor | partner} system-priority priority; no lacp {actor | partner} system-priority. actor - The local side of an aggregate link.
  • Page 973 | Link Aggregation Commands, Dynamic Configuration Commands. Default Setting; Command Mode: Interface Configuration (Port Channel). Command Usage: Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 974 | Link Aggregation Commands, Trunk Status Display Commands. If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group. When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
  • Page 975: Table 109: Show Lacp Counters - Display Description

    | Link Aggregation Commands, Trunk Status Display Commands. LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 109: show lacp counters - display description (Field | Description). LACPDUs Sent: Number of valid LACPDUs transmitted from this channel group. LACPDUs Received: Number of valid LACPDUs received on this channel group.
  • Page 976: Table 111: Show Lacp Neighbors - Display Description

    | Link Aggregation Commands, Trunk Status Display Commands. Table 110: show lacp internal - display description (Continued) (Field | Description). Admin State, Oper State: Administrative or operational values of the actor's state parameters: Expired – The actor's receive machine is in the expired state; Defaulted –...
  • Page 977: Table 112: Show Lacp Sysid - Display Description

    | Link Aggregation Commands, Trunk Status Display Commands. Table 111: show lacp neighbors - display description (Continued) (Field | Description). Port Oper Priority: Priority value assigned to this aggregation port by the partner. Admin Key: Current administrative value of the Key for the protocol partner. Oper Key: Current operational value of the Key for the protocol partner.
  • Page 978: Mirroring Commands

    Port Mirroring Commands. Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 979 | Port Mirroring Commands, Local Port Mirroring Commands. vlan-id - VLAN ID (Range: 1-4093). mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters) Default Setting: No mirror session is defined.
  • Page 980: Show Port Monitor

    | Port Mirroring Commands, Local Port Mirroring Commands. The destination port cannot be a trunk or trunk member port. ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: Use the access-list command (page 937) to add an ACL.
  • Page 981: Table 115: Rspan Commands

    | Port Mirroring Commands, RSPAN Mirroring Commands. Command Mode: Privileged Exec. Command Usage: This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). Example: The following shows mirroring configured from port 6 to port 5: Console(config)#interface ethernet 1/5 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end...
  • Page 982 | Port Mirroring Commands, RSPAN Mirroring Commands. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch's role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
  • Page 983 | Port Mirroring Commands, RSPAN Mirroring Commands. rspan source: Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type. Syntax: [no] rspan session session-id source interface interface-list [rx | tx | both]...
  • Page 984 | Port Mirroring Commands, RSPAN Mirroring Commands. rspan destination: Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port. Syntax: rspan session session-id destination interface interface [tagged | untagged]; no rspan session session-id destination interface interface. session-id –...
  • Page 985 | Port Mirroring Commands, RSPAN Mirroring Commands. Example: The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/2 Console(config)# rspan remote vlan: Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
  • Page 986 | Port Mirroring Commands, RSPAN Mirroring Commands. Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. Only destination and uplink ports will be assigned by the switch as members of this VLAN.
  • Page 987 | Port Mirroring Commands, RSPAN Mirroring Commands. show rspan: Use this command to display the configuration settings for an RSPAN session. Syntax: show rspan session [session-id]. session-id – A number identifying this RSPAN session. (Range: 1) Only two mirror sessions are allowed, including both local and remote mirroring.
  • Page 988: Table 116: Rate Limit Commands

    Rate Limit Commands. This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 989 | Rate Limit Commands. ...by the storm control command. It is therefore not advisable to use both of these commands on the same interface. Example: Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 64 Console(config-if)# Related Command: show interfaces switchport (974)
  • Page 990: Table 117: Atc Commands

    Automatic Traffic Control Commands. Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port. Table 117: ATC Commands (Command | Function | Mode). Threshold Commands: auto-traffic-control apply-timer - Sets the time at which to apply the control...
  • Page 991 | Automatic Traffic Control Commands. Table 117: ATC Commands (Continued) (Command | Function | Mode). snmp-server enable port-traps atc multicast-control-apply - Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires - IC (Port); snmp-server enable - Sends a trap when multicast traffic falls beneath...
  • Page 992 | Automatic Traffic Control Commands. ...expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
  • Page 993 | Automatic Traffic Control Commands, Threshold Commands. Threshold Commands: auto-traffic-control apply-timer: This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting. Syntax: auto-traffic-control {broadcast | multicast} apply-timer seconds; no auto-traffic-control {broadcast | multicast} apply-timer...
  • Page 994 | Automatic Traffic Control Commands, Threshold Commands. seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 1-900 seconds) Default Setting: 900 seconds. Command Mode: Global Configuration. Command Usage: This command sets the delay after which the control response can be terminated.
  • Page 995 | Automatic Traffic Control Commands, Threshold Commands. Example: This example enables automatic storm control for broadcast traffic on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast Console(config-if)# auto-traffic-control: This command sets the control action to limit ingress traffic or shut down the offending port.
  • Page 996 | Automatic Traffic Control Commands, Threshold Commands. Example: This example sets the control response for broadcast traffic on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast action shutdown Console(config-if)# auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer...
  • Page 997 | Automatic Traffic Control Commands, Threshold Commands. Example: This example sets the clear threshold for automatic storm control for broadcast traffic on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155 Console(config-if)# auto-traffic-control: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.
  • Page 998 | Automatic Traffic Control Commands, Threshold Commands. auto-traffic-control auto-control-release: This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired. Syntax: auto-traffic-control {broadcast | multicast} auto-control-release. broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
  • Page 999 | Automatic Traffic Control Commands, SNMP Trap Commands. Example: Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast control-release Console(config-if)# SNMP Trap Commands: snmp-server enable port-traps atc: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
  • Page 1000 | Automatic Traffic Control Commands, SNMP Trap Commands. Related Commands: auto-traffic-control alarm-fire-threshold (1014). snmp-server enable port-traps atc: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.

This manual is also suitable for:

Dg-gs4528fse