Digisol DG-FS4528P Management Manual

Mustang 4000 managed switch series, layer 2 fast ethernet managed poe switch
DG-FS4528P
Layer 2 Fast Ethernet Managed POE Switch
MUSTANG 4000 Managed Switch Series
Management Guide
V1.0
2011-12-12
As our product undergoes continuous development, the specifications are subject to change without prior notice.


Summary of Contents for Digisol DG-FS4528P

  • Page 1 Management Guide DG-FS4528P Layer 2 Fast Ethernet Managed POE Switch MUSTANG 4000 Managed Switch Series Management Guide V1.0 2011-12-12 As our product undergoes continuous development the specifications are subject to change without prior notice...
  • Page 3 Management Guide, Ethernet Switch. DG-FS4528P Layer 2 Workgroup Switch with Power over Ethernet, 24 10/100BASE-TX (RJ-45) Ports, 2 10/100/1000BASE-T (RJ-45) Ports and 2 Gigabit Combination Ports (RJ-45/SFP) DG-FS4528P...
  • Page 5: About This Guide

    Purpose: This guide gives specific information on how to operate and use the management functions of the switch. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 6: Table Of Contents

    Contents About This Guide Contents Figures Tables Section: Getting Started Introduction Key Features Description of Software Features System Defaults Initial Switch Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Downloading a Configuration File Referenced by a DHCP Server...
  • Page 7 Contents Section: Web Configuration Using the Web Interface Connecting to the Web Interface Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu Basic Management Tasks Displaying System Information Displaying Switch Hardware/Software Versions Displaying Bridge Extension Capabilities Setting the Switch’s IP Address Configuring Support for Jumbo Frames Displaying CPU Utilization Displaying Memory Utilization...
  • Page 8 Contents Configuring Summer Time UPnP UPnP Configuration Switch Clustering Configuring General Settings for Clusters Cluster Member Configuration Displaying Information on Cluster Members Cluster Candidate Information Simple Network Management Protocol Overview Setting Community Access Strings Specifying Trap Managers and Trap Types Configuring MAC Notification Traps for Interfaces Enabling the SNMP Agent Setting the Local Engine ID...
  • Page 9 Contents Displaying the AAA Accounting Summary Configuring Authorization Settings Configuring Authorization EXEC Settings Authorization Summary Configuring HTTPS Configuring Global Settings for HTTPS Replacing the Default Secure-site Certificate Configuring the Secure Shell Configuring the SSH Server Generating the Host Key Pair Importing User Public Keys Configuring Port Security Configuring 802.1X Port Authentication...
  • Page 10 Contents Configuring a MAC ACL Configuring an ARP ACL Binding a Port to an Access Control List Showing TCAM Utilization ARP Inspection Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Configuring Interface Settings for ARP Inspection Displaying the ARP Inspection Log Displaying ARP Inspection Statistics Filtering IP Addresses for Management Access...
  • Page 11 Contents Setting Unknown Unicast Storm Thresholds Mirror Configuration Configuring Port Mirroring Configuring MAC Address Mirroring Configuring Rate Limits VLAN Trunking Performing Cable Diagnostics Showing Port or Trunk Statistics Power over Ethernet Settings Overview Switch Power Status Setting a Switch Power Budget Displaying Port Power Status Configuring Port PoE Power 10 A...
  • Page 12 Contents Displaying Basic VLAN Information Displaying Current VLANs Configuring VLAN Groups Adding Static Members to VLANs Adding VLAN Groups to Interfaces Configuring VLAN Attributes for Interfaces IEEE 802.1Q Tunneling Enabling QinQ Tunneling on the Switch Adding an Interface to a QinQ Tunnel Traffic Segmentation Configuring Global Settings Configuring Uplink and Downlink Ports...
  • Page 13 Contents Mapping CoS Values to Egress Queues Selecting the Queue Mode Displaying the Service Weight for Traffic Classes Layer 3/4 Priority Settings Enabling IP DSCP Priority Mapping DSCP Priority 16 Quality of Service Overview Configuring a Class Map Creating QoS Policies Attaching a Policy Map to a Port 17 V IP T...
  • Page 14 Contents Displaying MVR Receiver Groups Configuring Static MVR Receiver Group Members 19 Domain Name Service Configuring General DNS Service Parameters Configuring Static DNS Host to Address Entries Displaying the DNS Cache Section: Command Line Interface 20 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection...
  • Page 15 Contents reload (Privileged Exec) show reload exit 22 System Management Commands Device Designation hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note...
  • Page 16 Contents delete non-active whichboot upgrade opcode auto upgrade opcode path show upgrade Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging...
  • Page 17 Contents Time sntp client sntp poll sntp server show sntp ntp authenticate ntp authentication-key ntp client ntp server show ntp clock summer-time (date) clock summer-time (predefined) clock summer-time (recurring) clock timezone clock timezone-predefined calendar set show calendar Time Range time-range absolute periodic show time-range...
  • Page 18 Contents 23 SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp snmp-server engine-id snmp-server group snmp-server user snmp-server view show snmp engine-id show snmp group show snmp user show snmp view snmp-server enable traps snmp-server host snmp-server enable traps mac-notification snmp-server enable port-traps mac-notification show snmp-server enable port-traps interface 24 F...
  • Page 19 Contents authentication login RADIUS Client radius-server acct-port radius-server auth-port radius-server host radius-server key radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server tacacs-server host tacacs-server key tacacs-server port tacacs-server retransmit tacacs-server timeout show tacacs-server aaa accounting commands aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec...
  • Page 20 Contents ip telnet server Secure Shell ip ssh authentication-retries ip ssh server ip ssh server-key size ip ssh timeout delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication dot1x default dot1x eapol-pass-through...
  • Page 21 Contents show management PPPoE Intermediate Agent pppoe intermediate-agent pppoe intermediate-agent format-type pppoe intermediate-agent port-enable pppoe intermediate-agent port-format-type pppoe intermediate-agent trust pppoe intermediate-agent vendor-tag strip clear pppoe intermediate-agent statistics show pppoe intermediate-agent info show pppoe intermediate-agent statistics 26 General Security Measures Port Security port security...
  • Page 22 Contents web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary DHCP Snooping ip dhcp snooping ip dhcp snooping information option ip dhcp snooping information policy ip dhcp snooping verify mac-address ip dhcp snooping vlan ip dhcp snooping information option circuit-id string ip dhcp snooping trust...
  • Page 23 Contents show ip arp inspection interface show ip arp inspection log show ip arp inspection statistics show ip arp inspection vlan 27 Access Control Lists IPv4 ACLs access-list ip access-list rule-mode permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list...
  • Page 24 Contents description flowcontrol giga-phy-mode mdix media-type negotiation shutdown speed-duplex switchport packet-rate clear counters show interfaces brief show interfaces counters show interfaces status show interfaces switchport show interfaces transceiver test cable-diagnostics tdr interface show cable-diagnostics 29 Link Aggregation Commands channel-group lacp lacp admin-key (Ethernet Interface) lacp mode lacp port-priority...
  • Page 25 Contents port monitor show port monitor 32 Rate Limit Commands rate-limit 33 Automatic Traffic Control Commands auto-traffic-control apply-timer auto-traffic-control release-timer auto-traffic-control auto-traffic-control action auto-traffic-control alarm-clear-threshold auto-traffic-control alarm-fire-threshold auto-traffic-control control-release auto-traffic-control auto-control-release snmp-server enable port-traps atc broadcast-alarm-clear snmp-server enable port-traps atc broadcast-alarm-fire snmp-server enable port-traps atc broadcast-control-apply snmp-server enable port-traps atc broadcast-control-release snmp-server enable port-traps atc multicast-alarm-clear...
  • Page 26 Contents 36 Spanning Tree Commands spanning-tree spanning-tree cisco-prestandard spanning-tree forward-time spanning-tree hello-time spanning-tree max-age spanning-tree mode spanning-tree pathcost method spanning-tree priority spanning-tree mst configuration spanning-tree system-bpdu-flooding spanning-tree transmission-limit max-hops mst priority mst vlan name revision spanning-tree bpdu-filter spanning-tree bpdu-guard spanning-tree cost spanning-tree edge-port spanning-tree link-type spanning-tree loopback-detection...
  • Page 27 Contents 37 EAPS Commands eaps eaps domain control-vlan enable failtime hellotime mode port protect-vlan show eaps 38 ERPS Commands erps erps domain control-vlan enable guard-timer holdoff-timer meg-level node-id ring-port rpl owner wtr-timer show erps 39 VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp garp timer...
  • Page 28 Contents Configuring VLAN Interfaces interface vlan switchport acceptable-frame-types switchport allowed vlan switchport ingress-filtering switchport mode switchport native vlan vlan-trunking Displaying VLAN Information show vlan Configuring IEEE 802.1Q Tunneling dot1q-tunnel system-tunnel-control switchport dot1q-tunnel mode switchport dot1q-tunnel service match cvid switchport dot1q-tunnel tpid show dot1q-tunnel Configuring L2CP Tunneling l2protocol-tunnel tunnel-dmac...
  • Page 29 Contents show protocol-vlan protocol-group show protocol-vlan protocol-group-vid Configuring IP Subnet VLANs subnet-vlan show subnet-vlan Configuring MAC Based VLANs mac-vlan show mac-vlan Configuring Voice VLANs voice vlan voice vlan aging voice vlan mac-address switchport voice vlan switchport voice vlan priority switchport voice vlan rule switchport voice vlan security show voice vlan 40 C...
  • Page 30 Contents police service-policy show class-map show policy-map show policy-map interface 42 Multicast Filtering Commands IGMP Snooping ip igmp snooping ip igmp snooping leave-proxy ip igmp snooping priority ip igmp snooping version ip igmp snooping vlan static ip igmp snooping immediate-leave show ip igmp snooping show ip igmp snooping groups show mac-address-table multicast...
  • Page 31 Contents show ip igmp throttle interface Multicast VLAN Registration mvr group mvr priority mvr receiver-group mvr receiver-vlan mvr unspecified-source-ip mvr vlan mvr group mvr immediate mvr static-receiver-group mvr type show mvr 43 MLD Snooping Commands ipv6 mld snooping ipv6 mld snooping robustness ipv6 mld snooping router-port-expire-time ipv6 mld snooping unknown-multicast mode ipv6 mld snooping version...
  • Page 32 Contents lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name lldp dot1-tlv proto-ident lldp dot1-tlv proto-vid lldp dot1-tlv pvid lldp dot1-tlv vlan-name lldp dot3-tlv link-agg lldp dot3-tlv mac-phy lldp dot3-tlv max-frame lldp dot3-tlv poe lldp med-notification lldp med-tlv extpoe lldp med-tlv inventory lldp med-tlv location lldp med-tlv med-cap...
  • Page 33 Contents ip dhcp client class-id ip dhcp restart DHCP Relay ip dhcp relay server ip dhcp relay information option ip dhcp relay information policy show ip dhcp relay 47 IP Interface Commands ip address ip default-gateway show ip interface show ip redirects ping clear arp-cache...
  • Page 34: Figures

    Figures Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Displaying Bridge Extension Configuration Figure 6: Configuring a Static IP Address Figure 7: Configuring a Dynamic IPv4 Address Figure 8: Configuring Support for Jumbo Frames Figure 9: Displaying CPU Utilization Figure 10: Displaying Memory Utilization Figure 11: Configuring Automatic Code Upgrade...
  • Page 35 Figures Figure 32: Choosing a Cluster Member to Manage Figure 33: Configuring a Switch Cluster Figure 34: Configuring Cluster Members Figure 35: Showing Cluster Members Figure 36: Showing Cluster Candidates Figure 37: Setting Community Access Strings Figure 38: Configuring Trap Managers Figure 39: Configuring MAC Notification for Interfaces Figure 40: Enabling the SNMP Agent Figure 41: Configuring the Local Engine ID for SNMP...
  • Page 36 Figures Figure 68: Copying the SSH User’s Public Key Figure 69: Configuring Port Security Figure 70: Configuring Port Security Figure 71: Displaying Global Settings for 802.1X Port Authentication Figure 72: Configuring Global Settings for 802.1X Port Authentication Figure 73: Configuring Interface Settings for 802.1X Port Authenticator Figure 74: Configuring Interface Settings for 802.1X Port Supplicant Figure 75: Showing Statistics for 802.1X Port Authenticator Figure 76: Showing Statistics for 802.1X Port Supplicant...
  • Page 37 Figures Figure 104: Configuring the Port Mode for DHCP Snooping Figure 105: Displaying the Binding Table for DHCP Snooping Figure 106: Setting the Filter Type for IP Source Guard Figure 107: Configuring Static Bindings for IP Source Guard Figure 108: Showing the IP Source Guard Binding Table Figure 109: Displaying Port Information Figure 110: Configuring Interface Connections Figure 111: Configuring Static Trunks...
  • Page 38 Figures Figure 140: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree Figure 141: Configuring Port Loopback Detection Figure 142: Displaying Global Settings for STA Figure 143: Configuring Global Settings for STA Figure 144: STA Port Roles Figure 145: Displaying Interface Settings for STA Figure 146: Configuring Interface Settings for STA Figure 147: Configuring Edge Port Settings for STA Figure 148: Creating an MST Instance...
  • Page 39 Figures Figure 176: Configuring MAC-Based VLANs Figure 177: Configuring LLDP Timing Attributes Figure 178: Configuring LLDP Interface Attributes Figure 179: Displaying Local Device Information for LLDP Figure 180: Displaying Remote Device Information for LLDP Figure 181: Displaying Remote Device Information Details for LLDP Figure 182: Displaying LLDP Device Statistics Figure 183: Displaying LLDP Detailed Device Statistics Figure 184: Setting the Default Port Priority...
  • Page 40 Figures Figure 212: Configuring Interface Settings for MVR Figure 213: Assigning Static MVR Groups to a Port Figure 214: Configuring MVR Receiver VLAN and Group Addresses Figure 215: Displaying MVR Receiver Groups Figure 216: Configuring Static MVR Receiver Group Members Figure 217: Configuring General Settings for DNS Figure 218: Configuring Static Entries in the DNS Table Figure 219: Showing Entries in the DNS Cache...
  • Page 41: Tables

    Tables Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Inserting Option 82 Information Table 8: Logging Levels Table 9: SNMPv3 Security Models and Levels Table 10: Supported Notification Messages...
  • Page 42 Tables Table 32: Configuration Command Modes Table 33: Keystroke Commands Table 34: Command Group Index Table 35: General Commands Table 36: System Management Commands Table 37: Device Designation Commands Table 38: Banner Commands Table 39: System Status Commands Table 40: Frame Size Commands Table 41: Flash/File Commands Table 42: File Directory Information Table 43: Line Commands...
  • Page 43 Tables Table 68: HTTPS System Support Table 69: Telnet Server Commands Table 70: Secure Shell Commands Table 71: show ssh - display description Table 72: 802.1X Port Authentication Commands Table 73: Management IP Filter Commands Table 74: PPPoE Intermediate Agent Commands Table 75: show pppoe intermediate-agent statistics - display description Table 76: General Security Commands Table 77: Management IP Filter Commands...
  • Page 44 Tables Table 104: Address Table Commands Table 105: Spanning Tree Commands Table 106: Recommended STA Path Cost Range Table 107: Recommended STA Path Cost Table 108: Default STA Path Costs Table 109: EAPS Commands Table 110: show eaps - summary display description Table 111: show eaps - detailed display description Table 112: ERPS Commands Table 113: show erps - summary display description...
  • Page 45 Tables Table 140: Multicast VLAN Registration Commands Table 141: show mvr - display description Table 142: show mvr interface - display description Table 143: show mvr members - display description Table 144: show mvr receiver members - display description Table 145: MLD Snooping Commands Table 146: LLDP Commands Table 147: Address Table Commands Table 148: show dns cache - display description...
  • Page 46: Section I

    Section: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: "Introduction" on page 47, "Initial Switch Configuration"...
  • Page 47: Key Features

    Introduction. This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 48: Description Of Software Features

    Table 1: Key Features (Continued), columns Feature and Description. Address Table: 8K MAC addresses in the forwarding table, 1K static MAC addresses, 256 L2 multicast groups. IEEE 802.1D Bridge: Supports dynamic data switching and addresses learning. Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad...
  • Page 49 Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, and IP address filtering for SNMP/Telnet/web management access. MAC address filtering and IP source guard also provide authenticated port access.
  • Page 50 Static Addresses: A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 51 provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP). The switch supports up to 255 VLANs.
  • Page 52 classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 53: System Defaults

    System Defaults. The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults. Table 2: System Defaults Function Parameter...
  • Page 54 Table 2: System Defaults (Continued), columns Function, Parameter and Default. SNMP: SNMP Agent: Enabled; Community Strings: “public” (read only), “private” (read/write); Traps: Authentication traps: enabled, Link-up-down events: enabled; SNMP V3: View: defaultview, Group: public (read only); private (read/write). Port Configuration: Admin Status: Enabled...
  • Page 55 Table 2: System Defaults (Continued), columns Function, Parameter and Default. IP Settings: Management VLAN: VLAN 1; IP Address: DHCP assigned; Subnet Mask: 255.255.255.0; Default Gateway: 0.0.0.0; DHCP Client: Enabled; Proxy service: Disabled; BOOTP: Disabled. Multicast Filtering: IGMP Snooping (Layer 2): Snooping: Enabled, Querier: Disabled; Multicast VLAN Registration...
  • Page 56: Initial Switch Configuration

    Initial Switch Configuration. This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface.
  • Page 57: Required Connections

    Configure the bandwidth of any port by limiting input or output rates; Control port access through IEEE 802.1X security or static address filtering; Filter packets using Access Control Lists (ACLs); Configure up to 255 IEEE 802.1Q VLANs; Enable GVRP automatic VLAN registration; Configure IGMP multicast filtering; Upload and download system firmware or configuration files via HTTP...
  • Page 58: Remote Connections

    Set the data format to 8 data bits, 1 stop bit, and no parity. Set flow control to none. Set the emulation mode to VT100. When using HyperTerminal, select Terminal keys, not Windows keys.
  • Page 59: Basic Configuration

    Press <Enter>. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.

        Username: admin
        Password:
        CLI session with the DG-FS4528P is opened.
        To end the CLI session, enter [Exit].

  • Page 60: Setting An IP Address

        Console#configure
        Console(config)#username guest password 0 [password]
        Console(config)#username admin password 0 [password]
        Console(config)#

    Setting an IP Address: You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: Manual —...
  • Page 61: Dynamic Configuration

        Console(config)#interface vlan 1
        Console(config-if)#ip address 192.168.1.5 255.255.255.0
        Console(config-if)#exit
        Console(config)#ip default-gateway 192.168.1.254

    Dynamic Configuration. Obtaining an IPv4 Address: If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received.
  • Page 62: Downloading A Configuration File Referenced By A DHCP Server

        Console(config)#interface vlan 1
        Console(config-if)#ip address dhcp
        Console(config-if)#end
        Console#show ip interface
        IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: DHCP
        Console#copy running-config startup-config
        Startup configuration file name []: startup
        \Write to FLASH Programming.
        \Write to FLASH finish.
        ...
  • Page 63: Table 3: Options 60, 66 And 67 Statements

    To successfully transmit a bootup configuration file to the switch, the DHCP daemon (using a Linux based system for this example) must be configured with the following information: Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
  • Page 64: Enabling SNMP Management Access

        #DHCP Option 60 Vendor class
        match if option vendor-class-identifier = "DG-FS4528P";
        option dhcp-parameter-request-list 1,43,66,67;
        option tftp-server-name "192.168.255.101";
        option bootfile-name "test2";

    Use “DG-FS4528P” for the vendor-class-identifier in the dhcpd.conf file. Enabling SNMP Management Access: The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications.
  • Page 65: Community Strings (For SNMP Version 1 And 2c Clients)

    Community Strings (for SNMP version 1 and 2c clients): Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
  • Page 66: Configuring Access For SNMP Version 3 Clients

    authentication and privacy is used for v3 clients. Then press <Enter>. For a more detailed description of these parameters, see “snmp-server host.” The following example creates a trap host for each type of SNMP client.

        Console(config)#snmp-server host 10.1.19.23 batman
        Console(config)#snmp-server host 10.1.19.98 robin version 2c
        Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth...
  • Page 67: Saving Or Restoring Configuration Settings

    [Managing System Files] switch. The configuration settings from the factory defaults configuration file are copied to this file, which is then used to boot the switch. See "Saving or Restoring Configuration Settings" for more information. Operation Code —...
  • Page 68: Configuring Power Over Ethernet

    Enter the name of the start-up file. Press <Enter>.

        Console#copy running-config startup-config
        Startup configuration file name []: startup
        \Write to FLASH Programming.
        \Write to FLASH finish.
        Success.

    To restore configuration settings from a backup server, enter the following command: From the Privileged Exec mode prompt, type “copy tftp startup-config”...
  • Page 69 supplied power. See "Setting a Switch Power Budget" on page 281 for details.

        Console(config)#power mainpower maximum allocation 180
        Console(config)#

    PoE is enabled for all ports by default. Power can be disabled for a port by using the no form of the power inline CLI command, as shown in the example below.
  • Page 70: Web Configuration

    Section: Web Configuration. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 71, "Basic Management Tasks" on page 83, "Simple Network Management Protocol"...
  • Page 71: Using The Web Interface

    Using the Web Interface. This switch provides an embedded HTTP web agent. Using a web browser, you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 72: Navigating The Web Browser Interface

    System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page. You can open a connection to the manufacturer’s web site by clicking on the DIGISOL logo...
  • Page 73: Configuration Options

    Configuration Options: Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 74: Main Menu

    Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu Menu Description...
  • Page 75 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. Summer Time: Configures summer time settings. SNMP: Simple Network Management Protocol. Configuration: Configures community strings and related trap functions. Port Configuration: Enables traps when changes occur for dynamic addresses in the MAC address table for a port. Trunk Configuration...
  • Page 76 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. Authorization: Enables authorization of requested services. Settings: Configures authorization for various service types. EXEC Settings: Specifies console or Telnet authorization method. Summary: Displays authorization information. HTTPS Settings...
  • Page 77 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. ARP Inspection: Validates the MAC-to-IP address bindings in ARP packets. Configuration: Enables inspection globally, configures validation of additional address components, and sets the log rate for packet inspection. VLAN Configuration: Enables ARP inspection on specified VLANs. Port Configuration...
  • Page 78 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. Port VLAN Trunking: Allows unknown VLAN groups to pass through the specified port. Trunk VLAN Trunking: Allows unknown VLAN groups to pass through the specified trunk. Cable Test: Performs cable diagnostics for selected port to diagnose any cable faults (short, open etc.) and report the cable length...
  • Page 79 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. Trunk Configuration: Enables Layer 2 Protocol Tunneling for the specified protocol. VLAN: Virtual LAN. 802.1Q VLAN: IEEE 802.1Q VLANs. GVRP Status: Enables GVRP VLAN registration protocol globally. Basic Information: Displays information on the VLAN type supported by this switch...
  • Page 80 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. MAC-based VLAN, Configuration: Maps traffic with specified source MAC address to a VLAN. LLDP: Link Layer Discovery Protocol. Configuration: Configures global LLDP timing parameters. Port Configuration: Sets the message transmission mode;...
  • Page 81 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. IGMP Snooping. IGMP Configuration: Enables multicast filtering; configures parameters for multicast query. IGMP Immediate Leave: Configures immediate leave for multicast services no longer required. Multicast Router Port Information: Displays the ports that are attached to a neighboring multicast...
  • Page 82 Table 6: Switch Main Menu (Continued), columns Menu, Description and Page. Information Option Configuration: Enables DHCP Snooping Information Option; and sets the information policy. Port Configuration: Sets the trust mode for an interface. Binding Information: Displays the DHCP Snooping binding information. IP Source Guard...
  • Page 83: Basic Management Tasks

    Basic Management Tasks. This chapter describes the following topics: Displaying System Information – Provides basic system description, including contact information. Displaying Switch Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
  • Page 84: Displaying System Information

    Basic Management Tasks | Displaying System Information: Use the System > System Information page to identify the system by displaying information such as the device name, location and contact information. CLI References: "System Management Commands" on page 442, "SNMP Commands"...
  • Page 85: Displaying Switch Hardware/Software Versions

    Figure 3: System Information. This page also includes a Telnet button that allows access to the Command Line Interface via Telnet. Displaying Switch Hardware/Software Versions: Use the System > Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
  • Page 86: Figure 4: General Switch Information

    Management Software: EPLD Version – Version number of EEPROM Programmable Logic Device. Loader Version – Version number of loader code. Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. Operation Code Version –...
  • Page 87: Displaying Bridge Extension Capabilities

    Displaying Bridge Extension Capabilities: Use the System > Bridge Extension Configuration page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 88: Setting The Switch’s IP Address

    Interface: To view Bridge Extension information: Click System, then Bridge Extension Configuration. Figure 5: Displaying Bridge Extension Configuration. Setting the Switch’s IP Address: Use the System > IP Configuration page to configure an IP address for management access over the network.
  • Page 89: Table 7: Inserting Option 82 Information

    not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP/BOOTP responses can include the IP address, subnet mask, and default gateway.
  • Page 90 | DHCP request packets are flooded onto the VLAN which received the request if DHCP relay service is enabled on the switch, and the request packet contains a valid (i.e., non-zero) relay agent address field. DHCP reply packets received by the relay agent are handled as follows: When the relay agent receives a DHCP reply packet with Option 82 information on the management VLAN, it first ensures that the...
  • Page 91 | DHCP Relay Server – Specifies the DHCP servers to be used by the switch’s DHCP relay agent in order of preference. This switch supports DHCP relay service for attached host devices. If DHCP relay is enabled (by specifying the address for at least one DHCP server), and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the...
  • Page 92: Figure 6: Configuring A Static Ip Address

    and gateway. Specify the required settings for DHCP Relay Option. Enter the DHCP Relay Servers to use in order of preference. Click Apply. Figure 6: Configuring a Static IP Address. To obtain a dynamic address through DHCP/BOOTP for the switch: Click System, IP Configuration.
  • Page 93: Configuring Support For Jumbo Frames

    The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.
  • Page 94: Displaying CPU Utilization

    Click Apply. Figure 8: Configuring Support for Jumbo Frames. Displaying CPU Utilization: Use the System > Resource > CPU Status page to display information on CPU utilization; or to set thresholds for the CPU utilization alarm. CLI References: "show process cpu"...
  • Page 95: Displaying Memory Utilization

    Click Apply. Figure 9: Displaying CPU Utilization. Displaying Memory Utilization: Use the System > Resource > Memory Status page to display memory utilization parameters; or to set thresholds for the memory utilization alarm.
  • Page 96: Managing System Files

    Figure 10: Displaying Memory Utilization. Managing System Files: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Automatic Operation...: The system can be configured to automatically download an operation code file when a file newer than the currently installed one is discovered on the...
  • Page 97 NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the same directory, dg-fs5628p.bix and DG-FS4528P.BIX are considered to be unique files. Thus, if the upgrade file is stored as DG-FS4528P.BIX (or even dg-fs5628p.bix) on a case-sensitive server, then the switch (requesting dg-fs5628p.bix)
  • Page 98 Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The DG-FS4528P.bix filename must not be included since it is automatically appended by the switch.
  • Page 99 | upgrade path of the preceding item since it is automatically appended by the switch. Examples: The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations: tftp://192.168.0.1/ The image file is in the TFTP root directory.
  • Page 100: Copying Operation Code Via FTP Or TFTP

    Figure 11: Configuring Automatic Code Upgrade. If a new image is found at the specified location, the following type of messages will be displayed on the console interface during bootup. Automatic Upgrade is looking for a new image New image detected: current version 1.1.1.0;...
  • Page 101 | file to ftp – Copies a file from the switch to an FTP server. file to tftp – Copies a file from the switch to a TFTP server. ftp to file – Copies a file from an FTP server to the switch. tftp to file –...
  • Page 102: Saving Or Restoring Configuration Settings

    Figure 12: Copying Firmware. If you download to a new destination file, go to the System > File Management > Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System >...
  • Page 103 | ftp to startup-config – Copies a file from an FTP server to the startup config. running-config to file – Copies the running configuration to a file. running-config to ftp – Copies the running configuration to an FTP server.
  • Page 104: Copying Files Using HTTP

    Interface: To save the running configuration file: Click System, File Management > Copy Operation. Select “tftp to startup-config” or “tftp to file” and enter the IP address of the TFTP server. If you download from an FTP server, enter the user name and password for an account on the server.
  • Page 105: Figure 14: Uploading Files Using HTTP

    Destination File Name – Select an existing file on the switch to overwrite, or specify a new file name. Interface: To upload files to the switch from your management station using HTTP: Click System, File Management >...
  • Page 106: Deleting Files

    Deleting Files: Use the System > File Management > Delete page to delete a file from the switch. CLI References: "delete" on page 465, "delete non-active" on page 465. Interface: To delete a file from the switch: Click System, File Management, then Delete.
  • Page 107: Console Port Settings

    Figure 17: Setting the Start-up Code. To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Console Port Settings: Use the System > Line > Console menu to configure connection parameters for the switch’s console port.
  • Page 108: Figure 18: Console Port Settings

    Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 109: Telnet Settings

    Telnet Settings: Use the System > Line > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal).
  • Page 110: Configuring Event Logging

    Interface: To configure parameters for the console port: Click System, Line, then Telnet. Specify the connection parameters as required. Click Apply. Figure 19: Telnet Connection Settings. Configuring Event Logging: The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
  • Page 111: Table 8: Logging Levels

    Parameters: These parameters are displayed: System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled) Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level.
  • Page 112: Remote Log Configuration

    Figure 20: Configuring Settings for System Memory Logs. To show the error messages logged to system memory: Click System, Log, Logs. This page allows you to scroll through the logged system and event messages.
  • Page 113: Figure 22: Configuring Settings For Remote Logging Of Error Messages

    Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service.
  • Page 114: Sending Simple Mail Transfer Protocol Alerts

    Sending Simple Mail Transfer Protocol Alerts: Use the System > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
  • Page 115: Resetting The System

    Figure 23: Configuring SMTP Alert Messages. Resetting the System: Use the System > Reset menu to restart the switch immediately, or after a specified delay. CLI References: "reload (Privileged Exec)" on page 439, "reload (Global Configuration)"...
  • Page 116: Figure 24: Restarting The Switch

    Reset – Resets the switch after the specified time. If the hour and minute fields are blank, then the switch will reset immediately. Refresh – Refreshes the countdown timer of a pending delayed reset. Cancel –...
  • Page 117: Setting The System Clock

    Setting the System Clock: Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 118: Configuring SNTP

    Figure 25: Manually Setting the System Clock. Configuring SNTP: Use the SNTP > Configuration page to configure the switch to send time synchronization requests to time servers by enabling SNTP client requests, setting the SNTP polling interval, and specifying the SNTP servers to use.
  • Page 119: Configuring NTP

    Figure 26: Configuring SNTP. Configuring NTP: The NTP client allows you to configure up to 50 NTP servers to poll for time updates. You can also enable authentication to ensure that reliable updates are received from only authorized NTP servers.
  • Page 120: Figure 27: Configuring NTP

    Key Context – Specifies an MD5 authentication key string. The key string can be up to 32 case-sensitive printable ASCII characters (no spaces). SNTP and NTP clients cannot both be enabled at the same time. Interface: To configure NTP: Click SNTP, then Configuration.
  • Page 121: Setting The Time Zone

    Setting the Time Zone: Use the SNTP > Time Zone page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 122: Configuring Summer Time

    Figure 28: Setting the Time Zone. Configuring Summer Time: Use the Summer Time page to set the system clock forward during the summer months (also known as daylight savings time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
  • Page 123 | to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time zone deviates from your regular time zone.
  • Page 124: UPnP

    Figure 29: Configuring Summer Time. Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
  • Page 125: UPnP Configuration

    If a device has a URL for presentation, then the control point can retrieve a page from this URL, load the page into a web browser, and depending on the capabilities of the page, allow a user to control the device and/or view device status.
  • Page 126: Switch Clustering

    Interface: To configure UPnP: Click UPnP, Configuration. Enable UPnP, set the advertising duration and TTL value. Click Apply. Figure 31: Configuring UPnP. Switch Clustering: Switch clustering is a method of grouping switches together to enable centralized management through a single unit.
  • Page 127: Configuring General Settings For Clusters

    After the Commander and Members have been configured, any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu. Figure 32: Choosing a Cluster Member to Manage. Use the Administration >...
  • Page 128: Cluster Member Configuration

    Interface: To configure a switch cluster: Click Cluster, Configuration. Set the required attributes for a Commander or a managed candidate. Click Apply. Figure 33: Configuring a Switch Cluster. Cluster Member Configuration: Use the Cluster > Member Configuration page to add Candidate switches to the cluster as Members.
  • Page 129: Displaying Information On Cluster Members

    Figure 34: Configuring Cluster Members. Displaying Information on Cluster Members: Use the Cluster > Member Information page to display information on current cluster Member switches. CLI References: "Switch Clustering" on page 507. Parameters: These parameters are displayed: Member ID –...
  • Page 130: Cluster Candidate Information

    Cluster Candidate Information: Use the Cluster > Candidate Information page to display information about discovered switches in the network that are already cluster Members or are available to become cluster Members. CLI References: "Switch Clustering"...
  • Page 131: Simple Network Management Protocol

    Simple Network Management Protocol. This chapter describes the following topics: Community Access Strings – Configures the community strings authorized for management access by clients using SNMP v1 and v2c. Trap Managers and Trap Types – Specifies the host devices to be sent traps and the types of traps to send. MAC Notification Traps –...
  • Page 132: Table 9: SNMPv3 Security Models And Levels

    Simple Network Management Protocol | Overview: (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3.
  • Page 133: Setting Community Access Strings

    Command Usage: Configuring SNMPv1/2c Management Access. To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the SNMP > Configuration page to configure the community strings authorized for management access, to enable trap messages, and to specify trap managers so that key events are reported by this switch to your management station.
  • Page 134: Figure 37: Setting Community Access Strings

    Parameters: These parameters are displayed: Community String – A community string that acts like a password and permits access to the SNMP protocol. Range: 1-32 characters, case sensitive. Default strings: “public” (Read-Only), “private” (Read/Write). Access Mode –...
  • Page 135: Specifying Trap Managers And Trap Types

    Specifying Trap Managers and Trap Types: Use the SNMP > Configuration page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers.
  • Page 136 | Parameters: These parameters are displayed: Trap Manager Capability – This switch supports up to five trap managers. Trap Manager IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient).
  • Page 137 | Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled) Enable User Authentication Traps –...
  • Page 138: Configuring MAC Notification Traps For Interfaces

    Select the trap types required using the check boxes. Click Apply. Figure 38: Configuring Trap Managers. Configuring MAC Notification Traps for Interfaces: Use the SNMP > Port/Trunk Configuration pages to send a trap when dynamic addresses are added to or removed from the MAC address table for an interface.
  • Page 139: Enabling The SNMP Agent

    Interface: To configure MAC Notification traps for interfaces: Click SNMP, then Port Configuration or Trunk Configuration. Mark the MAC Notification check box for those interfaces on which MAC Notification traps are to be enabled. Click Apply. Figure 39: Configuring MAC Notification for Interfaces. SNMP A...
  • Page 140: Setting The Local Engine Id

    Setting the Local Engine ID: Use the SNMP > SNMPv3 > Engine ID page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch.
  • Page 141: Specifying A Remote Engine Id

    Specifying a Remote Engine ID: Use the SNMP > SNMPv3 > Remote Engine ID page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 142: Configuring Local SNMPv3 Users

    Configuring Local SNMPv3 Users: Use the SNMP > SNMPv3 > Users page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
  • Page 143: Configuring Remote SNMPv3 Users

    Click New to add a user. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified.
  • Page 144 | Command Usage: To grant management access to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user.
  • Page 145: Figure 44: Configuring Remote SNMPv3 Users

    Interface: To configure a remote SNMPv3 user: Click SNMP, SNMPv3, Remote Users. Click New to add a user. Enter a name and assign it to a group. Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch.
  • Page 146: Configuring SNMPv3 Groups

    Configuring SNMPv3 Groups: Use the SNMP > SNMPv3 > Groups page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views.
  • Page 147: Table 10: Supported Notification Messages

    Table 10: Supported Notification Messages. Model Level Group RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer...
  • Page 149: Setting SNMPv3 Views

    Interface: To configure an SNMP group: Click SNMP, SNMPv3, Groups. Enter a group name, assign a security model and level, and then select read, write, and notify views. Click Apply. Figure 45: Creating an SNMP Group. Setting SNMPv3 Views...
  • Page 150: Figure 46: Creating An SNMP View

    Parameters: These parameters are displayed: View Name – The name of the SNMP view. (Range: 1-64 characters) OID Subtree – Specifies the initial object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string.
  • Page 151: Sampling Traffic Flows

    Sampling Traffic Flows. This chapter describes the following topics: sFlow Global Parameters – Enables sampling globally on the switch. sFlow Port Parameters – Sets the destination parameters for the sampled data, payload parameters, and sampling interval. Overview: The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
  • Page 152: Configuring sFlow Global Parameters

    Sampling Traffic Flows | Configuring sFlow Global Parameters: Use the sFlow > Configuration page to enable sampling globally on the switch, as well as for those ports where it is required. Due to the switch’s hardware design, flow sampling and the sampling rate can only be enabled for specific port groups as shown in the following table.
  • Page 153: Configuring sFlow Port Parameters

    Interface: To globally enable flow sampling: Click sFlow, Configuration. Set the global status for flow sampling, the ports or port groups to be sampled, and the sampling rate. Click Apply. Figure 47: Configuring Global Settings for sFlow. Configuring sFlow Port Parameters: Use the sFlow >...
  • Page 154: Figure 48: Configuring Global Settings For sFlow

    Receiver Port – The UDP port on which the sFlow Collector is listening for sFlow streams. (Range: 0-65534; Default: 6343) Time Out – The time that the sFlow process will continuously send samples to the Collector before resetting all sFlow port parameters (receiver owner, time out, max header size, max datagram size, and flow interval).
  • Page 155: Security Measures

    Security Measures. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 156: Configuring User Accounts

    Security Measures | Configuring User Accounts: DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. IP Source Guard – Filters untrusted DHCP messages on insecure ports by building and maintaining a DHCP snooping binding table. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 157: Configuring Local/Remote Logon Authentication

    Interface: To configure user accounts: Click Security, User Accounts. Specify a user name, select the user's access level, then enter a password and confirm it. Click Apply. Figure 49: Configuring User Accounts. Configuring Local/Remote...
  • Page 158: Figure 50: Authentication Server Operation

    Figure 50: Authentication Server Operation (figure labels: console, Telnet, RADIUS/TACACS+). 1. Client attempts management access. 2. Switch contacts authentication server. 3. Authentication server challenges client. 4. Client responds with proper password or key. 5.
  • Page 159 | RADIUS – User authentication is performed using a RADIUS server only. TACACS – User authentication is performed using a TACACS+ server only. [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. RADIUS Settings Global –...
  • Page 160: Figure 51: Configuring Authentication Settings

    Timeout for a Reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-540; Default: 5) The local switch user database has to be set up by manually entering user names and passwords (see “Configuring User Accounts.”)
  • Page 161: Configuring Encryption Keys

    Configuring Encryption Keys: Use the Security > Encryption Key page to configure encryption keys for all RADIUS and TACACS+ servers. CLI References: "RADIUS Client" on page 547, "TACACS+ Client" on page 551. Parameters: These parameters are displayed: RADIUS Settings Global –...
  • Page 162: AAA Authorization And Accounting

    Click Change. Figure 52: Configuring Encryption Keys. AAA Authorization and Accounting: The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: Authentication —...
  • Page 163: Configuring AAA RADIUS Group Settings

    Authorization of users that access management interfaces on the switch through the console and Telnet. To configure AAA on the switch, you need to follow this general process: Configure RADIUS and TACACS+ server access parameters. See “Configuring Local/Remote Logon Authentication.”...
  • Page 164: Configuring AAA TACACS+ Group Settings

    Security Measures | AAA Authorization and Accounting | Click Add. Figure 53: Configuring AAA RADIUS Server Groups. Configuring AAA TACACS+ Group Settings: Use the AAA > TACACS+ Group Settings screen to define the configured TACACS+ servers to use for accounting and authorization. CLI R...
  • Page 165: Configuring AAA Accounting Settings

    Security Measures | AAA Authorization and Accounting | Figure 54: Configuring AAA TACACS+ Server Groups. Configuring AAA Accounting Settings: Use the Security > AAA > Accounting > Settings page to enable accounting of requested services for billing or security purposes. CLI References: "AAA"...
  • Page 166: Figure 55: Configuring the Methods Used for AAA Accounting

    Security Measures | AAA Authorization and Accounting | Interface: To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting, Settings. Specify a method name, the type of service request, and a group name.
  • Page 167: Configuring AAA Accounting Update Time

    Security Measures | AAA Authorization and Accounting | Configuring AAA Accounting Update Time: Use the Security > AAA > Accounting > Periodic Update page to set the interval at which accounting updates are sent to accounting servers. CLI References: "aaa accounting update" on page 559. Parameters: These parameters are displayed: Periodic Update - Specifies the interval at which the local accounting...
  • Page 168: Configuring AAA Accounting Exec Command Privileges

    Security Measures | AAA Authorization and Accounting | Enter the required accounting method. Click Apply. Figure 57: Configuring 802.1X Port Settings for the Accounting Method. Configuring AAA Accounting Exec Command Privileges: Use the Security > AAA > Accounting > Command Privileges page to specify a method name to apply to commands entered at specific CLI privilege levels.
  • Page 169: Configuring AAA Accounting Exec Settings

    Security Measures | AAA Authorization and Accounting | Figure 58: Configuring AAA Accounting Service for CLI Privilege Levels. Configuring AAA Accounting Exec Settings: Use the Security > AAA > Accounting > Exec Settings page to specify a method name to apply to console and Telnet connections. CLI R...
  • Page 170: Displaying the AAA Accounting Summary

    Security Measures | AAA Authorization and Accounting | Displaying the AAA Accounting Summary: Use the Security > AAA > Accounting > Summary page to display all the configured accounting methods, the methods applied to specified management interfaces, and basic accounting information recorded for user sessions.
  • Page 171: Configuring Authorization Settings

    Security Measures | AAA Authorization and Accounting | Figure 60: Displaying a Summary of Applied AAA Accounting Methods. Configuring Authorization Settings: Use the Security > AAA > Authorization page to configure the authorization method used for requested services. CLI References: "aaa authorization exec"...
  • Page 172: Configuring Authorization Exec Settings

    Security Measures | AAA Authorization and Accounting | Parameters: These parameters are displayed: Method Name – Specifies an authorization method for service requests. The “default” method is used for a requested service if no other methods have been defined. (Range: 1-255 characters) Service Request –...
  • Page 173: Authorization Summary

    Security Measures | AAA Authorization and Accounting | Telnet – Specifies a user defined method name to apply to Telnet connections. (Note that Telnet includes SSH connections.) Interface: To configure the authorization method applied to local console and Telnet connections: Click Security, AAA, Authorization, Exec Settings.
  • Page 174: Configuring HTTPS

    Security Measures | Configuring HTTPS | Interface: To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization, Summary. Figure 63: Displaying the Applied AAA Authorization Method. Configuring HTTPS: You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
  • Page 175: Replacing The Default Secure-Site Certificate

    Security Measures | Configuring HTTPS | The following web browsers and operating systems currently support HTTPS: Table 12: HTTPS System Support (Web Browser: Operating System). Internet Explorer 5.0 or later: Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Windows Vista, Windows 7. Netscape 6.2 or later: Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6...
  • Page 176 | Security Measures | Configuring HTTPS | message confirming that the connection to the switch is secure, you must obtain a unique certificate and a private key and password from a recognized certification authority. Caution: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity.
  • Page 177: Configuring The Secure Shell

    Security Measures | Configuring the Secure Shell | Figure 65: Downloading the Secure-Site Certificate. Configuring the Secure Shell: The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 178 | Security Measures | Configuring the Secure Shell | whether you use public key or password authentication, you still have to generate authentication keys on the switch (SSH Host Key Settings) and enable the SSH server (Authentication Settings). To use the SSH server, complete these steps: Generate a Host Key Pair –...
  • Page 179 | Security Measures | Configuring the Secure Shell | If a match is found, the connection is allowed. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file.
  • Page 180: Configuring the SSH Server

    Security Measures | Configuring the Secure Shell | Configuring the SSH Server: Use the Security > SSH (Configure Global) page to enable the SSH server and configure basic settings for authentication. A host key pair must be configured on the switch before you can enable the SSH server.
  • Page 181: Generating The Host Key Pair

    Security Measures | Configuring the Secure Shell | Figure 66: Configuring the SSH Server. Generating the Host Key Pair: Use the Security > SSH > Host-Key Settings page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section “Importing User Public...
  • Page 182: Figure 67: Generating the SSH Host Key Pair

    Security Measures | Configuring the Secure Shell | The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM by default.
  • Page 183: Importing User Public Keys

    Security Measures | Configuring the Secure Shell | Importing User Public Keys: Use the Security > SSH > User Public-Key Settings page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism.
  • Page 184: Figure 68: Copying the SSH User's Public Key

    Security Measures | Configuring the Secure Shell | Delete – Deletes a selected RSA or DSA public key that has already been imported to the switch. Interface: To copy the SSH user’s public key: Click Security, SSH, User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name.
  • Page 185: Configuring Port Security

    Security Measures | Configuring Port Security | Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 186: Figure 69: Configuring Port Security

    Security Measures | Configuring Port Security | None: No action should be taken. (This is the default.) Trap: Send an SNMP trap message. Shutdown: Disable the port. Trap and Shutdown: Send an SNMP trap message and disable the port. Security Status – Enables or disables port security on the port. (Default: Disabled) Max MAC Count –...
  • Page 187: Configuring 802.1X Port Authentication

    Security Measures | Configuring 802.1X Port Authentication | Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 188: Displaying 802.1X Global Settings

    Security Measures | Configuring 802.1X Port Authentication | The operation of 802.1X on the switch requires the following: The switch must have an IP address assigned. RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. 802.1X must be enabled globally for the switch.
  • Page 189: Configuring 802.1X Global Settings

    Security Measures | Configuring 802.1X Port Authentication | Figure 71: Displaying Global Settings for 802.1X Port Authentication. Configuring 802.1X Global Settings: Use the Security > 802.1X > Configuration page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
  • Page 190: Configuring Authenticator Port Settings For 802.1X

    Security Measures | Configuring 802.1X Port Authentication | Figure 72: Configuring Global Settings for 802.1X Port Authentication. Configuring Authenticator Port Settings for 802.1X: Use the Security > 802.1X > Authenticator Port Configuration page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the 802.1X...
  • Page 191 | Security Measures | Configuring 802.1X Port Authentication | Mode – Sets the authentication mode to one of the following options: Auto – Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.
  • Page 192: Configuring Supplicant Port Settings For 802.1X

    Security Measures | Configuring 802.1X Port Authentication | Interface: To configure port authenticator settings for 802.1X: Click Security, 802.1X, Authenticator Port Configuration. Modify the authentication settings for each port as required. Click Apply. Figure 73: Configuring Interface Settings for 802.1X Port Authenticator. Use the Security >...
  • Page 193 | Security Measures | Configuring 802.1X Port Authentication | Parameters: These parameters are displayed in the web interface: Global Settings: Identity Profile User Name – The dot1x supplicant user name. (Range: 1-8 characters) The global supplicant user name and password are used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator.
  • Page 194: Displaying 802.1X Authenticator Statistics

    Security Measures | Configuring 802.1X Port Authentication | Interface: To configure port supplicant settings for 802.1X: Click Security, 802.1X, Supplicant Port Configuration. Then set the identity user name and password to use when the switch responds to an MD5 challenge from the authentication server. Modify the supplicant settings for each port as required.
  • Page 195: Figure 75: Showing Statistics For 802.1X Port Authenticator

    Security Measures | Configuring 802.1X Port Authentication | Table 13: 802.1X Authenticator Statistics (Continued) (Parameter: Description). Rx Last EAPOLVer: The protocol version number carried in the most recent EAPOL frame received by this Authenticator. Rx Last EAPOLSrc: The source MAC address carried in the most recent EAPOL frame received by this Authenticator.
  • Page 196: Displaying 802.1X Supplicant Statistics

    Security Measures | Configuring 802.1X Port Authentication | Displaying 802.1X Supplicant Statistics: Use the Security > 802.1X > Supplicant Statistics page to display statistics for dot1x supplicant exchanges for any port. CLI References: "show dot1x" on page 590. Parameters: These parameters are displayed: Table 14: 802.1X Supplicant Statistics. Parameter...
  • Page 197: Web Authentication

    Security Measures | Web Authentication | Interface: To display port supplicant statistics for 802.1X: Click Security, 802.1X > Supplicant Statistics. Select a port from the scroll-down list. Click Query. Figure 76: Showing Statistics for 802.1X Port Supplicant. Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
  • Page 198: Configuring Global Settings For Web Authentication

    Security Measures | Web Authentication | Configuring Global Settings for Web Authentication: Use the Security > Web Authentication > Configuration page to edit the global parameters for web authentication. CLI References: "Web Authentication" on page 618. Parameters: These parameters are displayed: System Authentication Control –...
  • Page 199: Configuring Interface Settings For Web Authentication

    Security Measures | Web Authentication | Configuring Interface Settings for Web Authentication: Use the Security > Web Authentication > Port Configuration page to enable web authentication on a port. CLI References: "Web Authentication" on page 618. Parameters: These parameters are displayed: Port –...
  • Page 200: Re-Authenticating Web Authenticated Ports

    Security Measures | Web Authentication | Remaining Session Time (seconds) – Indicates the remaining time until the current authorization session for the host expires. Interface: To display web authentication information for a port: Click Security, Web Authentication, Port Information. Select a port from the scroll-down list. Click Query.
  • Page 201: Network Access (MAC Address Authentication)

    Security Measures | Network Access (MAC Address Authentication) | Select a port from the Port scroll-down list, and click Query. Select the IP address for a host from the Host IP scroll-down list. Click Re-authenticate. Figure 80: Re-authenticating a Web-Authenticated Host. Network Access (MAC A...
  • Page 202: Table 15: Dynamic QoS Profiles

    Security Measures | Network Access (MAC Address Authentication) | When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated.
  • Page 203 | Security Measures | Network Access (MAC Address Authentication) | For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps. If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used.
  • Page 204: Configuring Global Settings For Network Access

    Security Measures | Network Access (MAC Address Authentication) | Configuring Global Settings for Network Access: MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
  • Page 205: Configuring Network Access For Ports

    Security Measures | Network Access (MAC Address Authentication) | Configuring Network Access for Ports: Use the Security > Network Access > Port Configuration page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments.
  • Page 206: Configuring Port Link Detection

    Security Measures | Network Access (MAC Address Authentication) | Dynamic QoS – Enables dynamic QoS assignment for an authenticated port. (Default: Disabled) Trunk – Shows if this port is a member of a trunk. Interface: To configure MAC authentication on switch ports: Click Security, Network Access, Port Configuration.
  • Page 207: Displaying Secure MAC Address Information

    Security Measures | Network Access (MAC Address Authentication) | Link up and down – All link up and link down events will trigger the port action. Action – The switch can respond in three ways to a link up or down trigger event.
  • Page 208 | Security Measures | Network Access (MAC Address Authentication) | Query By – Specifies parameters to use in the MAC address query. Port – Specifies a port interface. MAC Address – Specifies a specific MAC address. Attribute – Displays static or dynamic addresses. Address Table Sort Key –...
  • Page 209: Configuring a MAC Address Filter

    Security Measures | Network Access (MAC Address Authentication) | Figure 84: Showing Addresses Authenticated for Network Access. Configuring a MAC Address Filter: Use the Security > Network Access > MAC Filter Configuration page to designate specific MAC addresses or MAC address ranges as exempt from authentication.
  • Page 210: Access Control Lists

    Security Measures | Access Control Lists | MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC address bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 211: Setting the ACL Name and Type

    Security Measures | Access Control Lists | Command Usage: The following restrictions apply to ACLs: The maximum number of ACLs is 64. The maximum number of rules per system is 512 rules. An ACL can have up to 64 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
  • Page 212: Configuring a Standard IPv4 ACL

    Security Measures | Access Control Lists | ARP – ARP ACL specifies static IP-to-MAC address bindings used for ARP inspection (see "ARP Inspection"). Interface: To configure the name and type of an ACL: Click Security, ACL, Configuration. Fill in the ACL Name field, and select the ACL type. Click Apply.
  • Page 213: Configuring an Extended IPv4 ACL

    Security Measures | Access Control Lists | Interface: To add rules to a Standard IP ACL: Click Security, ACL, Configuration. Click Edit to open the configuration page for the required entry. Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,”...
  • Page 214 | Security Measures | Access Control Lists | specify a range of addresses with the Address and Subnet Mask fields. (Options: Any, Host, IP; Default: Any) Source/Destination IP Address – Source or destination IP address. Source/Destination Subnet Mask – Subnet mask for source or destination address.
  • Page 215 | Security Measures | Access Control Lists | Interface: To add rules to an Extended IP ACL: Click Security, ACL, Configuration. Click Edit to open the configuration page for the required entry. Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,”...
  • Page 216: Configuring a Standard IPv6 ACL

    Security Measures | Access Control Lists | Configuring a Standard IPv6 ACL: Use the Security > ACL > Configure (IPv6 Standard ACL) page to configure a Standard IPv6 ACL. CLI References: "permit, deny (Standard IPv6 ACL)" on page 658; "show ipv6 access-list"...
  • Page 217: Configuring an Extended IPv6 ACL

    Security Measures | Access Control Lists | Figure 89: Configuring a Standard IPv6 ACL. Configuring an Extended IPv6 ACL: Use the Security > ACL > Configure (IPv6 Extended ACL) page to configure an Extended IPv6 ACL. CLI References: "permit, deny (Extended IPv6 ACL)" on page 659; "show ipv6 access-list"...
  • Page 218: Configuring a MAC ACL

    Security Measures | Access Control Lists | Interface: To add rules to an Extended IPv6 ACL: Click Security, ACL. Click Edit to open the configuration page for the required entry. Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IPv6-prefix). If you select “Host,”...
  • Page 219 | Security Measures | Access Control Lists | Action – An ACL can contain any combination of permit or deny rules. Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bit Mask fields.
  • Page 220: Configuring an ARP ACL

    Security Measures | Access Control Lists | Set any other required criteria, such as VID, Ethernet type, or packet format. Click Add. Figure 91: Configuring a MAC ACL. Configuring an ARP ACL: Use the Security > ACL > Configure (ARP ACL) page to configure ACLs based on ARP message addresses.
  • Page 221 | Security Measures | Access Control Lists | specify a range of addresses with the Address and Mask fields. (Options: Any, Host, IP; Default: Any) Sender/Target IP Address – Source or destination IP address. Sender/Target IP Address Mask – Subnet mask for source or destination address.
  • Page 222: Binding A Port To An Access Control List

    Security Measures | Access Control Lists | Figure 92: Configuring an ARP ACL. Binding a Port to an Access Control List: After configuring ACLs, use the Security > ACL > Port Binding page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
  • Page 223: Showing TCAM Utilization

    Security Measures | Access Control Lists | Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Trunk Configuration.” Interface: To bind an ACL to a port: Click Security, ACL, Port Binding. Mark the Enabled check box for the port you want to bind to an ACL for ingress traffic, and select the required ACL from the drop-down list.
  • Page 224: ARP Inspection

    Security Measures | ARP Inspection | Interface: To show information on TCAM utilization: Click Security, ACL, TCAM Utilization. Figure 94: Showing TCAM Utilization. ARP Inspection: ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle”...
  • Page 225: Configuring Global Settings for ARP Inspection

    Security Measures | ARP Inspection | When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
  • Page 226 | Security Measures | ARP Inspection | ARP Inspection Logging: By default, logging is active for ARP Inspection, and cannot be disabled. The administrator can configure the log facility rate. When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis.
  • Page 227: Configuring VLAN Settings for ARP Inspection

    Security Measures | ARP Inspection | Interface: To configure global settings for ARP Inspection: Click Security, ARP Inspection, Configuration. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply. Figure 95: Configuring Global Settings for ARP Inspection. Use the Security >...
  • Page 228: Configuring VLAN Settings for ARP Inspection

    Security Measures | ARP Inspection | If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. Parameters: These parameters are displayed: VLAN ID –...
  • Page 229: Configuring Interface Settings for ARP Inspection

    Security Measures | ARP Inspection | Configuring Interface Settings for ARP Inspection: Use the Security > ARP Inspection > Port Configuration page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. CLI References: "ARP Inspection"...
  • Page 230: Displaying the ARP Inspection Log

    Security Measures | ARP Inspection | Figure 97: Configuring Interface Settings for ARP Inspection. Displaying the ARP Inspection Log: Use the Security > ARP Inspection > Log Information page to show information about entries stored in the log, including the associated VLAN, port, and address components.
  • Page 231: Displaying ARP Inspection Statistics

    Security Measures | ARP Inspection | Figure 98: Displaying the ARP Inspection Log. Displaying ARP Inspection Statistics: Use the Security > ARP Inspection > Statistics page to display statistics about the number of ARP packets processed, or dropped for various reasons. CLI References: "show ip arp inspection statistics"...
  • Page 232: Filtering IP Addresses for Management Access

    Security Measures | Filtering IP Addresses for Management Access | Interface: To display statistics for ARP Inspection: Click Security, ARP Inspection, Statistics. Figure 99: Displaying Statistics for ARP Inspection. Filtering IP Addresses for Management Access: Use the Security > IP Filter page to create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
  • Page 233 | Security Measures | Filtering IP Addresses for Management Access | You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
  • Page 234: DHCP Snooping

    Security Measures | DHCP Snooping | Figure 100: Creating an IP Address Filter for Management Access. DHCP Snooping: The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).
  • Page 235 | Security Measures | DHCP Snooping | When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping. Filtering rules are implemented as follows: If the global DHCP snooping is disabled, all DHCP packets are forwarded.
  • Page 236: DHCP Snooping Configuration

    Security Measures | DHCP Snooping | DHCP Snooping Configuration: Use the DHCP Snooping > Configuration page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. CLI References: "DHCP Snooping" on page 624. Parameters: These parameters are displayed: DHCP Snooping Status –...
  • Page 237: DHCP Snooping Information Option Configuration

    Security Measures | DHCP Snooping | When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table. Parameters: These parameters are displayed: VLAN – ID of a configured VLAN. (Range: 1-4094) DHCP Snooping Status –...
  • Page 238 | Security Measures | DHCP Snooping | information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server. This information may specify the MAC address or IP address of the requesting device (that is, the switch or port to which the client is connected in this context).
  • Page 239 | Security Measures | DHCP Snooping | DHCP Snooping Information Option 82 Remote ID – Specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. MAC-HEX - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch’s CPU in hexadecimal format).
  • Page 240: Configuring Ports for DHCP Snooping

    Security Measures | DHCP Snooping | Figure 103: Configuring DHCP Snooping Information Option. Configuring Ports for DHCP Snooping: Use the DHCP Snooping > Port Configuration page to configure switch ports as trusted or untrusted. CLI References: "ip dhcp snooping trust" on page 631; "ip dhcp snooping information option circuit-id string"...
  • Page 241: Displaying DHCP Snooping Binding Information

    Security Measures | DHCP Snooping | Interface: To configure global settings for DHCP Snooping: Click DHCP Snooping, Port Configuration. Set any ports within the local network or firewall to trusted, and set the string used to identify the port which received a DHCP request packet. Click Apply. Figure 104: Configuring the Port Mode for DHCP Snooping. DHCP...
  • Page 242: IP Source Guard

    Security Measures | IP Source Guard | IP Address – IP address corresponding to the client. IP Address Type – Indicates an IPv4 or IPv6 address type. Lease Time (Seconds) – The time for which this IP address is leased to the client.
  • Page 243 | Security Measures | IP Source Guard | Command Usage: Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 244: Configuring Static Bindings for IP Source Guard

    Security Measures | IP Source Guard | SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. Interface: To set the IP Source Guard filter for ports: Click IP Source Guard, Port Configuration. Set the required filtering type for each port.
  • Page 245 | Security Measures | IP Source Guard | Only unicast addresses are accepted for static bindings. Parameters: These parameters are displayed: Static Binding Table Counts – The total number of static entries in the table. Current Static Binding Table – The list of current static entries in the table.
  • Page 246: Displaying Information for Dynamic IP Source Guard Bindings

    Security Measures | IP Source Guard | Displaying Information for Dynamic IP Source Guard Bindings: Use the IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI References: "show ip source-guard binding" on page 638. Parameters: These parameters are displayed: Query by...
  • Page 247: Figure 108: Showing the IP Source Guard Binding Table

    Security Measures | IP Source Guard | Interface: To display the binding table for IP Source Guard: Click IP Source Guard, Dynamic Information. Mark the search criteria, and enter the required values. Click Query. Figure 108: Showing the IP Source Guard Binding Table...
  • Page 248: Interface Configuration

    Interface Configuration | This chapter describes the following topics: Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. Trunk Configuration – Configures static or dynamic trunks. Storm Control Configuration – Controls the maximum amount of traffic caused by broadcast, multicast or unknown unicast storms that will be forwarded by the switch.
  • Page 249: Configuring Interface Connections

    Interface Configuration | Port Configuration. Type – Indicates the port type. (100Base-TX, 1000Base-T, 100Base SFP or 1000Base SFP) Admin Status – Shows if the port is enabled or disabled. Oper Status – Indicates if the link is Up or Down. Speed Duplex Status –...
  • Page 250 | Interface Configuration | Port Configuration. Command Usage: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex mode or Flow Control options. When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities. To set the speed, duplex mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface.
  • Page 251 | Interface Configuration | Port Configuration. preferred modes ensures that the ports at both ends of a link will eventually cooperate to establish a valid master-slave relationship. Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised.
  • Page 252: Trunk Configuration

    Interface Configuration | Trunk Configuration. Interface: To configure port connection parameters: Click Port, Port Configuration. Modify the required interface settings. Click Apply. Figure 110: Configuring Interface Connections. Trunk Configuration. This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
  • Page 253: Configuring A Static Trunk

    Interface Configuration | Trunk Configuration. Command Usage: Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
  • Page 254: Figure 112: Creating Static Trunks

    Interface Configuration | Trunk Configuration. Command Usage: When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible. To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the...
  • Page 255: Enabling LACP On Selected Ports

    Interface Configuration | Trunk Configuration. Enabling LACP on Selected Ports. Use the Interface > Trunk > Configuration page to enable LACP on a port. Figure 113: Configuring Dynamic Trunks. CLI References: "lacp"...
  • Page 256: Configuring Parameters For LACP Group Members

    Interface Configuration | Trunk Configuration. Click Apply. Figure 114: Enabling LACP on a Port. Configuring Parameters for LACP Group Members. Use the Port > LACP > Dynamic Aggregation Port page to set the administrative key for a group member, and configure protocol parameters for local and partner ports.
  • Page 257 | Interface Configuration | Trunk Configuration. Parameters: These parameters are displayed: Configure Aggregation Port - Actor/Partner. Port – Port number. (Range: 1-28) System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
  • Page 258: Configuring Parameters For LACP Groups

    Interface Configuration | Trunk Configuration. Figure 115: Configuring LACP Parameters on a Port. Configuring Parameters for LACP Groups. Use the Port > LACP > Aggregation Group page to set the administrative key for an aggregation group. CLI References: "lacp admin-key (Port Channel)"...
  • Page 259: Displaying LACP Port Counters

    Interface Configuration | Trunk Configuration. Interface: To configure the admin key for a dynamic trunk: Click Port, LACP, Aggregation Group. Set the Admin Key for the required LACP group. Click Apply. Figure 116: Configuring the LACP Aggregator Admin Key. Displaying LACP Port Counters. Use the Port >...
  • Page 260: Displaying LACP Settings And Status For The Local Side

    Interface Configuration | Trunk Configuration. Table 18: LACP Port Counters (Continued). Marker Unknown Pkts: Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 261: Figure 118: Displaying LACP Port Internal Information

    Interface Configuration | Trunk Configuration. Table 19: LACP Internal Configuration Information (Continued). LACPDUs Interval: Number of seconds before invalidating received LACPDU information. Admin State, Oper State: Administrative or operational values of the actor’s state parameters: Expired – The actor’s receive machine is in the expired state; Defaulted –...
  • Page 262: Displaying LACP Settings And Status For The Remote Side

    Interface Configuration | Trunk Configuration. Displaying LACP Settings and Status for the Remote Side. Use the Port > LACP > Port Neighbors Information page to display the configuration settings and operational state for the remote side of a link aggregation. CLI References: "show lacp"...
  • Page 263: Storm Control Configuration

    Interface Configuration | Storm Control Configuration. Figure 119: Displaying LACP Port Remote Information. Storm Control Configuration. The switch can be configured to control the maximum amount of traffic caused by broadcast, multicast or unknown unicast storms that will be forwarded.
  • Page 264: Setting Broadcast Storm Thresholds

    Interface Configuration | Storm Control Configuration. Setting Broadcast Storm Thresholds. Use the Port > Port Broadcast Control or Trunk Broadcast Control page to configure broadcast storm control thresholds. Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
  • Page 265: Setting Multicast Storm Thresholds

    Interface Configuration | Storm Control Configuration. Figure 120: Configuring Broadcast Storm Control. Setting Multicast Storm Thresholds. Use the Port > Port Multicast Control or Trunk Multicast Control page to protect your network from excess multicast traffic by setting thresholds for each port.
  • Page 266: Setting Unknown Unicast Storm Thresholds

    Interface Configuration | Storm Control Configuration. Interface: To configure multicast storm control thresholds: Click Port, Port Multicast Control. Set the threshold, and mark Enabled for the desired interface. Click Apply. Figure 121: Configuring Multicast Storm Control. Setting Unknown Unicast Storm Thresholds. Use the Port > Port Unknown Unicast Control or Trunk Unknown Unicast Control page to protect your network from excess unknown unicast traffic...
  • Page 267: Figure 122: Configuring Unknown Unicast Storm Control

    Interface Configuration | Storm Control Configuration. Threshold – Threshold level as a rate; i.e., kilobits per second. (Range: 64-100000 kilobits per second for Fast Ethernet ports; 64-1000000 kilobits per second for Gigabit ports; Default: 64 kilobits per second) Trunk –...
  • Page 268: Mirror Configuration

    Interface Configuration | Mirror Configuration. Mirror Configuration. The switch can mirror traffic from a source port to a target port, packets containing a specified source address from any port on the switch to a target port, or traffic from one or more source VLANs to a target port. (Port mirroring and MAC address mirroring are described in this section.
  • Page 269: Configuring MAC Address Mirroring

    Interface Configuration | Mirror Configuration. Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both. (Default: Rx) Target Port – The port that will mirror the traffic on the source port. Interface: To configure a mirror session: Click Port, Mirror Port Configuration.
  • Page 270: Figure 125: Mirroring Packets Based On The Source MAC Address

    Interface Configuration | Mirror Configuration. When mirroring port traffic, the target port must be included in the same VLAN as the source port when using MSTP (see "Spanning Tree Commands"). When mirroring VLAN traffic (see "Configuring VLAN Mirroring") or packets based on a source MAC address, the target port cannot be set to the same target ports as that used for port mirroring (see "Configuring Port...
  • Page 271: Configuring Rate Limits

    Interface Configuration | Configuring Rate Limits. Configuring Rate Limits. Use the Port > Rate Limit pages to apply rate limiting to ingress or egress ports or trunks. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 272: VLAN Trunking

    Interface Configuration | VLAN Trunking. Figure 126: Configuring Rate Limits. VLAN Trunking. Use the Port > Port VLAN Trunking or Trunk VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI References: "vlan-trunking"...
  • Page 273: Figure 128: Configuring VLAN Trunking

    Interface Configuration | VLAN Trunking. VLAN trunking is mutually exclusive with the “access” switchport mode (see "Adding Static Members to VLANs"). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
  • Page 274: Performing Cable Diagnostics

    Interface Configuration | Performing Cable Diagnostics. Performing Cable Diagnostics. Use the Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 275: Showing Port Or Trunk Statistics

    Interface Configuration | Showing Port or Trunk Statistics. Link Status – Shows if the port link is up or down. Test Result – The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
  • Page 276: Table 21: Port Statistics

    Interface Configuration | Showing Port or Trunk Statistics. Parameters: These parameters are displayed: Table 21: Port Statistics. Interface Statistics – Received Octets: The total number of octets received on the interface, including framing characters. Transmitted Octets: The total number of octets transmitted out of the interface, including framing characters.
  • Page 277 | Interface Configuration | Showing Port or Trunk Statistics. Table 21: Port Statistics (Continued). Frames Too Long: A count of frames received on a particular interface that exceed the maximum permitted frame size. Alignment Errors: The number of alignment errors (missynchronized data packets). FCS Errors: A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
  • Page 278 | Interface Configuration | Showing Port or Trunk Statistics. Table 21: Port Statistics (Continued). Port Utilization – Input Rate: Shows the ingress rate in kilobits/second, packets/second, and utilization/second. Output Rate: Shows the egress rate in kilobits/second, packets/second, and utilization/second. Interface: To show a list of port statistics: Click Port, Port Statistics.
  • Page 279: Figure 130: Showing Port Statistics

    Interface Configuration | Showing Port or Trunk Statistics. Figure 130: Showing Port Statistics...
  • Page 280: Power Over Ethernet Settings

    Power over Ethernet Settings. This chapter describes the following topics: Switch Power Status – Displays the status of global power parameters. Setting a Switch Power Budget – Configures the power budget for the switch. Displaying Port Power Status – Displays the status of port power parameters.
  • Page 281: Switch Power Status

    Power Over Ethernet Settings | Switch Power Status. Switch Power Status. Use the Power > Power Status page to display the Power over Ethernet settings for the switch. CLI References: "show power mainpower" on page 707. Parameters: These parameters are displayed: Maximum Available Power –...
  • Page 282: Displaying Port Power Status

    Power Over Ethernet Settings | Displaying Port Power Status. CLI References: "power inline maximum allocation" on page 704. Parameters: These parameters are displayed: Power Allocation – The power budget for the switch. If devices connected to the switch require more power than the switch budget, the port power priority settings are used to control the supplied power.
  • Page 283: Configuring Port PoE Power

    Power Over Ethernet Settings | Configuring Port PoE Power. Interface: To display the current PoE power status for all ports: Click PoE, Port Power Status. Figure 133: Displaying Port PoE Status. Configuring Port PoE Power. Use the Power > Power Port Configuration page to configure port power parameters.
  • Page 284: Figure 134: Configuring Port PoE Power

    Power Over Ethernet Settings | Configuring Port PoE Power. Power is dropped from low-priority ports in sequence starting from port number 1. Parameters: These parameters are displayed: Port – The port number on the switch. (Range: 1-28) Admin Status – Enables PoE power on the port. Power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the switch or port power budget.
  • Page 285: Address Table Settings

    Address Table Settings. Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 286 | Address Table Settings | Setting Static Addresses. Parameters: These parameters are displayed: Static Address Counts – The number of manually configured addresses. Current Static Address Table – Lists all the static addresses. Interface – Port or trunk associated with the device assigned a static address.
  • Page 287: Displaying The Dynamic Address Table

    Address Table Settings | Displaying the Dynamic Address Table. Displaying the Dynamic Address Table. Use the Address Table > Dynamic Addresses page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 288: Changing The Aging Time

    Address Table Settings | Changing the Aging Time. Figure 136: Displaying the Dynamic MAC Address Table. Changing the Aging Time. Use the Address Table > Address Aging page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
  • Page 289: Figure 137: Setting The Address Aging Time

    Address Table Settings | Changing the Aging Time. Click Apply. Figure 137: Setting the Address Aging Time...
  • Page 290: Spanning Tree Algorithm

    Spanning Tree Algorithm. This chapter describes the following basic topics: Loopback Detection – Configures detection and response to loopback BPDUs. Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
  • Page 291: Figure 138: STP Root Ports And Designated Ports

    Spanning Tree Algorithm | Overview. lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 138: STP Root Ports and Designated Ports. Designated Root...
  • Page 292: Figure 139: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree

    Spanning Tree Algorithm | Overview. Figure 139: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 293: Configuring Loopback Detection

    Spanning Tree Algorithm | Configuring Loopback Detection. Configuring Loopback Detection. Use the Spanning Tree > Port Loopback Detection or Trunk Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 294: Displaying Global Settings For STA

    Spanning Tree Algorithm | Displaying Global Settings for STA. Interface: To configure loopback detection: Click Spanning Tree, Port Loopback Detection. Modify the required loopback detection attributes. Click Apply. Figure 141: Configuring Port Loopback Detection. Displaying Global Settings for STA. Use the Spanning Tree > STA > Information page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 295: Figure 142: Displaying Global Settings For STA

    Spanning Tree Algorithm | Displaying Global Settings for STA. “ports” in this section mean “interfaces,” which includes both ports and trunks.) Hello Time – Interval (in seconds) at which the root device transmits a configuration message. Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding).
  • Page 296: Configuring Global Settings For STA

    Spanning Tree Algorithm | Configuring Global Settings for STA. Configuring Global Settings for STA. Use the Spanning Tree > STA > Configuration page to configure global settings for the spanning tree that apply to the entire switch. CLI References: "Spanning Tree Commands"...
  • Page 297 | Spanning Tree Algorithm | Configuring Global Settings for STA. Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Parameters: These parameters are displayed: Basic Settings...
  • Page 298 | Spanning Tree Algorithm | Configuring Global Settings for STA. Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
  • Page 299 | Spanning Tree Algorithm | Configuring Global Settings for STA. Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0) Region Name – The name for this MSTI. (Maximum length: 32 characters; switch’s MAC address) Maximum Hop Count – The maximum number of hops allowed in the MST region before a BPDU is discarded.
  • Page 300: Displaying Interface Settings For STA

    Spanning Tree Algorithm | Displaying Interface Settings for STA. Figure 143: Configuring Global Settings for STA. Displaying Interface Settings for STA. Use the Spanning Tree > STA > Port Information page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 301 | Spanning Tree Algorithm | Displaying Interface Settings for STA. STA Status – Displays current state of this port within the Spanning Tree: Discarding - Port receives STA configuration messages, but does not forward packets. Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information.
  • Page 302: Figure 144: STA Port Roles

    Spanning Tree Algorithm | Displaying Interface Settings for STA. Port Role – Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge (i.e., root port), connecting a LAN through the bridge to the root bridge (i.e., designated port), is the MSTI regional root (i.e., master port), or is an alternate or backup port that may provide connectivity if other bridges, bridge ports, or LANs fail or are removed.
  • Page 303: Configuring Interface Settings For STA

    Spanning Tree Algorithm | Configuring Interface Settings for STA. Configuring Interface Settings for STA. Use the Spanning Tree > STA > Port Configuration page to configure STA attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to indicate the preferred path, link type to indicate a point-to-point connection or shared-media connection, and edge port to indicate if the attached device can support fast forwarding.
  • Page 304: Table 22: Recommended STA Path Cost Range

    Spanning Tree Algorithm | Configuring Interface Settings for STA. Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 305: Figure 146: Configuring Interface Settings For STA

    Spanning Tree Algorithm | Configuring Interface Settings for STA. Admin Link Type – The link type attached to this interface. Point-to-Point – A connection to exactly one other bridge. Shared – A connection to two or more bridges. Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 306: Spanning Tree Edge Port Configuration

    Spanning Tree Algorithm | Spanning Tree Edge Port Configuration. Spanning Tree Edge Port Configuration. Use the Spanning Tree > STA > Port Edge Port Configuration or Trunk Edge Port Configuration page to enable additional STA options when an interface is attached to a LAN segment that is at the end of a bridged LAN or is attached to an end node.
  • Page 307: Figure 147: Configuring Edge Port Settings For STA

    Spanning Tree Algorithm | Spanning Tree Edge Port Configuration. enters forwarding state (see "Displaying Interface Settings for STA"). BPDU Guard – This feature protects edge ports from receiving BPDUs. It prevents loops by shutting down an edge port when a BPDU is received instead of putting it into the spanning tree discarding state.
  • Page 308: Configuring Multiple Spanning Trees

    Spanning Tree Algorithm | Configuring Multiple Spanning Trees. Configuring Multiple Spanning Trees. Use the Spanning Tree > MSTP > VLAN Configuration page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: "Spanning Tree Commands"...
  • Page 309: Figure 148: Creating An MST Instance

    Spanning Tree Algorithm | Configuring Multiple Spanning Trees. MST ID – Instance identifier to configure. (Range: 0-4094) VLAN ID – VLAN to assign to this MST instance. (Range: 1-4094) The other global attributes are described under “Displaying Global Settings STA.”...
  • Page 310: Displaying Interface Settings For MSTP

    Spanning Tree Algorithm | Displaying Interface Settings for MSTP. Displaying Interface Settings for MSTP. Use the Spanning Tree > MSTP > Port Information or Trunk Information page to display the current status of ports and trunks in the selected MST instance.
  • Page 311: Configuring Interface Settings For MSTP

    Spanning Tree Algorithm | Configuring Interface Settings for MSTP. Configuring Interface Settings for MSTP. Use the Spanning Tree > MSTP > Port Configuration or Trunk Configuration page to configure the STA interface settings for an MST instance. CLI References: "Spanning Tree Commands"...
  • Page 312: Figure 150: Configuring MSTP Interface Settings

    Spanning Tree Algorithm | Configuring Interface Settings for MSTP. The recommended range is listed in Table 22 on page 304. The recommended path cost is listed in Table 23 on page 304. The default path costs are listed in Table 24 on page 304.
  • Page 313: Layer 2 Protocol Tunneling

    Layer 2 Protocol Tunneling. This chapter describes the following basic topics: Configuring the Tunnel Address – Configures the destination address for BPDU tunneling. Enabling L2PT Tunneling – Enables Layer 2 Protocol Tunneling for the specified interface. Overview: L2 Protocol Tunnelling (L2PT) is used to tunnel local network protocols across a service provider’s network.
  • Page 314: Enabling Tunneling For Interfaces

    Layer 2 Protocol Tunneling | Enabling Tunneling for Interfaces. protocol and MAC address information, and then floods them onto the same VLANs at the customer’s remote site. For L2PT to function properly, QinQ must be enabled on the switch (see "Enabling QinQ Tunneling on the Switch"...
  • Page 315 | Layer 2 Protocol Tunneling | Enabling Tunneling for Interfaces. Command Usage: When L2PT is not used, protocol packets (such as STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports. This creates disconnected protocol domains in the customer’s network.
  • Page 316 | Layer 2 Protocol Tunneling | Enabling Tunneling for Interfaces. with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported. Processing Cisco-compatible protocol packets: When a Cisco-compatible L2PT packet is received on an uplink port, and recognized as a CDP/VTP/STP protocol packet (where STP means STP/MSTP/PVST+), it is forwarded to the following ports in the same S-VLAN: (a) all access ports for which L2PT has been...
  • Page 317: Figure 152: Enabling Layer 2 Protocol Tunneling

    Layer 2 Protocol Tunneling | Enabling Tunneling for Interfaces. Cisco Discovery Protocol - Cisco Discovery Protocol; Cisco VTP - Cisco VLAN Trunking Protocol; Cisco PVST+ - Cisco Per VLAN Spanning Tree Plus. Interface: To enable tunneling on an interface: Click L2 Protocol Tunnel, Port Configuration or Trunk Configuration.
  • Page 318: VLAN Configuration

    VLAN Configuration. This chapter includes the following topics: IEEE 802.1Q VLANs – Configures static and dynamic VLANs. IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 319 | VLAN Configuration | IEEE 802.1Q VLANs. VLANs can be easily organized to reflect departmental groups (such as Marketing or R&D), usage groups (such as e-mail), or multicast groups (used for multimedia applications such as video conferencing). VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets.
  • Page 320: Figure 153: VLAN Compliant And VLAN Non-Compliant Devices

    VLAN Configuration | IEEE 802.1Q VLANs. Figure 153: VLAN Compliant and VLAN Non-compliant Devices (legend: VA: VLAN Aware; VU: VLAN Unaware). VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 321: Figure 154: Using GVRP

    VLAN Configuration | IEEE 802.1Q VLANs. boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs. If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in "Adding Static Members to VLANs").
  • Page 322: Configuring Global Settings For Dynamic VLAN Registration

    VLAN Configuration | IEEE 802.1Q VLANs. Configuring Global Settings for Dynamic VLAN Registration. Use the VLAN > 802.1Q VLAN > GVRP Status page to enable GVRP globally on the switch. CLI References: "GVRP and Bridge Extension Commands" on page 793. Parameters: These parameters are displayed: GVRP –...
  • Page 323: Displaying Current VLANs

    VLAN Configuration | IEEE 802.1Q VLANs. Interface: To display basic information on the VLAN type supported by the switch: Click VLAN, 802.1Q VLAN, Basic Information. Figure 156: Displaying Basic VLAN Information. Displaying Current VLANs. Use the VLAN > 802.1Q VLAN > Current Table page to show the current port members of each VLAN and whether or not the port supports VLAN...
  • Page 324: Configuring VLAN Groups

    VLAN Configuration | IEEE 802.1Q VLANs. Interface: To show the current port members of each VLAN: Click VLAN, 802.1Q VLAN, Current Table. Figure 157: Displaying Current VLANs. Configuring VLAN Groups. Use the VLAN > 802.1Q VLAN > Static List page to create or remove VLAN groups.
  • Page 325: Adding Static Members To VLANs

    VLAN Configuration | IEEE 802.1Q VLANs. Remove – Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged. Interface: To create static VLANs: Click VLAN, 802.1Q VLAN, Static List.
  • Page 326 | VLAN Configuration | IEEE 802.1Q VLANs. Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLAN or CoS information. Untagged: Interface is a member of the VLAN. All packets transmitted by the port will be untagged, that is, not carry a tag and therefore not carry VLAN or CoS information.
  • Page 327: Adding VLAN Groups To Interfaces

    VLAN Configuration | IEEE 802.1Q VLANs. Figure 159: Adding Static Members to VLANs. Adding VLAN Groups to Interfaces. Use the VLAN > 802.1Q > Static Membership by Port page to assign VLAN groups to the selected interface as a tagged member. CLI References...
  • Page 328: Configuring VLAN Attributes For Interfaces

    VLAN Configuration | IEEE 802.1Q VLANs. Figure 160: Adding VLAN Groups to an Interface. Configuring VLAN Attributes for Interfaces. Use the VLAN > 802.1Q VLAN > Port Configuration or Trunk Configuration to configure VLAN attributes for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, GARP timers, and mode of operation (Hybrid, 1Q Trunk or Access...
  • Page 329 | VLAN Configuration | IEEE 802.1Q VLANs. If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded. Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STP.
  • Page 330: IEEE 802.1Q Tunneling

    VLAN Configuration | IEEE 802.1Q Tunneling. Interface: To configure VLAN attributes for specific interfaces: Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Enter the required settings for each interface. Click Apply. Figure 161: Adding VLAN Groups to an Interface. IEEE 802.1Q Tunneling. IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying...
  • Page 331: Figure 162: Qinq Operational Concept

    | VLAN Configuration HAPTER IEEE 802.1Q Tunneling requires a separate SPVLAN, but this VLAN supports all of the customer's internal VLANs. The QinQ tunnel uplink port that passes traffic from the edge switch into the service provider’s metro network must also be added to this SPVLAN.
  • Page 332 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling After successful source and destination lookup, the ingress process sends the packet to the switching process with two tags. If the incoming packet is untagged, the outer tag is an SPVLAN tag, and the inner tag is a dummy tag (8100 0000).
  • Page 333 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling If the destination address lookup fails, the packet is sent to all member ports of the outer tag's VLAN. After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet. The switch sends the packet to the proper egress port.
  • Page 334: Enabling QinQ Tunneling On The Switch

    Configure the SPVLAN ID as the native VID on the QinQ tunnel uplink port (see "Configuring VLAN Attributes for Interfaces"). Configure the QinQ tunnel uplink port to Tunnel Uplink mode (see "Adding an Interface to a QinQ Tunnel").
  • Page 335: Adding An Interface To A QinQ Tunnel

    Figure 163: Enabling QinQ Tunneling ADDING AN INTERFACE TO A QINQ TUNNEL Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > 802.1Q VLAN > Tunnel Port Configuration or Tunnel Trunk Configuration page to set the tunnel mode for any...
  • Page 336: Traffic Segmentation

    WEB INTERFACE To add an interface to a QinQ tunnel: Click VLAN, 802.1Q VLAN, Tunnel Port/Trunk Configuration. Set the mode for any tunnel access port to Tunnel and the tunnel uplink port to Tunnel Uplink. Click Apply.
  • Page 337: Configuring Uplink And Downlink Ports

    Uplink-to-Uplink – Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. (Default: Blocking) WEB INTERFACE To enable traffic segmentation: Click VLAN, Traffic Segmentation, Status. Set the traffic segmentation status or uplink-to-uplink forwarding mode.
  • Page 338: Private VLANs

    WEB INTERFACE To configure the members of the traffic segmentation group: Click VLAN, Traffic Segmentation, Session Configuration. Set the session number, specify whether an uplink or downlink is to be used, and select the interface. Click Apply.
  • Page 339: Displaying Private VLANs

    Use the Private VLAN Port Configuration page to set the port type to promiscuous (i.e., having access to all ports in the primary VLAN), or host (i.e., having access restricted to community VLAN members, and channeling all other traffic through promiscuous ports).
  • Page 340: Creating Private VLANs

    CREATING PRIVATE VLANS Use the VLAN > Private VLAN > Configuration page to create primary or community VLANs. CLI REFERENCES "private-vlan" on page 821 PARAMETERS These parameters are displayed in the web interface: VLAN ID –...
  • Page 341: Associating Private VLANs

    ASSOCIATING PRIVATE VLANS Use the VLAN > Private VLAN > Association page to associate each community VLAN with a primary VLAN. CLI REFERENCES "private vlan association" on page 822 PARAMETERS These parameters are displayed in the web interface: Primary VLAN –...
  • Page 342: Figure 170: Displaying Private VLAN Interfaces

    PARAMETERS These parameters are displayed in the web interface: Port/Trunk – The switch interface. PVLAN Port Type – Displays private VLAN port types. Normal – The port is not configured in a private VLAN. Host –...
  • Page 343: Configuring Private VLAN Interfaces

    CONFIGURING PRIVATE VLAN INTERFACES Use the VLAN > Private VLAN > Port Configuration or Trunk Configuration page to set the private VLAN interface type, and assign the interfaces to a private VLAN. CLI REFERENCES "switchport private-vlan mapping"...
  • Page 344: Protocol VLANs

    Figure 171: Configuring Interfaces for Private VLANs PROTOCOL VLANS The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 345: Configuring Protocol VLAN Groups

    CONFIGURING PROTOCOL VLAN GROUPS Use the VLAN > Protocol VLAN > Configuration page to create protocol groups. CLI REFERENCES "protocol-vlan protocol-group (Configuring Groups)" on page 826 PARAMETERS These parameters are displayed: Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group.
  • Page 346: Mapping Protocol Groups To VLANs

    Figure 172: Configuring Protocol VLANs MAPPING PROTOCOL GROUPS TO VLANS Use the VLAN > Protocol VLAN > System Configuration page to map a protocol group to each VLAN that will participate in the group. CLI REFERENCES "protocol-vlan protocol-group (Configuring Interfaces)"...
  • Page 347: Configuring VLAN Mirroring

    Figure 173: Assigning Protocols to VLANs CONFIGURING VLAN MIRRORING Use the VLAN > VLAN Mirror Configuration page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 348: Figure 174: Configuring VLAN Mirroring

    PARAMETERS These parameters are displayed: Source VLAN – A VLAN whose traffic will be monitored. (Range: 1-4094) Target Port – The destination port that receives the mirrored traffic from the source VLAN. (Range: 1-28) WEB INTERFACE To configure VLAN mirroring: Click VLAN, VLAN Mirror Configuration.
  • Page 349: Configuring IP Subnet VLANs

    CONFIGURING IP SUBNET VLANS Use the VLAN > IP Subnet VLAN > Configuration page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 350: Configuring MAC-Based VLANs

    WEB INTERFACE To map an IP subnet to a VLAN: Click VLAN, IP Subnet VLAN, Configuration. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured.
  • Page 351: Figure 176: Configuring MAC-Based VLANs

    When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. PARAMETERS These parameters are displayed: MAC Address – A source MAC address which is to be mapped to a specific VLAN.
  • Page 352: Link Layer Discovery Protocol

    LINK LAYER DISCOVERY PROTOCOL This chapter includes the following topics: LLDP Timing Attributes – Sets timing attributes for general functions. LLDP Interface Attributes – Specifies the advertised attributes for individual interfaces. LLDP Local Device Information – Displays information about the switch. LLDP Remote Port Information –...
  • Page 353: Setting LLDP Timing Attributes

    SETTING LLDP TIMING ATTRIBUTES Use the LLDP > Configuration page to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.
  • Page 354: Figure 177: Configuring LLDP Timing Attributes

    Notification Interval – Configures the allowed interval for sending SNMP notifications about LLDP MIB changes. (Range: 5-3600 seconds; Default: 5 seconds) This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
  • Page 355: Configuring LLDP Interface Attributes

    CONFIGURING LLDP INTERFACE ATTRIBUTES Use the LLDP > Port Configuration or Trunk Configuration page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 356 Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
  • Page 357 MED TLV Type – Configures the information included in the MED TLV field of advertised messages. Port Capabilities – This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.
  • Page 358: Displaying LLDP Local Device Information

    Figure 178: Configuring LLDP Interface Attributes DISPLAYING LLDP LOCAL DEVICE INFORMATION Use the LLDP > Local Information page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
  • Page 359: Table 26: System Capabilities

    Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. System Name – A string that indicates the system’s administratively assigned name (see "Displaying System Information").
  • Page 360: Displaying LLDP Remote Port Information

    Figure 179: Displaying Local Device Information for LLDP DISPLAYING LLDP REMOTE PORT INFORMATION Use the LLDP > Remote Port Information page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP.
  • Page 361: Displaying LLDP Remote Information Details

    WEB INTERFACE To display LLDP information for a remote port: Click LLDP, Remote Port Information. Figure 180: Displaying Remote Device Information for LLDP DISPLAYING LLDP REMOTE INFORMATION DETAILS Use the LLDP > Remote Information Details page to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
  • Page 362 Table 27: Port ID Subtype (Continued), columns ID Basis / Reference: MAC address / MAC address (IEEE Std 802-2001); Network address / networkAddress; Interface name / ifName (IETF RFC 2863); Agent circuit ID / agent circuit ID (IETF RFC 3046); Locally assigned / locally assigned. Port Description –...
  • Page 363: Displaying Device Statistics

    Figure 181: Displaying Remote Device Information Details for LLDP DISPLAYING DEVICE STATISTICS Use the LLDP > Device Statistics page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 364: Displaying Detailed Device Statistics

    Port/Trunk Num Frames Received – Number of LLDP PDUs received. Num Frames Sent – Number of LLDP PDUs transmitted. Num Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV.
  • Page 365: Figure 183: Displaying LLDP Detailed Device Statistics

    Frames Sent – Number of LLDP PDUs transmitted. TLVs Unrecognized – A count of all TLVs not recognized by the receiving LLDP local agent. TLVs Discarded – A count of all LLDPDUs received and then discarded due to insufficient memory space, missing or out-of-sequence attributes, or any other reason.
  • Page 366: Class Of Service

    CLASS OF SERVICE Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 367: Mapping CoS Values To Egress Queues

    If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. PARAMETERS These parameters are displayed: Default Priority – The priority that is assigned to untagged frames received on the specified interface.
  • Page 368: Table 29: CoS Priority Levels

    mapped to the switch’s output queues in any way that benefits application traffic for the network. Table 29: CoS Priority Levels Priority Level Traffic Type Background (Spare) 0 (default) Best Effort Excellent Effort Controlled Load Video, less than 100 milliseconds latency and jitter...
  • Page 369: Selecting The Queue Mode

    Figure 185: Mapping CoS Values to Egress Queues SELECTING THE QUEUE MODE Use the Priority > Queue Mode page to set the queue mode for the egress queues on all interfaces. The switch can be set to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before the lower priority queues are serviced, or to use...
  • Page 370: Displaying The Service Weight For Traffic Classes

    WEB INTERFACE To configure the queue mode: Click Priority, Queue Mode. Set the queue mode. Click Apply. Figure 186: Setting the Queue Mode DISPLAYING THE SERVICE WEIGHT FOR TRAFFIC CLASSES Use the Priority > Queue Scheduling page to display the weighted round-robin (WRR) bandwidth allocation for the four priority queues.
  • Page 371: Layer 3/4 Priority Settings

    Figure 187: Showing the Queue Bandwidth Allocation LAYER 3/4 PRIORITY SETTINGS Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
  • Page 372: Mapping DSCP Priority

    Disabled – Disables the priority service. (Default Setting: Disabled) IP DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point Mapping. WEB INTERFACE To enable or disable IP DSCP priority: Click Priority, IP DSCP Priority Status. Select Disabled or IP DSCP from the drop down menu.
  • Page 373: Figure 189: Mapping IP DSCP Priority Values

    Table 30: Mapping DSCP Priority Values (Continued) IP DSCP Value CoS Value 46, 56 PARAMETERS These parameters are displayed: DSCP Priority Table – Shows the DSCP Priority to CoS map. Class of Service Value – Maps a CoS value to the selected DSCP Priority value.
  • Page 374: Quality Of Service

    QUALITY OF SERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 375: Configuring A Class Map

    COMMAND USAGE To create a service policy for a specific category of ingress traffic, follow these steps: Use the Class Map (Add Class) page to designate a class name for a specific category of traffic.
  • Page 376 Up to 1024 class statements can be configured for the system. PARAMETERS These parameters are displayed: Class Map Modify Name and Description – Configures the name and a brief description of a class map. (Range: 1-16 characters for the name; 1-64 characters for the description) Edit Rules –...
  • Page 377: Figure 190: Creating A Class Map

    WEB INTERFACE To create a class map: Click QoS, DiffServ, Class Map. Click Add Class. Enter a class name and a description. Click Add. Figure 190: Creating a Class Map To edit the rules for a class map: Click QoS, DiffServ, Class Map.
  • Page 378: Creating QoS Policies

    Figure 191: Adding Rules to a Class Map CREATING QOS POLICIES Use the QoS > DiffServ > Policy Map page to create a policy map that can be attached to multiple interfaces. CLI REFERENCES "Quality of Service Commands"...
  • Page 379 The class of service can be assigned to matching packets. In addition, the flow rate of inbound traffic can be monitored and the response to non-conforming traffic specified. To configure a Policy Map, follow these steps: Create a Class Map as described on page 375.
  • Page 380 Remove Policy – Deletes a specified policy. Policy Configuration (Add Policy) Policy Name – Name of policy map. (Range: 1-16 characters) Description – A brief description of a policy map. (Range: 1-64 characters) Add –...
  • Page 381: Figure 192: Creating A Policy Map

    Exceed – Specifies whether the traffic that exceeds the specified rate or burst will be dropped or the DSCP service level will be reduced. Set – Decreases DSCP priority for out of conformance traffic. (Range: 0-63).
  • Page 382: Attaching A Policy Map To A Port

    Figure 193: Adding Rules to a Policy Map ATTACHING A POLICY MAP TO A PORT Use the QoS > DiffServ > Service Policy page to bind a policy map to an ingress port.
  • Page 383: Figure 194: Attaching A Policy Map To A Port

    PARAMETERS These parameters are displayed: Port – Specifies a port. Ingress – Applies the selected rule to ingress traffic. Enabled – Check this to enable a policy map on the specified port. Policy Map –...
  • Page 384: VoIP Traffic Configuration

    VOIP TRAFFIC CONFIGURATION This chapter covers the following topics: Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. Port Settings – Configures the way in which a port is added to the Voice VLAN, the filtering of non-VoIP packets, the method of detecting VoIP traffic, and the priority assigned to voice traffic.
  • Page 385: Configuring VoIP Traffic

    CONFIGURING VOIP TRAFFIC Use the QoS > VoIP Traffic Setting > Configuration page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
  • Page 386: Configuring VoIP Traffic Ports

    Figure 195: Configuring a Voice VLAN CONFIGURING VOIP TRAFFIC PORTS Use the QoS > VoIP Traffic Setting > Port Configuration page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority.
  • Page 387: Figure 196: Configuring Port Settings For A Voice VLAN

    are assigned to manufacturers and form the first three octets of a device MAC address. MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
  • Page 388: Configuring Telephony OUI

    CONFIGURING TELEPHONY OUI VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 390: Multicast Filtering

    MULTICAST FILTERING This chapter describes how to configure the following multicast services: IGMP – Configuring snooping and query parameters. Filtering and Throttling – Filtering specified multicast service, or throttling the maximum of multicast groups allowed on an interface. Multicast VLAN Registration (MVR) –...
  • Page 391: Layer 2 IGMP (Snooping And Query)

    device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
  • Page 392: Configuring IGMP Snooping And Query Parameters

    When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN. IGMP snooping will not function unless a multicast router port is enabled on the switch.
  • Page 393 IGMP Querier – A router, or multicast-enabled switch, can periodically ask their hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier”...
  • Page 394: Enabling IGMP Immediate Leave

    IGMP Report Delay – Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list. (Range: 5-25 seconds;...
  • Page 395 COMMAND USAGE If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
  • Page 396: Displaying Interfaces Attached To A Multicast Router

    DISPLAYING INTERFACES ATTACHED TO A MULTICAST ROUTER Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an...
  • Page 397: Displaying Port Members Of Multicast Services

    attached router. This can ensure that multicast traffic is passed to all the appropriate interfaces within the switch. CLI REFERENCES "Static Multicast Routing" on page 869 PARAMETERS These parameters are displayed: Interface –...
  • Page 398: Assigning Interfaces To Multicast Services

    Multicast IP Address – The IP address for a specific multicast service. Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
  • Page 399: Filtering And Throttling IGMP Groups

    When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. PARAMETERS These parameters are displayed: Interface – Activates the Port or Trunk scroll down list. VLAN ID –...
  • Page 400: Enabling IGMP Filtering And Throttling

    profile can contain one or more addresses, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile.
  • Page 401: Configuring IGMP Filter Profiles

    Figure 205: Enabling IGMP Filtering and Throttling CONFIGURING IGMP FILTER PROFILES Use the IGMP Snooping > IGMP Filter Profile Configuration page to set the access mode and multicast groups to filter for an IGMP profile. CLI R...
  • Page 402: Configuring IGMP Filtering And Throttling For Interfaces

    WEB INTERFACE To configure an IGMP filter profile: Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile number you want to configure, and click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list.
  • Page 403: Figure 207: Configuring IGMP Filtering And Throttling Interface Settings

    PARAMETERS These parameters are displayed: Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
  • Page 404: Multicast VLAN Registration

    MULTICAST VLAN REGISTRATION Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
  • Page 405: Configuring Global MVR Settings

    Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and leave messages from multicast groups configured under MVR.
  • Page 406: Displaying MVR Interface Status

    Count – The number of contiguous MVR group addresses. (Range: 1-1024; Default: 0) WEB INTERFACE To configure global settings for MVR: Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, and then click Apply.
  • Page 407: Displaying Port Members Of Multicast Groups

    Immediate Leave – Shows if immediate leave is enabled or disabled. Trunk Member – Shows if port is a trunk member. WEB INTERFACE To display information about the interfaces attached to the MVR VLAN: Click MVR, Port Information or Trunk Information.
  • Page 408: Configuring MVR Interface Status

    WEB INTERFACE To display the multicast groups assigned to the MVR VLAN: Click MVR, Group IP Information. Figure 211: Displaying Port Members of Multicast Groups CONFIGURING MVR INTERFACE STATUS Use the MVR > Port Configuration or Trunk Configuration page to configure each interface that participates in the MVR protocol as a source port or...
  • Page 409 Subscribers should not be directly connected to source ports. Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query message to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before...
  • Page 410: Assigning Static Multicast Groups To Interfaces

    WEB INTERFACE To configure interface settings for MVR: Click MVR, Port Configuration or Trunk Configuration. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
  • Page 411: Configuring MVR Receiver VLAN And Group Addresses

    Non-Member – Shows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface. WEB INTERFACE To assign a static MVR group to a port: Click MVR, Group Member Configuration. Select a port or trunk from the “Interface”...
  • Page 412: Displaying MVR Receiver Groups

    MVR Receiver Group IP Address – Specifies groups to be managed through the receiver VLAN. WEB INTERFACE To configure the MVR Receiver VLAN and assigned addresses: Click MVR, Receiver Configuration. Select a VLAN from the MVR Receiver VLAN list. Enter the required multicast groups in the member list, and then click the Add or Remove button to modify the list.
  • Page 413: Configuring Static MVR Receiver Group Members

    Figure 215: Displaying MVR Receiver Groups CONFIGURING STATIC MVR RECEIVER GROUP MEMBERS Use the MVR > Receiver Group Member Configuration page to statically assign a multicast receiver group to the selected interface. CLI REFERENCES "mvr static-receiver-group"...
  • Page 414 Figure 216: Configuring Static MVR Receiver Group Members
  • Page 415: Domain Name Service

    DOMAIN NAME SERVICE: Domain Name Service (DNS) on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 416 Chapter: Domain Name Service | Configuring General DNS Service Parameters. PARAMETERS: These parameters are displayed: Domain Lookup Status – Enables DNS host name-to-address translation. (Default: Enabled) Default Domain Name – Defines the default domain name appended to incomplete host names. (Range: 1-64 alphanumeric characters) Domain Name List –...
  • Page 417: Configuring Static DNS Host to Address Entries

    Chapter: Domain Name Service | Configuring Static DNS Host to Address Entries. Use the DNS > Static Host Table page to manually configure static entries in the DNS table that are used to map domain names to IP addresses. CLI REFERENCES: "ip host"...
  • Page 418: Displaying the DNS Cache

    Chapter: Domain Name Service | Displaying the DNS Cache. Figure 218: Configuring Static Entries in the DNS Table. Use the DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers. CLI REFERENCES: "show dns cache"...
  • Page 419: Figure 219: Showing Entries in the DNS Cache

    WEB INTERFACE: To display entries in the DNS cache: Click DNS, Cache. Figure 219: Showing Entries in the DNS Cache
  • Page 420: Section

    SECTION: COMMAND LINE INTERFACE. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: "Using the Command Line Interface" on page 422; "General Commands" on page 434; "System Management Commands"...
  • Page 421 "ERPS Commands" on page 779; "VLAN Commands" on page 792; "Class of Service Commands" on page 840; "Quality of Service Commands" on page 848; "Multicast Filtering Commands" on page 859; "MLD Snooping Commands" on page 891; "LLDP Commands"...
  • Page 422: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the DG-FS4528P is opened. To end the CLI session, enter [Exit]. Console#
  • Page 423: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the DG-FS4528P is opened. To end the CLI session, enter [Exit]. Vty-0#
  • Page 424: Entering Commands

    Chapter: Using the Command Line Interface | Entering Commands. You can open up to four sessions to the device via Telnet. ENTERING COMMANDS: This section describes how to enter CLI commands. KEYWORDS AND ARGUMENTS: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 425: Getting Help On Commands

    GETTING HELP ON COMMANDS: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. If you enter a “?”...
  • Page 426: Partial Keyword Lookup

    reload – Shows the reload settings; running-config – Information on the running configuration; sflow – Shows the sflow information; snmp – Simple Network Management Protocol statistics; snmp-server – Displays SNMP server configuration; sntp – Simple Network Time Protocol configuration; spanning-tree – Spanning-tree configuration; Secure shell server connections...
  • Page 427: Negating The Effect Of Commands

    NEGATING THE EFFECT OF COMMANDS: For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server.
  • Page 428: Configuration Commands

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the DG-FS4528P is opened. To end the CLI session, enter [Exit]. Console# Username: guest Password: [guest login password] CLI session with the DG-FS4528P is opened.
  • Page 429: Table 32: Configuration Command Modes

    IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode. Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation. Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
  • Page 430: Command Line Processing

    Table 32: Configuration Command Modes (Continued). Columns: Mode, Command, Prompt, Page. Policy Map: policy-map, Console(config-pmap); Server Group: aaa group server {radius | tacacs+}, Console(config-sg-radius) and Console(config-sg-tacacs+); Time Range: time-range, Console(config-time-range); VLAN: vlan database, Console(config-vlan). For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode...
  • Page 431: Output Modifiers And Redirection

    Chapter: Using the Command Line Interface | CLI Command Groups. OUTPUT MODIFIERS AND REDIRECTION: Many of the show commands include options for output modifiers. For example, the “show ip interface” command includes the following keyword options: Console#show ip interface ? Output modifiers <cr>...
  • Page 432 Table 34: Command Group Index (Continued). Columns: Command Group, Description, Page. General Security Measures: Segregates traffic for clients attached to common data ports; and prevents unauthorized access by configuring valid static or dynamic addresses, web authentication, MAC address authentication, filtering DHCP requests and replies, and discarding invalid ARP responses. Access Control List...
  • Page 433 Table 34: Command Group Index (Continued). Columns: Command Group, Description, Page. Dynamic Host Configuration Protocol: Configures DHCP client functions. IP Interface: Configures IP address for the switch. The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) CM (Class Map Configuration)...
  • Page 434: General Commands

    GENERAL COMMANDS: These commands are used to control the command access mode, configuration mode, and other basic functions. Table 35: General Commands. Columns: Command, Function, Mode. prompt: Customizes the CLI prompt. reload: Restarts the system at a specified time, after a specified delay, or at a periodic interval. enable: Activates privileged mode...
  • Page 435: Reload (Global Configuration)

    Chapter: General Commands. EXAMPLE: Console(config)#prompt RD2 RD2(config)# reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 436: Enable

    COMMAND USAGE: This command resets the entire system. Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 437: Quit

    EXAMPLE: Console>enable Password: [privileged level password] Console# RELATED COMMANDS: disable (439), enable password (543). quit: This command exits the configuration program. DEFAULT SETTING: None. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: The quit and exit commands can both exit the configuration program. EXAMPLE: This example shows how to quit a CLI session: Console#quit...
  • Page 438: Configure

    EXAMPLE: In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 439: Disable

    disable: This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes.”...
  • Page 440: Show Reload

    show reload: This command displays the current reload settings, and the time at which the next scheduled reload will take place. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 441 EXAMPLE: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:
  • Page 442: System Management Commands

    SYSTEM MANAGEMENT COMMANDS: These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 36: System Management Commands. Columns: Command Group, Function. Device Designation: Configures information that uniquely identifies this switch. Banner Information: Configures administrative contact, device identification and location...
  • Page 443: Hostname

    Chapter: System Management Commands | Banner Information. hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name. SYNTAX: hostname name; no hostname. name - The name of this host. (Maximum length: 255 characters) DEFAULT SETTING: None...
  • Page 444: Banner Configure

    Table 38: Banner Commands (Continued). Columns: Command, Function, Mode. banner configure manager-info: Configures the Manager contact information that is displayed by banner. banner configure mux: Configures the MUX information that is displayed by banner. banner configure note: Configures miscellaneous information that is displayed by banner under the Notes heading...
  • Page 445: Banner Configure Company

    Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.1 Note: This is a random note about this managed switch and can contain miscellaneous information.
  • Page 446: Banner Configure Dc-Power-Info

    banner configure dc-power-info: This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. SYNTAX: banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id; no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 447: Banner Configure Equipment-Info

    COMMAND MODE: Global Configuration. COMMAND USAGE: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 448: Banner Configure Equipment-Location

    EXAMPLE: Console(config)#banner configure equipment-info manufacturer-id DG-FS4528P floor 3 row 10 rack 15 shelf-rack 12 manufacturer DIGISOL Console(config)# banner configure equipment-location: This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 449: Banner Configure Lp-Number

    COMMAND MODE: Global Configuration. COMMAND USAGE: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 450: Banner Configure Manager-Info

    banner configure manager-info: This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. SYNTAX: banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]; no banner configure manager-info [name1 | name2 | name3]...
  • Page 451: Banner Configure Note

    DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 452: Show Banner

    R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis DIGISOL- DG-FS4528P Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 453: Show Access-List Tcam-Utilization

    Chapter: System Management Commands | System Status. show access-list tcam-utilization: This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use. COMMAND MODE: Privileged Exec. COMMAND...
  • Page 454: Show Running-Config

    EXAMPLE: Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show running-config: This command displays the configuration information currently in use. SYNTAX: show running-config interface interface; ethernet unit/port; unit - Unit identifier.
  • Page 455: Show Startup-Config

    EXAMPLE: Console#show running-config Building startup configuration. Please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-17-7c-00-00-fd_00</stackingMac> sntp server 0.0.0.0 0.0.0.0 0.0.0.0 no dot1q-tunnel system-tunnel-control snmp-server community public ro snmp-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca...
  • Page 456: Show System

    For a description of the items shown by this command, refer to “Displaying System Information.” EXAMPLE: Console#show system System Description: DIGISOL FE L2 Switch DG-FS4528P System OID String: 1.3.6.1.4.1.36293.1.1.1.8 System Information System Up Time: 0 days, 0 hours, 5 minutes, and 41.90 seconds...
  • Page 457: Show Tech-Support

    EXAMPLE: Console#show tech-support show system: System Description: DIGISOL FE L2 Switch DG-FS4528P System OID String: 1.3.6.1.4.1.36293.1.1.1.8 System Information System Up Time: 0 days, 2 hours, 17 minutes, and 6.23 seconds...
  • Page 458: Show Version

    EXAMPLE: Console#show users User Name Accounts: User Name Privilege Public-Key --------- --------- ---------- admin 15 None guest 0 None steve Online Users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console admin 0:14:14...
  • Page 459: Frame Size

    Chapter: System Management Commands | Frame Size. This section describes commands used to configure the Ethernet frame size on the switch. Table 40: Frame Size Commands. Columns: Command, Function, Mode. jumbo frame: Enables support for jumbo frames. jumbo frame: This command enables support for jumbo frames for Gigabit Ethernet ports.
  • Page 460: File Management

    Chapter: System Management Commands | File Management. Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 461: Boot System

    boot system: This command specifies the file or image used to start up the system. SYNTAX: boot system {boot-rom | config | opcode}: filename. boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code. filename - Name of configuration file or code image.
  • Page 462: Copy

    copy: This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 463 The Boot ROM and Loader can be downloaded from an FTP/TFTP server, but cannot be uploaded from the switch to a file server. For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate.” For information on configuring the switch to use HTTPS for a secure connection, see the ip http secure- server command.
  • Page 464 The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 465: Delete

    delete: This command deletes a file or image. SYNTAX: delete filename. filename - Name of configuration file or code image. COMMAND MODE: Privileged Exec. COMMAND USAGE: If the file type is used for system startup, then this file cannot be deleted.
  • Page 466: Dir

    EXAMPLE: This example deletes all non-startup files. Console#delete non-active Are you sure to delete non-active file(s)? [Y]es/[N]o: Unit 1: Success to delete [DG-FS4528P_op_V1.4.2.1.bix] Factory Default Configuration file couldn't be deleted. Console# RELATED COMMANDS: dir (466), delete public-key (575). This command displays a list of files in flash memory.
  • Page 467: Whichboot

    EXAMPLE: The following example shows how to display all file information: Console#dir File name File type Startup Size (byte) ------------------------------------- -------------- ------- ----------- Unit1: DG-FS4528P-DIAG-V1.2.1.0.bix Boot-Rom Image 1404800 DG-FS4528P_OP_V1.4.8.2.bix Operation Code 4842204 Factory_Default_Config.cfg Config File startup1.cfg Config File 3972...
  • Page 468 The name for the new image stored on the TFTP server must be DG-FS4528P.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
  • Page 469: Upgrade Opcode Path

    upgrade opcode path: This command specifies a TFTP server and directory in which the new opcode is stored. Use the no form of this command to clear the current path setting. SYNTAX: upgrade opcode path opcode-dir-url; no upgrade opcode path. opcode-dir-url - The location of the new code.
  • Page 470: Show Upgrade

    Console#show upgrade Status : Enabled Path : tftp://192.168.0.1/SM24/ File Name : DG-FS4528P.bix Console# You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 471: Line

    Chapter: System Management Commands | Line. Table 43: Line Commands (Continued). Columns: Command, Function, Mode. disconnect: Terminates a line connection. show line: Displays a terminal line's parameters (NE, PE). * These commands only apply to the serial port. line: This command identifies a specific line for configuration, and to process subsequent line configuration commands.
  • Page 472: Databits

    databits: This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. SYNTAX: databits {7 | 8}; no databits. 7 - Seven data bits per character.
  • Page 473: Login

    COMMAND USAGE: If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. This command applies to both the local console and Telnet connections. The timeout for Telnet cannot be disabled. Using the command without specifying a timeout restores the default setting.
  • Page 474: Parity

    This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers. EXAMPLE: Console(config-line)#login local Console(config-line)# RELATED COMMANDS...
  • Page 475: Password

    password: This command specifies the password for a line. Use the no form to remove the password. SYNTAX: password {0 | 7} password; no password. {0 | 7} - 0 means plain password, 7 means encrypted password. password - Character string that specifies the line password.
  • Page 476: Password-Thresh

    password-thresh: This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. SYNTAX: password-thresh [threshold]; no password-thresh. threshold - The number of allowed password attempts. (Range: 1-120;...
  • Page 477: Speed

    COMMAND MODE: Line Configuration. EXAMPLE: To set the silent time to 60 seconds, enter this command: Console(config-line)#silent-time 60 Console(config-line)# RELATED COMMANDS: password-thresh (476). speed: This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
  • Page 478: Stopbits

    stopbits: This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. SYNTAX: stopbits {1 | 2}; no stopbits. 1 - One stop bit. 2 - Two stop bits. DEFAULT SETTING...
  • Page 479: Disconnect

    Using the command without specifying a timeout restores the default setting. EXAMPLE: To set the timeout to two minutes, enter this command: Console(config-line)#timeout login response 120 Console(config-line)# disconnect: This command terminates an SSH, Telnet, or console connection. SYNTAX: disconnect session-id. session-id –...
  • Page 480: Event Logging

    Chapter: System Management Commands | Event Logging. EXAMPLE: To show all lines, enter this command: Console#show line Console Configuration: Password Threshold : 3 times Inactive Timeout : Disabled Login Timeout : Disabled Silent Time : Disabled Baud Rate : Auto Data Bits Parity : None...
  • Page 481: Logging Facility

    logging facility: This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default. SYNTAX: logging facility type; no logging facility. type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
  • Page 482: Logging Host

    Table 45: Logging Levels (Continued). Columns: Level, Severity Name, Description. warnings: Warning conditions (e.g., return false, unexpected return). errors: Error conditions (e.g., invalid input, default used). critical: Critical conditions (e.g., memory allocation, or free memory error - resource exhausted). alerts: Immediate action needed...
  • Page 483: Logging On

    EXAMPLE: Console(config)#logging host 10.1.0.3 Console(config)# logging on: This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process. SYNTAX: [no] logging on. DEFAULT SETTING: None...
  • Page 484: Clear Log

    DEFAULT SETTING: Disabled; Level 7. COMMAND MODE: Global Configuration. COMMAND USAGE: Using this command with a specified level enables remote logging and sets the minimum severity level to be saved. Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
  • Page 485: Show Log

    show log: This command displays the log messages stored in local memory. SYNTAX: show log {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 486: Table 46: Show Logging Flash/Ram - Display Description

    EXAMPLE: The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0). Console#show logging flash Syslog logging: Enabled...
  • Page 487: SMTP Alerts

    Chapter: System Management Commands | SMTP Alerts. RELATED COMMANDS: show logging sendmail (490). These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 48: Event Logging Commands. Columns: Command, Function, Mode...
  • Page 488: Logging Sendmail Host

    DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. EXAMPLE: Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail host: This command specifies SMTP servers that will be sent alert messages.
  • Page 489: Logging Sendmail Level

    logging sendmail level: This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. SYNTAX: logging sendmail level level; no logging sendmail level. level - One of the system message levels (page 481).
  • Page 490: Show Logging Sendmail

    Chapter: System Management Commands | Time. EXAMPLE: Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging sendmail: This command displays the settings for the SMTP event handler. COMMAND MODE: Normal Exec, Privileged Exec. EXAMPLE: Console#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com...
  • Page 491: Sntp Client

    Table 49: Time Commands (Continued). Columns: Command, Function, Mode. ntp server: Specifies NTP servers to poll for time updates. show ntp: Shows current NTP configuration settings (NE, PE). Manual Configuration Commands: clock summer-time (date): Configures summer time for the switch’s internal clock...
  • Page 492: Sntp Poll

    Current Time: Dec 23 02:52:44 2002 Poll Interval: 60 Current Mode: unicast SNTP Status : Enabled SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0 Current Server: 137.92.140.80 Console# RELATED COMMANDS: sntp server (492), sntp poll (492), show sntp (493). sntp poll: This command sets the interval between sending time requests when the switch is set to SNTP client mode.
  • Page 493: Show Sntp

    DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received.
  • Page 494: Ntp Authenticate

    ntp authenticate: This command enables authentication for NTP client-server communications. Use the no form to disable authentication. SYNTAX: [no] ntp authenticate. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers.
  • Page 495: Ntp Client

    COMMAND USAGE: The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch. Re-enter this command for each server you want to configure. Note that NTP authentication key numbers and values must match on both the server and client.
  • Page 496: Ntp Server

    EXAMPLE: Console(config)#ntp client Console(config)# RELATED COMMANDS: sntp client (491), ntp server (496). ntp server: This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list.
  • Page 497: Show Ntp

    EXAMPLE: Console(config)#ntp server 192.168.3.20 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)# RELATED COMMANDS: ntp client (495), show ntp (497). show ntp: This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.
  • Page 498: Clock Summer-Time (Date)

    clock summer-time (date): This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time. SYNTAX: clock summer-time name date b-month b-day b-year b-hour b-minute e-month e-day e-year e-hour e-minute offset; no clock summer-time...
  • Page 499: Clock Summer-Time (Predefined)

    This command sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone.
  • Page 500: Clock Summer-Time (Recurring)

    Table 50: Predefined Summer-Time Parameters (columns: Region; Start Time, Day, Week, & Month; End Time, Day, Week, & Month; Rel. Offset)
    Australia - Start: 00:00:00, Sunday, Week 5 of October; End: 23:59:59, Sunday, Week 5 of March; Rel. Offset: 60 min
    Europe - 00:00:00, Sunday, 23:59:59, Sunday,...
  • Page 501

    e-day - The day of the week summer time will end. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday)
    e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
    e-hour - The hour when summer time will end.
  • Page 502: Clock Timezone

    clock timezone: This command sets the time zone for the switch’s internal clock.
    Syntax:
    clock timezone name hour hours minute minutes {before-utc | after-utc}
    name - Name of timezone, usually an acronym. (Range: 1-30 characters)
    hours - Number of hours before/after UTC.
  • Page 503: Calendar Set

    Default Setting: GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London
    Command Mode: Global Configuration
    Command Usage: This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 504: Show Calendar

    Example: This example shows how to set the system clock to 15:12:34, February 1st, 2002.
    Console#calendar set 15:12:34 1 February 2002
    Console#
    show calendar: This command displays the system clock.
    Default Setting: None
    Command Mode: Normal Exec, Privileged Exec
    Example:...
  • Page 505: Absolute

    Default Setting: None
    Command Mode: Global Configuration
    Command Usage: This command sets a time range for use by other functions, such as Access Control Lists.
    Example:
    Console(config)#time-range r&d
    Console(config-time-range)#
    Related Commands: Access Control Lists (649)
    absolute: This command sets the time range for the execution of a command.
  • Page 506: Periodic

    Example: This example configures the time for the single occurrence of an event.
    Console(config)#time-range r&d
    Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009
    Console(config-time-range)#
    periodic: This command sets the time range for the periodic execution of a command.
  • Page 507: Show Time-Range

    show time-range: This command shows configured time ranges.
    Syntax:
    show time-range [name]
    name - Name of the time range. (Range: 1-30 characters)
    Default Setting: None
    Command Mode: Privileged Exec
    Example:
    Console#show time-range r&d
    Time-range r&d:
    absolute start 01:01 01 April 2009
    periodic Daily 01:01 to...
  • Page 508: Cluster

    then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
  • Page 509: Cluster Commander

    Example:
    Console(config)#cluster
    Console(config)#
    cluster commander: This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander.
    Syntax:
    [no] cluster commander
    Default Setting: Disabled
    Command Mode: Global Configuration
    Command Usage:...
  • Page 510: Cluster Member

    Command Usage: An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
  • Page 511: Rcommand

    There is no need to enter the username and password for access to the Member switch CLI.
    Example:
    Console#rcommand id 1
    CLI session with the DG-FS4528P is opened.
    To end the CLI session, enter [Exit].
    Vty-0#
    show cluster: This command shows the switch clustering configuration.
  • Page 512: Show Cluster Members

    Console#show cluster members
    Cluster Members:
    Role : Active member
    IP Address : 10.254.254.2
    MAC Address : 00-17-7C-00-00-FE
    Description: DIGISOL FE L2 Switch DG-FS4528P
    Console#
    show cluster candidates: This command shows the discovered Candidate switches in the network.
    Command Mode: Privileged Exec...
  • Page 513: Upnp Device

    Table 53: UPnP Commands (Continued) (columns: Command, Function, Mode)
    upnp device advertise duration - Sets the advertisement duration of the device
    show upnp - Displays UPnP status and parameters
    upnp device: This command enables UPnP on the device. Use the no form to disable UPnP.
  • Page 514: Upnp Device Advertise Duration

    Command Usage: UPnP devices and control points must be within the local network, that is within the TTL value for multicast messages.
    Example: In the following example, the TTL is set to 6.
    Console(config)#upnp device ttl 6
    Console(config)#
    upnp device advertise duration: This command sets the duration for which a device will advertise its...
  • Page 515

    TTL:
    Console#
  • Page 516: Snmp Commands

    SNMP COMMANDS
    Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 517: Snmp-Server

    Table 54: SNMP Commands (Continued) (columns: Command, Function, Mode)
    SNMP Trap Commands
    snmp-server enable traps - Enables the device to send SNMP traps (i.e., SNMP notifications)
    snmp-server host - Specifies the recipient of an SNMP notification operation
    MAC Notification Commands
    snmp-server enable traps mac-notification - Globally enables traps when changes occur for...
  • Page 518: Snmp-Server Community

    Command Mode: Global Configuration
    Example:
    Console(config)#snmp-server
    Console(config)#
    snmp-server community: This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
    Syntax:
    snmp-server community string [ro | rw]
    no snmp-server community string...
  • Page 519: Snmp-Server Location

    Default Setting: None
    Command Mode: Global Configuration
    Example:
    Console(config)#snmp-server contact Paul
    Console(config)#
    Related Commands: snmp-server location (519)
    snmp-server location: This command sets the system location string. Use the no form to remove the location string.
    Syntax:
    snmp-server location text
    no snmp-server location
    text - String that describes the system location.
  • Page 520: Snmp-Server Engine-Id

    Command Usage: This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
    Example:
    Console#show snmp
    SNMP Agent : Enabled...
  • Page 521

    engineid-string - String identifying the engine ID. (Range: 1-26 hexadecimal characters)
    Default Setting: A unique engine ID is automatically generated by the switch based on its MAC address.
    Command Mode: Global Configuration
    Command Usage: An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device.
  • Page 522: Snmp-Server Group

    snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
    Syntax:
    snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
    no snmp-server group groupname
    groupname - Name of an SNMP group.
  • Page 523: Snmp-Server User

    snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
    Syntax:
    snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]...
  • Page 524: Snmp-Server View

    Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent’s SNMP engine ID is used to compute authentication/privacy digests from the user’s password.
  • Page 525: Show Snmp Engine-Id

    Examples: This view includes MIB-2.
    Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
    Console(config)#
    This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
    Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
    Console(config)#
    This view includes the MIB-2 interfaces table, and the mask selects all index entries.
  • Page 526: Show Snmp Group

    show snmp group: Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
    Command Mode: Privileged Exec
    Example:
    Console#show snmp group
    Group Name: r&d
    Security Model: v3
    Read View: defaultview
    Write View: daily
    Notify View: none...
  • Page 527: Show Snmp User

    Table 56: show snmp group - display description (Continued) (columns: Field, Description)
    notifyview - The associated notify view.
    storage-type - The storage type for this entry.
    Row Status - The row status of this entry.
    show snmp user: This command shows information on SNMP users.
    Command Mode: Privileged Exec
    Example:...
  • Page 528: Show Snmp View

    show snmp view: This command shows information on the SNMP views.
    Command Mode: Privileged Exec
    Example:
    Console#show snmp view
    View Name: mib-2
    Subtree OID: 1.2.2.3.6.2.1
    View Type: included
    Storage Type: permanent
    Row Status: active
    View Name: defaultview
    Subtree OID: 1
    View Type: included
    Storage Type: volatile...
  • Page 529

    Command Mode: Global Configuration
    Command Usage: If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
  • Page 530: Snmp-Server Host

    snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
    Syntax:
    snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}
    no snmp-server host host-addr
    host-addr - Internet address of the host (the targeted recipient).
  • Page 531

    enable multiple hosts, you must issue a separate snmp-server host command for each host. The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally.
  • Page 532: Snmp-Server Enable Traps Mac-Notification

    Example:
    Console(config)#snmp-server host 10.1.19.23 batman
    Console(config)#
    Related Commands: snmp-server enable traps (528)
    snmp-server enable traps mac-notification: This command globally enables the sending of trap messages when dynamic addresses are added to or removed from the MAC address table. Use the no form without any keywords to disable these traps.
  • Page 533: Snmp-Server Enable Port-Traps Mac-Notification

    Example: This example enables MAC notification traps, and sets the reporting interval to 10 seconds.
    Console(config)#snmp-server enable traps mac-notification interval 10
    Console(config)#
    Related Commands: show snmp (519)
    snmp-server enable port-traps mac-notification: This command sends a trap when dynamic addresses are added to or removed from the MAC address table for an interface.
  • Page 534: Show Snmp-Server Enable Port-Traps Interface

    show snmp-server enable port-traps interface: This command shows if trap messages will be sent when changes occur to dynamic entries in the MAC address table for an interface.
    Syntax:
    show snmp-server enable port-traps interface [interface]
    interface
    ethernet unit/port
    unit - Unit identifier.
  • Page 535: Flow Sampling Commands

    FLOW SAMPLING COMMANDS
    Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 536: Sflow Source

    Command Mode: Global Configuration
    Command Usage: Flow sampling must be enabled globally on the switch, as well as for those ports where it is required (see the sflow source command).
    Example:
    Console(config)#sflow
    Console(config)#
    sflow source: This command enables sFlow on the source ports to be monitored. Use the no form to disable sFlow on the specified ports.
  • Page 537: Sflow Sample

    sflow sample: This command configures the packet sampling rate. Use the no form to restore the default rate.
    Syntax:
    sflow sample rate
    no sflow sample
    rate - The packet sampling rate, or the number of packets out of which one sample will be taken.
  • Page 538: Sflow Owner

    sflow owner: This command configures the name of the receiver (i.e., sFlow Collector). Use the no form to remove this name.
    Syntax:
    sflow owner name
    no sflow owner
    name - The name of the receiver. (Range: 1-256 characters)
    Default Setting: None...
  • Page 539: Sflow Destination

    Example: This example sets the time out to 1000 seconds.
    Console(config)#interface ethernet 1/9
    Console(config-if)#sflow timeout 10000
    Console(config-if)#
    sflow destination: This command configures the IP address and UDP port used by the Collector. Use the no form to restore the default settings.
    Syntax:
    sflow destination ipv4 ip-address [destination-udp-port]
    no sflow destination...
  • Page 540: Sflow Max-Datagram-Size

    Command Mode: Interface Configuration (Ethernet)
    Example:
    Console(config)#interface ethernet 1/9
    Console(config-if)#sflow max-header-size 256
    Console(config-if)#
    sflow max-datagram-size: This command configures the maximum size of the sFlow datagram payload. Use the no form to restore the default setting.
    Syntax:
    sflow max-datagram-size max-datagram-size
    no max-datagram-size...
  • Page 541

    Example:
    Console#show sflow
    sFlow global status : Enabled
    Console#sh sf int e 1/9
    Interface of Ethernet
    Interface status : Enabled
    Owner name : Lamar
    Owner destination : 192.168.0.4
    Owner socket port : 6343
    Time out : 10000
    Maximum header size : 256...
  • Page 542: Authentication Commands

    AUTHENTICATION COMMANDS
    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 543: User Accounts

    USER ACCOUNTS
    The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 470), user authentication via a remote authentication server (page 542), and host access authentication...
  • Page 544: Username

    Example:
    Console(config)#enable password level 15 0 admin
    Console(config)#
    Related Commands: enable (436), authentication enable (545)
    username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level.
  • Page 545: Authentication Sequence

    Example: This example shows how to set the access level and password for a user.
    Console(config)#username bob access-level 15
    Console(config)#username bob password 0 smith
    Console(config)#
    AUTHENTICATION SEQUENCE
    Three authentication methods can be specified to authenticate users logging into the system for management access.
  • Page 546: Authentication Login

    RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. You can specify three authentication methods in a single command to indicate the authentication sequence.
  • Page 547: Radius Client

    “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
  • Page 548: Radius-Server Auth-Port

    Command Mode: Global Configuration
    Example:
    Console(config)#radius-server acct-port 181
    Console(config)#
    radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default.
    Syntax:
    radius-server auth-port port-number
    no radius-server auth-port
    port-number - RADIUS server UDP port used for authentication messages.
  • Page 549: Radius-Server Key

    key - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters)
    retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 550: Radius-Server Retransmit

    radius-server retransmit: This command sets the number of retries. Use the no form to restore the default.
    Syntax:
    radius-server retransmit number-of-retries
    no radius-server retransmit
    number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 551: Show Radius-Server

    show radius-server: This command displays the current settings for the RADIUS server.
    Default Setting: None
    Command Mode: Privileged Exec
    Example:
    Console#show radius-server
    Remote RADIUS Server Configuration:
    Global Settings:
    Authentication Port: 1812
    Accounting Port: 1813
    Retransmit Times:
    Request Timeout:
    Server 1:
    Server IP Address:...
  • Page 552: Tacacs-Server

    Table 65: TACACS+ Client Commands (Continued) (columns: Command, Function, Mode)
    tacacs-server timeout - Sets the interval before resending an authentication request
    show tacacs-server - Shows the current TACACS+ settings
    tacacs-server: This command specifies the TACACS+ server and other optional parameters.
  • Page 553: Tacacs-Server Key

    Command Mode: Global Configuration
    Example:
    Console(config)#tacacs-server host 192.168.1.25
    Console(config)#
    tacacs-server key: This command sets the TACACS+ encryption key. Use the no form to restore the default.
    Syntax:
    tacacs-server key key-string
    no tacacs-server key
    key-string - Encryption key used to authenticate logon access for the client.
  • Page 554: Tacacs-Server Retransmit

    Example:
    Console(config)#tacacs-server port 181
    Console(config)#
    tacacs-server retransmit: This command sets the number of retries. Use the no form to restore the default.
    Syntax:
    tacacs-server retransmit number-of-retries
    no tacacs-server retransmit
    number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
  • Page 555: Show Tacacs-Server

    show tacacs-server: This command displays the current settings for the TACACS+ server.
    Default Setting: None
    Command Mode: Privileged Exec
    Example:
    Console#show tacacs-server
    Remote TACACS+ server configuration:
    Global Settings:
    Server Port Number:
    Retransmit Times
    Request Times
    Server 1:
    Server IP address: 1.2.3.4
    Server port number:...
  • Page 556: Aaa Accounting Commands

    Table 66: AAA Commands (Continued) (columns: Command, Function, Mode)
    accounting dot1x - Applies an accounting method to an interface for 802.1X service requests
    accounting commands - Applies an accounting method to CLI commands entered by a user (Mode: Line)
    accounting exec - Applies an accounting method to local console, Telnet or SSH connections (Mode: Line)...
  • Page 557: Aaa Accounting Dot1X

    TACACS+ server, and do not actually send any information to the server about the methods to use.
    Example:
    Console(config)#aaa accounting commands 15 default start-stop group tacacs+
    Console(config)#
    aaa accounting dot1x: This command enables the accounting of requested 802.1X services for network access.
  • Page 558: Aaa Accounting Exec

    aaa accounting exec: This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
    Syntax:
    aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
    no aaa accounting exec {default | method-name}
    default - Specifies the default accounting method for service requests.
  • Page 559: Aaa Accounting Update

    aaa accounting update: This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
    Syntax:
    aaa accounting update [periodic interval]
    no aaa accounting update
    interval - Sends an interim accounting record to the server at this interval.
  • Page 560: Aaa Group Server

    Default Setting:
    Authorization is not enabled
    No servers are specified
    Command Mode: Global Configuration
    Command Usage: This command performs authorization to determine if a user is allowed to run an Exec shell. AAA authentication must be enabled before authorization is enabled. If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method...
  • Page 561: Server

    server: This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group.
    Syntax:
    [no] server {index | ip-address}
    index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1)
    ip-address - Specifies the host IP address of a server.
  • Page 562: Accounting Commands

    Example:
    Console(config)#interface ethernet 1/2
    Console(config-if)#accounting dot1x tps
    Console(config-if)#
    accounting commands: This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands.
    Syntax:
    accounting commands level {default | list-name}
    no accounting commands level
    level - The privilege level for executing commands.
  • Page 563: Authorization Exec

    Command Mode: Line Configuration
    Example:
    Console(config)#line console
    Console(config-line)#accounting exec tps
    Console(config-line)#exit
    Console(config)#line vty
    Console(config-line)#accounting exec default
    Console(config-line)#
    authorization exec: This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line.
    Syntax:
    authorization exec {default | list-name}
    no authorization exec...
  • Page 564: Show Accounting

    show accounting: This command displays the current accounting settings per function and per port.
    Syntax:
    show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]
    commands - Displays command accounting information.
    level - Displays command accounting information for a specifiable command level.
  • Page 565: Web Server

    WEB SERVER
    This section describes commands used to configure web browser management access to the switch.
    Table 67: Web Server Commands (columns: Command, Function, Mode)
    ip http port - Specifies the port to be used by the web browser interface
    ip http secure-port - Specifies the UDP port number for HTTPS...
  • Page 566: Ip Http Secure-Port

    ip http secure-port: This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
    Syntax:
    ip http secure-port port-number
    no ip http secure-port
    port-number –...
  • Page 567: Table 68: Https System Support

    Command Usage: Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port-number]
    When you start HTTPS, the connection is established in this way: The client authenticates the server using the server’s digital...
  • Page 568: Ip Http Server

    ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
    Syntax:
    [no] ip http server
    Default Setting: Enabled
    Command Mode: Global Configuration
    Example:
    Console(config)#ip http server
    Console(config)#...
  • Page 569: Ip Telnet Server

    ip telnet server: This command allows this device to be monitored or configured from Telnet. It also specifies the TCP port number used by the Telnet interface. Use the no form without the “port” keyword to disable this function. Use the no form with the “port”...
  • Page 570

    Table 70: Secure Shell Commands (Continued) (columns: Command, Function, Mode)
    copy tftp public-key - Copies the user’s public key from a TFTP server to the switch
    delete public-key - Deletes the public key for the specified user
    disconnect - Terminates a line connection
    ip ssh crypto host-key...
  • Page 571

    Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch with the username command.)
  • Page 572: Ip Ssh Authentication-Retries

    The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
  • Page 573: Ip Ssh Server

    Related Commands: show ip ssh (577)
    ip ssh server: This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
    Syntax:
    [no] ip ssh server
    Default Setting: Disabled
    Command Mode...
  • Page 574: Ip Ssh Timeout

    Default Setting: 768 bits
    Command Mode: Global Configuration
    Command Usage: The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits.
    Example:
    Console(config)#ip ssh server-key size 512
    Console(config)#
  • Page 575: Delete Public-Key

    delete public-key: This command deletes the specified user’s public key.
    Syntax:
    delete public-key username [dsa | rsa]
    username – Name of an SSH user. (Range: 1-8 characters)
    dsa – DSA public key type.
    rsa – RSA public key type.
    Default Setting: Deletes both the DSA and RSA key.
  • Page 576: Ip Ssh Crypto Zeroize

    Example:
    Console#ip ssh crypto host-key generate dsa
    Console#
    Related Commands: ip ssh crypto zeroize (576), ip ssh save host-key (577)
    ip ssh crypto zeroize: This command clears the host key from memory (i.e. RAM).
    Syntax:
    ip ssh crypto zeroize [dsa | rsa]
    dsa –...
  • Page 577: Ip Ssh Save Host-Key

    ip ssh save host-key: This command saves the host key from RAM to flash memory.
    Syntax:
    ip ssh save host-key
    Default Setting: Saves both the DSA and RSA key.
    Command Mode: Privileged Exec
    Example:
    Console#ip ssh save host-key dsa
    Console#
    Related Commands:...
  • Page 578: Show Ssh

    Command Usage: If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed. When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
  • Page 579: Port Authentication

    Table 71: show ssh - display description (Continued) (columns: Field, Description)
    State - The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
    Username - The user name of the client.
    802.1X PORT AUTHENTICATION
    The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication.
  • Page 580: Dot1X Default

    Table 72: 802.1X Port Authentication Commands (Continued) (columns: Command, Function, Mode)
    dot1x timeout auth-period - Sets the time that a supplicant port waits for a response from the authenticator
    dot1x timeout held-period - Sets the time a port waits after the maximum start count has been exceeded before attempting to find another authenticator
    dot1x timeout start-period...
  • Page 581: Dot1X System-Auth-Control

    Example: This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
    Console(config)#dot1x eapol-pass-through
    Console(config)#
    dot1x system-auth-control: This command enables IEEE 802.1X port authentication globally on the switch.
  • Page 582: Dot1X Max-Req

    Example:
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x intrusion-action guest-vlan
    Console(config-if)#
    dot1x max-req: This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 583: Dot1X Port-Control

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    DEFAULT: Single-host
    COMMAND MODE: Interface Configuration
    COMMAND USAGE: The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command. In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
  • Page 584: Dot1X Re-Authentication

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x port-control auto
    Console(config-if)#
    dot1x re-authentication
    This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
    SYNTAX
    [no] dot1x re-authentication
    COMMAND MODE: Interface Configuration
    COMMAND USAGE: The re-authentication process verifies the connected client’s user ID...
  • Page 585: Dot1X Timeout Re-Authperiod

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    COMMAND MODE: Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout quiet-period 350
    Console(config-if)#
    dot1x timeout re-authperiod
    This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
    SYNTAX
    dot1x timeout re-authperiod seconds...
  • Page 586: Dot1X Timeout Tx-Period

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    COMMAND USAGE: This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
  • Page 587: Dot1X Identity Profile

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    COMMAND MODE: Privileged Exec
    COMMAND USAGE: The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
  • Page 588: Dot1X Max-Start

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    dot1x max-start
    This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. Use the no form to restore the default value.
    SYNTAX
    dot1x max-start count
    no dot1x max-start...
  • Page 589: Dot1X Timeout Auth-Period

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
    EXAMPLE
    Console(config)#interface ethernet 1/2
    Console(config-if)#dot1x pae supplicant
    Console(config-if)#
    dot1x timeout auth-period
    This command sets the time that a supplicant port waits for a response from the authenticator.
  • Page 590: Dot1X Timeout Start-Period

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    COMMAND MODE: Interface Configuration
    EXAMPLE
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout held-period 120
    Console(config-if)#
    dot1x timeout start-period
    This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
  • Page 591

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    COMMAND USAGE: This command displays the following information:
    Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 581).
    Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 580).
  • Page 592

    CHAPTER | Authentication Commands | 802.1X Port Authentication
    Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
    Backend State Machine
    State – Current state (including request, response, success, fail, timeout, idle, initialize).
    Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
  • Page 593: Management Ip Filter

    CHAPTER | Authentication Commands | Management IP Filter
    Authenticator State Machine
    State : Authenticated
    Reauth Count
    Current Identifier
    Backend State Machine
    State : Idle
    Request Count
    Identifier(Server)
    Reauthentication State Machine
    State : Initialize
    Console#
    MANAGEMENT IP FILTER
    This section describes commands used to configure IP management access to the switch.
  • Page 594: Show Management

    CHAPTER | Authentication Commands | Management IP Filter
    COMMAND USAGE: If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 595: Pppoe Intermediate Agent

    CHAPTER | Authentication Commands | PPPoE Intermediate Agent
    EXAMPLE
    Console#show management all-client
    Management Ip Filter
    HTTP-Client:
    Start IP address End IP address
    -----------------------------------------------
    1. 192.168.1.19 192.168.1.19
    2. 192.168.1.25 192.168.1.30
    SNMP-Client:
    Start IP address End IP address
    -----------------------------------------------
    1. 192.168.1.19 192.168.1.19
    2. 192.168.1.25 192.168.1.30
    TELNET-Client:
    Start IP address...
  • Page 596: Pppoe Intermediate-Agent

    CHAPTER | Authentication Commands | PPPoE Intermediate Agent
    pppoe intermediate-agent
    This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
    SYNTAX
    [no] pppoe intermediate-agent
    DEFAULT SETTING: Disabled
    COMMAND MODE: Global Configuration
    COMMAND USAGE: The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the...
  • Page 597: Pppoe Intermediate-Agent Port-Enable

    CHAPTER | Authentication Commands | PPPoE Intermediate Agent
    DEFAULT SETTING
    Access Node Identifier: IP address of the management interface
    Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
    COMMAND MODE: Global Configuration
    COMMAND USAGE: The switch uses the access-node-identifier to generate the circuit-id for PPPoE discovery stage packets sent to the BRAS, but does not modify the source or destination MAC address of these PPPoE discovery...
  • Page 598: Pppoe Intermediate-Agent Port-Format-Type

    CHAPTER | Authentication Commands | PPPoE Intermediate Agent
    pppoe intermediate-agent port-format-type
    This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings.
    SYNTAX
    pppoe intermediate-agent port-format-type {circuit-id | remote-id} id-string
    circuit-id - String identifying the circuit identifier (or interface) on this switch to which the user is connected.
  • Page 599: Pppoe Intermediate-Agent Trust

    CHAPTER | Authentication Commands | PPPoE Intermediate Agent
    pppoe intermediate-agent trust
    This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.
    SYNTAX
    [no] pppoe intermediate-agent trust
    DEFAULT...
  • Page 600: Clear Pppoe Intermediate-Agent Statistics

    CHAPTER | Authentication Commands | PPPoE Intermediate Agent
    EXAMPLE
    Console(config)#int ethernet 1/5
    Console(config-if)#pppoe intermediate-agent vendor-tag strip
    Console(config-if)#
    clear pppoe intermediate-agent statistics
    This command clears statistical counters for the PPPoE Intermediate Agent.
    SYNTAX
    clear pppoe intermediate-agent statistics interface [interface]
    interface
    ethernet unit/port
    unit - Stack unit.
  • Page 601: Show Pppoe Intermediate-Agent Statistics

    CHAPTER | Authentication Commands | PPPoE Intermediate Agent
    PPPoE Intermediate Agent Generic Error Message
    PPPoE Discover packet too large to process. Try reducing the number of tags added.
    Console#show pppoe intermediate-agent info interface ethernet 1/1
    Interface PPPoE IA Trusted Vendor-Tag Strip Circuit-ID Remote-ID
    --------- -------- ------- ---------------- ------------ -----------------
    Eth 1/1...
  • Page 602: General Security Measures

    GENERAL SECURITY MEASURES
    This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter.
  • Page 603: Port Security

    CHAPTER | General Security Measures | Port Security
    PORT SECURITY
    These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 604

    CHAPTER | General Security Measures | Port Security
    COMMAND MODE: Interface Configuration (Ethernet)
    COMMAND USAGE: When port security is enabled with this command, the switch first clears all dynamically learned entries from the address table. It then starts learning new MAC addresses on the specified port, and stops learning addresses when it reaches a configured maximum number.
  • Page 605: Network Access (Mac Address Authentication)

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
    Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 606: Network-Access Aging

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    network-access aging
    Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
    SYNTAX
    [no] network-access aging
    DEFAULT...
  • Page 607: Mac-Authentication Reauth-Time

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    COMMAND MODE: Global Configuration
    COMMAND USAGE: Specified addresses are exempt from network access authentication. This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 608: Network-Access Dynamic-Qos

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    network-access dynamic-qos
    Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.
    SYNTAX
    [no] network-access dynamic-qos
    DEFAULT SETTING: Disabled
    COMMAND MODE: Interface Configuration
    COMMAND...
  • Page 609: Network-Access Dynamic-Vlan

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    network-access dynamic-vlan
    Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
    SYNTAX
    [no] network-access dynamic-vlan
    DEFAULT SETTING: Enabled
    COMMAND MODE: Interface Configuration
    COMMAND...
  • Page 610: Network-Access Link-Detection

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    COMMAND MODE: Interface Configuration
    COMMAND USAGE: The VLAN to be used as the guest VLAN must be defined and set as active (See the vlan database command). When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan”...
  • Page 611: Network-Access Link-Detection Link-Down

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    network-access link-detection link-down
    Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 612: Network-Access Link-Detection Link-Up-Down

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access link-detection link-up action trap
    Console(config-if)#
    network-access link-detection link-up-down
    Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 613: Network-Access Mode Mac-Authentication

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    COMMAND MODE: Interface Configuration
    COMMAND USAGE: The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failed.
  • Page 614: Network-Access Port-Mac-Filter

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
    The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 615: Mac-Authentication Intrusion-Action

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    mac-authentication intrusion-action
    Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
    SYNTAX
    mac-authentication intrusion-action {block traffic | pass traffic}
    no mac-authentication intrusion-action
    DEFAULT SETTING...
  • Page 616: Clear Network-Access Mac-Address-Table

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    clear network-access mac-address-table
    Use this command to clear entries from the secure MAC addresses table.
    SYNTAX
    clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
    static - Specifies static address entries.
    dynamic - Specifies dynamic address entries.
  • Page 617: Show Network-Access Mac-Address-Table

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication)
    EXAMPLE
    Console#show network-access interface ethernet 1/1
    Global secure port information
    Reauthentication Time : 1800
    --------------------------------------------------
    --------------------------------------------------
    Port : 1/1
    MAC Authentication : Disabled
    MAC Authentication Intrusion action : Block traffic
    MAC Authentication Maximum MAC Counts : 1024
    Maximum MAC Counts : 2048...
  • Page 618: Show Network-Access Mac-Filter

    CHAPTER | General Security Measures | Web Authentication
    00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
    EXAMPLE
    Console#show network-access mac-address-table
    Interface MAC Address RADIUS Server Time Attribute
    --------- ----------------- --------------- ------------------------- ---------
    Eth 1/ 1 00-17-7c-94-34-64 0.0.0.0 2001y 01m 01d 05h 57m 43s Static
    Eth 1/ 1 00-00-01-02-03-04...
  • Page 619: Web-Auth Login-Attempts

    CHAPTER | General Security Measures | Web Authentication
    RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence").
    Web authentication cannot be configured on trunk ports.
    Table 80: Web Authentication
    Command | Function | Mode
    web-auth login-attempts | Defines the limit for failed web authentication login attempts...
  • Page 620: Web-Auth Quiet-Period

    CHAPTER | General Security Measures | Web Authentication
    web-auth quiet-period
    This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
    SYNTAX
    web-auth quiet-period time
    no web-auth quiet-period...
  • Page 621: Web-Auth System-Auth-Control

    CHAPTER | General Security Measures | Web Authentication
    web-auth system-auth-control
    This command globally enables web authentication for the switch. Use the no form to restore the default.
    SYNTAX
    [no] web-auth system-auth-control
    DEFAULT SETTING: Disabled
    COMMAND MODE: Global Configuration
    COMMAND USAGE: Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
  • Page 622: Web-Auth Re-Authenticate (Port)

    CHAPTER | General Security Measures | Web Authentication
    web-auth re-authenticate (Port)
    This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
    SYNTAX
    web-auth re-authenticate interface interface
    interface - Specifies a port interface.
    ethernet unit/port
    unit - This is unit 1.
  • Page 623: Show Web-Auth

    CHAPTER | General Security Measures | Web Authentication
    show web-auth
    This command displays global web authentication parameters.
    COMMAND MODE: Privileged Exec
    EXAMPLE
    Console#show web-auth
    Global Web-Auth Parameters
    System Auth Control : Enabled
    Session Timeout : 3600
    Quiet Period : 60
    Max Login Attempts
    Console#
    show web-auth
    This command displays interface-specific web authentication parameters...
  • Page 624: Show Web-Auth Summary

    CHAPTER | General Security Measures | DHCP Snooping
    show web-auth summary
    This command displays a summary of web authentication port parameters and statistics.
    COMMAND MODE: Privileged Exec
    EXAMPLE
    Console#show web-auth summary
    Global Web-Auth Parameters
    System Auth Control : Enabled
    Port Status Authenticated Host Count
    ---- ------ ------------------------...
  • Page 625: Ip Dhcp Snooping

    CHAPTER | General Security Measures | DHCP Snooping
    Table 81: DHCP Snooping Commands
    Command | Function | Mode
    show ip dhcp snooping | Shows the DHCP snooping configuration settings
    show ip dhcp snooping binding | Shows the DHCP snooping binding table entries
    ip dhcp snooping
    This command enables DHCP snooping globally.
  • Page 626

    CHAPTER | General Security Measures | DHCP Snooping
    If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
    If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
  • Page 627: Ip Dhcp Snooping Information Option

    CHAPTER | General Security Measures | DHCP Snooping
    ip dhcp snooping information option
    This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of sub-type and sub-length in CID/RID fields, or the no form with the remote-id keyword to set the remote ID to...
  • Page 628: Ip Dhcp Snooping Information Policy

    CHAPTER | General Security Measures | DHCP Snooping
    When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • Page 629: Ip Dhcp Snooping Verify Mac-Address

    CHAPTER | General Security Measures | DHCP Snooping
    COMMAND USAGE: When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
  • Page 630: Ip Dhcp Snooping Vlan

    CHAPTER | General Security Measures | DHCP Snooping
    ip dhcp snooping vlan
    This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
    SYNTAX
    [no] ip dhcp snooping vlan vlan-id
    vlan-id - ID of a configured VLAN (Range: 1-4094)
    DEFAULT SETTING: Disabled...
  • Page 631: Ip Dhcp Snooping Information Option Circuit-Id String

    CHAPTER | General Security Measures | DHCP Snooping
    ip dhcp snooping information option circuit-id string
    This command sets the string used in the circuit-id sub-option field in DHCP Option 82 information. Use the no form to restore the default setting.
    SYNTAX
    ip dhcp snooping information option circuit-id string string
    no ip dhcp snooping information option circuit-id string
    string - An arbitrary string inserted into the circuit identifier field.
  • Page 632: Clear Ip Dhcp Snooping Database Flash

    CHAPTER | General Security Measures | DHCP Snooping
    command, DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
  • Page 633: Show Ip Dhcp Snooping

    CHAPTER | General Security Measures | DHCP Snooping
    EXAMPLE
    Console(config)#ip dhcp snooping database flash
    Console(config)#
    show ip dhcp snooping
    This command shows the DHCP snooping configuration settings.
    COMMAND MODE: Privileged Exec
    EXAMPLE
    Console#show ip dhcp snooping
    Global DHCP Snooping status: disabled
    DHCP Snooping Information Option Status: disabled
    DHCP Snooping Information Option Sub-option Format: extra subtype included
    DHCP Snooping Information Option Remote ID: mac address (hex encoded)
    DHCP Snooping Information Policy: replace...
  • Page 634: Ip Source Guard

    CHAPTER | General Security Measures | IP Source Guard
    IP SOURCE GUARD
    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping").
  • Page 635

    CHAPTER | General Security Measures | IP Source Guard
    COMMAND USAGE: Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command.
  • Page 636: Ip Source-Guard

    CHAPTER | General Security Measures | IP Source Guard
    ip source-guard
    This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
    SYNTAX
    ip source-guard {sip | sip-mac}
    no ip source-guard
    sip - Filters traffic based on IP addresses stored in the binding...
  • Page 637: Ip Source-Guard Max-Binding

    CHAPTER | General Security Measures | IP Source Guard
    Filtering rules are implemented as follows:
    If DHCP snooping is disabled (see page 625), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 638: Show Ip Source-Guard

    CHAPTER | General Security Measures | IP Source Guard
    COMMAND USAGE: This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 639: Arp Inspection

    CHAPTER | General Security Measures | ARP Inspection
    EXAMPLE
    Console#show ip source-guard binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    ----------------- --------------- ---------- -------------------- ---- --------
    11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5
    Console#
    ARP INSPECTION
    ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 640: Ip Arp Inspection

    CHAPTER | General Security Measures | ARP Inspection
    Table 83: ARP Inspection Commands (Continued)
    Command | Function | Mode
    show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons
    show ip arp inspection vlan | Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation...
  • Page 641: Ip Arp Inspection Filter

    CHAPTER | General Security Measures | ARP Inspection
    ip arp inspection filter
    This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
    SYNTAX
    ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
    arp-acl-name - Name of an ARP ACL.
  • Page 642: Ip Arp Inspection Log-Buffer Logs

    CHAPTER | General Security Measures | ARP Inspection
    ip arp inspection log-buffer logs
    This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
    SYNTAX
    ip arp inspection log-buffer logs message-number interval seconds
    no ip arp inspection log-buffer logs...
  • Page 643: Ip Arp Inspection Validate

    CHAPTER | General Security Measures | ARP Inspection
    ip arp inspection validate
    This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
    SYNTAX
    ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
    no ip arp inspection validate
    dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 644: Ip Arp Inspection Limit

    CHAPTER | General Security Measures | ARP Inspection
    DEFAULT SETTING: Disabled on all VLANs
    COMMAND MODE: Global Configuration
    COMMAND USAGE: When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 645: Ip Arp Inspection Trust

    CHAPTER | General Security Measures | ARP Inspection
    COMMAND MODE: Interface Configuration (Port)
    COMMAND USAGE: This command only applies to untrusted ports. When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip arp inspection limit 150...
  • Page 646: Show Ip Arp Inspection Configuration

    CHAPTER | General Security Measures | ARP Inspection
    show ip arp inspection configuration
    This command displays the global configuration settings for ARP Inspection.
    COMMAND MODE: Privileged Exec
    EXAMPLE
    Console#show ip arp inspection configuration
    ARP inspection global information:
    Global IP ARP Inspection status : disabled
    Log Message Interval : 10 s
    Log Message Number...
  • Page 647: Show Ip Arp Inspection Log

    CHAPTER | General Security Measures | ARP Inspection
    show ip arp inspection log
    This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
    COMMAND MODE: Privileged Exec
    EXAMPLE
    Console#show ip arp inspection log
    Total log entries number is 1
    Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 648

    CHAPTER | General Security Measures | ARP Inspection
    EXAMPLE
    Console#show ip arp inspection vlan 1
    VLAN ID DAI Status ACL Name ACL Status
    -------- --------------- -------------------- --------------------
    disabled sales static
    Console#...
  • Page 649: Access Control Lists

    ACCESS CONTROL LISTS
    Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address or DSCP traffic class), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 650: Access-List Ip

    CHAPTER | Access Control Lists | IPv4 ACLs
    access-list ip
    This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
    SYNTAX
    [no] access-list ip {standard | extended} acl-name
    standard –...
  • Page 651: Access-List Rule-Mode

    CHAPTER | Access Control Lists | IPv4 ACLs
    access-list rule-mode
    This command restricts access lists to only extended rules, or permits both standard and extended rules. Use the no form to restore the default setting.
    SYNTAX
    access-list rule-mode {extended | mixed}
    no access-list rule-mode
    extended –...
  • Page 652: Permit, Deny (Standard Ip Acl)

    CHAPTER | Access Control Lists | IPv4 ACLs
    permit, deny (Standard IP ACL)
    This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
    SYNTAX
    {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 653: Permit, Deny (Extended Ipv4 Acl)

    CHAPTER | Access Control Lists | IPv4 ACLs
    permit, deny (Extended IPv4 ACL)
    This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 654

    CHAPTER | Access Control Lists | IPv4 ACLs
    port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
    control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
    flag-bitmask –...
  • Page 655: Ip Access-Group

    CHAPTER | Access Control Lists | IPv4 ACLs
    EXAMPLE
    This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 656: Show Ip Access-Group

    CHAPTER | Access Control Lists | IPv4 ACLs
    COMMAND USAGE: Only one ACL can be bound to a port. If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
    EXAMPLE
    Console(config)#int eth 1/2
    Console(config-if)#ip access-group david in...
  • Page 657: Ipv6 Acls

    CHAPTER | Access Control Lists | IPv6 ACLs
    EXAMPLE
    Console#show ip access-list standard
    IP standard access-list david:
    permit host 10.1.1.21
    permit 168.92.0.0 255.255.15.0
    Console#
    RELATED COMMANDS
    permit, deny (652)
    ip access-group (655)
    IPv6 ACLs
    The commands in this section configure ACLs based on IPv6 addresses, next header type, and flow label.
  • Page 658: Permit, Deny (Standard Ipv6 Acl)

    CHAPTER | Access Control Lists | IPv6 ACLs
    COMMAND MODE: Global Configuration
    COMMAND USAGE: When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
  • Page 659: Permit, Deny (Extended Ipv6 Acl)

    CHAPTER | Access Control Lists | IPv6 ACLs
    DEFAULT SETTING: None
    COMMAND MODE: Standard IPv6 ACL
    COMMAND USAGE: New rules are appended to the end of the list.
    EXAMPLE
    This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 660: Show Ipv6 Access-List

    CHAPTER | Access Control Lists | IPv6 ACLs
    undefined fields. (The switch only checks the first 64 bits of the destination address.)
    prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 661: Ipv6 Access-Group

    Access Control Lists | IPv6 ACLs | EXAMPLE: Console#show ipv6 access-list standard IPv6 standard access-list david: permit host 2009:DB9:2229::79 permit 2009:DB9:2229:5::/64 Console# RELATED COMMANDS: permit, deny (Standard IPv6 ACL) (658) permit, deny (Extended IPv6 ACL) (659) ipv6 access-group (661) ipv6 access-group: This command binds a port to an IPv6 ACL.
  • Page 662: Show Ipv6 Access-Group

    Access Control Lists | MAC ACLs | show ipv6 access-group: This command shows the ports assigned to IPv6 ACLs. COMMAND MODE: Privileged Exec EXAMPLE: Console#show ip access-group Interface ethernet 1/2 IPv6 standard access-list david in Console# RELATED COMMANDS: ipv6 access-group (661) MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
  • Page 663: Permit, Deny (Mac Acl)

    Access Control Lists | MAC ACLs | COMMAND USAGE: When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
  • Page 664 | Access Control Lists | MAC ACLs | no {permit | deny} tagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [cos cos cos-bitmask] [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]] {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]] [time-range time-range-name]...
  • Page 665: Mac Access-Group

    Access Control Lists | MAC ACLs | vid-bitmask – VLAN bitmask. (Range: 0-4095) protocol – A specific Ethernet protocol number. (Range: 600-ffff hex.) protocol-bitmask – Protocol bitmask. (Range: 600-ffff hex.) time-range-name - Name of the time range. (Range: 1-30 characters) DEFAULT SETTING: None...
  • Page 666: Show Mac Access-Group

    Access Control Lists | MAC ACLs | DEFAULT SETTING: None COMMAND MODE: Interface Configuration (Ethernet) COMMAND USAGE: Only one ACL can be bound to a port. If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
  • Page 667: Arp Acls

    Access Control Lists | ARP ACLs | EXAMPLE: Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800 Console# RELATED COMMANDS: permit, deny (663) mac access-group (665) ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages.
  • Page 668: Permit, Deny (Arp Acl)

    Access Control Lists | ARP ACLs | An ACL can contain up to 64 rules. EXAMPLE: Console(config)#access-list arp factory Console(config-arp-acl)# RELATED COMMANDS: permit, deny (668) show arp access-list (669) permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages.
  • Page 669: Show Arp Access-List

    Access Control Lists | ARP ACLs | COMMAND MODE: ARP ACL COMMAND USAGE: New rules are added to the end of the list. EXAMPLE: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)#...
  • Page 670: Acl Information

    Access Control Lists | ACL Information | ACL INFORMATION: This section describes commands used to display ACL information. Table 89: ACL Information Commands (Command - Function): show access-group - Shows the ACLs assigned to each port; show access-list - Show all ACLs and associated rules. show access-group: This command shows the port assignments of ACLs.
  • Page 671: Interface Commands

    INTERFACE COMMANDS: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 90: Interface Commands (Command - Function): interface - Configures an interface type and enters interface configuration mode; capabilities - Advertises the capabilities of a given interface for use...
  • Page 672: Interface

    Interface Commands | interface: This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. SYNTAX: [no] interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 673: Description

    Interface Commands | DEFAULT SETTING: 100BASE-TX: 10half, 10full, 100half, 100full 1000BASE-T: 10half, 10full, 100half, 100full, 1000full 1000BASE-SX/LX/LH (SFP): 1000full COMMAND MODE: Interface Configuration (Ethernet, Port Channel) COMMAND USAGE: The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 674: Flowcontrol

    Interface Commands | COMMAND USAGE: The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 675: Giga-Phy-Mode

    Interface Commands | EXAMPLE: The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# RELATED COMMANDS: negotiation (678) capabilities (flowcontrol, symmetric) (672) giga-phy-mode: This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports 25-28. Use the no form to restore the default mode.
  • Page 676: Mdix

    Interface Commands | PHY modes at both ends of the link. Note that using one of the preferred modes ensures that the ports at both ends of a link will eventually cooperate to establish a valid master-slave relationship. EXAMPLE: This forces the switch port to master mode on port 24.
  • Page 677: Media-Type

    Interface Commands | EXAMPLE: This example forces the Port 1 to MDI mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport mdix straight Console(config-if)# RELATED COMMANDS: negotiation (678) media-type: This command forces the port type selected for combination ports 25-28. Use the no form to restore the default mode. SYNTAX: media-type mode no media-type...
  • Page 678: Negotiation

    Interface Commands | negotiation: This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. SYNTAX: [no] negotiation DEFAULT SETTING: Enabled COMMAND MODE: Interface Configuration (Ethernet, Port Channel) COMMAND USAGE: 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 679: Speed-Duplex

    Interface Commands | COMMAND USAGE: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. EXAMPLE: The following example disables port 5.
  • Page 680: Switchport Packet-Rate

    Interface Commands | the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. EXAMPLE: The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# RELATED COMMANDS...
  • Page 681: Clear Counters

    Interface Commands | This means that when multicast storm control is enabled, broadcast storm control is also enabled (using the threshold value set by the multicast storm control command). And when unknown unicast storm control is enabled, broadcast and multicast storm control are also enabled (using the threshold value set by the unknown unicast storm control command).
  • Page 682: Show Interfaces Brief

    Interface Commands | COMMAND MODE: Privileged Exec COMMAND USAGE: Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 683 | Interface Commands | DEFAULT SETTING: Shows the counters for all interfaces. COMMAND MODE: Normal Exec, Privileged Exec COMMAND USAGE: If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics.”...
  • Page 684: Show Interfaces Status

    Interface Commands | show interfaces status: This command displays the status for an interface. SYNTAX: show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-8) vlan vlan-id (Range: 1-4094) DEFAULT SETTING: Shows the status for all interfaces.
  • Page 685: Show Interfaces Switchport

    Interface Commands | Operation Speed-duplex: 100full Port Uptime: 14s (14 seconds) Flow Control Type: None Console# show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. SYNTAX: show interfaces switchport [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 686: Table 91: Show Interfaces Switchport - Display Description

    Interface Commands | Table 91: show interfaces switchport - display description (Field - Description): Broadcast Threshold - Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 680). Multicast Threshold - Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page...
  • Page 687: Show Interfaces Transceiver

    Interface Commands | show interfaces transceiver: This command displays identifying information for the specified transceiver, as well as the temperature, voltage, bias current, transmit power, and receive power. SYNTAX: show interfaces transceiver [interface] interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
  • Page 688: Test Cable-Diagnostics Tdr Interface

    Interface Commands | test cable-diagnostics tdr interface: This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length. SYNTAX: test cable-diagnostics tdr interface interface interface ethernet unit/port unit - Unit identifier.
  • Page 689: Show Cable-Diagnostics

    Interface Commands | show cable-diagnostics: This command shows the results of a cable diagnostics test. SYNTAX: show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) COMMAND MODE: Privileged Exec EXAMPLE: Console#show cable-diagnostics tdr interface ethernet 1/1 Port...
  • Page 690: Link Aggregation Commands

    LINK AGGREGATION COMMANDS: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 691: Channel-Group

    Link Aggregation Commands | Any of the 100BASE-TX ports can be trunked together. Any of the Gigabit ports (Ports 25-28) on the front panel can also be trunked together, including ports of different media types. All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
  • Page 692: Lacp

    Link Aggregation Commands | EXAMPLE: The following example creates trunk 1 and then adds port 10: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/10 Console(config-if)#channel-group 1 Console(config-if)# lacp: This command enables Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. SYNTAX: [no] lacp DEFAULT...
  • Page 693: Lacp Admin-Key (Ethernet Interface)

    Link Aggregation Commands | Console#show interfaces status port-channel 1 Information of Trunk 1 Basic Information: Port Type: 100TX Mac Address: 00-17-7C-61-24-37 Configuration: Name: Port Admin: MDIX mode: Auto Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Flow Control: Disabled VLAN Trunking: Disabled Port Security: Disabled...
  • Page 694: Lacp Mode

    Link Aggregation Commands | Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 695: Lacp Port-Priority

    Link Aggregation Commands | lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 696: Lacp System-Priority

    Link Aggregation Commands | lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 697: Show Lacp

    Link Aggregation Commands | DEFAULT SETTING COMMAND MODE: Interface Configuration (Port Channel) COMMAND USAGE: Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 698: Table 93: Show Lacp Counters - Display Description

    Link Aggregation Commands | EXAMPLE: Console#show lacp 1 counters Port Channel: 1 ------------------------------------------------------------------------- Eth 1/ 2 ------------------------------------------------------------------------- LACPDUs Sent: LACPDUs Received: Marker Sent: Marker Received: LACPDUs Unknown Pkts: 0 LACPDUs Illegal Pkts: 0 Table 93: show lacp counters - display description (Field - Description): LACPDUs Sent...
  • Page 699: Table 95: Show Lacp Neighbors - Display Description

    Link Aggregation Commands | Table 94: show lacp internal - display description (Continued) (Field - Description): LACP Port Priority - LACP port priority assigned to this interface within the channel group. Admin State, Oper State - Administrative or operational values of the actor’s state parameters: Expired –...
  • Page 700: Table 96: Show Lacp Sysid - Display Description

    Link Aggregation Commands | Table 95: show lacp neighbors - display description (Continued) (Field - Description): Partner Oper Port Number - Operational port number assigned to this aggregation port by the port’s protocol partner. Port Admin Priority - Current administrative value of the port priority for the protocol partner. Port Oper Priority - Priority value assigned to this aggregation port by the partner.
  • Page 701: Power Over Ethernet Commands

    POWER OVER ETHERNET COMMANDS: The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24 on the switch. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
  • Page 702: Power Inline Compatible

    Power over Ethernet Commands | COMMAND MODE: Global Configuration COMMAND USAGE: Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
  • Page 703: Power Inline

    Power over Ethernet Commands | EXAMPLE: Console(config)#power inline compatible Console(config)#end Console#show power inline status Unit: 1 Compatible mode : Enabled Used Overload Interface Admin Oper Power Power Priority Auto-recover --------- -------- ---- -------- -------- -------- ------------ 1/ 1 Enabled 15400 mW 0 mW Disabled...
  • Page 704: Power Inline Maximum Allocation

    Power over Ethernet Commands | power inline maximum allocation: This command limits the power allocated to specific ports. Use the no form to restore the default setting. SYNTAX: power inline maximum allocation milliwatts no power inline maximum allocation milliwatts - The maximum power budget for the port. (Range: 3000 - 15400 milliwatts) DEFAULT SETTING...
  • Page 705: Power Inline Priority

    Power over Ethernet Commands | If auto-recovery is enabled, when an overload condition is detected on a port, the switch will continuously power-cycle the port to check its status. If the overload is no longer detected on the port, it will be automatically re-enabled.
  • Page 706: Show Power Inline Status

    Power over Ethernet Commands | EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#power inline priority 2 Console(config-if)# show power inline status: This command displays the current power status for all ports or for specific ports. SYNTAX: show power inline status [interface] interface ethernet unit - Unit identifier.
  • Page 707: Show Power Mainpower

    Power over Ethernet Commands | Table 98: show power inline status - display description (Continued) (Field - Description): Priority - The port’s power priority setting (see power inline priority). Overload Auto-recover - Shows if automatic recovery from power overload is enabled. show power mainpower: Use this command to display the current power status for the switch.
  • Page 708: Port Mirroring Commands

    PORT MIRRORING COMMANDS: Data can be mirrored from a local port on the same switch for analysis at the target port using software monitoring tools or a hardware probe. This section describes how to mirror traffic from a source port to a target port.
  • Page 709: Show Port Monitor

    Port Mirroring Commands | COMMAND MODE: Interface Configuration (Ethernet, destination port) COMMAND USAGE: You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 710 | Port Mirroring Commands | COMMAND MODE: Privileged Exec COMMAND USAGE: This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). When the source is a VLAN, only the destination port and source VLAN are displayed. When the source is a MAC address, only the destination port and MAC address are displayed.
  • Page 711: Rate Limit Commands

    RATE LIMIT COMMANDS: This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 712 | Rate Limit Commands | by the storm control command. It is therefore not advisable to use both of these commands on the same interface. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 64 Console(config-if)# RELATED COMMAND: show interfaces switchport (685)...
  • Page 713: Automatic Traffic Control Commands

    AUTOMATIC TRAFFIC CONTROL COMMANDS: Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port. Table 102: ATC Commands (Command - Function - Mode): Threshold Commands: auto-traffic-control apply-timer - Sets the time at which to apply the control...
  • Page 714 | Automatic Traffic Control Commands | Table 102: ATC Commands (Continued) (Command - Function - Mode): snmp-server enable port-traps atc multicast-control-apply - Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires - IC (Port). snmp-server enable Sends a trap when multicast traffic falls beneath...
  • Page 715: Auto-Traffic-Control Apply-Timer

    Automatic Traffic Control Commands | expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. When traffic falls below the alarm clear threshold after the release timer expires, traffic control will be stopped and a Traffic Control Release Trap sent and logged.
  • Page 716: Auto-Traffic-Control Release-Timer

    Automatic Traffic Control Commands | DEFAULT SETTING: 300 seconds COMMAND MODE: Global Configuration COMMAND USAGE: After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...
  • Page 717: Auto-Traffic-Control

    Automatic Traffic Control Commands | EXAMPLE: This example sets the release timer to 800 seconds for all ports. Console(config)#auto-traffic-control broadcast release-timer 800 Console(config)# auto-traffic-control: This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. SYNTAX: [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 718: Auto-Traffic-Control Action

    Automatic Traffic Control Commands | auto-traffic-control action: This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} action {rate-control | shutdown} no auto-traffic-control {broadcast | multicast} action broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 719: Auto-Traffic-Control Alarm-Clear-Threshold

    Automatic Traffic Control Commands | auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-clear-threshold threshold no auto-traffic-control {broadcast | multicast} alarm-clear-threshold...
  • Page 720: Auto-Traffic-Control Alarm-Fire-Threshold

    Automatic Traffic Control Commands | auto-traffic-control alarm-fire-threshold: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold no auto-traffic-control {broadcast | multicast}...
  • Page 721: Auto-Traffic-Control Auto-Control-Release

    Automatic Traffic Control Commands | COMMAND MODE: Privileged Exec COMMAND USAGE: This command can be used to manually stop a control response any time after the specified action has been triggered. EXAMPLE: Console#auto-traffic-control broadcast control-release interface ethernet 1/1 Console# auto-traffic-control auto-control-release: This command automatically releases a control response after the time specified in the auto-traffic-control release-timer...
  • Page 722: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Fire

    Automatic Traffic Control Commands | EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear Console(config-if)# RELATED COMMANDS: auto-traffic-control action (718) auto-traffic-control alarm-clear-threshold (719) snmp-server enable port-traps atc broadcast-alarm-fire: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. SYNTAX...
  • Page 723: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Release

    Automatic Traffic Control Commands | EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply Console(config-if)# RELATED COMMANDS: auto-traffic-control alarm-fire-threshold (720) auto-traffic-control apply-timer (715) snmp-server enable port-traps atc broadcast-control-release: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
  • Page 724: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Fire

    Automatic Traffic Control Commands | EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear Console(config-if)# RELATED COMMANDS: auto-traffic-control action (718) auto-traffic-control alarm-clear-threshold (719) snmp-server enable port-traps atc multicast-alarm-fire: This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. SYNTAX...
  • Page 725: Snmp-Server Enable Port-Traps Atc Multicast-Control-Release

    Automatic Traffic Control Commands | EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-control-apply Console(config-if)# RELATED COMMANDS: auto-traffic-control alarm-fire-threshold (720) auto-traffic-control apply-timer (715) snmp-server enable port-traps atc multicast-control-release: This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
  • Page 726: Show Auto-Traffic-Control Interface

    Automatic Traffic Control Commands | Storm-control: Multicast Apply-timer(sec) : 300 release-timer(sec) : 900 Console# show auto-traffic-control interface: This command shows interface configuration settings and storm control status for the specified port. SYNTAX: show auto-traffic-control interface [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 727: Loopback Detection Commands

    LOOPBACK DETECTION COMMANDS: The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back. Table 103: Loopback Detection Commands (Command - Function)...
  • Page 728: Loopback-Detection

    Loopback Detection Commands | loopback-detection: This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection. SYNTAX: [no] loopback-detection DEFAULT SETTING: Disabled COMMAND MODE: Global Configuration; Interface Configuration (Ethernet, Port Channel) COMMAND USAGE: Loopback detection must be enabled globally for the switch by this...
  • Page 729: Loopback-Detection Recover-Time

    Loopback Detection Commands | COMMAND USAGE: When using vlan-based mode, loopback detection control frames are untagged or tagged depending on the port’s VLAN membership type. When using vlan-based mode, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.
  • Page 730: Loopback-Detection Transmit-Interval

    Loopback Detection Commands | loopback-detection transmit-interval: This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting. SYNTAX: loopback-detection transmit-interval seconds [no] loopback-detection transmit-interval seconds - The transmission interval for loopback detection control frames.
  • Page 731 | Loopback Detection Commands | COMMAND MODE: Privileged Exec EXAMPLE: Console#show loopback-detection Loopback Detection Global Information Global Status : Enabled Transmit Interval : 10 Recover Time : 60 Mode : Port-based Loopback Detection Port Information Port Admin State Oper State -------- ----------- ---------- Eth 1/ 1...
  • Page 732: Address Table Commands

    ADDRESS TABLE COMMANDS: These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 104: Address Table Commands (Command - Function): mac-address-table aging-time - Sets the aging time of the address table; mac-address-table static - Maps a static address to a port in a VLAN...
  • Page 733: Mac-Address-Table Static

    Address Table Commands | mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. SYNTAX: mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address.
  • Page 734: Clear Mac-Address-Table Dynamic

    Address Table Commands | clear mac-address-table dynamic: This command removes any learned entries from the forwarding database. DEFAULT SETTING: None COMMAND MODE: Privileged Exec EXAMPLE: Console#clear mac-address-table dynamic Console# show mac-address-table: This command shows classes of entries in the bridge-forwarding database. SYNTAX: show mac-address-table [address mac-address [mask]]...
  • Page 735: Show Mac-Address-Table Aging-Time

    Address Table Commands | bit “0” means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” The maximum number of address entries is 8191. EXAMPLE: Console#show mac-address-table Interface MAC Address...
  • Page 736: Spanning Tree Commands

    SPANNING TREE COMMANDS: This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 105: Spanning Tree Commands (Command - Function): spanning-tree - Enables the spanning tree protocol; spanning-tree cisco-prestandard - Configures spanning tree operation to be compatible...
  • Page 737: Spanning-Tree

    Spanning Tree Commands | Table 105: Spanning Tree Commands (Continued) (Command - Function): spanning-tree loopback-detection trap - Enables BPDU loopback SNMP trap notification for a port; spanning-tree mst cost - Configures the path cost of an instance in the MST; spanning-tree mst port-priority - Configures the priority of an instance in the MST...
  • Page 738: Spanning-Tree Cisco-Prestandard

    Spanning Tree Commands | EXAMPLE: This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree cisco-prestandard: This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting. [no] spanning-tree cisco-prestandard DEFAULT...
  • Page 739: Spanning-Tree Hello-Time

    Spanning Tree Commands | COMMAND USAGE: This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 740: Spanning-Tree Max-Age

    spanning-tree max-age
    This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
    SYNTAX:
    spanning-tree max-age seconds
    no spanning-tree max-age
    seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 741

    COMMAND MODE: Global Configuration
    COMMAND USAGE:
    Spanning Tree Protocol: Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 742: Spanning-Tree Pathcost Method

    spanning-tree pathcost method
    This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
    SYNTAX:
    spanning-tree pathcost method {long | short}
    no spanning-tree pathcost method
    long - Specifies 32-bit based values that range from 1-200,000,000.
  • Page 743: Spanning-Tree Mst Configuration

    COMMAND MODE: Global Configuration
    COMMAND USAGE: Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 744: Spanning-Tree System-Bpdu-Flooding

    spanning-tree system-bpdu-flooding
    This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
  • Page 745: Max-Hops

    EXAMPLE:
    Console(config)#spanning-tree transmission-limit 4
    Console(config)#
    max-hops
    This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
    SYNTAX:
    max-hops hop-number
    hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
    DEFAULT SETTING...
  • Page 746: Mst Vlan

    DEFAULT SETTING: 32768
    COMMAND MODE: MST Configuration
    COMMAND USAGE: MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 747: Name

    which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (page 747) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
  • Page 748: Spanning-Tree Bpdu-Filter

    DEFAULT SETTING:
    COMMAND MODE: MST Configuration
    COMMAND USAGE: The MST region name (page 747) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 749: Spanning-Tree Bpdu-Guard

    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree edge-port
    Console(config-if)#spanning-tree bpdu-filter
    Console(config-if)#
    RELATED COMMANDS:
    spanning-tree edge-port (751)
    spanning-tree portfast (757)
    spanning-tree bpdu-guard
    This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form to disable this feature.
    SYNTAX:
    [no] spanning-tree bpdu-guard...
  • Page 750: Spanning-Tree Cost

    spanning-tree cost
    This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
    SYNTAX:
    spanning-tree cost cost
    no spanning-tree cost
    cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)
  • Page 751: Spanning-Tree Edge-Port

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 752: Spanning-Tree Link-Type

    If the “auto” option is used, the port will be automatically configured as an edge port if the port state has transitioned from discarding to forwarding, and the edge delay time expires without receiving any RSTP or MSTP BPDUs.
  • Page 753: Spanning-Tree Loopback-Detection

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges.
  • Page 754: Spanning-Tree Loopback-Detection Release-Mode

    spanning-tree loopback-detection release-mode
    This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
    SYNTAX:
    spanning-tree loopback-detection release-mode {auto | manual}
    no spanning-tree loopback-detection release-mode
    auto - Allows a port to automatically be released from the...
  • Page 755: Spanning-Tree Loopback-Detection Trap

    spanning-tree loopback-detection trap
    This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
    SYNTAX:
    [no] spanning-tree loopback-detection trap
    DEFAULT SETTING: Disabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree loopback-detection trap...
  • Page 756: Spanning-Tree Mst Port-Priority

    This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media. Use the no spanning-tree mst cost command to specify auto-configuration mode.
  • Page 757: Spanning-Tree Portfast

    RELATED COMMANDS:
    spanning-tree mst cost (755)
    spanning-tree portfast
    This command sets an interface to fast forwarding. Use the no form to disable fast forwarding.
    SYNTAX:
    [no] spanning-tree portfast
    DEFAULT SETTING: Disabled
    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: This command is used to enable/disable the fast spanning-tree mode...
  • Page 758: Spanning-Tree Port-Bpdu-Flooding

    spanning-tree port-bpdu-flooding
    This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
    SYNTAX:
    [no] spanning-tree port-bpdu-flooding
    DEFAULT SETTING: Enabled...
  • Page 759: Spanning-Tree Root-Guard

    Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree port-priority 0
    RELATED COMMANDS:
    spanning-tree cost (750)
    spanning-tree root-guard
    This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected.
  • Page 760: Spanning-Tree Spanning-Disabled

    EXAMPLE:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree edge-port
    Console(config-if)#spanning-tree root-guard
    Console(config-if)#
    spanning-tree spanning-disabled
    This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
    SYNTAX:
    [no] spanning-tree spanning-disabled
    DEFAULT...
  • Page 761: Spanning-Tree Protocol-Migration

    EXAMPLE:
    Console#spanning-tree loopback-detection release ethernet 1/1
    Console#
    spanning-tree protocol-migration
    This command re-checks the appropriate BPDU format to send on the selected interface.
    SYNTAX:
    spanning-tree protocol-migration interface
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number....
  • Page 762: Show Spanning-Tree

    show spanning-tree
    This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST).
    SYNTAX:
    show spanning-tree [interface | mst instance-id | stp-enabled-only]
    interface
    ethernet unit/port
    unit - Unit identifier....
  • Page 763

    Bridge Forward Delay (sec.):
    Root Hello Time (sec.):
    Root Max Age (sec.):
    Root Forward Delay (sec.):
    Max Hops:
    Remaining Hops:
    Designated Root: 32768.0.00177CF8D8C6
    Current Root Port:
    Current Root Cost: 100000
    Number of Topology Changes:
    Last Topology Change Time (sec.): 14142
    Transmission Limit:
    Path Cost Method: Long...
  • Page 764: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration
    This command shows the configuration of the multiple spanning tree.
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show spanning-tree mst configuration
    Mstp Configuration Information
    --------------------------------------------------------------
    Configuration Name : R&D
    Revision Level
    Instance VLANs
    --------------------------------------------------------------
    1-4094
    Console#
    –...
  • Page 765: Eaps Commands

    EAPS COMMANDS
    The information provided in this section is based on RFC 3619. Ethernet Automatic Protection Switching (EAPS) can be used to increase the availability and robustness of Ethernet rings. An Ethernet ring built using EAPS can have resilience comparable to that provided by SONET BSHR or SDH MS-SPRing configurations, at a lower cost and with fewer constraints (for example, ring size).
  • Page 766

    When the master node receives this “link down” control frame, the master node moves from the “normal” state to the ring-fault state and unblocks its secondary port. The master node also flushes its bridging table, and sends a control frame to all other ring nodes, instructing them to flush their bridging tables as well.
  • Page 767

    [Figure: Health Messages; Primary Port; Master; Secondary Port (blocked unless primary ring fails)]
    Functional Description
    Setting port status on the master node: When the master node is in the Complete state, the primary and secondary ports will be set to the status described below.
  • Page 768: Table 109: Eaps Commands

    master node enters failed state and sends a control message to make all transit nodes flush their FDB.
    Handling EAPS control message events: Control messages are sent to nodes on the domain ring to maintain ring status. The master node sends health-check packets to ensure that the domain ring is unchanged.
  • Page 769

    Table 109: EAPS Commands (Continued)
    Command | Function | Mode
    protect-vlan | Adds a Protected VLAN to an EAPS domain | EAPS
    show eaps | Displays status information for configured EAPS domains |
    Configuration Guidelines for EAPS
    Create or delete an EAPS domain: Create or delete a domain using the eaps domain command.
  • Page 770: Eaps

    Enable or disable EAPS: Before enabling a domain as described in the next step, first use the eaps command to globally enable the EAPS function on the switch. If EAPS has not yet been enabled or has been disabled with the no eaps command, no EAPS domains will work.
  • Page 771: Eaps Domain

    eaps domain
    This command creates an EAPS domain and enters EAPS configuration mode for the specified domain. Use the no form to delete an EAPS domain.
    SYNTAX:
    [no] eaps domain name
    name - Name of a specific EAPS domain. (Range: 1-32 characters)
    DEFAULT SETTING: None...
  • Page 772: Enable

    Once the domain has been activated with the enable command, the configuration of the Control VLAN cannot be modified. Use the enable command to stop the EAPS domain before making any configuration changes to this domain.
    EXAMPLE:
    Console(config-eaps)#control-vlan 2
    Console(config-eaps)#...
  • Page 773: Hellotime

    DEFAULT SETTING: 3 seconds
    COMMAND MODE: EAPS Domain Configuration
    COMMAND USAGE: The fail time should be set on the master node. Once set, the master node sends the newly configured fail time to all transit nodes, forcing each node to update its fail timer.
  • Page 774: Mode

    COMMAND MODE: EAPS Domain Configuration
    COMMAND USAGE: The hello time should be set on the master node. Once set, the master node will send a health-check packet at the interval specified by this timer to all transit nodes. The transit nodes check for a health-check packet at the interval specified by the failtime command.
  • Page 775: Port

    RELATED COMMANDS:
    port (775)
    port
    This command sets the port type attached to the ring as primary or secondary. Each node must connect to the ring through two ports as part of the protection switching scheme – one port as the primary port and another as the secondary port.
  • Page 776: Protect-Vlan

    protect-vlan
    This command adds a Protected VLAN to an EAPS domain. Protected VLANs are used to send and receive data traffic on the EAPS ring. Use the no form to clear the Protected VLANs.
    SYNTAX:
    [no] protect-vlan vlan-id
    vlan-id - VLAN ID (Range: 1-4094, no leading zeroes)
    DEFAULT SETTING...
  • Page 777: Table 110: Show Eaps - Summary Display Description

    COMMAND USAGE: Enter the show eaps command without any argument to display a summary of status information for all configured EAPS domains. Enter the show eaps command followed by a domain name to display detailed status information for the specified domain.
    EXAMPLE:
    This example displays a summary of all the EAPS domains configured on the switch.
  • Page 778: Table 111: Show Eaps - Detailed Display Description

    This example displays detailed information for the specified EAPS domain.
    Console#show eaps r&d
    Name : r&d
    Admin Status : Enabled
    State : Init
    Mode : Master
    Primary Port : Eth 1/24
    Port Status : Down
    Secondary Port : Eth 1/25
    Port Status : Down
    Hello Timer Interval...
  • Page 779: Erps Commands

    ERPS COMMANDS
    Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links. The mechanisms and protocol defined in G.8032 achieve highly reliable and stable protection;...
  • Page 780

    Switching protocol request (R-APS, as defined in Y.1731) is received which has a higher priority than any other local request. A link/node failure is detected by the nodes adjacent to the failure. These nodes block the failed link and report the failure to the ring using R-APS (SF) messages.
  • Page 781: Table 112: Erps Commands

    One VLAN must be added to an EAPS domain as the CVLAN. This can be designated as any VLAN, other than the management VLAN. The CVLAN should only contain ring ports, and must not be configured with an IP address.
  • Page 782: Erps

    wtr-timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
    Configure the ERPS Control VLAN (CVLAN): Use the control-vlan command to create the VLAN used to pass R-APS ring maintenance commands.
  • Page 783: Erps Domain

    erps domain
    This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring.
    SYNTAX:
    [no] erps domain name
    name - Name of a specific ERPS ring. (Range: 1-32 characters)
    DEFAULT SETTING: None...
  • Page 784: Enable

    EXAMPLE:
    Console(config)#vlan database
    Console(config-vlan)#vlan 2 name rdc media ethernet state active
    Console(config-vlan)#exit
    Console(config)#interface ethernet 1/21
    Console(config-if)#switchport allowed vlan add 2 tagged
    Console(config-if)#interface ethernet 1/22
    Console(config-if)#switchport allowed vlan add 2 tagged
    Console(config-if)#exit
    Console(config)#erps domain rd1
    Console(config-erps)#control-vlan 2
    Console(config-erps)#
    enable
    This command activates the current ERPS ring.
  • Page 785: Guard-Timer

    guard-timer
    This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.
    SYNTAX:
    guard-timer milliseconds
    milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
  • Page 786: Meg-Level

    server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero.
  • Page 787: Node-Id

    node-id
    This command sets the MAC address for a ring node. Use the no form to restore the default setting.
    SYNTAX:
    node-id mac-address
    mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 788: Rpl Owner

    COMMAND USAGE: Each node must be connected to two neighbors on the ring. For convenience, the ports connected are referred to as east and west ports. Alternatively, the closest neighbor to the east should be the next node in the ring in a clockwise direction, and the closest neighbor to the west should be the next node in the ring in a counter-clockwise direction.
  • Page 789: Show Erps

    DEFAULT SETTING: 5 minutes
    COMMAND MODE: ERPS Configuration
    COMMAND USAGE: If the switch goes into ring protection state due to a signal failure, after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal operating) state.
  • Page 790: Table 114: Show Erps Domain - Detailed Display Description

    Table 113: show erps - summary display description (Continued)
    Field | Description
    State | Shows the following ERPS states:
    Init – The ERPS ring has started but has not yet determined the status of the ring.
    Idle – If all nodes in a ring are in this state, it means that all the links in the ring are up.
  • Page 791

    Table 114: show erps domain - detailed display description (Continued)
    Field | Description
    West Port | Shows the west ring port for this node, and the interface state:
    Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
  • Page 792: Vlan Commands

    VLAN COMMANDS
    A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 793: Gvrp And Bridge Extension Commands

    GVRP AND BRIDGE EXTENSION COMMANDS
    GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 794: Garp Timer

    garp timer
    This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
    SYNTAX:
    garp timer {join | leave | leaveall} timer-value
    no garp timer {join | leave | leaveall}
    {join | leave | leaveall} - Timer to set.
  • Page 795: Switchport Forbidden Vlan

    switchport forbidden vlan
    This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
    SYNTAX:
    switchport forbidden vlan {add vlan-list | remove vlan-list}
    no switchport forbidden vlan
    add vlan-list - List of VLAN identifiers to add.
  • Page 796: Show Bridge-Ext

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport gvrp
    Console(config-if)#
    show bridge-ext
    This command shows the configuration for bridge extension commands.
    DEFAULT SETTING: None
    COMMAND MODE: Privileged Exec
    COMMAND USAGE: See "Displaying Bridge Extension Capabilities" for a description of the displayed items.
  • Page 797: Show Gvrp Configuration

    EXAMPLE:
    Console#show garp timer ethernet 1/1
    Eth 1/ 1 GARP Timer Status:
    Join Timer: 20 centiseconds
    Leave Timer: 60 centiseconds
    Leaveall Timer: 1000 centiseconds
    Console#
    RELATED COMMANDS:
    garp timer (794)
    show gvrp configuration
    This command shows if GVRP is enabled.
    SYNTAX:
    show gvrp configuration [interface]...
  • Page 798: Vlan Database

    vlan database
    This command enters VLAN database mode. All commands in this mode will take effect immediately.
    DEFAULT SETTING: None
    COMMAND MODE: Global Configuration
    COMMAND USAGE: Use the VLAN database command mode to add, change, and delete VLANs.
  • Page 799: Configuring Vlan Interfaces

    DEFAULT SETTING: By default only VLAN 1 exists and is active.
    COMMAND MODE: VLAN Database Configuration
    COMMAND USAGE:
    no vlan vlan-id deletes the VLAN.
    no vlan vlan-id name removes the VLAN name.
    no vlan vlan-id state returns the VLAN to the default state (i.e., active).
  • Page 800: Interface Vlan

    Table 118: Commands for Configuring VLAN Interfaces (Continued)
    Command | Function | Mode
    switchport priority default | Sets a port priority for incoming untagged frames |
    vlan-trunking | Allows unknown VLANs to cross the switch |
    interface vlan
    This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.
  • Page 801: Switchport Allowed Vlan

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE: When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
    EXAMPLE:
    The following example shows how to restrict the traffic received on port 1 to tagged frames:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport acceptable-frame-types tagged...
  • Page 802: Switchport Ingress-Filtering

    Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress. If none of the intermediate network devices nor the host at the other end of the connection supports VLANs, the interface should be added to these VLANs as an untagged member.
  • Page 803: Switchport Mode

    EXAMPLE:
    The following example shows how to set the interface to port 1 and then enable ingress filtering:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport ingress-filtering
    Console(config-if)#
    switchport mode
    This command configures the VLAN membership mode for a port. Use the no form to restore the default.
  • Page 804: Switchport Native Vlan

    RELATED COMMANDS:
    switchport acceptable-frame-types (800)
    switchport native vlan
    This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
    SYNTAX:
    switchport native vlan vlan-id
    no switchport native vlan
    vlan-id - Default VLAN ID for a port.
  • Page 805: Figure 222: Configuring Vlan Trunking

    COMMAND USAGE: Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong. The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
  • Page 806: Displaying Vlan Information

    DISPLAYING VLAN INFORMATION
    This section describes commands used to display VLAN information.
    Table 119: Commands for Displaying VLAN Information
    Command | Function | Mode
    show interfaces status vlan | Displays status for the specified VLAN interface | NE, PE
    show interfaces...
  • Page 807: Configuring Ieee 802.1Q Tunneling

    Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S) Eth1/26(S) Eth1/27(S) Eth1/28(S)
    Console#
    CONFIGURING IEEE 802.1Q TUNNELING
    IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 808: Dot1Q-Tunnel System-Tunnel-Control

    Configure the SPVLAN ID as the native VID on the QinQ tunnel uplink port (switchport native vlan).
    Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
    Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).
  • Page 809: Switchport Dot1Q-Tunnel Mode

    switchport dot1q-tunnel mode
    This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
    SYNTAX:
    switchport dot1q-tunnel mode {access | uplink}
    no switchport dot1q-tunnel mode
    access –...
  • Page 810: Switchport Dot1Q-Tunnel Service Match Cvid

    switchport dot1q-tunnel service match cvid
    This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
    SYNTAX:
    switchport dot1q-tunnel service outer-vlan match cvid inner-vlan
    outer-vlan - VLAN ID for the outer VLAN tag (SPVID).
  • Page 811: Switchport Dot1Q-Tunnel Tpid

    switchport dot1q-tunnel tpid
    This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
    SYNTAX:
    switchport dot1q-tunnel tpid tpid
    no switchport dot1q-tunnel tpid
    tpid –...
  • Page 812: Configuring L2Cp Tunneling

    Console(config-if)#interface ethernet 1/2
    Console(config-if)#switchport dot1q-tunnel mode uplink
    Console(config-if)#end
    Console#show dot1q-tunnel
    Current double-tagged status of the system is Enabled
    The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
    The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
    The dot1q-tunnel mode of the set interface 1/3 is Normal mode, TPID is 0x8100.
  • Page 813: Switchport L2Protocol-Tunnel

    provider’s edge switch, replacing the destination MAC address with a proprietary MAC address used for tunneling Layer 2 protocols or a user-defined address. When a tunneled BPDU or other specified protocol type enters the tunnel egress port attached to a remote portion of the customer’s network, the switch decapsulates these packets, restores the proper protocol and MAC address information, and then floods them onto the...
  • Page 814

    In this way, normally segregated network segments can be configured to function inside a common protocol domain. L2PT encapsulates protocol packets entering ingress ports on the service provider’s edge switch, replacing the destination MAC address with a reserved address for the specified protocol type (as defined in IEEE 802.1ad –...
  • Page 815

    Processing Cisco-compatible protocol packets
    When a Cisco-compatible L2PT packet is received on an uplink port, and recognized as a CDP/VTP/STP protocol packet (where STP means STP/RSTP/MSTP/PVST+), it is forwarded to the following ports in the same S-VLAN: (a) all access ports for which L2PT has been disabled, and (b) all uplink ports.
  • Page 816: Show L2Protocol-Tunnel

    show l2protocol-tunnel
    This command shows settings for Layer 2 Protocol Tunneling (L2PT).
    COMMAND MODE: Privileged Exec
    EXAMPLE:
    Console#show l2protocol-tunnel
    Layer 2 Protocol Tunnel
    Tunnel MAC Address : 00-17-7C-00-00-02
    Interface Protocol
    ----------------------------------------------------------
    Eth 1/ 1 Spanning Tree
    Console#
    CONFIGURING...
  • Page 817: Pvlan Uplink/Downlink

    DEFAULT SETTING: Disabled
    COMMAND MODE: Global Configuration
    COMMAND USAGE: When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
    Table 123: Traffic Segmentation Forwarding
    Destination Session #1 Session #1...
  • Page 818: Pvlan Session

    interface-list – One or more uplink or downlink interfaces.
    ethernet unit/port
    unit - Stack unit. (Range: 1)
    port - Port number. (Range: 1-28)
    port-channel channel-id (Range: 1-8)
    DEFAULT SETTING: None
    COMMAND MODE: Global Configuration
    COMMAND USAGE: A port cannot be configured in both an uplink and downlink list.
  • Page 819: Pvlan Up-To-Up

    COMMAND USAGE: Use this command to create a new traffic-segmentation client session. Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
    EXAMPLE:
    Console(config)#pvlan session 1
    Console(config)#...
  • Page 820: Configuring Private Vlans

    EXAMPLE:
    Console#show pvlan
    Private VLAN Status Enabled
    Uplink-to-Uplink Mode : Forwarding
    Session Uplink Ports Downlink Ports
    --------- ------------------------------ -----------------------------
    Ethernet 1/25 Ethernet Ethernet Ethernet Ethernet Ethernet Ethernet Ethernet Ethernet
    Console#
    CONFIGURING PRIVATE VLANS
    Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups.
  • Page 821: Private-Vlan

    VLAN Commands | Configuring Private VLANs | Table 124: Private VLAN Commands (Command: Function, Mode). switchport private-vlan mapping: Maps an interface to a primary VLAN. Display Private VLAN Information: show vlan private-vlan: Shows private VLAN information (NE, PE). To configure private VLANs, follow these steps: Use the private-vlan command to designate one or more community...
  • Page 822: Private Vlan Association

    VLAN Commands | Configuring Private VLANs | Command Mode: VLAN Configuration. Command Usage: Private VLANs are used to restrict traffic to ports within the same community, and channel traffic passing outside the community through promiscuous ports. When using community VLANs, they must be mapped to an associated “primary”...
  • Page 823: Switchport Mode Private-Vlan

    VLAN Commands | Configuring Private VLANs | Example: Console(config-vlan)#private-vlan 2 association 3 Console(config)# switchport mode private-vlan: Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting. Syntax: switchport mode private-vlan {host | promiscuous} no switchport mode private-vlan host –...
  • Page 824: Switchport Private-Vlan Mapping

    VLAN Commands | Configuring Private VLANs | Default Setting: None. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN.
  • Page 825: Show Vlan Private-Vlan

    VLAN Commands | Configuring Protocol-based VLANs | show vlan private-vlan: Use this command to show the private VLAN configuration settings on this switch. Syntax: show vlan private-vlan [community | primary] community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
  • Page 826: Protocol-Vlan Protocol-Group (Configuring Groups)

    VLAN Commands | Configuring Protocol-based VLANs | Table 125: Protocol-based VLAN Commands (Continued) (Command: Function, Mode). show protocol-vlan protocol-group: Shows the configuration of protocol groups. show protocol-vlan protocol-group-vid: Shows the mapping of protocol groups to VLAN. To configure protocol-based VLANs, follow these steps: First configure VLAN groups for the protocols you want to use (page 798).
  • Page 827: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    VLAN Commands | Configuring Protocol-based VLANs | protocol - Protocol type. The protocols supported for each frame type include: ethernet - arp, ip, pppoe, rarp; llc-other - ipx-raw; rfc-1042 - arp, ip, rarp. Default Setting: No protocol groups are configured. Command Mode: Global Configuration. Example: The following creates protocol group 1, and specifies Ethernet frames with...
  • Page 828: Show Protocol-Vlan Protocol-Group

    VLAN Commands | Configuring Protocol-based VLANs | When a frame enters the switch and protocol VLANs have been configured, the frame is processed in the following manner: If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
  • Page 829: Show Protocol-Vlan Protocol-Group-Vid

    VLAN Commands | Configuring IP Subnet VLANs | show protocol-vlan protocol-group-vid: This command shows the mapping from protocol groups to VLANs. Syntax: show interfaces protocol-vlan protocol-group-vid Default Setting: The mapping for all interfaces is displayed. Command Mode: Privileged Exec. Example: This shows that traffic matching the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group ProtocolGroup ID...
  • Page 830: Subnet-Vlan

    VLAN Commands | Configuring IP Subnet VLANs | subnet-vlan: This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment. Syntax: subnet-vlan subnet ip-address mask vlan vlan-id no subnet-vlan subnet {ip-address mask | all} ip-address –...
  • Page 831: Show Subnet-Vlan

    VLAN Commands | Configuring MAC Based VLANs | show subnet-vlan: This command displays IP Subnet VLAN assignments. Command Mode: Privileged Exec. Command Usage: Use this command to display subnet-to-VLAN mappings. The last matched entry is used if more than one entry can be matched. Example: The following example displays all configured IP subnet-based VLANs.
  • Page 832: Mac-Vlan

    VLAN Commands | Configuring MAC Based VLANs | mac-vlan: This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment. Syntax: mac-vlan mac-address mac-address vlan vlan-id no mac-vlan mac-address {mac-address | all} mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses.
  • Page 833: Configuring Voice Vlans

    VLAN Commands | Configuring Voice VLANs | Example: The following example displays all configured MAC address-based VLANs. Console#show mac-vlan MAC address VLAN ID ------------------- --------- 00-00-00-11-22-33 Console# Configuring Voice VLANs: The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic.
  • Page 834: Voice Vlan Aging

    VLAN Commands | Configuring Voice VLANs | Command Mode: Global Configuration. Command Usage: When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality.
  • Page 835: Voice Vlan Mac-Address

    VLAN Commands | Configuring Voice VLANs | Example: The following example configures the Voice VLAN aging time as 3000 minutes. Console(config)#voice vlan aging 3000 Console(config)# voice vlan mac- This command specifies MAC address ranges to add to the OUI Telephony list.
  • Page 836: Switchport Voice Vlan

    VLAN Commands | Configuring Voice VLANs | switchport voice vlan: This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax: switchport voice vlan {manual | auto} no switchport voice vlan manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 837: Switchport Voice Vlan Rule

    VLAN Commands | Configuring Voice VLANs | Command Usage: Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port. Example: The following example sets the CoS priority to 5 on port 1.
  • Page 838: Switchport Voice Vlan Security

    VLAN Commands | Configuring Voice VLANs | switchport voice vlan security: This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port. Syntax: [no] switchport voice vlan security Default Setting: Disabled. Command Mode: Interface Configuration...
  • Page 839 | VLAN Commands | Configuring Voice VLANs | Voice VLAN ID : 1234 Voice VLAN aging time : 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority -------- -------- -------- --------- -------- Eth 1/ 1 Auto Enabled Eth 1/ 2 Disabled Disabled OUI Eth 1/ 3 Manual Enabled Eth 1/ 4 Auto...
  • Page 840: Class Of Service Commands

    Class of Service Commands: The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port.
  • Page 841: Queue Mode

    Class of Service Commands | Priority Commands (Layer 2) | queue mode: This command sets the scheduling mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax: queue mode {strict | wrr} no queue mode...
  • Page 842: Queue Cos-Map

    Class of Service Commands | Priority Commands (Layer 2) | queue cos-map: This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3). Use the no form to set the CoS map to the default values.
  • Page 843: Switchport Priority Default

    Class of Service Commands | Priority Commands (Layer 2) | switchport priority default: This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax: switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic.
  • Page 844: Show Queue Bandwidth

    Class of Service Commands | Priority Commands (Layer 2) | show queue bandwidth: This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting: None. Command Mode: Privileged Exec. Example: Console#show queue bandwidth Queue ID Weight -------- ------ Console#...
  • Page 845: Show Queue Mode

    Class of Service Commands | Priority Commands (Layer 3 and 4) | show queue mode: This command shows the current queue mode. Command Mode: Privileged Exec. Example: Console#show queue mode Queue Mode: wrr Console# Priority Commands (Layer 3 and 4): This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
  • Page 846: Map Ip Dscp (Interface Configuration)

    Class of Service Commands | Priority Commands (Layer 3 and 4) | map ip dscp (Interface Configuration): This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. Syntax: map ip dscp dscp-value cos cos-value no map ip dscp dscp-value - 8-bit DSCP value.
  • Page 847: Show Map Ip Dscp

    Class of Service Commands | Priority Commands (Layer 3 and 4) | show map ip dscp: This command shows the IP DSCP priority map. Syntax: show map ip dscp [interface] interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-8) Default Setting...
  • Page 848: Quality Of Service Commands

    Quality of Service Commands: The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 849: Class-Map

    Quality of Service Commands | Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode. Use the class command to identify the class map, and enter Policy Map Class configuration mode.
  • Page 850: Description

    Quality of Service Commands | tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the match commands.
  • Page 851 | Quality of Service Commands | Default Setting: None. Command Mode: Class Map Configuration. Command Usage: First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use the match command to specify the fields within ingress packets that must match to qualify for this class map.
  • Page 852: Rename

    Quality of Service Commands | rename: This command redefines the name of a class map or policy map. Syntax: rename map-name map-name - Name of the class map or policy map. (Range: 1-16 characters) Command Mode: Class Map Configuration, Policy Map Configuration. Example: Console(config)#class-map rd-class#1 Console(config-cmap)#rename rd-class#9...
  • Page 853: Class

    Quality of Service Commands | Example: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 854: Police

    Quality of Service Commands | rate to 1522 bytes, and configure the response to drop any violating packets. Console(config)#policy-map rd-policy Console(config-pmap)#class rd-class Console(config-pmap-c)#set ip dscp 3 Console(config-pmap-c)#police 10000 1522 exceed-action drop Console(config-pmap-c)# police: This command defines a policer for classified traffic based on the metered flow rate.
  • Page 855: Set

    Quality of Service Commands | Console(config-pmap-c)#police 100000 1522 exceed-action drop Console(config-pmap-c)# set: This command services IP traffic by setting a CoS or DSCP value in a matching packet (as specified by the match command). Use the no form to remove the traffic classification. Syntax: [no] set {cos new-cos | ip dscp new-dscp} new-cos - New Class of Service (CoS) value.
  • Page 856: Show Class-Map

    Quality of Service Commands | Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: Only one policy map can be assigned to an interface. First define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to the required interface.
  • Page 857: Show Policy-Map

    Quality of Service Commands | show policy-map: This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax: show policy-map [policy-map-name [class class-map-name]] policy-map-name - Name of the policy map. (Range: 1-16 characters) class-map-name - Name of the class map.
  • Page 858 | Quality of Service Commands | Example: Console#show policy-map interface 1/5 input Service-policy rd-policy Console#...
  • Page 859: Multicast Filtering Commands

    Multicast Filtering Commands: This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 860: Ip Igmp Snooping

    Multicast Filtering Commands | IGMP Snooping | Table 136: IGMP Snooping Commands (Continued) (Command: Function, Mode). show ip igmp snooping groups: Shows known multicast addresses learned through IGMP snooping. show mac-address-table multicast: Shows the IGMP snooping multicast list. ip igmp snooping: This command enables IGMP snooping globally on the switch.
  • Page 861: Ip Igmp Snooping Priority

    Multicast Filtering Commands | IGMP Snooping | The leave-proxy feature does not function when a switch is set as the querier. When the switch is a non-querier, the receiving port is not the last dynamic member port in the group, the receiving port is not a router port, and no IGMPv1 member port exists in the group, the switch will generate and send a GS-query to the member port which received the leave message, and then start the last member query timer for that...
  • Page 862: Ip Igmp Snooping Version

    Multicast Filtering Commands | IGMP Snooping | ip igmp snooping version: This command configures the IGMP snooping version. Use the no form to restore the default. Syntax: ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4093) 1 - IGMP Version 1 2 - IGMP Version 2...
  • Page 863: Ip Igmp Snooping Immediate-Leave

    Multicast Filtering Commands | IGMP Snooping | Default Setting: None. Command Mode: Global Configuration. Command Usage: Static multicast entries are never aged out. When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
  • Page 864: Show Ip Igmp Snooping

    Multicast Filtering Commands | IGMP Snooping | Example: The following shows how to enable immediate leave. Console(config)#ip igmp snooping immediate-leave Console(config)# show ip igmp snooping: This command shows the IGMP snooping, proxy, and query configuration settings. Command Mode: Privileged Exec. Command Usage: This command displays global and VLAN-specific IGMP configuration settings.
  • Page 865: Show Mac-Address-Table Multicast

    Multicast Filtering Commands | IGMP Snooping | Example: The following shows the multicast entries learned through IGMP snooping: Console#show ip igmp snooping groups VLAN IP Addressses Member Port Type ---- --------------- ------------ ------------- 1 239.255.255.250 Eth 1/ 1 IGMP Snooping Console# show mac-address- This command shows known multicast addresses.
  • Page 866: Igmp Query Commands

    Multicast Filtering Commands | IGMP Query Commands | IGMP Query Commands: This section describes commands used to configure IGMP query on the switch. Table 137: IGMP Query Commands (Command: Function, Mode). ip igmp snooping querier: Allows this device to act as the querier for IGMP snooping. ip igmp snooping query- Configures the query count...
  • Page 867: Ip Igmp Snooping Query-Count

    Multicast Filtering Commands | IGMP Query Commands | ip igmp snooping query-count: This command configures the query count. Use the no form to restore the default count. Syntax: ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
  • Page 868: Ip Igmp Snooping Query-Max-Response-Time

    Multicast Filtering Commands | IGMP Query Commands | Command Mode: Global Configuration. Example: The following shows how to configure the query interval to 100 seconds: Console(config)#ip igmp snooping query-interval 100 Console(config)# ip igmp snooping This command configures the query report delay. Use the no form to restore the default.
  • Page 869: Ip Igmp Snooping Router-Port-Expire-Time

    Multicast Filtering Commands | Static Multicast Routing | ip igmp snooping router-port-expire-time: This command configures the querier timeout. Use the no form to restore the default. Syntax: ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
  • Page 870: Ip Igmp Snooping Vlan Mrouter

    Multicast Filtering Commands | Static Multicast Routing | ip igmp snooping vlan mrouter: This command statically configures a (Layer 2) multicast router port on the specified VLAN. Use the no form to remove the configuration. Syntax: [no] ip igmp snooping vlan vlan-id mrouter interface vlan-id - VLAN ID (Range: 1-4094) interface ethernet unit/port...
  • Page 871: Igmp Filtering And Throttling

    Multicast Filtering Commands | IGMP Filtering and Throttling | Command Usage: Multicast router port types displayed include Static. Example: The following shows the ports in VLAN 1 which are attached to multicast routers. Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/10...
  • Page 872: Ip Igmp Filter (Global Configuration)

    Multicast Filtering Commands | IGMP Filtering and Throttling | ip igmp filter (Global Configuration): This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax: [no] ip igmp filter Default Setting: Disabled. Command Mode: Global Configuration...
  • Page 873: Permit, Deny

    Multicast Filtering Commands | IGMP Filtering and Throttling | Command Usage: A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode;...
  • Page 874: Ip Igmp Filter (Interface Configuration)

    Multicast Filtering Commands | IGMP Filtering and Throttling | Default Setting: None. Command Mode: IGMP Profile Configuration. Command Usage: Enter this command multiple times to specify more than one multicast address or address range for a profile. Example: Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)#...
  • Page 875: Ip Igmp Max-Groups

    Multicast Filtering Commands | IGMP Filtering and Throttling | ip igmp max-groups: This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax: ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
  • Page 876: Show Ip Igmp Filter

    Multicast Filtering Commands | IGMP Filtering and Throttling | Command Usage: When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 877: Show Ip Igmp Profile

    Multicast Filtering Commands | IGMP Filtering and Throttling | show ip igmp profile: This command displays IGMP filtering profiles created on the switch. Syntax: show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting: None. Command Mode...
  • Page 878: Multicast Vlan Registration

    Multicast Filtering Commands | Multicast VLAN Registration | Example: Console#show ip igmp throttle interface ethernet 1/1 1/1 Information status : true action : deny max multicast groups : 32 current multicast groups : 0 Console# Multicast VLAN Registration: This section describes commands used to configure Multicast VLAN Registration (MVR).
  • Page 879: Mvr

    Multicast Filtering Commands | Multicast VLAN Registration | mvr: This command enables Multicast VLAN Registration (MVR) globally on the switch. Use the no form of this command to globally disable MVR. Syntax: [no] mvr Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: IGMP snooping must be enabled to allow a subscriber to dynamically join or leave an MVR group (see the...
  • Page 880: Mvr Priority

    Multicast Filtering Commands | Multicast VLAN Registration | The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. IGMP snooping and MVR can share a maximum number of 255 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated VLAN.
  • Page 881: Mvr Receiver-Group

    Multicast Filtering Commands | Multicast VLAN Registration | mvr receiver-group: This command specifies MVR multicast groups to be managed through the MVR receiver VLAN. Use the no form of this command to remove a group from the receiver VLAN. Syntax: [no] mvr receiver-group ip-address ip-address - IP address for an MVR multicast group.
  • Page 882: Mvr Unspecified-Source-Ip

    Multicast Filtering Commands | Multicast VLAN Registration | Command Mode: Global Configuration. Command Usage: Multicast traffic forwarded to subscribers is normally stripped of frame tags to prevent the hosts from discovering the identity of the MVR VLAN. To allow multicast traffic with tagged frames to be sent to subscribers without revealing the identity of the MVR VLAN, both the mvr receiver-group and mvr receiver-vlan must be specifically...
  • Page 883: Mvr Vlan

    Multicast Filtering Commands | Multicast VLAN Registration | Example: Console(config)#mvr unspecified-source-ip Console(config)# mvr vlan: This command specifies the MVR VLAN identifier. Use the no form of this command to restore the default MVR VLAN. Syntax: mvr vlan vlan-id no mvr vlan vlan-id - MVR VLAN ID (Range: 1-4094) Default Setting...
  • Page 884: Mvr Immediate

    Multicast Filtering Commands | Multicast VLAN Registration | Default Setting: No receiver port is a member of any configured multicast group. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: Multicast groups can be statically assigned to a receiver port using this command.
  • Page 885: Mvr Static-Receiver-Group

    Multicast Filtering Commands | Multicast VLAN Registration | disrupting services to other group members attached to the same interface. Immediate leave does not apply to multicast groups which have been statically assigned to a port. Example: The following enables immediate leave on a receiver port. Console(config)#interface ethernet 1/5 Console(config-if)#mvr immediate Console(config-if)#...
  • Page 886: Mvr Type

    Multicast Filtering Commands | Multicast VLAN Registration | mvr type: This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. Syntax: [no] mvr type {receiver | source} receiver - Configures the interface as a subscriber port that can receive multicast data.
  • Page 887: Show Mvr

    Multicast Filtering Commands | Multicast VLAN Registration | Console(config-if)#mvr type receiver Console(config-if)#exit Console(config)#interface ethernet 1/7 Console(config-if)#mvr type receiver Console(config-if)# show mvr: This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, the multicast groups assigned to the MVR VLAN using the members keyword or the interfaces assigned to MVR receiver groups using the receiver-group members keyword.
  • Page 888: Table 141: Show Mvr - Display Description

    Multicast Filtering Commands | Multicast VLAN Registration | Table 141: show mvr - display description (Field: Description). MVR Status: Shows if MVR is globally enabled on the switch. MVR Running Status: Indicates whether or not all necessary conditions in the MVR environment are satisfied.
  • Page 889: Table 143: Show Mvr Members - Display Description

    Multicast Filtering Commands | Multicast VLAN Registration | The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Console#show mvr members MVR Group IP Status Receiver VLAN Members ---------------- -------- ------------- ------- 225.0.0.1 ACTIVE VLAN2 eth1/1(d), eth1/2(s) 225.0.0.2...
  • Page 890: Table 144: Show Mvr Receiver Members - Display Description

    Multicast Filtering Commands | Multicast VLAN Registration | Table 144: show mvr receiver members - display description (Field: Description). MVR Group IP: Multicast groups assigned to the MVR Receiver VLAN. Status: Shows whether or not there are active subscribers for this multicast group.
  • Page 891: MLD Snooping Commands

    MLD Snooping Commands: Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs.
  • Page 892: Ipv6 Mld Snooping

    MLD Snooping Commands | ipv6 mld snooping: This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping. Syntax: [no] ipv6 mld snooping Default Setting: Disabled. Command Mode: Global Configuration. Example: The following example enables MLD Snooping: Console(config)#ipv6 mld snooping Console(config)# ipv6 mld snooping...
  • Page 893: Ipv6 Mld Snooping Router-Port-Expire-Time

    MLD Snooping Commands | ipv6 mld snooping router-port-expire-time: This command configures the MLD query timeout. Use the no form to restore the default. Syntax: ipv6 mld snooping router-port-expire-time time no ipv6 mld snooping router-port-expire-time time - Specifies the timeout of a dynamically learned router port. (Range: 300-500 seconds) Default Setting...
  • Page 894: Ipv6 Mld Snooping Version

    MLD Snooping Commands | When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router. Example: Console(config)#ipv6 mld snooping unknown-multicast mode flood Console(config)# ipv6 mld snooping This command configures the MLD snooping version.
  • Page 895: Ipv6 Mld Snooping Vlan Static

    MLD Snooping Commands | Command Mode: Global Configuration. Command Usage: Depending on your network connections, MLD snooping may not always be able to locate the MLD querier. Therefore, if the MLD querier is a known multicast router/switch connected over the network to an interface (port or trunk) on the switch, you can manually configure that interface to join all the current multicast groups.
  • Page 896: Ipv6 Mld Snooping Immediate-Leave

    MLD Snooping Commands | ipv6 mld snooping immediate-leave: This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default. Syntax: [no] ipv6 mld snooping immediate-leave Default...
  • Page 897: Show Ipv6 Mld Snooping Group

    MLD Snooping Commands | Unknown Flood Behavior : To Router Port MLD Snooping Version : Version 2 Console# show ipv6 mld snooping group: This command shows statistics about MLD Snooping groups. Syntax: show ipv6 mld snooping group Command Mode: Privileged Exec. Example: The following shows MLD Snooping group configuration information: Console#show ipv6 mld snooping group...
  • Page 898: Lldp Commands

    LLDP Commands: Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 899 | LLDP Commands | Table 146: LLDP Commands (Continued) (Command: Function, Mode). lldp basic-tlv system-name: Configures an LLDP-enabled port to advertise its system name. lldp dot1-tlv proto-ident: Configures an LLDP-enabled port to advertise the supported protocols. lldp dot1-tlv proto-vid: Configures an LLDP-enabled port to advertise port related VLAN information. lldp dot1-tlv pvid...
  • Page 900: Lldp

    LLDP Commands | lldp: This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax: [no] lldp Default Setting: Enabled. Command Mode: Global Configuration. Example: Console(config)#lldp Console(config)# lldp holdtime- This command configures the time-to-live (TTL) value sent in LLDP advertisements.
  • Page 901: Lldp Med-Fast-Start-Count

    LLDP Commands | lldp med-fast-start-count: This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Syntax: lldp med-fast-start-count packets packets - Amount of packets. (Range: 1-10 packets; Default: 4 packets) Default Setting...
  • Page 902: Lldp Refresh-Interval

    LLDP Commands | should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example: Console(config)#lldp notification-interval 30 Console(config)# lldp refresh-interval: This command configures the periodic transmit interval for LLDP advertisements.
  • Page 903: Lldp Tx-Delay

    Command Mode: Global Configuration
    Command Usage: When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
    Example:
      Console(config)#lldp reinit-delay 10
      Console(config)#
    lldp tx-delay
    This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 904: Lldp Admin-Status

    lldp admin-status
    This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
    Syntax: lldp admin-status {rx-only | tx-only | tx-rx}
            no lldp admin-status
      rx-only - Only receive LLDP PDUs.
  • Page 905: Lldp Basic-Tlv Port-Description

    enterprise specific or other starting points for the search, such as the Interface or Entity MIB. Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
  • Page 906: Lldp Basic-Tlv System-Capabilities

    lldp basic-tlv system-capabilities
    This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
    Syntax: [no] lldp basic-tlv system-capabilities
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: The system capabilities identifies the primary function(s) of the system and...
  • Page 907: Lldp Basic-Tlv System-Name

    lldp basic-tlv system-name
    This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
    Syntax: [no] lldp basic-tlv system-name
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: The system name is taken from the sysName object in RFC 3418, which...
  • Page 908: Lldp Dot1-Tlv Proto-Vid

    lldp dot1-tlv proto-vid
    This command configures an LLDP-enabled port to advertise port related VLAN information. Use the no form to disable this feature.
    Syntax: [no] lldp dot1-tlv proto-vid
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: This option advertises the port-based and protocol-based VLANs configured...
  • Page 909: Lldp Dot1-Tlv Vlan-Name

    lldp dot1-tlv vlan-name
    This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
    Syntax: [no] lldp dot1-tlv vlan-name
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: This option advertises the name of all VLANs to which this interface has...
  • Page 910: Lldp Dot3-Tlv Mac-Phy

    lldp dot3-tlv mac-phy
    This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.
    Syntax: [no] lldp dot3-tlv mac-phy
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: This option advertises MAC/PHY configuration/status which includes...
  • Page 911: Lldp Dot3-Tlv Poe

    lldp dot3-tlv poe
    This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities. Use the no form to disable this feature.
    Syntax: [no] lldp dot3-tlv poe
    Default Setting: Enabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: This option advertises Power-over-Ethernet capabilities, including whether...
  • Page 912: Lldp Med-Tlv Extpoe

    An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
    Example:
      Console(config)#interface ethernet 1/1
      Console(config-if)#lldp med-notification
      Console(config-if)#
    lldp med-tlv extpoe
    This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information.
  • Page 913: Lldp Med-Tlv Location

    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: This option advertises device details useful for inventory management, such as manufacturer, model, software version and other pertinent information.
    Example:
      Console(config)#interface ethernet 1/1
      Console(config-if)#no lldp med-tlv inventory
      Console(config-if)#
    lldp med-tlv location
    This command configures an LLDP-MED-enabled port to advertise its location identification details.
  • Page 914: Lldp Med-Tlv Network-Policy

    Command Usage: This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.
    Example:
      Console(config)#interface ethernet 1/1
      Console(config-if)#lldp med-tlv med-cap
      Console(config-if)#
    lldp med-tlv network-policy
    This command configures an LLDP-MED-enabled port to advertise its network policy configuration.
  • Page 915: Show Lldp Config

    Command Usage: This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
  • Page 916
      LLDP Port Configuration
      Interface |AdminStatus NotificationEnabled
      --------- + ----------- -------------------
      Eth 1/1   | Tx-Rx       True
      Eth 1/2   | Tx-Rx       True
      Eth 1/3   | Tx-Rx       True
      Eth 1/4   | Tx-Rx       True
      Eth 1/5   | Tx-Rx       True
      Console#show lldp config detail ethernet 1/1
      LLDP Port Configuration Detail
      Port : Eth 1/1
      Admin Status : Tx-Rx...
  • Page 917: Show Lldp Info Local-Device

      LLDP Local System Information
      Chassis Type : MAC Address
      Chassis ID : 00-01-02-03-04-05
      System Name
      System Description : DIGISOL FE L2 Switch DG-FS4528P
      System Capabilities Support : Bridge
      System Capabilities Enable : Bridge
      Management Address : 192.168.0.101 (IPv4)
      LLDP Port Information...
  • Page 918: Show Lldp Info Remote-Device

      Chassis Id : 00-01-02-03-04-05
      PortID Type : MAC Address
      PortID : 00-01-02-03-04-06
      SysName
      SysDescr : DIGISOL FE L2 Switch DG-FS4528P
      PortDescr : Ethernet Port on unit 1, port 1
      SystemCapSupported : Bridge
      SystemCapEnabled : Bridge
      Remote Management Address : 192.168.0.3 (IPv4)
  • Page 919: Show Lldp Info Statistics

      Remote power pair controlable : No
      Remote power pairs : Spare
      Remote power classification : Class1
      Remote Link Aggregation :
      Remote link aggregation capable : Yes
      Remote link aggregation enable : No
      Remote link aggregation port id : 0
      Remote Max Frame Size : 1522
      LLDP-MED Capability :
      Device Class...
  • Page 920
      Frames Invalid
      Frames Received : 12
      Frames Sent : 13
      TLVs Unrecognized : 0
      TLVs Discarded
      Neighbor Ageouts
      Console#...
  • Page 921: Domain Name Service Commands

    Domain Name Service Commands
    These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server...
  • Page 922: Ip Domain-Lookup

    Command Mode: Global Configuration
    Command Usage: Domain names are added to the end of the list one at a time. When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 923: Ip Domain-Name

    If all name servers are deleted, DNS will automatically be disabled.
    Example: This example enables DNS and then displays the configuration.
      Console(config)#ip domain-lookup
      Console(config)#end
      Console#show dns
      Domain Lookup Status:
      DNS enabled
      Default Domain Name:
      sample.com
      Domain Name List:
      sample.com.jp...
  • Page 924: Ip Host

      Domain Name List:
      Name Server List:
      Console#
    Related Commands: ip domain-list (921), ip name-server (925), ip domain-lookup (922)
    ip host
    This command creates a static entry in the DNS table that maps a host name to an IPv4 address.
  • Page 925: Ip Name-Server

    ip name-server
    This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
    Syntax: [no] ip name-server server-address1 [server-address2 … server-address6]
      server-address1 - IP address of domain-name server.
  • Page 926: Clear Dns Cache

    clear dns cache
    This command clears all entries in the DNS cache.
    Command Mode: Privileged Exec
    Example:
      Console#clear dns cache
      Console#show dns cache
      Flag Type IP Address Domain
      ------- ------- ------- --------------- ------- --------
      Console#
    clear host
    This command deletes dynamic entries from the DNS table.
  • Page 927: Show Dns

    show dns
    This command displays the configuration of the DNS service.
    Command Mode: Privileged Exec
    Example:
      Console#show dns
      Domain Lookup Status:
      DNS Enabled
      Default Domain Name:
      sample.com
      Domain Name List:
      sample.com.jp
      sample.com.uk
      Name Server List:
      192.168.1.55
      10.1.0.55
      Console#...
  • Page 928: Show Hosts

    show hosts
    This command displays the static host name-to-address mapping table.
    Command Mode: Privileged Exec
    Example: Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
      Console#show hosts
      Hostname
      Inet address...
  • Page 929: Dhcp Commands

    DHCP Commands
    These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. You can configure any VLAN interface to be automatically assigned an IP address via DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
  • Page 930: Ip Dhcp Restart

    Command Mode: Interface Configuration (VLAN)
    Command Usage: This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return. The general framework for this DHCP option is set out in RFC 2132 (Option 60).
  • Page 931: Dhcp Relay

    Example: In the following example, the device is reassigned the same address.
      Console(config)#interface vlan 1
      Console(config-if)#ip address dhcp
      Console(config-if)#exit
      Console#ip dhcp restart
      Console#show ip interface
      IP Address and Netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
      Address Mode: DHCP
      Console#...
  • Page 932: Ip Dhcp Relay Information Option

    Usage Guidelines: DHCP relay service applies to DHCP client requests received on any configured VLAN, both the management VLAN and non-management VLANs. This command is used to configure DHCP relay for host devices attached to the switch. If DHCP relay service is enabled (by specifying the address for at least one DHCP server), and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so the DHCP server will know the subnet where the client is located.
  • Page 933: Table 152: Inserting Option 82 Information - Display Description

      mac-address - Includes a MAC address field for the relay agent (that is, the MAC address of the switch’s CPU).
      ip-address - Includes the IP address field for the relay agent (that is, the IP address of the management interface).
      encode - Indicates encoding in ASCII or hexadecimal.
  • Page 934 DHCP request packets are flooded onto the VLAN which received the request if DHCP relay service is enabled on the switch, and the request packet contains a valid (i.e., non-zero) relay agent address field. DHCP reply packets received by the relay agent are handled as follows: When the relay agent receives a DHCP reply packet with Option 82 information over the management VLAN, it first ensures that the...
  • Page 935: Ip Dhcp Relay Information Policy

    ip dhcp relay information policy
    This command specifies how to handle client requests which already contain DHCP Option 82 information.
    Syntax: ip dhcp relay information policy {drop | keep | replace}
      drop - Floods the request packet onto the VLAN that received the original request instead of relaying it.
  • Page 936: Show Ip Dhcp Relay

    show ip dhcp relay
    This command displays the configuration settings for DHCP relay service.
    Command Mode: Privileged Exec
    Example:
      Console#show ip dhcp relay
      Status of DHCP relay information:
      Insertion of relay information: disabled.
      DHCP option policy :drop.
      DHCP relay-server address 192.168.0.4 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
      DHCP sub-option format: extra subtype included
      DHCP remote id sub-option: mac address (hex encoded)
  • Page 937: Ip Interface Commands

    IP Interface Commands
    An IP address may be used for management access to the switch over the network. You can manually configure a specific IP address or direct the switch to obtain an IP address from a BOOTP or DHCP server when it is powered on.
  • Page 938: Ip Address

    ip address
    This command sets the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address.
    Syntax: ip address {ip-address netmask | bootp | dhcp} [default-gateway gateway]
            no ip address
      ip-address - IP address
      netmask - Network mask for the associated IP subnet.
  • Page 939: Ip Default-Gateway

    A gateway must be defined if the management station is located in a different IP segment.
    Example: In the following example, the device is assigned an address in VLAN 1.
      Console(config)#interface vlan 1
      Console(config-if)#ip address 192.168.1.5 255.255.255.0
      Console(config-if)#
    Related Commands...
  • Page 940: Show Ip Interface

    show ip interface
    This command displays the settings of an IP interface.
    Command Mode: Normal Exec, Privileged Exec
    Example:
      Console#show ip interface
      IP Address and Netmask: 192.168.0.2 255.255.255.0 on VLAN 1,
      Address Mode: DHCP
      Console#
    Related Commands: ip address (938)
    show ip redirects...
  • Page 941
    Command Mode: Normal Exec, Privileged Exec
    Command Usage: Use the ping command to see if another site on the network can be reached. The following are some results of the ping command:
      Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
  • Page 942: Clear Arp-Cache

    clear arp-cache
    This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
    Command Mode: Privileged Exec
    Example: This example clears all dynamic entries in the ARP cache.
      Console#clear arp-cache
      This operation will delete all the dynamic entries in ARP Cache.
      Are you sure to continue this operation (y/n)?y
      Console#
    show arp...
  • Page 943: Section

    Appendices
    This section provides additional information and includes these items:
      "Software Specifications" on page 944
      "Troubleshooting" on page 948
  • Page 944: A Software Specifications

    Software Specifications
    Software Features
    Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), AAA, HTTPS, SSH, IP Filter
    Client Access Control: Access Control Lists (IP/MAC; 1000 rules per system), Port Authentication (802.1X), MAC Authentication, Web Authentication, Port Security, ARP Inspection, DHCP Snooping, IP Source Guard
    Configuration:
      100BASE-TX: 10/100 Mbps, half/full duplex
      1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex...
  • Page 945: Management Features

    VLAN Support: Up to 255 groups; port-based or tagged (802.1Q), protocol-based, private VLANs, voice VLANs, IP subnet, MAC-based, GVRP for automatic VLAN learning
    Class of Service: Supports four levels of priority; Strict or Weighted Round Robin (WRR); Layer 3/4 priority mapping: IP DSCP
    Quality of...: DiffServ supports class maps, policy maps, and service policies
  • Page 946: Standards

    RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
    Standards
      IEEE 802.1AB Link Layer Discovery Protocol
      IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities: Spanning Tree Protocol, Rapid Spanning Tree Protocol, Multiple Spanning Tree Protocol
      IEEE 802.1p Priority tags
      IEEE 802.1Q VLAN
      IEEE 802.1v Protocol-based VLANs...
  • Page 947: Management Information Bases

    Management Information Bases
      Bridge MIB (RFC 1493)
      Differentiated Services MIB (RFC 3289)
      DNS Resolver MIB (RFC 1612)
      Entity MIB (RFC 2737)
      Ether-like MIB (RFC 3635)
      Extended Bridge MIB (RFC 2674)
      Extensible SNMP Agents MIB (RFC 2742)
      Forwarding Table MIB (RFC 2096)
      IGMP MIB (RFC 2933)
      Interface Group MIB (RFC 2233)
  • Page 948: Problems Accessing The Management Interface

    Troubleshooting
    Problems Accessing the Management Interface
    Table 154: Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software
    Action:
      Be sure the switch is powered up.
      Check network cabling between the management station and the switch.
      Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
  • Page 949: B Troubleshooting

    Using System Logs
    If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 950: Glossary

    Glossary
    Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
    Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 951 Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
  • Page 952
    IEEE 802.1D: Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
    IEEE 802.1Q: VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 953 IGMP Query: On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
  • Page 954 MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
  • Page 955
    Trunk: Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
    Power over Ethernet: The IEEE 802.3af standard for providing Power over Ethernet (PoE) capabilities.
  • Page 956
    SNTP: Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.
    Secure Shell is a secure replacement for remote access functions, including Telnet.
  • Page 957 VLAN: Virtual LAN. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.