AMX NXA-ENET24 Instruction Manual

24-port fast ethernet switch software management guide

Summary of Contents for AMX NXA-ENET24

  • Page 1: Instruction Manual

    NXA-ENET24 24-Port Fast Ethernet Switch Software Management Guide Control System Accessories...
  • Page 2 RMA number. AMX Corporation is not liable for any damages caused by its products or for the failure of its products to perform. This includes any lost profits, lost savings, incidental damages, or consequential damages. AMX Corporation is not liable for any claim made by a third party or by an AMX Dealer for a third party.
  • Page 3 ANY REASON AND UPON WRITTEN NOTICE TO LICENSEE. In the event that AMX terminates this License, the Licensee shall return or destroy all originals and copies of the AMX Software to AMX and certify in writing that all originals and copies have been returned or destroyed.
  • Page 5: Table Of Contents

    Table of Contents Introduction ...1 Key Features ... 1 Description of Software Features ... 2 System Defaults ... 5 Initial Configuration ...9 Connecting to the Switch... 9 Configuration Options ... 9 Required Connections... 10 Remote Connections... 11 Basic Configuration ... 11 Console Connection...
  • Page 6 Configuring SNMP ... 50 Enabling SNMP... 51 Setting Community Access Strings ... 52 Specifying Trap Managers ... 53 Configuring SNMPv3 Management Access ... 54 User Authentication... 60 Configuring User Accounts ... 60 Configuring Local/Remote Logon Authentication... 61 Configuring HTTPS ...
  • Page 7 VLAN Configuration... 131 Overview ... 131 Enabling or Disabling GVRP (Global Setting) ... 133 Displaying Basic VLAN Information ... 134 Displaying Current VLANs ... 134 Creating VLANs ... 136 Adding Static Members to VLANs (VLAN Index) ... 137 Adding Static Members to VLANs (Port Index) ... 138 Configuring VLAN Behavior for Interfaces ...
  • Page 8 Using the Command Line Interface... 171 Accessing the CLI ... 171 Console Connection... 171 Telnet Connection ... 172 Entering Commands ... 173 Keywords and Arguments ... 173 Minimum Abbreviation... 173 Command Completion ... 173 Getting Help on Commands... 173 Partial Keyword Lookup ...
  • Page 9 System Management Commands ... 194 Device Designation Commands ... 194 prompt ... 194 hostname ... 195 User Access Commands... 195 username ... 196 enable password ... 197 IP Filter Commands ... 198 management ... 198 show management... 199 Web Server Commands ... 200 ip http port ...
  • Page 10 logging sendmail level... 220 logging sendmail source-email... 220 logging sendmail destination-email ... 221 logging sendmail ... 221 show logging sendmail... 221 Time Commands ... 222 sntp client ... 222 sntp server ... 223 sntp poll... 224 show sntp ... 224 clock timezone ...
  • Page 11 radius-server key... 248 radius-server retransmit ... 248 radius-server timeout ... 248 show radius-server... 249 TACACS+ Client ... 249 tacacs-server host... 250 tacacs-server port ... 250 tacacs-server key ... 251 show tacacs-server ... 251 Port Security Commands ... 252 port security... 252 802.1x Port Authentication ...
  • Page 12 MAC ACLs ... 277 access-list mac ... 277 permit, deny (MAC ACL) ... 278 show mac access-list ... 280 access-list mac mask-precedence ... 280 mask (MAC ACL) ... 281 show access-list mac mask-precedence... 283 permit offset, deny offset (MAC ACL) ... 283 mac access-group...
  • Page 13 switchport broadcast packet-rate ... 305 clear counters... 306 show interfaces status... 307 show interfaces counters ... 308 show interfaces switchport ... 309 Mirror Port Commands ... 311 port monitor ... 311 show port monitor... 312 Rate Limit Commands... 313 rate-limit ... 313 Link Aggregation Commands ...
  • Page 14 show spanning-tree... 336 VLAN Commands ... 338 Editing VLAN Groups vlan database... 338 vlan... 339 Configuring VLAN Interfaces interface vlan... 340 switchport mode ... 341 switchport acceptable-frame-types ... 341 switchport ingress-filtering... 342 switchport native vlan... 343 switchport allowed vlan ... 343 switchport forbidden vlan ...
  • Page 15 map ip precedence (Global Configuration) ... 361 map ip precedence (Interface Configuration)... 361 map ip dscp (Global Configuration)... 362 map ip dscp (Interface Configuration) ... 362 show map ip port... 363 show map ip precedence ... 364 show map ip dscp ... 365 Multicast Filtering Commands ...
  • Page 16 clear dns cache ... 385 Software Specifications ... 387 Troubleshooting ... 391 Glossary ... 393
  • Page 17: Nxa-Enet Software Management Guide

    The NXA-ENET24 also provides a full range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 18: Key Features

    Introduction Key Features Key Features Feature Power over Ethernet Configuration Backup and Restore Authentication Access Control Lists Access Control Lists DHCP Client, Relay and Server DNS Server Port Configuration Rate Limiting Port Mirroring Port Trunking Broadcast Storm Control Static Address IEEE 802.1D Bridge Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames Spanning Tree Protocol...
  • Page 19: Nxa-Enet Software Management Guide

    Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based VLANs provide traffic security and efficient use of network bandwidth.
  • Page 20 Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity. Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation Control Protocol (LACP).
  • Page 21: Nxa-Enet Software Management Guide

    restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can: Eliminate broadcast storms which severely degrade performance in a flat network. Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
  • Page 22: System Defaults

    then sends traffic for the remote destination via the switch, which uses its own routing table to reach the destination on the other network. Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN.
  • Page 23: Nxa-Enet Software Management Guide

    System Defaults (Cont.) Web Management SNMP Port Configuration Power over Ethernet Rate Limiting Port Trunking Broadcast Storm Protection Spanning Tree Protocol HTTP Server Enabled HTTP Port Number HTTP Secure Server Enabled HTTP Secure Port Number SNMP Agent Enabled Community Strings “public”...
  • Page 24 System Defaults (Cont.) Address Table Virtual LANs Traffic Prioritization IP Settings Multicast Filtering System Log SNTP Aging Time 300 seconds Default VLAN PVID Acceptable Frame Type Ingress Filtering Disabled Switchport Mode (Egress Hybrid: tagged/untagged Mode) frames GVRP (global) Disabled GVRP (port interface) Disabled Ingress Port Priority...
  • Page 25: Nxa-Enet Software Management Guide

    Initial Configuration Connecting to the Switch Configuration Options This 24-Port Fast Ethernet PoE Switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 26: Required Connections

    Configure Class of Service (CoS) priority queuing Configure up to six static or LACP trunks Filter packets using Access Control Lists (ACLs) Enable port mirroring Set broadcast storm control on any port Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 27: Nxa-Enet Software Management Guide

    Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is assigned via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see Setting an IP Address section on page 12.
  • Page 28: Setting Passwords

    Setting Passwords If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows: 1.
  • Page 29 Manual Configuration You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
  • Page 30: Enabling Snmp Management Access

    2. At the interface-configuration mode prompt, use one of the following commands: To obtain IP settings through DHCP, type “ip address dhcp” and press <Enter>. To obtain IP settings through BOOTP, type “ip address bootp” and press <Enter>. 3.
  • Page 31: Saving Configuration Settings

    To prevent unauthorized access to the switch via SNMP, it is recommended that you change the default community strings. To configure a community string, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,”...
  • Page 32: Managing System Files

    Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: Configuration —...
  • Page 33: Configuring Power Over Ethernet

    Configuring Power over Ethernet The 24-Port Fast Ethernet PoE Switch’s 24 10/100 Mbps ports support the IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC power to be supplied to attached devices over the unused pairs of wires in the connecting Ethernet cable. Any 802.3af compliant device attached to a port can directly draw power from the switch over the Ethernet cable without requiring its own separate power source.
  • Page 35: Configuring The Switch

    Configuring the Switch Using the Web Interface This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
  • Page 36: Navigating The Web Browser Interface

    Navigating the Web Browser Interface To access the Web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “Admin” and 1988 respectively. Home Page When your Web browser connects with the switch’s Web agent, the home page is displayed as shown below.
  • Page 37: Panel Display

    Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
  • Page 38: Main Menu

    Main Menu Using the onboard Web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Switch Main Menu Menu System System Information...
  • Page 39 Switch Main Menu (Cont.) Menu Host-Key Settings Port Security 802.1x Information Configuration Port Configuration Statistics Configuration Mask Configuration Port Binding IP Filter Port Port Information Trunk Information Port Configuration Trunk Configuration Trunk Membership LACP Configuration Aggregation Port Port Counters Information Port Internal Information Port Neighbors Information Broadcast Control...
  • Page 40 Switch Main Menu (Cont.) Menu Spanning Tree Information Configuration Port Information Trunk Information Port Configuration Trunk Configuration VLAN 802.1Q VLAN GVRP Status Basic Information Current Table Static List Static Table Static Membership by Port Port Configuration Trunk Configuration Private VLAN Private VLAN Information Private VLAN Configuration...
  • Page 41 Switch Main Menu (Cont.) Menu Copy Settings ACL CoS Priority ACL Marker IGMP Snooping IGMP Configuration Multicast Router Port Information Static Multicast Router Port Configuration Assigns ports that are attached to a neighboring multicast IP Multicast Registration Table IGMP Member Port Table General Configuration Static Host Table Cache...
  • Page 42: Basic Configuration

    Basic Configuration Displaying System Information You can easily identify the system by providing a descriptive name, location and contact information. Field Attributes Model Number – The switch model number. S/W Version # – The current software version number. System Name –...
  • Page 43 Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that accesses the Command Line Interface via Telnet.) FIG. 3 System Information
  • Page 44 CLI – Specify the hostname, location and contact information. FIG. 4 General Switch Information
      Console(config)#hostname Intelligent Fast Ethernet PoE Switch
      Console(config)#snmp-server location TPS 1st Floor
      Console(config)#snmp-server contact Geoff
      Console(config)#end
      Console#show system
      System description: Intelligent Fast Ethernet PoE Switch; SW version: V2.3.2.5
      System OID string: 1.3.6.1.4.1.259.6.10.56
      System information...
  • Page 45: Displaying Switch Hardware/Software Versions

    Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board Serial Number – The serial number of the switch. Number of Ports –...
  • Page 46: Displaying Bridge Extension Capabilities

    CLI – Use the following command to display version information.
      Console#show version
      Unit1 Serial number: Service tag: Hardware version: Module A type: Module B type: Number of ports: Main power status Redundant power status :not present Agent (master) Unit ID: Loader version: Boot ROM version:...
  • Page 47: Setting The Ip Address

    GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering. Web – Click System, Bridge Extension. FIG.
  • Page 48 Management VLAN – This is the only VLAN through which you can gain management access to the switch. By default, all ports on the switch are members of VLAN 1, so a management station can be connected to any port on the switch. However, if other VLANs are configured and you change the Management VLAN, you may lose management access to the switch.
  • Page 49 Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP. Specify the Management VLAN, set the IP Address Mode to DHCP or BOOTP. Then click Apply to save your changes. The switch will broadcast a request for IP configuration settings on the next power reset.
  • Page 50: Managing Firmware

    Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can set the switch to use new firmware without overwriting the previous version.
  • Page 51 Web – Click System, File, Copy. Select “tftp to file” from the drop-down menu. Select “opcode” as the file type, then enter the IP address of the TFTP server and the source and destination file names. Click Apply. FIG.
  • Page 52: Saving Or Restoring Configuration Settings

    CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has completed the download, set the new file to start up the system and then restart the switch. To start the new firmware, enter the “reload”...
  • Page 53 file to unit - Copies a file from this switch to another unit in the stack. unit to file - Copies a file from another unit in the stack to this switch TFTP Server IP Address – The IP address of a TFTP server. File Name –...
  • Page 54 Note that you can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page. FIG. 12 Select Configuration File
  • Page 55: Console Port Settings

    Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the Web or CLI interface.
  • Page 56: Telnet Settings

    Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply. FIG. 13 Console Port Settings CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required.
  • Page 57 Command Attributes Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled) Telnet Port Number – Sets the TCP port number for Telnet on the switch. (Default: 23) Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
  • Page 58: Configuring Event Logging

      Console(config)#line vty
      Console(config-line)#login local
      Console(config-line)#password 0 secret
      Console(config-line)#timeout login response 300
      Console(config-line)#exec-timeout 0
      Console(config-line)#password-thresh 3
      Console(config-line)#end
      Console#show line
      Console configuration: Password threshold: Interactive timeout: Disabled Login timeout: Disabled Silent time: Baudrate: Databits: Parity: Stopbits: VTY configuration: Password threshold: Interactive timeout: 600 sec Login timeout: 300 sec Console#...
  • Page 59 Command Attributes System Log Status – Enables/disables the logging of debug or error messages to the logging process. Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash.
  • Page 60 CLI – Type “show log ram” to display log messages in the RAM buffer. Console#sh log ram [2] 00:00:31 2001-01-01 "Unit 1, Port 13 link-up notification." level: 6, module: 6, function: 1, and event no.: 1 [1] 00:00:31 2001-01-01 "VLAN 1 link-up notification."...
  • Page 61 CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
      Console(config)#logging on
      Console(config)#logging history ram 6
      Console(config)#
      Console#show logging flash
      Syslog logging: History logging in FLASH: level errors Console#...
  • Page 62 CLI – Enter the syslog server host IP address, choose the facility type and set the minimum level of messages to be logged.
      Console(config)#logging host 192.168.1.7
      Console(config)#logging facility 23
      Console(config)#logging trap 4
      Console(config)#
      Console#show logging trap
      Syslog logging: REMOTELOG status: REMOTELOG facility type: REMOTELOG level type:...
  • Page 63 Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server text box and then click Add. To delete an IP address, click the entry in the SMTP Server List and then click Remove.
  • Page 64: Resetting The System

    Resetting the System Web – Select System, Reset to reboot the switch. When prompted, confirm that you want to reset the switch. FIG. 19 Resetting the Switch CLI – Use the reload command to reboot the system. When restarting the system, it always runs the Power-On Self-Test.
      Console#reload
      System will be restarted, continue <y/n>? y Console#...
  • Page 65 Web – Select SNTP, Configuration. Modify any of the required parameters and click Apply. FIG. 20 Configuring SNTP CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
      Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2
      Console(config)#sntp poll 60...
  • Page 66: Configuring Snmp

    Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply. FIG. 21 Setting the Time Zone CLI - This example shows how to set the time zone for the system clock. Console(config)#clock timezone Pacific hours 8 minute 0 before-UTC 222 Console# Configuring SNMP...
  • Page 67: Enabling Snmp

    security models v1 and v2c. The following table shows the security models and levels available and the system default settings. SNMPv3 Security Models and Levels Model Level noAuthNoPriv noAuthNoPriv noAuthNoPriv noAuthNoPriv noAuthNoPriv noAuthNoPriv noAuthNoPriv AuthNoPriv AuthPriv The predefined default groups and view can be deleted from the system. Enabling SNMP Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).
  • Page 68: Setting Community Access Strings

    Setting Community Access Strings You may configure up to five community strings authorized for management access using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings. Command Attributes SNMP Community Capability –...
  • Page 69: Specifying Trap Managers

    Specifying Trap Managers Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
  • Page 70: Configuring Snmpv3 Management Access

    Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 71 Command Attributes User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters) Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) Model – The user security model; SNMP v1, v2c or v3. Level –...
  • Page 72 Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
  • Page 73 Command Attributes Group Name – The name of the SNMP group. (Range: 1-32 characters) Model – The group security model; SNMP v1, v2c or v3. Level – The security level used for the group: noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 74 CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
      Console(config)#snmp-server group v3secure v3 priv read defaultview write defaultview
      Console(config)#exit
      Console#show snmp group
      Group Name: v3secure...
  • Page 75 Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings.
  • Page 76: User Authentication

    User Authentication You can restrict management access to this switch and provide secure network access using the following options: User Accounts – Manually configure access rights on the switch for specified users. Authentication Settings – Use remote authentication to configure access rights. HTTPS Settings –...
  • Page 77: Configuring Local/Remote Logon Authentication

    Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 78 Command Usage By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol.
  • Page 79 Server Port Number – Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49) Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters) The local switch user database has to be set up by manually entering user names and passwords using the CLI.
  • Page 80: Configuring Https

    CLI – Specify all the required parameters to enable logon authentication.
      Console(config)#authentication login radius
      Console(config)#radius-server port 181
      Console(config)#radius-server key green
      Console(config)#radius-server retransmit 5
      Console(config)#radius-server timeout 10
      Console(config)#radius-server 1 host 192.168.1.25
      Console(config)#exit
      Console#show radius-server
      Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number:...
  • Page 81 A padlock icon should appear in the status bar for Internet Explorer 5.x or above and Netscape Navigator 4.x or above. The following web browsers and operating systems currently support HTTPS: HTTPS Support Web Browser Internet Explorer 5.0 or later Netscape Navigator 4.76 or later Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows To specify a secure-site certificate, see Replacing the Default Secure-site Certificate section on page 65...
  • Page 82: Configuring The Secure Shell

    secure, you must obtain a unique certificate and a private key and password from a recognized certification authority. For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased.
  • Page 83 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
  • Page 84 e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated. 1. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file.
  • Page 85 Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. FIG. 32 SSH Host-Key Settings CLI –...
  • Page 86 Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. SSH Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt.
  • Page 87: Configuring Port Security

    Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port.
  • Page 88: Configuring 802.1X Port Authentication

    Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. FIG.
  • Page 89 verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked. The operation of 802.1x on the switch requires the following: The switch must have an IP address assigned.
  • Page 90 CLI – This example enables 802.1x globally for the switch and shows the current setting. Console(config)#dot1x system-auth-control Console(config)# Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Authorized disabled disabled 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is disabled on port 26 Console#...
  • Page 91 Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1- 10; Default 2) Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client.
  • Page 92 CLI – This example sets the 802.1x parameters on port 2. For a description of the additional fields displayed in this example, see show dot1x section on page 259. Console(config)#interface ethernet 1/2 Console(config-if)#dot1x port-control auto Console(config-if)#dot1x re-authentication Console(config-if)#dot1x max-req 5 Console(config-if)#dot1x timeout quiet-period 40 Console(config-if)#dot1x timeout re-authperiod 5...
  • Page 93 Statistical Values 802.1x Statistics Parameter Rx EXPOL Start Rx EAPOL Logoff Rx EAPOL Invalid Rx EAPOL Total Rx EAP Resp/Id Rx EAP Resp/Oth Rx EAP LenError Rx Last EAPOLVer The protocol version number carried in the most recently received EAPOL frame. Rx Last EAPOLSrc The source MAC address carried in the most recently received EAPOL frame.
  • Page 94: Filtering Addresses For Snmp Client Access

    CLI – This example displays the 802.1x statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 Eth 1/4 Rx: EXPOL Start Oth LenError Last EAPOLVer Tx: EAPOL Total 2017 Console# Filtering Addresses for SNMP Client Access The switch allows you to create a list of up to 16 IP addresses or IP address groups that are allowed access to the switch via SNMP management software.
  • Page 95: Access Control Lists

    Web – Click SNMP, SNMP IP Filtering. To add a client, enter the new address, the subnet mask for a node or an address range, and then click “Add IP Filtering Entry.” FIG. 39 Filtering Addresses for SNMP Access CLI – This example allows SNMP access for a specific client Console(config)#snmp ip filter 10.1.2.3 255.255.255.255 Console(config)# Access Control Lists...
  • Page 96 You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule. When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules.
  • Page 97 CLI – This example creates a standard IP ACL named bill. Console(config)#access-list ip standard bill Console(config-std-acl)# Configuring a Standard IP ACL Command Attributes Action – An ACL can contain permit rules, deny rules, or a combination of both. (Default: Permit rules) Address Type - Specifies the filter type - Any, Host, or IP.
  • Page 98 Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 99 select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add. FIG. 42 Configuring Extended IP ACLs CLI – This example adds three rules: 1.
  • Page 100 Source/Destination Bitmask – Hexadecimal mask for source or destination MAC address. VID – VLAN ID. (Range: 1-4095) VID Mask – VLAN bitmask. (Range: 1-4095) Ethernet Type – This option can only be used to filter Ethernet II formatted packets. (Range: 600-fff hex.) A detailed listing of Ethernet protocol types can be found in RFC 1060.
  • Page 101: Configuring Acl Masks

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11- 22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 102 First create the required ACLs and the ingress or egress masks before mapping an ACL to an interface. You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
  • Page 103 Source/Destination Port Bitmask – Protocol port of rule must match this bitmask. (Range: 0-65535) Control Code Bitmask – Control flags of rule must match this bitmask. (Range: 0-63) Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range.
  • Page 104 Command Attributes Source/Destination Address Type – Use “Any” to match any address, “Host” to specify the host address for a single node, or “MAC” to specify a range of addresses. (Options: Any, Host, MAC; Default: Any) Source/Destination Bitmask – Address of rule must match this bitmask. VID Bitmask –...
  • Page 105: Binding A Port To An Access Control List

    CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. Console(config)#access-list mac M4 Console(config-mac-acl)#permit any any Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 Console(config-mac-acl)#end...
  • Page 106: Filtering Ip Addresses For Management Access

    Web – Click ACL, ACL Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. FIG.
  • Page 107 You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Command Attributes Web IP Filter – Configures IP address(es) for the web group. SNMP IP Filter – Configures IP address(es) for the SNMP group. Telnet IP Filter –...
  • Page 108: Port Configuration

    Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Command Attributes (Web) Name – Interface label. Type –...
  • Page 109 MAC address – The physical layer address for this port. (To access this item on the web, see Setting the IP Address section on page 31.) Configuration: Name – Interface label. Port admin – Shows if the interface is enabled or disabled (i.e., up or down). Speed-duplex –...
  • Page 110: Configuring Interface Connections

    CLI – This example shows the connection status for Port 13. Console#show interfaces status ethernet 1/13 Information of Eth 1/13 Basic information: Port type: Mac address: Configuration: Name: Port admin: Speed-duplex: Capabilities: Broadcast storm: Broadcast storm limit: Flow control: LACP: Port security:...
  • Page 111 Sym (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch chip only supports symmetric pause frames.) FC - Supports flow control Flow control can eliminate frame loss by “blocking”...
  • Page 112: Creating Trunk Groups

    CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 Console(config-if)#description RD SW#13 Console(config-if)#shutdown Console(config-if)#no shutdown Console(config-if)#no negotiation Console(config-if)#speed-duplex 100half Console(config-if)#flowcontrol Console(config-if)#negotiation Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 113 Statically Configuring a Trunk Command Usage When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible. To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface.
  • Page 114 CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/5 Console(config-if)#channel-group 1 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#channel-group 1...
  • Page 115 Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. FIG. 52 LACP Port Configuration CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP- enabled trunk ports on another switch to form a trunk.
  • Page 116 Ports must have the same LACP System Priority. Ports must have the same LACP port Admin Key. However, if the “port channel” Admin Key is set ( be set to the same value for a port to be allowed to join a channel group. Note –...
  • Page 117 Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 118: Lacp Port Counters

    CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode. Console(config)#interface ethernet 1/1 Console(config-if)#lacp actor system-priority 3 Console(config-if)#lacp actor admin-key 120 Console(config-if)#lacp actor port-priority 128 Console(config-if)#exit...
  • Page 119 Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. FIG. 54 Displaying LACP Port Counters Information CLI – The following example displays LACP counters for port channel 1. Console#show 1 lacp counters Channel group : 1 ------------------------------------------- ------------------------------ Eth 1/ 1 ----------------------------------------------------...
  • Page 120 Internal Configuration Information LACP Settings Field Oper Key Admin Key LACPDUs Internal LACP System Priority LACP system priority assigned to this port channel. LACP Port Priority Admin State, Oper State Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
  • Page 121 CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show 1 lacp internal Channel group : 1 ------------------------------------------------------------ ------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------ ------------- LACPDUs Internal : 30 sec...
  • Page 122 Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. FIG. 56 Displaying Remote LACP Port Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
  • Page 123: Setting Broadcast Storm Thresholds

    Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt. You can protect your network from broadcast storms by setting a threshold for broadcast traffic for all ports.
  • Page 124: Configuring Port Mirroring

    CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2. Console(config)#interface ethernet 1/1 Console(config-if)#no switchport broadcast Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#switchport broadcast packet-rate 600...
  • Page 125: Configuring Rate Limits

    Web – Click Port, Mirror. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. FIG. 58 Configuring a Mirror Port CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port.
  • Page 126: Showing Port Statistics

    CLI - This example sets the rate limit for input and output traffic passing through port 1 to 600 Mbps. Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 600 Console(config-if)#rate-limit output 600 Console(config-if)# Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 127 Port Statistics (Cont.) Parameter Transmit Discarded Packets Transmit Errors Etherlike Statistics Alignment Errors Late Collisions FCS Errors Excessive Collisions Single Collision Frames Internal MAC Transmit Errors A count of frames for which transmission on a particular interface fails due to Multiple Collision Frames Carrier Sense Errors SQE Test Errors...
  • Page 128 Port Statistics (Cont.) Parameter Fragments 64 Bytes Frames 65-127 Byte Frames 128-255 Byte Frames 256-511 Byte Frames 512-1023 Byte Frames 1024-1518 Byte Frames 1519-1536 Byte Frames Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
  • Page 129 FIG. 61 Displaying Etherlike and RMON Statistics CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 130: Power Over Ethernet Settings

    Power Over Ethernet Settings This switch can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device. Once configured to supply power, an automatic detection process is initialized by the switch that is authenticated by a PoE signature from the connected device.
  • Page 131: Setting A Switch Power Budget

    CLI – This example displays the current power status for the switch. Console#show power mainpower Unit 1 Mainpower Status Maximum Available Power : 375 watts System Operation Status : on Mainpower Consumption Software Version Console# Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source.
  • Page 132: Configuring Port Poe Power

    Web – Click PoE, followed by Power Port Status. FIG. 64 Displaying Port PoE Status CLI – This example displays the PoE status and the priority of port 1. Console#show power inline status Interface Admin ---------- ------- ---- ------------ ------------ -------- 1/ 1 enable 1/ 2...
  • Page 133: Address Table Settings

    Priority – Sets the power priority for the port. (Options: Low, high, or critical; Default: Low) Power Allocation – Sets the power budget for the port. (Range: 3000- 15400 milliwatts; Default: 15400 milliwatts) Web – Click PoE, Power Port Configuration. Enable PoE power on selected ports, set the priority and the power budget, and then click Apply.
  • Page 134: Displaying The Address Table

    * Web Only Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. FIG. 66 Mapping Ports to Static Addresses CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 135: Changing The Aging Time

    Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., Interface, MAC Address, or VLAN), the method of sorting the displayed addresses, then click FIG. 67 Displaying the MAC Dynamic Address Table CLI – This example also displays the address table entries for port 11. Console#show mac-address-table ethernet 1/11 Interface Mac Address --------- ----------------- ---- -----------------...
  • Page 136: Spanning Tree Algorithm Configuration

    CLI – This example sets the aging time to 300 seconds. Console(config)#mac-address-table aging-time 300 Console(config)# Console# Console#show mac-address-table aging-time Aging time: 300 sec. Console# Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
  • Page 137 Max Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
  • Page 138 Root Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 139: Configuring Global Settings

    Console#show spanning-tree Spanning-tree information ------------------------------------------------------------ Spanning tree mode: Spanning tree enabled/disabled: Priority: Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.): Root Forward Delay (sec.): Designated Root: Current root port: Current root cost: Number of topology changes: Last topology changes time (sec.):14139...
  • Page 140 Command Attributes Basic Configuration of Global Settings Spanning Tree State – Enables/disables STA on this switch. (Default: Enabled) Spanning Tree Type – Specifies the type of spanning tree used on this switch: STP: Spanning Tree Protocol (IEEE 802.1D; i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode) RSTP: Rapid Spanning Tree (IEEE 802.1w) RSTP is the default.
  • Page 141 Minimum: The higher of 4 or [(Max. Message Age / 2) + 1] Maximum: 30 Configuration Settings for RSTP The following attributes apply to both STP and RSTP Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
  • Page 142: Displaying Interface Settings

    CLI – This example enables Spanning Tree Protocol, and then sets the indicated attributes. Console(config)#spanning-tree Console(config)#spanning-tree mode Console(config)#spanning-tree priority 40000 Console(config)#spanning-tree hello-time 5 Console(config)#spanning-tree max-age 38 Console(config)#spanning-tree forward-time 20 Console(config)#spanning-tree pathcost method long Console(config)#spanning-tree transmission-limit 5 Console(config)# Displaying Interface Settings The STP Port Information and STP Trunk Information pages display the current status of ports and trunks in the Spanning Tree.
  • Page 143 Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto- detection, as described for Admin Link Type in STA Port Configuration on page 128. Oper Edge Port –...
  • Page 144: Configuring Interface Settings

    Auto – The switch automatically determines if the interface is attached to a point-to- point link or to shared media. Web – Click Spanning Tree, STA Port Information or STA Trunk Information. FIG. 71 Displaying STA - Port Status Information CLI –...
  • Page 145 Port – Ports only; i.e., no trunks or trunk port members. STA State – Displays current state of this port within the Spanning Tree: Discarding - Port receives STA configuration messages, but does not forward packets. Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information.
  • Page 146 Auto – The switch automatically determines if the interface is attached to a point-to- point link or to shared media. (This is the default setting.) Admin Edge Port (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
  • Page 147: Vlan Configuration

    VLAN Configuration Overview In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
  • Page 148 FIG. 73 Assigning Ports to VLANs VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 149: Enabling Or Disabling Gvrp (Global Setting)

    Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged or untagged VLANs.
  • Page 150: Displaying Basic Vlan Information

    Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes VLAN Version Number* – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
  • Page 151 Untagged Ports – Shows the untagged VLAN port members. Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list. FIG. 76 Displaying VLAN Information by Port Membership Command Attributes (CLI) VLAN – ID of configured VLAN (1-4094, no leading zeroes). Type –...
  • Page 152: Creating Vlans

    Creating VLANs Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. Command Attributes Current –...
  • Page 153: Adding Static Members To Vlans (Vlan Index)

    Console(config)#vlan database Console(config)#vlan 2 name R&D media ethernet state active Console(config)#end Console#show vlan VLAN Type ---- ------- ---------------- --------- --------------------- ------------- Static 3 Eth1/ 4 Eth1/ 5 8 Eth1/ 9 Eth1/10 Static Console(config-vlan)# Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index.
  • Page 154: Adding Static Members To Vlans (Port Index)

    Forbidden: Interface is forbidden from automatically joining the VLAN via GVRP. For more information, see Automatic VLAN Registration on page 132. None: Interface is not a member of the VLAN. Packets associated with this VLAN will not be transmitted by the interface. Trunk Member –...
  • Page 155: Configuring Vlan Behavior For Interfaces

    Web – Click VLAN, 802.1Q VLAN, VLAN Static Membership. Select an interface from the scroll-down box (Port or Trunk). Click Query to display membership information for the interface. Select a VLAN ID, and then click Add to add the interface as a tagged member, or click Remove to remove the interface.
  • Page 156 Ingress Filtering – If ingress filtering is enabled, incoming frames for VLANs which do not include this ingress port in their member set will be discarded at the ingress port. However, they do affect VLAN dependent BPDU frames, such as GMRP. Disabled) Ingress filtering only affects tagged frames.
  • Page 157: Private Vlans

    Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. FIG. 80 Configuring VLAN Ports CLI – This example sets port 1 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
  • Page 158: Displaying Current Private Vlans

    3. Use the Private VLAN Port Configuration menu (page 145) to set the port type to promiscuous (i.e., having access to all ports in the primary VLAN) or host (i.e., having access restricted to community VLAN members, and channeling all other traffic through a promiscuous port). Then assign any promiscuous ports to a primary VLAN and any host ports a secondary VLAN (i.e., community VLAN).
  • Page 159: Configuring Private Vlans

    Configuring Private VLANs The Private VLAN Configuration page is used to create/remove primary or community VLANs. Command Attributes VLAN ID – ID of configured VLAN (1-4094, no leading zeroes). Type – There are two types of VLANs within a private VLAN: Primary VLANs - Conveys traffic between promiscuous ports, and to community ports within secondary VLANs.
  • Page 160: Displaying Private Vlan Interface Information

    Web – Click Private VLAN, Private VLAN Association. Select the required primary VLAN from the scroll-down box, highlight one or more community VLANs in the Non-Association list box, and click Add to associate these entries with the selected primary VLAN. (A community VLAN can only be associated with one primary VLAN.) FIG.
  • Page 161: Configuring Private Vlan Interfaces

    Web – Click Private VLAN, Private VLAN Port Information or Private VLAN Trunk Information. FIG. 84 Displaying Private VLAN Port Information CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 162: Class Of Service Configuration

    This switch is designed with CoS to specifically support AMX’s MAX audio and video streams, maximizing audio and video performance as it is transmitted throughout the network. With four priority queues for each port, MAX’s packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 163: Setting The Default Priority For Interfaces

    Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port. Command Usage This switch provides four priority queues for each port.
  • Page 164: Mapping Cos Values To Egress Queues

    Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)#end Console#sh interfaces switchport ethernet 1/5 Information of Eth 1/5 Broadcast threshold: LACP status: Ingress rate limit: Egress rate limit: VLAN membership mode: Ingress rule: Acceptable frame type: Native VLAN: Priority for untagged traffic: 5 GVRP status: Allowed VLAN:...
  • Page 165: Traffic Classes Status

    Web – Click Priority, Traffic Classes. Mark an interface and click Select to display the current mapping of CoS values to output queues. Assign priorities to the traffic classes (i.e., output queues) for the selected interface, then click Apply. FIG. 87 Configuring Ports and Trunks for Class of Service CLI –...
  • Page 166: Selecting The Queue Mode

    Web – Click Priority, Traffic Classes Status. Check the box to enable the feature. FIG. 88 Enabling Traffic Classes Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round- Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 167: Mapping Layer 3/4 Priorities To Cos Values

    Command Attributes WRR Setting Table Weight Value – Set a new weight for the selected traffic class. (Range: 1-255) * CLI shows Queue ID. Web – Click Priority, Queue Scheduling. Select a traffic class (i.e., output queue), enter a weight, then click Apply.
  • Page 168: Selecting Ip Precedence/Dscp Priority

    Selecting IP Precedence/DSCP Priority The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature. Command Attributes – Disables both priority services. (This is the default setting.) Disabled IP Precedence IP DSCP...
  • Page 169: Mapping Dscp Priority

    Web – Click Priority, IP Precedence Priority. Select a port or trunk from the Interface field. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply. FIG. 92 Mapping IP Precedence to Class of Service Values * Mapping specific values for IP Precedence is implemented as an interface configuration command, but any changes will apply to the all interfaces on the switch.
  • Page 170 Configuring the Switch Mapping DSCP Priority IP DSCP Value 10, 12, 14, 16 18, 20, 22, 24 26, 28, 30, 32, 34, 36 38, 40, 42 46, 56 Command Attributes DSCP Priority Table Class of Service Value “0” represents low priority and “7” represents high priority. IP DSCP settings apply to all interfaces.
  • Page 171: Mapping Ip Port Priority

    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 1 to CoS value 0 on port 5, and then displays all the DSCP Priority settings.
    Console(config)#map ip dscp
    Console(config)#interface ethernet 1/5
    Console(config-if)#map ip dscp 1 cos 0
    Console(config-if)#end
    Console#show map ip dscp ethernet 1/5
    DSCP mapping status: disabled...
  • Page 172: Copy Settings

    Configuring the Switch Web – Click Priority, IP Port Priority. Select a port or trunk from the Interface field. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Add IP Port.
  • Page 173: Mapping Cos Values To Acls

    Source Interface – Specifies the port or trunk to copy settings from. Destination Interface – Specifies the ports or trunks to copy settings to. Copy Settings – Carries out the command. Web – Click Priority, Copy Settings. Select the source priority settings to be copied, enter the source port or trunk number and choose the destination interface/s to copy to, then select Copy Settings.
  • Page 174 Configuring the Switch Command Usage You must configure an ACL mask before you can map CoS values to the rule. Command Attributes Port – Selects the port on which the ACL CoS is configured. Name* – Name of ACL. Type –...
  • Page 175: Changing Priorities Based On Acl Rules

    Changing Priorities Based on ACL Rules You can change traffic priorities for frames matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) This switch can change the IEEE 802.1p priority, IP Precedence, or DSCP Priority of IP frames; or change the IEEE 802.1p priority of Layer 2 frames.
  • Page 176: Multicast Filtering

    Configuring the Switch Web – Click Priority, ACL Marker. Select a port and an ACL rule. To specify a ToS priority, mark the Precedence/DSCP check box, select Precedence or DSCP from the scroll-down box, and enter a priority. To specify an 802.1p priority, mark the 802.1p Priority check box, and enter a priority. Then click Add.
  • Page 177: Configuring Igmp Snooping And Query Parameters

    propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. This procedure is called multicast filtering. The purpose of IP multicast filtering is to optimize a switched network’s performance, so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).
  • Page 178: Displaying Interfaces Attached To A Multicast Router

    IGMP Version — Sets the protocol version for compatibility with other devices on the network. (Default: 2, Range: 1 - 2) 1. All systems on the subnet must support the same version. 2. Some attributes are only enabled for IGMPv2, including IGMP Report Delay and IGMP Query Timeout.
  • Page 179: Specifying Interfaces Attached To A Multicast Router

    VLAN ID – ID of configured VLAN (1-4094). Multicast Router List – Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch. Web – Click IGMP, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.
  • Page 180: Displaying Port Members Of Multicast Services

    Configuring the Switch Web – Click IGMP, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have completed adding interfaces to the list, click Apply. FIG.
  • Page 181: Assigning Ports To Multicast Services

    Web – Click IGMP, IP Multicast Registration Table. Select the VLAN ID and the IP address for a multicast service. The switch will display all the ports that are propagating this multicast service. FIG. 102 Displaying Port Members of Multicast Services CLI –...
  • Page 182: Configuring Domain Name Service

    Configuring the Switch Web – Click IGMP, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and then click Add. After you have completed adding ports to the member list, click Apply.
  • Page 183 When an incomplete host name is received by the DNS server on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 184: Configuring Static Dns Host To Address Entries

    CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
    Console(config)#ip domain-name sample.com
    Console(config)#ip domain-list sample.com.uk
    Console(config)#ip domain-list sample.com.jp
    Console(config)#ip name-server 192.168.1.55 10.1.0.55
    Console(config)#ip domain-lookup
    Console#show dns...
  • Page 185: Displaying The Dns Cache

    Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. FIG. 105 Mapping IP Addresses to a Host Name CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
  • Page 186 Configuring the Switch IP – The IP address associated with this record. TTL – The time to live reported by the name server. Domain – The domain name associated with this record. Web – Select DNS, Cache. FIG. 106 Displaying the DNS Cache CLI - This example displays all the resource records learned from the designated name servers.
  • Page 187: Command Line Interface

    Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 188: Telnet Connection

    Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion.
  • Page 189: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,”...
  • Page 190 Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 191: Partial Keyword Lookup

    Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Console#show s? snmp startup-config...
  • Page 192: Exec Commands

    Command Line Interface Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode).
  • Page 193: Command Line Processing

    To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
  • Page 194: Command Groups

    Command Line Interface Keystroke Commands (Cont.) Ctrl-W Esc-B Esc-D Esc-F Delete key or backspace key Command Groups The system commands can be broken down into the functional groups shown below Command Group Index Command Group Line General Time System Management Flash/File Power over Ethernet Authentication...
  • Page 195: Line Commands

    The access mode shown in the following tables is indicated by these abbreviations: NE (Normal Exec) PE (Privileged Exec) VC (VLAN Database Configuration) GC (Global Configuration) ACL (Access Control List Configuration) and DC (DHCP Pool Configuration) LC (Line Configuration) Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial port.
  • Page 196: Line

    Command Line Interface line Use this command to identify a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 197: Password

    Command Usage There are three authentication modes provided by the switch itself at login: login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. login local selects authentication via the user name and password specified by the username command (i.e., default setting).
  • Page 198: Timeout Login Response

    Command Line Interface The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
  • Page 199: Exec-Timeout

    exec-timeout Use this command to set the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0 - 65535 seconds; 0: no timeout) Default Setting CLI and Telnet: 600 seconds (10 minutes)
  • Page 200: Silent-Time

    Command Line Interface command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down. This command applies to both the local console and Telnet connections. Example To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# Related Commands...
  • Page 201: Databits

    databits Use this command to set the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits 7 - Seven data bits per character. 8 - Eight data bits per character.
  • Page 202: Speed

    Command Line Interface Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed Use this command to set the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
  • Page 203: Stopbits

    stopbits Use this command to set the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax stopbits {1 | 2} 1 - One stop bit 2 - Two stop bits Default Setting 1 stop bit Command Mode Line Configuration...
  • Page 204: Show Line

    Command Line Interface show line Use this command to display the terminal line's parameters. Syntax show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access. Default Setting Shows all lines Command Mode Normal Exec, Privileged Exec Example To show all lines, enter this command:...
  • Page 205: General Commands

    General Commands General Commands Command Function enable Activates privileged mode disable Returns to normal mode from privileged mode configure Activates global configuration mode show history Shows the contents of the command history buffer show history Shows the command history buffer reload Restarts the system Returns to Privileged Exec mode...
  • Page 206: Disable

    Command Line Interface Related Commands disable (190) enable password (197) disable Use this command to return to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.
  • Page 207: Show History

    show history Use this command to show the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands. Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history:...
  • Page 208: Reload

    reload Use this command to restart the system. When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command. Default Setting None Command Mode...
  • Page 209: Exit

    exit Use this command to return to the previous configuration mode or exit the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 210: System Management Commands

    Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. System Management Commands Command Group Device Designation User Access IP Filter Web Server Telnet Server Secure Shell...
  • Page 211: Hostname

    Example Console(config)#prompt FE-PoE FE-PoE(config)# hostname Use this command to specify or modify the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 212: Username

    Command Line Interface username Use this command to add named users, require authentication at login, specify or change a user's password (or specify that no password is required), or specify or change a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password} no username name...
  • Page 213: Enable Password

    enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. Use this command to control access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password. Syntax enable password [level level] {0 | 7} password no enable password [level level]...
  • Page 214: Ip Filter Commands

    Command Line Interface IP Filter Commands IP Filter Commands Command management show management management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]...
  • Page 215: Show Management

    Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
  • Page 216: Web Server Commands

    Command Line Interface Web Server Commands Web Server Commands Command ip http port ip http server ip http secure-server ip http secure-port Time Commands calendar set show calendar ip http port Use this command to specify the TCP port number used by the Web browser interface. Use the no form to use the default port.
  • Page 217: Ip Http Server

    ip http server Use this command to allow this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled Command Mode Global Configuration Example Console(config)#ip http server Console(config)# Related Commands ip http port (200)
  • Page 218: Ip Http Secure-Port

    The following web browsers and operating systems currently support HTTPS: HTTPS System Support Web Browser Internet Explorer 5.0 or later Netscape Navigator 4.76 or later Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 65.
  • Page 219: Telnet Server Commands

    Telnet Server Commands Telnet Server Commands Command Function ip telnet port Specifies the port to be used by the Telnet interface ip telnet server Allows the switch to be monitored or configured from Telnet ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
  • Page 220: Secure Shell Commands

    Secure Shell Commands The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 221 1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
  • Page 222: Ip Ssh Server

    Command Line Interface ip ssh server Use this command to enable the Secure Shell (SSH) server on this switch. Use the no form to disable this service. Syntax [no] ip ssh server Default Setting Disabled Command Mode Global Configuration Command Usage The SSH server supports up to four client sessions.
  • Page 223: Ip Ssh Authentication-Retries

    The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions. Example Console(config)#ip ssh timeout 60 Console(config)#...
  • Page 224: Ip Ssh Server-Key Size

    Command Line Interface ip ssh server-key size Use this command to set the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size – The size of server key. (Range: 512-896 bits) Default Setting 768 bits Command Mode...
  • Page 225: Ip Ssh Crypto Host-Key Generate

    ip ssh crypto host-key generate Use this command to generate the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs.
  • Page 226: Ip Ssh Save Host-Key

    Example Console#ip ssh crypto zeroize dsa Console# Related Commands ip ssh crypto host-key generate (209) ip ssh save host-key (210) no ip ssh server (206) ip ssh save host-key Use this command to save the host key from RAM to flash memory. Syntax ip ssh save host-key [dsa | rsa] dsa –...
  • Page 227: Show Ssh

    show ssh Use this command to display the current Secure Shell (SSH) server connections. Command Mode Privileged Exec Example Console#show ssh Connection cbc-hmac-md5 aes128-cbc-hmac-md5 Console# SSH Information Field Description Session The session number. (Range: 0-3) Version The Secure Shell version number. State The authentication negotiation state.
  • Page 228: Show Public-Key

    Command Line Interface show public-key Use this command to show the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 229: Event Logging Commands

    Event Logging Commands Event Logging Commands Command Function Time Commands calendar set Set the system clock show calendar Displays the system clock logging on Controls logging of error messages logging history Limits syslog messages saved to switch memory based on severity logging host Adds a syslog server host IP address that will receive logging messages logging facility...
  • Page 230: Logging History

    Command Line Interface logging history Use this command to limit syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 231: Logging Host

    logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 232: Logging Trap

    Command Line Interface logging trap This command enables the logging of system messages to a remote server and limits the messages saved based on severity. Use the no form to disable remote logging. Syntax [no] logging trap [level] level - One of the syslog severity levels. Messages sent include the selected level up through level 0.
  • Page 233: Show Logging

    show logging Use this command to display the logging configuration, along with any system and event messages stored in memory. Syntax show logging {flash | ram | trap} flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 234 Command Line Interface The following example displays settings for the trap function. Console#show logging trap Syslog logging: REMOTELOG status: REMOTELOG facility type: REMOTELOG level type: REMOTELOG server IP address: 192.168.1.6 REMOTELOG server IP address: 192.168.1.7 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 Console#...
  • Page 235: Smtp Alert Commands

    SMTP Alert Commands Configures SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. SMTP Commands Command logging sendmail host logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail show logging sendmail logging sendmail host This command specifies SMTP servers that will be sent alert messages.
  • Page 236: Logging Sendmail Level

    Command Line Interface logging sendmail level This command sets the severity threshold used to trigger alert messages. Syntax logging sendmail level level level - One of the system message levels (page 214). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7) Default Setting Level 7 Command Mode...
  • Page 237: Logging Sendmail Destination-Email

    logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The recipient email address for alert messages. (Range: 1-41 characters) Default Setting None Command Mode Global Configuration...
  • Page 238: Time Commands

    Command Line Interface Example Console#show logging sendmail SMTP servers ----------------------------------------------- 1. 192.168.1.4 2. 192.168.1.5 SMTP minimum severity level: 4 SMTP destination email addresses ----------------------------------------------- 1. anyone@this-company.com 2. anyone2@this-company.com SMTP source email address: SMTP status: Console# Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 239: Sntp Server

    The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001). This command enables client time requests to time servers specified via the sntp servers command.
  • Page 240: Sntp Poll

    Command Line Interface sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
  • Page 241: Clock Timezone

    clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-29 characters) hours - Number of hours before/after UTC. (Range: 1-12 hours) minutes - Number of minutes before/after UTC.
  • Page 242: Show Calendar

    Command Line Interface Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, March 21st, 2003. Console#calendar set 15 12 34 March 21 2003 Console# show calendar Use this command to display the system clock. Default Setting None Command Mode...
  • Page 243: System Status Commands

    System Status Commands System Status Commands Command show startup-config show running-config show system show users show version light unit show startup-config Use this command to display the configuration file stored in non-volatile memory that is used to start up the system. Default Setting None Command Mode...
  • Page 244: Show Running-Config

    Command Line Interface Example Console#show startup-config building startup-config, please wait... username admin access-level 15 username admin password 0 admin username guest access-level 0 username guest password 0 guest enable password level 15 0 super snmp-server community public ro snmp-server community private rw vlan database vlan 1 name DefaultVlan media ethernet state active interface ethernet 1/1...
  • Page 245 SNMP community strings Users (names, access levels, and encrypted passwords) VLAN database (VLAN ID, name and state) VLAN configuration settings for each interface IP address configured for VLANs Spanning tree settings Any configured settings for the console port and Telnet Example Console#show running-config building running-config, please wait...
  • Page 246: Show System

    Command Line Interface show system Use this command to display system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage For a description of the items shown by this command, refer to “Displaying System Information” on page 26. The POST results should all display “PASS.”...
  • Page 247: Show Version

    The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin guest Online users: Line ----------- -------- ----------------- --------------- console VTY 0 Web online users:...
  • Page 248: Light Unit

    Command Line Interface light unit Use this command to display the unit ID of a switch using its front-panel LED indicators. Syntax light unit unit unit - Specifies a unit in a switch stack to light the panel LEDs. Default Setting None Command Mode Normal Exec, Privileged Exec...
  • Page 249: Flash/File Commands

    Flash/File Commands These commands are used to manage the system code or configuration files. Flash/File Commands Command Function copy Copies a code image or a switch configuration to or from flash memory or a TFTP server delete Deletes a file or code image Displays a list of files in flash memory whichboot Displays the files booted...
  • Page 250 Command Line Interface Command Usage The system prompts for data required to complete the copy command. The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
  • Page 251 The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.0.19...
  • Page 252: Delete

    This example shows how to copy a PoE controller file from another unit in the stack. Console#copy file controller Unit <1-2>: 2 Choose controller type: 1. PoE: 2. VDSL: Source file name: PoE-test Software downloading in progress, please wait... Unit 1 done Console# delete...
  • Page 253: Dir

    Use this command to display a list of files in flash memory. Syntax dir [boot-rom | config | opcode [:filename]] The type of file or image to display includes: boot-rom - Boot ROM (or diagnostic) image file config - Switch configuration file opcode - Run-time operation code image file.
  • Page 254: Whichboot

    Command Line Interface whichboot Use this command to display which files were booted when the system powered up. Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
  • Page 255: Power Over Ethernet Commands

    Example Console(config)#boot system config: startup Console(config)# Related Commands dir (237) whichboot (238) Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the switch ports. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
  • Page 256: Power Inline

    Command Line Interface Command Usage Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
  • Page 257: Power Inline Maximum Allocation

    power inline maximum allocation Use this command to limit the power allocated to specific ports. Use the no form to restore the default setting. Syntax power inline maximum allocation [milliwatts] no power inline maximum allocation milliwatts - The maximum power budget for the port. (Range: 3000 - 15400 milliwatts).
  • Page 258: Show Power Inline Status

    Command Line Interface A device connected to a critical or high-priority port that causes the switch to exceed its budget is supplied power, but the switch drops power to one or more lower-priority ports. Power is dropped from low-priority ports in sequence starting from port number 1. Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline priority 2...
  • Page 259: Show Power Mainpower

    Example Console#show power inline status Interface Admin ---------- ------- ---- ------------ ------------ -------- 1/ 1 1/ 2 1/ 3 1/ 4 1/ 5 1/ 6 1/ 7 1/23 1/24 Console# show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Command Usage...
  • Page 260: Authentication Commands

    Command Line Interface Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1x. Authentication Commands Command Group Authentication Sequence RADIUS Client...
  • Page 261: Authentication Enable

    RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. You can specify three authentication methods in a single command to indicate the authentication sequence.
  • Page 262: Radius Client

    Command Line Interface tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
  • Page 263: Radius-Server Port

    host_alias - Symbolic name of server. (Maximum length: 20 characters) port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 264: Radius-Server Key

    Command Line Interface radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
  • Page 265: Show Radius-Server

    Command Mode Global Configuration Example Console(config)#radius-server timeout 10 Console(config)# show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: Retransmit times: Request timeout:...
  • Page 266: Tacacs-Server Host

    Command Line Interface tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server host host_ip_address no tacacs-server host host_ip_address - IP address of a TACACS+ server. Default Setting 10.11.12.13 Command Mode Global Configuration Example Console(config)#tacacs-server host 192.168.1.25 Console(config)#...
  • Page 267: Tacacs-Server Key

    tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 20 characters) Default Setting None...
  • Page 268: Port Security Commands

    Command Line Interface Port Security Commands These commands can be used to disable the learning function or manually specify secure addresses for a port. You may want to leave port security off for an initial training period (i.e., enable the learning function) to register all the current VLAN members on the selected port, and then enable port security to ensure that the port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port.
  • Page 269 If you enable port security, the switch will stop dynamically learning new addresses on the specified port. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. To use port security, first allow the switch to dynamically learn the <source MAC address, VLAN>...
  • Page 270: 802.1X Port Authentication

    Command Line Interface 802.1x Port Authentication The switch supports IEEE 802.1x (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 271: Dot1X Default

    dot1x default This command sets all configurable dot1x global and port settings to their default values. Syntax dot1x default Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 272: Dot1X Port-Control

    Command Line Interface dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 273: Dot1X Re-Authenticate

    Example Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface ethernet unit/port unit - This is device 1. port - Port number. Command Mode Privileged Exec Example Console#dot1x re-authenticate...
  • Page 274: Dot1X Timeout Quiet-Period

    Command Line Interface dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of seconds.
  • Page 275: Dot1X Timeout Tx-Period

    dot1x timeout tx-period This command sets the time that a port on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
  • Page 276 Command Line Interface 802.1X Port Summary – Displays the port access control parameters for each interface, including the following items: Status - Administrative state for port access control. Mode - Dot1x port control mode (page 256). Authorized - Authorization status (yes or n/a - not authorized). 802.1X Port Details –...
  • Page 277 Example Console#show dot1x Global 802.1X Parameters reauth-enabled: yes reauth-period: quiet-period: tx-period: supp-timeout: server-timeout: 30 reauth-max: max-req: 802.1X Port Summary Port Name 802.1X Port Details 802.1X is disabled on port 1 802.1X is enabled on port 12 Max request Quiet period Reauth period Tx period Status...
  • Page 278: Access Control List Commands

    Command Line Interface Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 279: Masks For Access Control Lists

    The order in which active ACLs are checked is as follows: 1. User-defined rules in the Egress MAC ACL for egress ports. 2. User-defined rules in the Egress IP ACL for egress ports. 3. User-defined rules in the Ingress MAC ACL for ingress ports. 4.
  • Page 280: Ip Acls

    Command Line Interface IP ACLs IP ACL Commands Command access-list ip permit, deny permit, deny show ip access-list access-list ip mask-precedence mask show access-list ip mask-precedence Shows the ingress or egress rule masks for IP ACLs PE ip access-group show ip access-group map access-list ip show map access-list ip match access-list ip...
  • Page 281: Permit, Deny (Standard Acl)

    When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
  • Page 282: Permit, Deny (Extended Acl)

    Command Line Interface Example This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Console(config-std-acl)#permit host 10.1.1.21 Console(config-std-acl)#permit 168.92.16.0 255.255.240.0 Console(config-std-acl)# Related Commands access-list ip (264) permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL.
  • Page 283 flag-bitmask – Decimal number representing the code bits to match. * Includes TCP, UDP or other protocol types. Default Setting None Command Mode Extended ACL Command Usage All new rules are appended to the end of the list. Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.
  • Page 284: Show Ip Access-List

    Command Line Interface This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any dport 80 Console(config-ext-acl)# This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”...
  • Page 285: Access-List Ip Mask-Precedence

    access-list ip mask-precedence This command changes to the IP Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list ip mask-precedence {in | out} in – Ingress mask for ingress ACLs. out –...
  • Page 286 Command Line Interface host – The address must be for a host device, not a subnetwork. source-bitmask – Source address of rule must match this bitmask. destination-bitmask – Destination address of rule must match this bitmask. precedence – Check the IP precedence field. tos –...
  • Page 287 the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any” entry. Console(config)#access-list ip standard A2 Console(config-std-acl)#permit 10.1.1.0 255.255.255.0 Console(config-std-acl)#deny 10.1.1.1 255.255.255.255 Console(config-std-acl)#exit Console(config)#access-list ip mask-precedence in Console(config-ip-mask-acl)#mask host any Console(config-ip-mask-acl)#mask 255.255.255.0 any Console(config-ip-mask-acl)# This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others.
  • Page 288: Show Access-List Ip Mask-Precedence

    Command Line Interface This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL.
  • Page 289: Ip Access-Group

    ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name {in | out} acl_name – Name of the ACL. (Maximum length: 16 characters) in – Indicates that this list applies to ingress packets. out –...
  • Page 290: Map Access-List Ip

    Command Line Interface map access-list ip This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping.
  • Page 291: Show Map Access-List Ip

    show map access-list ip This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list ip [interface] interface ethernet unit/port unit - This is device 1.
  • Page 292: Show Marking

    Command Line Interface Command Usage You must configure an ACL mask before you can change frame priorities based on an ACL rule. Traffic priorities may be included in the IEEE 802.1p priority tag. This tag is also incorporated as part of the overall IEEE 802.1Q VLAN tag. To specify this priority, use the set priority keywords.
  • Page 293: Mac Acls

    MAC ACLs MAC ACL Commands Command access-list mac permit, deny show mac access-list access-list mac mask-precedence mask show access-list mac mask-precedence Shows the ingress or egress rule masks for permit/deny offset mac access-group show mac access-group map access-list mac show map access-list mac match access-list mac show marking access-list mac...
  • Page 294: Permit, Deny (Mac Acl)

    Command Line Interface To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. An ACL can contain up to 32 rules. Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (278) mac access-group (284) show mac access-list (280)
  • Page 295 {any | host destination | destination address-bitmask} tagged-eth2 – Tagged Ethernet II packets. untagged-eth2 – Untagged Ethernet II packets. tagged-802.3 – Tagged Ethernet 802.3 packets. untagged-802.3 – Untagged Ethernet 802.3 packets. any – Any MAC source or destination address. host – A specific MAC address. source –...
  • Page 296: Show Mac Access-List

    Command Line Interface Related Commands access-list mac (277) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800...
  • Page 297: Mask (Mac Acl)

    Example Console(config)#access-list mac mask-precedence in Console(config-mac-mask-acl)# Related Commands mask (MAC ACL) (281) mac access-group (284) mask (MAC ACL) This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask. Syntax [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask}...
  • Page 298 Command Line Interface Example This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. Console(config)#access-list mac M4 Console(config-mac-acl)#permit any any Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 Console(config-mac-acl)#end...
  • Page 299: Show Access-List Mac Mask-Precedence

    show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC ACLs. Syntax show access-list mac mask-precedence [in | out] in – Ingress mask precedence for ingress ACLs. out – Egress mask precedence for egress ACLs. Command Mode Privileged Exec Example...
  • Page 300: Mac Access-Group

    Command Line Interface Packet filtering based on arbitrary offsets and data patterns can adversely affect switch throughput. Try to avoid using packet filtering based on pattern matching unless this is absolutely necessary to solve a specific problem. Example This example shows how to filter any Ethernet II packets directed to the IP address 10.1.0.23 that have the Don’t Fragment flag set.
  • Page 301: Show Mac Access-Group

    show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 out Console# Related Commands mac access-group (284) map access-list mac This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue;...
  • Page 302: Show Map Access-List Mac

    Command Line Interface Related Commands queue cos-map (357) show map access-list mac (286) show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list mac [interface] interface...
  • Page 303: Acl Information

    Command Usage You must configure an ACL mask before you can change frame priorities based on an ACL rule. Example Console(config)#interface ethernet 1/12 Console(config-if)#match access-list mac a set priority 0 Console(config-if)# Related Commands show marking (276) ACL Information ACL Information Command show access-list show access-group...
  • Page 304: Show Access-Group

    Command Line Interface show access-group This command shows the port assignments of ACLs. Command Mode Privileged Executive Example Console#show access-group Interface ethernet 1/2 IP standard access-list david MAC access-list jerry Console# SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
  • Page 305: Snmp-Server Community

    snmp-server community Use this command to define the SNMP v1 and v2c community access strings. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 306: Snmp-Server Location

    Command Line Interface Related Commands snmp-server location (290) snmp-server location Use this command to set the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None...
  • Page 307: Snmp-Server Enable Traps

    Default Setting Host Address: None SNMP Version: 1 UDP Port: 162 Command Mode Global Configuration Command Usage If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
  • Page 308: Show Snmp

    Command Line Interface authentication - Keyword to issue authentication failure traps. link-up-down - Keyword to issue link-up or link-down traps. The link-up-down trap can only be enabled/disabled via the CLI. Default Setting Issue authentication and link-up-down traps. Command Mode Global Configuration Command Usage If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent.
  • Page 309: Snmp-Server

    Example Console#show snmp SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables...
  • Page 310: Snmp-Server Engine-Id

    Command Line Interface snmp-server engine-id Use this command to configure an identification string for the SNMP v3 engine. Use the no form to restore the default. Syntax snmp-server engine-id local engineid-string no snmp-server engine-id local engineid-string - String identifying the engine ID. (Range: 1-26 hexadecimal characters) Default Setting A unique engine ID is automatically generated by the switch based on its MAC address.
  • Page 311: Snmp-Server View

    Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 SNMP Engine ID Field Local SNMP engineID Local SNMP engineBoots The number of times that the engine has (re-)initialized since the snmpEngineID snmp-server view Use this command to add an SNMP view that controls user access to the MIB.
  • Page 312: Show Snmp View

    Command Line Interface This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp view Use this command to show information on the SNMP groups. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2...
  • Page 313: Show Snmp Group

    writeview* - Defines the view for write access. (1-64 characters) Default Setting readview - Every object belonging to the Internet OID space (1.3.6.1). writeview - Nothing is defined. Command Mode Global Configuration Command Usage A group sets the access policy for the assigned users. When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
  • Page 314: Snmp-Server User

    Command Line Interface Example Console#show snmp group Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: nonvolatile Row Status: active Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private...
  • Page 315: Show Snmp User

    groupname - Name of an SNMP group to which the user is assigned. (Range: 1-32 characters) v1 | v2c | v3 - Use SNMP version 1, 2c or 3. encrypted - Accepts the password as encrypted input. auth - Uses SNMPv3 with authentication. md5 | sha - Uses MD5 or SHA authentication.
  • Page 316: Interface Commands

    Command Line Interface SNMP User Field EngineId User Name Authentication Protocol Privacy Protocol Storage Type Row Status Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Interface Commands Command interface description speed-duplex...
  • Page 317: Description

    vlan vlan-id (Range: 1-4094) Default Setting None Command Mode Global Configuration Example To specify the port 25, enter the following command: Console(config)#interface ethernet 1/25 Console(config-if)# description Use this command to add a description to an interface. Use the no form to remove the description. Syntax description string no description...
  • Page 318: Negotiation

    Command Line Interface Default Setting Auto-negotiation is enabled by default. When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
  • Page 319: Capabilities

    Example The following example configures port 11 to use autonegotiation Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)# negotiation (302) speed-duplex (301) capabilities Use this command to advertise the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
  • Page 320: Flowcontrol

    Command Line Interface Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (302) speed-duplex (301) flowcontrol (304) flowcontrol Use this command to enable flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting...
  • Page 321: Shutdown

    shutdown Use this command to disable an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved.
  • Page 322: Clear Counters

    Command Line Interface Example The following shows how to configure broadcast storm control at 600 packets per second on port 5: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# clear counters Use this command to clear statistics on an interface. Syntax clear counters interface interface...
  • Page 323: Show Interfaces Status

    show interfaces status Use this command to display the status for an interface. Syntax show interfaces status [interface] interface ethernet unit/port unit - This is device 1. port - Port number. port-channel channel-id (Range: 1-6) vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
  • Page 324: Show Interfaces Counters

    Command Line Interface show interfaces counters Use this command to display interface statistics. Syntax show interfaces counters [interface] interface ethernet unit/port unit - This is device 1. port - Port number. port-channel channel-id (Range: 1-6) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 325: Show Interfaces Switchport

    show interfaces switchport Use this command to display the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface ethernet unit/port unit - This is device 1. port - Port number. port-channel channel-id (Range: 1-6) Default Setting Shows all interfaces.
  • Page 326 Command Line Interface Example This example shows the configuration setting for port 25. Console#show interfaces switchport ethernet 1/22 Information of Eth 1/22 Broadcast threshold: Enabled, 500 packets/second Lacp status: Disabled Ingress rate limit: disable,100M bits per second Egress rate limit: disable,100M bits per second VLAN membership mode: Hybrid Ingress rule: Disabled Acceptable frame type: All frames...
  • Page 327: Mirror Port Commands

    Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Mirror Port Commands Command port monitor show port monitor port monitor Use this command to configure a mirror session. Use the no form to clear a mirror session. Syntax port monitor interface [rx | tx | both] no port monitor interface...
  • Page 328: Show Port Monitor

    Command Line Interface show port monitor Use this command to display mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) unit - Switch (unit 1). port - Port number. Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror...
  • Page 329: Rate Limit Commands

    Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 330: Link Aggregation Commands

    Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 331: Channel-Group

    If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
  • Page 332 Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
  • Page 333: Lacp System-Priority

    lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 334: Lacp Admin-Key (Ethernet Interface)

    Command Line Interface lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 335: Lacp Port-Priority

    Default Setting Command Mode Interface Configuration (Port Channel) Command Usage Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 336: Show Lacp

    Command Line Interface administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner. Example Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor port-priority 128 show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} port-channel - Local identifier for a link aggregation group.
  • Page 337 Console#show lacp 1 internal Channel group : 1 ------------------------------------------------------------- ------------ Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------- ------------ LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP- activity...
  • Page 338 Command Line Interface Console#show lacp 1 neighbors Channel group 1 neighbors ------------------------------------------------------------- ------------ Eth 1/1 ------------------------------------------------------------- ------------ Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
  • Page 339: Address Table Commands

    Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Address Table Commands Command mac-address-table static clear mac-address-table dynamic show mac-address-table mac-address-table aging-time show mac-address-table aging-time Shows the aging time for the address table mac-address-table static Use this command to map a static address to a destination port in a VLAN.
  • Page 340: Clear Mac-Address-Table Dynamic

    Command Line Interface Static addresses will not be removed from the address table when a given interface link is down. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 341: Mac-Address-Table Aging-Time

    Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: Learned - Dynamic address entries Permanent - Static entry Delete-on-reset - Static entry to be deleted when system is reset The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
  • Page 342: Show Mac-Address-Table Aging-Time

    Command Line Interface show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 300 sec. Console# Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
  • Page 343: Spanning-Tree Mode

    Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 344: Spanning-Tree Forward-Time

    Command Line Interface Example The following example configures the switch to use Rapid Spanning Tree. Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time Use this command to configure the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
  • Page 345: Spanning-Tree Max-Age

    Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# spanning-tree max-age Use this command to configure the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
  • Page 346: Spanning-Tree Pathcost Method

    Command Line Interface Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 347: Spanning-Tree Transmission-Limit

    spanning-tree transmission-limit Use this command to configure the minimum interval between the transmission of consecutive RSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Command Mode Global Configuration...
  • Page 348: Spanning-Tree Cost

    Command Line Interface spanning-tree cost Use this command to configure the spanning tree path cost for the specified interface. Use the no form to restore the default. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 1-200,000,000) The recommended range is: Ethernet: 200,000-20,000,000 Fast Ethernet: 20,000-2,000,000...
  • Page 349: Spanning-Tree Port-Priority

    spanning-tree port-priority Use this command to configure the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 350: Spanning-Tree Portfast

    Command Line Interface rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
  • Page 351: Spanning-Tree Link-Type

    spanning-tree link-type Use this command to configure the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting. point-to-point - Point-to-point link.
  • Page 352: Show Spanning-Tree

    Command Line Interface Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
  • Page 353 Example Console#show spanning-tree Spanning-tree information ------------------------------------------------------------- Spanning tree mode Spanning tree enable/disable Priority Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.) Root Hello Time (sec.) Root Max Age (sec.) Root Forward Delay (sec.) Designated Root Current root port Current root cost Number of topology changes Last topology changes time (sec.):1718...
  • Page 354: Vlan Commands

    Command Line Interface VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 355: Vlan

    Related Commands show vlan (345) vlan Use this command to configure a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] vlan-id - ID of configured VLAN.
  • Page 356: Configuring Vlan Interfaces

    Command Line Interface Configuring VLAN Interfaces Configuring VLAN Interfaces Command interface vlan switchport mode switchport acceptable-frame-types switchport ingress-filtering switchport native vlan switchport allowed vlan switchport gvrp switchport forbidden vlan switchport priority default interface vlan Use this command to enter interface configuration mode for VLANs, and configure a physical interface.
  • Page 357: Switchport Mode

    switchport mode Use this command to configure the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {trunk | hybrid} no switchport mode trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
  • Page 358: Switchport Ingress-Filtering

    Command Line Interface Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic passed on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged Console(config-if)#...
  • Page 359: Switchport Native Vlan

    switchport native vlan Use this command to configure the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4094, no leading zeroes) Default Setting VLAN 1 Command Mode...
  • Page 360: Switchport Forbidden Vlan

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage A port, or a trunk with switchport mode set to hybrid, must be assigned to at least one VLAN as untagged. If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member.
  • Page 361: Displaying Vlan Information

    This command prevents a VLAN from being automatically added to the specified interface via GVRP. If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface. Example The following example shows how to prevent port 1 from being added to VLAN 3: Console(config)#interface ethernet 1/1...
  • Page 362: Configuring Private Vlans

    Command Line Interface Example The following example shows how to display information for VLAN 1: Console#show vlan id 1 VLAN Type ---- ------- ----------- ------ --------- Static Eth1/5 Eth1/10 14 Eth1/15 19 Eth1/20 Console# Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLAN ports: promiscuous, and community ports.
  • Page 363: Private-Vlan

    private-vlan Use this command to create a primary or secondary (i.e., community) private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | isolated | primary} no private-vlan vlan-id vlan-id - ID of private VLAN. (Range: 1-4093, no leading zeroes). community –...
  • Page 364: Switchport Mode Private-Vlan

    Command Line Interface Default Setting None Command Mode VLAN Configuration Command Usage Secondary VLANs provide security for group members. The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN (e.g., servers configured with promiscuous ports) and to resources outside of the primary VLAN (via promiscuous ports).
  • Page 365: Switchport Private-Vlan Host-Association

    switchport private-vlan host-association Use this command to associate an interface with a secondary VLAN. Use the no form to remove this association. Syntax switchport private-vlan host-association secondary-vlan-id no switchport private-vlan host-association secondary-vlan-id – ID of secondary (i.e., community) VLAN. (Range: 1-4093, no leading zeroes). Default Setting None Command Mode...
  • Page 366: Show Vlan Private-Vlan

    Command Line Interface show vlan private-vlan Use this command to show the private VLAN configuration settings on this switch. Syntax show vlan private-vlan [community | primary] community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces. primary –...
  • Page 367: Gvrp And Bridge Extension Commands

    GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 368: Switchport Gvrp

    Command Line Interface Command Usage See “Displaying Basic VLAN Information” on page 134 and “Displaying Bridge Extension Capabilities” on page 30 for a description of the displayed items. Example Console#show bridge-ext Max support vlan numbers: 255 Max support vlan ID: 4094 Extended multicast filtering services: No Static entry individual port: Yes VLAN learning: IVL...
  • Page 369: Garp Timer

    Command Mode Normal Exec, Privileged Exec Example Console#show gvrp configuration ethernet 1/7 Eth 1/ 7: Gvrp configuration: Disabled Console# garp timer Use this command to set the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.
  • Page 370: Show Garp Timer

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#garp timer join 100 Console(config-if)# Related Commands show garp timer (354) show garp timer Use this command to show the GARP timers for the selected interface. Syntax show garp timer [interface] interface ethernet unit/port unit - This is device 1.
  • Page 371: Priority Commands

    Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 372: Switchport Priority Default

    Command Line Interface Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 373: Queue Bandwidth

    Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 queue bandwidth Use this command to assign weighted round-robin (WRR) weights to the four class of service (CoS) priority queues.
  • Page 374: Show Queue Bandwidth

    Command Line Interface Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below. Default CoS Priority Levels Queue Priority...
  • Page 375: Show Queue Cos-Map

    show queue cos-map Use this command to show the class of service priority map. Syntax show queue cos-map [interface] interface ethernet unit/port unit - This is device 1. port - Port number. port-channel channel-id (Range: 1-6) Default Setting None Command Mode Privileged Exec Example Console#show queue cos-map ethernet 1/1...
  • Page 376: Map Ip Port (Global Configuration)

    Command Line Interface map ip port (Global Configuration) Use this command to enable IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. Syntax [no] map ip port Default Setting Disabled Command Mode Global Configuration...
  • Page 377: Map Ip Precedence (Global Configuration)

    map ip precedence (Global Configuration) Use this command to enable IP precedence mapping (i.e., IP Type of Service). Use the no form to disable IP precedence mapping. Syntax [no] map ip precedence Default Setting Disabled Command Mode Global Configuration Command Usage The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
  • Page 378: Map Ip Dscp (Global Configuration)

    Command Line Interface IP Precedence values are mapped to default Class of Service values on a one-to-one basis according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues. This command sets the IP Precedence for all interfaces. Example The following example shows how to map IP precedence value 1 to CoS value 0: Console(config)#interface ethernet 1/5...
  • Page 379: Show Map Ip Port

    Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Mapping IP DSCP to CoS Values IP DSCP Value 10, 12, 14, 16 18, 20, 22, 24 26, 28, 30, 32, 34, 36 38, 40, 42...
  • Page 380: Show Map Ip Precedence

    Command Line Interface Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port Port no. COS --------- -------- --- Eth 1/ 5 Console# Related Commands...
  • Page 381: Show Map Ip Dscp

    Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --- Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Console# Related Commands map ip precedence (Global Configuration) (361)
  • Page 382: Multicast Filtering Commands

    Command Line Interface Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (362)
  • Page 383: Ip Igmp Snooping Vlan Static

    Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static Use this command to add a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface vlan-id - VLAN ID (Range: 1-4094)
  • Page 384: Ip Igmp Snooping Version

    Command Line Interface ip igmp snooping version Use this command to configure the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2} no ip igmp snooping version 1 - IGMP Version 1 2 - IGMP Version 2 Default Setting IGMP Version 2...
  • Page 385: Show Mac-Address-Table Multicast

    Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping Service status: Enabled Querier status: Enabled Query count: 2 Query interval: 125 sec Query max response time: 10 sec Query time-out: 300 sec IGMP snooping version: Version 2 Console# show mac-address-table multicast Use this command to show known multicast addresses.
  • Page 386: Igmp Query Commands (Layer 2)

    Command Line Interface IGMP Query Commands (Layer 2) IGMP Query Commands (Layer 2) Command ip igmp snooping querier ip igmp snooping query-count ip igmp snooping query-interval ip igmp snooping query-max-response-time Configures the report delay ip igmp snooping router-port-expire-time ip igmp snooping querier Use this command to enable the switch as an IGMP querier.
  • Page 387: Ip Igmp Snooping Query-Interval

    Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-max-response-time.
  • Page 388: Ip Igmp Snooping Router-Port-Expire-Time

    Command Line Interface Command Mode Global Configuration Command Usage The switch must be using IGMPv2 for this command to take effect. This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
  • Page 389: Static Multicast Routing Commands

    Related Commands ip igmp snooping version (368) Static Multicast Routing Commands Static Multicast Routing Commands Command ip igmp snooping vlan mrouter show ip igmp snooping mrouter ip igmp snooping vlan mrouter Use this command to statically configure a multicast router port. Use the no form to remove the configuration.
  • Page 390: Show Ip Igmp Snooping Mrouter

    Command Line Interface show ip igmp snooping mrouter Use this command to display information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
  • Page 391: Ip Address

    ip address Use this command to set the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address. Syntax ip address {ip-address netmask | bootp | dhcp} no ip address ip-address - IP address netmask - Network mask for the associated IP subnet.
  • Page 392: Ip Default-Gateway

    Command Line Interface Related Commands ip dhcp restart (376) ip default-gateway Use this command to establish a static route between this device and management stations that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway...
  • Page 393: Show Ip Interface

    In the following example, the device is reassigned the same address Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#exit Console#ip dhcp restart Console#show ip interface IP interface vlan IP address and netmask: 10.1.0.54 255.255.255.0 on VLAN 1, and address mode: Dhcp. Console# Related Commands ip address (375)
  • Page 394: Ping

    Command Line Interface ping Use this command to send ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] host - IP address or IP alias of the host. count - Number of packets to send. (Range: 1-16, default: 5) size - Number of bytes in a packet.
  • Page 395: Dns Commands

    DNS Commands These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
  • Page 396: Clear Host

    Command Line Interface Example This example maps two addresses to a host name. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#end Console#show hosts Hostname Inet address 10.1.0.55 192.168.1.55 Alias Console# clear host This command deletes entries from the DNS table. Syntax clear host {name | *} name - Name of the host.
  • Page 397: Ip Domain-List

    Example Console(config)#ip domain-name sample.com Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: Name Server List: Console# Related Commands ip domain-list (381) ip name-server (382) ip domain-lookup (383) ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation).
  • Page 398: Ip Name-Server

    Command Line Interface Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List:...
  • Page 399: Ip Domain-Lookup

    Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip domain-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands...
  • Page 400: Show Hosts

    Command Line Interface Related Commands ip domain-name (380) ip name-server (382) show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
  • Page 401: Clear Dns Cache

    Example Console#show dns cache FLAG pttch_pc.accton.com.tw ahten.accton.com.tw www.yahoo.akadns.net www.yahoo.akadns.net www.yahoo.akadns.net www.yahoo.akadns.net www.yahoo.akadns.net www.yahoo.akadns.net Console# Show DNS Output Description Field Description The entry number for each resource record. FLAG The flag is always “4” indicating a cache entry and therefore unreliable. TYPE This field includes CNAME which specifies the canonical or primary name for the owner, and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing...
  • Page 403: Software Specifications

    Software Specifications Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security Access Control Lists IP, MAC (up to 32 lists) Power Over Ethernet SNMPv3 Management access via MIB database Trap management to specified hosts DHCP Client, Relay, Server Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex...
  • Page 404 Software Specifications Software Specifications (Cont.) SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event) Standards IEEE 802.3 Ethernet, IEEE 802.3u Fast Ethernet IEEE 802.3x full-duplex flow control (ISO/IEC 8802-3) IEEE 802.3z Gigabit Ethernet, IEEE 802.3ab 1000BASE-T IEEE 802.3ac VLAN tagging...
  • Page 405 Software Specifications (Cont.) Management Information Bases Bridge MIB (RFC 1493) Entity MIB (RFC 2737) Ethernet MIB (RFC 2665) Ether-like MIB (RFC 1643) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933) Interface Group MIB (RFC 2233) Interfaces Evolution MIB (RFC 2863) IP Multicasting related MIBs...
  • Page 407: Troubleshooting

    Troubleshooting Troubleshooting Chart Symptom: Cannot connect using Telnet, Web browser, or SNMP software. Action: • Be sure you have configured the agent with a valid IP address, subnet mask and default gateway. • If you are trying to connect to the agent via the IP address for a tagged VLAN group, your management station must include the appropriate tag in its transmitted frames.
  • Page 409: Glossary

    Glossary Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol (ARP) ARP converts between IP addresses and MAC (i.e., hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 410 Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are...
  • Page 411 Glossary Internet Control Message Protocol (ICMP) A network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices. Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier”...
  • Page 412 Glossary Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio. Open Shortest Path First (OSPF) OSPF is a link-state routing protocol that functions better over a larger network such as the Internet, as opposed to distance-vector routing protocols such as RIP.
  • Page 413 Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Mail Transfer Protocol (SMTP) A standard host-to-host mail transport protocol that operates over TCP, port 25. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
  • Page 414 Glossary Tunneled Transport Layer Security (TTLS) A proposed wireless security protocol, developed by Funk Software and Certicom, that combines network-based certificates with other authentication such as tokens or passwords. Also known as EAP-TTLS. User Datagram Protocol (UDP) provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services.
  • Page 416 ATLANTA • BOSTON • CHICAGO • CLEVELAND • DALLAS • DENVER • INDIANAPOLIS • LOS ANGELES • MINNEAPOLIS • PHILADELPHIA • PHOENIX • PORTLAND • SPOKANE • TAMPA 3000 RESEARCH DRIVE, RICHARDSON, TX 75082 USA • 800.222.0193 • 469.624.8000 • 469-624-7153 fax • 800.932.6993 technical support • www.amx.com...

This manual is also suitable for:

Nxa-enet24poe
