Digisol DG-FS4526E Management Manual

Mustang 4000 switch series
MUSTANG 4000 SWITCH SERIES
DG-FS4526E

MANAGEMENT GUIDE

V1.0
2012-04-12
As our products undergo continuous development the specifications are subject to change without prior notice

Summary of Contents for Digisol DG-FS4526E

  • Page 1: Management Guide

    MUSTANG 4000 SWITCH SERIES DG-FS4526E MANAGEMENT GUIDE V1.0 2012-04-12 As our products undergo continuous development the specifications are subject to change without prior notice...
  • Page 2 MANAGEMENT GUIDE DG-FS4526E ENHANCED ETHERNET SWITCH Layer 2 Switch with 24 10/100BASE-TX (RJ-45) Ports, and 2 Gigabit Combination Ports (RJ-45/SFP) DG-FS4526E E032011/ST-R01 149100000142A...
  • Page 3: About This Guide

    ABOUT THIS GUIDE. PURPOSE: This guide gives specific information on how to operate and use the management functions of the switch. AUDIENCE: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 4 ABOUT THIS GUIDE – 4 –...
  • Page 5: Table Of Contents

    CONTENTS: ABOUT THIS GUIDE; CONTENTS; FIGURES; TABLES; SECTION I GETTING STARTED; INTRODUCTION: Key Features, Description of Software Features, System Defaults; INITIAL SWITCH CONFIGURATION: Connecting to the Switch, Configuration Options, Required Connections, Remote Connections, Basic Configuration, Console Connection, Setting Passwords, Setting an IP Address, Downloading a Configuration File Referenced by a DHCP Server, Enabling SNMP Management Access, Managing System Files...
  • Page 6 CONTENTS: Home Page, Configuration Options, Panel Display, Main Menu; BASIC MANAGEMENT TASKS: Displaying System Information, Displaying Hardware/Software Versions, Configuring Support for Jumbo Frames, Displaying Bridge Extension Capabilities, Managing System Files, Copying Files via FTP/TFTP or HTTP, Saving the Running Configuration to a Local File, Setting the Start-Up File, Showing System Files, Automatic Operation Code Upgrade...
  • Page 7 CONTENTS: Configuring a Dynamic Trunk, Displaying LACP Port Counters, Displaying LACP Settings and Status for the Local Side, Displaying LACP Settings and Status for the Remote Side, Saving Power, Traffic Segmentation, Enabling Traffic Segmentation, Configuring Uplink and Downlink Ports, VLAN Trunking; 6 VLAN CONFIGURATION: IEEE 802.1Q VLANs...
  • Page 8 CONTENTS: Configuring Multiple Spanning Trees, Configuring Interface Settings for MSTP; RATE LIMIT CONFIGURATION; 10 STORM CONTROL CONFIGURATION; 11 CLASS OF SERVICE: Layer 2 Queue Settings, Setting the Default Priority for Interfaces, Selecting the Queue Mode, Mapping CoS Values to Egress Queues, Layer 3/4 Priority Settings, Mapping Layer 3/4 Priorities to CoS Values, Setting Priority Processing to DSCP or CoS...
  • Page 9 CONTENTS: Configuring Network Access for Ports, Configuring Port Link Detection, Configuring a MAC Address Filter, Displaying Secure MAC Address Information, Configuring HTTPS, Configuring Global Settings for HTTPS, Replacing the Default Secure-site Certificate, Configuring the Secure Shell, Configuring the SSH Server, Generating the Host Key Pair, Importing User Public Keys, Access Control Lists...
  • Page 10 CONTENTS: Configuring Ports for IP Source Guard, Configuring Static Bindings for IP Source Guard, Displaying Information for Dynamic IP Source Guard Bindings, DHCP Snooping, DHCP Snooping Configuration, DHCP Snooping VLAN Configuration, Configuring Ports for DHCP Snooping, Displaying DHCP Snooping Binding Information; 15 BASIC ADMINISTRATION...
  • Page 11 CONTENTS: Cluster Member Configuration, Managing Cluster Members, Ethernet Ring Protection Switching, ERPS Configuration, ERPS Ring Configuration, Connectivity Fault Management, Configuring Global Settings for CFM, Configuring Interfaces for CFM, Configuring CFM Maintenance Domains, Configuring CFM Maintenance Associations, Configuring Maintenance End Points, Configuring Remote Maintenance End Points, Transmitting Link Trace Messages, Transmitting Loop Back Messages...
  • Page 12 CONTENTS: Configuring the IPv4 Default Gateway, Configuring IPv4 Interface Settings, Setting the Switch’s IP Address (IP Version 6), Configuring the IPv6 Default Gateway, Configuring IPv6 Interface Settings, Configuring an IPv6 Address, Showing IPv6 Addresses, Showing the IPv6 Neighbor Cache, Showing IPv6 Statistics, Showing the MTU for Responding Destinations; 17 IP SERVICES...
  • Page 13 CONTENTS: SECTION III COMMAND LINE INTERFACE; 19 USING THE COMMAND LINE INTERFACE: Accessing the CLI, Console Connection, Telnet Connection, Entering Commands, Keywords and Arguments, Minimum Abbreviation, Command Completion, Getting Help on Commands, Partial Keyword Lookup, Negating the Effect of Commands, Using Command History, Understanding Command Modes, Exec Commands, Configuration Commands...
  • Page 14 CONTENTS: banner configure company, banner configure dc-power-info, banner configure department, banner configure equipment-info, banner configure equipment-location, banner configure ip-lan, banner configure lp-number, banner configure manager-info, banner configure mux, banner configure note, show banner; System Status: show access-list tcam-utilization, show memory, show process cpu, show running-config, show startup-config...
  • Page 15 CONTENTS: parity, password, password-thresh, silent-time, speed, stopbits, timeout login response, disconnect, show line; Event Logging: logging facility, logging history, logging host, logging on, logging trap, clear log, show log, show logging; SMTP Alerts: logging sendmail, logging sendmail host, logging sendmail level, logging sendmail destination-email, logging sendmail source-email, show logging sendmail...
  • Page 16 CONTENTS: periodic, show time-range; Switch Clustering: cluster, cluster commander, cluster ip-pool, cluster member, rcommand, show cluster, show cluster members, show cluster candidates; 22 SNMP COMMANDS: snmp-server, snmp-server community, snmp-server contact, snmp-server location, show snmp, snmp-server enable traps, snmp-server host, snmp-server engine-id, snmp-server group, snmp-server user...
  • Page 17 CONTENTS: show rmon alarms, show rmon events, show rmon history, show rmon statistics; 24 AUTHENTICATION COMMANDS: User Accounts: enable password, username; Authentication Sequence: authentication enable, authentication login; RADIUS Client: radius-server acct-port, radius-server auth-port, radius-server host, radius-server key, radius-server retransmit, radius-server timeout, show radius-server; TACACS+ Client...
  • Page 18 CONTENTS: Web Server: ip http port, ip http server, ip http secure-server, ip http secure-port; Telnet Server: ip telnet max-sessions, ip telnet port, ip telnet server, show ip telnet; Secure Shell: ip ssh authentication-retries, ip ssh server, ip ssh server-key size, ip ssh timeout, delete public-key, ip ssh crypto host-key generate...
  • Page 19 CONTENTS: dot1x identity profile, dot1x max-start, dot1x pae supplicant, dot1x timeout auth-period, dot1x timeout held-period, dot1x timeout start-period, show dot1x; Management IP Filter: management, show management; 25 GENERAL SECURITY MEASURES: Port Security: port security; Network Access (MAC Address Authentication): network-access aging, network-access mac-filter, mac-authentication reauth-time...
  • Page 20 CONTENTS: web-auth session-timeout, web-auth system-auth-control, web-auth, web-auth re-authenticate (Port), web-auth re-authenticate (IP), show web-auth, show web-auth interface, show web-auth summary; DHCP Snooping: ip dhcp snooping, ip dhcp snooping database flash, ip dhcp snooping information option, ip dhcp snooping information policy, ip dhcp snooping verify mac-address, ip dhcp snooping vlan, ip dhcp snooping trust...
  • Page 21 CONTENTS: show ip arp inspection statistics, show ip arp inspection vlan; 26 ACCESS CONTROL LISTS: IPv4 ACLs: access-list ip, permit, deny (Standard IP ACL), permit, deny (Extended IPv4 ACL), ip access-group, show ip access-group, show ip access-list; IPv6 ACLs: access-list ipv6, permit, deny (Standard IPv6 ACL), permit, deny (Extended IPv6 ACL)
  • Page 22 CONTENTS: media-type, negotiation, shutdown, speed-duplex, switchport packet-rate, clear counters, show interfaces brief, show interfaces counters, show interfaces status, show interfaces switchport, show interfaces transceiver, test cable-diagnostics, show cable-diagnostics, power-save, show power-save; 28 LINK AGGREGATION COMMANDS: port channel load-balance, channel-group, lacp, lacp admin-key (Ethernet Interface), lacp port-priority, lacp system-priority...
  • Page 23 CONTENTS: 31 AUTOMATIC TRAFFIC CONTROL COMMANDS: auto-traffic-control apply-timer, auto-traffic-control release-timer, auto-traffic-control, auto-traffic-control action, auto-traffic-control alarm-clear-threshold, auto-traffic-control alarm-fire-threshold, auto-traffic-control auto-control-release, auto-traffic-control control-release, snmp-server enable port-traps atc broadcast-alarm-clear, snmp-server enable port-traps atc broadcast-alarm-fire, snmp-server enable port-traps atc broadcast-control-apply, snmp-server enable port-traps atc broadcast-control-release, snmp-server enable port-traps atc multicast-alarm-clear, snmp-server enable port-traps atc multicast-alarm-fire, snmp-server enable port-traps atc multicast-control-apply...
  • Page 24 CONTENTS: spanning-tree system-bpdu-flooding, spanning-tree transmission-limit, max-hops, mst priority, mst vlan, name, revision, spanning-tree bpdu-filter, spanning-tree bpdu-guard, spanning-tree cost, spanning-tree edge-port, spanning-tree link-type, spanning-tree loopback-detection, spanning-tree loopback-detection release-mode, spanning-tree loopback-detection trap, spanning-tree mst cost, spanning-tree mst port-priority, spanning-tree port-bpdu-flooding, spanning-tree port-priority, spanning-tree root-guard, spanning-tree spanning-disabled, spanning-tree loopback-detection release...
  • Page 25 CONTENTS: wtr-timer, show erps; 35 VLAN COMMANDS: GVRP and Bridge Extension Commands: bridge-ext gvrp, garp timer, switchport forbidden vlan, switchport gvrp, show bridge-ext, show garp timer, show gvrp configuration; Editing VLAN Groups: vlan database, vlan; Configuring VLAN Interfaces: interface vlan, switchport acceptable-frame-types, switchport allowed vlan, switchport ingress-filtering...
  • Page 26 CONTENTS: show traffic-segmentation; Configuring Protocol-based VLANs: protocol-vlan protocol-group (Configuring Groups), protocol-vlan protocol-group (Configuring Interfaces), show protocol-vlan protocol-group, show interfaces protocol-vlan protocol-group; Configuring IP Subnet VLANs: subnet-vlan, show subnet-vlan; Configuring MAC Based VLANs: mac-vlan, show mac-vlan; Configuring Voice VLANs: voice vlan, voice vlan aging, voice vlan mac-address, switchport voice vlan...
  • Page 27 CONTENTS: show qos map trust-mode; 37 QUALITY OF SERVICE COMMANDS: class-map, description, match, rename, policy-map, class, police flow, police srtcm-color, police trtcm-color, set cos, set ip dscp, set phb, service-policy, show class-map, show policy-map, show policy-map interface; 38 MULTICAST FILTERING COMMANDS...
  • Page 28 CONTENTS: ip igmp snooping vlan mrd, ip igmp snooping vlan proxy-address, ip igmp snooping vlan proxy-query-interval, ip igmp snooping vlan proxy-query-resp-intvl, ip igmp snooping vlan static, show ip igmp snooping, show ip igmp snooping group; Static Multicast Routing: ip igmp snooping vlan mrouter, show ip igmp snooping mrouter; IGMP Filtering and Throttling: ip igmp filter (Global Configuration)
  • Page 29 CONTENTS: lldp refresh-interval 1003, lldp reinit-delay 1003, lldp tx-delay 1004, lldp admin-status 1005, lldp basic-tlv management-ip-address 1005, lldp basic-tlv port-description 1006, lldp basic-tlv system-capabilities 1007, lldp basic-tlv system-description 1007, lldp basic-tlv system-name 1008, lldp dot1-tlv proto-ident 1008, lldp dot1-tlv proto-vid 1009, lldp dot1-tlv pvid 1009...
  • Page 30 CONTENTS: ethernet cfm mep 1034, ethernet cfm port-enable 1035, clear ethernet cfm ais mpid 1035, show ethernet cfm configuration 1036, show ethernet cfm md 1038, show ethernet cfm ma 1038, show ethernet cfm maintenance-points local 1039, show ethernet cfm maintenance-points local detail mep 1040, show ethernet cfm maintenance-points remote detail 1041...
  • Page 31 CONTENTS: efm oam link-monitor frame 1067, efm oam link-monitor frame threshold 1067, efm oam link-monitor frame window 1068, efm oam mode 1069, clear efm oam counters 1069, efm oam remote-loopback 1070, efm oam remote-loopback test 1071, show efm oam counters interface 1072, show efm oam event-log interface 1072...
  • Page 32 CONTENTS: show ip default-gateway 1094, show ip interface 1094, traceroute 1095, ping 1096; ARP Configuration 1097: arp timeout 1097, clear arp-cache 1098, show arp 1098; IPv6 Interface 1099: ipv6 default-gateway 1100, ipv6 address 1101, ipv6 address autoconfig 1102, ipv6 address eui-64 1103, ipv6 address link-local 1105...
  • Page 33 CONTENTS: Problems Accessing the Management Interface 1131, Using System Logs 1132; LICENSE INFORMATION 1133: The GNU General Public License 1133; GLOSSARY 1137; COMMAND LIST 1145; INDEX 1153 – 33 –...
  • Page 34 CONTENTS – 34 –...
  • Page 35: Figures

    FIGURES Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 36 FIGURES Figure 32: Configuring Remote Port Mirroring (Intermediate) Figure 33: Configuring Remote Port Mirroring (Destination) Figure 34: Showing Port Statistics (Table) Figure 35: Showing Port Statistics (Chart) Figure 36: Performing Cable Tests Figure 37: Configuring Static Trunks Figure 38: Creating Static Trunks Figure 39: Adding Static Trunks Members Figure 40: Configuring Connection Parameters for a Static Trunk Figure 41: Showing Information for Static Trunks...
  • Page 37 FIGURES Figure 68: Showing Dynamic VLANs Registered on the Switch Figure 69: Showing the Members of a Dynamic VLAN Figure 70: QinQ Operational Concept Figure 71: Enabling QinQ Tunneling Figure 72: Adding an Interface to a QinQ Tunnel Figure 73: Configuring Protocol VLANs Figure 74: Displaying Protocol VLANs Figure 75: Assigning Interfaces to Protocol VLANs Figure 76: Showing the Interface to Protocol Group Mapping...
  • Page 38 FIGURES Figure 104: Displaying Global Settings for an MST Instance Figure 105: Adding a VLAN to an MST Instance Figure 106: Displaying Members of an MST Instance Figure 107: Configuring MSTP Interface Settings Figure 108: Displaying MSTP Interface Settings Figure 109: Configuring Rate Limits Figure 110: Configuring Storm Control Figure 111: Setting the Default Port Priority Figure 112: Setting the Queue Mode (Strict)
  • Page 39 FIGURES Figure 140: Showing AAA Server Groups Figure 141: Configuring Global Settings for AAA Accounting Figure 142: Configuring AAA Accounting Methods Figure 143: Showing AAA Accounting Methods Figure 144: Configuring AAA Accounting Service for 802.1X Service Figure 145: Configuring AAA Accounting Service for Exec Service Figure 146: Displaying a Summary of Applied AAA Accounting Methods Figure 147: Displaying Statistics for AAA Accounting Sessions Figure 148: Configuring AAA Authorization Methods...
  • Page 40 FIGURES Figure 176: Configuring a Standard IPv4 ACL Figure 177: Configuring an Extended IPv4 ACL Figure 178: Configuring a Standard IPv6 ACL Figure 179: Configuring an Extended IPv6 ACL Figure 180: Configuring a MAC ACL Figure 181: Configuring an ARP ACL Figure 182: Binding a Port to an ACL Figure 183: Configuring Global Settings for ARP Inspection Figure 184: Configuring VLAN Settings for ARP Inspection...
  • Page 41 FIGURES Figure 212: Displaying Local Device Information for LLDP (Port) Figure 213: Displaying Remote Device Information for LLDP (Port) Figure 214: Displaying Remote Device Information for LLDP (Port Details) Figure 215: Displaying LLDP Device Statistics (General) Figure 216: Displaying LLDP Device Statistics (Port) Figure 217: Configuring Global Settings for SNMP Figure 218: Configuring the Local Engine ID for SNMP Figure 219: Configuring a Remote Engine ID for SNMP...
  • Page 42 FIGURES Figure 248: Configuring Cluster Members Figure 249: Showing Cluster Members Figure 250: Showing Cluster Candidates Figure 251: Managing a Cluster Member Figure 252: ERPS Ring Components Figure 253: Setting ERPS Global Status Figure 254: Creating an ERPS Ring Figure 255: Creating an ERPS Ring Figure 256: Showing Configured ERPS Rings Figure 257: Single CFM Maintenance Domain...
  • Page 43 FIGURES Figure 284: Displaying the OAM Event Log Figure 285: Displaying Status of Remote Interfaces Figure 286: Running a Remote Loop Back Test Figure 287: Displaying the Results of Remote Loop Back Testing Figure 288: Pinging a Network Device Figure 289: Setting the ARP Timeout Figure 290: Displaying ARP Entries Figure 291: Configuring the IPv4 Default Gateway Figure 292: Configuring a Static IPv4 Address...
  • Page 44 FIGURES Figure 320: Configuring IGMP Snooping on a VLAN Figure 321: Showing Interface Settings for IGMP Snooping Figure 322: Showing Multicast Groups Learned by IGMP Snooping Figure 323: Enabling IGMP Filtering and Throttling Figure 324: Creating an IGMP Filtering Profile Figure 325: Showing the IGMP Filtering Profiles Created Figure 326: Adding Multicast Groups to an IGMP Filtering Profile Figure 327: Showing the Groups Assigned to an IGMP Filtering Profile...
  • Page 45: Tables

    TABLES Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Internal Configuration Information Table 11: Traffic Segmentation Forwarding...
  • Page 46 TABLES Table 32: MEP Defect Descriptions Table 33: OAM Operation State Table 34: OAM Operation State Table 35: Address Resolution Protocol Table 36: Show IPv6 Neighbors - display description Table 37: Show IPv6 Statistics - display description Table 38: Show MTU - display description Table 39: General Command Modes Table 40: Configuration Command Modes Table 41: Keystroke Commands...
  • Page 47 TABLES Table 68: Default Login Settings Table 69: Authentication Sequence Commands Table 70: RADIUS Client Commands Table 71: TACACS+ Client Commands Table 72: AAA Commands Table 73: Web Server Commands Table 74: HTTPS System Support Table 75: Telnet Server Commands Table 76: Secure Shell Commands Table 77: show ssh - display description Table 78: 802.1X Port Authentication Commands...
  • Page 48 TABLES Table 104: Rate Limit Commands Table 105: ATC Commands Table 106: Address Table Commands Table 107: Spanning Tree Commands Table 108: Recommended STA Path Cost Range Table 109: Default STA Path Costs Table 110: ERPS Commands Table 111: show erps - summary display description Table 112: show erps domain - detailed display description Table 113: VLAN Commands Table 114: GVRP and Bridge Extension Commands...
  • Page 49 TABLES Table 140: LLDP Commands Table 141: LLDP MED Location CA Types 1012 Table 142: CFM Commands 1023 Table 143: show ethernet cfm configuration traps - display description 1037 Table 144: show ethernet cfm maintenance-points local detail mep - display 1041 Table 145: show ethernet cfm maintenance-points remote detail - display 1042...
  • Page 50 TABLES – 50 –...
  • Page 51: Section I

    SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: "Introduction" on page 53 "Initial Switch Configuration"...
  • Page 52 | Getting Started SECTION I – 52 –...
  • Page 53: Key Features

    INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 54: Description Of Software Features

    CHAPTER | Introduction, Description of Software Features. Table 1: Key Features (Continued). Feature / Description: Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames. Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP). Virtual LANs: Up to 4093 using IEEE 802.1Q, port-based, protocol-based, voice VLANs, and QinQ tunnel...
  • Page 55 CHAPTER | Introduction, Description of Software Features. 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).
  • Page 56 CHAPTER | Introduction, Description of Software Features. STORM CONTROL: Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
  • Page 57 CHAPTER | Introduction, Description of Software Features. 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
  • Page 58 CHAPTER | Introduction, Description of Software Features. frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network. TRAFFIC PRIORITIZATION: This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing.
  • Page 59: System Defaults

    CHAPTER | Introduction, System Defaults. information used by SNMP applications to simplify troubleshooting, enhance network management, and maintain an accurate network topology. ETHERNET RING PROTECTION: ERPS can also be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN). ERPS technology converges in a little over 50 ms.
  • Page 60 CHAPTER | Introduction, System Defaults. Table 2: System Defaults (Continued). Function / Parameter / Default: Web Management: HTTP Server: Enabled; HTTP Port Number; HTTP Secure Server: Enabled; HTTP Secure Server Port. SNMP: SNMP Agent: Enabled; Community Strings: “public” (read only), “private” (read/write); Traps: Authentication traps: enabled, Link-up-down events: enabled...
  • Page 61 CHAPTER | Introduction, System Defaults. Table 2: System Defaults (Continued). Function / Parameter / Default: Traffic Prioritization: Ingress Port Priority; Queue Mode; Queue Weight: Queue 0, 1, 2, 3 / Weight 1, 2, 4, 6; Class of Service: Enabled; IP Precedence Priority: Disabled; IP DSCP Priority: Disabled. IP Settings...
  • Page 62 CHAPTER | Introduction, System Defaults – 62 –...
  • Page 63: Initial Switch Configuration

    INITIAL SWITCH CONFIGURATION This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 64: Required Connections

    CHAPTER | Initial Switch Configuration, Connecting to the Switch. Control port access through IEEE 802.1X security or static address filtering; Filter packets using Access Control Lists (ACLs); Configure up to 256 IEEE 802.1Q VLANs; Enable GVRP automatic VLAN registration; Configure IGMP multicast filtering; Upload and download system firmware or configuration files via HTTP (using the web interface) or FTP/TFTP (using the command line or web interface)
  • Page 65: Remote Connections

    CHAPTER | Initial Switch Configuration, Connecting to the Switch. Set flow control to none. Set the emulation mode to VT100. When using HyperTerminal, select Terminal keys, not Windows keys. Once you have set up the terminal correctly, the console login screen will be displayed.
  • Page 66: Basic Configuration

    CHAPTER | Initial Switch Configuration, Basic Configuration. BASIC CONFIGURATION, CONSOLE CONNECTION: The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
  • Page 67: Setting An Ip Address

    CHAPTER | Initial Switch Configuration, Basic Configuration. Username: admin Password: CLI session with the DG-FS4526E is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)# SETTING AN IP ADDRESS: You must establish IP address information for the switch to obtain management access through the network.
  • Page 68 CHAPTER | Initial Switch Configuration, Basic Configuration. To assign an IPv4 address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask”...
  • Page 69 CHAPTER | Initial Switch Configuration, Basic Configuration. Console(config)#interface vlan 1 Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local Console(config-if)#ipv6 enable Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is enabled. Link-local address: FE80::260:3EFF:FE11:6700/64 Global unicast address(es): (None) Joined group address(es): FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
  • Page 70 CHAPTER | Initial Switch Configuration, Basic Configuration. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ipv6 address 2001:DB8:2222:7272::/64 Console(config-if)#exit...
  • Page 71 CHAPTER | Initial Switch Configuration, Basic Configuration. At the interface-configuration mode prompt, use one of the following commands: To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>. To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
  • Page 72 CHAPTER | Initial Switch Configuration, Basic Configuration. Console#show ipv6 interface VLAN 1 is up IPv6 is enabled. Link-local address: FE80::260:3EFF:FE11:6700/64 Global unicast address(es): 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 Joined group address(es): FF02::1:FF00:0 FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds Console# Address for Multi-segment Network —...
  • Page 73: Downloading A Configuration File Referenced By A DHCP Server

    CHAPTER | Initial Switch Configuration, Basic Configuration. DOWNLOADING A CONFIGURATION FILE REFERENCED BY A DHCP SERVER: Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration...
  • Page 74: Table 4: Options 55 And 124 Statements

    192.168.255.160 192.168.255.200; option routers 192.168.255.101; option tftp-server-name "192.168.255.100";#Default Option 66 option bootfile-name "bootfile"; #Default Option 67 class "Option66,67_1" { #DHCP Option 60 Vendor class match if option vendor-class-identifier = "dg-fs4526e.bix"; #option 43 option vendor-class-information code encapsulate dynamicProvision; #option 66 encapsulated in option 43 option vendor-class-information.tftp-server-name "192.168.255.100";...
  • Page 75: Enabling Snmp Management Access

    CHAPTER | Initial Switch Configuration, Basic Configuration. “dg-fs4526e.bix” vendor-class-identifier in the dhcpd.conf file. ENABLING SNMP MANAGEMENT ACCESS: The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications. You can configure the switch to respond to SNMP requests or generate SNMP traps.
  • Page 76 CHAPTER | Initial Switch Configuration, Basic Configuration. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>. Console(config)#snmp-server community admin rw Console(config)#snmp-server community private Console(config)# If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings.
  • Page 77: Managing System Files

    CHAPTER | Initial Switch Configuration, Managing System Files. uses authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included Console(config)#snmp-server group r&d v3 auth mib-2 802.1d Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien Console(config)# For a more detailed explanation on how to configure the switch for access...
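As an added example (not from the guide or from Digisol), the following Python script audits the SNMP lines of a saved running-config for the weaknesses pages 75 through 77 warn about: the factory-default "public"/"private" community strings still present, read/write SNMPv1/v2c communities, and SNMPv3 users configured without authentication or privacy. The two config texts are constructed, and MIN_COMMUNITY_LEN and the treatment of an omitted access mode as read-only are this script's own assumptions, not values from the guide.

```python
import re
from dataclasses import dataclass

# Factory defaults from Table 2 of the guide: "public" (read only) and
# "private" (read/write). Page 76 recommends deleting both.
DEFAULT_COMMUNITIES = {"public": "ro", "private": "rw"}
MIN_COMMUNITY_LEN = 8  # assumption: our own audit threshold, not a guide value

# "snmp-server community <string> [ro|rw]" as shown on page 76.
COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)(?:\s+(ro|rw))?\s*$")
# "snmp-server user <name> group <group> v3 [auth <alg> <pw> [priv <alg> <pw>]]"
# in the form shown on page 77.
V3_USER_RE = re.compile(
    r"^\s*snmp-server user (?P<user>\S+) group (?P<group>\S+) v3"
    r"(?:\s+auth (?P<auth>\S+) \S+(?:\s+priv (?P<priv>\S+) \S+)?)?\s*$"
)


@dataclass(frozen=True)
class Finding:
    severity: str  # high, medium, low or info
    subject: str   # community string or v3 user name ("-" for a global finding)
    reason: str


def parse_communities(config_text):
    """Map each configured community string to its access mode ('ro'/'rw').

    Assumption: a line with no ro/rw keyword (like the guide's
    'snmp-server community private' example) is treated as read-only.
    """
    found = {}
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2) or "ro"
    return found


def parse_v3_users(config_text):
    """Map each SNMPv3 user to its group and auth/priv algorithms (None if absent)."""
    users = {}
    for line in config_text.splitlines():
        m = V3_USER_RE.match(line)
        if m:
            users[m.group("user")] = {
                "group": m.group("group"),
                "auth": m.group("auth"),
                "priv": m.group("priv"),
            }
    return users


def audit_snmp(config_text):
    """Return the list of findings for the SNMP part of a running-config."""
    findings = []
    communities = parse_communities(config_text)
    for name, mode in communities.items():
        if name in DEFAULT_COMMUNITIES:
            findings.append(Finding(
                "high", name,
                f"factory-default community still enabled ({mode}); "
                f"remove it with 'no snmp-server community {name}'"))
        elif mode == "rw":
            findings.append(Finding(
                "medium", name,
                "read/write access over SNMPv1/v2c is protected only by the "
                "community string; prefer an SNMPv3 user with auth and priv"))
        if len(name) < MIN_COMMUNITY_LEN:
            findings.append(Finding(
                "low", name, f"community shorter than {MIN_COMMUNITY_LEN} characters"))

    users = parse_v3_users(config_text)
    for user, info in users.items():
        if info["auth"] is None:
            findings.append(Finding("medium", user, "SNMPv3 user without authentication"))
        elif info["priv"] is None:
            findings.append(Finding("medium", user, "SNMPv3 user without privacy (encryption)"))

    if communities and not any(u["priv"] for u in users.values()):
        findings.append(Finding(
            "info", "-", "no SNMPv3 authPriv user configured; v1/v2c is the only SNMP path"))
    return findings


# Constructed sample: default "public" still present, a read/write community,
# and one v3 user configured with authentication but no privacy.
SAMPLE_CONFIG = """\
!
snmp-server community public ro
snmp-server community admin rw
snmp-server view mib-2 1.3.6.1.2.1 included
snmp-server group r&d v3 auth mib-2 802.1d
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
snmp-server user bob group r&d v3 auth sha s3cr3tpass
!
"""

# Constructed sample after hardening: defaults removed, one long read-only
# community kept for legacy monitoring, and an authPriv v3 user.
HARDENED_CONFIG = """\
snmp-server community NetOpsMonitor-2012 ro
snmp-server group r&d v3 auth mib-2 802.1d
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
"""

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_snmp(cfg) or [Finding("info", "-", "no findings")]:
            print(f"[{f.severity}] {f.subject}: {f.reason}")
```

Feed it the output of "show running-config" (page 14 lists the command) saved to a file; only the snmp-server lines are inspected.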
  • Page 78: Saving Or Restoring Configuration Settings

    CHAPTER | Initial Switch Configuration, Managing System Files. In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded. Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings.
  • Page 79 CHAPTER | Initial Switch Configuration, Managing System Files. Enter the address of the TFTP server. Press <Enter>. Enter the name of the startup file stored on the server. Press <Enter>. Enter the name for the startup file on the switch. Press <Enter>. Console#copy file startup-config Console#copy tftp startup-config TFTP server IP address: 192.168.0.4...
  • Page 80 CHAPTER | Initial Switch Configuration, Managing System Files – 80 –...
  • Page 81: Section II

    SECTION II WEB CONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 83 "Basic Management Tasks" on page 101 "Interface Configuration"...
  • Page 82 | Web Configuration SECTION II – 82 –...
  • Page 83: Using The Web Interface

    USING THE WEB INTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 84: Navigating The Web Browser Interface

    System Information on the right side. The Main Menu links are used to navigate to other menus, and to display configuration parameters and statistics. Figure 1: Home Page. You can open a connection to the manufacturer’s web site by clicking on the DIGISOL logo.
  • Page 85: Configuration Options

    Configuration Options. Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 86: Main Menu

    Main Menu. Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available. Table 6: Switch Main Menu (columns: Menu, Description, Page)...
  • Page 87 (Table 6, continued): Mirror – Sets the source and target ports for mirroring. Show – Shows the configured mirror sessions. Statistics – Shows Interface, Etherlike, and RMON port statistics. Chart – Shows Interface, Etherlike, and RMON port statistics. Cable Test...
  • Page 88 (Table 6, continued): Green Ethernet – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. RSPAN – Mirrors traffic from remote switches for analysis at a destination port on the local switch...
  • Page 89 (Table 6, continued): MAC-Based – Maps traffic with a specified source MAC address to a VLAN. Show – Shows source MAC address to VLAN mapping. Mirror – Mirrors traffic from one or more source VLANs to a target port. Show – Shows mirror list...
  • Page 90 (Table 6, continued): Traffic: Rate Limit – Sets the input and output rate limits for a port. Storm Control – Sets the broadcast storm threshold for each interface. Priority: Default Priority – Sets the default priority for each port or trunk...
  • Page 91 (Table 6, continued): Configure OUI – Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer. Show – Shows the OUI telephony list. Configure Interface – Configures VoIP traffic settings for ports, including the way in which a port is added to the Voice VLAN, filtering of non-VoIP packets, the...
  • Page 92 (Table 6, continued): Web Authentication – Allows authentication and access to the network when 802.1X or Network Access authentication are infeasible or impractical. Configure Global – Configures general protocol settings. Configure Interface – Enables Web Authentication for individual ports...
  • Page 93 (Table 6, continued): Adds an ACL based on IP or MAC address filtering. Show – Shows the name and type of configured ACLs. Add Rule – Configures packet filtering based on IP or MAC addresses and other packet attributes. Show Rule...
  • Page 94 (Table 6, continued): LLDP: Configure Global – Configures global LLDP timing parameters. Configure Interface – Sets the message transmission mode, enables SNMP notification, and sets the LLDP attributes to advertise. Show Local Device Information: General – Displays general information about the local device...
  • Page 95 (Table 6, continued): Configure Trap – Configures trap managers to receive messages on key events that occur on this switch. Show – Shows configured trap managers. RMON (Remote Monitoring): Configure Global...
  • Page 96 (Table 6, continued): Configure MD (Configure Maintenance Domains) – Defines a portion of the network for which connectivity faults can be managed, identified by an MD index, maintenance level, and the MIP creation method. Configure Details – Configures the archive hold time and fault notification settings...
  • Page 97 (Table 6, continued): Counters – Displays statistics on OAM PDUs. Event Log – Displays the log for recorded link events. Remote Interface – Displays information about attached OAM-enabled devices. Remote Loopback (Remote Loopback Test) – Performs a loopback test on the specified port...
  • Page 98 (Table 6, continued): Show – Shows the list of static mapping entries. Modify – Modifies the static address mapped to the selected host name. Cache – Displays cache entries discovered by designated name servers. DHCP...
  • Page 99 (Table 6, continued): Multicast VLAN Registration: Configure General – Globally enables MVR, sets the MVR VLAN and forwarding priority. Configure Group Range – Configures multicast stream addresses. Show – Shows multicast stream addresses. Configure Interface...
  • Page 101: Basic Management Tasks

    Basic Management Tasks. This chapter describes the following topics: Displaying System Information – Provides basic system description, including contact information. Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. Configuring Support for Jumbo Frames – Enables support for jumbo frames.
  • Page 102: Displaying Hardware/Software Versions

    Parameters: System Description – Brief description of device type. System Object ID – MIB II object ID for the switch’s network management subsystem. System Up Time – Length of time the management agent has been … System Name –...
  • Page 103 (Displaying Hardware/Software Versions): Parameters: Main Board Information: Serial Number – The serial number of the switch. Number of Ports – Number of built-in ports. Hardware Version – Hardware version of the main board. Internal Power Status –...
  • Page 104: Configuring Support For Jumbo Frames

    Use the System > Capability page to configure support for jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
  • Page 105: Displaying Bridge Extension Capabilities

    Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 106: Managing System Files

    Web Interface: To view Bridge Extension information, click System, then Capability. Figure 6: Displaying Bridge Extension Configuration. Managing System Files: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Use the System >...
  • Page 107 (Managing System Files): Parameters: Copy Type – The firmware copy operation includes these options: FTP Upgrade – Copies a file from the FTP server to the switch. FTP Download – Copies a file from the switch to an FTP server. TFTP Upgrade –...
  • Page 108: Saving The Running Configuration To A Local File

    If FTP Upgrade is used, enter the user name and password for your account on the FTP server. Set the file type to Operation Code. Enter the name of the file to download. Select a file on the switch to overwrite or specify a new file name.
  • Page 109: Setting The Start-Up File

    The maximum number of user-defined configuration files is limited only by available flash memory space. Web Interface: To save the running configuration file: Click System, then File. Select Copy from the Action list. Select Running-Config from the Copy Type list.
  • Page 110: Showing System Files

    Figure 9: Setting Start-Up Files. To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Showing System Files: Use the System > File (Show) page to show the files in the system directory, or to delete a file.
  • Page 111: Automatic Operation Code Upgrade

    […] NetBSD, OpenBSD, and most Linux distributions) are case-sensitive, meaning that two files in the same directory, dg-fs4526e.bix and DG-FS4526E.bix, are treated as distinct files. Thus, if the upgrade file is stored as DG-FS4526E.bix (or even Dg-fs4526e.bix) on a case-sensitive server, then the switch (requesting dg-fs4526e.bix)...
  • Page 112 (Automatic Operation Code Upgrade): Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The dg-fs4526e.bix file name must not be included, since it is automatically appended by the switch.
  • Page 113 (Managing System Files): The URL has the form ftp://[username[:password]@]host[/filedir]/ where: ftp:// – Selects the FTP protocol for the server connection. username – The user name for the FTP connection; if it is omitted, “anonymous” is used for the connection.
  • Page 114 (Managing System Files): ftp://switches:upgrade@192.168.0.1/switches/opcode/ – The user name is “switches” and the password is “upgrade”. The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the FTP root. Because the password is part of the URL and FTP sends it in the clear, use an account that can only read the upgrade directory. Web Interface: To configure automatic code upgrade: Click System, then File.
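The rules on pages 111 to 114 (ftp:// scheme, optional user name and password, mandatory trailing slash, file name never included, case-sensitive servers) are easy to get wrong when filling in the Automatic Upgrade Location URL. The following Python is an added example, not code from the Digisol guide: it checks a URL against those rules, shows the path the switch will request, and predicts whether a server directory will actually serve it. Assumed: the requested name is exactly dg-fs4526e.bix, "anonymous" is substituted when no user name is given, and the server directory listing and its case-sensitivity are supplied by the caller (constructed input in the example).

```python
"""Added example, not code from the Digisol guide: validate an Automatic Upgrade
Location URL of the form ftp://[username[:password]@]host[/filedir]/ and show
what the switch will request from the server.

Assumptions: the requested file is exactly dg-fs4526e.bix, "anonymous" is used
when no user name is given, and the server listing / case-sensitivity are
supplied by the caller.
"""
import re

UPGRADE_FILE = "dg-fs4526e.bix"   # appended by the switch; never part of the URL

_URL = re.compile(
    r"^ftp://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"   # [username[:password]@]
    r"(?P<host>[^/:@]+)"                                    # host
    r"(?P<path>/.*)?$"                                      # [/filedir]/
)


def parse_upgrade_url(url):
    """Return the URL's parts plus the path the switch will request, or raise
    ValueError with the reason the URL is unusable."""
    m = _URL.match(url)
    if not m:
        raise ValueError("not an ftp://[user[:password]@]host[/dir]/ URL")
    parts = m.groupdict()
    path = parts["path"] or "/"
    if not path.endswith("/"):
        raise ValueError("URL must end with '/'")
    if path.rstrip("/").lower().endswith(UPGRADE_FILE):
        raise ValueError("do not include the file name; the switch appends it")
    parts["user"] = parts["user"] or "anonymous"
    parts["path"] = path
    parts["request"] = path + UPGRADE_FILE
    # FTP carries the user name and password in the clear; flag URLs that embed one.
    parts["cleartext_password"] = parts["password"] is not None
    return parts


def is_valid_upgrade_url(url):
    try:
        parse_upgrade_url(url)
        return True
    except ValueError:
        return False


def served_name(listing, case_sensitive):
    """Name the server would return for the switch's request, or None.
    `listing` is the server directory's file names (constructed by the caller)."""
    if case_sensitive:
        return UPGRADE_FILE if UPGRADE_FILE in listing else None
    return next((n for n in listing if n.lower() == UPGRADE_FILE), None)


if __name__ == "__main__":
    url = "ftp://switches:upgrade@192.168.0.1/switches/opcode/"   # the page's example
    p = parse_upgrade_url(url)
    print(f"user={p['user']} host={p['host']} request={p['request']} "
          f"cleartext_password={p['cleartext_password']}")
    for name in ("dg-fs4526e.bix", "DG-FS4526E.bix"):
        print(f"server stores {name!r}: case-sensitive -> {served_name([name], True)}, "
              f"case-insensitive -> {served_name([name], False)}")
```

The last loop reproduces the page's warning: a server that stores DG-FS4526E.bix on a case-sensitive file system returns nothing for the switch's lower-case request, while a case-insensitive server serves the same file.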
  • Page 115: Setting The System Clock

    Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries, which is what makes the log comparable with other devices’ logs when an incident is investigated.
  • Page 116: Setting the SNTP Polling Interval

    Figure 12: Manually Setting the System Clock. Setting the SNTP Polling Interval: Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI References...
  • Page 117: Specifying SNTP Time Servers

    Figure 13: Setting the Polling Interval for SNTP. Specifying SNTP Time Servers: Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers. CLI References...
  • Page 118: Setting The Time Zone

    Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (UTC, formerly Greenwich Mean Time, or GMT), based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 119: Console Port Settings

    Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 120 (Console Port Settings): The password for the console connection can only be configured through the CLI (see "password" on page 603). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
  • Page 121: Telnet Settings

    Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Telnet sends the login and the whole session in cleartext, so disable it if it is not needed, or restrict it to a trusted management network.
  • Page 122: Displaying CPU Utilization

    […] authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch. Web Interface: To configure parameters for Telnet access: Click System, then Telnet.
  • Page 123: Displaying Memory Utilization

    Web Interface: To display CPU utilization: Click System, then CPU Utilization. Change the update interval if required; the interval changes as soon as a new setting is selected. Figure 18: Displaying CPU Utilization. Displaying Memory Utilization...
  • Page 124: Resetting The System

    Web Interface: To display memory utilization: Click System, then Memory Status. Figure 19: Displaying Memory Utilization. Resetting the System: Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI References: "reload (Privileged Exec)"...
  • Page 125 (Resetting the System): At – Specifies a date and time at which to reload the switch. DD – The day of the month on which to reload. (Range: 1-31) MM – The month in which to reload. (january ... december) YYYY – The year in which to reload.
  • Page 126 (Resetting the System): Figure 20: Restarting the Switch (Immediately). Figure 21: Restarting the Switch (In).
  • Page 127 (Resetting the System): Figure 22: Restarting the Switch (At). Figure 23: Restarting the Switch (Regularly).
  • Page 129: Interface Configuration

    Interface Configuration. This chapter describes the following topics: Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
  • Page 130 (Port Configuration): Command Usage: Auto-negotiation must be disabled before you can force an RJ-45 interface to use the Speed/Duplex mode or Flow Control options. When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities. To set the speed, duplex mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface.
  • Page 131 (Port Configuration): 10f – Supports 10 Mbps full-duplex operation. 100h – Supports 100 Mbps half-duplex operation. 100f – Supports 100 Mbps full-duplex operation. 1000f (Gigabit ports only) – Supports 1000 Mbps full-duplex operation. Sym (Gigabit only) – Check this item to transmit and receive pause frames.
  • Page 132: Configuring By Port Range

    Figure 24: Configuring Connections by Port List. Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 133: Displaying Connection Status

    Figure 25: Configuring Connections by Port Range. Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI References: "show interfaces status"...
  • Page 134: Configuring Local Port Mirroring

    Web Interface: To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 26: Displaying Port Information. Configuring Local Port Mirroring: Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
  • Page 135 (Port Configuration): When mirroring VLAN traffic (see "Configuring VLAN Mirroring" on page 196) or packets based on a source MAC address (see "Configuring MAC Address Mirroring" on page 204), the target port cannot be the same as a target port already used for port mirroring on this page.
  • Page 136: Configuring Remote Port Mirroring

    To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 29: Displaying Local Port Mirror Sessions. Configuring Remote Port Mirroring: Use the Interface > Port > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
  • Page 137 (Port Configuration): Command Usage: Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in "Configuring Local Port Mirroring" on page 134), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
  • Page 138 (Port Configuration): […] still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port.
  • Page 139 (Port Configuration): Type – Specifies the traffic type to be mirrored remotely. (Options: Rx, Tx, Both) Destination Port – Specifies the destination port that receives the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
  • Page 140: Showing Port Or Trunk Statistics

    Figure 32: Configuring Remote Port Mirroring (Intermediate). Figure 33: Configuring Remote Port Mirroring (Destination). Showing Port or Trunk Statistics: Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the...
  • Page 141: Table 7: Port Statistics

    Parameters: Table 7: Port Statistics. Interface Statistics: Received Octets – The total number of octets received on the interface, including framing characters. Transmitted Octets – The total number of octets transmitted out of the interface, including framing characters.
  • Page 142 (Table 7, continued): Frames Too Long – A count of frames received on a particular interface that exceed the maximum permitted frame size. Alignment Errors – The number of alignment errors (missynchronized data packets). FCS Errors – A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
  • Page 143 (Table 7, continued): Utilization Statistics: Input Octets per second – Number of octets entering this interface per second. Input Packets per second – Number of packets entering this interface per second. Input Utilization – The input utilization rate for this interface.
  • Page 144: Performing Cable Diagnostics

    If Interface, Etherlike, or RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display. Figure 35: Showing Port Statistics (Chart). Performing Cable Diagnostics: Use the Interface >...
  • Page 145 (Performing Cable Diagnostics): Short – Shorted pair. Not Supported – This message is displayed for any Fast Ethernet ports that are linked up, or for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps. Impedance mismatch – Terminating impedance is not in the reference range.
  • Page 146: Trunk Configuration

    Trunk Configuration. This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a large increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 147: Configuring A Static Trunk

    Configuring a Static Trunk: Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters. Figure 37: Configuring Static Trunks (statically configured active links). CLI References: "Link Aggregation Commands"...
  • Page 148 (Trunk Configuration): Set the unit and port for the initial trunk member. Click Apply. Figure 38: Creating Static Trunks. To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list.
  • Page 149: Configuring A Dynamic Trunk

    Figure 40: Configuring Connection Parameters for a Static Trunk. To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 41: Showing Information for Static Trunks. Configuring a Dynamic Trunk: Use the Interface >...
  • Page 150 (Trunk Configuration): If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 151 (Trunk Configuration): […] other switches during negotiations. (Range: 0-65535; Default: 32768) System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. Port Priority –...
  • Page 152 (Trunk Configuration): Click General. Enable LACP on the required ports. Click Apply. Figure 44: Enabling LACP on a Port. To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list.
  • Page 153 (Trunk Configuration): To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Show Member from the Action List. Select a Trunk. Figure 46: Showing Members of a Dynamic Trunk. To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 154: Displaying LACP Port Counters

    To display connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Show from the Action List. Figure 48: Displaying Connection Parameters for Dynamic Trunks. Displaying LACP Port Counters: Use the Interface >...
  • Page 155: Displaying LACP Settings and Status for the Local Side

    Web Interface: To display LACP port counters: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Counters. Select a group member from the Port list. Figure 49: Displaying LACP Port Counters. Displaying LACP Settings and Status for the Local Side: Use the Interface >...
  • Page 156 (Table 9: LACP Internal Configuration Information, continued): Admin State, Oper State – Administrative or operational values of the actor’s state parameters: Expired – The actor’s receive machine is in the expired state. Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 157: Displaying LACP Settings and Status for the Remote Side

    Figure 50: Displaying LACP Port Internal Information. Displaying LACP Settings and Status for the Remote Side: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
  • Page 158: Saving Power

    Web Interface: To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Neighbors. Select a group member from the Port list. Figure 51: Displaying LACP Port Remote Information. Saving Power...
  • Page 159 (Saving Power): […] of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity. The power-saving methods provided by this switch include: Power saving when there is no link partner: Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists.
  • Page 160: Traffic Segmentation

    Web Interface: To enable power savings: Click Interface, Green Ethernet. Mark the Enabled check box for a port. Click Apply. Figure 52: Enabling Power Savings. Traffic Segmentation: If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 161: Configuring Uplink And Downlink Ports

    Parameters: Status – Enables port-based traffic segmentation. (Default: Disabled) Uplink-to-Uplink Mode – Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Blocking – Blocks traffic between uplink ports assigned to different sessions.
  • Page 162: Table 11: Traffic Segmentation Forwarding

    Command Usage: When traffic segmentation is enabled, the forwarding state between the uplink and downlink ports assigned to different client sessions is shown below. Table 11: Traffic Segmentation Forwarding (destination columns: Session #1, Session #1, Session #2, Session #2, Normal; the rows of the table are not captured in this extract)...
  • Page 163 (Traffic Segmentation): Web Interface: To configure the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Add from the Action list. Enter the session ID, set the direction to uplink or downlink, and select the interface to add.
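The point of traffic segmentation is that two clients on different downlink ports cannot reach each other even though they share a VLAN, and Uplink-to-Uplink Mode decides whether the uplinks of different sessions may. The following Python is an added example, not code from the Digisol guide: it models the session membership entered on the Configure Session page and reports which port pairs can still forward to each other, so a planned configuration can be checked for leaks before it is applied. The page states the per-client isolation and the uplink-to-uplink rule; the remaining rules are assumptions because Table 11 is not reproduced in this extract: a downlink port forwards only to uplink ports of its own session, uplink ports of one session forward to each other and to their own downlinks, and a port in no session ("normal") reaches uplink ports but no downlink port.

```python
"""Added example, not code from the Digisol guide: a model of port-based traffic
segmentation for checking which port pairs a configuration still allows to
exchange traffic.

Rules taken from the page: downlink traffic is isolated per client session;
Uplink-to-Uplink Mode decides whether uplinks of different sessions may forward
to each other. Rules assumed here (Table 11 is not in the extract): a downlink
forwards only to uplinks of its own session; uplinks of one session forward to
each other and to their own downlinks; a "normal" port (in no session) reaches
uplinks but no downlink.
"""
FORWARDING, BLOCKING = "forwarding", "blocking"


class TrafficSegmentation:
    def __init__(self, enabled=True, uplink_to_uplink=BLOCKING):
        self.enabled = enabled
        self.uplink_to_uplink = uplink_to_uplink
        self.role = {}   # port -> (session id, "uplink" | "downlink")

    def add(self, session, direction, port):
        """Mirror of the Configure Session > Add page: one role per port."""
        if direction not in ("uplink", "downlink"):
            raise ValueError("direction must be uplink or downlink")
        if port in self.role:
            raise ValueError(f"port {port} already belongs to a session")
        self.role[port] = (session, direction)

    def can_forward(self, src, dst):
        """Whether a frame entering `src` may be forwarded out of `dst`."""
        if not self.enabled or src == dst:
            return True
        s, d = self.role.get(src), self.role.get(dst)
        if s is None and d is None:          # two normal ports: unaffected
            return True
        if s is None or d is None:           # normal port <-> session port (assumption)
            return (s or d)[1] == "uplink"
        (s_sess, s_dir), (d_sess, d_dir) = s, d
        if s_dir == "downlink" or d_dir == "downlink":
            # a downlink only talks to uplinks of its own session, never to a downlink
            return s_sess == d_sess and s_dir != d_dir
        if s_sess == d_sess:                 # uplink -> uplink, same session
            return True
        return self.uplink_to_uplink == FORWARDING

    def leaks(self, ports):
        """Downlink pairs that can still reach each other; should be empty."""
        is_down = lambda p: self.role.get(p, ("", ""))[1] == "downlink"
        return sorted((a, b) for a in ports for b in ports
                      if a < b and is_down(a) and is_down(b) and self.can_forward(a, b))


def example_config(uplink_to_uplink=BLOCKING, enabled=True):
    """Constructed configuration: two client sessions on a 26-port switch, the
    gigabit ports 25/26 as uplinks and ports 1-3 as client downlinks."""
    ts = TrafficSegmentation(enabled=enabled, uplink_to_uplink=uplink_to_uplink)
    for session, direction, port in ((1, "uplink", 25), (1, "downlink", 1),
                                     (1, "downlink", 2), (2, "uplink", 26),
                                     (2, "downlink", 3)):
        ts.add(session, direction, port)
    return ts


if __name__ == "__main__":
    ts = example_config()
    ports = [1, 2, 3, 5, 25, 26]   # port 5 is a normal port in no session
    for a in ports:
        print(a, {b: ts.can_forward(a, b) for b in ports if b != a})
    print("downlink leaks:", ts.leaks(ports))
```

Running it with the segmentation disabled (`example_config(enabled=False)`) shows the pairs that become reachable again, which is the list to compare against when verifying the feature on the switch with two test hosts.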
  • Page 164: VLAN Trunking

    Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI References: "vlan-trunking" on page 900. Command Usage: Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
  • Page 165 (VLAN Trunking): Parameters: Interface – Displays a list of ports or trunks. Port – Port Identifier. (Range: 1-26) Trunk – Trunk Identifier. (Range: 1-13) VLAN Trunking Status – Enables VLAN trunking on the selected interface. Because a trunking interface forwards frames for VLANs the switch is not a member of, enable it only on the inter-switch links that need it.
  • Page 167: VLAN Configuration

    VLAN Configuration. This chapter includes the following topics: IEEE 802.1Q VLANs – Configures static and dynamic VLANs. IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 168 (IEEE 802.1Q VLANs): […] since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: Up to 4093 VLANs based on the IEEE 802.1Q standard. Distributed VLAN learning across multiple switches using explicit or implicit tagging and the GVRP protocol. Port overlapping, allowing a port to participate in multiple VLANs. End stations can belong to multiple VLANs...
  • Page 169 (IEEE 802.1Q VLANs): VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 170: Configuring Vlan Groups

    Figure 59: Using GVRP. [Port-based VLAN figure; port labels 10, 11, 15, 16.] Forwarding Tagged/Untagged Frames: If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 171 (IEEE 802.1Q VLANs): Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 136). Modify: VLAN ID – ID of configured VLAN (1-4093). VLAN Name – Name of the VLAN (1 to 32 characters). Status –...
  • Page 172: Adding Static Members To Vlans

    | VLAN Configuration HAPTER IEEE 802.1Q VLANs To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 173 | VLAN Configuration HAPTER IEEE 802.1Q VLANs CLI R EFERENCES "Configuring VLAN Interfaces" on page 894 "Displaying VLAN Information" on page 901 ARAMETERS These parameters are displayed: Edit Member by VLAN VLAN – ID of configured VLAN (1-4093). Interface – Displays a list of ports or trunks. Port –...
  • Page 174 | VLAN Configuration HAPTER IEEE 802.1Q VLANs If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 175 | VLAN Configuration HAPTER IEEE 802.1Q VLANs NTERFACE To configure static members by the VLAN index: Click VLAN, Static. Select Edit Member by VLAN from the Action list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required. Click Apply.
  • Page 176 | VLAN Configuration HAPTER IEEE 802.1Q VLANs To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Action list. Select a port or trunk configure. Modify the settings for any interface as required. Click Apply. Figure 64: Configuring Static VLAN Members by Interface To configure static members by interface range: Click VLAN, Static.
  • Page 177: Configuring Dynamic VLAN Registration

    | VLAN Configuration | IEEE 802.1Q VLANs. Figure 65: Configuring Static VLAN Members by Interface Range. Configuring Dynamic VLAN Registration: Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
  • Page 178 | VLAN Configuration | IEEE 802.1Q VLANs. GVRP Timers – Timer settings must follow this rule: 2 x (join timer) < leave timer < leaveAll timer. Join – The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20) Leave –...
  • Page 179 | VLAN Configuration | IEEE 802.1Q VLANs. Figure 66: Configuring Global Status of GVRP. To configure GVRP status and timers on a port or trunk: Click VLAN, Dynamic. Select Configure Interface from the Step list. Set the Interface type to display as Port or Trunk. Modify the GVRP status or timers for any interface.
  • Page 180 | VLAN Configuration | IEEE 802.1Q VLANs. To show the dynamic VLAN joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 68: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic.
  • Page 181: IEEE 802.1Q Tunneling

    | VLAN Configuration | IEEE 802.1Q Tunneling. IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 182 | VLAN Configuration | IEEE 802.1Q Tunneling. Figure 70: QinQ Operational Concept (figure labels: Customer A (VLANs 1-10) at both ends, QinQ Tunneling across the Service Provider VLAN 10, edge switch A and edge switch B, Tunnel Access Port, Tunnel...)
  • Page 183 | VLAN Configuration | IEEE 802.1Q Tunneling. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port: An uplink port receives one of the following packets: Untagged; One tag (CVLAN or SPVLAN); Double tag (CVLAN + SPVLAN). The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
  • Page 184 | VLAN Configuration | IEEE 802.1Q Tunneling. Configuration Limitations for QinQ: The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
  • Page 185: Enabling QinQ Tunneling on the Switch

    | VLAN Configuration | IEEE 802.1Q Tunneling. Enabling QinQ Tunneling on the Switch: Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider's metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
  • Page 186: Adding an Interface to a QinQ Tunnel

    | VLAN Configuration | IEEE 802.1Q Tunneling. Web Interface: To enable QinQ Tunneling on the switch: Click VLAN, Tunnel. Select Configure Global from the Step list. Enable Tunnel Status, and specify the TPID if a client attached to a tunnel port is using a non-standard ethertype to identify 802.1Q tagged frames.
  • Page 187 | VLAN Configuration | IEEE 802.1Q Tunneling. Trunk – Trunk Identifier. (Range: 1-13) Mode – Sets the VLAN membership mode of the port. None – The port operates in its normal VLAN mode. (This is the default.) Access – Configures QinQ tunneling for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network.
  • Page 188: Protocol VLANs

    | VLAN Configuration | Protocol VLANs. Protocol VLANs: The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 189 | VLAN Configuration | Protocol VLANs. Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN (VLAN 1) that has been configured with the switch's administrative IP. IP Protocol Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch.
  • Page 190: Mapping Protocol Groups to Interfaces

    | VLAN Configuration | Protocol VLANs. Figure 74: Displaying Protocol VLANs. Mapping Protocol Groups to Interfaces: Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
  • Page 191 | VLAN Configuration | Protocol VLANs. VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4093) Web Interface: To map a protocol group to a VLAN for a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Add from the Action list.
  • Page 192: Configuring IP Subnet VLANs

    | VLAN Configuration | Configuring IP Subnet VLANs. Configuring IP Subnet VLANs: Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 193 | VLAN Configuration | Configuring IP Subnet VLANs. Web Interface: To map an IP subnet to a VLAN: Click VLAN, IP Subnet. Select Add from the Action list. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field.
  • Page 194: Configuring MAC-based VLANs

    | VLAN Configuration | Configuring MAC-based VLANs. Configuring MAC-based VLANs: Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame's source MAC address.
  • Page 195 | VLAN Configuration | Configuring MAC-based VLANs. Web Interface: To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list. Enter an address in the MAC Address field. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
  • Page 196: Configuring VLAN Mirroring

    | VLAN Configuration | Configuring VLAN Mirroring. Configuring VLAN Mirroring: Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 197 | VLAN Configuration | Configuring VLAN Mirroring. Web Interface: To configure VLAN mirroring: Click VLAN, Mirror. Select Add from the Action list. Select the source VLAN, and select a target port. Click Apply. Figure 81: Configuring VLAN Mirroring. To show the VLANs to be mirrored: Click VLAN, Mirror.
  • Page 199: Address Table Settings

    Address Table Settings. Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 200 | Address Table Settings | Setting Static Addresses. Parameters: These parameters are displayed: VLAN – ID of configured VLAN. (Range: 1-4093) Interface – Port or trunk associated with the device assigned a static address. MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 201: Changing the Aging Time

    | Address Table Settings | Changing the Aging Time. To show the static addresses in the MAC address table: Click MAC Address, Static. Select Show from the Action list. Figure 84: Displaying Static MAC Addresses. Changing the Aging Time: Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table.
  • Page 202: Displaying the Dynamic Address Table

    | Address Table Settings | Displaying the Dynamic Address Table. Web Interface: To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
  • Page 203: Clearing the Dynamic Address Table

    | Address Table Settings | Clearing the Dynamic Address Table. Web Interface: To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
  • Page 204: Configuring MAC Address Mirroring

    | Address Table Settings | Configuring MAC Address Mirroring. Web Interface: To clear the entries in the dynamic address table: Click MAC Address, Dynamic. Select Clear Dynamic MAC from the Action list. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
  • Page 205 | Address Table Settings | Configuring MAC Address Mirroring. ...cannot be set to the same target ports as those used for port mirroring (see "Configuring Local Port Mirroring" on page 134). When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring.
  • Page 206 | Address Table Settings | Configuring MAC Address Mirroring. To show the MAC addresses to be mirrored: Click MAC Address, Mirror. Select Show from the Action list. Figure 89: Showing the Source MAC Addresses to Mirror.
  • Page 207: Spanning Tree Algorithm

    Spanning Tree Algorithm. This chapter describes the following basic topics: Loopback Detection – Configures detection and response to loopback BPDUs. Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
  • Page 208 | Spanning Tree Algorithm | Overview. ...lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 90: STP Root Ports and Designated Ports...
  • Page 209 | Spanning Tree Algorithm | Overview. Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree (Region R; MST 1 for this Region; MST 2). An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 210: Configuring Loopback Detection

    | Spanning Tree Algorithm | Configuring Loopback Detection. Configuring Loopback Detection: Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 211: Configuring Global Settings for STA

    | Spanning Tree Algorithm | Configuring Global Settings for STA. Web Interface: To configure loopback detection: Click Spanning Tree, Loopback Detection. Click Port or Trunk to display the required interface type. Modify the required loopback detection attributes. Click Apply. Figure 93: Configuring Port Loopback Detection. Configuring Global Settings for STA...
  • Page 212 | Spanning Tree Algorithm | Configuring Global Settings for STA. ...connected to an 802.1D bridge and starts using only 802.1D BPDUs. RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
  • Page 213 | Spanning Tree Algorithm | Configuring Global Settings for STA. Default: 32768. Range: 0-61440, in steps of 4096. Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440. BPDU Flooding – Configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port.
  • Page 214 | Spanning Tree Algorithm | Configuring Global Settings for STA. ...network. (References to "ports" in this section mean "interfaces," which includes both ports and trunks.) Default: 20. Minimum: The higher of 6 or [2 x (Hello Time + 1)]. Maximum: The lower of 40 or [2 x (Forward Delay - 1)]. Forward Delay –...
  • Page 215 | Spanning Tree Algorithm | Configuring Global Settings for STA. Figure 94: Configuring Global Settings for STA (STP). Figure 95: Configuring Global Settings for STA (RSTP).
  • Page 216: Displaying Global Settings for STA

    | Spanning Tree Algorithm | Displaying Global Settings for STA. Figure 96: Configuring Global Settings for STA (MSTP). Displaying Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 217: Configuring Interface Settings for STA

    | Spanning Tree Algorithm | Configuring Interface Settings for STA. Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 218: Table 12: Recommended STA Path Cost Range

    | Spanning Tree Algorithm | Configuring Interface Settings for STA. CLI References: "Spanning Tree Commands" on page 847. Parameters: These parameters are displayed: Interface – Displays a list of ports or trunks. Spanning Tree – Enables/disables this interface. (Default: Enabled) BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page...
  • Page 219: Table 13: Default STA Path Costs

    | Spanning Tree Algorithm | Configuring Interface Settings for STA. Table 13: Default STA Path Costs (Port Type: IEEE 802.1D-1998 / IEEE 802.1w-2001) – Ethernet: 65,535 / 1,000,000; Fast Ethernet: 65,535 / 100,000; Gigabit Ethernet: 10,000 / 10,000. Admin Link Type – The link type attached to this interface. Point-to-Point –...
  • Page 220 | Spanning Tree Algorithm | Configuring Interface Settings for STA. An interface cannot function as an edge port under the following conditions: If spanning tree mode is set to STP (page 211), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  • Page 221: Displaying Interface Settings for STA

    | Spanning Tree Algorithm | Displaying Interface Settings for STA. Figure 98: Configuring Interface Settings for STA. Displaying Interface Settings for STA: Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 222 | Spanning Tree Algorithm | Displaying Interface Settings for STA. If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding. All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
  • Page 223 | Spanning Tree Algorithm | Displaying Interface Settings for STA. Figure 99: STA Port Roles (R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port). An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 224: Configuring Multiple Spanning Trees

    | Spanning Tree Algorithm | Configuring Multiple Spanning Trees. Configuring Multiple Spanning Trees: Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: "Spanning Tree Commands" on page 847. Command Usage: MSTP generates a unique spanning tree for each instance.
  • Page 225 | Spanning Tree Algorithm | Configuring Multiple Spanning Trees. Web Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 226 | Spanning Tree Algorithm | Configuring Multiple Spanning Trees. To show the MSTP instances: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show from the Action list. Figure 102: Displaying MST Instances. To modify the priority for an MST instance: Click Spanning Tree, MSTP.
  • Page 227 | Spanning Tree Algorithm | Configuring Multiple Spanning Trees. To display global settings for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Information from the Action list. Select an MST ID. The attributes displayed on this page are described under "Displaying Global Settings for STA"...
  • Page 228: Configuring Interface Settings for MSTP

    | Spanning Tree Algorithm | Configuring Interface Settings for MSTP. To show the VLAN members of an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Member from the Action list. Figure 106: Displaying Members of an MST Instance. Configuring Interface Settings for MSTP...
  • Page 229 | Spanning Tree Algorithm | Configuring Interface Settings for MSTP. Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path costs for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 230 | Spanning Tree Algorithm | Configuring Interface Settings for MSTP. To display MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Show Information from the Action list. Figure 108: Displaying MSTP Interface Settings.
  • Page 231: Rate Limit Configuration

    Rate Limit Configuration. Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 232 | Rate Limit Configuration. Web Interface: To configure rate limits: Click Traffic, Rate Limit. Enable the Rate Limit Status for the required ports. Set the rate limit for the individual ports. Click Apply. Figure 109: Configuring Rate Limits.
  • Page 233: Storm Control Configuration

    Storm Control Configuration. Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 234 | Storm Control Configuration. Unknown Unicast – Specifies storm control for unknown unicast traffic. Multicast – Specifies storm control for multicast traffic. Broadcast – Specifies storm control for broadcast traffic. Status – Enables or disables storm control. (Default: Enabled for broadcast storm control, disabled for multicast and unknown unicast storm control) Rate –...
  • Page 235: Class of Service

    Class of Service. Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 236: Selecting the Queue Mode

    | Class of Service | Layer 2 Queue Settings. ...frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
  • Page 237 | Class of Service | Layer 2 Queue Settings. Command Usage: Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. WRR queuing specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
  • Page 238 | Class of Service | Layer 2 Queue Settings. Weight – Sets a weight for each queue which is used by the WRR scheduler. (Range: 1-255; Default: Weights 1, 2, 4, 6 are assigned to queues 0 - 3 respectively) Web Interface: To configure the queue mode: Click Traffic, Priority, Queue.
  • Page 239: Mapping CoS Values to Egress Queues

    | Class of Service | Layer 2 Queue Settings. Figure 114: Setting the Queue Mode (Strict and WRR). Mapping CoS Values to Egress Queues: Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are...
  • Page 240: Table 16: Mapping Internal Per-Hop Behavior to Hardware Queues

    | Class of Service | Layer 2 Queue Settings. Table 15: CoS Priority Levels (Continued) – Priority Level / Traffic Type: Voice, less than 10 milliseconds latency and jitter; Network Control. CLI References: "qos map phb-queue" on page 937. Command Usage: Egress packets are placed into the hardware queues according to the mapping defined by this command.
  • Page 241 | Class of Service | Layer 2 Queue Settings. Figure 115: Mapping CoS Values to Egress Queues. To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Select an interface. Figure 116: Showing CoS Values to Egress Queue Mapping.
  • Page 242: Layer 3/4 Priority Settings

    | Class of Service | Layer 3/4 Priority Settings. Layer 3/4 Priority Settings: The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
  • Page 243: Mapping Ingress DSCP Values to Internal DSCP Values

    | Class of Service | Layer 3/4 Priority Settings. Parameters: These parameters are displayed: Interface – Specifies a port or trunk. Trust Mode: DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values. CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.) Web Interface: To configure the trust mode:...
  • Page 244: Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values

    | Class of Service | Layer 3/4 Priority Settings. Command Usage: Enter per-hop behavior and drop precedence for any of the DSCP values 0 - 63. This map is only used when the priority mapping mode is set to DSCP (see page 242), and the ingress packet type is IPv4.
  • Page 245 | Class of Service | Layer 3/4 Priority Settings. Web Interface: To map DSCP values to internal PHB/drop precedence: Click Traffic, Priority, DSCP to DSCP. Select Configure from the Action list. Select a port. Set the PHB and drop precedence for any DSCP value. Click Apply.
  • Page 246: Mapping CoS Priorities to Internal DSCP Values

    | Class of Service | Layer 3/4 Priority Settings. Mapping CoS Priorities to Internal DSCP Values: Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. CLI References...
  • Page 247: Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence

    | Class of Service | Layer 3/4 Priority Settings. Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence, given as (PHB, drop precedence) for CFI 0 and CFI 1: CoS 0: (0,0) (0,0); CoS 1: (1,0) (1,0); CoS 2: (2,0) (2,0); CoS 3: (3,0) (3,0); CoS 4: (4,0) (4,0); CoS 5: (5,0) (5,0); CoS 6: (6,0) (6,0); CoS 7: (7,0) (7,0). Web Interface: To map CoS/CFI values to internal PHB/drop precedence: Click Traffic, Priority, CoS to DSCP.
  • Page 248 | Class of Service | Layer 3/4 Priority Settings. To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Select a port. Figure 121: Showing CoS to DSCP Internal Mapping.
  • Page 249: Quality Of Service

    UALITY OF ERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 250: Configuring A Class Map

    | Quality of Service HAPTER Configuring a Class Map OMMAND SAGE To create a service policy for a specific category or ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 251 | Quality of Service HAPTER Configuring a Class Map Description – A brief description of a class map. (Range: 1-64 characters) Add Rule Class Name – Name of the class map. Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
  • Page 252 | Quality of Service HAPTER Configuring a Class Map To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 123: Showing Class Maps To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 253: Creating Qos Policies

    | Quality of Service HAPTER Creating QoS Policies To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 125: Showing the Rules for a Class Map REATING OLICIES Use the Traffic >...
  • Page 254 | Quality of Service HAPTER Creating QoS Policies Policing is based on a token bucket, where bucket depth (that is, the maximum burst before the bucket overflows) is specified by the “burst” field (BC), and the average rate tokens are removed from the bucket is specified by the “rate”...
  • Page 255 | Quality of Service HAPTER Creating QoS Policies if Te(t)-B0, the packets is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented. When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: If the packet has been precolored as green and Tc(t)-B0, the packet is green and Tc is decremented by B down to the minimum...
  • Page 256 | Quality of Service HAPTER Creating QoS Policies respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
  • Page 257 | Quality of Service HAPTER Creating QoS Policies ARAMETERS These parameters are displayed: Policy Name – Name of policy map. (Range: 1-16 characters) Description – A brief description of a policy map. (Range: 1-256 characters) Add Rule Policy Name – Name of policy map. Class Name –...
  • Page 258 | Quality of Service HAPTER Creating QoS Policies Committed Burst Size (BC) – Burst in bytes. (Range: 4000- 16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes. Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level.
  • Page 259 | Quality of Service HAPTER Creating QoS Policies Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. Transmit – Transmits in-conformance traffic without any change to the DSCP service level. Exceed –...
  • Page 260 | Quality of Service HAPTER Creating QoS Policies Committed Burst Size (BC) – Burst in bytes. (Range: 4000-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes. Peak Burst Size (BP) – Burst size in bytes. (Range: 4000- 16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
  • Page 261 | Quality of Service HAPTER Creating QoS Policies NTERFACE To configure a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add from the Action list. Enter a policy name. Enter a description. Click Add. Figure 126: Configuring a Policy Map To show the configured policy maps: Click Traffic, DiffServ.
  • Page 262 | Quality of Service HAPTER Creating QoS Policies To edit the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add Rule from the Action list. Select the name of a policy map. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class.
  • Page 263: Attaching a Policy Map to a Port

    | Quality of Service / Attaching a Policy Map to a Port | To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 129: Showing the Rules for a Policy Map. Attaching a Policy Map to a Port...
  • Page 264 | Quality of Service / Attaching a Policy Map to a Port | Web Interface. To bind a policy map to a port: Click Traffic, DiffServ. Select Configure Interface from the Step list. Check the box under the Ingress field to enable a policy map for a port. Select a policy map from the scroll-down box.
  • Page 265: VoIP Traffic Configuration

    | VoIP Traffic Configuration | This chapter covers the following topics: Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 266: VoIP Traffic Configuration

    | VoIP Traffic Configuration / Configuring VoIP Traffic | CLI References: "Configuring Voice VLANs" on page 921. Parameters. These parameters are displayed: Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) Voice VLAN – Sets the Voice VLAN ID for the network. Only one Voice VLAN is supported and it must already be created on the switch.
  • Page 267: Configuring Telephony OUI

    | VoIP Traffic Configuration / Configuring Telephony OUI | VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 268 | VoIP Traffic Configuration / Configuring Telephony OUI | Web Interface. To configure MAC OUI numbers for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Add from the Action list. Enter a MAC address that specifies the OUI for VoIP devices in the network.
  • Page 269: Configuring VoIP Traffic Ports

    | VoIP Traffic Configuration / Configuring VoIP Traffic Ports | Use the Traffic > VoIP (Configure Interface) page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority. You can also enable security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN.
  • Page 270 | VoIP Traffic Configuration / Configuring VoIP Traffic Ports | when the Voice VLAN feature is active for the port. (Range: 0-6; Default: 6) Remaining Age – Number of minutes before this entry is aged out. Web Interface. To configure VoIP traffic settings for a port: Click Traffic, VoIP.
  • Page 271: Security Measures

    | Security Measures | You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 272: AAA Authorization and Accounting

    | Security Measures / AAA Authorization and Accounting | DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 273: Configuring Local/Remote Logon Authentication

    | Security Measures / AAA Authorization and Accounting | Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
  • Page 274: Configuring Remote Logon Authentication Servers

    | Security Measures / AAA Authorization and Accounting | [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Web Interface. To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods). Click Apply.
  • Page 275 | Security Measures / AAA Authorization and Accounting | CLI References: "RADIUS Client" on page 666; "TACACS+ Client" on page 670; "AAA" on page 673. Command Usage. If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
  • Page 276 | Security Measures / AAA Authorization and Accounting | Set Key – Mark this box to set or modify the encryption key. Authentication Key – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) Confirm Authentication Key –...
  • Page 277 | Security Measures / AAA Authorization and Accounting | Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server. To set or modify the authentication key, mark the Set Key box, enter the key, and then confirm it. Click Apply.
  • Page 278 | Security Measures / AAA Authorization and Accounting | To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list. Select RADIUS or TACACS+ server type. Enter the group name, followed by the index of the server to use for each priority level.
  • Page 279: Configuring AAA Accounting

    | Security Measures / AAA Authorization and Accounting | Figure 140: Showing AAA Server Groups. Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.
  • Page 280 | Security Measures / AAA Authorization and Accounting | Accounting Notice – Records user activity from log-in to log-off point. Server Group Name – Specifies the accounting server group. (Range: 1-255 characters) The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon Authentication"...
  • Page 281 | Security Measures / AAA Authorization and Accounting | Web Interface. To configure global settings for AAA accounting: Click Security, AAA, Accounting. Select Configure Global from the Step list. Enter the required update interval. Click Apply. Figure 141: Configuring Global Settings for AAA Accounting. To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting.
  • Page 282 | Security Measures / AAA Authorization and Accounting | To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Show from the Action list. Figure 143: Showing AAA Accounting Methods. To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or...
  • Page 283 | Security Measures / AAA Authorization and Accounting | Figure 145: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
  • Page 284: Configuring AAA Authorization

    | Security Measures / AAA Authorization and Accounting | Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI References: "AAA"...
  • Page 285 | Security Measures / AAA Authorization and Accounting | Interface – Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group has not been assigned to an interface.) Web Interface. To configure the authorization method applied to the Exec service type and the assigned server group:...
  • Page 286 | Security Measures / AAA Authorization and Accounting | To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 150: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization.
  • Page 287: Configuring User Accounts

    | Security Measures / Configuring User Accounts | Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: "User Accounts" on page 661. Command Usage. The default guest name is “guest”...
  • Page 288 | Security Measures / Configuring User Accounts | Web Interface. To configure user accounts: Click Security, User Accounts. Select Add from the Action list. Specify a user name, select the user's access level, then enter a password if required and confirm it. Click Apply.
  • Page 289: Web Authentication

    | Security Measures / Web Authentication | Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.
  • Page 290: Configuring Interface Settings for Web Authentication

    | Security Measures / Web Authentication | Web Interface. To configure global parameters for web authentication: Click Security, Web Authentication. Select Configure Global from the Step list. Enable web authentication globally on the switch, and adjust any of the protocol parameters as required. Click Apply.
  • Page 291: Configuring Interface Settings for Web Authentication

    | Security Measures / Network Access (MAC Address Authentication) | Web Interface. To enable web authentication for a port: Click Security, Web Authentication. Select Configure Interface from the Step list. Set the status box to enabled for any port that requires web authentication, and click Apply. Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate.
  • Page 292: Network Access (MAC Address Authentication)

    | Security Measures / Network Access (MAC Address Authentication) | to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.
  • Page 293 | Security Measures / Network Access (MAC Address Authentication) | Table 19: Dynamic QoS Profiles (Continued). Profile / Attribute Syntax / Example: IP ACL – ip-access-group-in=ip-acl-name (example: ip-access-group-in=ipv4acl); IPv6 ACL – ipv6-access-group-in=ipv6-acl-name (example: ipv6-access-group-in=ipv6acl); MAC ACL – mac-access-group-in=mac-acl-name (example: mac-access-group-in=macAcl). Multiple profiles can be specified in the Filter-ID attribute by using a semicolon to separate each profile.
  • Page 294: Configuring Global Settings for Network Access

    | Security Measures / Network Access (MAC Address Authentication) | MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
  • Page 295: Configuring Network Access for Ports

    | Security Measures / Network Access (MAC Address Authentication) | Figure 156: Configuring Global Settings for Network Access. Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic...
  • Page 296 | Security Measures / Network Access (MAC Address Authentication) | Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server are applied to the port, providing the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled) The VLAN settings specified by the first authenticated MAC address are implemented for a port.
  • Page 297: Configuring Port Link Detection

    | Security Measures / Network Access (MAC Address Authentication) | Figure 157: Configuring Interface Settings for Network Access. Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
  • Page 298: Configuring a MAC Address Filter

    | Security Measures / Network Access (MAC Address Authentication) | Web Interface. To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
  • Page 299 | Security Measures / Network Access (MAC Address Authentication) | MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 300: Displaying Secure MAC Address Information

    | Security Measures / Network Access (MAC Address Authentication) | Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
  • Page 301: Configuring HTTPS

    | Security Measures / Configuring HTTPS | Figure 161: Showing Addresses Authenticated for Network Access. You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 302: Table 20: HTTPS System Support

    | Security Measures / Configuring HTTPS | The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above. The following web browsers and operating systems currently support HTTPS: Table 20: HTTPS System Support...
  • Page 303: Replacing the Default Secure-Site Certificate

    | Security Measures / Configuring HTTPS | Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site.
  • Page 304: Configuring the Secure Shell

    | Security Measures / Configuring the Secure Shell | Web Interface. To replace the default secure-site certificate: Click Security, HTTPS. Select Copy Certificate from the Step list. Fill in the TFTP server, certificate and private key file name, and private password. Click Apply. Figure 163: Downloading the Secure-Site Certificate. Configuring the Secure Shell...
  • Page 305 | Security Measures / Configuring the Secure Shell | Command Usage. The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the System Authentication page (page...
  • Page 306 | Security Measures / Configuring the Secure Shell | Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients): The client sends its password to the server.
  • Page 307: Configuring the SSH Server

    | Security Measures / Configuring the Secure Shell | checks whether the signature is correct. If both checks succeed, the client is authenticated. The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
  • Page 308: Generating the Host Key Pair

    | Security Measures / Configuring the Secure Shell | Web Interface. To configure the SSH server: Click Security, SSH. Select Configure Global from the Step list. Enable the SSH server. Adjust the authentication parameters as required. Click Apply. Figure 164: Configuring the SSH Server. Use the Security >...
  • Page 309 | Security Measures / Configuring the Secure Shell | client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory.
  • Page 310: Importing User Public Keys

    | Security Measures / Configuring the Secure Shell | To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear. Click Clear.
  • Page 311 | Security Measures / Configuring the Secure Shell | The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 312: Access Control Lists

    | Security Measures / Access Control Lists | To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
  • Page 313: Setting a Time Range

    | Security Measures / Access Control Lists | The maximum number of rules per system is 512 rules. An ACL can have up to 64 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. The order in which active ACLs are checked is as follows: User-defined rules in IP and MAC ACLs for ingress ports are checked in parallel.
  • Page 314 | Security Measures / Access Control Lists | Web Interface. To configure a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Add from the Action list. Enter the name of a time range. Click Apply. Figure 169: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL.
  • Page 315 | Security Measures / Access Control Lists | Fill in the required parameters for the selected mode. Click Apply. Figure 171: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list.
  • Page 316: Showing TCAM Utilization

    | Security Measures / Access Control Lists | Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
  • Page 317: Setting the ACL Name and Type

    | Security Measures / Access Control Lists | Figure 173: Showing TCAM Utilization. Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI References: "access-list ip" on page 762; "show ip access-list" on page 767. Parameters. These parameters are displayed: ACL Name –...
  • Page 318 | Security Measures / Access Control Lists | Web Interface. To configure the name and type of an ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add from the Action list. Fill in the ACL Name field, and select the ACL type. Click Apply.
  • Page 319: Configuring a Standard IPv4 ACL

    | Security Measures / Access Control Lists | Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. CLI References: "permit, deny (Standard IP ACL)" on page 763; "show ip access-list"...
  • Page 320: Configuring an Extended IPv4 ACL

    | Security Measures / Access Control Lists | Web Interface. To add rules to an IP Standard ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Standard from the Type list. Select the name of an ACL from the Name list.
  • Page 321 | Security Measures / Access Control Lists | Parameters. These parameters are displayed: Type – Selects the type of ACLs to show in the Name list. Name – Shows the names of ACLs matching the selected type. Action – An ACL can contain any combination of permit or deny rules. Source/Destination Address Type –...
  • Page 322 | Security Measures / Access Control Lists | 32 (urg) – Urgent pointer. For example, use the code value and mask below to catch packets with the following flags set: SYN flag valid, use control-code 2, control bit mask 2; both SYN and ACK valid, use control-code 18, control bit mask 18; SYN valid and ACK invalid, use control-code 2, control bit mask 18. Time Range –...
  • Page 323: Configuring a Standard IPv6 ACL

    | Security Measures / Access Control Lists | Figure 177: Configuring an Extended IPv4 ACL. Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References: "permit, deny (Standard IPv6 ACL)"...
  • Page 324 | Security Measures / Access Control Lists | Time Range – Name of a time range. Web Interface. To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list.
  • Page 325: Configuring an Extended IPv6 ACL

    | Security Measures / Access Control Lists | Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI References: "permit, deny (Extended IPv6 ACL)" on page 770; "show ipv6 access-list"...
  • Page 326: Configuring a MAC ACL

    | Security Measures / Access Control Lists | Web Interface. To add rules to an Extended IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Extended from the Type list. Select the name of an ACL from the Name list.
  • Page 327 | Security Measures / Access Control Lists | Parameters. These parameters are displayed: Type – Selects the type of ACLs to show in the Name list. Name – Shows the names of ACLs matching the selected type. Action – An ACL can contain any combination of permit or deny rules. Source/Destination Address Type –...
  • Page 328 | Security Measures / Access Control Lists | Web Interface. To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 329: Configuring an ARP ACL

    | Security Measures / Access Control Lists | Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 330 | Security Measures / Access Control Lists | Web Interface. To add rules to an ARP ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 331: Binding a Port to an Access Control List

    | Security Measures / Access Control Lists | After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
  • Page 332: ARP Inspection

    | Security Measures / ARP Inspection | Web Interface. To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select IP or MAC from the Type list. Select a port. Select the name of an ACL from the ACL list. Click Apply.
  • Page 333: Configuring Global Settings for ARP Inspection

    | Security Measures / ARP Inspection | Command Usage. Enabling & Disabling ARP Inspection: ARP Inspection is controlled on a global and VLAN basis. By default, ARP Inspection is disabled both globally and on all VLANs. If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled.
  • Page 334 | Security Measures / ARP Inspection | with different MAC addresses are classified as invalid and are dropped. IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
  • Page 335: Configuring VLAN Settings for ARP Inspection

    | Security Measures / ARP Inspection | Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. Log Message Number – The maximum number of entries saved in a log message.
  • Page 336 | Security Measures / ARP Inspection | ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs. If Static is specified, ARP packets are only validated against the selected ACL –...
  • Page 337: Configuring Interface Settings for ARP Inspection

    | Security Measures / ARP Inspection | Figure 184: Configuring VLAN Settings for ARP Inspection. Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
  • Page 338: Displaying ARP Inspection Statistics

    | Security Measures / ARP Inspection | Web Interface. To configure interface settings for ARP Inspection: Click Security, ARP Inspection. Select Configure Interface from the Step list. Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. Click Apply. Figure 185: Configuring Interface Settings for ARP Inspection. Use the Security >...
  • Page 339: Displaying the ARP Inspection Log

    | Security Measures / ARP Inspection | Table 21: ARP Inspection Statistics (Continued). Parameter / Description: ARP packets dropped by additional validation (Src-MAC) – Count of packets that failed the source MAC address test. ARP packets dropped by ARP ACLs – Count of ARP packets that failed validation against ARP ACL rules.
  • Page 340: Filtering IP Addresses for Management Access

    | Security Measures / Filtering IP Addresses for Management Access | Table 22: ARP Inspection Log (Continued). Parameter / Description: Src. IP Address – The source IP address in the packet. Dst. IP Address – The destination IP address in the packet. Src. MAC Address – The source MAC address in the packet.
  • Page 341 | Security Measures / Filtering IP Addresses for Management Access | When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
  • Page 342: Configuring Port Security

    | Security Measures / Configuring Port Security | To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 189: Showing IP Addresses Authorized for Management Access. Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
  • Page 343 | Security Measures / Configuring Port Security | Command Usage. A secure port has the following restrictions: It cannot be used as a member of a static or dynamic trunk. It should not be connected to a network interconnection device. The default maximum number of MAC addresses allowed on a secure port is zero.
  • Page 344: Configuring 802.1X Port Authentication

    | Security Measures HAPTER Configuring 802.1X Port Authentication NTERFACE To configure port security: Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the check box in the Security Status column to enable security for a port, and set the maximum number of MAC addresses allowed on a port.
  • Page 345 | Security Measures HAPTER Configuring 802.1X Port Authentication method used to pass authentication messages can be MD5 (Message- Digest 5), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate.
  • Page 346: Configuring 802.1X Global Settings

    | Security Measures HAPTER Configuring 802.1X Port Authentication 802.1X Use the Security > Port Authentication (Configure Global) page to ONFIGURING configure IEEE 802.1X port authentication. The 802.1X protocol must be LOBAL ETTINGS enabled globally for the switch system before port settings are active. CLI R EFERENCES "802.1X Port Authentication"...
  • Page 347: Configuring Port Authenticator Settings For 802.1X

    | Security Measures HAPTER Configuring 802.1X Port Authentication Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds an MD5 challenge from the authentication server. Click Apply Figure 192: Configuring Global Settings for 802.1X Port Authentication Use the Security >...
  • Page 348 | Security Measures HAPTER Configuring 802.1X Port Authentication ARAMETERS These parameters are displayed: Port – Port number. Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized. Authorized –...
  • Page 349 | Security Measures CHAPTER Configuring 802.1X Port Authentication Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2) Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.
  • Page 350 | Security Measures CHAPTER Configuring 802.1X Port Authentication Authenticator PAE State Machine State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). Reauth Count – Number of times connecting state is re-entered. Current Identifier – Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server.
  • Page 351: Configuring Port Supplicant Settings For 802.1X

    | Security Measures CHAPTER Configuring 802.1X Port Authentication Figure 193: Configuring Interface Settings for 802.1X Port Authenticator CONFIGURING PORT SUPPLICANT SETTINGS FOR 802.1X Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
  • Page 352 | Security Measures CHAPTER Configuring 802.1X Port Authentication COMMAND USAGE When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 346) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate...
  • Page 353: Displaying 802.1X Statistics

    | Security Measures CHAPTER Configuring 802.1X Port Authentication WEB INTERFACE To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply. Figure 194: Configuring Interface Settings for 802.1X Port Supplicant DISPLAYING 802.1X STATISTICS Use the Security >...
  • Page 354 | Security Measures CHAPTER Configuring 802.1X Port Authentication Table 23: 802.1X Statistics (Continued) Parameter Description Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this Authenticator. Rx Last EAPOLVer The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
  • Page 355 | Security Measures CHAPTER Configuring 802.1X Port Authentication WEB INTERFACE To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 195: Showing Statistics for 802.1X Port Authenticator...
  • Page 356: Ip Source Guard

    | Security Measures CHAPTER IP Source Guard To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 196: Showing Statistics for 802.1X Port Supplicant IP SOURCE GUARD IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 357 | Security Measures CHAPTER IP Source Guard COMMAND USAGE Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 358: Configuring Static Bindings For Ip Source Guard

    | Security Measures CHAPTER IP Source Guard SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see...
  • Page 359 | Security Measures CHAPTER IP Source Guard If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be...
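The binding-table behaviour described on pages 357 to 359 (the SIP and SIP-MAC checks, the per-interface Max Binding Entry limit that counts static and DHCP-snooping entries alike, and a new static binding replacing an existing entry with the same VLAN ID and MAC address) modelled in Python. This is an added example, not Digisol firmware code; the port names and addresses are constructed, and the rule that a learned dynamic entry never displaces an existing entry is an assumption the page does not state.

```python
"""Model of the IP Source Guard binding table and the per-port filter it drives.

Added example, not Digisol firmware code. It follows the manual's description:
  * SIP mode checks VLAN ID, source IP address and ingress port against the table;
  * SIP-MAC mode additionally requires the source MAC address to match;
  * Max Binding Entry (range 1-5, default 5) caps the entries per interface and
    counts both static entries and dynamic entries learned by DHCP snooping;
  * a new static binding replaces an existing entry (static or dynamic) that has
    the same VLAN ID and MAC address.
Assumption (not stated on the page): a learned dynamic entry never displaces an
existing entry for the same VLAN ID and MAC address.
"""
from dataclasses import dataclass

DISABLED, SIP, SIP_MAC = "Disabled", "SIP", "SIP-MAC"


@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str       # normalised to lower case by the table
    ip: str
    port: str      # constructed interface name, e.g. "eth1/5"
    static: bool   # True = IP Source Guard static entry, False = DHCP snooping entry


class IpSourceGuard:
    def __init__(self, default_max=5):
        self.table = []          # list of Binding
        self.mode = {}           # port -> DISABLED / SIP / SIP_MAC
        self.max_binding = {}    # port -> cap (1-5)
        self.default_max = default_max

    def set_mode(self, port, mode):
        if mode not in (DISABLED, SIP, SIP_MAC):
            raise ValueError("unknown source guard mode: %r" % mode)
        self.mode[port] = mode

    def set_max_binding(self, port, n):
        if not 1 <= n <= 5:
            raise ValueError("Max Binding Entry range is 1-5")
        self.max_binding[port] = n

    def _port_entries(self, port):
        return [b for b in self.table if b.port == port]

    def _find(self, vlan, mac):
        for e in self.table:
            if e.vlan == vlan and e.mac == mac:
                return e
        return None

    def _append_if_room(self, b):
        cap = self.max_binding.get(b.port, self.default_max)
        if len(self._port_entries(b.port)) >= cap:
            return "rejected"        # interface already holds Max Binding Entry entries
        self.table.append(b)
        return "added"

    def add_static(self, b):
        """Static Configuration > Add. Returns 'added', 'replaced' or 'rejected'."""
        b = Binding(b.vlan, b.mac.lower(), b.ip, b.port, True)
        old = self._find(b.vlan, b.mac)
        if old is not None:
            # Same VLAN ID and MAC address: the new static entry replaces the old
            # one, whether it was a static binding or a dynamic DHCP snooping binding.
            self.table.remove(old)
            self.table.append(b)
            return "replaced"
        return self._append_if_room(b)

    def learn_dynamic(self, b):
        """Entry handed over by DHCP snooping. Returns 'added' or 'rejected'."""
        b = Binding(b.vlan, b.mac.lower(), b.ip, b.port, False)
        if self._find(b.vlan, b.mac) is not None:
            return "rejected"        # assumption: never displaces an existing entry
        return self._append_if_room(b)

    def permit(self, port, vlan, src_mac, src_ip):
        """Return True if an IP packet with these headers may pass the port filter."""
        mode = self.mode.get(port, DISABLED)
        if mode == DISABLED:
            return True
        for e in self._port_entries(port):
            if e.vlan != vlan or e.ip != src_ip:
                continue
            # SIP matches on VLAN, IP and port only; SIP-MAC also needs the MAC.
            if mode == SIP or e.mac == src_mac.lower():
                return True
        return False
```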
  • Page 360: Displaying Information For Dynamic Ip Source Guard Bindings

    | Security Measures CHAPTER IP Source Guard WEB INTERFACE To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Add from the Action list. Enter the required bindings for each port. Click Apply. Figure 198: Configuring Static Bindings for IP Source Guard To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration.
  • Page 361 | Security Measures CHAPTER IP Source Guard PARAMETERS These parameters are displayed: Query by Port – A port on this switch. VLAN – ID of a configured VLAN (Range: 1-4093) MAC Address – A valid unicast MAC address. IP Address – A valid unicast IP address, including classful types A, B or C.
  • Page 362: Dhcp Snooping

    | Security Measures CHAPTER DHCP Snooping DHCP SNOOPING The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 363 | Security Measures CHAPTER DHCP Snooping If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled.
  • Page 364: Dhcp Snooping Configuration

    | Security Measures CHAPTER DHCP Snooping the DHCP client request, including the port and VLAN ID. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them to the entire VLAN. If DHCP Snooping Information Option 82 is enabled on the switch, information may be inserted into a DHCP request packet received over any VLAN (depending on DHCP snooping filtering rules).
  • Page 365: Dhcp Snooping Vlan Configuration

    | Security Measures CHAPTER DHCP Snooping WEB INTERFACE To configure global settings for DHCP Snooping: Click Security, DHCP Snooping. Select Configure Global from the Step list. Select the required options for the general DHCP snooping process and for the DHCP Option 82 information policy. Click Apply. Figure 201: Configuring Global Settings for DHCP Snooping DHCP S...
  • Page 366: Configuring Ports For Dhcp Snooping

    | Security Measures CHAPTER DHCP Snooping DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN. (Default: Disabled) WEB INTERFACE To configure global settings for DHCP Snooping: Click Security, DHCP Snooping.
  • Page 367: Displaying Dhcp Snooping Binding Information

    | Security Measures CHAPTER DHCP Snooping PARAMETERS These parameters are displayed: Trust Status – Enables or disables a port as trusted. (Default: Disabled) WEB INTERFACE To configure global settings for DHCP Snooping: Click Security, DHCP Snooping. Select Configure Interface from the Step list. Set any ports within the local network or firewall to trusted.
  • Page 368 | Security Measures CHAPTER DHCP Snooping VLAN – VLAN to which this entry is bound. Interface – Port or trunk to which this entry is bound. Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 369: Basic Administration Protocols

    BASIC ADMINISTRATION PROTOCOLS This chapter describes basic administration tasks including: Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 370: Configuring Event Logging

    | Basic Administration Protocols CHAPTER Configuring Event Logging CONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. Use the Administration >...
  • Page 371 | Basic Administration Protocols CHAPTER Configuring Event Logging Table 24: Logging Levels (Continued) (Level – Severity Name – Description): Alert – Immediate action needed; Emergency – System unusable. * There are only Level 2, 5 and 6 error messages for the current firmware release. RAM Level –...
  • Page 372: Remote Log Configuration

    | Basic Administration Protocols CHAPTER Configuring Event Logging To show the error messages logged to system or flash memory: Click Administration, Log, System. Select Show System Logs from the Step list. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.
  • Page 373: Sending Simple Mail Transfer Protocol Alerts

    | Basic Administration Protocols CHAPTER Configuring Event Logging the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23) Logging Trap Level – Limits log messages that are sent to the remote syslog server for all levels up to the specified level.
  • Page 374 | Basic Administration Protocols CHAPTER Configuring Event Logging Severity – Sets the syslog severity threshold level (see table on page 370) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0.
  • Page 375: Link Layer Discovery Protocol

    | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol LINK LAYER DISCOVERY PROTOCOL Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 376 | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Delay Interval – Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. (Range: 1-8192 seconds; Default: 2 seconds) The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
  • Page 377: Configuring Lldp Interface Attributes

    | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Figure 209: Configuring LLDP Timing Attributes CONFIGURING LLDP INTERFACE ATTRIBUTES Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 378 | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Enabled) Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. Management Address – The management address protocol packet includes the IPv4 address of the switch.
  • Page 379 | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 167). VLAN Name – The name of all VLANs to which this interface has been assigned (see "IEEE 802.1Q VLANs"...
  • Page 380: Displaying Lldp Local Device Information

    | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol WEB INTERFACE To configure LLDP interface attributes: Click Administration, LLDP. Select Configure Interface from the Step list. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
  • Page 381: Table 25: Chassis Id Subtype

    | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Table 25: Chassis ID Subtype (ID Basis – Reference): Chassis component – EntPhysicalAlias when entPhysicalClass has a value of ‘chassis(3)’ (IETF RFC 2737); Interface alias – IfAlias (IETF RFC 2863); Port component – EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’...
  • Page 382 | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Interface Settings The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk. Port/Trunk Description – A string that indicates the port or trunk description.
  • Page 383: Displaying Lldp Remote Port Information

    | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol DISPLAYING LLDP REMOTE PORT INFORMATION Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
  • Page 384 | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Table 27: Port ID Subtype (Continued) (ID Basis – Reference): Port component – EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737); MAC address – MAC address (IEEE Std 802-2001); Network address – networkAddress; Interface name – ifName (IETF RFC 2863)
  • Page 385: Table 28: Remote Port Auto-Negotiation Advertised Capability

    | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Port Details – 802.3 Extension Port Information Remote Port Auto-Neg Supported – Shows whether the given port (associated with the remote system) supports auto-negotiation. Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636) which is associated with a port on the remote system.
  • Page 386 | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Remote Power Pairs – “Signal” means that the signal pairs only are in use, and “Spare” means that the spare pairs only are in use. Remote Power MDI Supported – Shows whether MDI power is supported on the given port associated with the remote system.
  • Page 387 | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol Figure 213: Displaying Remote Device Information for LLDP (Port) Figure 214: Displaying Remote Device Information for LLDP (Port Details)...
  • Page 388: Displaying Device Statistics

    | Basic Administration Protocols CHAPTER Link Layer Discovery Protocol DISPLAYING DEVICE STATISTICS Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces. CLI REFERENCES "show lldp info statistics"...
  • Page 389: Simple Network Management Protocol

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol WEB INTERFACE To display statistics for LLDP-capable devices attached to the switch: Click Administration, LLDP. Select Show Device Statistics from the Step list. Select General, Port, or Trunk. Figure 215: Displaying LLDP Device Statistics (General) Figure 216: Displaying LLDP Device Statistics (Port) SIMPLE NETWORK...
  • Page 390: Table 29: Snmpv3 Security Models And Levels

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device.
  • Page 391 | Basic Administration Protocols CHAPTER Simple Network Management Protocol The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access. COMMAND USAGE Configuring SNMPv1/2c Management Access To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration >...
  • Page 392: Configuring Global Settings For Snmp

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol CONFIGURING GLOBAL SETTINGS FOR SNMP Use the Administration > SNMP (Configure Global) page to enable SNMPv3 service for all management clients (i.e., versions 1, 2c, 3), and to enable trap messages. CLI REFERENCES "snmp-server"...
  • Page 393: Setting The Local Engine Id

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol SETTING THE LOCAL ENGINE ID Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
  • Page 394: Specifying A Remote Engine Id

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol SPECIFYING A REMOTE ENGINE ID Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 395: Setting Snmpv3 Views

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol Figure 219: Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs: Click Administration, SNMP. Select Configure Engine from the Step list. Select Show Remote Engine from the Action list. Figure 220: Showing Remote Engine IDs for SNMP SETTING SNMPv3 VIEWS Use the Administration >...
  • Page 396 | Basic Administration Protocols CHAPTER Simple Network Management Protocol Add OID Subtree View Name – Lists the SNMP views configured in the Add View page. OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wildcards can be used to mask a specific portion of the OID string.
  • Page 397 | Basic Administration Protocols CHAPTER Simple Network Management Protocol Figure 222: Showing SNMP Views To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Add OID Subtree from the Action list. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
  • Page 398: Configuring Snmpv3 Groups

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list. Select a view name from the list of existing views.
  • Page 399: Table 30: Supported Notification Messages

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol Read View – The configured view for read access. (Range: 1-64 characters) Write View – The configured view for write access. (Range: 1-64 characters) Notify View – The configured view for notifications. (Range: 1-64 characters) Table 30: Supported Notification Messages Model...
  • Page 400 | Basic Administration Protocols CHAPTER Simple Network Management Protocol WEB INTERFACE To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 401: Setting Community Access Strings

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol Figure 226: Showing SNMP Groups SETTING COMMUNITY ACCESS STRINGS Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c.
  • Page 402 | Basic Administration Protocols CHAPTER Simple Network Management Protocol WEB INTERFACE To set a community access string: Click Administration, SNMP. Select Configure User from the Step list. Select Add Community from the Action list. Add new community strings as required, and select the corresponding access rights from the Access Mode list.
  • Page 403: Configuring Local Snmpv3 Users

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol CONFIGURING LOCAL SNMPv3 USERS Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
  • Page 404 | Basic Administration Protocols CHAPTER Simple Network Management Protocol WEB INTERFACE To configure a local SNMPv3 user: Click Administration, SNMP. Select Configure User from the Step list. Select Add SNMPv3 Local User from the Action list. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified.
  • Page 405: Configuring Remote Snmpv3 Users

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol Figure 230: Showing Local SNMPv3 Users CONFIGURING REMOTE SNMPv3 USERS Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
  • Page 406 | Basic Administration Protocols CHAPTER Simple Network Management Protocol AuthPriv – SNMP communications use both authentication and encryption. Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Authentication Password – A minimum of eight plain text characters is required.
  • Page 407 | Basic Administration Protocols CHAPTER Simple Network Management Protocol Figure 231: Configuring Remote SNMPv3 Users To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 232: Showing Remote SNMPv3 Users...
  • Page 408: Specifying Trap Managers

    | Basic Administration Protocols CHAPTER Simple Network Management Protocol SPECIFYING TRAP MANAGERS Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 409 | Basic Administration Protocols CHAPTER Simple Network Management Protocol PARAMETERS These parameters are displayed: SNMP Version 1 IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
  • Page 410 | Basic Administration Protocols CHAPTER Simple Network Management Protocol SNMP Version 3 IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
  • Page 411 | Basic Administration Protocols CHAPTER Simple Network Management Protocol WEB INTERFACE To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 233: Configuring Trap Managers (SNMPv1) Figure 234: Configuring Trap Managers (SNMPv2c)
  • Page 412: Remote Monitoring

    | Basic Administration Protocols CHAPTER Remote Monitoring Figure 235: Configuring Trap Managers (SNMPv3) To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 236: Showing Trap Managers REMOTE MONITORING Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 413: Configuring Rmon Alarms

    | Basic Administration Protocols CHAPTER Remote Monitoring The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol.
  • Page 414 | Basic Administration Protocols CHAPTER Remote Monitoring generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. (Range: 1-65535) Rising Event Index –...
  • Page 415 | Basic Administration Protocols CHAPTER Remote Monitoring Figure 237: Configuring an RMON Alarm To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 238: Showing Configured RMON Alarms...
  • Page 416: Configuring Rmon Events

    | Basic Administration Protocols CHAPTER Remote Monitoring CONFIGURING RMON EVENTS Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
  • Page 417 | Basic Administration Protocols CHAPTER Remote Monitoring WEB INTERFACE To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
  • Page 418: Configuring Rmon History Samples

    | Basic Administration Protocols CHAPTER Remote Monitoring To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 240: Showing Configured RMON Events CONFIGURING RMON HISTORY SAMPLES Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization,...
  • Page 419 | Basic Administration Protocols CHAPTER Remote Monitoring PARAMETERS These parameters are displayed: Port – The port number on the switch. Index – Index to this entry. (Range: 1-65535) Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds) Buckets – The number of buckets requested for this entry. (Range: 1-65536;...
  • Page 420 | Basic Administration Protocols CHAPTER Remote Monitoring To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History. Figure 242: Showing Configured RMON History Samples To show collected RMON history samples: Click Administration, RMON.
  • Page 421: Configuring Rmon Statistical Samples

    | Basic Administration Protocols CHAPTER Remote Monitoring CONFIGURING RMON STATISTICAL SAMPLES Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates. CLI REFERENCES "Remote Monitoring Commands"...
  • Page 422 | Basic Administration Protocols CHAPTER Remote Monitoring WEB INTERFACE To enable regular sampling of statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click Statistics. Select a port from the list as the data source. Enter an index number and the name of the owner for this entry. Click Apply. Figure 244: Configuring an RMON Statistical Sample...
  • Page 423 | Basic Administration Protocols CHAPTER Remote Monitoring Figure 245: Showing Configured RMON Statistical Samples To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics.
  • Page 424: Switch Clustering

    | Basic Administration Protocols CHAPTER Switch Clustering SWITCH CLUSTERING Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 425 | Basic Administration Protocols CHAPTER Switch Clustering PARAMETERS These parameters are displayed: Cluster Status – Enables or disables clustering on the switch. (Default: Disabled) Commander Status – Enables or disables the switch as a cluster Commander. (Default: Disabled) IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster.
  • Page 426: Cluster Member Configuration

    | Basic Administration Protocols CHAPTER Switch Clustering CLUSTER MEMBER CONFIGURATION Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members. CLI REFERENCES "Switch Clustering" on page 627 PARAMETERS These parameters are displayed: Member ID –...
  • Page 427: Managing Cluster Members

    | Basic Administration Protocols CHAPTER Switch Clustering Figure 249: Showing Cluster Members To show cluster candidates: Click Administration, Cluster. Select Configure Member from the Step list. Select Show Candidate from the Action list. Figure 250: Showing Cluster Candidates MANAGING CLUSTER MEMBERS Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
  • Page 428: Ethernet Ring Protection Switching

    | Basic Administration Protocols CHAPTER Ethernet Ring Protection Switching Operate – Remotely manage a cluster member. WEB INTERFACE To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate.
  • Page 429 | Basic Administration Protocols CHAPTER Ethernet Ring Protection Switching Operational Concept Loop avoidance in the ring is achieved by guaranteeing that, at any time, traffic may flow on all but one of the ring links. This particular link is called the ring protection link (RPL), and under normal conditions this link is blocked to traffic.
  • Page 430 | Basic Administration Protocols | Ethernet Ring Protection Switching | Figure 252: ERPS Ring Components (labels: East Port, West Port, RPL Owner (Idle State), CC Messages). Configuration Guidelines for ERPS: Create an ERPS ring (Configure Domain – Add): The ring name is used as an index in the G.8032 database.
  • Page 431: ERPS Configuration

    | Basic Administration Protocols | Ethernet Ring Protection Switching | Enable an ERPS ring (Configure Domain – Configure Details): Before an ERPS ring can work, it must be enabled. When configuration is completed and the ring enabled, R-APS messages will start flowing in the control VLAN, and normal traffic will begin to flow in the data VLANs.
  • Page 432: ERPS Ring Configuration

    | Basic Administration Protocols | Ethernet Ring Protection Switching | INTERFACE: To globally enable ERPS on the switch: Click Administration, ERPS. Select Configure Global from the Step list. Mark the ERPS Status check box. Click Apply. Figure 253: Setting ERPS Global Status. Use the Administration >...
  • Page 433 | Basic Administration Protocols | Ethernet Ring Protection Switching | Idle – If all nodes in a ring are in this state, it means that all the links in the ring are up. This state will switch to protection state if a link failure occurs.
  • Page 434 | Basic Administration Protocols | Ethernet Ring Protection Switching | ...west should be the next node in the ring in a counter-clockwise direction. Once configured, this field shows the ring port for this node, and the interface state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
  • Page 435 | Basic Administration Protocols | Ethernet Ring Protection Switching | WTR Timer – The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. (Range: 5-12 minutes) If the switch goes into ring protection state due to a signal failure, after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal...
  • Page 436 | Basic Administration Protocols | Ethernet Ring Protection Switching | To configure the ERPS parameters for a ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Configure Details from the Action list. Configure the ERPS parameters for this node. Note that spanning tree protocol cannot be configured on the ring ports, nor can these ports be members of a static or dynamic trunk.
  • Page 437: Connectivity Fault Management

    | Basic Administration Protocols | Connectivity Fault Management | Figure 256: Showing Configured ERPS Rings. Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
  • Page 438 | Basic Administration Protocols | Connectivity Fault Management | A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
  • Page 439 | Basic Administration Protocols | Connectivity Fault Management | Figure 258: Multiple CFM Maintenance Domains (labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA). Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
  • Page 440: Configuring Global Settings For CFM

    | Basic Administration Protocols | Connectivity Fault Management | SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent.
  • Page 441 | Basic Administration Protocols | Connectivity Fault Management | CLI REFERENCES: "CFM Commands" on page 1023. PARAMETERS: These parameters are displayed: Global Configuration: CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
  • Page 442 | Basic Administration Protocols | Connectivity Fault Management | Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
  • Page 443 | Basic Administration Protocols | Connectivity Fault Management | Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list. INTERFACE: To configure global settings for CFM: Click Administration, CFM.
  • Page 444: Configuring Interfaces For CFM

    | Basic Administration Protocols | Connectivity Fault Management | CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings. CLI REFERENCES: "ethernet cfm port-enable"...
  • Page 445 | Basic Administration Protocols | Connectivity Fault Management | CLI REFERENCES: "CFM Commands" on page 1023. COMMAND USAGE: Configuring General Settings: Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
  • Page 446: Table 31: Remote MEP Priority Levels

    | Basic Administration Protocols | Connectivity Fault Management | The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List. Configuring Fault Notification: A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that the configured time period (MEP Fault Notify Alarm Time) has passed with one or more defects indicated, and fault alarms are enabled at or above...
  • Page 447 | Basic Administration Protocols | Connectivity Fault Management | PARAMETERS: These parameters are displayed: Creating a Maintenance Domain: MD Index – Domain index. (Range: 1-65535) MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters) MD Level – Authorized maintenance level for this domain. (Range: 0-7) MIP Creation Type –...
  • Page 448 | Basic Administration Protocols | Connectivity Fault Management | INTERFACE: To create a maintenance domain: Click Administration, CFM. Select Configure MD from the Step list. Select Add from the Action list. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). Specify the manner in which MIPs can be created within each domain.
  • Page 449: Configuring CFM Maintenance Associations

    | Basic Administration Protocols | Connectivity Fault Management | To configure detailed settings for maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters. Click Apply. Figure 263: Configuring Detailed Settings for Maintenance Domains. Use the Administration >...
  • Page 450 | Basic Administration Protocols | Connectivity Fault Management | Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 444). Before removing an MA, first remove the MEPs assigned to it (see "Configuring Maintenance End Points"...
  • Page 451 | Basic Administration Protocols | Connectivity Fault Management | MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA: Default – MIPs can be created for this MA on any bridge port through which the MA’s VID can pass. Explicit –...
  • Page 452 | Basic Administration Protocols | Connectivity Fault Management | AIS Transmit Level – Configure the AIS maintenance level in an MA. (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level. AIS Suppress Alarm – Enables/disables suppression of the AIS. (Default: Disabled) INTERFACE: To create a maintenance association:...
  • Page 453 | Basic Administration Protocols | Connectivity Fault Management | To show the configured maintenance associations: Click Administration, CFM. Select Configure MA from the Step list. Select Show from the Action list. Select an entry from the MD Index list. Figure 265: Showing Maintenance Associations. To configure detailed settings for maintenance associations: Click Administration, CFM.
  • Page 454: Configuring Maintenance End Points

    | Basic Administration Protocols | Connectivity Fault Management | Figure 266: Configuring Detailed Settings for Maintenance Associations. Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
  • Page 455 | Basic Administration Protocols | Connectivity Fault Management | ...and receives them from, the direction of the internal bridge relay mechanism. If the Up option is not selected, then the MEP is facing away from the switch, and transmits CFM messages towards, and receives them from, the direction of the physical medium.
  • Page 456: Configuring Remote Maintenance End Points

    | Basic Administration Protocols | Connectivity Fault Management | To show the configured maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 268: Showing Maintenance End Points. Use the Administration >...
  • Page 457 | Basic Administration Protocols | Connectivity Fault Management | SNMP traps for continuity check events discovered by cross-check operations can also be configured on the Configure Global page (see "Configuring Global Settings for CFM"). PARAMETERS: These parameters are displayed: MD Index – Domain index. (Range: 1-65535) MA Index –...
  • Page 458: Transmitting Link Trace Messages

    | Basic Administration Protocols | Connectivity Fault Management | To show the configured remote maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 270: Showing Remote Maintenance End Points. Use the Administration >...
  • Page 459 | Basic Administration Protocols | Connectivity Fault Management | Parameters controlling the link trace cache, including operational state, entry hold time, and maximum size can be configured on the Configure Global page (see "Configuring Global Settings for CFM"). PARAMETERS: These parameters are displayed: MD Index –...
  • Page 460: Transmitting Loop Back Messages

    | Basic Administration Protocols | Connectivity Fault Management | INTERFACE: To transmit link trace messages: Click Administration, CFM. Select Transmit Link Trace from the Step list. Select an entry from MD Index and MA Index. Specify the source MEP, the target MEP using either its MEP identifier or MAC address, and set the maximum number of hops allowed in the TTL field.
  • Page 461 | Basic Administration Protocols | Connectivity Fault Management | If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed. When using the command line or web interface, the source MEP used to send a loopback message is chosen by the CFM protocol.
  • Page 462: Transmitting Delay-Measure Requests

    | Basic Administration Protocols | Connectivity Fault Management | INTERFACE: To transmit loopback messages: Click Administration, CFM. Select Transmit Loopback from the Step list. Select an entry from MD Index and MA Index. Specify the source MEP, the target MEP using either its MEP identifier or MAC address, set the number of times the loopback message is to be sent.
  • Page 463 | Basic Administration Protocols | Connectivity Fault Management | Frame delay measurement can be made only for two-way measurements, where the MEP transmits a frame with DM request information with the TxTimeStampf (Timestamp at the time of sending a frame with DM request information), and the receiving MEP responds with a frame with DM reply information with TxTimeStampf copied from the DM request information, RxTimeStampf (Timestamp at the time of receiving a frame with DM request information), and TxTimeStampb...
  • Page 464: Displaying Local MEPs

    | Basic Administration Protocols | Connectivity Fault Management | INTERFACE: To transmit delay-measure messages: Click Administration, CFM. Select Transmit Delay Measure from the Step list. Select an entry from MD Index and MA Index. Specify the source MEP, the target MEP using either its MEP identifier or MAC address, set the number of times the delay-measure message is to be sent, the interval, and the timeout.
  • Page 465: Displaying Details For Local MEPs

    | Basic Administration Protocols | Connectivity Fault Management | Level – Authorized maintenance level for this domain. Direction – Direction in which the MEP communicates CFM messages: Down indicates that the MEP is facing away from the switch, and transmits CFM messages towards, and receives them from, the direction of the physical medium.
  • Page 466 | Basic Administration Protocols | Connectivity Fault Management | MD Name – The maintenance domain for this entry. MA Name – Maintenance association to which this remote MEP belongs. MA Name Format – The format of the Maintenance Association name, including primary VID, character string, unsigned integer 16, or RFC 2865 VPN ID.
  • Page 467: Displaying Local MIPs

    | Basic Administration Protocols | Connectivity Fault Management | Select a MEP ID. Figure 275: Showing Detailed Information on Local MEPs. Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)
  • Page 468: Displaying Remote MEPs

    | Basic Administration Protocols | Connectivity Fault Management | INTERFACE: To show information for the MIPs discovered by the CFM protocol: Click Administration, CFM. Select Show Information from the Step list. Select Show Local MIP from the Action list. Figure 276: Showing Information on Local MIPs. Use the Administration >...
  • Page 469: Displaying Details For Remote MEPs

    | Basic Administration Protocols | Connectivity Fault Management | INTERFACE: To show information for remote MEPs: Click Administration, CFM. Select Show Information from the Step list. Select Show Remote MEP from the Action list. Figure 277: Showing Information on Remote MEPs. Use the Administration >...
  • Page 470 | Basic Administration Protocols | Connectivity Fault Management | Age of Last CC Message – Length of time the last CCM message about this MEP has been in the CCM database. Frame Loss – Percentage of transmitted frames lost. CC Packet Statistics – The number of CCM packets received successfully and those with errors.
  • Page 471: Displaying The Link Trace Cache

    | Basic Administration Protocols | Connectivity Fault Management | Figure 278: Showing Detailed Information on Remote MEPs. Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.
  • Page 472 | Basic Administration Protocols | Connectivity Fault Management | Ingress Action – Action taken on the ingress port: IngOk – The target data frame passed through to the MAC Relay Entity. IngDown – The bridge port’s MAC_Operational parameter is false. This value could be returned, for example, by an operationally Down MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port’s MAC_Operational parameter to be false.
  • Page 473: Displaying Fault Notification Settings

    | Basic Administration Protocols | Connectivity Fault Management | Figure 279: Showing the Link Trace Cache. Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator. CLI REFERENCES:...
  • Page 474: Displaying Continuity Check Errors

    | Basic Administration Protocols | Connectivity Fault Management | INTERFACE: To show configuration settings for the fault notification generator: Click Administration, CFM. Select Show Information from the Step list. Select Show Fault Notification Generator from the Action list. Figure 280: Showing Settings for the Fault Notification Generator. Use the Administration >...
  • Page 475: OAM Configuration

    | Basic Administration Protocols | OAM Configuration | ...MA x, also has an Up MEP configured facing inward (up) on some bridge port. EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities. OVERLAP_LEV –...
  • Page 476: Table 33: OAM Operation State

    | Basic Administration Protocols | OAM Configuration | PARAMETERS: These parameters are displayed: Port – Port identifier. (Range: 1-26) Admin Status – Enables or disables OAM functions. (Default: Disabled) Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.
  • Page 477 | Basic Administration Protocols | OAM Configuration | When system power fails, the switch will always send a dying gasp trap message prior to power down. Critical Event – If a critical event occurs, the local OAM entity indicates this to its peer by setting the appropriate flag in the next OAMPDU to be sent and stores this information in its OAM event log.
  • Page 478: Displaying Statistics For OAM Messages

    | Basic Administration Protocols | OAM Configuration | INTERFACE: To enable OAM functionality on the selected port: Click Administration, OAM, Interface. Set the OAM administrative status and operational mode for the required ports. Specify whether or not critical link events will be reported by the switch.
  • Page 479: Displaying The OAM Event Log

    | Basic Administration Protocols | OAM Configuration | INTERFACE: To display statistics for OAM messages: Click Administration, OAM, Counters. Figure 283: Displaying Statistics for OAM Messages. Use the Administration > OAM > Event Log page to display link events for the selected port.
  • Page 480: Displaying The Status Of Remote Interfaces

    | Basic Administration Protocols | OAM Configuration | INTERFACE: To display link events for the selected port: Click Administration, OAM, Event Log. Select a port from the drop-down list. Figure 284: Displaying the OAM Event Log. Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
  • Page 481: Configuring A Remote Loop Back Test

    | Basic Administration Protocols | OAM Configuration | ...not support the unidirectional function, but can parse error messages sent from a peer with unidirectional capability. Link Monitor – Shows if the OAM entity can send and receive Event Notification OAMPDUs. MIB Variable Retrieval – Shows if the OAM entity can send and receive Variable Request and Response OAMPDUs.
  • Page 482: Table 34: OAM Operation State

    | Basic Administration Protocols | OAM Configuration | To perform a loopback test, first enable Remote Loop Back Mode, click Test, and then click End. The number of packets transmitted and received will be displayed. PARAMETERS: These parameters are displayed: Loopback Mode of Remote Device Port –...
  • Page 483: Displaying Results Of Remote Loop Back Testing

    | Basic Administration Protocols | OAM Configuration | INTERFACE: To initiate a loop back test to the peer device attached to the selected port: Click Administration, OAM, Remote Loop Back. Select Remote Loopback Test from the Action list. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
  • Page 484 | Basic Administration Protocols | OAM Configuration | INTERFACE: To display the results of remote loop back testing for each port for which this information is available: Click Administration, OAM, Remote Loopback. Select Show Test Result from the Action list. Figure 287: Displaying the Results of Remote Loop Back Testing –...
  • Page 485: IP Configuration

    IP CONFIGURATION: This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 486: Address Resolution Protocol

    | IP Configuration | Address Resolution Protocol | The following are some results of the ping command: Normal response - The normal response occurs in one to ten seconds, depending on network traffic. Destination does not respond - If the host does not respond, a “timeout”...
  • Page 487: Setting The ARP Timeout

    | IP Configuration | Address Resolution Protocol | ...traffic passes along the path to its final destination in this way, with each routing device mapping the destination IP address to the MAC address of the next hop toward the recipient, until the packet is delivered to the final destination.
  • Page 488: Displaying ARP Entries

    | IP Configuration | Address Resolution Protocol | INTERFACE: To configure the timeout for the ARP cache: Click IP, ARP. Select Configure General from the Step List. Set the timeout to a suitable value for the ARP cache. Click Apply. Figure 289: Setting the ARP Timeout. Use the IP >...
  • Page 489: Setting The Switch's IP Address (IP Version 4)

    | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | This section describes how to configure an IPv4 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
  • Page 490: Configuring IPv4 Interface Settings

    | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | Use the System > IP (Configure Interface – Add) page to configure an IPv4 address for the switch. An IPv4 address is obtained via DHCP by default for VLAN 1.
  • Page 491 | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | INTERFACE: To set a static IPv4 address for the switch: Click System, IP. Select Configure Interface from the Action list. Select Add from the Step list. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,”...
  • Page 492 | IP Configuration | Setting the Switch’s IP Address (IP Version 4) | To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch: Click System, IP. Select Configure Interface from the Action list. Select Add from the Step list. Select the VLAN through which the management station is attached, set the IP Address Mode to “DHCP”...
  • Page 493: Setting The Switch's IP Address (IP Version 6)

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Select Configure Interface from the Step list. Select Show from the Action list. Select an entry from the VLAN list. Figure 294: Showing the IPv4 Address Configured for an Interface...
  • Page 494: Configuring IPv6 Interface Settings

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | An IPv6 default gateway must be defined if the management station is located in a different IPv6 segment. An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
  • Page 495 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | ...reachability information about the paths to active neighbors. The key parameters used to facilitate this process are the number of attempts made to verify whether or not a duplicate address exists on the same network segment, and the interval between neighbor solicitations used to verify reachability information.
  • Page 496 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600, Default: 1) Configuring a value of 0 disables duplicate address detection. Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
  • Page 497: Configuring An IPv6 Address

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Select Configure Interface from the Action list. Specify the VLAN to configure, enable address auto-configuration, or enable IPv6 explicitly to automatically configure a link-local address and enable IPv6 on the selected interface. Set the MTU size, the maximum number of duplicate address detection messages, and the neighbor solicitation message interval.
  • Page 498 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | To connect to a larger network with multiple subnets, you must configure a global unicast address. There are several alternatives to configuring this address type: The global unicast address can be automatically configured by taking the network prefix from router advertisements observed on the local interface, and using the modified EUI-64 form of the interface identifier to automatically create the host portion of the...
  • Page 499 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | ...of the address comprise the prefix (i.e., the network portion of the address). Note that the value specified in the IPv6 Address field may include some of the high-order host bits if the specified prefix length is less than 64 bits.
  • Page 500: Showing IPv6 Addresses

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Figure 297: Configuring an IPv6 Address. Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI REFERENCES: "show ipv6 interface"...
  • Page 501: Showing The IPv6 Neighbor Cache

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Note that the solicited-node multicast address (link-local scope FF02) is used to resolve the MAC addresses for neighbor nodes since IPv6 does not support the broadcast method used by the Address Resolution Protocol in IPv4.
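As an added example (not code from the Digisol manual), the address derivation the IPv6 pages describe: the modified EUI-64 interface identifier formed from a port MAC address, the link-local or prefix-based unicast address built from it, and the solicited-node multicast group (FF02::1:FFxx:xxxx) plus its Ethernet multicast MAC that neighbor solicitation and duplicate address detection use instead of an ARP-style broadcast. The MAC address and the 2001:db8 prefix are constructed sample values.

```python
import ipaddress

# Solicited-node prefix FF02::1:FF00:0/104; the low 24 bits come from the unicast address.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def parse_mac(mac: str) -> bytes:
    """Parse a 48-bit MAC written as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def modified_eui64(mac: str) -> bytes:
    """Interface identifier in modified EUI-64 form (RFC 4291, Appendix A):
    insert FF:FE between the OUI and the device-specific half and invert the
    universal/local bit (bit 1 of the first octet)."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit prefix with the modified EUI-64 identifier of `mac`.
    Used for the link-local address (fe80::/64) and for stateless
    autoconfiguration from a router-advertised prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 host portion requires a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for a unicast address (RFC 4291 2.7.1):
    FF02::1:FF00:0/104 with the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group: str) -> str:
    """Ethernet destination MAC for an IPv6 multicast group (RFC 2464 section 7):
    33:33 followed by the low-order 32 bits of the group address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def dad_targets(prefix: str, mac: str) -> dict:
    """What a node needs before it may use a tentative address: the address,
    the solicited-node group it must join so that a neighbor already holding
    the same address can answer during duplicate address detection, and the
    layer-2 destination those neighbor solicitations are sent to."""
    addr = eui64_address(prefix, mac)
    group = solicited_node(str(addr))
    return {
        "tentative": str(addr),
        "solicited_node": str(group),
        "l2_destination": multicast_mac(str(group)),
    }


if __name__ == "__main__":
    # Constructed sample values: the documentation prefix and a made-up MAC.
    for sample_prefix in ("fe80::/64", "2001:db8:0:1::/64"):
        print(dad_targets(sample_prefix, "00:11:22:33:44:55"))
```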
  • Page 502 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Table 36: Show IPv6 Neighbors - display description (Continued). Field / Description: State – The following states are used for dynamic entries: INCMP (Incomplete) - Address resolution is being carried out on the entry.
  • Page 503: Showing IPv6 Statistics

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI REFERENCES: "show ipv6 traffic" on page 1111. COMMAND USAGE: This switch provides statistics for the following traffic types:...
  • Page 504 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Table 37: Show IPv6 Statistics - display description (Continued). Field / Description: Address Errors – The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 505 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Table 37: Show IPv6 Statistics - display description (Continued). Field / Description: Generated Fragments – The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded – The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 506 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Table 37: Show IPv6 Statistics - display description (Continued). Field / Description: Destination Unreachable Messages – The number of ICMP Destination Unreachable messages sent by the interface. Packet Too Big Messages – The number of ICMP Packet Too Big messages sent by the interface.
  • Page 507 | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | INTERFACE: To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP. Figure 300: Showing IPv6 Statistics (IPv6). Figure 301: Showing IPv6 Statistics (ICMPv6) –...
  • Page 508: Showing The MTU For Responding Destinations

    | IP Configuration | Setting the Switch’s IP Address (IP Version 6) | Figure 302: Showing IPv6 Statistics (UDP). Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 509: IP Services

    IP SERVICES: This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see "DHCP Snooping" on page 362. DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
  • Page 510: Configuring A List Of Domain Names

    | IP Services | Configuring a List of Domain Names | INTERFACE: To configure general settings for DNS: Click IP Service, DNS. Select Configure Global from the Action list. Enable domain lookup, and set the default domain name. Click Apply. Figure 304: Configuring General Settings for DNS. CONFIGURING A LIST OF DOMAIN...
  • Page 511 | IP Services | Configuring a List of Domain Names | PARAMETERS: These parameters are displayed: Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters) INTERFACE: To create a list of domain names: Click IP Service, DNS.
  • Page 512: Configuring A List Of Name Servers

    | IP Services | Configuring a List of Name Servers | Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI REFERENCES: "ip name-server"...
  • Page 513: Configuring Static Dns Host To Address Entries

    | IP Services HAPTER Configuring Static DNS Host to Address Entries To show the list name servers: Click IP Service, DNS. Select Show Name Servers from the Action list. Figure 308: Showing the List of Name Servers for DNS DNS H ONFIGURING TATIC OST TO...
  • Page 514: Displaying The Dns Cache

    | IP Services HAPTER Displaying the DNS Cache NTERFACE To configure static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Add from the Action list. Enter a host name and the corresponding address. Click Apply. Figure 309: Configuring Static Entries in the DNS Table To show static entries in the DNS table: Click IP Service, DNS, Static Host Table.
  • Page 515 | IP Services HAPTER Displaying the DNS Cache with a host name via information returned from a name server, a DNS client can try each address in succession, until it establishes a connection with the target device. ARAMETERS These parameters are displayed: No.
  • Page 517: Multicast Filtering

    This chapter describes how to configure the following multicast services: IGMP – Configures snooping and query parameters. Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. Multicast VLAN Registration (MVR) –...
  • Page 518: Layer 2 IGMP (Snooping and Query)

    Multicast Filtering chapter, Layer 2 IGMP (Snooping and Query). ...device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
  • Page 519 | ...also request that service be forwarded from any source except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources. When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
  • Page 520: Configuring IGMP Snooping and Query Parameters

    Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 521 | Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs "IGMP Snooping with Proxy Reporting" (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 522 | When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred.
  • Page 523 | Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300) IGMP Snooping Version –...
  • Page 524: Specifying Static Interfaces for a Multicast Router

    Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 525: Assigning Interfaces to Multicast Services

    Select the VLAN for which to display this information. Figure 315: Showing Static Interfaces Attached to a Multicast Router. To show all interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list.
  • Page 526 | CLI References: "ip igmp snooping vlan static" on page 977. Command Usage: Static multicast addresses are never aged out. When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
  • Page 527 | Select the VLAN for which to display this information. Figure 318: Showing Static Interfaces Assigned to a Multicast Service. To show all interfaces statically or dynamically assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member.
  • Page 528: Setting IGMP Snooping Status per Interface

    Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN interface. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters"...
  • Page 529 | Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when: Multicast forwarding is disabled on an interface. An interface is administratively disabled.
  • Page 530 | If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
  • Page 531 | This command applies when the switch is serving as the querier (page 520), or as a proxy host when IGMP snooping proxy reporting is enabled (page 520). Query Response Interval – The maximum time the system waits for a response to proxy general queries.
  • Page 532 | Web Interface: To configure IGMP snooping on a VLAN: Click Multicast, IGMP Snooping, Interface. Select Configure VLAN from the Action list. Select the VLAN to configure and update the required parameters. Click Apply.
  • Page 533: Displaying Multicast Groups Discovered by IGMP Snooping

    Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. CLI References: "show ip igmp snooping group" on page 979. Command Usage: To display information about multicast groups, IGMP Snooping must first...
  • Page 534: Filtering and Throttling IGMP Groups

    In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 535: Configuring IGMP Filter Profiles

    Figure 323: Enabling IGMP Filtering and Throttling. Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
  • Page 536 | Web Interface: To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode. Click Apply.
  • Page 537: Configuring IGMP Filtering and Throttling for Interfaces

    Select the profile to configure, and add a multicast group address or range of addresses. Click Apply. Figure 326: Adding Multicast Groups to an IGMP Filtering Profile. To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter.
  • Page 538 | ...or "replace." If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
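The filter and throttle behaviour described on pages 534 to 538 (a profile in permit or deny mode holding group ranges, a per-port limit on simultaneous groups, and a deny or replace action once the limit is reached), modelled as an added Python example. This is not code from the manual or from Digisol; the class and function names, the sample profile and the join sequence are constructed for illustration.

```python
"""Model of IGMP filtering and throttling as described on pages 534-538.

Added example for this page, not Digisol firmware code. Class and function
names, the sample profile and the join sequence are constructed."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpFilterProfile:
    """One filter profile: access mode plus the multicast group ranges it lists."""
    number: int
    mode: str                                   # "permit" or "deny"
    ranges: List[Tuple[str, str]] = field(default_factory=list)

    def matches(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
                   for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        # permit: only listed groups may be joined; deny: listed groups are blocked.
        return self.matches(group) if self.mode == "permit" else not self.matches(group)


@dataclass
class PortIgmpState:
    """Per-port profile binding, throttle limit, exceed action and joined groups."""
    profile: Optional[IgmpFilterProfile]
    max_groups: int
    action: str                                 # "deny" or "replace"
    joined: List[str] = field(default_factory=list)


def process_join(port: PortIgmpState, group: str, rng: random.Random) -> str:
    """Apply the filter profile first, then the throttle, to one IGMP join report.

    Returns "joined", "filtered", "throttled" or "replaced:<evicted group>".
    The RNG is injected so the random eviction of the replace action is
    reproducible."""
    if not ipaddress.IPv4Address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if port.profile is not None and not port.profile.allows(group):
        return "filtered"                       # report dropped by the profile
    if group in port.joined:
        return "joined"                         # repeated report, state unchanged
    if len(port.joined) < port.max_groups:
        port.joined.append(group)
        return "joined"
    if port.action == "deny":
        return "throttled"                      # over the limit: new report dropped
    evicted = rng.choice(port.joined)           # replace: a random existing group goes
    port.joined.remove(evicted)
    port.joined.append(group)
    return f"replaced:{evicted}"


def run_scenario(action: str, seed: int = 1) -> Tuple[List[str], List[str]]:
    """Constructed walk-through: a subscriber port bound to a permit profile for
    one channel block and limited to two simultaneous groups."""
    profile = IgmpFilterProfile(number=1, mode="permit",
                                ranges=[("239.1.1.1", "239.1.1.255")])
    port = PortIgmpState(profile=profile, max_groups=2, action=action)
    rng = random.Random(seed)
    joins = ["239.1.1.10", "239.1.1.20", "239.2.2.2", "239.1.1.30"]
    results = [process_join(port, g, rng) for g in joins]
    return results, list(port.joined)


if __name__ == "__main__":
    for act in ("deny", "replace"):
        print(act, *run_scenario(act))
```

The third join in the scenario falls outside the permitted range and is filtered before the throttle is consulted; the fourth exceeds the two-group limit and shows the difference between deny (report dropped, existing subscriptions untouched) and replace (one existing subscription is evicted at random, which the page notes the switch does for the replace action).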
  • Page 539: Multicast VLAN Registration

    Figure 328: Configuring IGMP Filtering and Throttling Interface Settings. Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider's network.
  • Page 540 | Figure 329: MVR Concept (figure labels: Multicast Router, Satellite Services, Service Network, Multicast Server, Source, Layer 2 Switch, Port, Receiver Ports, Set-top Box). Command Usage: General Configuration Guidelines for MVR: Enable MVR globally on the switch, and select the MVR VLAN (see "Configuring Global MVR Settings"...
  • Page 541: Configuring Global MVR Settings

    Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider. CLI References: "Multicast VLAN Registration"...
  • Page 542: Configuring MVR Group Address Ranges

    Web Interface: To configure global settings for MVR: Click Multicast, MVR. Select Configure General from the Action list. Enable MVR globally on the switch, select the MVR VLAN, and set the forwarding priority to be assigned to all ingress multicast traffic. Click Apply.
  • Page 543: Configuring MVR Interface Status

    Web Interface: To configure an MVR group address range: Click Multicast, MVR. Select Configure Group Range from the Step list. Select Add from the Action list. Specify the starting and ending IP address for the multicast services that will stream traffic to participating hosts.
  • Page 544 | Command Usage: A port configured as an MVR receiver or source port can join or leave multicast groups configured under MVR. However, note that these ports can also use IGMP snooping to join or leave any other multicast groups using the standard rules for multicast filtering.
  • Page 545 | ...remember that only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned (see "Assigning Static Multicast Groups to Interfaces"...
  • Page 546: Assigning Static Multicast Groups to Interfaces

    Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts. CLI References:...
  • Page 547: Displaying MVR Receiver Groups

    Figure 334: Assigning Static MVR Groups to a Port. To show the static MVR groups assigned to a port: Click Multicast, MVR. Select Configure Static Group Member from the Step list. Select Show from the Action list. Select the port for which to display this information.
  • Page 548 | Port – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN. Also shows the VLAN through which the service is received. Note that this may be different from the MVR VLAN if the group address has been statically assigned.
  • Page 549: Command Line Interface

    Section: Command Line Interface. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: "Using the Command Line Interface" on page 551; "General Commands" on page 563; "System Management Commands"...
  • Page 550 | "Quality of Service Commands" on page 943; "Multicast Filtering Commands" on page 961; "LLDP Commands" on page 999; "CFM Commands" on page 1023; "OAM Commands" on page 1065; "Domain Name Service Commands" on page 1075; "DHCP Commands"...
  • Page 551: Using the Command Line Interface

    When finished, exit the session with the "quit" or "exit" command. After connecting to the system through the console port, the login screen displays:
      User Access Verification
      Username: admin
      Password:
      CLI session with the DG-FS4526E is opened.
      To end the CLI session, enter [Exit].
      Console#
  • Page 552: Telnet Connection

    When finished, exit the session with the "quit" or "exit" command. After entering the Telnet command, the login screen displays:
      Username: admin
      Password:
      CLI session with the DG-FS4526E is opened.
      To end the CLI session, enter [Exit].
      Vty-0#
    Note that Telnet carries this user name and password across the network in cleartext.
  • Page 553: Entering Commands

    You can open up to four sessions to the device via Telnet. Entering Commands: This section describes how to enter CLI commands. A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 554: Getting Help on Commands

    You can display a brief description of the help system by entering the help command. You can also display command syntax by using the "?" character to list keywords or parameters. Showing Commands: If you enter a "?"...
  • Page 555: Partial Keyword Lookup

    (continued list of show keywords)
      reload          Shows the reload settings
      rmon            Remote Monitoring Protocol
      rspan           Display status of the current RSPAN configuration
      running-config  Information on the running configuration
      snmp            Simple Network Management Protocol configuration and statistics
      sntp            Simple Network Time Protocol configuration
      spanning-tree   ...
  • Page 556: Negating the Effect of Commands

    For many configuration commands you can enter the prefix keyword "no" to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server.
  • Page 557: Configuration Commands

    ..."super." To enter Privileged Exec mode, enter the following user names and passwords:
      Username: admin
      Password: [admin login password]
      CLI session with the DG-FS4526E is opened.
      To end the CLI session, enter [Exit].
      Console#

      Username: guest
      Password: [guest login password]
      CLI session with the DG-FS4526E is opened.
  • Page 558: Table 40: Configuration Command Modes

    IGMP Profile – Sets a profile group and enters IGMP filter profile configuration mode. Interface Configuration – These commands modify the port configuration such as speed-duplex and negotiation. Line Configuration – These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
  • Page 559: Command Line Processing

    Table 40: Configuration Command Modes (Continued) (Mode – Command – Prompt): Time Range – time-range – Console(config-time-range); VLAN – vlan database – Console(config-vlan). For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
      Console(config)#interface ethernet 1/5
      Console(config-if)#exit
      Console(config)#...
  • Page 560: CLI Command Groups

    The system commands can be broken down into the functional groups shown below. Table 42: Command Group Index (Command Group – Description): General – Basic commands for entering privileged access mode, restarting the system, or quitting the CLI. System Management – Display and setting of system information, basic modes...
  • Page 561 | Table 42: Command Group Index (Continued): Class of Service – Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue, also sets priority for DSCP. Quality of Service – Configures Differentiated Services...
  • Page 563: General Commands

    These commands are used to control the command access mode, configuration mode, and other basic functions. Table 43: General Commands (Command – Function – Mode): prompt – Customizes the CLI prompt; reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval; enable – Activates privileged mode...
  • Page 564: Reload (Global Configuration)

    Example:
      Console(config)#prompt RD2
      RD2(config)#
    reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 565: Enable

    Command Usage: This command resets the entire system. Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 566: Quit

    Example:
      Console>enable
      Password: [privileged level password]
      Console#
    Related Commands: disable (568), enable password (662). quit: This command exits the configuration program. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The quit and exit commands can both exit the configuration program. Example: This example shows how to quit a CLI session:
      Console#quit...
  • Page 567: Configure

    Example: In this example, the show history command lists the contents of the command history buffer:
      Console#show history
      Execution command history:
       2 config
       1 show history
      Configuration command history:
       4 interface vlan 1
       3 exit
       2 interface vlan 1
       1 end
      Console#
    The ! command repeats commands from the Execution command history...
  • Page 568: Disable

    disable: This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 569: Show Reload

    show reload: This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode: Privileged Exec. Example:
      Console#show reload
      Reloading switch in time: 0 hours 29 minutes.
      The switch will be rebooted at January 1 02:11:50 2001.
  • Page 570 | Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
      Console(config)#exit
      Console#exit
      Press ENTER to start session
      User Access Verification
      Username:
  • Page 571: System Management Commands

    These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 44: System Management Commands (Command Group – Function): Device Designation – Configures information that uniquely identifies this switch; Banner Information – Configures administrative contact, device identification and location...
  • Page 572: Hostname

    hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax: hostname name / no hostname. name – The name of this host. (Maximum length: 255 characters) Default Setting: None...
  • Page 573: Banner Configure

    Table 46: Banner Commands (Continued) (Command – Function – Mode): banner configure manager-info – Configures the Manager contact information that is displayed by banner; banner configure mux – Configures the MUX information that is displayed by banner; banner configure note – Configures miscellaneous information that is displayed by banner under the Notes heading...
  • Page 574: Banner Configure Company

    Input strings cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example:
      Console(config)#banner configure company digisol
      Console(config)#
  • Page 575: Banner Configure Dc-Power-Info

    banner configure dc-power-info: This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id / no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 576: Banner Configure Equipment-Info

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 577: Banner Configure Equipment-Location

    Example:
      Console(config)#banner configure equipment-info manufacturer-id DG-FS4526E floor 3 row 10 rack 15 shelf-rack 12 manufacturer DIGISOL
      Console(config)#
    banner configure equipment-location: This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 578: Banner Configure Lp-Number

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 579: Banner Configure Manager-Info

    banner configure manager-info: This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] / no banner configure manager-info [name1 | name2 | name3]...
  • Page 580: Banner Configure Note

    Default Setting: None. Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 581: Show Banner

    show banner: This command displays all banner information. Command Mode: Normal Exec, Privileged Exec. Example:
      Console#show banner
      DIGISOL
      WARNING - MONITORED ACTIONS AND ACCESSES
      R&D
      Albert_Einstein - 123-555-1212
      Lamar - 123-555-1219
      Station's information:
      710_Network_Path,_Indianapolis
      DIGISOL_DG-FS4526E
      Floor / Row / Rack / Sub-Rack ...
  • Page 582: Show Access-List TCAM-Utilization

    show access-list tcam-utilization: This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use. Command Mode: Privileged Exec. Command...
  • Page 583: Show Process CPU

    show process cpu: This command shows the CPU utilization parameters. Command Mode: Normal Exec, Privileged Exec. Example:
      Console#show process cpu
      CPU Utilization in the past 5 seconds : 3.98%
      Console#
    show running-config: This command displays the configuration information currently in use. Syntax: show running-config [interface interface]...
  • Page 584: Show Startup-Config

    Interface settings – Any configured settings for the console port and Telnet. Example:
      Console#show running-config
      Building startup configuration. Please wait...
      !<stackingDB>00</stackingDB>
      !<stackingMac>01_00-17-7C-00-00-fd_00</stackingMac>
      snmp-server community public ro
      snmp-server community private rw
      snmp-server enable traps authentication
      username admin access-level 15
      username admin password 7 21232f297a57a5a743894a0e4a801fc3
      username guest access-level 0
      ...
    Note that this output still carries the factory SNMP communities (public read-only, private read-write), and that the type-7 value shown for admin is the unsalted MD5 digest of the string "admin", that is, the default password unchanged. Anyone able to read the running configuration can test such hashes offline against a wordlist, so change both before exposing the management interface.
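An added example, not part of the manual or of Digisol's tooling: a small audit of a running-config dump for the two issues visible in the output above, default SNMP community strings and a type-7 password hash that matches a common password. The sample configuration is constructed from the manual's lines plus one assumed account (netops); the function names and the wordlist are assumptions.

```python
"""Audit a running-config dump for default SNMP communities and weak
type-7 password hashes.

Added example for this page, not Digisol tooling. SAMPLE_CONFIG is
constructed from the show running-config lines in the manual plus one
assumed extra account (netops); the admin hash is the one printed on the
page. Function names and the wordlist are assumptions."""
import hashlib
import re
from typing import Dict, List

SAMPLE_CONFIG = (
    "snmp-server community public ro\n"
    "snmp-server community private rw\n"
    "snmp-server enable traps authentication\n"
    "username admin access-level 15\n"
    "username admin password 7 21232f297a57a5a743894a0e4a801fc3\n"
    "username guest access-level 0\n"
    "username netops access-level 15\n"                       # constructed account
    "username netops password 7 "
    + hashlib.md5(b"correct horse battery staple").hexdigest() + "\n"
)

DEFAULT_COMMUNITIES = {"public", "private"}
# Deliberately tiny wordlist; a real audit would use a large one.
WORDLIST = ["admin", "guest", "password", "digisol", "switch", "123456"]

SNMP_RE = re.compile(r"^snmp-server community (\S+)\s+(ro|rw)\b", re.M)
USER_PW_RE = re.compile(r"^username (\S+) password (\d) (\S+)", re.M)


def md5_wordlist(words: List[str]) -> Dict[str, str]:
    """Unsalted MD5 digest -> candidate password. One table serves every hash
    in the config, which is exactly why an unsalted digest is weak."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def audit_config(text: str, words: List[str] = WORDLIST) -> List[str]:
    """Return one finding string per problem found in a running-config dump."""
    findings: List[str] = []
    for community, access in SNMP_RE.findall(text):
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community '{community}' with {access} access")
    table = md5_wordlist(words)
    for user, ptype, value in USER_PW_RE.findall(text):
        if ptype == "0":
            # type 0 is the plain-text form (cf. "password 0 secret" on page 604)
            findings.append(f"user {user}: password given in plain text (type 0)")
        elif ptype == "7" and re.fullmatch(r"[0-9a-fA-F]{32}", value):
            guess = table.get(value.lower())
            if guess is not None:
                findings.append(f"user {user}: type-7 hash matches wordlist entry '{guess}'")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
```

Run against the constructed sample, the audit reports both factory communities and the unchanged admin password; the netops account, whose hash is not in the wordlist, produces no finding, which is the limit of a dictionary check rather than proof of a strong password.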
  • Page 585: Show System

    "Displaying System Information" on page 101. If any POST test indicates "FAIL," contact your distributor for assistance. Example:
      Console#show system
      System Description : DG-FS4526E
      System OID String  : 1.3.6.1.4.1.36293.1.1.1.16
      System Information
      System Up Time     : 0 days, 4 hours, 10 minutes, and 27.90 seconds...
  • Page 586: Show Tech-Support

    Example:
      Console#show tech-support
      show system:
      System Description : DG-FS4526E
      System OID String  : 1.3.6.1.4.1.36293.1.1.1.16
      System Information
      System Up Time     : 0 days, 2 hours, 17 minutes, and 6.23 seconds...
  • Page 587: Show Version

    Example:
      Console#show users
      User Name Accounts:
       User Name   Privilege   Public-Key
       admin       15          None
       guest       0           None
      Online Users:
       Line      User Name   Idle time (h:m:s)   Remote IP addr
       *console  admin       0:00:00
       VTY 0 ...
  • Page 588: Frame Size

    This section describes commands used to configure the Ethernet frame size on the switch. Table 48: Frame Size Commands (Command – Function – Mode): jumbo frame – Enables support for jumbo frames. jumbo frame: This command enables support for jumbo frames for Gigabit Ethernet ports.
  • Page 589: File Management

    Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 590: Boot System

    boot system: This command specifies the file or image used to start up the system. Syntax: boot system {boot-rom | config | opcode}: filename. boot-rom* – Boot ROM. config* – Configuration file. opcode* – Run-time operation code. filename – Name of configuration file or code image.
  • Page 591: Copy

    copy: This command moves (upload/download) a code image or configuration file between the switch's flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 592 | The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate"...
  • Page 593 | The following example shows how to download a configuration file:
      Console#copy tftp startup-config
      TFTP server ip address: 10.1.0.99
      Source configuration file name: startup.01
      Startup configuration file name [startup]:
      Write to FLASH Programming.
      \Write to FLASH finish.
      Success.
  • Page 594: Delete

    delete: This command deletes a file or image. Syntax: delete filename. filename – Name of configuration file or code image. Default Setting: None. Command Mode: Privileged Exec. Command Usage: If the file type is used for system startup, then this file cannot be deleted.
  • Page 595: Whichboot

    Command Usage: If you enter the command dir without any parameters, the system displays all files. File information is shown below: Table 50: File Directory Information (Column Heading – Description): File Name – The name of the file. File Type – File types: Boot-Rom, Operation Code, and Config file.
  • Page 596: Upgrade Opcode Auto

    The name for the new image stored on the TFTP server must be dg-fs4526e.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
  • Page 597: Upgrade Opcode Path

    Example:
      Console(config)#upgrade opcode auto
      Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
      Console(config)#
    If a new image is found at the specified location, the following type of messages will be displayed during bootup:
      Automatic Upgrade is looking for a new image
      New image detected: current version 1.1.1.0;...
  • Page 598 | When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password@]]192.168.0.1[/filedir]/ If the user name is omitted, "Anonymous" will be used for the connection. Note that a password given this way becomes part of the configuration command, and that TFTP provides no authentication or integrity protection for the image it delivers, so the server and the network path to it need to be trusted before automatic upgrade is enabled.
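An added example, not from the manual or from Digisol: a parser for the upgrade path syntax documented on pages 596 to 598 that applies the documented defaults (Anonymous when no user name is given, the fixed image name dg-fs4526e.bix) and reports the risk properties a reviewer would want to know before enabling automatic upgrade. The field and function names are assumptions.

```python
"""Parse and risk-check an "upgrade opcode path" URL (pages 596-598).

Added example for this page, not Digisol tooling. It applies the documented
rules: ftp://[username[:password@]]host[/filedir]/ or tftp://host[/filedir]/,
"Anonymous" when no user name is given, and the fixed image name
dg-fs4526e.bix. Field and function names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

IMAGE_NAME = "dg-fs4526e.bix"       # the manual requires exactly this file name


@dataclass
class UpgradePath:
    scheme: str
    host: str
    directory: str
    username: str                   # "Anonymous" when omitted, per the manual
    password: Optional[str]
    image_url: str                  # what the switch would actually fetch
    warnings: List[str]


def parse_upgrade_path(url: str) -> UpgradePath:
    """Validate the URL against the documented grammar and derive the image URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ftp", "tftp"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ftp or tftp")
    if not parts.hostname:
        raise ValueError("missing server address")
    if not parts.path.endswith("/"):
        raise ValueError("path must name the image directory and end with '/'")
    username = parts.username or "Anonymous"
    warnings: List[str] = []
    if scheme == "tftp":
        warnings.append("tftp: no authentication or integrity protection for the image")
    else:
        if parts.password:
            warnings.append("ftp: password is embedded in the configured URL")
        if username == "Anonymous":
            warnings.append("ftp: anonymous login in use")
    return UpgradePath(
        scheme=scheme,
        host=parts.hostname,
        directory=parts.path,
        username=username,
        password=parts.password,
        image_url=f"{scheme}://{parts.hostname}{parts.path}{IMAGE_NAME}",
        warnings=warnings,
    )


def is_valid_upgrade_path(url: str) -> bool:
    """True when the URL satisfies the documented grammar."""
    try:
        parse_upgrade_path(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for u in ("tftp://192.168.0.1/sm24/", "ftp://ops:s3cret@192.168.0.1/images/"):
        p = parse_upgrade_path(u)
        print(p.image_url, "as", p.username, "|", "; ".join(p.warnings))
```

The check is useful as a pre-commit gate on configuration: it rejects a path that omits the trailing slash (the switch appends the image name to a directory), and makes explicit which server the device will trust to decide that a "newer" image should be installed.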
  • Page 599: Line

    | System Management Commands HAPTER Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 600: Databits

    | System Management Commands HAPTER Line OMMAND Global Configuration OMMAND SAGE Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 601: Exec-Timeout

    | System Management Commands HAPTER Line ELATED OMMANDS parity (602) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. YNTAX exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval. (Range: 0 - 65535 seconds;...
  • Page 602: Parity

    | System Management Commands HAPTER Line EFAULT ETTING login local OMMAND Line Configuration OMMAND SAGE There are three authentication modes provided by the switch itself at login: login selects authentication by a single global password as specified by the password line configuration command.
  • Page 603: Password

    | System Management Commands HAPTER Line EFAULT ETTING No parity OMMAND Line Configuration OMMAND SAGE Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. XAMPLE To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# password...
  • Page 604: Password-Thresh

    | System Management Commands HAPTER Line XAMPLE Console(config-line)#password 0 secret Console(config-line)# ELATED OMMANDS login (601) password-thresh (604) password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
  • Page 605: Silent-Time

    | System Management Commands HAPTER Line silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. YNTAX silent-time [seconds] no silent-time...
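The interaction of password-thresh and silent-time is easier to reason about with a small model. The following is an added example, not code from the Digisol guide: it simulates the lockout the two commands describe so a chosen threshold and silent time can be checked offline. The threshold of 3 and silent time of 60 seconds are assumptions for illustration, not the switch defaults, and because the page does not state the exact boundary, the model locks the line when the failure count reaches the threshold.

```python
"""Console lockout model for password-thresh and silent-time.

Added example, not code from the Digisol guide.  Threshold 3 and silent
time 60 s are illustrative assumptions, not the switch defaults.
"""
from typing import List, Optional, Tuple


class LineLockout:
    """Tracks failed logons on one line and enforces the silent period."""

    def __init__(self, password_thresh: int = 3, silent_time: int = 60):
        self.password_thresh = password_thresh
        self.silent_time = silent_time
        self.failures = 0
        self.locked_until: Optional[float] = None
        self.events: List[Tuple[float, str]] = []

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one logon attempt at time `now` (seconds).

        Returns "silent" (refused because the line is locked), "ok",
        "fail", or "locked" (this attempt reached the threshold and
        started the silent period).
        """
        if self.locked_until is not None:
            if now < self.locked_until:
                # During silent-time every attempt is refused, even with
                # the right password, and the lockout is not extended.
                self.events.append((now, "refused: line silent"))
                return "silent"
            # Silent period over: start counting afresh.
            self.locked_until = None
            self.failures = 0

        if password_ok:
            self.failures = 0
            self.events.append((now, "login ok"))
            return "ok"

        self.failures += 1
        self.events.append((now, f"bad password {self.failures}/{self.password_thresh}"))
        # Assumption: reaching the threshold triggers the lockout (the
        # page says "exceeds" but does not give the exact boundary).
        if self.failures >= self.password_thresh:
            self.locked_until = now + self.silent_time
            self.events.append((now, f"silent for {self.silent_time}s"))
            return "locked"
        return "fail"


def replay(attempts: List[Tuple[float, bool]],
           password_thresh: int = 3, silent_time: int = 60) -> List[str]:
    """Run a list of (time, password_ok) attempts and return each outcome."""
    line = LineLockout(password_thresh, silent_time)
    return [line.attempt(t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed sequence: three wrong passwords, a correct one during the
    # silent period (refused), then a correct one after it has expired.
    for (t, ok), result in zip(
        [(0, False), (1, False), (2, False), (10, True), (62, True)],
        replay([(0, False), (1, False), (2, False), (10, True), (62, True)]),
    ):
        print(f"t={t:>3}s password_ok={ok!s:<5} -> {result}")
```

The point worth noticing is the fourth attempt: a correct password during silent-time is refused like any other, which is what makes the feature a brute-force brake rather than a mere counter, and why a silent time that is too long is a self-inflicted denial of service on the console.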
  • Page 606: Stopbits

    System Management Commands | Line
    ...be supported. The system indicates if the speed you selected is not supported.
    EXAMPLE: To specify 57600 bps, enter this command:
    Console(config-line)#speed 57600
    Console(config-line)#
    stopbits: This command sets the number of stop bits transmitted per byte. Use the no form to restore the default setting.
  • Page 607: Disconnect

    System Management Commands | Line
    COMMAND MODE: Line Configuration
    COMMAND USAGE: If a login attempt is not detected within the timeout interval, the connection is terminated for the session. This command applies to both the local console and Telnet connections. The timeout for Telnet cannot be disabled.
  • Page 608: Show Line

    System Management Commands | Event Logging
    show line: This command displays the terminal line's parameters.
    SYNTAX: show line [console | vty]
      console - Console terminal line.
      vty - Virtual terminal for remote console access (i.e., Telnet).
    DEFAULT SETTING: Shows all lines
    COMMAND MODE: Normal Exec, Privileged Exec
    EXAMPLE:...
  • Page 609: Logging Facility

    System Management Commands | Event Logging
    Table 52: Event Logging Commands (Continued)
      Command | Function
      logging trap | Limits syslog messages saved to a remote server based on severity
      clear log | Clears messages from the logging buffer
      show log | Displays log messages
      show logging | Displays the state of logging
    logging facility...
  • Page 610: Logging History

    System Management Commands | Event Logging
    logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
    SYNTAX: logging history {flash | ram} level
            no logging history {flash | ram}
      flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 611: Logging Host

    System Management Commands | Event Logging
    logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
    SYNTAX: [no] logging host host-ip-address
      host-ip-address - The IP address of a syslog server.
    DEFAULT SETTING: None...
  • Page 612: Logging Trap

    System Management Commands | Event Logging
    RELATED COMMANDS: logging history (610), logging trap (612), clear log (612)
    logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Plain syslog carries messages in the clear and does not authenticate the sender, so the path to the syslog server should stay inside the trusted management network.
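The level arguments of logging history and logging trap are a severity cut-off: a message is kept when its severity number is at or below the configured level (0 is most severe). The following added example, not the switch's own code, shows that filter applied to syslog lines by decoding the PRI field (facility * 8 + severity) of RFC 3164-style messages; the sample lines are constructed, not captured from a DG-FS4526E, and the facility value 23 (local7) is only an illustrative choice.

```python
"""Severity filtering of syslog messages, as logging history/trap do it.

Added example, not code from the Digisol guide.  Sample lines below are
constructed; facility 23 (local7) is an illustrative choice.
"""
import re
from typing import List, Tuple

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line: str) -> Tuple[int, int, str]:
    """Split a syslog line into (facility, severity, message)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"missing PRI field: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, m.group(2)


def filter_by_level(lines: List[str], level: int) -> List[Tuple[int, int, str]]:
    """Keep messages whose severity number is <= level (lower = more severe)."""
    if not 0 <= level <= 7:
        raise ValueError("level must be 0..7")
    kept = []
    for line in lines:
        facility, severity, message = parse_pri(line)
        if severity <= level:
            kept.append((facility, severity, message))
    return kept


# Constructed sample; 23 * 8 = 184, so 184 + severity gives the PRI values.
SAMPLE_LINES = [
    "<190>Nov  5 18:51:22 switch-1 Port 1/5 link-up",                   # informational
    "<187>Nov  5 18:52:01 switch-1 VLAN 10 not found in database",      # errors
    "<188>Nov  5 18:52:40 switch-1 Port 1/7 link-down",                 # warnings
    "<185>Nov  5 18:53:05 switch-1 Login failed three times on VTY 0",  # alerts
]


def severity_summary(lines: List[str], level: int) -> List[str]:
    """Severity names of the messages that pass the filter, in input order."""
    return [SEVERITY_NAMES[sev] for _, sev, _ in filter_by_level(lines, level)]


if __name__ == "__main__":
    # Equivalent of `logging trap 4`: warnings and anything more severe.
    for name in severity_summary(SAMPLE_LINES, 4):
        print(name)
```

Running the same filter at level 7 keeps everything, which is the setting to use on the remote server when the goal is a complete audit trail; the RAM and flash levels can then be set more tightly since local memory is limited.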
  • Page 613: Show Log

    System Management Commands | Event Logging
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#clear log
    Console#
    RELATED COMMANDS: show log (613)
    show log: This command displays the log messages stored in local memory.
    SYNTAX: show log {flash | ram}
      flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 614: Show Logging

    System Management Commands | Event Logging
    show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
    SYNTAX: show logging {flash | ram | sendmail | trap}
      flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 615: Smtp Alerts

    System Management Commands | SMTP Alerts
    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Remote Log Server IP Address : 0.0.0.0
    Console#
    Table 55: show logging trap - display description
      Field...
  • Page 616: Logging Sendmail

    System Management Commands | SMTP Alerts
    logging sendmail: This command enables SMTP event handling. Use the no form to disable this function.
    SYNTAX: [no] logging sendmail
    DEFAULT SETTING: Enabled
    COMMAND MODE: Global Configuration
    EXAMPLE:
    Console(config)#logging sendmail
    Console(config)#
    logging sendmail host: This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
  • Page 617: Logging Sendmail Level

    System Management Commands | SMTP Alerts
    EXAMPLE:
    Console(config)#logging sendmail host 192.168.1.19
    Console(config)#
    logging sendmail level: This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting.
    SYNTAX: logging sendmail level level
            no logging sendmail level
      level - One of the system message levels (page...
  • Page 618: Logging Sendmail Source-Email

    System Management Commands | SMTP Alerts
    COMMAND MODE: Global Configuration
    COMMAND USAGE: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
    EXAMPLE:
    Console(config)#logging sendmail destination-email ted@this-company.com
    Console(config)#
    logging sendmail source-email: This command sets the email address used for the "From"...
  • Page 619: Time

    System Management Commands | Time
    SMTP Minimum Severity Level: 7
    SMTP destination email addresses
    -----------------------------------------------
    ted@this-company.com
    SMTP Source Email Address: bill@this-company.com
    SMTP Status: Enabled
    Console#
    The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 620: Sntp Poll

    System Management Commands | Time
    COMMAND USAGE: The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.... Since log timestamps depend on it, and the sntp commands shown here offer no way to authenticate the server, the configured time servers should be reachable only over a trusted path.
  • Page 621: Sntp Server

    System Management Commands | Time
    RELATED COMMANDS: sntp client (619)
    sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 622: Clock Timezone

    System Management Commands | Time
    EXAMPLE:
    Console#show sntp
    Current Time : Nov 5 18:51:22 2006
    Poll Interval : 16 seconds
    Current Mode : Unicast
    SNTP Status : Enabled
    SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
    Current Server : 137.92.140.80
    Console#
    clock timezone: This command sets the time zone for the switch's internal clock.
  • Page 623: Calendar Set

    System Management Commands | Time
    calendar set: This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
    SYNTAX: calendar set hour min sec {day month year | month day year}
      hour - Hour in 24-hour format.
  • Page 624: Time Range

    System Management Commands | Time Range
    This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
    Table 58: Time Range Commands
      Command | Function
      time-range | Specifies the name of a time range, and enters time range configuration mode
      absolute | Sets the time range for the execution of a command...
  • Page 625: Absolute

    System Management Commands | Time Range
    absolute: This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.
    SYNTAX: absolute start hour minute day month year [end hour minute day month year]
            absolute end hour minute day month year
            no absolute
      hour - Hour in 24-hour format.
  • Page 626: Show Time-Range

    System Management Commands | Time Range
      monday - Monday
      saturday - Saturday
      sunday - Sunday
      thursday - Thursday
      tuesday - Tuesday
      wednesday - Wednesday
      weekdays - Weekdays
      weekend - Weekends
      hour - Hour in 24-hour format. (Range: 0-23)
      minute - Minute. (Range: 0-59)
    DEFAULT SETTING: None...
  • Page 627: Switch Clustering

    System Management Commands | Switch Clustering
    Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 628: Cluster

    System Management Commands | Switch Clustering
    cluster: This command enables clustering on the switch. Use the no form to disable clustering.
    SYNTAX: [no] cluster
    DEFAULT SETTING: Disabled
    COMMAND MODE: Global Configuration
    COMMAND USAGE: To create a switch cluster, first be sure that clustering is enabled on the switch (check with show cluster), then set the switch as a Cluster Commander.
  • Page 629: Cluster Ip-Pool

    System Management Commands | Switch Clustering
    COMMAND USAGE: Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These "Candidate" switches only become cluster Members when manually selected by the administrator through the management station.
  • Page 630: Cluster Member

    System Management Commands | Switch Clustering
    cluster member: This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
    SYNTAX: cluster member mac-address mac-address id member-id
            no cluster member id member-id
      mac-address - The MAC address of the Candidate switch.
  • Page 631: Show Cluster

    System Management Commands | Switch Clustering
    EXAMPLE:
    Console#rcommand id 1
    CLI session with the DG-FS4526E is opened.
    To end the CLI session, enter [Exit].
    Vty-0#
    show cluster: This command shows the switch clustering configuration.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show cluster...
  • Page 632: Show Cluster Candidates

    show cluster candidates: This command shows the discovered Candidate switches in the network.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show cluster candidates
    Cluster Candidates:
    Role            MAC Address        Description
    --------------- ------------------ ----------------------------------------
    Active member   00-17-7C-00-00-FE  DG-FS4526E
    CANDIDATE       00-17-7C-0B-47-A0  DG-FS4526E
    Console#
  • Page 633: Snmp Commands

    SNMP Commands
    Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
  • Page 634: Snmp-Server

    SNMP Commands
    Table 60: SNMP Commands (Continued)
      Command | Function | Mode
      Notification Log Commands
      nlm | Enables the specified notification log | GC
      snmp-server notify-filter | Creates a notification log and specifies the target host | GC
      show nlm oper-status | Shows operation status of configured notification logs | PE
      show snmp notify-filter | Displays the configured notification logs | PE
      ATC Trap Commands...
  • Page 635: Snmp-Server Community

    SNMP Commands
    snmp-server community: This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
    SYNTAX: snmp-server community string [ro | rw]
            no snmp-server community string
      string - Community string that acts like a password and permits access to the SNMP protocol.
    Community strings are sent in the clear in every SNMPv1/v2c packet. The factory strings public (read-only) and private (read/write) that appear in the show snmp output on page 637 should be replaced or removed, and a read/write string should only exist where write access is actually needed.
  • Page 636: Snmp-Server Location

    SNMP Commands
    EXAMPLE:
    Console(config)#snmp-server contact Paul
    Console(config)#
    RELATED COMMANDS: snmp-server location (636)
    snmp-server location: This command sets the system location string. Use the no form to remove the location string.
    SYNTAX: snmp-server location text
            no snmp-server location
      text - String that describes the system location. (Maximum length: 255 characters)
    DEFAULT SETTING:...
  • Page 637: Snmp-Server Enable Traps

    SNMP Commands
    Console#show snmp
    SNMP Agent : Enabled
    SNMP Traps :
      Authentication : Enabled
      Link-up-down : Enabled
    SNMP Communities :
      1. public, and the access level is read-only
      2. private, and the access level is read/write
    0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied...
  • Page 638: Snmp-Server Host

    SNMP Commands
    ...no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. The snmp-server enable traps command is used in conjunction with the snmp-server host command.
  • Page 639

    SNMP Commands
    ...prior to using the snmp-server host command. (Maximum length: 32 characters)
      version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
      auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
  • Page 640

    SNMP Commands
    To send an inform to an SNMPv2c host, complete these steps:
    1. Enable the SNMP agent (page 634).
    2. Create a view with the required notification messages (page 644).
    3. Create a group that includes the required notify view (page 642).
  • Page 641: Snmp-Server Engine-Id

    SNMP Commands
    snmp-server engine-id: This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
    SYNTAX: snmp-server engine-id {local | remote {ip-address}} engineid-string
            no snmp-server engine-id {local | remote {ip-address}}
      local - Specifies the SNMP engine on this switch.
      remote - Specifies an SNMP engine on a remote device.
  • Page 642: Snmp-Server Group

    SNMP Commands
    RELATED COMMANDS: snmp-server host (638)
    snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
    SYNTAX: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
            no snmp-server group groupname
      groupname - Name of an SNMP group.
  • Page 643: Snmp-Server User

    SNMP Commands
    EXAMPLE:
    Console(config)#snmp-server group r&d v3 auth write daily
    Console(config)#
    snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
  • Page 644: Snmp-Server View

    SNMP Commands
    Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. The SNMP engine ID is used to compute the authentication/privacy digests from the password, so the keys derived for a user are bound to one engine ID; a remote user entered against the wrong engine ID will fail authentication even though the password is right.
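Why the engine ID matters can be seen by carrying out the key derivation the page refers to. The following is an added example, not code from the Digisol guide: it implements the RFC 3414 password-to-key and key localization steps (Kul = H(Ku || engineID || Ku)) and checks them against the "maplesyrup" test vector published in RFC 3414 Appendix A.3. The second engine ID used for comparison is a constructed value.

```python
"""SNMPv3 password-to-key conversion and key localization (RFC 3414 A.2).

Added example, not code from the Digisol guide.  The 'maplesyrup' vector
and engine ID 00..02 come from RFC 3414 Appendix A.3; OTHER_ENGINE_ID is
constructed for comparison.
"""
import hashlib

ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated out to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h = hashlib.new(algo)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one SNMP engine."""
    if not 5 <= len(engine_id) <= 32:          # RFC 3411 SnmpEngineID length
        raise ValueError("engine ID must be 5..32 bytes")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Convenience wrapper: password straight to the localized key."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # appendix A.3
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")     # constructed


def keys_differ_per_engine(password: bytes, algo: str = "md5") -> bool:
    """Same password, two engines: the localized keys must not match."""
    return (localized_key(password, RFC3414_ENGINE_ID, algo)
            != localized_key(password, OTHER_ENGINE_ID, algo))


if __name__ == "__main__":
    pw = b"maplesyrup"
    for algo in ("md5", "sha1"):
        print(f"{algo:4} Ku  = {password_to_key(pw, algo).hex()}")
        print(f"{algo:4} Kul = {localized_key(pw, RFC3414_ENGINE_ID, algo).hex()}")
    print("different engine ID gives a different key:", keys_differ_per_engine(pw))
```

A consequence for the snmp-server user command: the switch must know the remote engine's ID (snmp-server engine-id remote) before the user can be created, because Kul cannot be computed without it; changing the local engine ID later invalidates every key already derived against the old one.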
  • Page 645: Show Snmp Engine-Id

    SNMP Commands
    COMMAND USAGE: Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. The predefined view "defaultview" includes access to the entire MIB tree.
    EXAMPLES:
    This view includes MIB-2.
    Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
    Console(config)#
    This view includes the MIB-2 interfaces table, ifDescr....
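How a view decides whether an object is visible is worth making explicit, since views are the only per-object access control SNMP offers on this switch. The following added example, not the switch's own code, evaluates view membership the way the RFC 3415 view tree does: among the entries whose subtree is a prefix of the requested OID, the most specific one wins, so an excluded subtree can carve a hole out of an included parent. The view named mib2-noif and the vendor OID 1.3.6.1.4.1.4242.1 are illustrative; subtree masks, which this page does not mention, are not modelled.

```python
"""SNMP view membership (RFC 3415 view tree families, without masks).

Added example, not code from the Digisol guide.  The view "mib2-noif" and
the OID 1.3.6.1.4.1.4242.1 are illustrative constructions.
"""
from typing import List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    parts = text.strip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad OID {text!r}")
    return tuple(int(p) for p in parts)


class SnmpView:
    """One MIB view: a list of (subtree, included) families."""

    def __init__(self, name: str):
        self.name = name
        self.families: List[Tuple[OID, bool]] = []

    def add(self, subtree: str, included: bool = True) -> "SnmpView":
        self.families.append((parse_oid(subtree), included))
        return self

    def allows(self, oid: str) -> bool:
        """True if `oid` is visible through this view."""
        target = parse_oid(oid)
        best: Optional[Tuple[OID, bool]] = None
        for subtree, included in self.families:
            if target[: len(subtree)] != subtree:
                continue                      # not under this family
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)    # longest prefix decides
        return best is not None and best[1]

    def cli_lines(self) -> List[str]:
        """The snmp-server view commands that would create this view."""
        return [
            f"snmp-server view {self.name} {'.'.join(map(str, st))} "
            f"{'included' if inc else 'excluded'}"
            for st, inc in self.families
        ]


# The page's example view and the predefined defaultview.
MIB2 = SnmpView("mib-2").add("1.3.6.1.2.1", True)
DEFAULTVIEW = SnmpView("defaultview").add("1", True)
# Illustrative: all of MIB-2 except the interfaces group (1.3.6.1.2.1.2).
NO_IFTABLE = SnmpView("mib2-noif").add("1.3.6.1.2.1", True).add("1.3.6.1.2.1.2", False)

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0
IF_DESCR_1 = "1.3.6.1.2.1.2.2.1.2.1"     # ifDescr.1
VENDOR_OID = "1.3.6.1.4.1.4242.1"        # constructed enterprise OID

if __name__ == "__main__":
    for view in (MIB2, DEFAULTVIEW, NO_IFTABLE):
        print("\n".join(view.cli_lines()))
        for oid in (SYS_DESCR, IF_DESCR_1, VENDOR_OID):
            print(f"  {oid}: {'allowed' if view.allows(oid) else 'denied'}")
```

The practical check this enables: before handing a read/write group a view, enumerate the OIDs you expect it to reach and the ones you expect it not to, and confirm both against the view definition rather than against the intent.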
  • Page 646: Show Snmp Group

    SNMP Commands
    Table 61: show snmp engine-id - display description (Continued)
      Field | Description
      Remote SNMP engineID | String identifying an engine ID on a remote device.
      IP address | IP address of the device containing the corresponding remote SNMP engine.
    show snmp group: Four default groups are provided –...
  • Page 647: Show Snmp User

    SNMP Commands
    Table 62: show snmp group - display description
      Field | Description
      groupname | Name of an SNMP group.
      security model | The SNMP version.
      readview | The associated read view.
      writeview | The associated write view.
      notifyview | The associated notify view.
      storage-type | The storage type for this entry.
  • Page 648: Show Snmp View

    SNMP Commands
    show snmp view: This command shows information on the SNMP views.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show snmp view
    View Name: mib-2
    Subtree OID: 1.3.6.1.2.1
    View Type: included
    Storage Type: permanent
    Row Status: active

    View Name: defaultview
    Subtree OID: 1
    View Type: included
    Storage Type: volatile...
  • Page 649: Snmp-Server Notify-Filter

    SNMP Commands
    Disabling logging with this command does not delete the entries stored in the notification log.
    EXAMPLE: This example enables the notification log A1.
    Console(config)#nlm A1
    Console(config)#
    snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 650: Show Nlm Oper-Status

    SNMP Commands
    To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter and nlm commands, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can be logged.
  • Page 651: Show Snmp Notify-Filter

    SNMP Commands
    show snmp notify-filter: This command displays the configured notification logs.
    COMMAND MODE: Privileged Exec
    EXAMPLE: This example displays the configured notification logs and associated target hosts.
    Console#show snmp notify-filter
    Filter profile name          IP address
    ---------------------------- ----------------
                                 10.1.19.23
    Console#
  • Page 653: Remote Monitoring Commands

    Remote Monitoring Commands
    Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 654: Rmon Alarm

    Remote Monitoring Commands
    rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
    SYNTAX: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
            no rmon alarm index
      index –...
  • Page 655: Rmon Event

    Remote Monitoring Commands
    If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reached the rising threshold, and again moved back down to the falling threshold.
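The rising/falling rule above is a hysteresis: each edge is disarmed once it fires and is re-armed only by the opposite edge, so a value hovering around one threshold cannot flood the event log. The following added example, not code from the Digisol guide, models that behaviour (the RFC 2819 alarmTable semantics the text describes) for both absolute and delta sampling. The thresholds are the ones in the show rmon alarms output on page 658; the counter readings are constructed, and 32-bit counter wrap is deliberately not handled.

```python
"""RMON alarm hysteresis (rising/falling thresholds, RFC 2819 alarmTable).

Added example, not code from the Digisol guide.  Thresholds come from the
page-658 show rmon alarms example; OCTET_SAMPLES is constructed.
Counter wrap-around is not handled.
"""
from typing import List, Optional, Tuple


class RmonAlarm:
    def __init__(self, rising: int, falling: int, delta: bool = True):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising = rising
        self.falling = falling
        self.delta = delta
        self.last_raw: Optional[int] = None
        # Startup: either edge may fire on the first compared sample.
        self.rising_armed = True
        self.falling_armed = True

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return "rising", "falling" or None."""
        if self.delta:
            if self.last_raw is None:
                self.last_raw = raw           # first delta sample: no baseline
                return None
            value = raw - self.last_raw
            self.last_raw = raw
        else:
            value = raw
        if value >= self.rising and self.rising_armed:
            self.rising_armed = False         # disarmed until a falling event
            self.falling_armed = True
            return "rising"
        if value <= self.falling and self.falling_armed:
            self.falling_armed = False        # disarmed until a rising event
            self.rising_armed = True
            return "falling"
        return None


def run_alarm(samples: List[int], rising: int, falling: int,
              delta: bool = True) -> List[Tuple[int, str]]:
    """Return (sample index, event) for every event the alarm generates."""
    alarm = RmonAlarm(rising, falling, delta)
    fired = []
    for i, s in enumerate(samples):
        ev = alarm.sample(s)
        if ev:
            fired.append((i, ev))
    return fired


# Constructed ifInOctets readings taken every 30 s (delta sampling):
# deltas are 1e6, 1e6, 9e5, 4e5, 4e5, 1e6.
OCTET_SAMPLES = [0, 1_000_000, 2_000_000, 2_900_000, 3_300_000, 3_700_000, 4_700_000]
RISING, FALLING = 892_800, 446_400

if __name__ == "__main__":
    for idx, event in run_alarm(OCTET_SAMPLES, RISING, FALLING):
        print(f"sample {idx}: {event} event")
```

Sample 2 (delta 1,000,000) is above the rising threshold but produces no event because the rising edge fired at sample 1 and has not yet been re-armed by a falling event; sample 5 is below the falling threshold and is equally silent. Only four of the six compared deltas cross a threshold and only three of those generate events, which is the whole point of having two thresholds instead of one.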
  • Page 656: Rmon Collection History

    Remote Monitoring Commands
    The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
    EXAMPLE:
    Console(config)#rmon event 2 log description urgent owner mike
    Console(config)#
    rmon collection history: This command periodically samples statistics on a physical interface.
  • Page 657: Rmon Collection Rmon1

    Remote Monitoring Commands
    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike
    Console(config-if)#
    rmon collection rmon1: This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection.
    SYNTAX: rmon collection rmon1 controlEntry index [owner name]...
  • Page 658: Show Rmon Alarms

    Remote Monitoring Commands
    show rmon alarms: This command shows the settings for all configured alarms.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show rmon alarms
    Alarm 1 is valid, owned by
     Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
     Taking delta samples, last value was 0
     Rising threshold is 892800, assigned to event 0
     Falling threshold is 446400, assigned to event 0
    show rmon events...
  • Page 659: Show Rmon Statistics

    Remote Monitoring Commands
    show rmon statistics: This command shows the information collected for all configured entries in the statistics group.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show rmon statistics
    Interface 1 is valid, and owned by
     Monitors 1.3.6.1.2.1.2.2.1.1.1 which has
     Received 164289 octets, 2372 packets,
     120 broadcast and 2211 multicast packets,
     0 undersized and 0 oversized packets,...
  • Page 661: Authentication Commands

    Authentication Commands
    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 662: Enable Password

    Authentication Commands | User Accounts
    enable password: After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 663: Username

    Authentication Commands | User Accounts
    username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
  • Page 664: Authentication Sequence

    Authentication Commands | Authentication Sequence
    Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
    Table 69: Authentication Sequence Commands
      Command | Function | Mode...
  • Page 665: Authentication Login

    Authentication Commands | Authentication Sequence
    EXAMPLE:
    Console(config)#authentication enable radius
    Console(config)#
    RELATED COMMANDS: enable password - sets the password for changing command modes (662)
    authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default.
    SYNTAX: authentication login {[local] [radius] [tacacs]}
            no authentication login...
  • Page 666: Radius Client

    Authentication Commands | RADIUS Client
    RELATED COMMANDS: username - for setting the local user names and passwords (663)
    RADIUS Client
    Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
  • Page 667: Radius-Server Auth-Port

    Authentication Commands | RADIUS Client
    radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default.
    SYNTAX: radius-server auth-port port-number
            no radius-server auth-port
      port-number - RADIUS server UDP port used for authentication messages.
  • Page 668: Radius-Server Key

    Authentication Commands | RADIUS Client
    DEFAULT SETTING:
      auth-port - 1812
      acct-port - 1813
      timeout - 5 seconds
      retransmit - 2
    COMMAND MODE: Global Configuration
    EXAMPLE:
    Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
    Console(config)#
    radius-server key: This command sets the RADIUS encryption key. This is the shared secret that the switch and the RADIUS server use to hide the User-Password attribute and to authenticate the server's replies; it must match the value configured on the server, and it should be long and unique to this switch rather than a short word like the one in the example.
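What the "encryption key" actually protects is worth seeing concretely. The following is an added example, not code from the Digisol guide: it implements the two places the shared secret enters RFC 2865, the hiding of the User-Password attribute in an Access-Request and the Response Authenticator the switch checks on the server's reply. The secret "green" is taken from the page's own example; the Request Authenticator bytes, the password and the reply packet are constructed here, and a real client uses random authenticator bytes.

```python
"""Use of the RADIUS shared secret (RFC 2865 sections 3 and 5.2).

Added example, not code from the Digisol guide.  SECRET is the page's
example value; REQUEST_AUTH and the password are constructed (a real
client must use 16 random bytes per request).
"""
import hashlib
import hmac
import struct


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR block i with MD5(secret + previous
    ciphertext block), the first block using the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server does). Trailing NULs are
    padding, so a password that itself ends in NUL is not representable."""
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes,
                request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a reply packet as a server would."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client-side check: does the reply carry a valid authenticator
    for the request we sent?  Without it an Access-Accept could be forged
    by anyone who can spoof the server's address."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


SECRET = b"green"                     # from the page's example
REQUEST_AUTH = bytes(range(16))       # constructed; real clients use random bytes
ACCESS_ACCEPT = 2

if __name__ == "__main__":
    hidden = hide_password(SECRET, REQUEST_AUTH, b"arctangent")
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(SECRET, REQUEST_AUTH, hidden))
    reply = build_reply(ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, SECRET)
    print("genuine reply accepted:", reply_is_authentic(reply, REQUEST_AUTH, SECRET))
    print("reply with wrong secret accepted:", reply_is_authentic(reply, REQUEST_AUTH, b"wrong"))
```

Both mechanisms are MD5-keyed with the secret and nothing else, which is why the secret's length and unpredictability are the whole strength of RADIUS over an untrusted segment: a short dictionary word like the example's can be recovered offline from one captured request/response pair.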
  • Page 669: Radius-Server Timeout

    | Authentication Commands HAPTER RADIUS Client EFAULT ETTING OMMAND Global Configuration XAMPLE Console(config)#radius-server retransmit 5 Console(config)# radius-server This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. timeout YNTAX radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a...
  • Page 670: Tacacs+ Client

    | Authentication Commands HAPTER TACACS+ Client Retransmit Times Request Timeout Server 1: Server IP Address : 192.168.1.1 Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times Request Timeout RADIUS Server Group: Group Name Member Index ------------------------- ------------- radius Console# TACACS+ C...
  • Page 671: Tacacs-Server Key

    | Authentication Commands HAPTER TACACS+ Client port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
  • Page 672: Tacacs-Server Port

    | Authentication Commands HAPTER TACACS+ Client tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. YNTAX tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
  • Page 673: Aaa

    | Authentication Commands HAPTER The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 72: AAA Commands Command Function Mode...
  • Page 674: Aaa Accounting Dot1X

    | Authentication Commands HAPTER group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters) EFAULT ETTING Accounting is not enabled...
  • Page 675: Aaa Accounting Exec

    | Authentication Commands HAPTER group - Specifies the server group to use. radius - Specifies all RADIUS hosts configure with the radius- server host command. tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 676: Aaa Accounting Update

    | Authentication Commands HAPTER group - Specifies the server group to use. radius - Specifies all RADIUS hosts configure with the radius- server host command. tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 677: Aaa Authorization Exec

    | Authentication Commands HAPTER Using the command without specifying an interim interval enables updates, but does not change the current interval setting. XAMPLE Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization This command enables the authorization for Exec access. Use the no form to disable the authorization service.
  • Page 678: Aaa Group Server

    | Authentication Commands HAPTER aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. YNTAX [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
  • Page 679: Accounting Dot1X

    | Authentication Commands HAPTER XAMPLE Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. YNTAX accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the accounting dot1x...
  • Page 680: Authorization Exec

    | Authentication Commands HAPTER XAMPLE Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. YNTAX authorization exec {default | list-name} no authorization exec...
  • Page 681: Web Server

    | Authentication Commands HAPTER Web Server statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26) EFAULT ETTING None OMMAND Privileged Exec XAMPLE Console#show accounting Accounting Type : dot1x...
  • Page 682: Ip Http Port

    | Authentication Commands HAPTER Web Server ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. YNTAX ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
  • Page 683: Ip Http Secure-Server

    | Authentication Commands HAPTER Web Server ip http secure- This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted server connection) to the switch’s web interface. Use the no form to disable this function.
  • Page 684: Ip Http Secure-Port

    | Authentication Commands HAPTER Web Server To specify a secure-site certificate, see “Replacing the Default Secure- site Certificate” on page 303. Also refer to the copy tftp https-certificate command. XAMPLE Console(config)#ip http secure-server Console(config)# ELATED OMMANDS ip http secure-port (684) copy tftp https-certificate (591) show system (585)
  • Page 685: Telnet Server

    | Authentication Commands HAPTER Telnet Server ELNET ERVER This section describes commands used to configure Telnet management access to the switch. Table 75: Telnet Server Commands Command Function Mode ip telnet max-sessions Specifies the maximum number of Telnet sessions that can simultaneously connect to this system ip telnet port Specifies the port to be used by the Telnet interface...
  • Page 686: Ip Telnet Port

    ip telnet port  This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
    SYNTAX  ip telnet port port-number
    no ip telnet port
    port-number - The TCP port number to be used by the Telnet interface.
  • Page 687: Show Ip Telnet

    show ip telnet  This command displays the configuration settings for the Telnet server.
    COMMAND MODE  Normal Exec, Privileged Exec
    EXAMPLE
    Console#show ip telnet
    IP Telnet Configuration:
    Telnet Status: Enabled
    Telnet Service Port: 23
    Telnet Max Session: 4
    Console#
    SECURE SHELL...
  • Page 688

    Table 76: Secure Shell Commands (Continued)
    Command | Function | Mode
    show ssh | Displays the status of current SSH sessions |
    show users | Shows SSH users, including privilege level and public key type |
    Configuration Guidelines: The SSH server on this switch supports both password and public key authentication.
  • Page 689

    Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
    Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 690: Ip Ssh Authentication-Retries

    The client sends a signature generated using the private key to the switch. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.
  • Page 691: Ip Ssh Server-Key Size

    COMMAND MODE  Global Configuration
    COMMAND USAGE  The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 692: Ip Ssh Timeout

    ip ssh timeout  This command configures the timeout for the SSH server. Use the no form to restore the default setting.
    SYNTAX  ip ssh timeout seconds
    no ip ssh timeout
    seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
    DEFAULT SETTING...
  • Page 693: Ip Ssh Crypto Host-Key Generate

    EXAMPLE
    Console#delete public-key admin dsa
    Console#
    ip ssh crypto host-key generate  This command generates the host key pair (i.e., public and private).
    SYNTAX  ip ssh crypto host-key generate [dsa | rsa]
    dsa – DSA (Version 2) key type.
    rsa –...
  • Page 694: Ip Ssh Crypto Zeroize

    ip ssh crypto zeroize  This command clears the host key from memory (i.e., RAM).
    SYNTAX  ip ssh crypto zeroize [dsa | rsa]
    dsa – DSA key type.
    rsa – RSA key type.
    DEFAULT SETTING  Clears both the DSA and RSA key.
  • Page 695: Show Ip Ssh

    RELATED COMMANDS
    ip ssh crypto host-key generate (693)
    show ip ssh  This command displays the connection settings used when authenticating client access to the SSH server.
    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#show ip ssh
    SSH Enabled - Version 2.0
    Negotiation Timeout : 120 seconds;...
  • Page 696: Show Ssh

    DSA: ssh-dss
    Console#
    show ssh  This command displays the current SSH server connections.
    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#show ssh
    Connection Version State Username Encryption Session-Started
    admin ctos aes128-cbc-hmac-md5...
  • Page 697: Port Authentication

    802.1X PORT AUTHENTICATION
    The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 698: Dot1X Default

    Table 78: 802.1X Port Authentication Commands (Continued)
    Command | Function | Mode
    Display Information Commands
    show dot1x | Shows all dot1x related information |
    dot1x default  This command sets all configurable dot1x global and port settings to their default values.
  • Page 699: Dot1X System-Auth-Control

    EXAMPLE
    This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
    Console(config)#dot1x eapol-pass-through
    Console(config)#
    dot1x system-auth-control  This command enables IEEE 802.1X port authentication globally on the switch.
  • Page 700: Dot1X Max-Req

    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x intrusion-action guest-vlan
    Console(config-if)#
    dot1x max-req  This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 701: Dot1X Port-Control

    DEFAULT SETTING  Single-host
    COMMAND MODE  Interface Configuration
    COMMAND USAGE  The "max-count" parameter specified by this command is only effective if the dot1x mode is set to "auto" by the dot1x port-control command. In "multi-host" mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
  • Page 702: Dot1X Re-Authentication

    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x port-control auto
    Console(config-if)#
    dot1x re-authentication  This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
    SYNTAX  [no] dot1x re-authentication
    COMMAND MODE  Interface Configuration
    COMMAND USAGE  The re-authentication process verifies the connected client's user ID...
  • Page 703: Dot1X Timeout Re-Authperiod

    COMMAND MODE  Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout quiet-period 350
    Console(config-if)#
    dot1x timeout re-authperiod  This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
    SYNTAX  dot1x timeout re-authperiod seconds...
  • Page 704: Dot1X Timeout Tx-Period

    COMMAND USAGE  This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
  • Page 705: Dot1X Identity Profile

    COMMAND MODE  Privileged Exec
    COMMAND USAGE  The re-authentication process verifies the connected client's user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
  • Page 706: Dot1X Max-Start

    dot1x max-start  This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. Use the no form to restore the default value.
    SYNTAX  dot1x max-start count
    no dot1x max-start...
  • Page 707: Dot1X Timeout Auth-Period

    A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
    EXAMPLE
    Console(config)#interface ethernet 1/2
    Console(config-if)#dot1x pae supplicant
    Console(config-if)#
    dot1x timeout auth-period  This command sets the time that a supplicant port waits for a response from the authenticator.
  • Page 708: Dot1X Timeout Start-Period

    COMMAND MODE  Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout held-period 120
    Console(config-if)#
    dot1x timeout start-period  This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
  • Page 709

    COMMAND USAGE  This command displays the following information:
    Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 699).
    Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 698).
  • Page 710

    Backend State Machine State – Current state (including request, response, success, fail, timeout, idle, initialize).
    Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
    Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 711: Management Ip Filter

    Current Identifier
    Backend State Machine
      State                 : Idle
      Request Count
      Identifier(Server)
    Reauthentication State Machine
      State                 : Initialize
    Console#
    MANAGEMENT IP FILTER
    This section describes commands used to configure IP management access to the switch.
    Table 79: Management IP Filter Commands
    Command | Function...
  • Page 712: Show Management

    COMMAND USAGE  If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 713

    EXAMPLE
    Console#show management all-client
    Management Ip Filter
    HTTP-Client:
      Start IP address   End IP address
      -----------------------------------------------
      1. 192.168.1.19    192.168.1.19
      2. 192.168.1.25    192.168.1.30
    SNMP-Client:
      Start IP address   End IP address
      -----------------------------------------------
      1. 192.168.1.19    192.168.1.19
      2. 192.168.1.25    192.168.1.30
    TELNET-Client:
      Start IP address...
  • Page 715: General Security Measures

    GENERAL SECURITY MEASURES
    This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
  • Page 716: Port Security

    PORT SECURITY
    These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 717

    COMMAND MODE  Interface Configuration (Ethernet)
    COMMAND USAGE  When port security is enabled with this command, the switch first clears all dynamically learned entries from the address table. It then starts learning new MAC addresses on the specified port, and stops learning addresses when it reaches a configured maximum number.
  • Page 718: Network Access (Mac Address Authentication)

    NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
    Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 719: Network-Access Aging

    network-access aging  Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
    SYNTAX  [no] network-access aging
    DEFAULT...
  • Page 720: Mac-Authentication Reauth-Time

    COMMAND MODE  Global Configuration
    COMMAND USAGE  Specified addresses are exempt from network access authentication. This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 721: Network-Access Dynamic-Qos

    network-access dynamic-qos  Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.
    SYNTAX  [no] network-access dynamic-qos
    DEFAULT SETTING  Disabled
    COMMAND MODE  Interface Configuration
    COMMAND...
  • Page 722: Network-Access Dynamic-Vlan

    EXAMPLE
    The following example enables the dynamic QoS feature on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access dynamic-qos
    Console(config-if)#
    network-access dynamic-vlan  Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
    SYNTAX  [no] network-access dynamic-vlan...
  • Page 723: Network-Access Guest-Vlan

    network-access guest-vlan  Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
    SYNTAX  network-access guest-vlan vlan-id
    no network-access guest-vlan...
  • Page 724: Network-Access Link-Detection Link-Down

    network-access link-detection link-down  Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 725: Network-Access Link-Detection Link-Up-Down

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access link-detection link-up action trap
    Console(config-if)#
    network-access link-detection link-up-down  Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 726: Network-Access Mode Mac-Authentication

    COMMAND MODE  Interface Configuration
    COMMAND USAGE  The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 727: Network-Access Port-Mac-Filter

    | General Security Measures HAPTER Network Access (MAC Address Authentication) When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 728: Mac-Authentication Intrusion-Action

    mac-authentication intrusion-action  Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
    SYNTAX  mac-authentication intrusion-action {block traffic | pass traffic}
    no mac-authentication intrusion-action
    DEFAULT SETTING...
  • Page 729: Clear Network-Access

    clear network-access  Use this command to clear entries from the secure MAC address table.
    SYNTAX  clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
    static - Specifies static address entries.
    dynamic - Specifies dynamic address entries.
  • Page 730: Show Network-Access Mac-Address-Table

    EXAMPLE
    Console#show network-access interface ethernet 1/1
    Global secure port information
    Reauthentication Time                  : 1800
    --------------------------------------------------
    --------------------------------------------------
    Port                                   : 1/1
    MAC Authentication                     : Disabled
    MAC Authentication Intrusion action    : Block traffic
    MAC Authentication Maximum MAC Counts  : 1024
    Maximum MAC Counts                     : 2048...
  • Page 731: Show Network-Access Mac-Filter

    EXAMPLE
    Console#show network-access mac-address-table
    ---- ----------------- --------------- --------- -------------------------
    Port MAC-Address       RADIUS-Server   Attribute Time
    ---- ----------------- --------------- --------- -------------------------
         00-00-01-02-03-04 172.155.120.17  Static    00d06h32m50s
         00-00-01-02-03-05 172.155.120.17  Dynamic   00d06h33m20s
         00-00-01-02-03-06 172.155.120.17  Static    00d06h35m10s
         00-00-01-02-03-07 172.155.120.17  Dynamic   00d06h34m20s
    Console#...
  • Page 732: Web-Auth Login-Attempts

    RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 664). Web authentication cannot be configured on trunk ports.
    Table 84: Web Authentication
    Command | Function | Mode...
  • Page 733: Web-Auth Quiet-Period

    EXAMPLE
    Console(config)#web-auth login-attempts 2
    Console(config)#
    web-auth quiet-period  This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
    SYNTAX  web-auth quiet-period time
    no web-auth quiet-period...
  • Page 734: Web-Auth System-Auth-Control

    EXAMPLE
    Console(config)#web-auth session-timeout 1800
    Console(config)#
    web-auth system-auth-control  This command globally enables web authentication for the switch. Use the no form to restore the default.
    SYNTAX  [no] web-auth system-auth-control
    DEFAULT SETTING  Disabled
    COMMAND MODE  Global Configuration
    COMMAND USAGE...
  • Page 735: Web-Auth Re-Authenticate (Port)

    web-auth re-authenticate (Port)  This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
    SYNTAX  web-auth re-authenticate interface interface
    interface - Specifies a port interface.
    ethernet unit/port
      unit - This is unit 1.
  • Page 736: Show Web-Auth

    show web-auth  This command displays global web authentication parameters.
    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#show web-auth
    Global Web-Auth Parameters
    System Auth Control   : Enabled
    Session Timeout       : 3600
    Quiet Period          : 60
    Max Login Attempts
    Console#
    show web-auth  This command displays interface-specific web authentication parameters...
  • Page 737: Show Web-Auth Summary

    show web-auth summary  This command displays a summary of web authentication port parameters and statistics.
    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#show web-auth summary
    Global Web-Auth Parameters
    System Auth Control   : Enabled
    Port Status Authenticated Host Count
    ---- ------ ------------------------...
  • Page 738: Ip Dhcp Snooping

    ip dhcp snooping  This command enables DHCP snooping globally. Use the no form to restore the default setting.
    SYNTAX  [no] ip dhcp snooping
    DEFAULT SETTING  Disabled
    COMMAND MODE  Global Configuration
    COMMAND USAGE  Network traffic may be disrupted when malicious DHCP messages are received from an outside source.
  • Page 739

    If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the...
  • Page 740: Ip Dhcp Snooping Database Flash

    ip dhcp snooping database flash  This command writes all dynamically learned snooping entries to flash memory.
    COMMAND MODE  Privileged Exec
    COMMAND USAGE  This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 741

    COMMAND USAGE  DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 742: Ip Dhcp Snooping Information Policy

    ip dhcp snooping information policy  This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
    SYNTAX  ip dhcp snooping information policy {drop | keep | replace}
    drop - Drops the client's request packet instead of relaying it.
  • Page 743: Ip Dhcp Snooping Vlan

    EXAMPLE
    This example enables MAC address verification.
    Console(config)#ip dhcp snooping verify mac-address
    Console(config)#
    RELATED COMMANDS
    ip dhcp snooping (738)
    ip dhcp snooping vlan (743)
    ip dhcp snooping trust (744)
    ip dhcp snooping vlan  This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
  • Page 744: Ip Dhcp Snooping Trust

    RELATED COMMANDS
    ip dhcp snooping (738)
    ip dhcp snooping trust (744)
    ip dhcp snooping trust  This command configures the specified interface as trusted. Use the no form to restore the default setting.
    SYNTAX  [no] ip dhcp snooping trust
    DEFAULT SETTING...
  • Page 745: Clear Ip Dhcp Snooping Database Flash

    clear ip dhcp snooping database flash  This command removes all dynamically learned snooping entries from flash memory.
    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#clear ip dhcp snooping database flash
    Console#
    show ip dhcp snooping  This command shows the DHCP snooping configuration settings.
    COMMAND MODE  Privileged Exec...
  • Page 746: Ip Source Guard

    IP SOURCE GUARD
    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 747

    COMMAND USAGE  Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command...
  • Page 748: Ip Source-Guard

    ip source-guard  This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
    SYNTAX  ip source-guard {sip | sip-mac}
    no ip source-guard
    sip - Filters traffic based on IP addresses stored in the binding...
  • Page 749: Ip Source-Guard Max-Binding

    Filtering rules are implemented as follows: If DHCP snooping is disabled (see page 738), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 750: Show Ip Source-Guard

    | General Security Measures HAPTER IP Source Guard OMMAND SAGE This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 751: Arp Inspection

    EXAMPLE
    Console#show ip source-guard binding
    MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
    ----------------- --------------- ---------- -------------------- ---- --------
    11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
    Console#
    ARP INSPECTION
    ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 752: Ip Arp Inspection

    Table 87: ARP Inspection Commands (Continued)
    Command | Function | Mode
    show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons |
    show ip arp inspection vlan | Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation | ...
  • Page 753: Ip Arp Inspection Filter

    ip arp inspection filter  This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
    SYNTAX  ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
    arp-acl-name - Name of an ARP ACL.
  • Page 754: Ip Arp Inspection Log-Buffer Logs

    ip arp inspection log-buffer logs  This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
    SYNTAX  ip arp inspection log-buffer logs message-number interval seconds
    no ip arp inspection log-buffer logs...
  • Page 755: Ip Arp Inspection Validate

    ip arp inspection validate  This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
    SYNTAX  ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
    no ip arp inspection validate
    dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 756: Ip Arp Inspection Limit

    DEFAULT SETTING  Disabled on all VLANs
    COMMAND MODE  Global Configuration
    COMMAND USAGE  When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 757: Ip Arp Inspection Trust

    COMMAND MODE  Interface Configuration (Port)
    COMMAND USAGE  This command only applies to untrusted ports. When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip arp inspection limit 150...
  • Page 758: Show Ip Arp Inspection Configuration

    show ip arp inspection configuration  This command displays the global configuration settings for ARP Inspection.
    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#show ip arp inspection configuration
    ARP inspection global information:
    Global IP ARP Inspection status : disabled
    Log Message Interval            : 10 s
    Log Message Number...
  • Page 759: Show Ip Arp Inspection Log

    show ip arp inspection log  This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#show ip arp inspection log
    Total log entries number is 1
    Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 760

    COMMAND MODE  Privileged Exec
    EXAMPLE
    Console#show ip arp inspection vlan 1
    VLAN ID  DAI Status      ACL Name             ACL Status
    -------- --------------- -------------------- --------------------
    1        disabled        sales                static
    Console#...
  • Page 761: Access Control Lists

    ACCESS CONTROL LISTS
    Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 762: Access-List Ip

    access-list ip  This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
    SYNTAX  [no] access-list ip {standard | extended} acl-name
    standard –...
  • Page 763: Permit, Deny (Standard Ip Acl)

    permit, deny (Standard IP ACL)  This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
    SYNTAX  {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 764: Permit, Deny (Extended Ipv4 Acl)

    permit, deny (Extended IPv4 ACL)  This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 765

    port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
    control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
    flag-bitmask –...
  • Page 766: Ip Access-Group

    | Access Control Lists HAPTER IPv4 ACLs XAMPLE This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 767: Show Ip Access-Group

    | Access Control Lists HAPTER IPv4 ACLs OMMAND SAGE Only one ACL can be bound to a port. If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. XAMPLE Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 768: Ipv6 Acls

    | Access Control Lists HAPTER IPv6 ACLs XAMPLE Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# ELATED OMMANDS permit, deny (763) ip access-group (766) 6 ACL The commands in this section configure ACLs based on IPv6 addresses, next header type, and flow label.
  • Page 769: Permit, Deny (Standard Ipv6 Acl)

    | Access Control Lists HAPTER IPv6 ACLs OMMAND Global Configuration OMMAND SAGE When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
  • Page 770: Permit, Deny (Extended Ipv6 Acl)

    | Access Control Lists HAPTER IPv6 ACLs EFAULT ETTING None OMMAND Standard IPv6 ACL OMMAND SAGE New rules are appended to the end of the list. XAMPLE This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 771 | Access Control Lists HAPTER IPv6 ACLs undefined fields. (The switch only checks the first 64 bits of the destination address.) prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 772: Show Ipv6 Access-List

    | Access Control Lists HAPTER IPv6 ACLs This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43.” Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# ELATED OMMANDS access-list ipv6 (768) Time Range (624) show ipv6 access- This command displays the rules for configured IPv6 ACLs. list YNTAX show ipv6 access-list {standard | extended} [acl-name]...
  • Page 773: Show Ipv6 Access-Group

    | Access Control Lists HAPTER IPv6 ACLs EFAULT ETTING None OMMAND Interface Configuration (Ethernet) OMMAND SAGE A port can only be bound to one ACL. If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
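    The IPv4 mask test on page 766 and the IPv6 prefix test on pages 770-772, as an added example that is not code from the Digisol manual: it parses Standard IPv4 rules written in the manual's syntax ({permit | deny} {any | source bitmask | host source}) and applies the manual's match test, (rule & mask) == (packet & mask); for Extended IPv6 destination rules it compares only the first prefix-length bits, capped at 64 because the page says the switch checks only the first 64 bits of the destination address. Two things are my assumptions rather than statements from the manual: rules are tried in the order they were added and the first match decides, and a packet that matches no rule is denied.

```python
"""Added example, not code from the Digisol manual.  Evaluates ACL rules
using the mask and prefix semantics the manual summary states.
Assumptions (mine, not the manual's): first match wins; no match -> deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ipv4Rule:
    action: str      # "permit" or "deny"
    source: int      # rule address as an integer; 0 for "any"
    mask: int        # subnet bitmask; all-ones for "host", 0 for "any"

    def matches(self, src: str) -> bool:
        # Manual's test: (rule & mask) == (packet & mask)
        pkt = int(ipaddress.IPv4Address(src))
        return (self.source & self.mask) == (pkt & self.mask)


def parse_ipv4_rule(text: str) -> Ipv4Rule:
    """Parse one Standard IPv4 ACL rule line in the manual's syntax."""
    parts = text.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {text!r}")
    action = parts[0]
    if parts[1] == "any":
        return Ipv4Rule(action, 0, 0)
    if parts[1] == "host":
        return Ipv4Rule(action, int(ipaddress.IPv4Address(parts[2])), 0xFFFFFFFF)
    if len(parts) != 3:
        raise ValueError(f"bad rule: {text!r}")
    return Ipv4Rule(action,
                    int(ipaddress.IPv4Address(parts[1])),
                    int(ipaddress.IPv4Address(parts[2])))


def evaluate_ipv4(rules: List[Ipv4Rule], src: str) -> str:
    """First matching rule decides; a packet matching no rule is denied (assumption)."""
    for rule in rules:
        if rule.matches(src):
            return rule.action
    return "deny"


@dataclass(frozen=True)
class Ipv6Rule:
    action: str
    destination: Optional[str]   # "address/prefix-length", or None for "any"
    next_header: Optional[int]   # None when the rule does not test it

    def matches(self, dst: str, next_header: int) -> bool:
        if self.next_header is not None and next_header != self.next_header:
            return False
        if self.destination is None:
            return True
        addr_text, plen_text = self.destination.split("/")
        plen = min(int(plen_text), 64)   # page: only the first 64 bits are checked
        shift = 128 - plen
        rule = int(ipaddress.IPv6Address(addr_text)) >> shift
        pkt = int(ipaddress.IPv6Address(dst)) >> shift
        return rule == pkt


def evaluate_ipv6(rules: List[Ipv6Rule], dst: str, next_header: int) -> str:
    """Same first-match / default-deny assumption as evaluate_ipv4."""
    for rule in rules:
        if rule.matches(dst, next_header):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Rules from the page's "david" list plus the 10.7.1.x subnet example.
    david = [parse_ipv4_rule("permit host 10.1.1.21"),
             parse_ipv4_rule("permit 10.7.1.0 255.255.255.0")]
    print(evaluate_ipv4(david, "10.7.1.2"))   # permit
    print(evaluate_ipv4(david, "10.7.2.2"))   # deny
```

    The 64-bit cap is the part worth noticing: a rule written with /128 still admits every address in the same /64, so a destination ACL on this platform cannot single out one host within a subnet.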
  • Page 774: Mac Acls

    MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 775: (Mac Acl)

    MAC ACLs. RELATED COMMANDS: permit, deny (775); mac access-group (777); show mac access-list (778). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address) or Ethernet protocol type.
  • Page 776 | MAC ACLs. {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name] no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} tagged-eth2 –...
  • Page 777: Mac Access-Group

    MAC ACLs. EXAMPLE: This rule permits packets from any source MAC address to the destination address 00-17-7c-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-17-7c-94-34-de ethertype 0800 Console(config-mac-acl)#. RELATED COMMANDS: access-list mac (774); Time Range (624). mac access-group: This command binds a MAC ACL to a port.
  • Page 778: Show Mac Access-Group

    MAC ACLs. show mac access-group: This command shows the ports assigned to MAC ACLs. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console#. RELATED COMMANDS: mac access-group (777). show mac access-list: This command displays the rules for configured MAC ACLs.
  • Page 779: Arp Acls

    ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 780: Permit, Deny (Arp Acl)

    ARP ACLs. permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. SYNTAX: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 781: Show Arp Access-List

    ARP ACLs. EXAMPLE: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)#. RELATED COMMANDS: access-list arp (779). show arp access-list: This command displays the rules for configured ARP ACLs.
  • Page 782: Acl Information

    ACL INFORMATION: This section describes commands used to display ACL information. Table 93: ACL Information Commands (Command – Function – Mode): show access-group – Shows the ACLs assigned to each port; show access-list – Shows all ACLs and associated rules. show access-group: This command shows the port assignments of ACLs.
  • Page 783: Interface Commands

    INTERFACE COMMANDS: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN, or to perform cable diagnostics on the specified interface. Table 94: Interface Commands (Command – Function – Mode). Interface Configuration: interface – Configures an interface type and enters interface configuration mode; alias – Configures an alias name for the interface...
  • Page 784: Interface

    Table 94: Interface Commands (Continued). Power Savings: power-save – Enables power savings mode on the specified port; show power-save – Shows the configuration settings for power savings. Enabling hardware-level storm control with this command on a port will disable software-level automatic storm control on the same port if configured by the auto-traffic-control...
  • Page 785: Alias

    alias: This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX: alias string; no alias. string – A mnemonic name to help you remember what is attached to this interface.
  • Page 786: Description

    DEFAULT SETTING: 100BASE-TX: 10half, 10full, 100half, 100full; 1000BASE-T: 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/LH (SFP): 1000full. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 787: Flowcontrol

    COMMAND USAGE: The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer and the product name.
  • Page 788: Media-Type

    EXAMPLE: The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)#. RELATED COMMANDS: negotiation (789); capabilities (flowcontrol, symmetric) (785). media-type: This command forces the port type selected for combination ports 9-10. Use the no form to restore the default mode.
  • Page 789: Negotiation

    negotiation: This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. SYNTAX: [no] negotiation. DEFAULT SETTING: Enabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 790: Speed-Duplex

    COMMAND USAGE: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. EXAMPLE: The following example disables port 5.
  • Page 791: Switchport Packet-Rate

    ...the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. EXAMPLE: The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)#. RELATED COMMANDS...
  • Page 792: Clear Counters

    The rate limits set by this command are also used by automatic storm control when the control response is set to rate limiting by the auto-traffic-control action command. Using both rate limiting and storm control on the same interface may lead to unexpected results.
  • Page 793: Show Interfaces Brief

    EXAMPLE: The following example clears statistics on port 5. Console#clear counters ethernet 1/5 Console#. show interfaces brief: This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports. COMMAND MODE: Privileged Exec. EXAMPLE...
  • Page 794 | EXAMPLE:
    Console#show interfaces counters ethernet 1/1
    Ethernet 1/ 1
    ===== IF table Stats =====
    2166458 Octets Input
    14734059 Octets Output
    14707 Unicast Input
    19806 Unicast Output
    0 Discard Input
    0 Discard Output
    0 Error Input
    0 Error Output
    0 Unknown Protos Input
    0 QLen Output
    ===== Extended Iftable Stats =====...
  • Page 795: Show Interfaces Status

    show interfaces status: This command displays the status for an interface. SYNTAX: show interfaces status [interface]. interface – ethernet unit/port (unit – Unit identifier. (Range: 1); port – Port number. (Range: 1-26)); port-channel channel-id (Range: 1-13); vlan vlan-id (Range: 1-4093). DEFAULT SETTING: Shows the status for all interfaces.
  • Page 796: Show Interfaces Switchport

    show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. SYNTAX: show interfaces switchport [interface]. interface – ethernet unit/port (unit – Unit identifier. (Range: 1); port – Port number. (Range: 1-26)); port-channel channel-id (Range: 1-13). DEFAULT SETTING: Shows all interfaces.
  • Page 797: Show Interfaces Transceiver

    Table 95: show interfaces switchport - display description (Continued). Unknown-unicast Threshold – Shows if unknown unicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 791). LACP Status – Shows if Link Aggregation Control Protocol has been enabled or disabled (page 806).
  • Page 798: Test Cable-Diagnostics

    COMMAND USAGE: The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm...
  • Page 799: Show Cable-Diagnostics

    COMMAND USAGE: Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. This cable test is only accurate for cables 7-140 meters long. The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length of each cable pair.
  • Page 800: Power-Save

    EXAMPLE: Console#show cable-diagnostics interface ethernet 1/10 Console#show cable-diagnostics interface e 1/10 Port Type Link Status Pair A (meters) Pair B (meters) Last Update -------- ---- ----------- ---------------- ---------------- ----------------- Eth 1/10 OK (21) OK (21) 2009-11-13 09:44:19 Console#. power-save: This command enables power savings mode on the specified port.
  • Page 801: Show Power-Save

    ...analyzes cable length to determine whether or not it can reduce the signal amplitude used on a particular link. Power-savings mode on an active link only works when the connection speed is 100 Mbps or higher at linkup and the line length is less than 60 meters.
  • Page 803: Link Aggregation Commands

    LINK AGGREGATION COMMANDS: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 804: Port Channel Load-Balance

    Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. All the ports in a trunk have to be treated as a whole when moved to or from, added to, or deleted from a VLAN via the specified port-channel. STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
  • Page 805 | COMMAND USAGE: This command applies to all static and dynamic trunks on the switch. To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections: dst-ip – All traffic with the same destination IP address is output on...
  • Page 806: Channel-Group

    channel-group: This command adds a port to a trunk. Use the no form to remove a port from a trunk. SYNTAX: channel-group channel-id; no channel-group. channel-id – Trunk index (Range: 1-13). DEFAULT SETTING: The current port will be added to this trunk. COMMAND MODE: Interface Configuration (Ethernet). COMMAND...
  • Page 807 | A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 808: Lacp Admin-Key (Ethernet Interface)

    lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} admin-key key; no lacp {actor | partner} admin-key. actor – The local side of an aggregate link. partner – The remote side of an aggregate link.
  • Page 809: Lacp Port-Priority

    lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} port-priority priority; no lacp {actor | partner} port-priority. actor – The local side of an aggregate link. partner – The remote side of an aggregate link.
  • Page 810: Lacp System-Priority

    lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} system-priority priority; no lacp {actor | partner} system-priority. actor – The local side of an aggregate link. partner – The remote side of an aggregate link.
  • Page 811: Show Lacp

    DEFAULT SETTING. COMMAND MODE: Interface Configuration (Port Channel). COMMAND USAGE: Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 812: Table 97: Show Lacp Counters - Display Description

    EXAMPLE: Console#show lacp 1 counters Port Channel: 1 ------------------------------------------------------------------------- Eth 1/ 2 ------------------------------------------------------------------------- LACPDUs Sent : 12 LACPDUs Received Marker Sent Marker Received LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0. Table 97: show lacp counters - display description (Field – Description): LACPDUs Sent...
  • Page 813: Table 99: Show Lacp Neighbors - Display Description

    Table 98: show lacp internal - display description (Continued). LACP Port Priority – LACP port priority assigned to this interface within the channel group. Admin State, Oper State – Administrative or operational values of the actor's state parameters: Expired –...
  • Page 814: Table 100: Show Lacp Sysid - Display Description

    Table 99: show lacp neighbors - display description (Continued). Port Admin Priority – Current administrative value of the port priority for the protocol partner. Port Oper Priority – Priority value assigned to this aggregation port by the partner. Admin Key – Current administrative value of the Key for the protocol partner.
  • Page 815: Port Mirroring Commands

    PORT MIRRORING COMMANDS: Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 816 | Local Port Mirroring Commands. mac-address – MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. DEFAULT SETTING: No mirror session is defined. When enabled for an interface, default mirroring is for both received and transmitted packets. When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
  • Page 817: Show Port Monitor

    Local Port Mirroring Commands. show port monitor: This command displays mirror information. SYNTAX: show port monitor [interface | vlan vlan-id | mac-address mac-address]. interface – ethernet unit/port (source port); unit – Unit identifier. (Range: 1); port – Port number.
  • Page 818: Rspan Mirroring Commands

    RSPAN MIRRORING COMMANDS: Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port. Table 103: RSPAN Commands (Command – Function – Mode): vlan rspan – Creates a VLAN dedicated to carrying RSPAN traffic; rspan source...
  • Page 819: Rspan Source

    RSPAN Mirroring Commands. Only two mirror sessions are allowed. Both sessions can be allocated to remote mirroring, unless local mirroring is enabled (which is limited to a single session). Spanning Tree – If the spanning tree is disabled, BPDUs will not be flooded onto the RSPAN VLAN.
  • Page 820: Rspan Destination

    RSPAN Mirroring Commands. DEFAULT SETTING: Both TX and RX traffic is mirrored. COMMAND MODE: Global Configuration. COMMAND USAGE: One or more source ports can be assigned to the same RSPAN session, either on the same switch or on different switches. Only ports can be configured as an RSPAN source –...
  • Page 821: Rspan Remote Vlan

    RSPAN Mirroring Commands. COMMAND MODE: Global Configuration. COMMAND USAGE: Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. Only ports can be configured as an RSPAN destination –...
  • Page 822: No Rspan Session

    RSPAN Mirroring Commands. interface – ethernet unit/port; unit – Unit identifier. (Range: 1); port – Port number. (Range: 1-26). DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port –...
  • Page 823: Show Rspan

    RSPAN Mirroring Commands. COMMAND USAGE: The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the vlan command). EXAMPLE: Console(config)#no rspan session 1 Console(config)#. show rspan: Use this command to display the configuration settings for an RSPAN...
  • Page 825: Rate Limit Commands

    RATE LIMIT COMMANDS: This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 826 | ...by the storm control command. It is therefore not advisable to use both of these commands on the same interface. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 64 Console(config-if)#. RELATED COMMAND: show interfaces switchport (796).
  • Page 827: Automatic Traffic Control Commands

    AUTOMATIC TRAFFIC CONTROL COMMANDS: Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port. Table 105: ATC Commands (Command – Function – Mode). Threshold Commands: auto-traffic-control apply-timer – Sets the time at which to apply the control...
  • Page 828 | Table 105: ATC Commands (Continued). snmp-server enable port-traps atc multicast-control-apply – Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires (Mode: IC (Port)); snmp-server enable – Sends a trap when multicast traffic falls beneath...
  • Page 829: Auto-Traffic-Control Apply-Timer

    ...expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. When traffic falls below the alarm clear threshold after the release timer expires, traffic control will be stopped and a Traffic Control Release Trap sent and logged.
  • Page 830: Auto-Traffic-Control Release-Timer

    DEFAULT SETTING: 300 seconds. COMMAND MODE: Global Configuration. COMMAND USAGE: After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...
  • Page 831: Auto-Traffic-Control

    EXAMPLE: This example sets the release timer to 800 seconds for all ports. Console(config)#auto-traffic-control broadcast release-timer 800 Console(config)#. auto-traffic-control: This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. SYNTAX: [no] auto-traffic-control {broadcast | multicast}. broadcast – Specifies automatic storm control for broadcast traffic.
  • Page 832: Auto-Traffic-Control Action

    auto-traffic-control action: This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} action {rate-control | shutdown}; no auto-traffic-control {broadcast | multicast} action. broadcast – Specifies automatic storm control for broadcast traffic.
  • Page 833: Auto-Traffic-Control Alarm-Clear-Threshold

    auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-clear-threshold threshold; no auto-traffic-control {broadcast | multicast} alarm-clear-threshold...
  • Page 834: Auto-Traffic-Control Alarm-Fire-Threshold

    auto-traffic-control alarm-fire-threshold: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold; no auto-traffic-control {broadcast | multicast}...
  • Page 835: Auto-Traffic-Control Auto-Control-Release

    auto-traffic-control auto-control-release: This command automatically releases a control response after the time specified in the auto-traffic-control release-timer command has expired. SYNTAX: auto-traffic-control {broadcast | multicast} auto-control-release. broadcast – Specifies automatic storm control for broadcast traffic. multicast – Specifies automatic storm control for multicast traffic.
  • Page 836: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Clear

    snmp-server enable port-traps atc broadcast-alarm-clear: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc broadcast-alarm-clear...
  • Page 837: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Apply

    snmp-server enable port-traps atc broadcast-control-apply: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc broadcast-control-apply...
  • Page 838: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Clear

    snmp-server enable port-traps atc multicast-alarm-clear: This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc multicast-alarm-clear...
  • Page 839: Snmp-Server Enable Port-Traps Atc Multicast-Control-Apply

    snmp-server enable port-traps atc multicast-control-apply: This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc multicast-control-apply...
  • Page 840: Show Auto-Traffic-Control

    show auto-traffic-control: This command shows global configuration settings for automatic storm control. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show auto-traffic-control Storm Control Broadcast Apply Timer (sec) : 300 Release Timer (sec) : 900 Storm Control Multicast Apply Timer (sec) : 300 Release Timer (sec) : 900...
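    The ATC sequence spread over pages 829-835 (fire threshold, apply timer, control action, clear threshold, release timer, auto-control-release), as an added example that is not code from the Digisol manual: a small per-port state machine driven by constructed traffic samples, so the order of the traps and the effect of each knob can be seen together. The event sequence follows the page; the once-per-second sampling, the traffic units, the short timer values, the restart of the release timer when traffic climbs back above the clear threshold, and the "Storm Alarm Fire Trap" name are my assumptions.

```python
"""Added example, not the manual's own code: simulates the Automatic Traffic
Control (ATC) apply/release sequence described in the command summary.
Assumed (not on the page): one sample per second, the fire-trap name, and
that the release timer restarts if traffic rises above the clear threshold."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AtcConfig:
    alarm_fire_threshold: int       # upper threshold: storm suspected above this
    alarm_clear_threshold: int      # lower threshold: storm considered over below this
    apply_timer: int                # seconds traffic must stay high before acting
    release_timer: int              # seconds traffic must stay low before releasing
    action: str = "rate-control"    # control action: "rate-control" or "shutdown"
    auto_control_release: bool = True


@dataclass
class AtcPort:
    cfg: AtcConfig
    alarm: bool = False             # traffic above fire threshold, not yet cleared
    controlled: bool = False        # control action currently applied
    timer: int = 0                  # apply timer while alarmed, release timer after clear
    events: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def state(self) -> str:
        if self.controlled:
            return "controlled"
        return "alarm" if self.alarm else "normal"

    def sample(self, t: int, rate: int) -> str:
        """Feed one traffic sample taken at second t; return the state afterwards."""
        c = self.cfg
        if not self.alarm:
            if rate > c.alarm_fire_threshold:
                # Storm suspected: start the apply timer.
                self.alarm, self.timer = True, 0
                self.events.append((t, "Storm Alarm Fire Trap"))   # assumed name
            elif self.controlled:
                # Alarm already cleared while controlled: release timer running.
                self.timer += 1
                if self.timer >= c.release_timer and c.auto_control_release:
                    self.controlled = False
                    self.events.append((t, "Traffic Control Release Trap"))
        else:
            if rate < c.alarm_clear_threshold:
                # Below the lower threshold: alarm clears, release timer starts.
                self.alarm, self.timer = False, 0
                self.events.append((t, "Storm Alarm Clear Trap"))
            elif not self.controlled and rate > c.alarm_fire_threshold:
                self.timer += 1
                if self.timer >= c.apply_timer:
                    self.controlled = True
                    self.events.append((t, f"Traffic Control Apply Trap ({c.action})"))
        return self.state


def simulate(cfg: AtcConfig, samples: List[int]) -> Tuple[List[Tuple[int, str]], str]:
    """Run all samples through one port; return (logged events, final state)."""
    port = AtcPort(cfg)
    for t, rate in enumerate(samples):
        port.sample(t, rate)
    return port.events, port.state


if __name__ == "__main__":
    # Constructed: short timers so the whole cycle fits in eleven samples.
    cfg = AtcConfig(alarm_fire_threshold=1000, alarm_clear_threshold=500,
                    apply_timer=3, release_timer=4)
    storm = [100, 2000, 2000, 2000, 2000, 300, 300, 300, 300, 300, 100]
    for t, msg in simulate(cfg, storm)[0]:
        print(f"t={t:2d}s  {msg}")
```

    Running it shows why the two thresholds are separate: a burst that drops below the fire threshold but stays above the clear threshold neither clears the alarm nor starts the release timer, and with auto-control-release left off the port stays rate-limited or shut down until an administrator intervenes.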
  • Page 841: Address Table Commands

    ADDRESS TABLE COMMANDS: These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 106: Address Table Commands (Command – Function – Mode): mac-address-table aging-time – Sets the aging time of the address table; mac-address-table – Maps a static address to a port in a VLAN...
  • Page 842: Mac-Address-Table Static

    EXAMPLE: Console(config)#mac-address-table aging-time 100 Console(config)#. mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. SYNTAX: mac-address-table static mac-address interface interface vlan vlan-id [action]; no mac-address-table static mac-address vlan vlan-id. mac-address – MAC address.
  • Page 843: Clear Mac-Address-Table Dynamic

    EXAMPLE: Console(config)#mac-address-table static 00-17-7c-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)#. clear mac-address-table dynamic: This command removes any learned entries from the forwarding database. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#clear mac-address-table dynamic Console#. show mac-address-table: This command shows classes of entries in the bridge-forwarding database.
  • Page 844: Show Mac-Address-Table Aging-Time

    Learn – Dynamic address entries. Config – Static entry. The mask should be a hexadecimal number (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit "0"...
  • Page 845: Show Mac-Address-Table Count

    show mac-address-table count: This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface. SYNTAX: show mac-address-table count interface interface. interface – ethernet unit/port; unit – Unit identifier.
  • Page 847: Spanning Tree Commands

    Spanning Tree Commands. This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 107: Spanning Tree Commands. Command / Function / Mode: spanning-tree - Enables the spanning tree protocol; spanning-tree cisco-prestandard - Configures spanning tree operation to be compatible...
  • Page 848: Spanning-Tree

    Chapter | Spanning Tree Commands. Table 107: Spanning Tree Commands (Continued). Command / Function / Mode: spanning-tree loopback-detection trap - Enables BPDU loopback SNMP trap notification for a port; spanning-tree mst cost - Configures the path cost of an instance in the MST; spanning-tree mst port-priority - Configures the priority of an instance in the MST...
  • Page 849: Spanning-Tree Cisco-Prestandard

    Chapter | Spanning Tree Commands. Example: This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree cisco-prestandard: This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting. Syntax: [no] spanning-tree cisco-prestandard. Default...
  • Page 850: Spanning-Tree Hello-Time

    Chapter | Spanning Tree Commands. Command Usage: This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 851: Spanning-Tree Max-Age

    Chapter | Spanning Tree Commands. spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax: spanning-tree max-age seconds; no spanning-tree max-age. seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 852 | Spanning Tree Commands. Command Mode: Global Configuration. Command Usage: Spanning Tree Protocol uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 853: Spanning-Tree Pathcost Method

    Chapter | Spanning Tree Commands. spanning-tree pathcost method: This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax: spanning-tree pathcost method {long | short}; no spanning-tree pathcost method. long - Specifies 32-bit based values that range from 1-200,000,000.
  • Page 854: Spanning-Tree Mst Configuration

    Chapter | Spanning Tree Commands. Command Mode: Global Configuration. Command Usage: Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 855: Spanning-Tree System-Bpdu-Flooding

    Chapter | Spanning Tree Commands. spanning-tree system-bpdu-flooding: This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
  • Page 856: Max-Hops

    Chapter | Spanning Tree Commands. Example: Console(config)#spanning-tree transmission-limit 4 Console(config)# max-hops: This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax: max-hops hop-number. hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting...
  • Page 857: Mst Vlan

    Chapter | Spanning Tree Commands. Default Setting: 32768. Command Mode: MST Configuration. Command Usage: MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 858: Name

    Chapter | Spanning Tree Commands. ...which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (page 858) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
  • Page 859: Spanning-Tree Bpdu-Filter

    Chapter | Spanning Tree Commands. Default Setting. Command Mode: MST Configuration. Command Usage: The MST region name (page 858) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 860: Spanning-Tree Bpdu-Guard

    Chapter | Spanning Tree Commands. Example: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree bpdu-filter Console(config-if)# Related Commands: spanning-tree edge-port (862). spanning-tree bpdu-guard: This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
  • Page 861: Spanning-Tree Cost

    Chapter | Spanning Tree Commands. Related Commands: spanning-tree edge-port (862), spanning-tree spanning-disabled (869). spanning-tree cost: This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax: spanning-tree cost cost; no spanning-tree cost. cost - The path cost for the port.
  • Page 862: Spanning-Tree Edge-Port

    Chapter | Spanning Tree Commands. Path cost takes precedence over port priority. When the path cost method (page 853) is set to short, the maximum value for path cost is 65,535. Example: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree edge-port: This command specifies an interface as an edge port.
  • Page 863: Spanning-Tree Link-Type

    Chapter | Spanning Tree Commands. spanning-tree link-type: This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax: spanning-tree link-type {auto | point-to-point | shared}; no spanning-tree link-type. auto - Automatically derived from the duplex mode setting.
  • Page 864: Spanning-Tree Loopback-Detection Release-Mode

    Chapter | Spanning Tree Commands. Command Usage: If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
  • Page 865: Spanning-Tree Loopback-Detection Trap

    Chapter | Spanning Tree Commands. When configured for manual release mode, a link down/up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command. Example: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection release-mode manual Console(config-if)# spanning-tree...
  • Page 866: Spanning-Tree Mst Port-Priority

    Chapter | Spanning Tree Commands. ...shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 867: Spanning-Tree Port-Bpdu-Flooding

    Chapter | Spanning Tree Commands. Command Usage: This command defines the priority for the use of an interface in the multiple spanning tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 868: Spanning-Tree Port-Priority

    Chapter | Spanning Tree Commands. spanning-tree port-priority: This command configures the priority for the specified interface. Use the no form to restore the default. Syntax: spanning-tree port-priority priority; no spanning-tree port-priority. priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting. Command Mode...
  • Page 869: Spanning-Tree Spanning-Disabled

    Chapter | Spanning Tree Commands. Command Usage: A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time. When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period.
  • Page 870: Spanning-Tree Loopback-Detection Release

    Chapter | Spanning Tree Commands. spanning-tree loopback-detection release: This command manually releases a port placed in discarding state by loopback-detection. Syntax: spanning-tree loopback-detection release interface. interface: ethernet unit/port; unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26) port-channel channel-id (Range: 1-13). Command Mode: Privileged Exec...
  • Page 871: Show Spanning-Tree

    Chapter | Spanning Tree Commands. Example: Console#spanning-tree protocol-migration eth 1/5 Console# show spanning-tree: This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST). Syntax: show spanning-tree [interface | mst instance-id] interface...
  • Page 872 | Spanning Tree Commands. Example: Console#show spanning-tree Spanning Tree Information --------------------------------------------------------------- Spanning Tree Mode : MSTP Spanning Tree Enabled/Disabled : Enabled Instance VLANs Configured : 1-4093 Priority : 32768 Bridge Hello Time (sec.) Bridge Max. Age (sec.) : 20 Bridge Forward Delay (sec.) : 15 Root Hello Time (sec.)
  • Page 873: Show Spanning-Tree Mst Configuration

    Chapter | Spanning Tree Commands. show spanning-tree mst configuration: This command shows the configuration of the multiple spanning tree. Command Mode: Privileged Exec. Example: Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration Name : R&D Revision Level Instance VLANs -------------------------------------------------------------- 1-4093 Console# –...
  • Page 875: Erps Commands

    ERPS Commands. The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS. Table 110: ERPS Commands. Command / Function / Mode: erps...
  • Page 876: Erps

    Chapter | ERPS Commands. ...brings down any other link in the ring, the RPL will be unblocked (Protection state) to ensure proper connectivity among all ring nodes until the failure is recovered. Configure ERPS timers: Use the guard-timer command to set the timer that is used to prevent ring nodes from receiving outdated R-APS messages, the holdoff-timer command to filter out intermittent link faults, and the...
  • Page 877: Erps Domain

    Chapter | ERPS Commands. Example: Console(config)#erps Console(config)# Related Commands: enable (878). erps domain: This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring. Syntax: [no] erps domain name. name - Name of a specific ERPS ring.
  • Page 878: Enable

    Chapter | ERPS Commands. The Control VLAN must not be configured as a Layer 3 interface (with an IP address), a dynamic VLAN (with GVRP enabled), nor as a private VLAN. In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN.
  • Page 879: Guard-Timer

    Chapter | ERPS Commands. Example: Console(config-erps)#enable Console(config-erps)# Related Commands: erps (876). guard-timer: This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting. Syntax: guard-timer milliseconds. milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
  • Page 880: Meg-Level

    Chapter | ERPS Commands. Default Setting: 0 milliseconds. Command Mode: ERPS Configuration. Command Usage: In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer.
  • Page 881: Node-Id

    Chapter | ERPS Commands. node-id: This command sets the MAC address for a ring node. Use the no form to restore the default setting. Syntax: node-id mac-address. mac-address - A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 882: Rpl Owner

    Chapter | ERPS Commands. Alternatively, the closest neighbor to the east should be the next node in the ring in a clockwise direction, and the closest neighbor to the west should be the next node in the ring in a counter-clockwise direction. Example: Console(config-erps)#ring-port east interface ethernet 1/12 Console(config-erps)#...
  • Page 883: Show Erps

    Chapter | ERPS Commands. Command Mode: ERPS Configuration. Command Usage: If the switch goes into ring protection state due to a signal failure, after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal operating) state.
  • Page 884: Table 112: Show Erps Domain - Detailed Display Description

    Chapter | ERPS Commands. Table 111: show erps - summary display description (Continued). Field / Description: State - Shows the following ERPS states: Init – The ERPS ring has started but has not yet determined the status of the ring. Idle – If all nodes in a ring are in this state, it means that all the links in the ring are up.
  • Page 885 | ERPS Commands. Table 112: show erps domain - detailed display description (Continued). Field / Description: West Port - Shows the west ring port for this node, and the interface state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
  • Page 887: Vlan Commands

    VLAN Commands. A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 888: Gvrp And Bridge Extension Commands

    Chapter | VLAN Commands | GVRP and Bridge Extension Commands. GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 889: Garp Timer

    Chapter | VLAN Commands | GVRP and Bridge Extension Commands. garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax: garp timer {join | leave | leaveall} timer-value; no garp timer {join | leave | leaveall}. {join | leave | leaveall} - Timer to set.
  • Page 890: Switchport Forbidden Vlan

    Chapter | VLAN Commands | GVRP and Bridge Extension Commands. switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax: switchport forbidden vlan {add vlan-list | remove vlan-list}; no switchport forbidden vlan. add vlan-list - List of VLAN identifiers to add.
  • Page 891: Show Bridge-Ext

    Chapter | VLAN Commands | GVRP and Bridge Extension Commands. Example: Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext: This command shows the configuration for bridge extension commands. Default Setting: None. Command Mode: Privileged Exec. Command Usage: See "Displaying Bridge Extension Capabilities" on page 105 for a description of the displayed items.
  • Page 892: Show Gvrp Configuration

    Chapter | VLAN Commands | Editing VLAN Groups. Example: Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP Timer Status: Join Timer : 20 centiseconds Leave Timer : 60 centiseconds Leave All Timer : 1000 centiseconds Console# Related Commands: garp timer (889). show gvrp configuration: This command shows if GVRP is enabled.
  • Page 893: Vlan Database

    Chapter | VLAN Commands | Editing VLAN Groups. vlan database: This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting: None. Command Mode: Global Configuration. Command Usage: Use the VLAN database command mode to add, change, and delete VLANs.
  • Page 894: Configuring Vlan Interfaces

    Chapter | VLAN Commands | Configuring VLAN Interfaces. ...VLAN 1 (the switch’s default VLAN), nor VLAN 4093 (the VLAN used for switch clustering). For more information on configuring RSPAN through the CLI, see "RSPAN Mirroring Commands" on page 818. Default Setting: By default only VLAN 1 exists and is active.
  • Page 895: Interface Vlan

    Chapter | VLAN Commands | Configuring VLAN Interfaces. Table 116: Commands for Configuring VLAN Interfaces (Continued). Command / Function / Mode: switchport ingress-filtering - Enables ingress filtering on an interface; switchport mode - Configures VLAN membership mode for an interface; switchport native vlan - Configures the PVID (native VLAN) of an interface; switchport priority default - Sets a port priority for incoming untagged frames; vlan-trunking...
  • Page 896: Switchport Acceptable-Frame-Types

    Chapter | VLAN Commands | Configuring VLAN Interfaces. switchport acceptable-frame-types: This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax: switchport acceptable-frame-types {all | tagged}; no switchport acceptable-frame-types. all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
  • Page 897: Switchport Ingress-Filtering

    Chapter | VLAN Commands | Configuring VLAN Interfaces. Default Setting: All ports are assigned to VLAN 1 by default. The default frame type is untagged. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: A port, or a trunk with switchport mode set to hybrid, must be assigned to at least one VLAN as untagged.
  • Page 898: Switchport Mode

    Chapter | VLAN Commands | Configuring VLAN Interfaces. Command Usage: Ingress filtering only affects tagged frames. If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 899: Switchport Native Vlan

    Chapter | VLAN Commands | Configuring VLAN Interfaces. Example: The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)# Related Commands: switchport acceptable-frame-types (896). switchport native vlan: This command configures the PVID (i.e., default VLAN ID) for a port.
  • Page 900: Vlan-Trunking

    Chapter | VLAN Commands | Configuring VLAN Interfaces. vlan-trunking: This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature. Syntax: [no] vlan-trunking. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: Use this command to configure a tunnel across one or more...
  • Page 901: Displaying Vlan Information

    Chapter | VLAN Commands | Displaying VLAN Information. ...enabled. (In other words, VLAN trunking will still be effectively enabled for the unknown VLAN). Example: The following example enables VLAN trunking on ports 9 and 10 to establish a path across the switch for unknown VLAN groups: Console(config)#interface ethernet 1/9 Console(config-if)#vlan-trunking Console(config-if)#interface ethernet 1/10...
  • Page 902: Configuring Ieee 802.1Q Tunneling

    Chapter | VLAN Commands | Configuring IEEE 802.1Q Tunneling. Console#show vlan id 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Console# Configuring IEEE 802.1Q Tunneling...
  • Page 903: Dot1Q-Tunnel System-Tunnel-Control

    Chapter | VLAN Commands | Configuring IEEE 802.1Q Tunneling. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan). Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). Set the Tag Protocol Identifier (TPID) value of the tunnel uplink port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 904: Switchport Dot1Q-Tunnel Mode

    Chapter | VLAN Commands | Configuring IEEE 802.1Q Tunneling. Related Commands: show dot1q-tunnel (907), show interfaces switchport (796). switchport dot1q-tunnel mode: This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax: switchport dot1q-tunnel mode {access | uplink}; no switchport dot1q-tunnel mode...
  • Page 905: Switchport Dot1Q-Tunnel Service Match Cvid

    Chapter | VLAN Commands | Configuring IEEE 802.1Q Tunneling. switchport dot1q-tunnel service match cvid: This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry. Syntax: switchport dot1q-tunnel service svid match cvid cvid [remove-ctag]. svid - VLAN ID for the outer VLAN tag (Service Provider VID).
  • Page 906: Switchport Dot1Q-Tunnel Tpid

    Chapter | VLAN Commands | Configuring IEEE 802.1Q Tunneling. Example: This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2 Console(config-if)# In the following examples, ports 1 and 2 are configured as follows: Port 1 = Access, PVID = 100, VLAN = 100(u), 101(u)
  • Page 907: Show Dot1Q-Tunnel

    Chapter | VLAN Commands | Configuring IEEE 802.1Q Tunneling. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
  • Page 908: Configuring L2Cp Tunneling

    Chapter | VLAN Commands | Configuring L2CP Tunneling. Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/3 is Normal mode, TPID is 0x8100.
  • Page 909 | VLAN Commands | Configuring L2CP Tunneling. Default Setting: 01-12-CF-00-00-02, proprietary tunnel address. Command Mode: Global Configuration. Command Usage: When L2PT is not used, protocol packets (such as STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports.
  • Page 910 | VLAN Commands | Configuring L2CP Tunneling. ...with the destination address 01-80-C2-00-00-00,0B~0F (C-VLAN): If L2PT is enabled on the port, the frame is forwarded to all QinQ uplink ports and QinQ access ports on which L2PT is enabled for that protocol in the same S-VLAN. If L2PT is disabled on the port, the frame is decapsulated and processed locally by the switch if the protocol is supported.
  • Page 911: Switchport L2Protocol-Tunnel

    Chapter | VLAN Commands | Configuring L2CP Tunneling. ...L2PT is disabled on this port, it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is disabled, and (b) all uplink ports. For L2PT to function properly, QinQ must be enabled on the switch using the dot1q-tunnel system-tunnel-control command, and the...
  • Page 912: Show L2Protocol-Tunnel

    Chapter | VLAN Commands | Configuring Port-based Traffic Segmentation. Console(config-if)#switchport l2protocol-tunnel spanning-tree Console(config-if)# show l2protocol-tunnel: This command shows settings for Layer 2 Protocol Tunneling (L2PT). Command Mode: Privileged Exec. Example: Console#show l2protocol-tunnel Layer 2 Protocol Tunnel Interface Protocol ---------------------------------------------------------- Eth 1/ 1 Spanning Tree Console# Configuring...
  • Page 913: Show Traffic-Segmentation

    Chapter | VLAN Commands | Configuring Port-based Traffic Segmentation. Command Mode: Global Configuration. Command Usage: Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group.
  • Page 914: Configuring Protocol-Based Vlans

    Chapter | VLAN Commands | Configuring Protocol-based VLANs. The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 915: Protocol-Vlan Protocol-Group (Configuring Groups)

    Chapter | VLAN Commands | Configuring Protocol-based VLANs. protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax: protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]; no protocol-vlan protocol-group group-id. group-id - Group identifier of this protocol group.
  • Page 916: Show Protocol-Vlan Protocol-Group

    Chapter | VLAN Commands | Configuring Protocol-based VLANs. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 917: Show Interfaces Protocol-Vlan Protocol-Group

    Chapter | VLAN Commands | Configuring Protocol-based VLANs. Example: This shows protocol group 1 configured for IP over Ethernet: Console#show protocol-vlan protocol-group Protocol Group ID Frame Type Protocol Type ------------------ ------------- --------------- ethernet 08 00 Console# show interfaces protocol-vlan protocol-group: This command shows the mapping from protocol groups to VLANs for the selected interfaces.
  • Page 918: Configuring Ip Subnet Vlans

    Chapter | VLAN Commands | Configuring IP Subnet VLANs. When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
  • Page 919: Show Subnet-Vlan

    Chapter | VLAN Commands | Configuring IP Subnet VLANs. ...mapping is found, the PVID of the receiving port is assigned to the frame. The IP subnet cannot be a broadcast or multicast IP address. When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
  • Page 920: Configuring Mac Based Vlans

    Chapter | VLAN Commands | Configuring MAC Based VLANs. When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table.
  • Page 921: Show Mac-Vlan

    Chapter | VLAN Commands | Configuring Voice VLANs. When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. Example: The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10. Console(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10 Console(config)# show mac-vlan...
  • Page 922: Voice Vlan

    Chapter | VLAN Commands | Configuring Voice VLANs. Table 124: Voice VLAN Commands (Continued). Command / Function / Mode: switchport voice vlan rule - Sets the automatic VoIP traffic detection method for ports; switchport voice vlan security - Enables Voice VLAN security on ports; show voice vlan - Displays Voice VLAN settings. voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN...
  • Page 923: Voice Vlan Aging

    Chapter | VLAN Commands | Configuring Voice VLANs. voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default. Syntax: voice vlan aging minutes; no voice vlan. minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) Default Setting...
  • Page 924: Switchport Voice Vlan

    Chapter | VLAN Commands | Configuring Voice VLANs. Command Usage: VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
  • Page 925: Switchport Voice Vlan Priority

    Chapter | VLAN Commands | Configuring Voice VLANs. Example: The following example sets port 1 to Voice VLAN auto mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan auto Console(config-if)# switchport voice vlan priority: This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
  • Page 926: Switchport Voice Vlan Security

    Chapter | VLAN Commands | Configuring Voice VLANs. Default Setting: OUI: Enabled; LLDP: Disabled. Command Mode: Interface Configuration. Command Usage: When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command).
  • Page 927: Show Voice Vlan

    Chapter | VLAN Commands | Configuring Voice VLANs. Example: The following example enables security filtering on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan security Console(config-if)# show voice vlan: This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
  • Page 929: Class Of Service Commands

    LASS OF ERVICE OMMANDS The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 930: Queue Mode

    | Class of Service Commands HAPTER Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
  • Page 931: Queue Weight

    | Class of Service Commands HAPTER Priority Commands (Layer 2) Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
  • Page 932: Switchport Priority Default

    | Class of Service Commands HAPTER Priority Commands (Layer 2) XAMPLE The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3. Console(config)#queue weight 1 2 3 4 Console(config)# ELATED OMMANDS queue mode (930) show queue weight (933)
  • Page 933: Show Queue Mode

    EXAMPLE: The following example shows how to set a default priority on port 3 to 5:
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport priority default 5
    Console(config-if)#
    RELATED COMMANDS: show interfaces switchport (796)
    show queue mode: This command shows the current queue mode.
  • Page 934: Priority Commands (Layer 3 And 4)

    PRIORITY COMMANDS (LAYER 3 AND 4): This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 127: Priority Commands (Layer 3 and 4) (columns: Command, Function, Mode)...
  • Page 935: Table 128: Default Mapping Of Cos/Cfi To Internal Phb/Drop Precedence

    DEFAULT SETTING: Table 128: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence. Each entry is (PHB, drop precedence), listed for CFI 0 and CFI 1:
    CoS 0: (0,0) (0,0)
    CoS 1: (1,0) (1,0)
    CoS 2: (2,0) (2,0)
    CoS 3: (3,0) (3,0)
    CoS 4: (4,0) (4,0)
    CoS 5: (5,0) (5,0)
    CoS 6: (6,0) (6,0)
    CoS 7: (7,0) (7,0)
    COMMAND MODE: Interface Configuration (Port, Static Aggregation). COMMAND...
  • Page 936: Qos Map Dscp-Mutation

    qos map dscp-mutation: This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings. SYNTAX: qos map dscp-mutation phb drop-precedence from dscp0 ...
  • Page 937: Qos Map Phb-Queue

    map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain. Random Early Detection starts dropping yellow and red packets when the buffer fills up to 0x60 packets, and then starts dropping any packets regardless of color when the buffer fills up to 0x80 packets.
  • Page 938: Qos Map Trust-Mode

    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#qos map phb-queue 0 from 1 2 3
    Console(config-if)#
    qos map trust-mode: This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
  • Page 939: Show Qos Map Dscp-Mutation

    show qos map dscp-mutation: This command shows the ingress DSCP to internal DSCP map. SYNTAX: show qos map dscp-mutation interface interface; interface - ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number.
  • Page 940: Show Qos Map Cos-Dscp

    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show qos map phb-queue interface ethernet 1/5
    Information of Eth 1/5 phb-queue map:
    phb:
    -------------------------------------------------------
    queue:
    Console#
    show qos map cos-dscp: This command shows the ingress CoS/CFI to internal DSCP map. SYNTAX: show qos map cos-dscp interface interface...
  • Page 941: Show Qos Map Trust-Mode

    show qos map trust-mode: This command shows the QoS mapping mode. SYNTAX: show qos map trust-mode interface interface; interface - ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number.
  • Page 943: Quality Of Service Commands

    QUALITY OF SERVICE COMMANDS: The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 944: Class-Map

    To create a service policy for a specific category of ingress traffic, follow these steps:
    1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
    2. Use the match command to select a specific type of traffic based on an...
  • Page 945: Description

    COMMAND USAGE: First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. One or more class maps can be assigned to a policy map (page 947).
  • Page 946: Match

    match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. SYNTAX: [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}; acl-name - Name of the access control list.
  • Page 947: Rename

    This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
    Console(config)#class-map rd-class#2 match-any
    Console(config-cmap)#match ip precedence 5
    Console(config-cmap)#
    This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
  • Page 948: Class

    COMMAND USAGE: Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. A policy map can contain multiple class statements that can be applied to the same interface with the service-policy...
  • Page 949: Police Flow

    set ip dscp command sets the IP DSCP value in matching packets. (This modifies packet priority in the IP header.)
    police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
    Up to 16 classes can be included in a policy map.
  • Page 950

    COMMAND MODE: Policy Map Class Configuration. COMMAND USAGE: You can configure up to 16 policers (i.e., class maps) for ingress ports. The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes. Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate tokens are added to the...
  • Page 951: Police Srtcm-Color

    police srtcm-color: This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer. SYNTAX: [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}...
  • Page 952

    The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE). The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
  • Page 953: Police Trtcm-Color

    EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst...
  • Page 954

    violate-action - Action to take when the rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet; the packet is set red.) drop - Drops the packet as required by exceed-action or violate-action. transmit - Transmits without taking any action.
  • Page 955: Set Cos

    When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode: If Tp(t)-B < 0, the packet is red; else if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B; else the packet is green and both Tp and Tc are decremented by B.
  • Page 956: Set Ip Dscp

    COMMAND USAGE: The set cos command is used to set the CoS value in the VLAN tag for matching packets. The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
  • Page 957: Set Phb

    COMMAND USAGE: The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets. EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,”...
  • Page 958: Service-Policy

    EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 959: Show Class-Map

    show class-map: This command displays the QoS class maps which define matching criteria used for classifying traffic. SYNTAX: show class-map [class-map-name]; class-map-name - Name of the class map. (Range: 1-32 characters) DEFAULT SETTING: Displays all class maps. COMMAND MODE: Privileged Exec. EXAMPLE...
  • Page 960: Show Policy-Map Interface

    Description:
    class rd-class
    set phb 3
    Console#show policy-map rd-policy class rd-class
    Policy Map rd-policy
    class rd-class
    set phb 3
    Console#
    show policy-map interface: This command displays the service policy assigned to the specified interface. SYNTAX: show policy-map interface interface input; interface...
  • Page 961: Multicast Filtering Commands

    MULTICAST FILTERING COMMANDS: This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 962

    Table 133: IGMP Snooping Commands (Continued) (columns: Command, Function, Mode):
    ip igmp snooping unregistered-data-flood - Floods unregistered multicast traffic into the attached VLAN
    ip igmp snooping unsolicited-report-interval - Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled)
    ip igmp snooping version...
  • Page 963: Ip Igmp Snooping

    ip igmp snooping: This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it. SYNTAX: [no] ip igmp snooping [vlan vlan-id]; vlan-id - VLAN ID (Range: 1-4093). DEFAULT SETTING: Enabled...
  • Page 964: Ip Igmp Snooping Proxy-Reporting

    EXAMPLE:
    Console(config)#ip igmp snooping priority 6
    Console(config)#
    RELATED COMMANDS: show ip igmp snooping (978)
    ip igmp snooping proxy-reporting: This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting. SYNTAX: [no] ip igmp snooping proxy-reporting...
  • Page 965: Ip Igmp Snooping Querier

    ip igmp snooping querier: This command enables the switch as an IGMP querier. Use the no form to disable it. SYNTAX: [no] ip igmp snooping querier. DEFAULT SETTING: Enabled. COMMAND MODE: Global Configuration. COMMAND USAGE: IGMP snooping querier is not supported for IGMPv3 snooping (see igmp snooping...
  • Page 966: Ip Igmp Snooping Router-Port-Expire-Time

    (such as when using proxy routing), it should ignore version 2 or 3 queries that do not contain the Router Alert option.
    EXAMPLE:
    Console(config)#ip igmp snooping router-alert-option-check
    Console(config)#
    ip igmp snooping router-port-expire-time: This command configures the querier timeout. Use the no form to restore the default.
  • Page 967

    COMMAND USAGE: When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change.
  • Page 968: Ip Igmp Snooping Tcn-Query-Solicit

    ip igmp snooping tcn-query-solicit: This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature. SYNTAX: [no] ip igmp snooping tcn-query-solicit. DEFAULT...
  • Page 969: Ip Igmp Snooping Unsolicited-Report-Interval

    any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
    EXAMPLE:
    Console(config)#ip igmp snooping unregistered-data-flood
    Console(config)#
    ip igmp snooping unsolicited-report-interval: This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled.
  • Page 970: Ip Igmp Snooping Version

    ip igmp snooping version: This command configures the IGMP snooping version. Use the no form to restore the default. SYNTAX: ip igmp snooping [vlan vlan-id] version {1 | 2 | 3}; no ip igmp snooping version; vlan-id - VLAN ID (Range: 1-4093); 1 - IGMP Version 1; 2 - IGMP Version 2...
  • Page 971: Ip Igmp Snooping Vlan General-Query-Suppression

    DEFAULT SETTING: Global: Disabled; VLAN: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
  • Page 972: Ip Igmp Snooping Vlan Immediate-Leave

    ip igmp snooping vlan immediate-leave: This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default. SYNTAX: [no] ip igmp snooping vlan vlan-id immediate-leave...
  • Page 973: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    ip igmp snooping vlan last-memb-query-count: This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
  • Page 974: Ip Igmp Snooping Vlan Mrd

    COMMAND USAGE: When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.
  • Page 975: Ip Igmp Snooping Vlan Proxy-Address

    messages is not required and may be disabled using the no ip igmp snooping vlan mrd command. This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
  • Page 976: Ip Igmp Snooping Vlan Proxy-Query-Interval

    EXAMPLE: The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
    Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
    Console(config)#
    ip igmp snooping vlan proxy-query-interval: This command configures the interval between sending IGMP proxy general queries.
  • Page 977: Ip Igmp Snooping Vlan Proxy-Query-Resp-Intvl

    ip igmp snooping vlan proxy-query-resp-intvl: This command configures the maximum time the system waits for a response to proxy general queries. Use the no form to restore the default. SYNTAX: ip igmp snooping vlan vlan-id proxy-query-resp-intvl interval; no ip igmp snooping vlan vlan-id proxy-query-resp-intvl; vlan-id - VLAN ID (Range: 1-4093); interval - The maximum time the system waits for a response to...
  • Page 978: Show Ip Igmp Snooping

    COMMAND USAGE: Static multicast entries are never aged out. When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
  • Page 979: Show Ip Igmp Snooping Group

    Proxy reporting : Using global status (Enabled)
    Multicast Router Discovery : Enabled
    show ip igmp snooping group: This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
  • Page 980: Static Multicast Routing

    STATIC MULTICAST ROUTING: This section describes commands used to configure static multicast routing on the switch. Table 134: Static Multicast Interface Commands (columns: Command, Function, Mode):
    ip igmp snooping vlan mrouter - Adds a multicast router port
    show ip igmp snooping mrouter - Shows multicast router ports...
  • Page 981: Show Ip Igmp Snooping Mrouter

    show ip igmp snooping mrouter: This command displays information on statically configured and dynamically learned multicast router ports. SYNTAX: show ip igmp snooping mrouter [vlan vlan-id]; vlan-id - VLAN ID (Range: 1-4093). DEFAULT SETTING: Displays multicast router ports for all configured VLANs.
  • Page 982: Ip Igmp Filter (Global Configuration)

    Table 135: IGMP Filtering and Throttling Commands (Continued) (columns: Command, Function, Mode):
    ip igmp max-groups action - Sets the IGMP throttling action for an interface
    show ip igmp filter - Displays the IGMP filtering status
    show ip igmp profile - Displays IGMP profiles and settings
    show ip igmp throttle...
  • Page 983: Ip Igmp Profile

    ip igmp profile: This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. SYNTAX: [no] ip igmp profile profile-number; profile-number - An IGMP filter profile number.
  • Page 984: Range

    EXAMPLE:
    Console(config)#ip igmp profile 19
    Console(config-igmp-profile)#permit
    Console(config-igmp-profile)#
    range: This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. SYNTAX: [no] range low-ip-address [high-ip-address]; low-ip-address - A valid IP address of a multicast group or start of a group range.
  • Page 985: Ip Igmp Max-Groups

    COMMAND USAGE: The IGMP filtering profile must first be created with the ip igmp profile command before it can be assigned to an interface. Only one profile can be assigned to an interface. A profile can also be assigned to a trunk interface.
  • Page 986: Ip Igmp Max-Groups Action

    ip igmp max-groups action: This command sets the IGMP throttling action for an interface on the switch. SYNTAX: ip igmp max-groups action {replace | deny}; replace - The new multicast group replaces an existing group; deny - The new multicast group join report is dropped.
  • Page 987: Show Ip Igmp Profile

    EXAMPLE:
    Console#show ip igmp filter
    IGMP filter enabled
    Console#show ip igmp filter interface ethernet 1/1
    Ethernet 1/1 information
    ---------------------------------
    IGMP Profile 19
    Deny
    range 239.1.1.1 239.1.1.1
    range 239.2.3.1 239.2.3.100
    Console#
    show ip igmp profile: This command displays IGMP filtering profiles created on the switch.
  • Page 988: Multicast Vlan Registration

    DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: Using this command without specifying an interface displays all interfaces.
    EXAMPLE:
    Console#show ip igmp throttle interface ethernet 1/1
    1/1 Information
    Status : TRUE
    Action : Deny
    Max Multicast Groups : 32
    Current Multicast Groups : 0
    Console#...
  • Page 989: Mvr

    mvr: This command enables Multicast VLAN Registration (MVR) globally on the switch. Use the no form of this command to globally disable MVR. SYNTAX: [no] mvr. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
  • Page 990: Mvr Priority

    The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. IGMP snooping and MVR can share a maximum number of 1024 groups.
  • Page 991: Mvr Upstream-Source-Ip

    mvr upstream-source-ip: This command configures the source IP address assigned to all MVR control packets sent upstream on the specified domain. Use the no form to restore the default setting. SYNTAX: mvr upstream-source-ip source-ip-address; no mvr upstream-source-ip; source-ip-address –...
  • Page 992: Mvr Immediate-Leave

    command, but MVR receiver ports should not be statically configured as members of this VLAN.
    EXAMPLE:
    Console(config)#mvr vlan 228
    Console(config)#
    mvr immediate-leave: This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 993: Mvr Type

    mvr type: This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. SYNTAX: [no] mvr type {receiver | source}; receiver - Configures the interface as a subscriber port that can receive multicast data.
  • Page 994: Mvr Vlan Group

    mvr vlan group: This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings. SYNTAX: [no] mvr vlan vlan-id group ip-address; vlan-id - Receiver VLAN to which the specified multicast traffic is...
  • Page 995: Show Mvr

    show mvr: This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
  • Page 996: Table 137: Show Mvr - Display Description

    Table 137: show mvr - display description (columns: Field, Description):
    MVR Config Status - Shows if MVR is globally enabled on the switch.
    MVR Running Status - Indicates whether or not all necessary conditions in the MVR environment are satisfied.
  • Page 997: Table 139: Show Mvr Members - Display Description

    Expire : Group remaining time (m:s).
    Group Address   VLAN  Port         Up time      Expire  Count
    --------------- ----  -----------  -----------  ------  --------
    234.5.6.8 00:00:01:31 2(P) 2 Eth 1/ 1(S) 1 Eth 1/ 3(R) 0(H)
    Console#
    Table 139: show mvr members - display description (columns: Field...
  • Page 999: Lldp Commands

    LLDP COMMANDS: Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 1000

    Table 140: LLDP Commands (Continued) (columns: Command, Function, Mode):
    lldp basic-tlv system-name - Configures an LLDP-enabled port to advertise its system name
    lldp dot1-tlv proto-ident - Configures an LLDP-enabled port to advertise the supported protocols
    lldp dot1-tlv proto-vid - Configures an LLDP-enabled port to advertise port-based protocol related VLAN information
    lldp dot1-tlv pvid...
