Edge-Core ES3510MA-DC Management Manual

Layer 2 switch with 8 10/100BASE-TX (RJ-45) ports and 2 Gigabit combination ports (RJ-45/SFP)

8-Port Layer 2
Management Guide
Fast Ethernet Switch
www.edge-core.com

Summary of Contents for Edge-Core ES3510MA-DC

  • Page 1 8-Port Layer 2 Management Guide Fast Ethernet Switch www.edge-core.com...
  • Page 3 Management Guide ES3510MA-DC Fast Ethernet Switch Layer 2 Switch with 8 10/100BASE-TX (RJ-45) Ports, and 2 Gigabit Combination Ports (RJ-45/SFP) ES3510MA-DC E122010/ST-R01 150200000251A...
  • Page 5: About This Guide

    About This Guide. Purpose: This guide gives specific information on how to operate and use the management functions of the switch. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 7: Table Of Contents

    Contents About This Guide Contents Figures Tables Section Getting Started Introduction Key Features Description of Software Features System Defaults Initial Switch Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Downloading a Configuration File Referenced by a DHCP Server Enabling SNMP Management Access Managing System Files...
  • Page 8 Contents Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu Basic Management Tasks Displaying System Information Displaying Hardware/Software Versions Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Managing System Files Copying Files via TFTP or HTTP Saving the Running Configuration to a Local File Setting The Start-Up File Showing System Files...
  • Page 9 Contents Trunk Configuration Configuring a Static Trunk Configuring a Dynamic Trunk Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Saving Power Traffic Segmentation Enabling Traffic Segmentation Configuring Uplink and Downlink Ports VLAN Trunking 6 VLAN C...
  • Page 10 Contents Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP Rate Limit Configuration 10 Storm Control Configuration 11 Class of Service Layer 2 Queue Settings Setting the Default Priority for Interfaces Selecting the Queue Mode Mapping CoS Values to Egress Queues Layer 3/4 Priority Settings...
  • Page 11 Contents Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports Configuring Port Link Detection Configuring a MAC Address Filter Displaying Secure MAC Address Information Configuring HTTPS Configuring Global Settings for HTTPS Replacing the Default Secure-site Certificate Configuring the Secure Shell Configuring the SSH Server Generating the Host Key Pair...
  • Page 12 Contents Displaying 802.1X Statistics IP Source Guard Configuring Ports for IP Source Guard Configuring Static Bindings for IP Source Guard Displaying Information for Dynamic IP Source Guard Bindings DHCP Snooping DHCP Snooping Configuration DHCP Snooping VLAN Configuration Configuring Ports for DHCP Snooping Displaying DHCP Snooping Binding Information 15 Basic...
  • Page 13 Contents Switch Clustering Configuring General Settings for Clusters Cluster Member Configuration Managing Cluster Members 16 IP Configuration Using the Ping Function Address Resolution Protocol Setting the ARP Timeout Displaying ARP Entries Setting the Switch’s IP Address (IP Version 4) Configuring the IPv4 Default Gateway Configuring IPv4 Interface Settings Setting the Switch’s IP Address (IP Version 6)
  • Page 14 Contents Configuring IGMP Filter Profiles Configuring IGMP Filtering and Throttling for Interfaces Multicast VLAN Registration Configuring Global MVR Settings Configuring MVR Group Address Ranges Configuring MVR Interface Status Assigning Static Multicast Groups to Interfaces Displaying MVR Receiver Groups Section Command Line Interface 19 Using the...
  • Page 15 Contents reload (Privileged Exec) show reload exit 21 System Management Commands Device Designation hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note...
  • Page 16 Contents whichboot upgrade opcode auto upgrade opcode path Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail...
  • Page 17 Contents sntp poll sntp server show sntp clock timezone calendar set show calendar Time Range time-range absolute periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 22 SNMP Commands snmp-server snmp-server community...
  • Page 18 Contents snmp-server notify-filter show nlm oper-status show snmp notify-filter 23 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 24 Authentication Commands User Accounts enable password username...
  • Page 19 Contents aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting Web Server ip http port ip http server ip http secure-server ip http secure-port Telnet Server ip telnet max-sessions ip telnet port ip telnet server show ip telnet...
  • Page 20 Contents dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate dot1x identity profile dot1x max-start dot1x pae supplicant dot1x timeout auth-period dot1x timeout held-period dot1x timeout start-period show dot1x Management IP Filter management...
  • Page 21 Contents mac-authentication intrusion-action mac-authentication max-mac-count clear network-access show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary DHCP Snooping ip dhcp snooping ip dhcp snooping database flash...
  • Page 22 Contents ip arp inspection filter ip arp inspection log-buffer logs ip arp inspection validate ip arp inspection vlan ip arp inspection limit ip arp inspection trust show ip arp inspection configuration show ip arp inspection interface show ip arp inspection log show ip arp inspection statistics show ip arp inspection vlan 26 A...
  • Page 23 Contents ACL Information show access-group show access-list 27 Interface Commands interface alias capabilities description flowcontrol media-type negotiation shutdown speed-duplex switchport packet-rate clear counters show interfaces brief show interfaces counters show interfaces status show interfaces switchport show interfaces transceiver test cable-diagnostics show cable-diagnostics power-save show power-save...
  • Page 24 Contents show port monitor RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 30 Rate Limit Commands rate-limit 31 Automatic Traffic Control Commands auto-traffic-control apply-timer auto-traffic-control release-timer auto-traffic-control auto-traffic-control action auto-traffic-control alarm-clear-threshold auto-traffic-control alarm-fire-threshold auto-traffic-control auto-control-release auto-traffic-control control-release snmp-server enable port-traps atc broadcast-alarm-clear...
  • Page 25 Contents 33 Spanning Tree Commands spanning-tree spanning-tree cisco-prestandard spanning-tree forward-time spanning-tree hello-time spanning-tree max-age spanning-tree mode spanning-tree pathcost method spanning-tree priority spanning-tree mst configuration spanning-tree system-bpdu-flooding spanning-tree transmission-limit max-hops mst priority mst vlan name revision spanning-tree bpdu-filter spanning-tree bpdu-guard spanning-tree cost spanning-tree edge-port spanning-tree link-type spanning-tree loopback-detection...
  • Page 26 Contents 34 ERPS Commands erps erps domain control-vlan enable guard-timer holdoff-timer major-domain meg-level node-id propagate-tc ring-port rpl owner wtr-timer show erps 35 VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp garp timer switchport forbidden vlan switchport gvrp show bridge-ext show garp timer show gvrp configuration...
  • Page 27 Contents Displaying VLAN Information show vlan Configuring IEEE 802.1Q Tunneling dot1q-tunnel system-tunnel-control switchport dot1q-tunnel mode switchport dot1q-tunnel service match cvid switchport dot1q-tunnel tpid show dot1q-tunnel Configuring Port-based Traffic Segmentation traffic-segmentation show traffic-segmentation Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group Configuring IP Subnet VLANs...
  • Page 28 Contents show queue mode show queue weight Priority Commands (Layer 3 and 4) qos map cos-dscp qos map dscp-mutation qos map phb-queue qos map trust-mode show qos map dscp-mutation show qos map phb-queue show qos map cos-dscp show qos map trust-mode 37 Quality of Service...
  • Page 29 Contents ip igmp snooping tcn-flood ip igmp snooping tcn-query-solicit ip igmp snooping unregistered-data-flood ip igmp snooping unsolicited-report-interval ip igmp snooping version ip igmp snooping version-exclusive ip igmp snooping vlan general-query-suppression ip igmp snooping vlan immediate-leave ip igmp snooping vlan last-memb-query-count ip igmp snooping vlan last-memb-query-intvl ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address...
  • Page 30 Contents mvr vlan mvr immediate-leave mvr type mvr vlan group show mvr 39 LLDP Commands lldp lldp holdtime-multiplier lldp med-fast-start-count lldp notification-interval lldp refresh-interval lldp reinit-delay lldp tx-delay lldp admin-status lldp basic-tlv management-ip-address lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name lldp dot1-tlv proto-ident...
  • Page 31 Contents show lldp info statistics 40 CFM Commands ethernet cfm ais level ethernet cfm ais ma ethernet cfm ais period ethernet cfm ais suppress alarm ethernet cfm domain ethernet cfm enable ma index name vlan ma index name-format ethernet cfm mep ethernet cfm port-enable clear ethernet cfm ais mpid show ethernet cfm configuration...
  • Page 32 Contents show ethernet cfm linktrace-cache ethernet cfm loopback mep fault-notify lowest-priority mep fault-notify alarm-time mep fault-notify reset-time show ethernet cfm fault-notify-generator ethernet cfm delay-measure two-way 41 OAM Commands efm oam efm oam critical-link-event efm oam link-monitor frame efm oam link-monitor frame threshold...
  • Page 33 Contents 43 DHCP Commands DHCP Client ip dhcp client class-id ip dhcp restart client ipv6 dhcp restart client vlan show ipv6 dhcp duid show ipv6 dhcp vlan 44 IP Interface Commands IPv4 Interface...
  • Page 34 Contents ipv6 nd reachable-time clear ipv6 neighbors show ipv6 neighbors Section Appendices Software Specifications Software Features Management Features Standards Management Information Bases Troubleshooting Problems Accessing the Management Interface Using System Logs License...
  • Page 35: Figures

    Figures Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 36 Figures Figure 32: Configuring Remote Port Mirroring (Intermediate) Figure 33: Configuring Remote Port Mirroring (Destination) Figure 34: Showing Port Statistics (Table) Figure 35: Showing Port Statistics (Chart) Figure 36: Performing Cable Tests Figure 37: Configuring Static Trunks Figure 38: Creating Static Trunks Figure 39: Adding Static Trunks Members Figure 40: Configuring Connection Parameters for a Static Trunk Figure 41: Showing Information for Static Trunks...
  • Page 37 Figures Figure 68: Showing Dynamic VLANs Registered on the Switch Figure 69: Showing the Members of a Dynamic VLAN Figure 70: QinQ Operational Concept Figure 71: Enabling QinQ Tunneling Figure 72: Adding an Interface to a QinQ Tunnel Figure 73: Configuring Protocol VLANs Figure 74: Displaying Protocol VLANs Figure 75: Assigning Interfaces to Protocol VLANs Figure 76: Showing the Interface to Protocol Group Mapping...
  • Page 38 Figures Figure 104: Displaying Global Settings for an MST Instance Figure 105: Adding a VLAN to an MST Instance Figure 106: Displaying Members of an MST Instance Figure 107: Configuring MSTP Interface Settings Figure 108: Displaying MSTP Interface Settings Figure 109: Configuring Rate Limits Figure 110: Configuring Storm Control Figure 111: Setting the Default Port Priority Figure 112: Setting the Queue Mode (Strict)
  • Page 39 Figures Figure 140: Showing AAA Server Groups Figure 141: Configuring Global Settings for AAA Accounting Figure 142: Configuring AAA Accounting Methods Figure 143: Showing AAA Accounting Methods Figure 144: Configuring AAA Accounting Service for 802.1X Service Figure 145: Configuring AAA Accounting Service for Exec Service Figure 146: Displaying a Summary of Applied AAA Accounting Methods Figure 147: Displaying Statistics for AAA Accounting Sessions Figure 148: Configuring AAA Authorization Methods...
  • Page 40 Figures Figure 176: Configuring a Standard IPv4 ACL Figure 177: Configuring an Extended IPv4 ACL Figure 178: Configuring a Standard IPv6 ACL Figure 179: Configuring an Extended IPv6 ACL Figure 180: Configuring a MAC ACL Figure 181: Configuring a ARP ACL Figure 182: Binding a Port to an ACL Figure 183: Configuring Global Settings for ARP Inspection Figure 184: Configuring VLAN Settings for ARP Inspection...
  • Page 41 Figures Figure 212: Displaying Local Device Information for LLDP (Port) Figure 213: Displaying Remote Device Information for LLDP (Port) Figure 214: Displaying Remote Device Information for LLDP (Port Details) Figure 215: Displaying LLDP Device Statistics (General) Figure 216: Displaying LLDP Device Statistics (Port) Figure 217: Configuring Global Settings for SNMP Figure 218: Configuring the Local Engine ID for SNMP Figure 219: Configuring a Remote Engine ID for SNMP...
  • Page 42 Figures Figure 248: Configuring a Cluster Members Figure 249: Showing Cluster Members Figure 250: Showing Cluster Candidates Figure 251: Managing a Cluster Member Figure 252: Pinging a Network Device Figure 253: Setting the ARP Timeout Figure 254: Displaying ARP Entries Figure 255: Configuring the IPv4 Default Gateway Figure 256: Configuring a Static IPv4 Address Figure 257: Configuring a Dynamic IPv4 Address...
  • Page 43 Figures Figure 284: Configuring IGMP Snooping on an Interface Figure 285: Showing Interface Settings for IGMP Snooping Figure 286: Showing Multicast Groups Learned by IGMP Snooping Figure 287: Enabling IGMP Filtering and Throttling Figure 288: Creating an IGMP Filtering Profile Figure 289: Showing the IGMP Filtering Profiles Created Figure 290: Adding Multicast Groups to an IGMP Filtering Profile Figure 291: Showing the Groups Assigned to an IGMP Filtering Profile...
  • Page 45: Tables

    Tables Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Internal Configuration Information Table 11: Traffic Segmentation Forwarding...
  • Page 46 Tables Table 32: Show IPv6 Neighbors - display description Table 33: Show IPv6 Statistics - display description Table 34: Show MTU - display description Table 35: General Command Modes Table 36: Configuration Command Modes Table 37: Keystroke Commands Table 38: Command Group Index Table 39: General Commands Table 40: System Management Commands Table 41: Device Designation Commands...
  • Page 47 Tables Table 68: AAA Commands Table 69: Web Server Commands Table 70: HTTPS System Support Table 71: Telnet Server Commands Table 72: Secure Shell Commands Table 73: show ssh - display description Table 74: 802.1X Port Authentication Commands Table 75: Management IP Filter Commands Table 76: General Security Commands Table 77: Management IP Filter Commands Table 78: Network Access Commands...
  • Page 48 Tables Table 104: Recommended STA Path Cost Range Table 105: Default STA Path Costs Table 106: ERPS Commands Table 107: show erps - summary display description Table 108: show erps domain - detailed display description Table 109: VLAN Commands Table 110: GVRP and Bridge Extension Commands Table 111: Commands for Editing VLAN Groups Table 112: Commands for Configuring VLAN Interfaces Table 113: Commands for Displaying VLAN Information...
  • Page 49 Tables Table 140: show ethernet cfm maintenance-points remote detail - display Table 141: show ethernet cfm errors - display description Table 142: show ethernet cfm linktrace-cache - display description Table 143: Remote MEP Priority Levels Table 144: MEP Defect Descriptions Table 145: show fault-notify-generator - display description Table 146: OAM Commands...
  • Page 51: Section I

    Section I: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: "Introduction" on page 53...
  • Page 53: Key Features

    Introduction: This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 54: Description Of Software Features

    Table 1: Key Features (Continued). Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames. Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP). Virtual LANs: Up to 4093 using IEEE 802.1Q, port-based, protocol-based, voice VLANs, and QinQ tunnel...
  • Page 55 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).
  • Page 56 Storm Control: Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
  • Page 57 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
  • Page 58 frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network. Traffic Prioritization: This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing.
  • Page 59: System Defaults

    MED information can be used by SNMP applications to simplify troubleshooting, enhance network management, and maintain an accurate network topology. Ethernet Ring Protection Switching: ERPS can also be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN). ERPS technology converges in a little over 50 ms.
  • Page 60 Table 2: System Defaults (Continued). Web Management: HTTP Server: Enabled; HTTP Port Number; HTTP Secure Server: Enabled; HTTP Secure Server Port. SNMP: SNMP Agent: Enabled; Community Strings: “public” (read only), “private” (read/write); Traps: Authentication traps: enabled, Link-up-down events: enabled...
  • Page 61 Table 2: System Defaults (Continued). Traffic Prioritization: Ingress Port Priority; Queue Mode; Queue Weight: Queue: 0 1 2 3, Weight: 1 2 4 6; Class of Service: Enabled; IP Precedence Priority: Disabled; IP DSCP Priority: Disabled. IP Settings...
  • Page 63: Initial Switch Configuration

    Initial Switch Configuration: This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 64: Required Connections

    ◆ Control port access through IEEE 802.1X security or static address filtering
    ◆ Filter packets using Access Control Lists (ACLs)
    ◆ Configure up to 256 IEEE 802.1Q VLANs
    ◆ Enable GVRP automatic VLAN registration...
  • Page 65: Remote Connections

    ■ Set flow control to none.
    ■ Set the emulation mode to VT100.
    ■ When using HyperTerminal, select Terminal keys, not Windows keys.
    Once you have set up the terminal correctly, the console login screen will be displayed.
  • Page 66: Basic Configuration

    Press <Enter>. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
    Username: admin
    Password:
    CLI session with the ES3510MA-DC is opened.
    To end the CLI session, enter [Exit]...
  • Page 67: Setting An Ip Address

    Console#configure
    Console(config)#username guest password 0 [password]
    Console(config)#username admin password 0 [password]
    Console(config)#
    Setting an IP Address: You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: Manual —...
  • Page 68 Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>. Type “exit” to return to the global configuration mode prompt. Press <Enter>.
  • Page 69
    VLAN 1 is up
    IPv6 is enabled.
    Link-local address:
    FE80::260:3EFF:FE11:6700/64
    Global unicast address(es):
    (None)
    Joined group address(es):
    FF02::1:FF11:6700
    FF02::1
    IPv6 link MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 3.
    ND retransmit interval is 1000 milliseconds
    Console#
    Address for Multi-segment Network —...
  • Page 70
    Console(config)#interface vlan 1
    Console(config-if)#ipv6 address 2001:DB8:2222:7272::/64
    Console(config-if)#exit
    Console(config)#ipv6 default-gateway 2001:DB8:2222:7272::254
    Console(config)#end
    Console#show ipv6 interface
    VLAN 1 is up
    IPv6 is enabled.
    Link-local address:
    FE80::260:3EFF:FE11:6700/64
    Global unicast address(es):
    2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64
    Joined group address(es):
    FF02::1:FF00:0
    FF02::1:FF11:6700
    FF02::1...
  • Page 71
    ■ To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
    ■ To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
    Type “end” to return to the Privileged Exec mode. Press <Enter>. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface”...
  • Page 72
    FE80::260:3EFF:FE11:6700/64
    Global unicast address(es):
    2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64
    Joined group address(es):
    FF02::1:FF00:0
    FF02::1:FF11:6700
    FF02::1
    IPv6 link MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 3.
    ND retransmit interval is 1000 milliseconds
    Console#
    Address for Multi-segment Network —...
  • Page 73: Downloading A Configuration File Referenced By A DHCP Server

    Downloading a Configuration File Referenced by a DHCP Server: Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration...
  • Page 74: Table 4: Options 55 And 124 Statements

    Table 4: Options 55 and 124 Statements (columns: Option, Keyword, Parameter). dhcp-parameter-request-list: a list of parameters, separated by ','. vendor-class-identifier: a string indicating the vendor class identifier. The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.conf file).
  • Page 75: Enabling Snmp Management Access

    Use “es3510ma.bix” for the vendor-class-identifier in the dhcpd.conf file. Enabling SNMP Management Access: The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as EdgeCore ECView. You can configure the switch to respond to SNMP requests or generate SNMP traps.
  • Page 76 To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>.
    Console(config)#snmp-server community admin rw
    Console(config)#snmp-server community private
    Console(config)#
    If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings.
  • Page 77: Managing System Files

    used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
    Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
    Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
    Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
    Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
    Console(config)#...
  • Page 78: Saving Or Restoring Configuration Settings

    In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded. Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings.
  • Page 79 Enter the address of the TFTP server. Press <Enter>. Enter the name of the startup file stored on the server. Press <Enter>. Enter the name for the startup file on the switch. Press <Enter>.
    Console#copy file startup-config
    Console#copy tftp startup-config
    TFTP server IP address: 192.168.0.4...
  • Page 81: Section

    Section: Web Configuration. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 83; "Basic Management Tasks" on page 99...
  • Page 83: Using The Web Interface

    Using the Web Interface: This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 84: Navigating The Web Browser Interface

    System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page. You can open a connection to the manufacturer’s web site by clicking on the Edge-core logo...
  • Page 85: Configuration Options

    Configuration Options: Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 86: Main Menu

    | Using the Web Interface HAPTER Navigating the Web Browser Interface Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu Menu Description...
  • Page 87 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 6: Switch Main Menu (Continued) Menu Description Page Mirror Sets the source and target ports for mirroring Show Shows the configured mirror sessions Statistics Shows Interface, Etherlike, and RMON port statistics Chart Shows Interface, Etherlike, and RMON port statistics Cable Test...
  • Page 88 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 6: Switch Main Menu (Continued) Menu Description Page Green Ethernet Adjusts the power provided to ports based on the length of the cable used to connect to other devices RSPAN Mirrors traffic from remote switches for analysis at a destination port on the local switch...
  • Page 89 Table 6: Switch Main Menu (Continued). Menu | Description | Page. MAC-Based: Maps traffic with specified source MAC address to a VLAN. Show: Shows source MAC address to VLAN mapping. Mirror: Mirrors traffic from one or more source VLANs to a target port. Show: Shows mirror list...
  • Page 90 Table 6: Switch Main Menu (Continued). Menu | Description | Page. Traffic. Rate Limit: Sets the input and output rate limits for a port. Storm Control: Sets the broadcast storm threshold for each interface. Priority. Default Priority: Sets the default priority for each port or trunk...
  • Page 91 Table 6: Switch Main Menu (Continued). Menu | Description | Page. Configure OUI: Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer. Show: Shows the OUI telephony list. Configure Interface: Configures VoIP traffic settings for ports, including the way in which a port is added to the Voice VLAN, filtering of non-VoIP packets, the...
  • Page 92 Table 6: Switch Main Menu (Continued). Menu | Description | Page. Web Authentication: Allows authentication and access to the network when 802.1X or Network Access authentication are infeasible or impractical. Configure Global: Configures general protocol settings. Configure Interface: Enables Web Authentication for individual ports...
  • Page 93 Table 6: Switch Main Menu (Continued). Menu | Description | Page. Adds an ACL based on IP or MAC address filtering. Show: Shows the name and type of configured ACLs. Add Rule: Configures packet filtering based on IP or MAC addresses and other packet attributes. Show Rule...
  • Page 94 Table 6: Switch Main Menu (Continued). Menu | Description | Page. LLDP. Configure Global: Configures global LLDP timing parameters. Configure Interface: Sets the message transmission mode; enables SNMP notification; and sets the LLDP attributes to advertise. Show Local Device Information. General: Displays general information about the local device...
  • Page 95 Table 6: Switch Main Menu (Continued). Menu | Description | Page. Configure Trap: Configures trap managers to receive messages on key events that occur on this switch. Show: Shows configured trap managers. RMON: Remote Monitoring. Configure Global...
  • Page 96 Table 6: Switch Main Menu (Continued). Menu | Description | Page. Show Statistics. IPv6: Shows statistics about IPv6 traffic. ICMPv6: Shows statistics about ICMPv6 messages. Shows statistics about UDP messages. Show MTU: Shows the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch...
  • Page 97 Table 6: Switch Main Menu (Continued). Menu | Description | Page. IGMP Member. Add Static Member: Statically assigns multicast addresses to the selected VLAN. Show Static Member: Shows multicast addresses statically configured on the selected VLAN. Show Current Member: Shows multicast addresses associated with the selected VLAN,...
  • Page 99: Basic

    BASIC MANAGEMENT TASKS This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. ◆ Configuring Support for Jumbo Frames –...
  • Page 100: Displaying Hardware/Software Versions

    CHAPTER | Basic Management Tasks: Displaying Hardware/Software Versions. PARAMETERS These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been...
  • Page 101: Figure 4: General Switch Information

    PARAMETERS The following parameters are displayed: Main Board Information: ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board. ◆ Internal Power Status –...
  • Page 102: Configuring Support For Jumbo Frames

    CONFIGURING SUPPORT FOR JUMBO FRAMES Use the System > Capability page to configure support for jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
  • Page 103: Displaying Bridge Extension Capabilities

    DISPLAYING BRIDGE EXTENSION CAPABILITIES Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 104: Managing System Files

    WEB INTERFACE To view Bridge Extension information: Click System, then Capability. Figure 6: Displaying Bridge Extension Configuration. MANAGING SYSTEM FILES This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Use the System >...
  • Page 105 PARAMETERS The following parameters are displayed: ◆ Copy Type – The firmware copy operation includes these options: ■ TFTP Upgrade – Copies a file from a TFTP server to the switch. ■ TFTP Download – Copies a file from the switch to a TFTP server...
  • Page 106: Saving The Running Configuration To A Local File

    Figure 7: Copy Firmware. If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Use the System > File (Copy) page to save the current configuration settings to a local file on the switch.
  • Page 107: Setting The Start-Up File

    Select Copy from the Action list. Select Running-Config from the Copy Type list. Select the current startup file on the switch to overwrite or specify a new file name. Then click Apply. Figure 8: Saving the Running Configuration. If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System >...
  • Page 108: Showing System Files

    Figure 9: Setting Start-Up Files. To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Use the System > File (Show) page to show the files in the system directory, or to delete a file.
  • Page 109: Automatic Operation Code Upgrade

    Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
  • Page 110 ◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image. ◆ If two operation code image files are already stored on the switch’s file...
  • Page 111 ftp://[username[:password@]]host[/filedir]/ ■ ftp:// – Defines FTP protocol for the server connection. ■ username – Defines the user name for the FTP connection. If the user name is omitted, then “anonymous” is the assumed user name for the connection.
  • Page 112: Figure 11: Configuring Automatic Code Upgrade

    ■ ftp://switches:upgrade@192.168.0.1/switches/opcode/ The user name is “switches” and the password is “upgrade”. The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the FTP root. WEB INTERFACE To configure automatic code upgrade: Click System, then File.
  • Page 113: Setting The System Clock

    SETTING THE SYSTEM CLOCK Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 114: Setting The Sntp Polling Interval

    Figure 12: Manually Setting the System Clock. Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI R...
  • Page 115: Specifying Sntp Time Servers

    Figure 13: Setting the Polling Interval for SNTP. Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers. CLI REFERENCES...
  • Page 116: Setting The Time Zone

    Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 117: Console Port Settings

    CONSOLE PORT SETTINGS Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 118: Figure 16: Console Port Settings

    The password for the console connection can only be configured through the CLI (see "password" on page 539). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
  • Page 119: Telnet Settings

    TELNET SETTINGS Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
  • Page 120: Displaying Cpu Utilization

    authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch. WEB INTERFACE To configure parameters for the console port: Click System, then Telnet.
  • Page 121: Displaying Memory Utilization

    Change the update interval if required. Note that the interval is changed as soon as a new setting is selected. Figure 18: Displaying CPU Utilization. DISPLAYING MEMORY UTILIZATION Use the System > Memory Status page to display memory utilization parameters.
  • Page 122: Resetting The System

    Figure 19: Displaying Memory Utilization. RESETTING THE SYSTEM Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI REFERENCES "reload (Privileged Exec)"...
  • Page 123 ■ MM - The month at which to reload. (january ... december) ■ YYYY - The year at which to reload. (Range: 2001-2050) ■ HH - The hour at which to reload. (Range: 0-23)...
  • Page 124: Figure 20: Restarting The Switch (Immediately)

    Figure 20: Restarting the Switch (Immediately). Figure 21: Restarting the Switch (In).
  • Page 125: Figure 22: Restarting The Switch (At)

    Figure 22: Restarting the Switch (At). Figure 23: Restarting the Switch (Regularly).
  • Page 127: Interface Configuration

    INTERFACE CONFIGURATION This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
  • Page 128 CHAPTER | Interface Configuration: Port Configuration. COMMAND USAGE ◆ Auto-negotiation must be disabled before you can configure or force an RJ-45 interface to use the Speed/Duplex mode or Flow Control options. ◆ When using auto-negotiation, the optimal settings will be negotiated...
  • Page 129 ■ 10f - Supports 10 Mbps full-duplex operation ■ 100h - Supports 100 Mbps half-duplex operation ■ 100f - Supports 100 Mbps full-duplex operation ■ 1000f (Gigabit ports only) - Supports 1000 Mbps full-duplex operation ■ Sym (Gigabit only) - Check this item to transmit and receive pause...
  • Page 130: Configuring By Port Range

    Figure 24: Configuring Connections by Port List. Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 131: Displaying Connection Status

    Figure 25: Configuring Connections by Port Range. Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI REFERENCES ◆...
  • Page 132: Configuring Local Port Mirroring

    Select Show Information from the Action List. Figure 26: Displaying Port Information. Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 133: Figure 28: Configuring Local Port Mirroring

    ◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring.
  • Page 134: Configuring Remote Port Mirroring

    Figure 29: Displaying Local Port Mirror Sessions. Use the Interface > Port > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports for each session over a user-...
  • Page 135 ◆ Configuration Guidelines: Take the following step to configure an RSPAN session: Use the VLAN Static List (see "Configuring VLAN Groups" on page 168) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN”...
  • Page 136 port is configured as an RSPAN uplink port, port security cannot be enabled on that port. PARAMETERS These parameters are displayed: ◆ Session – A number identifying this RSPAN session. (Range: 1-2) Only two mirror sessions are allowed, including both local and remote mirroring.
  • Page 137: Figure 31: Configuring Remote Port Mirroring (Source)

    configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. Also note that a destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
  • Page 138: Showing Port Or Trunk Statistics

    Figure 33: Configuring Remote Port Mirroring (Destination). Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 139 Table 7: Port Statistics (Continued). Parameter | Description. Transmitted Errors: The number of outbound packets that could not be transmitted because of errors. Received Unicast Packets: The number of subnetwork-unicast packets delivered to a higher-layer protocol.
  • Page 140 Table 7: Port Statistics (Continued). Parameter | Description. Internal MAC Receive Errors: A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. Internal MAC Transmit Errors: A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
  • Page 141: Figure 34: Showing Port Statistics (Table)

    WEB INTERFACE To show a list of port statistics: Click Interface, Port, Statistics. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization). Select a port from the drop-down list. Use the Refresh button at the bottom of the page if you need to update the screen.
  • Page 142: Performing Cable Diagnostics

    Figure 35: Showing Port Statistics (Chart). Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 143: Figure 36: Performing Cable Tests

    ■ Not Supported: This message is displayed for any Fast Ethernet ports that are linked up, or for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps. ■ Impedance mismatch: Terminating impedance is not in the...
  • Page 144: Trunk Configuration

    TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 145: Configuring A Static Trunk

    Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters. Figure 37: Configuring Static Trunks (figure labels: statically configured; active links). CLI REFERENCES "Link Aggregation Commands"...
  • Page 146: Figure 38: Creating Static Trunks

    Set the unit and port for the initial trunk member. Click Apply. Figure 38: Creating Static Trunks. To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list.
  • Page 147: Configuring A Dynamic Trunk

    Figure 40: Configuring Connection Parameters for a Static Trunk. To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 41: Showing Information for Static Trunks. Use the Interface >...
  • Page 148 ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. ◆ If more than eight ports attached to the same target switch have LACP...
  • Page 149: Figure 43: Configuring The Lacp Aggregator Admin Key

    other switches during LAG negotiations. (Range: 0-65535; Default: 32768) System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. Port Priority –...
  • Page 150: Figure 44: Enabling Lacp On A Port

    To enable LACP for a port: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click General. Enable LACP on the required ports. Click Apply. Figure 44: Enabling LACP on a Port. To configure LACP parameters for group members: Click Interface, Trunk, Dynamic.
  • Page 151: Figure 45: Configuring Lacp Parameters On A Port

    Figure 45: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Show Member from the Action List. Select a Trunk.
  • Page 152: Displaying Lacp Port Counters

    Figure 47: Configuring Connection Settings for Dynamic Trunks. To display connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Show from the Action List. Figure 48: Displaying Connection Parameters for Dynamic Trunks. Use the Interface >...
  • Page 153 Table 8: LACP Port Counters (Continued). Parameter | Description. Marker Unknown Pkts: Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 154: Displaying Lacp Settings And Status For The Local Side

    Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI R...
  • Page 155: Displaying Lacp Settings And Status For The Remote Side

    Figure 50: Displaying LACP Port Internal Information. Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
  • Page 156: Saving Power

    WEB INTERFACE To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Internal. Select a group member from the Port list. Figure 51: Displaying LACP Port Remote Information. SAVING POWER...
  • Page 157 of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity. ◆ The power-saving methods provided by this switch include: ■ Power saving when there is no link partner:...
  • Page 158: Traffic Segmentation

    Figure 52: Enabling Power Savings. TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 159 ■ Forwarding – Forwards traffic between uplink ports assigned to different sessions. WEB INTERFACE To enable traffic segmentation: Click Interface, Traffic Segmentation. Select Configure Global from the Step list. Mark the Status check box, and set the required uplink-to-uplink mode. Click Apply.
  • Page 160: Configuring Uplink And Downlink Ports

    Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports.
  • Page 161: Figure 54: Configuring Members For Traffic Segmentation

    PARAMETERS These parameters are displayed: ◆ Session ID – Traffic segmentation session. (Range: 1-4) ◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink) ◆ Interface –...
  • Page 162: Vlan Trunking

    WEB INTERFACE To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list. Figure 55: Showing Traffic Segmentation Members. VLAN TRUNKING Use the Interface >...
  • Page 163 VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
  • Page 164: Figure 57: Configuring Vlan Trunking

    Figure 57: Configuring VLAN Trunking
  • Page 165: Vlan Configuration

    VLAN CONFIGURATION This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 166: Figure 58: Vlan Compliant And Vlan Non-Compliant Devices

    CHAPTER | VLAN Configuration: IEEE 802.1Q VLANs. since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 4093 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit or...
  • Page 167 VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 168: Configuring Vlan Groups

    Figure 59: Using GVRP (port-based VLAN). Forwarding Tagged/Untagged Frames: If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 169: Figure 60: Creating Static Vlans

    ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 134). Modify: ◆ VLAN ID – ID of configured VLAN (1-4093). ◆ VLAN Name – Name of the VLAN (1 to 32 characters)...
  • Page 170: Adding Static Members To Vlans

    To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 171 CLI REFERENCES ◆ "Configuring VLAN Interfaces" on page 832 ◆ "Displaying VLAN Information" on page 839 PARAMETERS These parameters are displayed: Edit Member by VLAN: ◆ VLAN – ID of configured VLAN (1-4093)...
  • Page 172 ■ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 173: Figure 63: Configuring Static Members By Vlan Index

    WEB INTERFACE To configure static members by the VLAN index: Click VLAN, Static. Select Edit Member by VLAN from the Action list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required. Click Apply.
  • Page 174: Figure 64: Configuring Static Vlan Members By Interface

    To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Action list. Select a port or trunk to configure. Modify the settings for any interface as required. Click Apply. Figure 64: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static.
  • Page 175: Configuring Dynamic Vlan Registration

    Figure 65: Configuring Static VLAN Members by Interface Range. Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
  • Page 176 ◆ GVRP Timers – Timer settings must follow this rule: 2 x (join timer) < leave timer < leaveAll timer ■ Join – The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20) ■ Leave –...
  • Page 177: Figure 66: Configuring Global Status Of Gvrp

    Figure 66: Configuring Global Status of GVRP. To configure GVRP status and timers on a port or trunk: Click VLAN, Dynamic. Select Configure Interface from the Step list. Set the Interface type to display as Port or Trunk. Modify the GVRP status or timers for any interface.
  • Page 178: Ieee 802.1Q Tunneling

    Figure 68: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN Members from the Action list. Figure 69: Showing the Members of a Dynamic VLAN. IEEE 802.1Q TUNNELING...
  • Page 179: Figure 70: Qinq Operational Concept

    provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging). A port configured to support QinQ tunneling must be set to tunnel port mode.
  • Page 180 New SPVLAN tags are added to all incoming packets, no matter how many tags they already have. The ingress process constructs and inserts the outer tag (SPVLAN) into the packet based on the default VLAN ID and Tag Protocol Identifier (TPID, that is, the ether-type of the tag).
  • Page 181 After successful source and destination lookups, the packet is double tagged. The switch uses the TPID of 0x8100 to indicate that an incoming packet is double-tagged. If the outer tag of an incoming double-tagged packet is equal to the port TPID and the inner tag is 0x8100, it is treated as a double-tagged packet.
  • Page 182: Enabling Qinq Tunneling On The Switch

    Create a Service Provider VLAN, also referred to as an SPVLAN (see "Configuring VLAN Groups" on page 168). Configure the QinQ tunnel access port to Tunnel mode (see "Adding an Interface to a QinQ Tunnel" on page 183).
  • Page 183: Adding An Interface To A Qinq Tunnel

    Interface: To enable QinQ Tunneling on the switch: Click VLAN, Tunnel. Select Configure Global from the Step list. Enable Tunnel Status, and specify the TPID if a client attached to a tunnel port is using a non-standard ethertype to identify 802.1Q tagged frames.
  • Page 184: Protocol Vlans

    Mode – Sets the VLAN membership mode of the port. None – The port operates in its normal VLAN mode. (This is the default.) Tunnel – Configures QinQ tunneling for a client access port to...
  • Page 185: Configuring Protocol Vlan Groups

    Command Usage: To configure protocol-based VLANs, follow these steps: First configure VLAN groups for the protocols you want to use (page 830). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
  • Page 186: Figure 73: Configuring Protocol Vlans

    Interface: To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Add from the Action list. Select an entry from the Frame Type list. Select an entry from the Protocol Type list. Enter an identifier for the protocol group.
  • Page 187: Mapping Protocol Groups To Interfaces

    Mapping Protocol Groups to Interfaces: Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group. CLI References: "protocol-vlan protocol-group (Configuring Interfaces)"...
  • Page 188: Figure 75: Assigning Interfaces To Protocol Vlans

    Interface: To map a protocol group to a VLAN for a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Add from the Action list. Select a port or trunk. Enter the identifier for a protocol group.
  • Page 189: Configuring Ip Subnet Vlans

    Configuring IP Subnet VLANs: Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 190: Figure 77: Configuring Ip Subnet Vlans

    Interface: To map an IP subnet to a VLAN: Click VLAN, IP Subnet. Select Add from the Action list. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field.
  • Page 191: Configuring Mac-Based Vlans

    Configuring MAC-based VLANs: Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 192: Figure 79: Configuring Mac-Based Vlans

    Interface: To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list. Enter an address in the MAC Address field. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
  • Page 193: Configuring Vlan Mirroring

    Configuring VLAN Mirroring: Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 194: Figure 81: Configuring Vlan Mirroring

    Interface: To configure VLAN mirroring: Click VLAN, Mirror. Select Add from the Action list. Select the source VLAN, and select a target port. Click Apply. Figure 81: Configuring VLAN Mirroring. To show the VLANs to be mirrored: Click VLAN, Mirror.
  • Page 195: Address Table Settings

    Address Table Settings: Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 196 Parameters: These parameters are displayed: VLAN – ID of configured VLAN. (Range: 1-4093) Interface – Port or trunk associated with the device assigned a static address. MAC Address – Physical address of a device mapped to this interface...
  • Page 197: Changing The Aging Time

    Figure 84: Displaying Static MAC Addresses. Changing the Aging Time: Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
  • Page 198: Displaying The Dynamic Address Table

    Figure 85: Setting the Address Aging Time. Displaying the Dynamic Address Table: Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 199: Clearing The Dynamic Address Table

    Figure 86: Displaying the Dynamic MAC Address Table. Clearing the Dynamic Address Table: Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. CLI References: "clear mac-address-table dynamic"...
  • Page 200: Configuring Mac Address Mirroring

    Figure 87: Clearing Entries in the Dynamic MAC Address Table. Configuring MAC Address Mirroring: Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis.
  • Page 201: Figure 88: Mirroring Packets Based On The Source Mac Address

    Target Port – The port that will mirror the traffic from the source port. (Range: 1-10) Interface: To mirror packets based on a MAC address: Click MAC Address, Mirror. Select Add from the Action list. Specify the source MAC address and destination port.
  • Page 203: Spanning Tree Algorithm

    Spanning Tree Algorithm: This chapter describes the following basic topics: Loopback Detection – Configures detection and response to loopback BPDUs. Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. Interface Settings for STA – Configures interface settings for STA,...
  • Page 204: Figure 90: Stp Root Ports And Designated Ports

    lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 90: STP Root Ports and Designated Ports...
  • Page 205: Figure 91: Mstp Region, Internal Spanning Tree, Multiple Spanning Tree

    Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 206: Configuring Loopback Detection

    Configuring Loopback Detection: Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 207: Configuring Global Settings For Sta

    Interface: To configure loopback detection: Click Spanning Tree, Loopback Detection. Click Port or Trunk to display the required interface type. Modify the required loopback detection attributes. Click Apply. Figure 93: Configuring Port Loopback Detection. Configuring Global Settings for STA...
  • Page 208 connected to an 802.1D bridge and starts using only 802.1D BPDUs. RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
  • Page 209 Default: 32768; Range: 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440. BPDU Flooding – Configures the system to flood BPDUs to all other...
  • Page 210 network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) Default: 20; Minimum: The higher of 6 or [2 x (Hello Time + 1)]...
  • Page 211: Figure 94: Configuring Global Settings For Sta (Stp)

    Figure 94: Configuring Global Settings for STA (STP). Figure 95: Configuring Global Settings for STA (RSTP)...
  • Page 212: Displaying Global Settings For Sta

    Figure 96: Configuring Global Settings for STA (MSTP). Displaying Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 213: Configuring Interface Settings For Sta

    Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 214: Table 12: Recommended Sta Path Cost Range

    CLI References: "Spanning Tree Commands" on page 783. Parameters: These parameters are displayed: Interface – Displays a list of ports or trunks. Spanning Tree – Enables/disables STA on this interface...
  • Page 215: Table 13: Default Sta Path Costs

    Table 13: Default STA Path Costs (Port Type: IEEE 802.1D-1998 / IEEE 802.1w-2001) – Ethernet: 65,535 / 1,000,000; Fast Ethernet: 65,535 / 100,000; Gigabit Ethernet: 10,000 / 10,000. Admin Link Type – The link type attached to this interface...
  • Page 216 An interface cannot function as an edge port under the following conditions: If spanning tree mode is set to STP (page 207), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  • Page 217: Displaying Interface Settings For Sta

    Figure 98: Configuring Interface Settings for STA. Displaying Interface Settings for STA: Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 218 The rules defining port status are: A port on a network segment with no other STA compliant bridging device is always forwarding. If two ports of a switch are connected to the same segment and...
  • Page 219: Figure 99: Sta Port Roles

    Figure 99: STA Port Roles (R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port). Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 220: Configuring Multiple Spanning Trees

    Configuring Multiple Spanning Trees: Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: "Spanning Tree Commands" on page 783...
  • Page 221: Figure 101: Creating An Mst Instance

    Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 222: Figure 102: Displaying Mst Instances

    To show the MSTP instances: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show from the Action list. Figure 102: Displaying MST Instances. To modify the priority for an MST instance: Click Spanning Tree, MSTP.
  • Page 223: Figure 104: Displaying Global Settings For An Mst Instance

    To display global settings for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Information from the Action list. Select an MST ID. The attributes displayed on this page are described under "Displaying Global Settings for STA"...
  • Page 224: Configuring Interface Settings For Mstp

    To show the VLAN members of an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Member from the Action list. Figure 106: Displaying Members of an MST Instance. Configuring Interface Settings for MSTP...
  • Page 225: Figure 107: Configuring Mstp Interface Settings

    Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 226: Figure 108: Displaying Mstp Interface Settings

    To display MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Show Information from the Action list. Figure 108: Displaying MSTP Interface Settings...
  • Page 227: Rate Limit Configuration

    Rate Limit Configuration: Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 228 Interface: To configure rate limits: Click Traffic, Rate Limit. Enable the Rate Limit Status for the required ports. Set the rate limit for the individual ports. Click Apply. Figure 109: Configuring Rate Limits...
  • Page 229: Storm Control Configuration

    Storm Control Configuration: Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 230: Figure 110: Configuring Storm Control

    Unknown Unicast – Specifies storm control for unknown unicast traffic. Multicast – Specifies storm control for multicast traffic. Broadcast – Specifies storm control for broadcast traffic. Status – Enables or disables storm control. (Default: Enabled for...
  • Page 231: Class Of Service

    Class of Service: Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 232: Selecting The Queue Mode

    frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. If the output port is an untagged member of the associated VLAN,...
  • Page 233 Command Usage: Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. WRR queuing specifies a relative weight for each queue. WRR uses a...
  • Page 234: Figure 112: Setting The Queue Mode (Strict)

    Weight – Sets a weight for each queue which is used by the WRR scheduler. (Range: 1-255; Default: Weights 1, 2, 4, 6 are assigned to queues 0 - 3 respectively) Interface: To configure the queue mode: Click Traffic, Priority, Queue.
  • Page 235: Mapping Cos Values To Egress Queues

    Figure 114: Setting the Queue Mode (Strict and WRR). Mapping CoS Values to Egress Queues: Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are...
  • Page 236: Table 16: Mapping Internal Per-Hop Behavior To Hardware Queues

    Table 15: CoS Priority Levels (Continued) – Priority Level / Traffic Type: Voice, less than 10 milliseconds latency and jitter; Network Control. CLI References: "qos map phb-queue" on page 871. Command Usage: Egress packets are placed into the hardware queues according to the...
  • Page 237 Figure 115: Mapping CoS Values to Egress Queues. To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Select an interface. Figure 116: Showing CoS Values to Egress Queue Mapping...
  • Page 238: Layer 3/4 Priority Settings

    Layer 3/4 Priority Settings – Mapping Layer 3/4 Priorities to CoS Values: The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
  • Page 239: Mapping Ingress Dscp Values To Internal Dscp Values

    Parameters: These parameters are displayed: Interface – Specifies a port or trunk. Trust Mode: DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values. CoS – Maps layer 3/4 priorities using Class of Service values...
  • Page 240: Table 17: Default Mapping Of Dscp Values To Internal Phb/Drop Values

    Command Usage: Enter per-hop behavior and drop precedence for any of the DSCP values 0 - 63. This map is only used when the priority mapping mode is set to DSCP...
  • Page 241: Figure 118: Configuring Dscp To Dscp Internal Mapping

    Interface: To map DSCP values to internal PHB/drop precedence: Click Traffic, Priority, DSCP to DSCP. Select Configure from the Action list. Select a port. Set the PHB and drop precedence for any DSCP value. Click Apply.
  • Page 242: Mapping Cos Priorities To Internal Dscp Values

    Mapping CoS Priorities to Internal DSCP Values: Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. CLI R...
  • Page 243: Table 18: Default Mapping Of Cos/Cfi To Internal Phb/Drop Precedence

    Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence: (0,0) (0,0) (1,0) (1,0) (2,0) (2,0) (3,0) (3,0) (4,0) (4,0) (5,0) (5,0) (6,0) (6,0) (7,0) (7,0). Interface: To map CoS/CFI values to internal PHB/drop precedence: Click Traffic, Priority, CoS to DSCP.
  • Page 244: Figure 121: Showing Cos To Dscp Internal Mapping

    To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Select a port. Figure 121: Showing CoS to DSCP Internal Mapping...
  • Page 245: Quality Of Service

    Quality of Service: This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 246: Configuring A Class Map

    Command Usage: To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 247: Figure 122: Configuring A Class Map

    Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: Class Name – Name of the class map. Type – Only one match command is permitted per class map, so the...
  • Page 248: Figure 123: Showing Class Maps

    To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 123: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 249: Creating Qos Policies

    To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 125: Showing the Rules for a Class Map. Creating QoS Policies: Use the Traffic >...
  • Page 250 Policing is based on a token bucket, where bucket depth (that is, the maximum burst before the bucket overflows) is specified by the “burst” field (BC), and the average rate tokens are removed from the bucket is specified by the “rate”...
  • Page 251 if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented...
  • Page 252 respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
  • Page 253 Parameters: These parameters are displayed: Policy Name – Name of policy map. (Range: 1-16 characters) Description – A brief description of a policy map. (Range: 1-256 characters) Add Rule: Policy Name – Name of policy map...
  • Page 254 Committed Burst Size (BC) – Burst in bytes. (Range: 4000-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes. Conform – Specifies that traffic conforming to the maximum...
  • Page 255 Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. Transmit – Transmits in-conformance traffic without any change to the DSCP service level. Exceed –...
  • Page 256 Committed Burst Size (BC) – Burst in bytes. (Range: 4000-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes. Peak Burst Size (BP) – Burst size in bytes. (Range: 4000-...
  • Page 257: Figure 126: Configuring A Policy Map

    Interface: To configure a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add from the Action list. Enter a policy name. Enter a description. Click Add. Figure 126: Configuring a Policy Map. To show the configured policy maps: Click Traffic, DiffServ.
  • Page 258: Figure 128: Adding Rules To A Policy Map

    To edit the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add Rule from the Action list. Select the name of a policy map. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class.
  • Page 259: Attaching A Policy Map To A Port

    To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 129: Showing the Rules for a Policy Map. Attaching a Policy Map to a Port...
  • Page 260: Figure 130: Attaching A Policy Map To A Port

    Interface: To bind a policy map to a port: Click Traffic, DiffServ. Select Configure Interface from the Step list. Check the box under the Ingress field to enable a policy map for a port. Select a policy map from the scroll-down box.
  • Page 261: VoIP Traffic Configuration

    VoIP Traffic Configuration: This chapter covers the following topics: Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. Telephony OUI List – Configures the list of phones to be treated as VOIP...
  • Page 262: VoIP Traffic Configuration

    CLI References: "Configuring Voice VLANs" on page 855. Parameters: These parameters are displayed: Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) Voice VLAN –...
  • Page 263: Configuring Telephony Oui

    Configuring Telephony OUI: VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 264: Configuring Voip Traffic Ports

    Figure 132: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list. Figure 133: Showing an OUI Telephony List. Configuring VoIP Traffic Ports...
  • Page 265 Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or 802.1ab (LLDP). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
  • Page 266: Figure 134: Configuring Port Settings For A Voice Vlan

    Figure 134: Configuring Port Settings for a Voice VLAN...
  • Page 267: Security Measures

    Security Measures: You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 268: Aaa Authorization And Accounting

    DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 269: Configuring Local/Remote Logon Authentication

    Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
  • Page 270: Configuring Remote Logon Authentication Servers

    [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods).
  • Page 271 CLI REFERENCES "RADIUS Client" on page 602; "TACACS+ Client" on page 606; "AAA" on page 609. COMMAND USAGE If a remote authentication server is used, you must specify the...
  • Page 272 Set Key – Mark this box to set or modify the encryption key. Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) Confirm Authentication Key –...
  • Page 273: Figure 137: Configuring Remote Authentication Server (RADIUS)

    Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server. To set or modify the authentication key, mark the Set Key box, enter the key, and then confirm it. Click Apply.
  • Page 274: Figure 139: Configuring AAA Server Groups

    To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list. Select RADIUS or TACACS+ server type. Enter the group name, followed by the index of the server to use for each priority level.
  • Page 275: Configuring AAA Accounting

    Figure 140: Showing AAA Server Groups CONFIGURING AAA ACCOUNTING Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.
  • Page 276 Accounting Notice – Records user activity from log-in to log-off point. Server Group Name - Specifies the accounting server group. (Range: 1-255 characters) The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon Authentication"...
  • Page 277 INTERFACE To configure global settings for AAA accounting: Click Security, AAA, Accounting. Select Configure Global from the Step list. Enter the required update interval. Click Apply. Figure 141: Configuring Global Settings for AAA Accounting To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting.
  • Page 278: Figure 143: Showing AAA Accounting Methods

    To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Show from the Action list. Figure 143: Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or...
  • Page 279: Figure 145: Configuring AAA Accounting Service For Exec Service

    Figure 145: Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
  • Page 280: Configuring AAA Authorization

    CONFIGURING AAA AUTHORIZATION Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI REFERENCES "AAA"...
  • Page 281 Interface - Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group have not been assigned to an interface.) INTERFACE To configure the authorization method applied to the Exec service type and the assigned server group:...
  • Page 282: Figure 150: Configuring AAA Authorization Methods For Exec Service

    To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 150: Configuring AAA Authorization Methods for Exec Service To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization.
  • Page 283: Configuring User Accounts

    CONFIGURING USER ACCOUNTS Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI REFERENCES "User Accounts" on page 597. COMMAND USAGE The default guest name is “guest”...
  • Page 284: Web Authentication

    Specify a user name, select the user's access level, then enter a password if required and confirm it. Click Apply. Figure 152: Configuring User Accounts To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 153: Showing User Accounts WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network...
  • Page 285: Configuring Global Settings For Web Authentication

    RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See "Configuring Local/Remote Logon Authentication" on page 269.) Web authentication cannot be configured on trunk ports. CONFIGURING GLOBAL SETTINGS FOR WEB AUTHENTICATION Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
  • Page 286: Configuring Interface Settings For Web Authentication

    Figure 154: Configuring Global Settings for Web Authentication CONFIGURING INTERFACE SETTINGS FOR WEB AUTHENTICATION Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI REFERENCES...
  • Page 287: Network Access (MAC Address Authentication)

    Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate. Figure 155: Configuring Interface Settings for Web Authentication NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 288: Table 19: Dynamic QoS Profiles

    The user name and password are both equal to the MAC address being authenticated. On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
  • Page 289: Configuring Global Settings For Network Access

    If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1.” Any unsupported profiles in the Filter-ID attribute are ignored.
  • Page 290: Configuring Network Access For Ports

    This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 341).
  • Page 291 PARAMETERS These parameters are displayed: MAC Authentication: Status – Enables MAC authentication on a port. (Default: Disabled) Intrusion – Sets the port response to a host MAC authentication failure to either block access to the port or to pass traffic through.
  • Page 292: Configuring Port Link Detection

    exempt from authentication on the specified port (as described under "Configuring a MAC Address Filter"). (Range: 1-64; Default: None) INTERFACE To configure MAC authentication on switch ports: Click Security, Network Access. Select Configure Interface from the Step list.
  • Page 293: Configuring A MAC Address Filter

    Link up and down – All link up and link down events will trigger the port action. Action – The switch can respond in three ways to a link up or down...
  • Page 294 COMMAND USAGE Specified MAC addresses are exempt from authentication. Up to 65 filter tables can be defined. There is no limitation on the number of entries used in a filter table....
  • Page 295: Displaying Secure MAC Address Information

    Select Show from the Action list. Figure 160: Showing the MAC Address Filter Table for Network Access DISPLAYING SECURE MAC ADDRESS INFORMATION Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table.
  • Page 296: Figure 161: Showing Addresses Authenticated For Network Access

    INTERFACE To display the authenticated MAC addresses stored in the secure MAC address table: Click Security, Network Access. Select Show Information from the Step list. Use the sort key to display addresses based on MAC address, interface, or attribute.
  • Page 297: Configuring HTTPS

    CONFIGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the UDP port used for this service.
  • Page 298: Replacing The Default Secure-Site Certificate

    PARAMETERS These parameters are displayed: HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) HTTPS Port – Specifies the UDP port number used for HTTPS connection to the switch’s web interface.
  • Page 299 When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one. The switch must be reset for the new certificate to be activated. To reset the switch, see "Resetting the System"...
  • Page 300: Configuring The Secure Shell

    Figure 163: Downloading the Secure-Site Certificate CONFIGURING THE SECURE SHELL The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 301 To use the SSH server, complete these steps: Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 302 To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client’s keys.
  • Page 303: Configuring The SSH Server

    CONFIGURING THE SSH SERVER Use the Security > SSH (Configure Global) page to enable the SSH server and configure basic settings for authentication. A host key pair must be configured on the switch before you can enable the SSH server.
  • Page 304: Generating The Host Key Pair

    Figure 164: Configuring the SSH Server GENERATING THE HOST KEY PAIR Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public...
  • Page 305: Figure 165: Generating The SSH Host Key Pair

    INTERFACE To generate the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Generate from the Action list. Select the host-key type from the drop-down box. Select the option to save the host key from memory to flash if required.
  • Page 306: Importing User Public Keys

    IMPORTING USER PUBLIC KEYS Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism.
  • Page 307: Figure 167: Copying The SSH User's Public Key

    Figure 167: Copying the SSH User’s Public Key To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list.
  • Page 308: Access Control Lists

    ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP, or next header type), or any frames (based on MAC address or Ethernet type).
  • Page 309: Setting A Time Range

    SETTING A TIME RANGE Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied. CLI REFERENCES "Time Range" on page 560. PARAMETERS These parameters are displayed: Time-Range Name –...
  • Page 310: Figure 170: Showing A List Of Time Ranges

    To show a list of time ranges: Click Security, ACL. Select Configure Time Range from the Step list. Select Show from the Action list. Figure 170: Showing a List of Time Ranges To configure a rule for a time range: Click Security, ACL.
  • Page 311: Showing TCAM Utilization

    To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list. Figure 172: Showing the Rules Configured for a Time Range Use the Security >...
  • Page 312: Setting The ACL Name And Type

    Entries Used by User – The number of policy control entries used by configuration settings, such as access control lists. TCAM Utilization – The overall percentage of TCAM in use. INTERFACE To show information on TCAM utilization: Click Security, ACL.
  • Page 313: Figure 174: Creating An ACL

    IPv6 Extended: IPv6 ACL mode filters packets based on the source or destination IP address, as well as DSCP, and the type of the next header. MAC – MAC ACL mode filters packets based on the source or...
  • Page 314: Configuring A Standard IPv4 ACL

    CONFIGURING A STANDARD IPv4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. CLI REFERENCES "permit, deny (Standard IP ACL)" on page 699...
  • Page 315: Configuring An Extended IPv4 ACL

    Click Apply. Figure 176: Configuring a Standard IPv4 ACL CONFIGURING AN EXTENDED IPv4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI REFERENCES...
  • Page 316 Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others;...
  • Page 317 INTERFACE To add rules to an IP Extended ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Extended from the Type list. Select the name of an ACL from the Name list.
  • Page 318: Configuring A Standard IPv6 ACL

    CONFIGURING A STANDARD IPv6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI REFERENCES "permit, deny (Standard IPv6 ACL)" on page 849...
  • Page 319: Configuring An Extended IPv6 ACL

    If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and the prefix length. Click Apply. Figure 178: Configuring a Standard IPv6 ACL CONFIGURING AN EXTENDED IPv6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
  • Page 320 Destination Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-8 bits) DSCP – DSCP traffic class. (Range: 0-63)...
  • Page 321: Configuring A MAC ACL

    Figure 179: Configuring an Extended IPv6 ACL CONFIGURING A MAC ACL Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
  • Page 322 Untagged-802.3 – Untagged Ethernet 802.3 packets. Tagged-eth2 – Tagged Ethernet II packets. Tagged-802.3 – Tagged Ethernet 802.3 packets. VID – VLAN ID. (Range: 1-4094) VID Bit Mask – VLAN bit mask. (Range: 0-4094)...
  • Page 323: Configuring An ARP ACL

    Figure 180: Configuring a MAC ACL CONFIGURING AN ARP ACL Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 324 Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 314.) Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host”...
  • Page 325: Binding A Port To An Access Control List

    Figure 181: Configuring an ARP ACL BINDING A PORT TO AN ACCESS CONTROL LIST After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
  • Page 326: ARP Inspection

    INTERFACE To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select IP or MAC from the Type list. Select a port. Select the name of an ACL from the ACL list. Click Apply.
  • Page 327: Configuring Global Settings For ARP Inspection

    COMMAND USAGE Enabling & Disabling ARP Inspection: ARP Inspection is controlled on a global and VLAN basis. By default, ARP Inspection is disabled both globally and on all VLANs. If ARP Inspection is globally enabled, then it becomes active only on...
  • Page 328 with different MAC addresses are classified as invalid and are dropped. IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
  • Page 329: Configuring VLAN Settings For ARP Inspection

    Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. Log Message Number – The maximum number of entries saved in a...
  • Page 330 ARP Inspection ACLs can be applied to any configured VLAN. ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs.
  • Page 331: Configuring Interface Settings For ARP Inspection

    Figure 184: Configuring VLAN Settings for ARP Inspection CONFIGURING INTERFACE SETTINGS FOR ARP INSPECTION Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
  • Page 332: Displaying ARP Inspection Statistics

    INTERFACE To configure interface settings for ARP Inspection: Click Security, ARP Inspection. Select Configure Interface from the Step list. Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. Click Apply. Figure 185: Configuring Interface Settings for ARP Inspection Use the Security >...
  • Page 333: Displaying The ARP Inspection Log

    Table 21: ARP Inspection Statistics (Continued). Parameter – Description: ARP packets dropped by additional validation (Src-MAC) – Count of packets that failed the source MAC address test. ARP packets dropped by ARP ACLs – Count of ARP packets that failed validation against ARP ACL rules.
  • Page 334: Filtering IP Addresses For Management Access

    Table 22: ARP Inspection Log (Continued). Parameter – Description: Src. IP Address – The source IP address in the packet. Dst. IP Address – The destination IP address in the packet. Src. MAC Address – The source MAC address in the packet.
  • Page 335: Figure 188: Creating An IP Address Filter For Management Access

    When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
  • Page 336: Configuring Port Security

    To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 189: Showing IP Addresses Authorized for Management Access CONFIGURING PORT SECURITY Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
  • Page 337 COMMAND USAGE A secure port has the following restrictions: It cannot be used as a member of a static or dynamic trunk. It should not be connected to a network interconnection device....
  • Page 338: Configuring 802.1X Port Authentication

    Figure 190: Configuring Port Security CONFIGURING 802.1X PORT AUTHENTICATION Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 339: Configuring 802.1X Global Settings

    hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Figure 191: Configuring Port Security [diagram labels: 802.1x client, RADIUS] 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3....
  • Page 340 PARAMETERS These parameters are displayed: Port Authentication Status – Sets the global setting for 802.1X. (Default: Disabled) EAPOL Pass Through – Passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. (Default: Disabled) When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, EAPOL Pass...
  • Page 341: Configuring Port Authenticator Settings For 802.1X

    Figure 192: Configuring Global Settings for 802.1X Port Authentication CONFIGURING PORT AUTHENTICATOR SETTINGS FOR 802.1X Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator.
  • Page 342 PARAMETERS These parameters are displayed: Port – Port number. Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized. Authorized –...
  • Page 343 Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) Quiet Period –...
  • Page 344 Authenticator PAE State Machine: State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). Reauth Count – Number of times connecting state is re-entered. Current Identifier – Identifier sent in each EAP Success, Failure or...
  • Page 345: Configuring Port Supplicant Settings For 802.1X

    Figure 193: Configuring Interface Settings for 802.1X Port Authenticator CONFIGURING PORT SUPPLICANT SETTINGS FOR 802.1X Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
  • Page 346 COMMAND USAGE When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 339) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate...
  • Page 347: Displaying 802.1X Statistics

    INTERFACE To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply. Figure 194: Configuring Interface Settings for 802.1X Port Supplicant Use the Security >...
  • Page 348 Table 23: 802.1X Statistics (Continued). Parameter – Description: Rx EAPOL Total – The number of valid EAPOL frames of any type that have been received by this Authenticator. Rx Last EAPOLVer – The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
  • Page 349: Figure 195: Showing Statistics For 802.1X Port Authenticator

    INTERFACE To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 195: Showing Statistics for 802.1X Port Authenticator
  • Page 350: IP Source Guard

    To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 196: Showing Statistics for 802.1X Port Supplicant IP SOURCE GUARD IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 351 COMMAND USAGE Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 352: Configuring Static Bindings For IP Source Guard

    SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see...
  • Page 353 If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. If there is an entry with the same VLAN ID and MAC address, and...
  • Page 354: Displaying Information For Dynamic IP Source Guard Bindings

    Figure 198: Configuring Static Bindings for IP Source Guard To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Show from the Action list. Figure 199: Displaying Static Bindings for IP Source Guard Use the Security >...
  • Page 355: DHCP Snooping

    Dynamic Binding List: VLAN – VLAN to which this entry is bound. MAC Address – Physical address associated with the entry. Interface – Port to which this entry is bound. IP Address – IP address corresponding to the client....
  • Page 356 | Security Measures | DHCP Snooping | Command Usage: DHCP Snooping Process: ◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on a non-secure interface from outside the network or firewall.
  • Page 357 | Security Measures | DHCP Snooping | ■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. ■ If a DHCP packet from a server is received on a trusted port, it will...
  • Page 358: DHCP Snooping Configuration

    | Security Measures | DHCP Snooping | DHCP packets, keep the existing information, or replace it with the switch’s relay information. DHCP Snooping Configuration: Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
  • Page 359: DHCP Snooping VLAN Configuration

    | Security Measures | DHCP Snooping | Figure 201: Configuring Global Settings for DHCP Snooping. DHCP Snooping VLAN Configuration: Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI References: "ip dhcp snooping vlan"...
  • Page 360: Configuring Ports For DHCP Snooping

    | Security Measures | DHCP Snooping | Interface: To configure global settings for DHCP Snooping: Click Security, DHCP Snooping. Select Configure VLAN from the Step list. Enable DHCP Snooping on any existing VLAN. Click Apply. Figure 202: Configuring DHCP Snooping on a VLAN. Use the IP Service >...
  • Page 361: Displaying DHCP Snooping Binding Information

    | Security Measures | DHCP Snooping | Interface: To configure global settings for DHCP Snooping: Click Security, DHCP Snooping. Select Configure Interface from the Step list. Set any ports within the local network or firewall to trusted. Click Apply. Figure 203: Configuring the Port Mode for DHCP Snooping. Use the IP Service >...
  • Page 362: Figure 204: Displaying The Binding Table For DHCP Snooping

    | Security Measures | DHCP Snooping | dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
  • Page 363: Basic Administration Protocols

    Basic Administration Protocols: This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 364: Table 24: Logging Levels

    | Basic Administration Protocols | Configuring Event Logging | Parameters: These parameters are displayed: ◆ System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled) ◆ Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level.
  • Page 365: Figure 205: Configuring Settings For System Memory Logs

    | Basic Administration Protocols | Configuring Event Logging | Interface: To configure the logging of error messages to system memory: Click Administration, Log, System. Select Configure Global from the Step list. Enable or disable system logging, set the level of event messages to be logged to flash memory and RAM.
  • Page 366: Remote Log Configuration

    | Basic Administration Protocols | Configuring Event Logging | Remote Log Configuration: Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level. CLI References: "Event Logging"...
  • Page 367: Sending Simple Mail Transfer Protocol Alerts

    | Basic Administration Protocols | Configuring Event Logging | Figure 207: Configuring Settings for Remote Logging of Error Messages. Sending Simple Mail Transfer Protocol Alerts: Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level.
  • Page 368: Link Layer Discovery Protocol

    | Basic Administration Protocols | Link Layer Discovery Protocol | Interface: To configure SMTP alert messages: Click Administration, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. Specify the source and destination email addresses, and one or more SMTP servers.
  • Page 369: Setting LLDP Timing Attributes

    | Basic Administration Protocols | Link Layer Discovery Protocol | Setting LLDP Timing Attributes: Use the Administration > LLDP (Configure Global) page to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.
  • Page 370: Configuring LLDP Interface Attributes

    | Basic Administration Protocols | Link Layer Discovery Protocol | This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
  • Page 371 | Basic Administration Protocols | Link Layer Discovery Protocol | ◆ SNMP Notification – Enables the transmission of SNMP trap notifications about LLDP and LLDP-MED changes. (Default: Disabled) This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section.
  • Page 372 | Basic Administration Protocols | Link Layer Discovery Protocol | ■ System Description – The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. System Name –...
  • Page 373: Displaying LLDP Local Device Information

    | Basic Administration Protocols | Link Layer Discovery Protocol | Click Apply. Figure 210: Configuring LLDP Interface Attributes. Displaying LLDP Local Device Information: Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
  • Page 374: Table 26: System Capabilities

    | Basic Administration Protocols | Link Layer Discovery Protocol | Table 25: Chassis ID Subtype (Continued) (ID Basis: Reference): Interface name: ifName (IETF RFC 2863); Locally assigned: locally assigned. ◆ Chassis ID – An octet string indicating the specific identifier for the...
  • Page 375: Displaying LLDP Remote Port Information

    | Basic Administration Protocols | Link Layer Discovery Protocol | Interface: To display LLDP information for the local device: Click Administration, LLDP. Select Show Local Device Information from the Step list. Select General, Port, or Trunk. Figure 211: Displaying Local Device Information for LLDP (General). Figure 212: Displaying Local Device Information for LLDP (Port). Use the Administration >...
  • Page 376: Table 27: Port ID Subtype

    | Basic Administration Protocols | Link Layer Discovery Protocol | Parameters: These parameters are displayed: Port: ◆ Local Port – The local port to which a remote LLDP-capable device is attached. ◆ Chassis ID – An octet string indicating the specific identifier for the...
  • Page 377 | Basic Administration Protocols | Link Layer Discovery Protocol | ◆ Port Description – A string that indicates the port’s description. If RFC 2863 is implemented, the ifDescr object should be used for this field. ◆ Port ID – A string that contains the specific identifier for the port from...
  • Page 378: Table 28: Remote Port Auto-Negotiation Advertised Capability

    | Basic Administration Protocols | Link Layer Discovery Protocol | Table 28: Remote Port Auto-Negotiation Advertised Capability. Capability: other or unknown; 10BASE-T half duplex mode; 10BASE-T full duplex mode; 100BASE-T4; 100BASE-TX half duplex mode; 100BASE-TX full duplex mode; 100BASE-T2 half duplex mode; 100BASE-T2 full duplex mode; PAUSE for full-duplex links; Asymmetric PAUSE for full-duplex links...
  • Page 379: Figure 213: Displaying Remote Device Information For LLDP (Port)

    | Basic Administration Protocols | Link Layer Discovery Protocol | ◆ Remote Power Classification – This classification is used to tag different terminals on the Power over LAN network according to their power consumption. Devices such as IP telephones, WLAN access points and others, will be classified according to their power requirements.
  • Page 380: Figure 214: Displaying Remote Device Information For LLDP (Port Details)

    | Basic Administration Protocols | Link Layer Discovery Protocol | Figure 214: Displaying Remote Device Information for LLDP (Port Details)
  • Page 381: Displaying Device Statistics

    | Basic Administration Protocols | Link Layer Discovery Protocol | Displaying Device Statistics: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces. CLI References: "show lldp info statistics"...
  • Page 382: Simple Network Management Protocol

    | Basic Administration Protocols | Simple Network Management Protocol | Interface: To display statistics for LLDP-capable devices attached to the switch: Click Administration, LLDP. Select Show Device Statistics from the Step list. Select General, Port, or Trunk. Figure 215: Displaying LLDP Device Statistics (General). Figure 216: Displaying LLDP Device Statistics (Port). Simple Network...
  • Page 383: Table 29: SNMPv3 Security Models And Levels

    | Basic Administration Protocols | Simple Network Management Protocol | Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device.
  • Page 384 | Basic Administration Protocols | Simple Network Management Protocol | The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access. Command Usage: Configuring SNMPv1/2c Management Access: To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration >...
  • Page 385: Configuring Global Settings For SNMP

    | Basic Administration Protocols | Simple Network Management Protocol | Configuring Global Settings for SNMP: Use the Administration > SNMP (Configure Global) page to enable SNMPv3 service for all management clients (i.e., versions 1, 2c, 3), and to enable trap messages. CLI References: "snmp-server"...
  • Page 386: Setting The Local Engine ID

    | Basic Administration Protocols | Simple Network Management Protocol | Setting the Local Engine ID: Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
  • Page 387: Specifying A Remote Engine ID

    | Basic Administration Protocols | Simple Network Management Protocol | Specifying a Remote Engine ID: Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 388: Setting SNMPv3 Views

    | Basic Administration Protocols | Simple Network Management Protocol | Interface: To configure a remote SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Add Remote Engine from the Action list. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
  • Page 389: Figure 221: Creating An SNMP View

    | Basic Administration Protocols | Simple Network Management Protocol | Parameters: These parameters are displayed: Add View: ◆ View Name – The name of the SNMP view. (Range: 1-64 characters) ◆ OID Subtree – Specifies the initial object identifier of a branch within...
  • Page 390: Figure 222: Showing SNMP Views

    | Basic Administration Protocols | Simple Network Management Protocol | To show the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list. Figure 222: Showing SNMP Views. To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP.
  • Page 391: Configuring SNMPv3 Groups

    | Basic Administration Protocols | Simple Network Management Protocol | To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list. Select a view name from the list of existing views.
  • Page 392: Table 30: Supported Notification Messages

    | Basic Administration Protocols | Simple Network Management Protocol | ◆ Read View – The configured view for read access. (Range: 1-64 characters) ◆ Write View – The configured view for write access. (Range: 1-64 characters) ◆ Notify View – The configured view for notifications...
  • Page 393 | Basic Administration Protocols | Simple Network Management Protocol | Table 30: Supported Notification Messages (Continued). Model Level Group. Private Traps: swPowerStatusChangeTrap (1.3.6.1.4.1.259.10.1.17.2.1.0.1): This trap is sent when the power state changes. swPortSecurityTrap (1.3.6.1.4.1.259.10.1.17.2.1.0.36): This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.
  • Page 394: Figure 225: Creating An SNMP Group

    | Basic Administration Protocols | Simple Network Management Protocol | Interface: To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 395: Setting Community Access Strings

    | Basic Administration Protocols | Simple Network Management Protocol | Setting Community Access Strings: Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 396: Configuring Local SNMPv3 Users

    | Basic Administration Protocols | Simple Network Management Protocol | To show the community access strings: Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list. Figure 228: Showing Community Access Strings. Configuring Local SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify...
  • Page 397 | Basic Administration Protocols | Simple Network Management Protocol | ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters...
  • Page 398: Configuring Remote SNMPv3 Users

    | Basic Administration Protocols | Simple Network Management Protocol | To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list. Figure 230: Showing Local SNMPv3 Users. Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from...
  • Page 399 | Basic Administration Protocols | Simple Network Management Protocol | ◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model: ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 400 | Basic Administration Protocols | Simple Network Management Protocol | Figure 231: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 232: Showing Remote SNMPv3 Users
  • Page 401: Specifying Trap Managers

    | Basic Administration Protocols | Simple Network Management Protocol | Specifying Trap Managers: Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 402 | Basic Administration Protocols | Simple Network Management Protocol | Parameters: These parameters are displayed: SNMP Version 1: ◆ IP Address – IP address of a new management station to receive notification message (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 403 | Basic Administration Protocols | Simple Network Management Protocol | SNMP Version 3: ◆ IP Address – IP address of a new management station to receive notification message (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 404: Figure 233: Configuring Trap Managers (SNMPv1)

    | Basic Administration Protocols | Simple Network Management Protocol | Interface: To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 233: Configuring Trap Managers (SNMPv1). Figure 234: Configuring Trap Managers (SNMPv2c)
  • Page 405: Remote Monitoring

    | Basic Administration Protocols | Remote Monitoring | Figure 235: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 236: Showing Trap Managers. Remote Monitoring: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 406: Configuring RMON Alarms

    | Basic Administration Protocols | Remote Monitoring | The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol.
  • Page 407 | Basic Administration Protocols | Remote Monitoring | generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. (Range: 1-65535) Rising Event Index –...
  • Page 408: Figure 237: Configuring An RMON Alarm

    | Basic Administration Protocols | Remote Monitoring | Figure 237: Configuring an RMON Alarm. To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 238: Showing Configured RMON Alarms
  • Page 409: Configuring RMON Events

    | Basic Administration Protocols | Remote Monitoring | Configuring RMON Events: Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
  • Page 410: Figure 239: Configuring An RMON Event

    | Basic Administration Protocols | Remote Monitoring | Interface: To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
  • Page 411: Configuring RMON History Samples

    | Basic Administration Protocols | Remote Monitoring | To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 240: Showing Configured RMON Events. Configuring RMON History Samples: Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization,...
  • Page 412: Figure 241: Configuring An RMON History Sample

    | Basic Administration Protocols | Remote Monitoring | Parameters: These parameters are displayed: ◆ Port – The port number on the switch. ◆ Index - Index to this entry. (Range: 1-65535) ◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800...
  • Page 413: Figure 242: Showing Configured RMON History Samples

    | Basic Administration Protocols | Remote Monitoring | To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History. Figure 242: Showing Configured RMON History Samples. To show collected RMON history samples: Click Administration, RMON.
  • Page 414: Configuring RMON Statistical Samples

    | Basic Administration Protocols | Remote Monitoring | Configuring RMON Statistical Samples: Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates. CLI References: "Remote Monitoring Commands"...
  • Page 415: Figure 244: Configuring An RMON Statistical Sample

    | Basic Administration Protocols | Remote Monitoring | Figure 244: Configuring an RMON Statistical Sample. To show configured RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click Statistics.
  • Page 416: Switch Clustering

    | Basic Administration Protocols | Switch Clustering | Figure 246: Showing Collected RMON Statistical Samples. Switch Clustering: Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 417: Configuring General Settings For Clusters

    | Basic Administration Protocols | Switch Clustering | ◆ A switch can only be a member of one cluster. ◆ After the Commander and Members have been configured, any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Show Member page.
  • Page 418: Cluster Member Configuration

    | Basic Administration Protocols | Switch Clustering | Set the required attributes for a Commander or a managed candidate. Click Apply. Figure 247: Configuring a Switch Cluster. Cluster Member Configuration: Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.
  • Page 419: Figure 248: Configuring A Cluster Members

    | Basic Administration Protocols | Switch Clustering | Figure 248: Configuring a Cluster Members. To show the cluster members: Click Administration, Cluster. Select Configure Member from the Step list. Select Show from the Action list. Figure 249: Showing Cluster Members. To show cluster candidates: Click Administration, Cluster.
  • Page 420: Managing Cluster Members

    | Basic Administration Protocols | Switch Clustering | Managing Cluster Members: Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. CLI References: ◆ "Switch Clustering" on page 563. Parameters: These parameters are displayed: ◆ Member ID –...
  • Page 421: IP Configuration

    IP Configuration: This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 422: Address Resolution Protocol

    | IP Configuration | Address Resolution Protocol | ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic. ■ Destination does not respond - If the host does not respond, a...
  • Page 423: Setting The ARP Timeout

    | IP Configuration | Address Resolution Protocol | traffic passes along the path to its final destination in this way, with each routing device mapping the destination IP address to the MAC address of the next hop toward the recipient, until the packet is delivered to the final destination.
  • Page 424: Displaying ARP Entries

    | IP Configuration | Address Resolution Protocol | Interface: To configure the timeout for the ARP cache: Click IP, ARP. Select Configure General from the Step List. Set the timeout to a suitable value for the ARP cache. Click Apply. Figure 253: Setting the ARP Timeout. Use the IP >...
  • Page 425: Setting The Switch's IP Address (IP Version 4)

    | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | This section describes how to configure an IPv4 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
  • Page 426: Configuring IPv4 Interface Settings

    | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | Configuring IPv4 Interface Settings: Use the System > IP (Configure Interface – Add) page to configure an IPv4 address for the switch. An IPv4 address is obtained via DHCP by default for VLAN 1.
  • Page 427: Figure 256: Configuring A Static IPv4 Address

    | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | Interface: To set a static IPv4 address for the switch: Click System, IP. Select Configure Interface from the Action list. Select Add from the Step list. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,”...
  • Page 428: Figure 257: Configuring A Dynamic IPv4 Address

    | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | Figure 257: Configuring a Dynamic IPv4 Address. The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter “show ip interface”...
  • Page 429: Setting The Switch's IP Address (IP Version 6)

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Figure 258: Showing the IPv4 Address Configured for an Interface. Setting the Switch’s IP Address (IP Version 6): This section describes how to configure an IPv6 interface for management access over the network.
  • Page 430: Configuring IPv6 Interface Settings

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Interface: To configure an IPv6 default gateway for the switch: Click IP, IPv6 Configuration. Select Configure Global from the Action list. Enter the IPv6 default gateway. Click Apply. Figure 259: Configuring the IPv6 Default Gateway. Use the IP >...
  • Page 431 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Parameters: These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 432 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | ■ Duplicate address detection is stopped on any interface that has been suspended (see "Configuring VLAN Groups" on page 168). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending”...
  • Page 433: Configuring An IPv6 Address

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Click Apply. Figure 260: Configuring General Settings for an IPv6 Interface. Configuring an IPv6 Address: Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network. CLI References...
  • Page 434 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | ■ It can be manually configured by specifying the entire network prefix and prefix length, and using the EUI-64 form of the interface identifier to automatically create the low-order 64 bits in the host portion of the address.
  • Page 435 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | address. The EUI-64 specification is designed for devices that use an extended 8-byte MAC address. For devices that still use a 6-byte MAC address (also known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
  • Page 436: Showing IPv6 Addresses

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Showing IPv6 Addresses: Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI References: ◆ "show ipv6 interface" on page 1045...
  • Page 437: Showing The IPv6 Neighbor Cache

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Interface: To show the configured IPv6 addresses: Click IP, IPv6 Configuration. Select Show IPv6 Address from the Action list. Select a VLAN from the list. Figure 262: Showing Configured IPv6 Addresses. Use the IP >...
  • Page 438: Figure 263: Showing IPv6 Neighbors

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Table 32: Show IPv6 Neighbors - display description (Continued). Field: State. Description: The following states are used for dynamic entries: ◆ INCMP (Incomplete) - Address resolution is being carried out on the...
  • Page 439: Showing IPv6 Statistics

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Showing IPv6 Statistics: Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI References: ◆ "show ipv6 traffic" on page 1047...
  • Page 440 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Table 33: Show IPv6 Statistics - display description (Continued) (Field: Description). Address Errors: The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 441 | IP Configuration: Table 33: Show IPv6 Statistics - display description (Continued). Generated Fragments: The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded: The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 442 | IP Configuration: Table 33: Show IPv6 Statistics - display description (Continued). Destination Unreachable Messages: The number of ICMP Destination Unreachable messages sent by the interface. Packet Too Big Messages: The number of ICMP Packet Too Big messages sent by the interface.
  • Page 443 | IP Configuration: Web Interface: To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP. Figure 264: Showing IPv6 Statistics (IPv6). Figure 265: Showing IPv6 Statistics (ICMPv6)...
  • Page 444: Showing The MTU For Responding Destinations

    Figure 266: Showing IPv6 Statistics (UDP). Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 445: IP Services

    IP Services. This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping, which is included in this folder, see "DHCP Snooping" on page 355. DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
  • Page 446: Configuring A List Of Domain Names

    Web Interface: To configure general settings for DNS: Click IP Service, DNS. Select Configure Global from the Action list. Enable domain lookup, and set the default domain name. Click Apply. Figure 268: Configuring General Settings for DNS. Configuring a List of Domain...
  • Page 447: Figure 269: Configuring A List Of Domain Names For DNS

    Parameters: These parameters are displayed: Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters) Web Interface: To create a list of domain names: Click IP Service, DNS.
  • Page 448: Configuring A List Of Name Servers

    Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI References: "ip name-server"...
  • Page 449: Configuring Static DNS Host To Address Entries

    To show the list of name servers: Click IP Service, DNS. Select Show Name Servers from the Action list. Figure 272: Showing the List of Name Servers for DNS. Configuring Static DNS Host to...
  • Page 450: Figure 273: Configuring Static Entries In The DNS Table

    Web Interface: To configure static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Add from the Action list. Enter a host name and the corresponding address. Click Apply.
  • Page 451: Displaying The DNS Cache

    Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers. CLI References: "show dns cache"...
  • Page 453: Multicast

    Multicast Filtering. This chapter describes how to configure the following multicast services: ◆ IGMP – Configuring snooping and query parameters. ◆ Filtering and Throttling – Filtering specified multicast service, or throttling the maximum of multicast groups allowed on an interface. ◆ Multicast VLAN Registration (MVR) –...
  • Page 454: Layer 2 IGMP (Snooping And Query)

    device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
  • Page 455 | Multicast Filtering: also request that service be forwarded from any source except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources. When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
  • Page 456: Configuring IGMP Snooping And Query Parameters

    Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 457 | Multicast Filtering: ◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 458 | Multicast Filtering: When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred.
  • Page 459: Figure 277: Configuring General Settings For IGMP Snooping

    ◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300) ◆ IGMP Snooping Version –...
  • Page 460: Specifying Static Interfaces For A Multicast Router

    Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 461: Assigning Interfaces To Multicast Services

    Select the VLAN for which to display this information. Figure 279: Showing Static Interfaces Attached a Multicast Router. To show all the interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list.
  • Page 462: Figure 281: Assigning An Interface To A Multicast Service

    CLI References: ◆ "ip igmp snooping vlan static" on page 911. Command Usage: ◆ Static multicast addresses are never aged out. ◆ When a multicast address is assigned to an interface in a specific VLAN,...
  • Page 463: Figure 282: Showing Static Interfaces Assigned To A Multicast Service

    Select the VLAN for which to display this information. Figure 282: Showing Static Interfaces Assigned to a Multicast Service. To show all the interfaces statically or dynamically assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member.
  • Page 464: Setting IGMP Snooping Status Per Interface

    Use the Multicast > IGMP Snooping > Interface (Configure) page to configure IGMP snooping attributes for a VLAN interface. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters"...
  • Page 465 | Multicast Filtering: ◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when: ■ Multicast forwarding is disabled on an interface...
  • Page 466 | Multicast Filtering: If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period.
  • Page 467 | Multicast Filtering: This command applies when the switch is serving as the querier (page 456), or as a proxy host when IGMP snooping proxy reporting is enabled (page 456). ◆ Query Response Interval – The maximum time the system waits for...
  • Page 468: Figure 284: Configuring IGMP Snooping On An Interface

    Web Interface: To configure IGMP snooping on a VLAN: Click Multicast, IGMP Snooping, Interface. Select Configure from the Action list. Select the VLAN to configure and update the required parameters. Click Apply. Figure 284: Configuring IGMP Snooping on an Interface. To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface.
  • Page 469: Displaying Multicast Groups Discovered By IGMP Snooping

    Figure 285: Showing Interface Settings for IGMP Snooping. Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. CLI References...
  • Page 470: Filtering And Throttling IGMP Groups

    Web Interface: To show multicast groups learned through IGMP snooping: Click Multicast, IGMP Snooping, Forwarding Entry. Select the VLAN for which to display this information. Figure 286: Showing Multicast Groups Learned by IGMP Snooping. Filtering and Throttling IGMP Groups...
  • Page 471: Enabling IGMP Filtering And Throttling

    Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch. CLI References: ◆ "ip igmp filter (Global Configuration)" on page 916...
  • Page 472: Figure 288: Creating An IGMP Filtering Profile

    Parameters: These parameters are displayed: ◆ Profile ID – Creates an IGMP profile. (Range: 1-4294967295) ◆ Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
  • Page 473: Figure 289: Showing The IGMP Filtering Profiles Created

    To show the IGMP filter profiles: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Show from the Action list. Figure 289: Showing the IGMP Filtering Profiles Created. To add a range of multicast groups to an IGMP filter profile: Click Multicast, IGMP Snooping, Filter.
  • Page 474: Configuring IGMP Filtering And Throttling For Interfaces

    To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Show Multicast Group Range from the Action list. Select the profile for which to display this information.
  • Page 475: Figure 292: Configuring IGMP Filtering And Throttling Interface Settings

    ◆ Max Multicast Groups – Sets the maximum number of multicast groups an interface can join at the same time. (Range: 1-255; Default: 255) ◆ Current Multicast Groups – Displays the current multicast groups the...
  • Page 476: Multicast VLAN Registration

    Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
  • Page 477: Configuring Global MVR Settings

    ◆ Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and leave messages from multicast groups configured under MVR.
  • Page 478: Configuring MVR Group Address Ranges

    Web Interface: To configure global settings for MVR: Click Multicast, MVR. Select Configure General from the Action list. Enable MVR globally on the switch, select the MVR VLAN, and set the forwarding priority to be assigned to all ingress multicast traffic. Click Apply.
  • Page 479: Figure 295: Configuring An MVR Group Address Range

    IGMP snooping and MVR share a maximum number of 1024 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the MVR VLAN. Web Interface: To configure an MVR group address range: Click Multicast, MVR.
  • Page 480: Configuring MVR Interface Status

    Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
  • Page 481 | Multicast Filtering: ■ Source – An uplink port that can send and receive multicast data for the groups assigned to the MVR VLAN. Note that the source port must be manually configured as a member of the MVR VLAN (see "Adding Static Members to VLANs"...
  • Page 482: Assigning Static Multicast Groups To Interfaces

    Figure 297: Configuring Interface Settings for MVR. Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
  • Page 483: Displaying MVR Receiver Groups

    Figure 298: Assigning Static MVR Groups to a Port. To show the static MVR groups assigned to a port: Click Multicast, MVR. Select Configure Static Group Member from the Step list. Select Show from the Action list. Select the port for which to display this information.
  • Page 484 | Multicast Filtering: ◆ VLAN – Indicates the MVR VLAN receiving the multicast service. ◆ Forwarding Port – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN. Also shows the VLAN through which the service is received.
  • Page 485: Command Line Interface

    Command Line Interface. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ "Using the Command Line Interface" on page 487 ◆ "General Commands" on page 499...
  • Page 486 | Command Line Interface: ◆ "Quality of Service Commands" on page 877 ◆ "Multicast Filtering Commands" on page 895 ◆ "LLDP Commands" on page 933 ◆ "CFM Commands" on page 957 ◆ "OAM Commands" on page 1001 ◆ "Domain Name Service Commands" on page 1011...
  • Page 487: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays:
        User Access Verification
        Username: admin
        Password:
        CLI session with the ES3510MA-DC is opened.
        To end the CLI session, enter [Exit].
        Console#
  • Page 488: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays:
        Username: admin
        Password:
        CLI session with the ES3510MA-DC is opened.
        To end the CLI session, enter [Exit].
        Vty-0#
  • Page 489: Entering Commands

    You can open up to four sessions to the device via Telnet. Entering Commands: This section describes how to enter CLI commands. Keywords and Arguments: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 490: Getting Help On Commands

    You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands: If you enter a “?”...
  • Page 491: Partial Keyword Lookup

        rmon             Remote Monitoring Protocol
        rspan            Display status of the current RSPAN configuration
        running-config   Information on the running configuration
        snmp             Simple Network Management Protocol configuration and statistics
        sntp             Simple Network Time Protocol configuration
        spanning-tree    Spanning-tree configuration
        Secure shell server connections...
  • Page 492: Using Command History

    host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands. Using Command History: The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key.
  • Page 493: Configuration Commands

    To enter Privileged Exec mode, enter the following user names and passwords:
        Username: admin
        Password: [admin login password]
        CLI session with the ES3510MA-DC is opened.
        To end the CLI session, enter [Exit].
        Console#
        Username: guest
        Password: [guest login password]
        CLI session with the ES3510MA-DC is opened.
  • Page 494: Table 36: Configuration Command Modes

    ◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation. ◆ Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
  • Page 495: Command Line Processing

    For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
        Console(config)#interface ethernet 1/5
        Console(config-if)#exit
        Console(config)#
    Command Line Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them...
  • Page 496: CLI Command Groups

    The system commands can be broken down into the functional groups shown below. Table 38: Command Group Index (columns: Command Group, Description, Page). General: Basic commands for entering privileged access mode, restarting the system, or quitting the CLI. System Management: Display and setting of system information, basic modes...
  • Page 497 | Using the Command Line Interface: Table 38: Command Group Index (Continued). Class of Service: Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue, also sets priority for DSCP. Quality of Service: Configures Differentiated Services...
  • Page 499: General Commands

    General Commands. These commands are used to control the command access mode, configuration mode, and other basic functions. Table 39: General Commands (columns: Command, Function, Mode). prompt: Customizes the CLI prompt. reload: Restarts the system at a specified time, after a specified delay, or at a periodic interval. enable: Activates privileged mode...
  • Page 500: Reload (Global Configuration)

    Example:
        Console(config)#prompt RD2
        RD2(config)#
    reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 501: Enable

    Command Usage: ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 502: Quit

    Example:
        Console>enable
        Password: [privileged level password]
        Console#
    Related Commands: disable (504), enable password (598)
    quit: This command exits the configuration program. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The quit and exit commands can both exit the configuration program. Example: This example shows how to quit a CLI session:
        Console#quit...
  • Page 503: Configure

    Example: In this example, the show history command lists the contents of the command history buffer:
        Console#show history
        Execution command history:
         2 config
         1 show history
        Configuration command history:
         4 interface vlan 1
         3 exit
         2 interface vlan 1
         1 end
        Console#
    The ! command repeats commands from the Execution command history...
  • Page 504: Disable

    This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 505: Show Reload

    This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode: Privileged Exec. Example:
        Console#show reload
        Reloading switch in time: 0 hours 29 minutes.
        The switch will be rebooted at January 1 02:11:50 2001.
  • Page 506 | General Commands: Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
        Console(config)#exit
        Console#exit
        Press ENTER to start session
        User Access Verification
        Username:
  • Page 507: System Management Commands

    System Management Commands. These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 40: System Management Commands (columns: Command Group, Function). Device Designation: Configures information that uniquely identifies this switch. Banner Information: Configures administrative contact, device identification and location...
  • Page 508: Hostname

    This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax:
        hostname name
        no hostname
    name - The name of this host. (Maximum length: 255 characters) Default Setting: None...
  • Page 509: Banner Configure

    Table 42: Banner Commands (Continued) (columns: Command, Function, Mode). banner configure manager-info: Configures the Manager contact information that is displayed by banner. banner configure mux: Configures the MUX information that is displayed by banner. banner configure note: Configures miscellaneous information that is displayed by banner under the Notes heading...
  • Page 510: Banner Configure Company

        Row: 7
        Rack: 29
        Shelf in this rack: 8
        Information about DC power supply.
        Floor: 2
        Row: 7
        Rack: 25
        Electrical circuit: : ec-177743209-xb
        Number of LP:12
        Position of the equipment in the MUX:1/23
        IP LAN:192.168.1.1
        Note: This is a random note about this managed switch and can contain miscellaneous information.
  • Page 511: Banner Configure Dc-Power-Info

    This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax:
        banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
        no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 512: Banner Configure Equipment-Info

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 513: Banner Configure Equipment-Location

    Example:
        Console(config)#banner configure equipment-info manufacturer-id ES3510MA-DC floor 3 row 10 rack 15 shelf-rack 12 manufacturer EdgeCore
        Console(config)#
    banner configure equipment-location: This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 514: Banner Configure Lp-Number

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 515: Banner Configure Manager-Info

    This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax:
        banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
        no banner configure manager-info [name1 | name2 | name3]...
  • Page 516: Banner Configure Note

    Default Setting: None. Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 517: Show Banner

        R&D
        Albert_Einstein - 123-555-1212
        Lamar - 123-555-1219
        Station's information:
        710_Network_Path,_Indianapolis
        EdgeCore-ES3510MA-DC
        Floor / Row / Rack / Sub-Rack
        3/ 10 / 15 / 12
        DC power supply:
        Power Source A: Floor / Row / Rack / Electrical circuit
        3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 518: Show Access-List TCAM-Utilization

    This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use. Command Mode: Privileged Exec. Command...
  • Page 519: Show Process CPU

    This command shows the CPU utilization parameters. Command Mode: Normal Exec, Privileged Exec. Example:
        Console#show process cpu
        CPU Utilization in the past 5 seconds : 3.98%
        Console#
    show running-config: This command displays the configuration information currently in use. Syntax...
  • Page 520: Show Startup-Config

        1/1
         switchport allowed vlan add 1 untagged
         switchport native vlan 1
         switchport allowed vlan add 4093 tagged
        interface vlan 1
         ip address dhcp
         ip dhcp client class-id text Edge-Core
        line console
        line vty
        Console#
    Related Commands: show startup-config (520)
  • Page 521: Show System

    "Displaying System Information" on page ◆ If any POST test indicates “FAIL,” contact your distributor for assistance. Example:
        Console#show system
        System Description : ES3510MA-DC
        System OID String : 1.3.6.1.4.1.259.10.1.17
        System Information
         System Up Time : 0 days, 7 hours, 20 minutes, and 43.30 seconds...
  • Page 522: Show Tech-Support

    Example:
        Console#show tech-support
        show system:
        System Description : ES3510MA-DC
        System OID String : 1.3.6.1.4.1.259.10.1.17
        System Information
         System Up Time: 0 days, 2 hours, 17 minutes, and 6.23 seconds...
  • Page 523: Show Version

    Example:
        Console#show users
        User Name Accounts:
         User Name  Privilege  Public-Key
         ---------  ---------  ----------
         admin      15         None
         guest      0          None
         steve
        Online Users:
         Line         Username  Idle time (h:m:s)  Remote IP addr.
         -----------  --------  -----------------  ---------------
         console      admin     0:14:14...
  • Page 524: Frame Size

    This section describes commands used to configure the Ethernet frame size on the switch. Table 44: Frame Size Commands (columns: Command, Function, Mode). jumbo frame: Enables support for jumbo frames. jumbo frame: This command enables support for jumbo frames for Gigabit Ethernet ports.
  • Page 525: File Management

    Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 526: Boot System

    This command specifies the file or image used to start up the system. Syntax:
        boot system {boot-rom | config | opcode}: filename
    boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code. filename - Name of configuration file or code image.
  • Page 527: Copy

    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 528

    ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
    ◆ For information on specifying an https-certificate, see "Replacing the...
  • Page 529: System Management Commands

    The following example shows how to download a configuration file:
    Console#copy tftp startup-config
    TFTP server ip address: 10.1.0.99
    Source configuration file name: startup.01
    Startup configuration file name [startup]:
    Write to FLASH Programming.
    \Write to FLASH finish.
    Success.
  • Page 530: Delete

    delete: This command deletes a file or image.
    Syntax: delete filename
    filename - Name of configuration file or code image.
    Default Setting: None
    Command Mode: Privileged Exec
    Command Usage:
    ◆ If the file type is used for system startup, then this file cannot be deleted.
  • Page 531: Whichboot

    Command Usage:
    ◆ If you enter the command dir without any parameters, the system displays all files. File information is shown below:
    Table 46: File Directory Information
    Column Heading | Description
    File Name | The name of the file.
    File Type | File types: Boot-Rom, Operation Code, and Config file.
  • Page 532: Upgrade Opcode Auto

    Example: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
    Console#whichboot
    File Name Type Startup Modify Time Size(bytes)
    -------------------------------- ------- ------- ------------------- ----------...
  • Page 533: Upgrade Opcode Path

    Example:
    Console(config)#upgrade opcode auto
    Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
    Console(config)#
    If a new image is found at the specified location, the following type of messages will be displayed during bootup.
    Automatic Upgrade is looking for a new image
    New image detected: current version 1.1.1.0;...
  • Page 534

    ◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
    ftp://[username[:password@]]192.168.0.1[/filedir]/
    If the user name is omitted, “Anonymous” will be used for the connection.
  • Page 535: Line

    Line: You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 536: Databits

    Command Mode: Global Configuration
    Command Usage: Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 537: Exec-Timeout

    Related Commands: parity (538)
    exec-timeout: This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.
    Syntax: exec-timeout [seconds]
    no exec-timeout
    seconds - Integer that specifies the timeout interval. (Range: 0 - 65535 seconds;...
  • Page 538: Parity

    Default Setting: login local
    Command Mode: Line Configuration
    Command Usage:
    ◆ There are three authentication modes provided by the switch itself at login:
    ■ login selects authentication by a single global password as specified by the password line configuration command.
  • Page 539: Password

    Default Setting: No parity
    Command Mode: Line Configuration
    Command Usage: Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
    Example: To specify no parity, enter this command:
    Console(config-line)#parity none
    Console(config-line)#
    This command specifies the password for a line.
  • Page 540: Password-Thresh

    Example:
    Console(config-line)#password 0 secret
    Console(config-line)#
    Related Commands: login (537), password-thresh (540)
    password-thresh: This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
  • Page 541: Silent-Time

    silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
    Syntax: silent-time [seconds]
    no silent-time...
  • Page 542: Stopbits

    be supported. The system indicates if the speed you selected is not supported.
    Example: To specify 57600 bps, enter this command:
    Console(config-line)#speed 57600
    Console(config-line)#
    stopbits: This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.
  • Page 543: Disconnect

    Command Mode: Line Configuration
    Command Usage:
    ◆ If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
    ◆ This command applies to both the local console and Telnet connections. ...
  • Page 544: Show Line

    show line: This command displays the terminal line’s parameters.
    Syntax: show line [console | vty]
    console - Console terminal line.
    vty - Virtual terminal for remote console access (i.e., Telnet).
    Default Setting: Shows all lines
    Command Mode: Normal Exec, Privileged Exec
    Example:...
  • Page 545: Logging Facility

    Table 48: Event Logging Commands (Continued)
    Command | Function | Mode
    logging trap | Limits syslog messages saved to a remote server based on severity |
    clear log | Clears messages from the logging buffer |
    show log | Displays log messages |
    show logging | Displays the state of logging |
    This command sets the facility type for remote logging of syslog messages.
  • Page 546: Logging History

    logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
    Syntax: logging history {flash | ram} level
    no logging history {flash | ram}
    flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 547: Logging Host

    logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
    Syntax: [no] logging host host-ip-address
    host-ip-address - The IP address of a syslog server.
    Default Setting: None...
  • Page 548: Logging Trap

    Related Commands: logging history (546), logging trap (548), clear log (548)
    logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 549: Show Log

    Command Mode: Privileged Exec
    Example:
    Console#clear log
    Console#
    Related Commands: show log (549)
    show log: This command displays the log messages stored in local memory.
    Syntax: show log {flash | ram}
    flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 550: Show Logging

    show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
    Syntax: show logging {flash | ram | sendmail | trap}
    flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 551: Smtp Alerts

    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Console#
    Table 51: show logging trap - display description
    Field...
  • Page 552: Logging Sendmail

    logging sendmail: This command enables SMTP event handling. Use the no form to disable this function.
    Syntax: [no] logging sendmail
    Default Setting: Enabled
    Command Mode: Global Configuration
    Example:
    Console(config)#logging sendmail
    Console(config)#
    logging sendmail host: This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
  • Page 553: Logging Sendmail Level

    Example:
    Console(config)#logging sendmail host 192.168.1.19
    Console(config)#
    logging sendmail level: This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting.
    Syntax: logging sendmail level level
    no logging sendmail level
    level - One of the system message levels (page...
  • Page 554: Logging Sendmail Source-Email

    Command Mode: Global Configuration
    Command Usage: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
    Example:
    Console(config)#logging sendmail destination-email ted@this-company.com
    Console(config)#
    logging sendmail source-email: This command sets the email address used for the “From” field in alert messages.
  • Page 555: Time

    SMTP Minimum Severity Level: 7
    SMTP destination email addresses
    -----------------------------------------------
    ted@this-company.com
    SMTP Source Email Address: bill@this-company.com
    SMTP Status: Enabled
    Console#
    Time: The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 556: Sntp Poll

    Command Usage:
    ◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 557: Sntp Server

    Related Commands: sntp client (555)
    sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 558: Clock Timezone

    Example:
    Console#show sntp
    Current Time : Nov 5 18:51:22 2006
    Poll Interval : 16 seconds
    Current Mode : Unicast
    SNTP Status : Enabled
    SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
    Current Server : 137.92.140.80
    Console#
    This command sets the time zone for the switch’s internal clock.
  • Page 559: Calendar Set

    calendar set: This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
    Syntax: calendar set hour min sec {day month year | month day year}
    hour - Hour in 24-hour format.
  • Page 560: Time Range

    Time Range: This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
    Table 54: Time Range Commands
    Command | Function | Mode
    time-range | Specifies the name of a time range, and enters time range configuration mode |
    absolute | Sets the time range for the execution of a command...
  • Page 561: Absolute

    absolute: This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.
    Syntax: absolute start hour minute day month year [end hour minutes day month year]
    absolute end hour minutes day month year
    no absolute
    hour - Hour in 24-hour format.
  • Page 562: Show Time-Range

    monday - Monday
    saturday - Saturday
    sunday - Sunday
    thursday - Thursday
    tuesday - Tuesday
    wednesday - Wednesday
    weekdays - Weekdays
    weekend - Weekends
    hour - Hour in 24-hour format. (Range: 0-23)
    minute - Minute. (Range: 0-59)
    Default Setting: None...
  • Page 563: Switch Clustering

    Switch Clustering: Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 564: Cluster

    cluster: This command enables clustering on the switch. Use the no form to disable clustering.
    Syntax: [no] cluster
    Default Setting: Disabled
    Command Mode: Global Configuration
    Command Usage:
    ◆ To create a switch cluster, first be sure that clustering is enabled on the...
  • Page 565: Cluster Ip-Pool

    Command Usage:
    ◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
  • Page 566: Cluster Member

    cluster member: This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
    Syntax: cluster member mac-address mac-address id member-id
    no cluster member id member-id
    mac-address - The MAC address of the Candidate switch.
  • Page 567: Show Cluster

    Example:
    Console#rcommand id 1
    CLI session with the ES3510MA-DC is opened.
    To end the CLI session, enter [Exit].
    Vty-0#
    show cluster: This command shows the switch clustering configuration.
    Command Mode: Privileged Exec
    Example:
    Console#show cluster...
  • Page 568: Show Cluster Candidates

    show cluster candidates: This command shows the discovered Candidate switches in the network.
    Command Mode: Privileged Exec
    Example:
    Console#show cluster candidates
    Cluster Candidates:
    Role MAC Address Description
    --------------- ----------------- ----------------------------------------
    Active member 00-E0-0C-00-00-FE ES3510MA-DC
    CANDIDATE 00-12-CF-0B-47-A0 ES3510MA-DC
    Console#
  • Page 569: Snmp Commands

    SNMP Commands: Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 570: Snmp-Server

    Table 56: SNMP Commands (Continued)
    Command | Function | Mode
    Notification Log Commands
    nlm | Enables the specified notification log |
    snmp-server notify-filter | Creates a notification log and specifies the target host |
    show nlm oper-status | Shows operation status of configured notification logs |
    show snmp notify-filter | Displays the configured notification logs...
  • Page 571: Snmp-Server Community

    Example:
    Console(config)#snmp-server
    Console(config)#
    snmp-server community: This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
    Syntax: snmp-server community string [ro | rw]
    no snmp-server community string
    string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 572: Snmp-Server Location

    Command Mode: Global Configuration
    Example:
    Console(config)#snmp-server contact Paul
    Console(config)#
    Related Commands: snmp-server location (572)
    snmp-server location: This command sets the system location string. Use the no form to remove the location string.
    Syntax: snmp-server location text
    no snmp-server location
    text - String that describes the system location.
  • Page 573: Snmp-Server Enable Traps

    Example:
    Console#show snmp
    SNMP Agent : Enabled
    SNMP Traps :
    Authentication : Enabled
    Link-up-down : Enabled
    SNMP Communities :
    1. public, and the access level is read-only
    2. private, and the access level is read/write
    0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied...
  • Page 574: Snmp-Server Host

    snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
    ◆ The snmp-server enable traps command is used in conjunction with...
  • Page 575

    prior to using the snmp-server host command. (Maximum length: 32 characters)
    version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
    auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
  • Page 576

    To send an inform to a SNMPv2c host, complete these steps:
    1. Enable the SNMP agent (page 570).
    2. Create a view with the required notification messages (page 580).
    3. Create a group that includes the required notify view (page 578).
  • Page 577: Snmp-Server Engine-Id

    snmp-server engine-id: This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
    Syntax: snmp-server engine-id {local | remote {ip-address}} engineid-string
    no snmp-server engine-id {local | remote {ip-address}}
    local - Specifies the SNMP engine on this switch.
    remote - Specifies an SNMP engine on a remote device.
  • Page 578: Snmp-Server Group

    Related Commands: snmp-server host (574)
    snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
    Syntax: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
    no snmp-server group groupname
    groupname - Name of an SNMP group.
  • Page 579: Snmp-Server User

    Example:
    Console(config)#snmp-server group r&d v3 auth write daily
    Console(config)#
    snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
  • Page 580: Snmp-Server View

    ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
    ◆ The SNMP engine ID is used to compute the authentication/privacy...
  • Page 581: Show Snmp Engine-Id

    Command Usage:
    ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
    ◆ The predefined view “defaultview” includes access to the entire MIB tree.
    Examples: This view includes MIB-2.
    Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
    Console(config)#
    This view includes the MIB-2 interfaces table, ifDescr.
  • Page 582: Show Snmp Group

    Table 57: show snmp engine-id - display description (Continued)
    Field | Description
    Remote SNMP engineID | String identifying an engine ID on a remote device.
    IP address | IP address of the device containing the corresponding remote SNMP engine.
    Four default groups are provided –...
  • Page 583: Show Snmp User

    Table 58: show snmp group - display description
    Field | Description
    groupname | Name of an SNMP group.
    security model | The SNMP version.
    readview | The associated read view.
    writeview | The associated write view.
    notifyview | The associated notify view.
    storage-type | The storage type for this entry.
  • Page 584: Show Snmp View

    show snmp view: This command shows information on the SNMP views.
    Command Mode: Privileged Exec
    Example:
    Console#show snmp view
    View Name: mib-2
    Subtree OID: 1.2.2.3.6.2.1
    View Type: included
    Storage Type: permanent
    Row Status: active
    View Name: defaultview
    Subtree OID: 1
    View Type: included
    Storage Type: volatile...
  • Page 585: Snmp-Server Notify-Filter

    ◆ Disabling logging with this command does not delete the entries stored in the notification log.
    Example: This example enables the notification logs A1.
    Console(config)#nlm A1
    Console(config)#
    snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 586: Show Nlm Oper-Status

    ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
  • Page 587: Show Snmp Notify-Filter

    show snmp notify-filter: This command displays the configured notification logs.
    Command Mode: Privileged Exec
    Example: This example displays the configured notification logs and associated target hosts.
    Console#show snmp notify-filter
    Filter profile name IP address
    ---------------------------- ----------------
    10.1.19.23
    Console#
  • Page 589: Remote Monitoring Commands

    Remote Monitoring Commands: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 590: Rmon Alarm

    rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
    Syntax: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
    no rmon alarm index
    index –...
  • Page 591: Rmon Event

    ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 592: Rmon Collection History

    ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
    Example:
    Console(config)#rmon event 2 log description urgent owner mike
    Console(config)#
    This command periodically samples statistics on a physical interface.
  • Page 593: Rmon Collection Rmon1

    Example:
    Console(config)#interface ethernet 1/1
    Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike
    Console(config-if)#
    rmon collection rmon1: This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection.
    Syntax: rmon collection rmon1 controlEntry index [owner name]...
  • Page 594: Show Rmon Alarms

    show rmon alarms: This command shows the settings for all configured alarms.
    Command Mode: Privileged Exec
    Example:
    Console#show rmon alarms
    Alarm 1 is valid, owned by
    Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
    Taking delta samples, last value was 0
    Rising threshold is 892800, assigned to event 0
    Falling threshold is 446400, assigned to event 0
    This command shows the settings for all configured events.
  • Page 595: Show Rmon Statistics

    show rmon statistics: This command shows the information collected for all configured entries in the statistics group.
    Command Mode: Privileged Exec
    Example:
    Console#show rmon statistics
    Interface 1 is valid, and owned by
    Monitors 1.3.6.1.2.1.2.2.1.1.1 which has
    Received 164289 octets, 2372 packets,
    120 broadcast and 2211 multicast packets,
    0 undersized and 0 oversized packets,...
  • Page 597: Authentication

    Authentication Commands: You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 598: Enable Password

    User Accounts.
    enable password: After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 599: Username

    username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
  • Page 600: Authentication Sequence

    Authentication Sequence: Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
    Table 65: Authentication Sequence Commands
    Command | Function | Mode...
  • Page 601: Authentication Login

    Example:
    Console(config)#authentication enable radius
    Console(config)#
    Related Commands: enable password - sets the password for changing command modes (598)
    authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default.
    Syntax: authentication login {[local] [radius] [tacacs]}
    no authentication login...
  • Page 602: Radius Client

    Related Commands: username - for setting the local user names and passwords (599)
    RADIUS Client: Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
  • Page 603: Radius-Server Auth-Port

    radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default.
    Syntax: radius-server auth-port port-number
    no radius-server auth-port
    port-number - RADIUS server UDP port used for authentication messages.
  • Page 604: Radius-Server Key

    Default Setting:
    auth-port - 1812
    acct-port - 1813
    timeout - 5 seconds
    retransmit - 2
    Command Mode: Global Configuration
    Example:
    Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
    Console(config)#
    radius-server key: This command sets the RADIUS encryption key. Use the no form to restore the default.
  • Page 605: Radius-Server Timeout

    Default Setting:
    Command Mode: Global Configuration
    Example:
    Console(config)#radius-server retransmit 5
    Console(config)#
    radius-server timeout: This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
    Syntax: radius-server timeout number-of-seconds
    no radius-server timeout
    number-of-seconds - Number of seconds the switch waits for a...
  • Page 606: Tacacs+ Client

    Retransmit Times
    Request Timeout
    Server 1:
    Server IP Address : 192.168.1.1
    Authentication Port Number : 1812
    Accounting Port Number : 1813
    Retransmit Times
    Request Timeout
    Radius Server Group:
    Group Name Member Index
    ------------------------- -------------
    radius
    Console#
    TACACS+ C...
  • Page 607: Tacacs-Server Key

    port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
    retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30)
    timeout - Number of seconds the switch waits for a reply before resending a request.
  • Page 608: Show Tacacs-Server

    no tacacs-server port
    port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
    Default Setting:
    Command Mode: Global Configuration
    Example:
    Console(config)#tacacs-server port 181
    Console(config)#
    show tacacs-server: This command displays the current settings for the TACACS+ server.
    Default Setting:...
  • Page 609: Aaa

    The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
    Table 68: AAA Commands
    Command | Function | Mode...
  • Page 610: Aaa Accounting Dot1X

    group - Specifies the server group to use.
    tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
    server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters)
    Default Setting: Accounting is not enabled...
  • Page 611: Aaa Accounting Exec

    group - Specifies the server group to use.
    radius - Specifies all RADIUS hosts configured with the radius-server host command.
    tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
    server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 612: Aaa Accounting Update

    group - Specifies the server group to use.
    radius - Specifies all RADIUS hosts configured with the radius-server host command.
    tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
    server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 613: Aaa Authorization Exec

    ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
    Example:
    Console(config)#aaa accounting update periodic 30
    Console(config)#
    aaa authorization exec: This command enables the authorization for Exec access. Use the no form to disable the authorization service.
  • Page 614: Aaa Group Server

    aaa group server: Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
    Syntax: [no] aaa group server {radius | tacacs+} group-name
    radius - Defines a RADIUS server group.
  • Page 615: Accounting Dot1X

    EXAMPLE
    Console(config)#aaa group server radius tps
    Console(config-sg-radius)#server 10.2.68.120
    Console(config-sg-radius)#
    accounting dot1x
    This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
    SYNTAX
    accounting dot1x {default | list-name}
    no accounting dot1x
    default - Specifies the default method list created with the accounting dot1x...
  • Page 616: Authorization Exec

    EXAMPLE
    Console(config)#line console
    Console(config-line)#accounting exec tps
    Console(config-line)#exit
    Console(config)#line vty
    Console(config-line)#accounting exec default
    Console(config-line)#
    authorization exec
    This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
    SYNTAX
    authorization exec {default | list-name}
    no authorization exec...
  • Page 617: Web Server

    statistics - Displays accounting records.
    user-name - Displays accounting records for a specifiable username.
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-10)
    DEFAULT SETTING
    None
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show accounting
    Accounting Type : dot1x...
  • Page 618: Ip Http Port

    ip http port
    This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
    SYNTAX
    ip http port port-number
    no ip http port
    port-number - The TCP port to be used by the browser interface.
  • Page 619: Ip Http Secure-Server

    ip http secure-server
    This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
  • Page 620: Ip Http Secure-Port

    ◆ To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 298. Also refer to the copy tftp https-certificate command.
    EXAMPLE
    Console(config)#ip http secure-server
    Console(config)#
    RELATED COMMANDS
    ip http secure-port (620)
    copy tftp https-certificate (527)
    show system (521)
  • Page 621: Telnet Server

    TELNET SERVER
    This section describes commands used to configure Telnet management access to the switch.
    Table 71: Telnet Server Commands (Command, Function, Mode)
    ip telnet max-sessions - Specifies the maximum number of Telnet sessions that can simultaneously connect to this system
    ip telnet port - Specifies the port to be used by the Telnet interface...
  • Page 622: Ip Telnet Port

    ip telnet port
    This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
    SYNTAX
    ip telnet port port-number
    no telnet port
    port-number - The TCP port number to be used by the browser interface.
  • Page 623: Show Ip Telnet

    show ip telnet
    This command displays the configuration settings for the Telnet server.
    COMMAND MODE
    Normal Exec, Privileged Exec
    EXAMPLE
    Console#show ip telnet
    IP Telnet Configuration:
    Telnet Status: Enabled
    Telnet Service Port: 23
    Telnet Max Session: 4
    Console#
    SECURE SHELL...
  • Page 624

    Table 72: Secure Shell Commands (Continued) (Command, Function, Mode)
    show ssh - Displays the status of current SSH sessions
    show users - Shows SSH users, including privilege level and public key type
    Configuration Guidelines
    The SSH server on this switch supports both password and public key authentication.
  • Page 625

    Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
    Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 626: Ip Ssh Authentication-Retries

    The client sends a signature generated using the private key to the switch. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.
  • Page 627: Ip Ssh Server-Key Size

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
    ◆ The SSH server uses DSA or RSA for key exchange when the client first...
  • Page 628: Ip Ssh Timeout

    ip ssh timeout
    This command configures the timeout for the SSH server. Use the no form to restore the default setting.
    SYNTAX
    ip ssh timeout seconds
    no ip ssh timeout
    seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
    DEFAULT SETTING...
  • Page 629: Ip Ssh Crypto Host-Key Generate

    EXAMPLE
    Console#delete public-key admin dsa
    Console#
    ip ssh crypto host-key generate
    This command generates the host key pair (i.e., public and private).
    SYNTAX
    ip ssh crypto host-key generate [dsa | rsa]
    dsa – DSA (Version 2) key type.
    rsa –...
  • Page 630: Ip Ssh Crypto Zeroize

    ip ssh crypto zeroize
    This command clears the host key from memory (i.e. RAM).
    SYNTAX
    ip ssh crypto zeroize [dsa | rsa]
    dsa – DSA key type.
    rsa – RSA key type.
    DEFAULT SETTING
    Clears both the DSA and RSA key.
  • Page 631: Show Ip Ssh

    RELATED COMMANDS
    ip ssh crypto host-key generate (629)
    show ip ssh
    This command displays the connection settings used when authenticating client access to the SSH server.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show ip ssh
    SSH Enabled - Version 2.0
    Negotiation Timeout : 120 seconds;...
  • Page 632: Show Ssh

    show ssh
    This command displays the current SSH server connections.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show ssh
    Connection Version State Username Encryption
    Session-Started admin ctos aes128-cbc-hmac-md5...
  • Page 633: Port Authentication

    802.1X PORT AUTHENTICATION
    The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 634: Dot1X Default

    Table 74: 802.1X Port Authentication Commands (Continued) (Command, Function, Mode)
    dot1x timeout start-period - Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator
    Display Information Commands
    show dot1x - Shows all dot1x related information
    This command sets all configurable dot1x global and port settings to their...
  • Page 635: Dot1X System-Auth-Control

    EXAMPLE
    This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
    Console(config)#dot1x eapol-pass-through
    Console(config)#
    dot1x system-auth-control
    This command enables IEEE 802.1X port authentication globally on the switch.
  • Page 636: Dot1X Max-Req

    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x intrusion-action guest-vlan
    Console(config-if)#
    dot1x max-req
    This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 637: Dot1X Port-Control

    DEFAULT
    Single-host
    COMMAND MODE
    Interface Configuration
    COMMAND USAGE
    ◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command.
    ◆ In “multi-host” mode, only one host connected to a port needs to pass...
  • Page 638: Dot1X Re-Authentication

    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x port-control auto
    Console(config-if)#
    dot1x re-authentication
    This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
    SYNTAX
    [no] dot1x re-authentication
    COMMAND MODE
    Interface Configuration
    COMMAND USAGE
    The re-authentication process verifies the connected client’s user ID...
  • Page 639: Dot1X Timeout Re-Authperiod

    COMMAND MODE
    Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout quiet-period 350
    Console(config-if)#
    dot1x timeout re-authperiod
    This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
    SYNTAX
    dot1x timeout re-authperiod seconds...
  • Page 640: Dot1X Timeout Tx-Period

    COMMAND USAGE
    This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
  • Page 641: Dot1X Identity Profile

    COMMAND MODE
    Privileged Exec
    COMMAND USAGE
    The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
  • Page 642: Dot1X Max-Start

    dot1x max-start
    This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. Use the no form to restore the default value.
    SYNTAX
    dot1x max-start count
    no dot1x max-start...
  • Page 643: Dot1X Timeout Auth-Period

    ◆ A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
    EXAMPLE
    Console(config)#interface ethernet 1/2
    Console(config-if)#dot1x pae supplicant
    Console(config-if)#
    dot1x timeout auth-period
    This command sets the time that a supplicant port waits for a response from the authenticator.
  • Page 644: Dot1X Timeout Start-Period

    COMMAND MODE
    Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout held-period 120
    Console(config-if)#
    dot1x timeout start-period
    This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
  • Page 645

    COMMAND USAGE
    This command displays the following information:
    ◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 635).
    ◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 634).
  • Page 646

    ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
    ◆ Backend State Machine
    ■ State – Current state (including request, response, success, fail, timeout, idle, initialize).
    ■ Request Count –...
  • Page 647: Management Ip Filter

    Authenticator PAE State Machine
    State : Authenticated
    Reauth Count
    Current Identifier
    Backend State Machine
    State : Idle
    Request Count
    Identifier(Server)
    Reauthentication State Machine
    State : Initialize
    Console#
    MANAGEMENT IP FILTER
    This section describes commands used to configure IP management access to the switch.
  • Page 648: Show Management

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 649

    EXAMPLE
    Console#show management all-client
    Management Ip Filter
    HTTP-Client:
    Start IP address End IP address
    -----------------------------------------------
    1. 192.168.1.19 192.168.1.19
    2. 192.168.1.25 192.168.1.30
    SNMP-Client:
    Start IP address End IP address
    -----------------------------------------------
    1. 192.168.1.19 192.168.1.19
    2. 192.168.1.25 192.168.1.30
    TELNET-Client:
    Start IP address...
  • Page 651: General Security Measures

    GENERAL SECURITY MEASURES
    This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
  • Page 652: Port Security

    PORT SECURITY
    These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 653

    COMMAND MODE
    Interface Configuration (Ethernet)
    COMMAND USAGE
    ◆ When port security is enabled with this command, the switch first clears all dynamically learned entries from the address table. It then starts learning new MAC addresses on the specified port, and stops learning addresses when it reaches a configured maximum number.
  • Page 654: Network Access (Mac Address Authentication)

    NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
    Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 655: Network-Access Aging

    network-access aging
    Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
    SYNTAX
    [no] network-access aging
    DEFAULT...
  • Page 656: Mac-Authentication Reauth-Time

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ Specified addresses are exempt from network access authentication.
    ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 657: Network-Access Dynamic-Qos

    network-access dynamic-qos
    Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.
    SYNTAX
    [no] network-access dynamic-qos
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Interface Configuration
    COMMAND...
  • Page 658: Network-Access Dynamic-Vlan

    EXAMPLE
    The following example enables the dynamic QoS feature on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access dynamic-qos
    Console(config-if)#
    network-access dynamic-vlan
    Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
    SYNTAX
    [no] network-access dynamic-vlan...
  • Page 659: Network-Access Guest-Vlan

    network-access guest-vlan
    Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
    SYNTAX
    network-access guest-vlan vlan-id
    no network-access guest-vlan...
  • Page 660: Network-Access Link-Detection Link-Down

    network-access link-detection link-down
    Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 661: Network-Access Link-Detection Link-Up-Down

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access link-detection link-up action trap
    Console(config-if)#
    network-access link-detection link-up-down
    Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 662: Network-Access Mode Mac-Authentication

    COMMAND MODE
    Interface Configuration
    COMMAND USAGE
    The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 663: Network-Access Port-Mac-Filter

    ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
    ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN...
  • Page 664: Mac-Authentication Intrusion-Action

    mac-authentication intrusion-action
    Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
    SYNTAX
    mac-authentication intrusion-action {block traffic | pass traffic}
    no mac-authentication intrusion-action
    DEFAULT SETTING...
  • Page 665: Clear Network-Access

    clear network-access
    Use this command to clear entries from the secure MAC addresses table.
    SYNTAX
    clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
    static - Specifies static address entries.
    dynamic - Specifies dynamic address entries.
  • Page 666: Show Network-Access Mac-Address-Table

    EXAMPLE
    Console#show network-access interface ethernet 1/1
    Global secure port information
    Reauthentication Time : 1800
    --------------------------------------------------
    --------------------------------------------------
    Port : 1/1
    MAC Authentication : Disabled
    MAC Authentication Intrusion action : Block traffic
    MAC Authentication Maximum MAC Counts : 1024
    Maximum MAC Counts : 2048...
  • Page 667: Show Network-Access Mac-Filter

    EXAMPLE
    Console#show network-access mac-address-table
    ---- ----------------- --------------- --------- -------------------------
    Port MAC-Address RADIUS-Server Attribute Time
    ---- ----------------- --------------- --------- -------------------------
    00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s
    00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s
    00-00-01-02-03-06 172.155.120.17 Static 00d06h35m10s
    00-00-01-02-03-07 172.155.120.17 Dynamic 00d06h34m20s
    Console#...
  • Page 668: Web-Auth Login-Attempts

    RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 600). Web authentication cannot be configured on trunk ports.
    Table 80: Web Authentication (Command, Function, Mode)...
  • Page 669: Web-Auth Quiet-Period

    EXAMPLE
    Console(config)#web-auth login-attempts 2
    Console(config)#
    web-auth quiet-period
    This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
    SYNTAX
    web-auth quiet-period time
    no web-auth quiet period...
  • Page 670: Web-Auth System-Auth-Control

    EXAMPLE
    Console(config)#web-auth session-timeout 1800
    Console(config)#
    web-auth system-auth-control
    This command globally enables web authentication for the switch. Use the no form to restore the default.
    SYNTAX
    [no] web-auth system-auth-control
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Global Configuration
    COMMAND USAGE...
  • Page 671: Web-Auth Re-Authenticate (Port)

    web-auth re-authenticate (Port)
    This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
    SYNTAX
    web-auth re-authenticate interface interface
    interface - Specifies a port interface.
    ethernet unit/port
    unit - This is unit 1.
  • Page 672: Show Web-Auth

    show web-auth
    This command displays global web authentication parameters.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show web-auth
    Global Web-Auth Parameters
    System Auth Control : Enabled
    Session Timeout : 3600
    Quiet Period : 60
    Max Login Attempts
    Console#
    show web-auth...
    This command displays interface-specific web authentication parameters...
  • Page 673: Show Web-Auth Summary

    show web-auth summary
    This command displays a summary of web authentication port parameters and statistics.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show web-auth summary
    Global Web-Auth Parameters
    System Auth Control : Enabled
    Port Status Authenticated Host Count
    ---- ------ ------------------------...
  • Page 674: Ip Dhcp Snooping

    ip dhcp snooping
    This command enables DHCP snooping globally. Use the no form to restore the default setting.
    SYNTAX
    [no] ip dhcp snooping
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ Network traffic may be disrupted when malicious DHCP messages are...
  • Page 675

    ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
    ■ If the DHCP packet is from a client, such as a DISCOVER,...
  • Page 676: Ip Dhcp Snooping Database Flash

    ip dhcp snooping database flash
    This command writes all dynamically learned snooping entries to flash memory.
    COMMAND MODE
    Privileged Exec
    COMMAND USAGE
    This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 677

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 678: Ip Dhcp Snooping Information Policy

    ip dhcp snooping information policy
    This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
    SYNTAX
    ip dhcp snooping information policy {drop | keep | replace}
    drop - Drops the client’s request packet instead of relaying it.
  • Page 679: Ip Dhcp Snooping Vlan

    EXAMPLE
    This example enables MAC address verification.
    Console(config)#ip dhcp snooping verify mac-address
    Console(config)#
    RELATED COMMANDS
    ip dhcp snooping (674)
    ip dhcp snooping vlan (679)
    ip dhcp snooping trust (680)
    ip dhcp snooping vlan
    This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
  • Page 680: Ip Dhcp Snooping Trust

    RELATED COMMANDS
    ip dhcp snooping (674)
    ip dhcp snooping trust (680)
    ip dhcp snooping trust
    This command configures the specified interface as trusted. Use the no form to restore the default setting.
    SYNTAX
    [no] ip dhcp snooping trust
    DEFAULT SETTING...
  • Page 681: Clear Ip Dhcp Snooping Database Flash

    clear ip dhcp snooping database flash
    This command removes all dynamically learned snooping entries from flash memory.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console(config)#ip dhcp snooping database flash
    Console(config)#
    show ip dhcp snooping
    This command shows the DHCP snooping configuration settings.
    COMMAND...
  • Page 682: Ip Source Guard

    IP SOURCE GUARD
    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 683

    COMMAND USAGE
    ◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
    ◆ All static entries are configured with an infinite lease time, which is...
  • Page 684: Ip Source-Guard

    ip source-guard
    This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
    SYNTAX
    ip source-guard {sip | sip-mac}
    no ip source-guard
    sip - Filters traffic based on IP addresses stored in the binding...
  • Page 685: Ip Source-Guard Max-Binding

    ◆ Filtering rules are implemented as follows:
    ■ If DHCP snooping is disabled (see page 674), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 686: Show Ip Source-Guard

    COMMAND USAGE
    ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 687: Arp Inspection

    EXAMPLE
    Console#show ip source-guard binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    ----------------- --------------- ---------- -------------------- ---- --------
    11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5
    Console#
    ARP INSPECTION
    ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 688: Ip Arp Inspection

    Table 83: ARP Inspection Commands (Continued) (Command, Function, Mode)
    show ip arp inspection statistics - Shows statistics about the number of ARP packets processed, or dropped for various reasons
    show ip arp inspection vlan - Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation...
  • Page 689: Ip Arp Inspection Filter

    ip arp inspection filter
    This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
    SYNTAX
    ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
    arp-acl-name - Name of an ARP ACL.
  • Page 690: Ip Arp Inspection Log-Buffer Logs

    ip arp inspection log-buffer logs
    This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
    SYNTAX
    ip arp inspection log-buffer logs message-number interval seconds
    no ip arp inspection log-buffer logs...
  • Page 691: Ip Arp Inspection Validate

    ip arp inspection validate
    This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
    SYNTAX
    ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
    no ip arp inspection validate
    dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 692: Ip Arp Inspection Limit

    DEFAULT SETTING
    Disabled on all VLANs
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 693: Ip Arp Inspection Trust

    COMMAND MODE
    Interface Configuration (Port)
    COMMAND USAGE
    ◆ This command only applies to untrusted ports.
    ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip arp inspection limit 150...
  • Page 694: Show Ip Arp Inspection Configuration

    show ip arp inspection configuration
    This command displays the global configuration settings for ARP Inspection.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show ip arp inspection configuration
    ARP inspection global information:
    Global IP ARP Inspection status : disabled
    Log Message Interval : 10 s
    Log Message Number...
  • Page 695: Show Ip Arp Inspection Log

    General Security Measures: ARP Inspection. show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 696: Privileged Exec

    General Security Measures: ARP Inspection. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console#
  • Page 697: Lists

    ACCESS CONTROL LISTS. Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 698: Access-List Ip

    Access Control Lists: IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX: [no] access-list ip {standard | extended} acl-name. standard –...
  • Page 699: Permit, Deny (Standard Ip Acl)

    Access Control Lists: IPv4 ACLs. permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX: {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 700: Permit, Deny (Extended Ipv4 Acl)

    Access Control Lists: IPv4 ACLs. permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 701

    Access Control Lists: IPv4 ACLs. port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask –...
  • Page 702: Ip Access-Group

    Access Control Lists: IPv4 ACLs. EXAMPLE: This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 703: Show Ip Access-Group

    Access Control Lists: IPv4 ACLs. COMMAND USAGE: ◆ Only one ACL can be bound to a port. ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. EXAMPLE: Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 704: Ipv6 Acls

    Access Control Lists: IPv6 ACLs. EXAMPLE: Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# RELATED COMMANDS: permit, deny (699); ip access-group (702). IPv6 ACLs: The commands in this section configure ACLs based on IPv6 addresses, next header type, and flow label.
  • Page 705: Permit, Deny (Standard Ipv6 Acl)

    Access Control Lists: IPv6 ACLs. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 706: Permit, Deny (Extended Ipv6 Acl)

    Access Control Lists: IPv6 ACLs. DEFAULT SETTING: None. COMMAND MODE: Standard IPv6 ACL. COMMAND USAGE: New rules are appended to the end of the list. EXAMPLE: This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 707

    Access Control Lists: IPv6 ACLs. undefined fields. (The switch only checks the first 64 bits of the destination address.) prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 708: Show Ipv6 Access-List

    Access Control Lists: IPv6 ACLs. This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# RELATED COMMANDS: access-list ipv6 (704); Time Range (560). show ipv6 access-list: This command displays the rules for configured IPv6 ACLs. SYNTAX...
  • Page 709: Show Ipv6 Access-Group

    Access Control Lists: IPv6 ACLs. DEFAULT SETTING: None. COMMAND MODE: Interface Configuration (Ethernet). COMMAND USAGE: ◆ A port can only be bound to one ACL. ◆ If a port is already bound to an ACL and you bind it to a different ACL,...
  • Page 710: Mac Acls

    Access Control Lists: MAC ACLs. The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 711: (Mac Acl)

    Access Control Lists: MAC ACLs. RELATED COMMANDS: permit, deny (711); mac access-group (713); show mac access-list (714). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 712

    Access Control Lists: MAC ACLs. {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name]; no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}. tagged-eth2 –...
  • Page 713: Mac Access-Group

    Access Control Lists: MAC ACLs. EXAMPLE: This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# RELATED COMMANDS: access-list mac (710); Time Range (560). This command binds a MAC ACL to a port.
  • Page 714: Show Mac Access-Group

    Access Control Lists: MAC ACLs. show mac access-group: This command shows the ports assigned to MAC ACLs. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# RELATED COMMANDS: mac access-group (713). This command displays the rules for configured MAC ACLs.
  • Page 715: Arp Acls

    Access Control Lists: ARP ACLs. The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 716: Permit, Deny (Arp Acl)

    Access Control Lists: ARP ACLs. permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. SYNTAX: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 717: Show Arp Access-List

    Access Control Lists: ARP ACLs. EXAMPLE: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# RELATED COMMANDS: access-list arp (715). This command displays the rules for configured ARP ACLs.
  • Page 718: Acl Information

    Access Control Lists: ACL Information. This section describes commands used to display ACL information. Table 89: ACL Information Commands (columns: Command, Function, Mode). show access-group: Shows the ACLs assigned to each port; show access-list: Show all ACLs and associated rules. This command shows the port assignments of ACLs.
  • Page 719: Interface Commands

    INTERFACE COMMANDS. These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 90: Interface Commands (columns: Command, Function, Mode). Interface Configuration: interface: Configures an interface type and enters interface configuration mode; alias: Configures an alias name for the interface...
  • Page 720: Interface

    Interface Commands. Table 90: Interface Commands (Continued) (columns: Command, Function, Mode). Power Savings: power-save: Enables power savings mode on the specified port; show power-save: Shows the configuration settings for power savings. Enabling hardware-level storm control with this command on a port will disable software-level automatic storm control on the same port if configured by the auto-traffic-control...
  • Page 721: Alias

    Interface Commands. alias: This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX: alias string; no alias. string - A mnemonic name to help you remember what is attached to this interface.
  • Page 722: Description

    Interface Commands. DEFAULT SETTING: 100BASE-TX: 10half, 10full, 100half, 100full; 1000BASE-T: 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/LH (SFP): 1000full. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 723: Flowcontrol

    Interface Commands. COMMAND USAGE: The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 724: Media-Type

    Interface Commands. EXAMPLE: The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# RELATED COMMANDS: negotiation (725); capabilities (flowcontrol, symmetric) (721). media-type: This command forces the port type selected for combination ports 9-10. Use the no form to restore the default mode.
  • Page 725: Negotiation

    Interface Commands. negotiation: This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. SYNTAX: [no] negotiation. DEFAULT SETTING: Enabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 726: Speed-Duplex

    Interface Commands. COMMAND USAGE: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. EXAMPLE: The following example disables port 5.
  • Page 727: Switchport Packet-Rate

    Interface Commands. the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. EXAMPLE: The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# RELATED COMMANDS...
  • Page 728: Clear Counters

    Interface Commands. ◆ The rate limits set by this command are also used by automatic storm control when the control response is set to rate limiting by the auto-traffic-control action command. ◆ Using both rate limiting and storm control on the same interface may...
  • Page 729: Show Interfaces Brief

    Interface Commands. EXAMPLE: The following example clears statistics on port 5. Console#clear counters ethernet 1/5 Console# show interfaces brief: This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports. COMMAND MODE: Privileged Exec. EXAMPLE...
  • Page 730: Interface Commands

    Interface Commands. EXAMPLE: Console#show interfaces counters ethernet 1/1 Ethernet 1/ 1 ===== IF table Stats ===== 2166458 Octets Input 14734059 Octets Output 14707 Unicast Input 19806 Unicast Output 0 Discard Input 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protos Input 0 QLen Output ===== Extended Iftable Stats =====...
  • Page 731: Show Interfaces Status

    Interface Commands. show interfaces status: This command displays the status for an interface. SYNTAX: show interfaces status [interface]. interface - ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-10); port-channel channel-id (Range: 1-5); vlan vlan-id (Range: 1-4093). DEFAULT SETTING: Shows the status for all interfaces.
  • Page 732: Show Interfaces Switchport

    Interface Commands. show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. SYNTAX: show interfaces switchport [interface]. interface - ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-10); port-channel channel-id (Range: 1-5). DEFAULT SETTING: Shows all interfaces.
  • Page 733: Show Interfaces Transceiver

    Interface Commands. Table 91: show interfaces switchport - display description (Continued) (columns: Field, Description). Unknown-unicast Threshold: Shows if unknown unicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 727). LACP Status: Shows if Link Aggregation Control Protocol has been enabled or disabled (page 742).
  • Page 734: Test Cable-Diagnostics

    Interface Commands. COMMAND USAGE: The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm...
  • Page 735: Show Cable-Diagnostics

    Interface Commands. COMMAND USAGE: ◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. ◆ This cable test is only accurate for cables 7 - 140 meters long. ◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length of each cable pair.
  • Page 736: Power-Save

    Interface Commands. EXAMPLE: Console#show cable-diagnostics interface ethernet 1/10 Console#show cable-diagnostics interface e 1/10 Port Type Link Status Pair A (meters) Pair B (meters) Last Update -------- ---- ----------- ---------------- ---------------- ----------------- Eth 1/10 OK (21) OK (21) 2009-11-13 09:44:19 Console# This command enables power savings mode on the specified port.
  • Page 737: Show Power-Save

    Interface Commands. analyzes cable length to determine whether or not it can reduce the signal amplitude used on a particular link. Power-savings mode on an active link only works when the connection speed is 100 Mbps or higher at linkup, and line length is less than 60 meters.
  • Page 739: Link Aggregation Commands

    LINK AGGREGATION COMMANDS. Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 740: Port Channel Load-Balance

    Link Aggregation Commands. ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. ◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
  • Page 741

    Link Aggregation Commands. COMMAND USAGE: ◆ This command applies to all static and dynamic trunks on the switch. ◆ To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections: dst-ip: All traffic with the same destination IP address is output on...
  • Page 742: Channel-Group

    Link Aggregation Commands. channel-group: This command adds a port to a trunk. Use the no form to remove a port from a trunk. SYNTAX: channel-group channel-id; no channel-group. channel-id - Trunk index (Range: 1-5). DEFAULT SETTING: The current port will be added to this trunk. COMMAND MODE: Interface Configuration (Ethernet). COMMAND...
  • Page 743

    Link Aggregation Commands. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ If more than eight ports attached to the same target switch have LACP...
  • Page 744: Lacp Admin-Key (Ethernet Interface)

    Link Aggregation Commands. lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} admin-key key; no lacp {actor | partner} admin-key. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 745: Lacp Port-Priority

    Link Aggregation Commands. lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} port-priority priority; no lacp {actor | partner} port-priority. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 746: Lacp System-Priority

    Link Aggregation Commands. lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} system-priority priority; no lacp {actor | partner} system-priority. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 747: Show Lacp

    Link Aggregation Commands. DEFAULT SETTING. COMMAND MODE: Interface Configuration (Port Channel). COMMAND USAGE: ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 748: Table 93: Show Lacp Counters - Display Description

    Link Aggregation Commands. EXAMPLE: Console#show lacp 1 counters Port Channel: 1 ------------------------------------------------------------------------- Eth 1/ 2 ------------------------------------------------------------------------- LACPDUs Sent : 12 LACPDUs Received Marker Sent Marker Received LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 93: show lacp counters - display description (columns: Field, Description). LACPDUs Sent...
  • Page 749: Table 95: Show Lacp Neighbors - Display Description

    Link Aggregation Commands. Table 94: show lacp internal - display description (Continued) (columns: Field, Description). LACP Port Priority: LACP port priority assigned to this interface within the channel group. Admin State, Oper State: Administrative or operational values of the actor’s state parameters: Expired –...
  • Page 750: Table 96: Show Lacp Sysid - Display Description

    Link Aggregation Commands. Table 95: show lacp neighbors - display description (Continued) (columns: Field, Description). Port Admin Priority: Current administrative value of the port priority for the protocol partner. Port Oper Priority: Priority value assigned to this aggregation port by the partner. Admin Key: Current administrative value of the Key for the protocol partner.
  • Page 751: Port Mirroring Commands

    PORT MIRRORING COMMANDS. Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 752

    Port Mirroring Commands: Local Port Mirroring Commands. mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. DEFAULT SETTING: ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
  • Page 753: Show Port Monitor

    Port Mirroring Commands: Local Port Mirroring Commands. show port monitor: This command displays mirror information. SYNTAX: show port monitor [interface | vlan vlan-id | mac-address mac-address]. interface - ethernet unit/port (source port); unit - Unit identifier. (Range: 1); port - Port number.
  • Page 754: Rspan Mirroring Commands

    Port Mirroring Commands: RSPAN Mirroring Commands. Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port. Table 99: RSPAN Commands (columns: Command, Function, Mode). vlan rspan: Creates a VLAN dedicated to carrying RSPAN traffic; rspan source...
  • Page 755: Rspan Source

    Port Mirroring Commands: RSPAN Mirroring Commands. Only two mirror sessions are allowed. Both sessions can be allocated to remote mirroring, unless local mirroring is enabled (which is limited to a single session). ◆ Spanning Tree – If the spanning tree is disabled, BPDUs will not be...
  • Page 756: Rspan Destination

    Port Mirroring Commands: RSPAN Mirroring Commands. DEFAULT SETTING: Both TX and RX traffic is mirrored. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ One or more source ports can be assigned to the same RSPAN session, either on the same switch or on different switches. ◆ Only ports can be configured as an RSPAN source –...
  • Page 757: Rspan Remote Vlan

    Port Mirroring Commands: RSPAN Mirroring Commands. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. ◆ Only ports can be configured as an RSPAN destination –...
  • Page 758: No Rspan Session

    Port Mirroring Commands: RSPAN Mirroring Commands. interface - ethernet unit/port ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-10). DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured...
  • Page 759: Show Rspan

    Port Mirroring Commands: RSPAN Mirroring Commands. COMMAND USAGE: The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the vlan command). EXAMPLE: Console(config)#no rspan session 1 Console(config)# show rspan: Use this command to display the configuration settings for an RSPAN...
  • Page 761: Rate Limit Commands

    RATE LIMIT COMMANDS. This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 762

    Rate Limit Commands. by the storm control command. It is therefore not advisable to use both of these commands on the same interface. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 64 Console(config-if)# RELATED COMMAND: show interfaces switchport (732)
  • Page 763: Automatic Traffic Control Commands

    AUTOMATIC TRAFFIC CONTROL COMMANDS. Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port. Table 101: ATC Commands (columns: Command, Function, Mode). Threshold Commands: auto-traffic-control apply-timer: Sets the time at which to apply the control...
  • Page 764

    Automatic Traffic Control Commands. Table 101: ATC Commands (Continued) (columns: Command, Function, Mode). snmp-server enable port-traps atc multicast-control-apply: Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires (Mode: IC (Port)); snmp-server enable... Sends a trap when multicast traffic falls beneath...
  • Page 765: Auto-Traffic-Control Apply-Timer

    Automatic Traffic Control Commands. expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. ◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control will be stopped and a Traffic Control Release Trap sent and logged.
  • Page 766: Auto-Traffic-Control Release-Timer

    Automatic Traffic Control Commands. DEFAULT SETTING: 300 seconds. COMMAND MODE: Global Configuration. COMMAND USAGE: After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...
  • Page 767: Auto-Traffic-Control

    Automatic Traffic Control Commands. EXAMPLE: This example sets the release timer to 800 seconds for all ports. Console(config)#auto-traffic-control broadcast release-timer 800 Console(config)# auto-traffic-control: This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. SYNTAX: [no] auto-traffic-control {broadcast | multicast}. broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 768: Auto-Traffic-Control Action

    Automatic Traffic Control Commands. auto-traffic-control action: This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} action {rate-control | shutdown}; no auto-traffic-control {broadcast | multicast} action. broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 769: Auto-Traffic-Control Alarm-Clear-Threshold

    Automatic Traffic Control Commands. auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-clear-threshold threshold; no auto-traffic-control {broadcast | multicast} alarm-clear-threshold...
  • Page 770: Auto-Traffic-Control Alarm-Fire-Threshold

    Automatic Traffic Control Commands. auto-traffic-control alarm-fire-threshold: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold; no auto-traffic-control {broadcast | multicast}...
  • Page 771: Auto-Traffic-Control Auto-Control-Release

    Automatic Traffic Control Commands. auto-traffic-control auto-control-release: This command automatically releases a control response after the time specified in the auto-traffic-control release-timer command has expired. SYNTAX: auto-traffic-control {broadcast | multicast} auto-control-release. broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
  • Page 772: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Clear

    Automatic Traffic Control Commands. snmp-server enable port-traps atc broadcast-alarm-clear: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc broadcast-alarm-clear...
  • Page 773: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Apply

    Automatic Traffic Control Commands. snmp-server enable port-traps atc broadcast-control-apply: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc broadcast-control-apply...
  • Page 774: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Clear

    Automatic Traffic Control Commands. snmp-server enable port-traps atc multicast-alarm-clear: This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc multicast-alarm-clear...
  • Page 775: Snmp-Server Enable Port-Traps Atc Multicast-Control-Apply

    Automatic Traffic Control Commands. snmp-server enable port-traps atc multicast-control-apply: This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc multicast-control-apply...
  • Page 776: Show Auto-Traffic-Control

    Automatic Traffic Control Commands. show auto-traffic-control: This command shows global configuration settings for automatic storm control. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show auto-traffic-control Storm-control: Broadcast Apply-timer (sec) : 300 Release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300 Release-timer(sec) : 900 Console#...
  • Page 777: Address Table Commands

    ADDRESS TABLE COMMANDS. These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 102: Address Table Commands (columns: Command, Function, Mode). mac-address-table aging-time: Sets the aging time of the address table; mac-address-table... Maps a static address to a port in a VLAN...
  • Page 778: Mac-Address-Table Static

    Address Table Commands. EXAMPLE: Console(config)#mac-address-table aging-time 100 Console(config)# mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. SYNTAX: mac-address-table static mac-address interface interface vlan vlan-id [action]; no mac-address-table static mac-address vlan vlan-id. mac-address - MAC address.
  • Page 779: Clear Mac-Address-Table Dynamic

    Address Table Commands. EXAMPLE: Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear mac-address-table dynamic: This command removes any learned entries from the forwarding database. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#clear mac-address-table dynamic Console# This command shows classes of entries in the bridge-forwarding database.
  • Page 780: Show Mac-Address-Table Aging-Time

    ■ Learn - Dynamic address entries ■ Config - Static entry ◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit “0”...
  • Page 781: Show Mac-Address-Table Count

    show mac-address-table count: This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface. SYNTAX: show mac-address-table count interface interface. interface: ethernet unit/port; unit - Unit identifier...
  • Page 783: Spanning Tree Commands

    SPANNING TREE COMMANDS: This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 103: Spanning Tree Commands (columns: Command, Function, Mode). spanning-tree: Enables the spanning tree protocol. spanning-tree cisco-prestandard: Configures spanning tree operation to be compatible...
  • Page 784: Spanning-Tree

    Table 103: Spanning Tree Commands (Continued) (columns: Command, Function, Mode). spanning-tree loopback-detection trap: Enables BPDU loopback SNMP trap notification for a port. spanning-tree mst cost: Configures the path cost of an instance in the MST. spanning-tree mst port-priority: Configures the priority of an instance in the MST...
  • Page 785: Spanning-Tree Cisco-Prestandard

    EXAMPLE: This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree cisco-prestandard: This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting. SYNTAX: [no] spanning-tree cisco-prestandard. DEFAULT...
  • Page 786: Spanning-Tree Hello-Time

    COMMAND USAGE: This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames...
  • Page 787: Spanning-Tree Max-Age

    spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. SYNTAX: spanning-tree max-age seconds; no spanning-tree max-age. seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)]...
  • Page 788

    COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Spanning Tree Protocol: Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members...
  • Page 789: Spanning-Tree Pathcost Method

    spanning-tree pathcost method: This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. SYNTAX: spanning-tree pathcost method {long | short}; no spanning-tree pathcost method. long - Specifies 32-bit based values that range from 1-200,000,000...
  • Page 790: Spanning-Tree Mst Configuration

    COMMAND MODE: Global Configuration. COMMAND USAGE: Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device...
  • Page 791: Spanning-Tree System-Bpdu-Flooding

    spanning-tree system-bpdu-flooding: This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default...
  • Page 792: Max-Hops

    EXAMPLE: Console(config)#spanning-tree transmission-limit 4 Console(config)# max-hops: This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. SYNTAX: max-hops hop-number. hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) DEFAULT SETTING...
  • Page 793: Mst Vlan

    DEFAULT SETTING: 32768. COMMAND MODE: MST Configuration. COMMAND USAGE: ◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device...
  • Page 794: Name

    which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (page 794) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree...
  • Page 795: Spanning-Tree Bpdu-Filter

    DEFAULT SETTING. COMMAND MODE: MST Configuration. COMMAND USAGE: The MST region name (page 794) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances...
  • Page 796: Spanning-Tree Bpdu-Guard

    EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree bpdu-filter Console(config-if)# RELATED COMMANDS: spanning-tree edge-port (798). spanning-tree bpdu-guard: This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form to disable this feature. SYNTAX: [no] spanning-tree bpdu-guard...
  • Page 797: Spanning-Tree Cost

    spanning-tree cost: This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. SYNTAX: spanning-tree cost cost; no spanning-tree cost. cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)...
  • Page 798: Spanning-Tree Edge-Port

    EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree edge-port: This command specifies an interface as an edge port. Use the no form to restore the default. SYNTAX: spanning-tree edge-port [auto]; no spanning-tree edge-port. auto - Automatically determines if an interface is an edge port...
  • Page 799: Spanning-Tree Link-Type

    spanning-tree link-type: This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. SYNTAX: spanning-tree link-type {auto | point-to-point | shared}; no spanning-tree link-type. auto - Automatically derived from the duplex mode setting...
  • Page 800: Spanning-Tree Loopback-Detection Release-Mode

    COMMAND USAGE: ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). ◆ Port Loopback Detection will not be active if Spanning Tree is disabled...
  • Page 801: Spanning-Tree Loopback-Detection Trap

    ◆ When configured for manual release mode, then a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command. EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection release-mode manual Console(config-if)#...
  • Page 802: Spanning-Tree Mst Port-Priority

    shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535...
  • Page 803: Spanning-Tree Port-Bpdu-Flooding

    COMMAND USAGE: ◆ This command defines the priority for the use of an interface in the multiple spanning-tree. If the path costs for all interfaces on a switch are the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree...
  • Page 804: Spanning-Tree Port-Priority

    spanning-tree port-priority: This command configures the priority for the specified interface. Use the no form to restore the default. SYNTAX: spanning-tree port-priority priority; no spanning-tree port-priority. priority - The priority for a port. (Range: 0-240, in steps of 16) DEFAULT SETTING. COMMAND...
  • Page 805: Spanning-Tree Spanning-Disabled

    COMMAND USAGE: ◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time. ◆ When Root Guard is enabled, and the switch receives a superior BPDU...
  • Page 806: Spanning-Tree Loopback-Detection Release

    spanning-tree loopback-detection release: This command manually releases a port placed in discarding state by loopback-detection. SYNTAX: spanning-tree loopback-detection release interface. interface: ethernet unit/port; unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10); port-channel channel-id (Range: 1-5). COMMAND MODE: Privileged Exec...
  • Page 807: Show Spanning-Tree

    EXAMPLE: Console#spanning-tree protocol-migration eth 1/5 Console# show spanning-tree: This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST). SYNTAX: show spanning-tree [interface | mst instance-id]. interface...
  • Page 808: Spanning Tree Commands

    EXAMPLE: Console#show spanning-tree Spanning Tree Mode : MSTP Spanning Tree Enabled/Disabled : Enabled Instance VLANs Configured : 1-4093 Priority : 32768 Bridge Hello Time (sec.) Bridge Max. Age (sec.) : 20 Bridge Forward Delay (sec.) : 15 Root Hello Time (sec.) Root Max...
  • Page 809: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration: This command shows the configuration of the multiple spanning tree. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration Name : R&D Revision Level Instance VLANs -------------------------------------------------------------- 1-4093 Console#...
  • Page 811: Erps Commands

    ERPS COMMANDS: The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links. The mechanisms and protocol defined in G.8032 achieve highly reliable and stable protection;...
  • Page 812: Figure 303: Erps Ring Components

    and all nodes to flush their forwarding database. The ring is now in protection state, but it remains connected in a logical topology. When the failed link recovers, the traffic is kept blocked on the nodes adjacent to the recovered link...
  • Page 813: Table 106: Erps Commands

    Table 106: ERPS Commands (columns: Command, Function, Mode). erps: Enables ERPS globally on the switch. erps domain: Creates an ERPS ring and enters ERPS configuration mode. control-vlan: Adds a Control VLAN to an ERPS ring (Mode: ERPS). enable: Activates the current ERPS ring (Mode: ERPS). guard-timer...
  • Page 814: Erps

    Configure the ERPS Control VLAN (CVLAN): Use the control-vlan command to create the VLAN used to pass R-APS ring maintenance commands. The CVLAN must NOT be configured with an IP address. In addition, only ring ports may be added to the CVLAN (prior to configuring the VLAN as a CVLAN)...
  • Page 815: Erps Domain

    erps domain: This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring. SYNTAX: [no] erps domain name. name - Name of a specific ERPS ring. (Range: 1-32 characters) DEFAULT SETTING: None...
  • Page 816: Enable

    enable command to stop the ERPS ring before making any configuration changes to the control VLAN. EXAMPLE: Console(config)#vlan database Console(config-vlan)#vlan 2 name rdc media ethernet state active Console(config-vlan)#exit Console(config)#interface ethernet 1/12 Console(config-if)#switchport allowed vlan add 2 tagged Console(config-if)#interface ethernet 1/11 Console(config-if)#switchport allowed vlan add 2 tagged Console(config-if)#exit...
  • Page 817: Guard-Timer

    guard-timer: This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting. SYNTAX: guard-timer milliseconds. milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages...
  • Page 818: Major-Domain

    server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero...
  • Page 819: Meg-Level

    meg-level: This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting. SYNTAX: meg-level level. level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information...
  • Page 820: Propagate-Tc

    EXAMPLE: Console(config-erps)#node-id 00-12-CF-61-24-2D Console(config-erps)# propagate-tc: This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature. SYNTAX: [no] propagate-tc. DEFAULT SETTING: Disabled. COMMAND MODE: ERPS Configuration. COMMAND USAGE...
  • Page 821: Ring-Port

    ring-port: This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. SYNTAX: ring-port {east | west} interface. east - Connects to next ring node to the east. west - Connects to next ring node to the west...
  • Page 822: Wtr-Timer

    ◆ The east and west connections to the ring must be specified for all ring nodes using the ring-port command. When this switch is configured as the RPL owner, the west ring port is set as being connected to the RPL. EXAMPLE: Console(config-erps)#rpl owner Console(config-erps)#...
  • Page 823: Table 107: Show Erps - Summary Display Description

    EXAMPLE: This example displays a summary of all the ERPS rings configured on the switch. Console#show erps ERPS Status : Enabled Number of ERPS Domains Domain State MEL Enabled West East RPL Owner Ctrl VLAN ------------ ---------- --- ------- -------- -------- --------- --------- Idle 0 Yes Eth 1/12 Eth 1/10 Yes...
  • Page 824: Table 108: Show Erps Domain - Detailed Display Description

    WTR Timer : 5 minutes Control VLAN Propagate TC : Disabled Console# Table 108: show erps domain - detailed display description (columns: Field, Description). Domain Name: The ERPS ring name. Admin Status: Shows if the specified ring is enabled. MEG Level: The maintenance entity group (MEG) level providing a communication channel for ring automatic protection switching...
  • Page 825: Vlan Commands

    VLAN COMMANDS: A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface...
  • Page 826: Gvrp And Bridge Extension Commands

    GVRP AND BRIDGE EXTENSION COMMANDS: GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB...
  • Page 827: Garp Timer

    garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. SYNTAX: garp timer {join | leave | leaveall} timer-value; no garp timer {join | leave | leaveall}. {join | leave | leaveall} - Timer to set...
  • Page 828: Switchport Forbidden Vlan

    switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. SYNTAX: switchport forbidden vlan {add vlan-list | remove vlan-list}; no switchport forbidden vlan. add vlan-list - List of VLAN identifiers to add...
  • Page 829: Show Bridge-Ext

    EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext: This command shows the configuration for bridge extension commands. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: See "Displaying Bridge Extension Capabilities" on page 103 for a description of the displayed items...
  • Page 830: Show Gvrp Configuration

    Editing VLAN Groups | EXAMPLE: Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP Timer Status: Join Timer : 20 centiseconds Leave Timer : 60 centiseconds Leave All Timer : 1000 centiseconds Console# RELATED COMMANDS: garp timer (827). This command shows if GVRP is enabled...
  • Page 831: Vlan Database

    vlan database: This command enters VLAN database mode. All commands in this mode will take effect immediately. DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Use the VLAN database command mode to add, change, and delete...
  • Page 832: Configuring Vlan Interfaces

    Configuring VLAN Interfaces | VLAN 1 (the switch’s default VLAN), nor VLAN 4093 (the VLAN used for switch clustering). For more information on configuring RSPAN through the CLI, see "RSPAN Mirroring Commands" on page 754. DEFAULT SETTING: By default only VLAN 1 exists and is active...
  • Page 833: Interface Vlan

    Table 112: Commands for Configuring VLAN Interfaces (Continued) (columns: Command, Function, Mode). switchport ingress-filtering: Enables ingress filtering on an interface. switchport mode: Configures VLAN membership mode for an interface. switchport native vlan: Configures the PVID (native VLAN) of an interface. switchport priority default: Sets a port priority for incoming untagged frames. vlan-trunking...
  • Page 834: Switchport Acceptable-Frame-Types

    switchport acceptable-frame-types: This command configures the acceptable frame types for a port. Use the no form to restore the default. SYNTAX: switchport acceptable-frame-types {all | tagged}; no switchport acceptable-frame-types. all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames...
  • Page 835: Switchport Ingress-Filtering

    DEFAULT SETTING: All ports are assigned to VLAN 1 by default. The default frame type is untagged. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ A port, or a trunk with switchport mode set to hybrid, must be...
  • Page 836: Switchport Mode

    COMMAND USAGE: ◆ Ingress filtering only affects tagged frames. ◆ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port)...
  • Page 837: Switchport Native Vlan

    EXAMPLE: The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)# RELATED COMMANDS: switchport acceptable-frame-types (834). This command configures the PVID (i.e., default VLAN ID) for a port...
  • Page 838: Vlan-Trunking

    vlan-trunking: This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature. SYNTAX: [no] vlan-trunking. DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: Use this command to configure a tunnel across one or more...
  • Page 839: Displaying Vlan Information

    Displaying VLAN Information | enabled. (In other words, VLAN trunking will still be effectively enabled for the unknown VLAN). EXAMPLE: The following example enables VLAN trunking on ports 9 and 10 to establish a path across the switch for unknown VLAN groups: Console(config)#interface ethernet 1/9 Console(config-if)#vlan-trunking Console(config-if)#interface ethernet 1/10...
  • Page 840: Configuring Ieee 802.1Q Tunneling

    Console#show vlan id 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Console# CONFIGURING IEEE 802.1Q TUNNELING...
  • Page 841: Dot1Q-Tunnel System-Tunnel-Control

    Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan). Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan)...
  • Page 842: Switchport Dot1Q-Tunnel Mode

    switchport dot1q-tunnel mode: This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. SYNTAX: switchport dot1q-tunnel mode {access | uplink}; no switchport dot1q-tunnel mode. access –...
  • Page 843: Switchport Dot1Q-Tunnel Service Match Cvid

    switchport dot1q-tunnel service match cvid: This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry. SYNTAX: switchport dot1q-tunnel service svid match cvid cvid [remove-ctag]. svid - VLAN ID for the outer VLAN tag (Service Provider VID)...
  • Page 844: Switchport Dot1Q-Tunnel Tpid

    EXAMPLE: This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2 Console(config-if)# In the following examples, ports 1 and 2 are configured as follows: Port 1 = Access, PVID = 100, VLAN = 100(u), 101(u)...
  • Page 845: Show Dot1Q-Tunnel

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames...
  • Page 846: Configuring Port-Based Traffic Segmentation

    Configuring Port-based Traffic Segmentation | Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/3 is Normal mode, TPID is 0x8100...
  • Page 847: Show Traffic-Segmentation

    DEFAULT SETTING: Disabled globally. No segmented port groups are defined. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s)...
  • Page 848: Configuring Protocol-Based Vlans

    Ethernet 1/8 Console# CONFIGURING PROTOCOL-BASED VLANS: The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol...
  • Page 849: Protocol-Vlan Protocol-Group (Configuring Groups)

    protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. SYNTAX: protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]; no protocol-vlan protocol-group group-id. group-id - Group identifier of this protocol group...
  • Page 850: Show Protocol-Vlan Protocol-Group

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN...
  • Page 851: Show Interfaces Protocol-Vlan Protocol-Group

    EXAMPLE: This shows protocol group 1 configured for IP over Ethernet: Console#show protocol-vlan protocol-group Protocol Group ID Frame Type Protocol Type ------------------ ------------- --------------- ethernet 08 00 Console# show interfaces protocol-vlan protocol-group: This command shows the mapping from protocol groups to VLANs for the selected interfaces...
  • Page 852: Configuring Ip Subnet Vlans

    CONFIGURING IP SUBNET VLANS: When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table...
  • Page 853: Show Subnet-Vlan

    mapping is found, the PVID of the receiving port is assigned to the frame. ◆ The IP subnet cannot be a broadcast or multicast IP address. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are...
  • Page 854: Configuring Mac Based Vlans

    CONFIGURING MAC BASED VLANS: When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table...
  • Page 855: Show Mac-Vlan

    Configuring Voice VLANs | ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. EXAMPLE: The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10...
  • Page 856: Voice Vlan

    Table 119: Voice VLAN Commands (Continued) (columns: Command, Function, Mode). switchport voice vlan rule: Sets the automatic VoIP traffic detection method for ports. switchport voice vlan security: Enables Voice VLAN security on ports. show voice vlan: Displays Voice VLAN settings. voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN...
  • Page 857: Voice Vlan Aging

    voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default. SYNTAX: voice vlan aging minutes; no voice vlan. minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) DEFAULT SETTING...
  • Page 858: Switchport Voice Vlan

    COMMAND USAGE: ◆ VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP...
  • Page 859: Switchport Voice Vlan Priority

    EXAMPLE: The following example sets port 1 to Voice VLAN auto mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan auto Console(config-if)# switchport voice vlan priority: This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port...
  • Page 860: Switchport Voice Vlan Security

    DEFAULT SETTING: OUI: Enabled; LLDP: Disabled. COMMAND MODE: Interface Configuration. COMMAND USAGE: ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command...
  • Page 861: Show Voice Vlan

    EXAMPLE: The following example enables security filtering on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan security Console(config-if)# show voice vlan: This command displays the Voice VLAN settings on the switch and the OUI Telephony list...
  • Page 863: Class Of Service Commands

    CLASS OF SERVICE COMMANDS: The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port...
  • Page 864: Queue Mode

    Priority Commands (Layer 2) | queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing...
  • Page 865: Queue Weight

    ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
  • Page 866: Switchport Priority Default

    Example
    The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3.
      Console(config)#queue weight 1 2 3 4
      Console(config)#
    Related Commands
      queue mode (864)
      show queue weight (867)
  • Page 867: Show Queue Mode

    Example
    The following example shows how to set a default priority on port 3 to 5:
      Console(config)#interface ethernet 1/3
      Console(config-if)#switchport priority default 5
      Console(config-if)#
    Related Commands
      show interfaces switchport (732)
    show queue mode: This command shows the current queue mode.
  • Page 868: Priority Commands (Layer 3 And 4)

    Chapter | Class of Service Commands: Priority Commands (Layer 3 and 4)
    Priority Commands (Layer 3 and 4)
    This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
    Table 122: Priority Commands (Layer 3 and 4)
      Command | Function | Mode...
  • Page 869: Table 123: Default Mapping Of Cos/Cfi To Internal Phb/Drop Precedence

    Default Setting
    Table 123: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
      (0,0) (0,0)
      (1,0) (1,0)
      (2,0) (2,0)
      (3,0) (3,0)
      (4,0) (4,0)
      (5,0) (5,0)
      (6,0) (6,0)
      (7,0) (7,0)
    Command Mode
      Interface Configuration (Port, Static Aggregation)
    Command...
  • Page 870: Qos Map Dscp-Mutation

    qos map dscp-mutation: This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
    Syntax
      qos map dscp-mutation phb drop-precedence from dscp0 ...
  • Page 871: Qos Map Phb-Queue

    map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
    ◆ Random Early Detection starts dropping yellow and red packets when...
  • Page 872: Qos Map Trust-Mode

    Example
      Console(config)#interface ethernet 1/5
      Console(config-if)#qos map phb-queue 0 from 1 2 3
      Console(config-if)#
    qos map trust-mode: This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
  • Page 873: Show Qos Map Dscp-Mutation

    show qos map dscp-mutation: This command shows the ingress DSCP to internal DSCP map.
    Syntax
      show qos map dscp-mutation interface interface
      interface
        ethernet unit/port
          unit - Unit identifier. (Range: 1)
          port - Port number.
  • Page 874: Show Qos Map Cos-Dscp

    Command Mode
      Privileged Exec
    Example
      Console#show qos map phb-queue interface ethernet 1/5
      Information of Eth 1/5
      phb-queue map:
      phb:
      -------------------------------------------------------
      queue:
      Console#
    show qos map cos-dscp: This command shows ingress CoS/CFI to internal DSCP map.
    Syntax...
  • Page 875: Show Qos Map Trust-Mode

    show qos map trust-mode: This command shows the QoS mapping mode.
    Syntax
      show qos map trust-mode interface interface
      interface
        ethernet unit/port
          unit - Unit identifier. (Range: 1)
          port - Port number.
  • Page 877: Quality Of Service Commands

    Quality of Service Commands
    The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 878: Class-Map

    Chapter | Quality of Service Commands
    To create a service policy for a specific category of ingress traffic, follow these steps:
      1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
      2. Use the match command to select a specific type of traffic based on an...
  • Page 879: Description

    Command Usage
    ◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. One or more class maps can be assigned to a policy map (page 881).
  • Page 880: Match

    match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
    Syntax
      [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
        acl-name - Name of the access control list.
  • Page 881: Rename

    This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
      Console(config)#class-map rd-class#2 match-any
      Console(config-cmap)#match ip precedence 5
      Console(config-cmap)#
    This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
  • Page 882: Class

    Command Usage
    ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
    ◆ A policy map can contain multiple class statements that can be applied...
  • Page 883: Police Flow

      ■ set ip dscp command sets the IP DSCP value in matching packets. (This modifies packet priority in the IP header.)
      ■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
    Up to 16 classes can be included in a policy map.
  • Page 884

    Command Mode
      Policy Map Class Configuration
    Command Usage
    ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
    ◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
    ◆ Policing is based on a token bucket, where bucket depth (i.e., the...
  • Page 885: Police Srtcm-Color

    police srtcm-color: This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
    Syntax
      [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}...
  • Page 886

    ◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE).
    ◆ The PHB label is composed of five bits, three bits for per-hop behavior,...
  • Page 887: Police Trtcm-Color

    Example
    This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst...
  • Page 888

      violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.)
      drop - Drops packet as required by exceed-action or violate-action.
      transmit - Transmits without taking any action.
  • Page 889: Set Cos

    When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:
      ■ If Tp(t)-B < 0, the packet is red, else
      ■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else...
  • Page 890: Set Ip Dscp

    Command Usage
    ◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
    ◆ The set cos and set phb command function at the same level of...
  • Page 891: Set Phb

    Command Usage
    The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets.
    Example
    This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,”...
  • Page 892: Service-Policy

    Example
    This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 893: Show Class-Map

    show class-map: This command displays the QoS class maps which define matching criteria used for classifying traffic.
    Syntax
      show class-map [class-map-name]
        class-map-name - Name of the class map. (Range: 1-32 characters)
    Default Setting
      Displays all class maps.
    Command Mode
      Privileged Exec
    Example...
  • Page 894: Show Policy-Map Interface

      Description:
      class rd-class
      set phb 3
      Console#show policy-map rd-policy class rd-class
      Policy Map rd-policy
      class rd-class
      set phb 3
      Console#
    show policy-map interface: This command displays the service policy assigned to the specified interface.
    Syntax
      show policy-map interface interface input
      interface...
  • Page 895: Commands

    Multicast Filtering Commands
    This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 896

    Chapter | Multicast Filtering Commands: IGMP Snooping
    Table 128: IGMP Snooping Commands (Continued)
      Command | Function | Mode
      ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into the attached VLAN
      ip igmp snooping unsolicited-report-interval | Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled)
      ip igmp snooping version...
  • Page 897: Ip Igmp Snooping

    ip igmp snooping: This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it.
    Syntax
      [no] ip igmp snooping [vlan vlan-id]
        vlan-id - VLAN ID (Range: 1-4093)
    Default Setting
      Enabled...
  • Page 898: Ip Igmp Snooping Proxy-Reporting

    Example
      Console(config)#ip igmp snooping priority 6
      Console(config)#
    Related Commands
      show ip igmp snooping (912)
    ip igmp snooping proxy-reporting: This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
    Syntax
      [no] ip igmp snooping proxy-reporting...
  • Page 899: Ip Igmp Snooping Querier

    ip igmp snooping querier: This command enables the switch as an IGMP querier. Use the no form to disable it.
    Syntax
      [no] ip igmp snooping querier
    Default Setting
      Enabled
    Command Mode
      Global Configuration
    Command Usage
    ◆ IGMP snooping querier is not supported for IGMPv3 snooping (see...
  • Page 900: Ip Igmp Snooping Router-Port-Expire-Time

    (such as when using proxy routing), it should ignore version 2 or 3 queries that do not contain the Router Alert option.
    Example
      Console(config)#ip igmp snooping router-alert-option-check
      Console(config)#
    ip igmp snooping router-port-expire-time: This command configures the querier time out. Use the no form to restore the default.
  • Page 901

    Command Usage
    ◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change.
  • Page 902: Ip Igmp Snooping Tcn-Query-Solicit

    ip igmp snooping tcn-query-solicit: This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
    Syntax
      [no] ip igmp snooping tcn-query-solicit
    Default...
  • Page 903: Ip Igmp Snooping Unsolicited-Report-Interval

    any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
    Example
      Console(config)#ip igmp snooping unregistered-data-flood
      Console(config)#
    ip igmp snooping unsolicited-report-interval: This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled.
  • Page 904: Ip Igmp Snooping Version

    ip igmp snooping version: This command configures the IGMP snooping version. Use the no form to restore the default.
    Syntax
      ip igmp snooping [vlan vlan-id] version {1 | 2 | 3}
      no ip igmp snooping version
        vlan-id - VLAN ID (Range: 1-4093)
        1 - IGMP Version 1
        2 - IGMP Version 2...
  • Page 905: Ip Igmp Snooping Vlan General-Query-Suppression

    Default Setting
      Global: Disabled
      VLAN: Disabled
    Command Mode
      Global Configuration
    Command Usage
    ◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
  • Page 906: Ip Igmp Snooping Vlan Immediate-Leave

    ip igmp snooping vlan immediate-leave: This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
    Syntax
      [no] ip igmp snooping vlan vlan-id immediate-leave...
  • Page 907: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    ip igmp snooping vlan last-memb-query-count: This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
  • Page 908: Ip Igmp Snooping Vlan Mrd

    Command Usage
    ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.
  • Page 909: Ip Igmp Snooping Vlan Proxy-Address

    messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
    ◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
  • Page 910: Ip Igmp Snooping Vlan Proxy-Query-Interval

    Example
    The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
      Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
      Console(config)#
    ip igmp snooping vlan proxy-query-interval: This command configures the interval between sending IGMP proxy general queries.
  • Page 911: Ip Igmp Snooping Vlan Proxy-Query-Resp-Intvl

    ip igmp snooping vlan proxy-query-resp-intvl: This command configures the maximum time the system waits for a response to proxy general queries. Use the no form to restore the default.
    Syntax
      ip igmp snooping vlan vlan-id proxy-query-resp-intvl interval
      no ip igmp snooping vlan vlan-id proxy-query-resp-intvl
        vlan-id - VLAN ID (Range: 1-4093)
        interval - The maximum time the system waits for a response to...
  • Page 912: Show Ip Igmp Snooping

    Command Usage
    ◆ Static multicast entries are never aged out.
    ◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
  • Page 913: Show Ip Igmp Snooping Group

      Proxy reporting : Using global status (Enabled)
      Multicast Router Discovery : Enabled
    show ip igmp snooping group: This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
  • Page 914: Static Multicast Routing

    Chapter | Multicast Filtering Commands: Static Multicast Routing
    Static Multicast Routing
    This section describes commands used to configure static multicast routing on the switch.
    Table 129: Static Multicast Interface Commands
      Command | Function | Mode
      ip igmp snooping vlan mrouter | Adds a multicast router port
      show ip igmp snooping | Shows multicast router ports...
  • Page 915: Show Ip Igmp Snooping Mrouter

    Chapter | Multicast Filtering Commands: IGMP Filtering and Throttling
    show ip igmp snooping mrouter: This command displays information on statically configured and dynamically learned multicast router ports.
    Syntax
      show ip igmp snooping mrouter [vlan vlan-id]
        vlan-id - VLAN ID (Range: 1-4093)
    Default Setting
      Displays multicast router ports for all configured VLANs.
  • Page 916: Ip Igmp Filter (Global Configuration)

    Table 130: IGMP Filtering and Throttling Commands (Continued)
      Command | Function | Mode
      ip igmp max-groups action | Sets the IGMP throttling action for an interface
      show ip igmp filter | Displays the IGMP filtering status
      show ip igmp profile | Displays IGMP profiles and settings
      show ip igmp throttle...
  • Page 917: Ip Igmp Profile

    ip igmp profile: This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.
    Syntax
      [no] ip igmp profile profile-number
        profile-number - An IGMP filter profile number.
  • Page 918: Range

    Example
      Console(config)#ip igmp profile 19
      Console(config-igmp-profile)#permit
      Console(config-igmp-profile)#
    range: This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
    Syntax
      [no] range low-ip-address [high-ip-address]
        low-ip-address - A valid IP address of a multicast group or start of a group range.
  • Page 919: Ip Igmp Max-Groups

    Command Usage
    ◆ The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface.
    ◆ Only one profile can be assigned to an interface...
  • Page 920: Ip Igmp Max-Groups Action

    ip igmp max-groups action: This command sets the IGMP throttling action for an interface on the switch.
    Syntax
      ip igmp max-groups action {replace | deny}
        replace - The new multicast group replaces an existing group.
        deny - The new multicast group join report is dropped.
  • Page 921: Show Ip Igmp Profile

    Example
      Console#show ip igmp filter
      IGMP filter enabled
      Console#show ip igmp filter interface ethernet 1/1
      Ethernet 1/1 information
      ---------------------------------
      IGMP Profile 19
      Deny
      range 239.1.1.1 239.1.1.1
      range 239.2.3.1 239.2.3.100
      Console#
    show ip igmp profile: This command displays IGMP filtering profiles created on the switch.
    Syntax
      show ip igmp profile [profile-number]...
  • Page 922: Multicast Vlan Registration

    Chapter | Multicast Filtering Commands: Multicast VLAN Registration
    Default Setting
      None
    Command Mode
      Privileged Exec
    Command Usage
    Using this command without specifying an interface displays all interfaces.
    Example
      Console#show ip igmp throttle interface ethernet 1/1
      1/1 Information
      Status : TRUE
      Action : Deny
      Max Multicast Groups : 32
      Current Multicast Groups : 0
      Console#
  • Page 923: Mvr

    This command enables Multicast VLAN Registration (MVR) globally on the switch. Use the no form of this command to globally disable MVR.
    Syntax
      [no] mvr
    Default Setting
      Disabled
    Command Mode
      Global Configuration
    Command Usage
    Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
  • Page 924: Mvr Priority

    ◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
    ◆ IGMP snooping and MVR can share a maximum number of 1024...
  • Page 925: Mvr Upstream-Source-Ip

    mvr upstream-source-ip: This command configures the source IP address assigned to all MVR control packets sent upstream on the specified domain. Use the no form to restore the default setting.
    Syntax
      mvr upstream-source-ip source-ip-address
      no mvr upstream-source-ip
        source-ip-address –...
  • Page 926: Mvr Immediate-Leave

    command, but MVR receiver ports should not be statically configured as members of this VLAN.
    Example
      Console(config)#mvr vlan 228
      Console(config)#
    mvr immediate-leave: This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 927: Mvr Type

    mvr type: This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings.
    Syntax
      [no] mvr type {receiver | source}
        receiver - Configures the interface as a subscriber port that can receive multicast data.
  • Page 928: Mvr Vlan Group

    mvr vlan group: This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
    Syntax
      [no] mvr vlan vlan-id group ip-address
        vlan-id - Receiver VLAN to which the specified multicast traffic is...
  • Page 929: Show Mvr

    show mvr: This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
  • Page 930: Table 132: Show Mvr - Display Description

    Table 132: show mvr - display description
      Field | Description
      MVR Config Status | Shows if MVR is globally enabled on the switch.
      MVR Running Status | Indicates whether or not all necessary conditions in the MVR environment are satisfied.
  • Page 931: Table 134: Show Mvr Members - Display Description

    The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
      Console#show mvr members
      MVR Forwarding Entry Count:1
      Group Address Source Address VLAN Forwarding Port
      ------------- -------------- ---- --------------
      225.0.0.9...
  • Page 933: Lldp Commands

    LLDP Commands
    Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 934

    Chapter | LLDP Commands
    Table 135: LLDP Commands (Continued)
      Command | Function | Mode
      lldp basic-tlv system-name | Configures an LLDP-enabled port to advertise its system name
      lldp dot1-tlv proto-ident | Configures an LLDP-enabled port to advertise the supported protocols
      lldp dot1-tlv proto-vid | Configures an LLDP-enabled port to advertise port-based protocol related VLAN information
      lldp dot1-tlv pvid...
  • Page 935: Lldp

    lldp: This command enables LLDP globally on the switch. Use the no form to disable LLDP.
    Syntax
      [no] lldp
    Default Setting
      Enabled
    Command Mode
      Global Configuration
    Example
      Console(config)#lldp
      Console(config)#
    lldp holdtime-...: This command configures the time-to-live (TTL) value sent in LLDP advertisements.
  • Page 936: Lldp Med-Fast-Start-Count

    lldp med-fast-start-count: This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
    Syntax
      lldp med-fast-start-count packets
        seconds - Amount of packets. (Range: 1-10 packets; Default: 4 packets)
    Default Setting...
  • Page 937: Lldp Refresh-Interval

    should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
    Example
      Console(config)#lldp notification-interval 30
      Console(config)#
    lldp refresh-interval: This command configures the periodic transmit interval for LLDP advertisements.
  • Page 938: Lldp Tx-Delay

    Command Mode
      Global Configuration
    Command Usage
    When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
    Example
      Console(config)#lldp reinit-delay 10
      Console(config)#
    lldp tx-delay: This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 939: Lldp Admin-Status

    lldp admin-status: This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
    Syntax
      lldp admin-status {rx-only | tx-only | tx-rx}
      no lldp admin-status
        rx-only - Only receive LLDP PDUs.
  • Page 940: Lldp Basic-Tlv Port-Description

    enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
    ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
  • Page 941: Lldp Basic-Tlv System-Capabilities

    lldp basic-tlv system-capabilities: This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
    Syntax
      [no] lldp basic-tlv system-capabilities
    Default Setting
      Enabled
    Command Mode
      Interface Configuration (Ethernet, Port Channel)
    Command Usage
    The system capabilities identifies the primary function(s) of the system and...
  • Page 942: Lldp Basic-Tlv System-Name

    lldp basic-tlv system-name: This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
    Syntax
      [no] lldp basic-tlv system-name
    Default Setting
      Enabled
    Command Mode
      Interface Configuration (Ethernet, Port Channel)
    Command Usage
    The system name is taken from the sysName object in RFC 3418, which...
  • Page 943: Lldp Dot1-Tlv Proto-Vid

    lldp dot1-tlv proto-vid: This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature.
    Syntax
      [no] lldp dot1-tlv proto-vid
    Default Setting
      Enabled
    Command Mode
      Interface Configuration (Ethernet, Port Channel)
    Command Usage
    This option advertises the port-based protocol VLANs configured on this...
  • Page 944: Lldp Dot1-Tlv Vlan-Name

    lldp dot1-tlv vlan-name: This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
    Syntax
      [no] lldp dot1-tlv vlan-name
    Default Setting
      Enabled
    Command Mode
      Interface Configuration (Ethernet, Port Channel)
    Command Usage
    This option advertises the name of all VLANs to which this interface has...
  • Page 945: Lldp Dot3-Tlv Mac-Phy

    lldp dot3-tlv mac-phy: This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.
    Syntax
      [no] lldp dot3-tlv mac-phy
    Default Setting
      Enabled
    Command Mode
      Interface Configuration (Ethernet, Port Channel)
    Command Usage
    This option advertises MAC/PHY configuration/status which includes...
  • Page 946: Lldp Med-Location Civic-Addr

    lldp med-location civic-addr: This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.
    Syntax
      lldp med-location civic-adr [[country country-code] | [what device-type] | [ca-type ca-value]]
      no lldp med-location civic-adr [[country] | [what] | [ca-type]]
        country-code –...
  • Page 947: Lldp Med-Notification

    Table 136: LLDP MED Location CA Types (Continued)
      CA Type | Description | CA Value Example
      Street suffix or type | Avenue
      House number
      House number suffix
      Landmark or vanity address | Tech Center
      Unit (apartment, suite) | Apt 519
      Floor
      Room | 509B
    Any number of CA type and value pairs can be specified for the civic...
  • Page 948: Lldp Med-Tlv Inventory

    Command Usage
    ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
  • Page 949: Lldp Med-Tlv Location

    lldp med-tlv location: This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
    Syntax
      [no] lldp med-tlv location
    Default Setting
      Enabled
    Command Mode
      Interface Configuration (Ethernet, Port Channel)
    Command Usage
    This option advertises location identification details.
  • Page 950: Lldp Med-Tlv Network-Policy

    lldp med-tlv network-policy
    This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
    Syntax: [no] lldp med-tlv network-policy
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: This option advertises network policy configuration information, aiding in...
  • Page 951: Show Lldp Config

    An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
    Example:
    Console(config)#interface ethernet 1/1
    Console(config-if)#lldp notification
    Console(config-if)#
    show lldp config
    This command shows LLDP configuration settings for all ports.
    Syntax: show lldp config [detail interface]...
  • Page 952: Show Lldp Info Local-Device

    Console#show lldp config detail ethernet 1/1
    LLDP Port Configuration Detail
    Port : Eth 1/1
    Admin Status : Tx-Rx
    Notification Enabled : True
    Basic TLVs Advertised:
    port-description
    system-name
    system-description
    system-capabilities
    management-ip-address
    802.1 specific TLVs Advertised:
    *port-vid
    *vlan-name
    *proto-vlan
    *proto-ident
    802.3 specific TLVs Advertised:...
  • Page 953: Show Lldp Info Remote-Device

    Console#show lldp info local-device
    LLDP Local System Information
    Chassis Type : MAC Address
    Chassis ID : 00-01-02-03-04-05
    System Name
    System Description : ES3510MA-DC
    System Capabilities Support : Bridge
    System Capabilities Enable : Bridge
    Management Address : 192.168.0.101 (IPv4)
    LLDP Port Information...
  • Page 954

    Chassis ID : 70-72-CF-18-B7-E0
    Port ID Type : MAC Address
    Port ID : 70-72-CF-18-B7-E1
    System Name
    System Description : ES3510MA-DC
    Port Description : Ethernet Port on unit 0, port 1
    SystemCapSupported : Bridge
    SystemCapEnabled : Bridge
    Remote Management Address : 192.168.0.5 (IPv4)
  • Page 955: Show Lldp Info Statistics

    show lldp info statistics
    This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
    Syntax: show lldp info statistics [detail interface]
    detail - Shows configuration summary.
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
  • Page 957: Cfm Commands

    CFM Commands
    Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
  • Page 958: Figure 305: Single Cfm Maintenance Domain

    Chapter | CFM Commands
    ◆ Maintenance End Points (MEPs) which provide full CFM access to a Service Instance (i.e., a specific MA), and Maintenance Intermediate Points (MIPs) which are passive entities that merely validate received CFM messages, or respond to link trace and loop back requests. MIPs are the interconnection points that make up all possible paths between the DSAPs within an MA, and may also include interconnection points in lower-level domains if exposed by CFM settings.
  • Page 959: Figure 306: Multiple Cfm Maintenance Domains

    Figure 306: Multiple CFM Maintenance Domains (figure labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA)
    Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
  • Page 960: Table 137: Cfm Commands

    SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
  • Page 961

    Table 137: CFM Commands (Continued)
    Command | Function | Mode
    show ethernet cfm maintenance-points remote detail | Displays detailed CFM information about a specified remote MEP in the continuity check database |
    Continuity Check Operations
    ethernet cfm cc ma interval | Sets the transmission delay between continuity check messages |
    ethernet cfm cc enable...
  • Page 962

    Table 137: CFM Commands (Continued)
    Command | Function | Mode
    Loopback Operations
    ethernet cfm loopback | Sends CFM loopback messages to a MAC address for a MEP or MIP |
    Fault Generator Operations
    mep fault-notify lowest-priority | Sets the lowest priority defect that is allowed to generate a fault alarm |
    mep fault-notify alarm-...
  • Page 963: Ethernet Cfm Ais Level

    messages are sent (page 980), or setting the start-up delay for the cross-check operation (page 986). You can also enable SNMP traps for events discovered by continuity check messages (page 982) or cross-check messages (page 986).
  • Page 964: Ethernet Cfm Ais Ma

    ethernet cfm ais ma
    This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.
    Syntax: [no] ethernet cfm ais md domain-name ma ma-name
    domain-name –...
  • Page 965: Ethernet Cfm Ais Period

    ethernet cfm ais period
    This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.
    Syntax: ethernet cfm ais period period md domain-name ma ma-name
    no ethernet cfm ais period md domain-name ma ma-name
    period –...
  • Page 966: Ethernet Cfm Domain

    Command Usage:
    ◆ For multipoint connectivity, a MEP cannot determine the specific maintenance level entity that has encountered defect conditions upon receiving a frame with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information.
  • Page 967

    pass, and only if a maintenance end point (MEP) is created at some lower MA Level.
    none – No MIP can be created for any MA configured in this domain.
    Default Setting: No maintenance domains are configured. No MIPs are created for any MA in the specified domain.
  • Page 968: Ethernet Cfm Enable

    Also note that MEPs are active agents which can initiate continuity check messages (CCMs), transmit loop back or link trace messages, and maintain the local CCM database. MIPs, on the other hand, are passive agents which can only validate received CFM messages, and respond to loop back and link trace messages.
  • Page 969: Ma Index Name Vlan

    ma index name vlan
    This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA.
  • Page 970: Ma Index Name-Format

    Example:
    This example creates a maintenance association, binds it to VLAN 1, and allows MIPs to be created within this MA using the default method.
    Console(config)#ethernet cfm domain index 1 name voip level 3
    Console(config-ether-cfm)#ma index 1 name rd vlan 1 mip-creation default
    Console(config-ether-cfm)#
    This command specifies the name format for the maintenance association ma index name-...
  • Page 971: Ethernet Cfm Mep

    ethernet cfm mep
    This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP.
    Syntax: ethernet cfm mep mpid mpid md domain-name ma ma-name [up]
    no ethernet cfm mep mpid mpid ma ma-name...
  • Page 972: Ethernet Cfm Port-Enable

    ethernet cfm port-enable
    This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface.
    Syntax: [no] ethernet cfm port-enable
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: An interface must be enabled before a MEP can be created with the...
  • Page 973: Show Ethernet Cfm Configuration

    Command Usage: This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved.
    Example:
    This example clears AIS defect entries on port 1.
    Console#clear ethernet cfm ais mpid 1 md voip ma rd
    Console(config)#
    This command displays CFM configuration settings, including global...
  • Page 974: Table 138: Show Ethernet Cfm Configuration Traps - Display Description

    This example shows the configuration status for continuity check and cross-check traps.
    Console#show ethernet cfm configuration traps
    CC MEP Up Trap :Disabled
    CC MEP Down Trap :Disabled
    CC Configure Trap :Disabled
    CC Loop Trap :Disabled
    Cross Check MEP Unknown Trap :Disabled
    Cross Check MEP Missing Trap :Disabled
    Cross Check MA Up :Disabled...
  • Page 975: Show Ethernet Cfm Md

    show ethernet cfm md
    This command displays the configured maintenance domains.
    Syntax: show ethernet cfm md [level level]
    level – Maintenance level. (Range: 0-7)
    Default Setting: None
    Command Mode: Privileged Exec
    Example:
    This example shows all configured maintenance domains.
    Console#show ethernet cfm md
    MD Index MD Name...
  • Page 976: Show Ethernet Cfm Maintenance-Points Local

    show ethernet cfm maintenance-points local
    This command displays the maintenance points configured on this device.
    Syntax: show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]}
    mep –...
  • Page 977: Show Ethernet Cfm Maintenance-Points Local Detail Mep

    show ethernet cfm maintenance-points local detail mep
    This command displays detailed CFM information about a local MEP in the continuity check database.
    Syntax: show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id]
    domain-name –...
  • Page 978: Show Ethernet Cfm Maintenance-Points Remote Detail

    Table 139: show ethernet cfm maintenance-points local detail mep - display
    Field | Description
    MPID | MEP identifier
    MD Name | The maintenance domain for this entry.
    MA Name | Maintenance association to which this remote MEP belongs
    MA Name Format | The format of the Maintenance Association name, including primary VID, character string, unsigned Integer 16, or RFC 2865 VPN ID
    Level...
  • Page 979: Table 140: Show Ethernet Cfm Maintenance-Points Remote Detail - Display

    ma-name – Maintenance association name. (Range: 1-45 alphanumeric characters)
    Default Setting: None
    Command Mode: Privileged Exec
    Command Usage: Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.
  • Page 980: Ethernet Cfm Cc Ma Interval

    Table 140: show ethernet cfm maintenance-points remote detail - display
    Field | Description
    Port State | Port states include:
    Up – The port is functioning normally.
    Blocked – The port has been blocked by the Spanning Tree Protocol.
    No port state –...
  • Page 981: Ethernet Cfm Cc Enable

    configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
    ◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and for those whose MEPs are issuing CCMs at a high frequency.
  • Page 982: Snmp-Server Enable Traps Ethernet Cfm Cc

    ◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
  • Page 983: Mep Archive-Hold-Time

    Example:
    This example enables SNMP traps for mep-up events.
    Console(config)#snmp-server enable traps ethernet cfm cc mep-up
    Console(config)#
    Related Commands: ethernet cfm mep crosscheck (988)
    mep archive-hold-time
    This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged.
  • Page 984: Clear Ethernet Cfm Errors

    Default Setting: None
    Command Mode: Privileged Exec
    Command Usage: Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
  • Page 985: Show Ethernet Cfm Errors

    show ethernet cfm errors
    This command displays the CFM continuity check errors logged on this device.
    Syntax: show ethernet cfm errors [domain domain-name | level level-id]
    domain-name – Domain name. (Range: 1-43 alphanumeric characters)
    level-id – Authorized maintenance level for this domain. (Range: 0-7)
    Default Setting...
  • Page 986: Ethernet Cfm Mep Crosscheck Start-Delay

    ethernet cfm mep crosscheck start-delay
    This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.
    Syntax: ethernet cfm mep crosscheck start-delay delay
    delay –...
  • Page 987: Mep Crosscheck Mpid

    Default Setting: All continuity checks are enabled.
    Command Mode: Global Configuration
    Command Usage:
    ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
    ◆ A mep-missing trap is sent if cross-checking is enabled (with the ethernet cfm mep crosscheck command), and no CCM is received for a...
  • Page 988: Ethernet Cfm Mep Crosscheck

    Command Usage:
    ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
  • Page 989: Show Ethernet Cfm Maintenance-Points Remote Crosscheck

    ◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.
    Example:
    This example enables cross-checking within the specified maintenance association.
    Console#ethernet cfm mep crosscheck enable md voip ma rd
    Console#
    This command displays information about remote MEPs statically show ethernet cfm...
  • Page 990: Ethernet Cfm Linktrace Cache Hold-Time

    Command Mode: Global Configuration
    Command Usage:
    ◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
  • Page 991: Ethernet Cfm Linktrace Cache Size

    Example:
    This example sets the aging time for entries in the link trace cache to 60 minutes.
    Console(config)#ethernet cfm linktrace cache hold-time 60
    Console(config)#
    ethernet cfm linktrace cache size
    This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
  • Page 992: Ethernet Cfm Linktrace

    ethernet cfm linktrace
    This command sends CFM link trace messages to the MAC address of a remote MEP.
    Syntax: ethernet cfm linktrace {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [ttl number]
    destination-mpid –...
  • Page 993: Clear Ethernet Cfm Linktrace-Cache

    Example:
    This example sends a link trace message to the specified MEP with a maximum hop count of 25.
    Console#linktrace ethernet dest-mep 2 md voip ma rd ttl 25
    Console#
    clear ethernet cfm linktrace-cache
    This command clears link trace messages logged on this device.
    Command...
  • Page 994: Ethernet Cfm Loopback

    Table 142: show ethernet cfm linktrace-cache - display description
    Field | Description
    Ing. Action | Action taken on the ingress port:
    IngOk – The target data frame passed through to the MAC Relay Entity.
    IngDown – The bridge port’s MAC_Operational parameter is false. This value could be returned, for example, by an operationally Down MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port’s MAC_Operational...
  • Page 995: Mep Fault-Notify Lowest-Priority

    packet-size – The size of the loopback message. (Range: 64-1518 bytes)
    Default Setting:
    Loop back count: One loopback message is sent.
    Loop back size: 64 bytes
    Command Mode: Privileged Exec
    Command Usage:
    ◆ Use this command to test the connectivity between maintenance...
  • Page 996: Table 143: Remote Mep Priority Levels

    Command Mode: CFM Domain Configuration
    Command Usage:
    ◆ A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that a configured time period (see the mep fault-notify alarm-time command) has passed with one or more defects indicated, and fault alarms are enabled at or above the priority level set by this command.
  • Page 997: Mep Fault-Notify Alarm-Time

    Example:
    This example sets the lowest priority defect that will generate a fault alarm.
    Console(config)#ethernet cfm domain index 1 name voip level 3
    Console(config-ether-cfm)#mep fault-notify lowest-priority 1
    Console(config-ether-cfm)#
    mep fault-notify alarm-time
    This command sets the time a defect must exist before a fault alarm is issued.
  • Page 998: Mep Fault-Notify Reset-Time

    mep fault-notify reset-time
    This command configures the time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued. Use the no form to restore the default setting.
    Syntax: mep fault-notify reset-time reset-time
    no fault-notify reset-time
    reset-time –...
  • Page 999: Ethernet Cfm Delay-Measure Two-Way

    Table 145: show fault-notify-generator - display description
    Field | Description
    MD Name | The maintenance domain for this entry.
    MA Name | The maintenance association for this entry.
    Hihest Defect | The highest defect that will generate a fault alarm. (This is disabled by default.)
    Lowest Alarm | The lowest defect that will generate a fault alarm (see the...
  • Page 1000

    Size: 64 bytes
    Timeout: 5 seconds
    Command Mode: Privileged Exec
    Command Usage:
    ◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
    ◆ A local MEP must be configured for the same MA before you can use...
  • Page 1001: OAM Commands

    OAM Commands
    The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
  • Page 1002: Efm Oam

    Chapter | OAM Commands
    efm oam
    This command enables OAM functions on the specified port. Use the no form to disable this function.
    Syntax: [no] efm oam
    Default Setting: Disabled
    Command Mode: Interface Configuration
    Command Usage:
    ◆ If the remote device also supports OAM, both exchange Information...
