MiLAN MIL-SM24004TG User Manual

24-port + 4 combo SFP slots Gigabit Ethernet multi-layer management switch

Summary of Contents for MiLAN MIL-SM24004TG

  • Page 3 In no event shall MiLAN Technology be liable for incidental or consequential damages, costs, or expenses arising out of or in connection with the performance of the product delivered hereunder.
  • Page 4 You can reach MiLAN Technology technical support at: E-mail: support@milan.com Telephone: +1.408.744.2751 Fax: +1.408.744.2771 MiLAN Technology 1329 Moffett Park Drive Sunnyvale, CA 94089 United States of America Telephone: +1.408.744.2775 Fax: +1.408.744.2793 http://www.milan.com info@milan.com © Copyright 2005 MiLAN Technology P/N: 90000441 REV. A...
  • Page 5: Table Of Contents

    Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings Trap Receivers Saving Configuration Settings Managing System Files Chapter 3: Configuring the Switch Using the Web Interface Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu...
  • Page 6 Contents System Log Configuration Remote Log Configuration Displaying Log Messages Sending Simple Mail Transfer Protocol Alerts Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone Simple Network Management Protocol Setting Community Access Strings Specifying Trap Managers and Trap Types User Authentication Configuring the Logon Password Configuring Local/Remote Logon Authentication...
  • Page 7 Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Setting Broadcast Storm Thresholds Configuring Port Mirroring Configuring Rate Limits Showing Port Statistics Address Table Settings Setting Static Addresses Displaying the Address Table Changing the Aging Time Spanning Tree Algorithm Configuration Displaying Global Settings...
  • Page 8 Contents Mapping CoS Values to ACLs Changing Priorities Based on ACL Rules Multicast Filtering Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters Displaying Interfaces Attached to a Multicast Router Specifying Static Interfaces for a Multicast Router Displaying Port Members of Multicast Services Assigning Ports to Multicast Services Configuring Domain Name Service...
  • Page 9 disconnect show line General Commands enable disable configure show history reload exit quit System Management Commands Device Designation Commands prompt hostname User Access Commands username enable password IP Filter Commands management show management Web Server Commands ip http port ip http server ip http secure-server ip http secure-port Telnet Server Commands...
  • Page 10 Contents logging facility logging trap clear logging show logging SMTP Alert Commands logging sendmail host logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone calendar set show calendar System Status Commands...
  • Page 11 TACACS+ Client tacacs-server host tacacs-server port tacacs-server key show tacacs-server Port Security Commands port security 802.1X Port Authentication dot1x system-auth-control authentication dot1x default dot1x default dot1x max-req dot1x port-control dot1x operation-mode dot1x re-authenticate dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout tx-period show dot1x Access Control List Commands...
  • Page 12 Contents show map access-list mac match access-list mac ACL Information show access-list show access-group SNMP Commands snmp-server community snmp-server contact snmp-server location snmp-server host snmp-server enable traps show snmp DNS Commands ip host clear host ip domain-name ip domain-list ip name-server ip domain-lookup show hosts show dns...
  • Page 13 lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port-priority show lacp Address Table Commands mac-address-table static clear mac-address-table dynamic show mac-address-table mac-address-table aging-time show mac-address-table aging-time Spanning Tree Commands spanning-tree spanning-tree mode spanning-tree forward-time spanning-tree hello-time spanning-tree max-age spanning-tree priority spanning-tree pathcost method spanning-tree transmission-limit...
  • Page 14 Contents switchport ingress-filtering switchport native vlan switchport allowed vlan switchport forbidden vlan Displaying VLAN Information show vlan Configuring Private VLANs pvlan show pvlan Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext...
  • Page 15 show ip igmp snooping show mac-address-table multicast IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count ip igmp snooping query-interval ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time Static Multicast Routing Commands ip igmp snooping vlan mrouter show ip igmp snooping mrouter IP Interface Commands ip address...
  • Page 17 Tables Table 1-1. Key Features Table 1-2. System Defaults Table 3-1 Web Page Configuration Buttons Table 3-2 Switch Main Menu Table 3-3 Logging Levels Table 3-4 HTTPS System Support Table 3-5 802.1X Statistics Table 3-6 LACP Port Counters Table 3-7...
  • Page 18 Tables Table 4-27 Authentication Commands Table 4-28 Authentication Sequence Commands Table 4-29 RADIUS Client Commands Table 4-30 TACACS+ Client Commands Table 4-31 Port Security Commands Table 4-32 802.1X Port Authentication Commands Table 4-33 Access Control List Commands Table 4-34 IP ACL Commands Table 4-35 Mapping CoS Values to IP ACLs Table 4-36...
  • Page 19 Displaying Bridge Extension Configuration Figure 3-6 IP Interface Configuration - Manual Figure 3-7 IP Interface Configuration - DHCP Figure 3-8 Downloading Firmware to the Switch Figure 3-9 Setting the Startup Code Figure 3-10 Downloading Configuration Settings Figure 3-11 Setting the Startup Configuration Settings...
  • Page 20 Figures Figure 3-43 LACP - Aggregation Port Figure 3-44 LACP - Port Counters Information Figure 3-45 LACP - Port Internal Information Figure 3-46 LACP - Port Neighbors Information Figure 3-47 Port Broadcast Control Figure 3-48 Mirror Port Configuration Figure 3-49 Rate Limit Configuration Figure 3-50 Port Statistics...
  • Page 21 Figure 3-88 DNS General Configuration Figure 3-89 DNS Static Host Table Figure 3-90 DNS Cache...
  • Page 23: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 24: Description Of Software Features

    Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings. Authentication – This switch authenticates management access via the console port, Telnet or web browser.
  • Page 25 Description of Software Features Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
  • Page 26 GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can: •...
  • Page 27: System Defaults

    System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-18). The following table lists some of the basic system defaults.
  • Page 28 Introduction Table 1-2. System Defaults Function Parameter Port Configuration Admin Status Auto-negotiation Flow Control Port Capability Module Port Capability Rate Limiting Input and output limits Port Trunking Static Trunks LACP (all ports) Broadcast Storm Status Protection Broadcast Limit Rate Spanning Tree Status Protocol Fast Forwarding (Edge Port)
  • Page 29 Table 1-2. System Defaults Function Parameter IP Settings IP Address Subnet Mask Default Gateway DHCP BOOTP DNS Server Lookup Multicast Filtering IGMP Snooping System Log Status Messages Logged Messages Logged to Flash SMTP Email Alerts Event Handler SNTP Clock Synchronization System Defaults Default 0.0.0.0...
  • Page 31: Chapter 2: Initial Configuration

    (CLI). Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
  • Page 32: Required Connections

    Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
  • Page 33: Remote Connections

    IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 34: Setting Passwords

    This can be done in either of the following ways: Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
  • Page 35: Dynamic Configuration

    “netmask” is the network mask for the network. Press <Enter>. Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway.
  • Page 36: Enabling Snmp Management Access

    When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
  • Page 37: Trap Receivers

    Console(config)#snmp-server community private Console(config)# Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “snmp-server host host-address community-string,” where “host-address” is the IP address for the trap receiver and “community-string”...
  • Page 38: Managing System Files

    The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 39: Chapter 3: Configuring The Switch

    (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”...
  • Page 40: Navigating The Web Browser Interface

    The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side.
  • Page 41: Configuration Options

    Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-67.
  • Page 42: Main Menu

    Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Switch Main Menu...
  • Page 43 Table 3-2 Switch Main Menu (Continued) Menu Description 802.1X Port authentication Information Displays global configuration settings Configuration Configures protocol parameters Port Configuration Sets the authentication mode for individual ports Statistics Displays protocol statistics for the selected port Configuration Configures packet filtering based on IP or MAC addresses...
  • Page 44 802.1Q VLAN GVRP Status Enables GVRP VLAN registration protocol Basic Information Displays information on the VLAN type supported by this switch Current Table Shows the current port members of each VLAN and whether or not the port is tagged or untagged...
  • Page 45 Static Multicast Router Port Assigns ports that are attached to a neighboring multicast router Configuration IP Multicast Registration Displays all multicast groups active on this switch, including Table multicast IP addresses and VLAN ID IGMP Member Port Table Indicates multicast addresses associated with the selected...
  • Page 46 Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description General Configuration Enables DNS; configures domain name and domain list; and specifies IP address of name servers for dynamic lookup Static Host Table Configures static entries for domain name to address mapping...
  • Page 47: Basic Configuration

    Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. • Location – Specifies the system location. • Contact – Administrator responsible for the system.
  • Page 48: Displaying Switch Hardware/Software Versions

    • Loader Version – Version number of loader code. • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. • Operation Code Version – Version number of runtime code. • Role – Shows that this switch is operating as Master (i.e., operating stand-alone)...
  • Page 49: Displaying Bridge Extension Capabilities

    GMRP (GARP Multicast Registration Protocol). • Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-126.) • Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses.
  • Page 50: Figure 3-5 Displaying Bridge Extension Configuration

    Configuring the Switch • Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-111.) •...
  • Page 51: Setting The Switch's Ip Address

    This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your...
  • Page 52: Manual Configuration

    Configuring the Switch Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 IP Interface Configuration - Manual CLI –...
  • Page 53: Using Dhcp/Bootp

    In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI. Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface.
  • Page 54: Managing Firmware

    You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version.
  • Page 55: Saving Or Restoring Configuration Settings

    Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes • TFTP Server IP Address – The IP address of a TFTP server.
  • Page 56: Downloading Configuration Settings From A Server

    Web – Click System, File, Configuration. Enter the IP address of the TFTP server, enter the name of the file to download, select a file on the switch to overwrite or specify a new file name, and then click Transfer from Server.
  • Page 57: Configuring Event Logging

    Console#reload Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
  • Page 58: Remote Log Configuration

    Configuring the Switch • RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level.
  • Page 59: Figure 3-13 Remote Logs

    The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.
  • Page 60: Displaying Log Messages

    Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 61: Sending Simple Mail Transfer Protocol Alerts

    • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
  • Page 62: Figure 3-15 Enabling And Configuring Smtp Alerts

    Configuring the Switch Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove.
  • Page 63: Resetting The System

    CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 64: Setting The System Clock

    You can also manually set the clock using the CLI. (See “calendar set” on page 4-55.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 65: Setting The Time Zone

    CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp client Console(config)#sntp poll 16 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 16...
  • Page 66: Simple Network Management Protocol

    HP OpenView. Access rights to the onboard agent are controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication. The options for configuring community strings, trap functions, and restricting access to clients with specified IP addresses are described in the following sections.
  • Page 67: Specifying Trap Managers And Trap Types

    Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 68: User Authentication

    Console(config)#snmp-server host 192.168.1.19 private version 2c Console(config)#snmp-server enable traps User Authentication You can restrict management access to this switch using the following options: • Passwords – Configures the password for the current user. • Authentication Settings – Use remote authentication to configure access rights.
  • Page 69: Configuring Local/Remote Logon Authentication

    Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 70 - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) •...
  • Page 71: Figure 3-21 Authentication Server Settings

    Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI. (See “username” on page 4-26.) Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
  • Page 72: Configuring Https

    Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] •...
  • Page 73: Replacing The Default Secure-Site Certificate

    If you want this warning to be replaced by a message confirming that the connection to the switch is secure, you must obtain a unique certificate and a private key and password from a recognized certification authority.
  • Page 74: Configuring The Secure Shell

    Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key> Note: The switch must be reset for the new certificate to be activated. To reset the switch, type: Console#reload Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems.
  • Page 75 Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process: The client sends its public key to the switch.
  • Page 76: Generating The Host Key Pair

    A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
  • Page 77: Figure 3-23 Ssh Host-Key Settings

    Web – Click Security, SSH Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-23 SSH Host-Key Settings CLI –...
  • Page 78: Configuring The Ssh Server

    The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
  • Page 79: Configuring Port Security

    Console#disconnect 0 Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 80: Figure 3-25 Port Security

    Configuring the Switch • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-67). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-124).
  • Page 81: Configuring 802.1X Port Authentication

    (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client.
  • Page 82: Displaying 802.1X Global Settings

    EAP request packet to the client before it times out the authentication session. • Timeout For Quiet Period – Indicates the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.
  • Page 83: Figure 3-26 802.1X Information

    Web – Click Security, 802.1X, Information. Figure 3-26 802.1X Information CLI – This example shows the default protocol settings for 802.1X. For a description of the additional entries displayed in the CLI, see “show dot1x” on page 4-84. Console#show dot1x Global 802.1X Parameters reauth-enabled: yes reauth-period:...
  • Page 84: Configuring 802.1X Global Settings

    EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Timeout For Quiet Period – Sets the time that a switch port waits after the dot1X Max Request Count has been exceeded before attempting to acquire a new client.
  • Page 85: Configuring Port Authorization Mode

    Web – Select Security, 802.1X, Configuration. Enable dot1x globally for the switch, modify any of the parameters required, and then click Apply. Figure 3-27 802.1X Configuration CLI – This enables re-authentication and sets all of the global parameters for 802.1X.
  • Page 86: Displaying 802.1X Statistics

    Console(config)#interface ethernet 1/2 Console(config-if)#dot1x port-control auto Console(config-if)#dot1x operation-mode multi-host max-count 10 Console(config-if)# Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-5 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator.
  • Page 87: Figure 3-29 802.1X Port Statistics

    Table 3-5 802.1X Statistics (Continued) Parameter Description Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator. Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
  • Page 88: Filtering Ip Addresses For Management Access

    • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 89: Figure 3-30 Ip Filter

    Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 3-30 IP Filter CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 Console(config)#end Console#show management all-client Management Ip Filter...
  • Page 90: Access Control Lists

    Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 91: Setting The Acl Name And Type

    Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 16 characters) • Type – There are three filtering modes: - Standard: IP ACL mode that filters packets based on the source IP address.
  • Page 92: Configuring An Extended Ip Acl

    Configuring the Switch with the address for each IP packet entering the port(s) to which this ACL has been assigned. Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 93 • Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP) • Src/Dst Port – Source/destination port number for the specified protocol type. (Range: 0-65535) •...
  • Page 94: Figure 3-33 Acl Configuration - Extended Ip

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 95: Configuring A Mac Acl

    Configuring a MAC ACL Command Attributes • Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules) • Source/Destination MAC – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 96: Figure 3-34 Acl Configuration - Mac

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 97: Configuring Acl Masks

    Configuring ACL Masks You can specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL.
  • Page 98: Configuring An Ip Acl Mask

    Configuring an IP ACL Mask This mask defines the fields to check in the IP header. Command Usage • Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes.
  • Page 99: Figure 3-36 Acl Mask Configuration - Ip

    Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types.
  • Page 100: Configuring A Mac Acl Mask

    Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes •...
  • Page 101: Binding A Port To An Access Control List

    Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 102: Port Configuration

    Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply.
  • Page 103: Figure 3-39 Port - Port Information

    • Port type – Indicates the port type. (1000BASE-T or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-13.) Configuration: • Name – Interface label.
  • Page 104 • Broadcast storm – Shows if broadcast storm control is enabled or disabled. • Broadcast storm limit – Shows the broadcast storm threshold. (500 - 262143 packets per second) • Flow control – Shows if flow control is enabled or disabled.
  • Page 105: Configuring Interface Connections

    - FC - Supports flow control Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation.
  • Page 106: Figure 3-40 Port - Port Configuration

    • Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups” on page 3-69. Note: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode or Flow Control options.
  • Page 107: Creating Trunk Groups

    LACP-configured ports on another device. You can configure any number of ports on the switch as LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them.
  • Page 108: Statically Configuring A Trunk

    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-6 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 109: Enabling Lacp On Selected Ports

    ID. • If more than four ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails. • All ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
  • Page 110: Figure 3-42 Lacp Trunk Configuration

    Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-42 LACP Trunk Configuration CLI –...
  • Page 111: Configuring Lacp Parameters

    - Ports must be configured with the same system priority to join the same LAG. - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 112: Figure 3-43 Lacp - Aggregation Port

    Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 113 CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp actor system-priority 3
    Console(config-if)#lacp actor admin-key 120
    Console(config-if)#lacp actor port-priority 128
    Console(config-if)#exit
    Console(config)#interface ethernet 1/6...
  • Page 114: Displaying Lacp Port Counters

    Displaying LACP Port Counters You can display statistics for LACP protocol messages. Table 3-6 LACP Port Counters Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received on this channel group.
  • Page 115: Displaying Lacp Settings And Status For The Local Side

    Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-7 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
  • Page 116: Figure 3-45 Lacp - Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-45 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
  • Page 117: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-8 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol.
  • Page 118: Setting Broadcast Storm Thresholds

    • Broadcast Storm Control is enabled by default. • The default threshold is 500 packets per second. • Broadcast control does not affect IP multicast traffic. • The specified threshold applies to all ports on the switch. Command Attributes • Port –...
  • Page 119: Figure 3-47 Port Broadcast Control

    Web – Click Port, Port/Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold and click Apply. Figure 3-47 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
  • Page 120: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 121: Configuring Rate Limits

    Rate limiting is configured on interfaces at the edge of a network to limit traffic coming out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 122: Showing Port Statistics

    This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each port.
  • Page 123 Table 3-9 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 124 Table 3-9 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.
  • Page 125: Figure 3-50 Port Statistics

    Port Configuration Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-50 Port Statistics
  • Page 126: Address Table Settings

    Setting Static Addresses A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 127: Displaying The Address Table

    Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 128: Figure 3-52 Dynamic Addresses

    Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-52 Dynamic Addresses CLI – This example also displays the address table entries for port 1.
  • Page 129: Changing The Aging Time

    This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 130: Displaying Global Settings

    STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network. • Bridge ID – A unique identifier for this bridge, consisting of the bridge priority and MAC address (where the address is taken from the switch system).
  • Page 131 Tree that this switch has accepted as the root device. • Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 132: Figure 3-54 Sta Information

    information that would make it return to a discarding state; otherwise, temporary data loops might result. • Root Hold Time – The interval (in seconds) during which no more than two bridge configuration protocol data units shall be transmitted by this node.
  • Page 133 CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode Spanning tree enable/disable Instance Vlans configuration Priority Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.) Root Hello Time (sec.) Root Max Age (sec.) Root Forward Delay (sec.)
  • Page 134: Configuring Global Settings

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 135 • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 136 Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65) • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
  • Page 137: Figure 3-55 Sta Configuration

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-55 STA Configuration
  • Page 138: Displaying Interface Settings

    - A port on a network segment with no other STA compliant bridging device is always forwarding. - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
  • Page 139 • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-103. •...
  • Page 140: Figure 3-56 Sta Port Information

    • Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops.
  • Page 141: Configuring Interface Settings

    • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This...
  • Page 142 • Point-to-Point – A connection to exactly one other bridge. • Shared – A connection to two or more bridges. • Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.) •...
  • Page 143: Configuring Multiple Spanning Trees

    By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region. This switch supports up to 65 instances. You should try to group VLANs which cover the same general area of your network.
  • Page 144: Figure 3-58 Mstp Vlan Configuration

    Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) • Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440;...
  • Page 145 CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 Spanning-tree information --------------------------------------------------------------- Spanning tree mode Spanning tree enable/disable Instance Vlans configuration Priority Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.) Root Hello Time (sec.) Root Max Age (sec.)
  • Page 146: Displaying Interface Settings For Mstp

    Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes • MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0) The other attributes are described under “Displaying Interface Settings,”...
  • Page 147: Configuring Interface Settings For Mstp

    • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
  • Page 148: Figure 3-60 Mstp Port Configuration

    • MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set...
  • Page 149: Vlan Configuration

    • Priority tagging Assigning Ports to VLANs Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs.
  • Page 150 VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
  • Page 151 VLAN-aware devices (including the destination host), the switch must first strip off the VLAN tag before forwarding the frame. When the switch receives a tagged frame, it will pass this frame onto the VLAN(s) indicated by the frame tag.
  • Page 152: Enabling Or Disabling Gvrp (Global Setting)

    VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled) Web – Click VLAN, 802.1Q VLAN, GVRP Status. Enable or disable GVRP, and click Apply.
  • Page 153: Displaying Current Vlans

    • VLAN ID – ID of configured VLAN (1-4094). • Up Time at Creation – Time this VLAN was created (i.e., System Up Time). • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP.
  • Page 154: Creating Vlans

    Creating VLANs Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. Command Attributes •...
  • Page 155: Adding Static Members To Vlans (Vlan Index)

    Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 156: Figure 3-65 Vlan Static Table - Adding Static Members

    • Trunk – Trunk identifier. • Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk: - Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLAN or CoS information.
  • Page 157: Adding Static Members To Vlans (Port Index)

    Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 158 STP. However, they do affect VLAN dependent BPDU frames, such as GMRP. • GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect. (See “Displaying Bridge Extension Capabilities” on page 3-11.) When disabled, any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports.
  • Page 159: Figure 3-67 Vlan Port Configuration

    • Mode – Indicates VLAN membership mode for an interface. (Default: 1Q Trunk) - 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
  • Page 160: Configuring Private Vlans

    VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Enabling Private VLANs Use the Private VLAN Status page to enable/disable the Private VLAN function.
  • Page 161: Configuring Uplink And Downlink Ports

    Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
  • Page 162: Configuring Protocol Groups

    Configuring Protocol Groups Create a protocol group for one or more protocols. Command Attributes • Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647) • Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) •...
  • Page 163: Figure 3-71 Protocol Vlan Port Configuration

    - If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Command Attributes •...
  • Page 164: Class Of Service Configuration

    Layer 2 Queue Settings Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
  • Page 165: Figure 3-72 Default Port Priority

    Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-72 Default Port Priority CLI – This example assigns a default priority of 5 to port 3.
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport priority default 5
    Console(config-if)#end
    Console#show interfaces switchport ethernet 1/3...
  • Page 166: Mapping Cos Values To Egress Queues

    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
  • Page 167: Selecting The Queue Mode

    Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 168: Setting The Service Weight For Traffic Classes

    Console# Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-128, the traffic classes are mapped to one of the eight egress queues provided for each port.
  • Page 169: Figure 3-75 Queue Scheduling

    Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply. Figure 3-75 Queue Scheduling CLI – The following example shows how to assign WRR weights to each of the priority queues.
  • Page 170: Layer 3/4 Priority Settings

    Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
  • Page 171: Mapping Ip Precedence

    Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
  • Page 172: Mapping Dscp Priority

    CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
    Console(config)#map ip precedence
    Console(config)#interface ethernet 1/1...
  • Page 173: Figure 3-78 Ip Dscp Priority

    Class of Service Value field, then click Apply. Figure 3-78 IP DSCP Priority CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
  • Page 174: Mapping Ip Port Priority

    Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
  • Page 175: Mapping Cos Values To Acls

    CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays the IP Port Priority settings for that port.
    Console(config)#map ip port
    Console(config)#interface ethernet 1/5...
  • Page 176: Changing Priorities Based On Acl Rules

    You can change traffic priorities for frames matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) This switch can change the IEEE 802.1p priority, IP Precedence, or DSCP Priority of IP frames; or change the IEEE 802.1p priority of Layer 2 frames.
  • Page 177: Figure 3-82 Acl Marker

    Command Attributes • Port – Port identifier. • Name – Name of ACL. • Type – Type of ACL (IP or MAC). • Precedence – IP Precedence value. (Range: 0-7) • DSCP – Differentiated Services Code Point value. (Range: 0-63) •...
  • Page 178: Multicast Filtering

    It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. This procedure is called multicast filtering.
  • Page 179: Configuring Igmp Snooping And Query Parameters

    (Default: Enabled) • IGMP Query Count — Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group. (Range: 2-10, Default: 2) • IGMP Query Interval — Sets the frequency at which the switch sends IGMP host-query messages.
  • Page 180: Figure 3-83 Igmp Configuration

    Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-83 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
  • Page 181: Displaying Interfaces Attached To A Multicast Router

    IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 182: Displaying Port Members Of Multicast Services

    Command Attributes • Interface – Activates the Port or Trunk scroll down list. • VLAN ID – Selects the VLAN to propagate all multicast traffic coming from the attached multicast router. • Port or Trunk – Specifies the interface attached to a multicast router.
  • Page 183: Assigning Ports To Multicast Services

    Parameters” on page 3-141. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
  • Page 184: Configuring Domain Name Service

    Console# Configuring Domain Name Service The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 185: Configuring General Dns Server Parameters

    • If there is no domain list, the default domain name is used. If there is a domain list, the default domain name is not used. • When an incomplete host name is received by the DNS server on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 186 Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-88 DNS General Configuration CLI – This example sets a default domain name and a domain list.
  • Page 187: Configuring Static Dns Host To Address Entries

    Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
  • Page 188 Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-89 DNS Static Host Table CLI – This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
  • Page 189: Displaying The Dns Cache

    Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
  • Page 190 CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache FLAG TYPE CNAME 207.46.134.222 CNAME 207.46.134.190 CNAME 207.46.134.155 CNAME 207.46.249.222 CNAME 207.46.249.27 ALIAS POINTER TO:4 CNAME 207.46.68.27 ALIAS POINTER TO:6 CNAME 65.54.131.192...
  • Page 191: Chapter 4: Command Line Interface

    Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
  • Page 192 Command Line Interface To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example, Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.254 255.255.255.0...
  • Page 193: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 194: Showing Commands

    Login by tacacs server users Display information about terminal lines version System hardware and software status vlan Switch VLAN Virtual Interface Console#show The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Information of interfaces counters...
  • Page 195: Partial Keyword Lookup

    Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Console#show s? snmp sntp...
  • Page 196: Understanding Command Modes

    You must be in Global Configuration mode to access any of the other configuration modes. Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>”...
  • Page 197: Configuration Commands

    Username: guest Password: [guest login password] CLI session with the MIL-SM24004TG 24-Port 10/100/1000 ports + 4 Gigabit SFP Combo ports L2+ Management Switch is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings.
  • Page 198: Table 4-2 Configuration Command Modes

    To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 4-2 Configuration Command Modes Mode Command Line line {console | vty} Access access-list ip standard Control List...
  • Page 199: Command Line Processing

    Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 200: Command Groups

    Controls system logs, system passwords, user name, browser management options, and a variety of other system information Flash/File Manages code image or switch configuration files Authentication Configures logon access using local or remote authentication; also configures port security and IEEE 802.1x port access control...
  • Page 201: Line Commands

    The access mode shown in the following tables is indicated by these abbreviations: NE (Normal Exec) PE (Privileged Exec) GC (Global Configuration) ACL (Access Control List Configuration) Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
  • Page 202: Line

    line This command identifies a specific line for configuration, and processes subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 203: Password

    Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  • Page 204: Exec-Timeout

    number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server.
  • Page 205: Password-Thresh

    password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold) Default Setting The default value is three attempts.
  • Page 206: Databits

    Example To set the silent time to 60 seconds, enter this command: Console(config-line)#silent-time 60 Console(config-line)# Related Commands password-thresh (4-15) databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits...
  • Page 207: Parity

    parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity • none - No parity • even - Even parity • odd - Odd parity Default Setting No parity Command Mode...
  • Page 208: Stopbits

    Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
  • Page 209: Show Line

    Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (4-41) show users (4-61) show line This command displays the terminal line’s parameters.
  • Page 210: General Commands

    General Commands
    Table 4-6 General Commands
    Command         Function
    enable          Activates privileged mode
    disable         Returns to normal mode from privileged mode
    configure       Activates global configuration mode
    show history    Shows the command history buffer
    reload          Restarts the system
    end             Returns to Privileged Exec mode
    exit            Returns to the previous configuration mode, or exits the CLI
    quit...
  • Page 211: Disable

    This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 4-6.
  • Page 212: Show History

    Related Commands end (4-23) show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
  • Page 213: End

    Command Mode Privileged Exec Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 214: Quit

    Table 4-7 System Management Commands
    Command Group         Function
    Device Designation    Configures information that uniquely identifies this switch
    User Access           Configures the basic user names and passwords for management access
    IP Filter             Configures IP addresses that are allowed management access...
  • Page 215: Device Designation Commands

    Table 4-8 Device Designation Commands
    Command                 Function
    prompt                  Customizes the prompt used in PE and NE mode
    hostname                Specifies the host name for the switch
    snmp-server contact     Sets the system contact string
    snmp-server location    Sets the system location string
    prompt This command customizes the CLI prompt.
  • Page 216: User Access Commands

    User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-11), user authentication via a remote authentication server (page 4-68), and host access authentication for specific ports (page 4-78).
  • Page 217: Enable Password

    Command Mode Global Configuration Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
  • Page 218: Ip Filter Commands

    Global Configuration Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 219: Show Management

    • When entering addresses for the same group (i.e., SNMP, Web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges. • You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.
  • Page 220: Web Server Commands

    Specifies the port to be used by the Web browser interface ip http server Allows the switch to be monitored or configured from a browser GC ip http secure-server Enables HTTPS/SSL for encrypted communications ip http secure-port...
  • Page 221: Ip Http Secure-Server

    This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s Web interface. Use the no form to disable this function. Syntax [no] ip http secure-server...
  • Page 222: Ip Http Secure-Port

    (4-63) ip http secure-port This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s Web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
  • Page 223: Telnet Server Commands

    Specifies the port to be used by the Telnet interface ip telnet server Allows the switch to be monitored or configured from Telnet ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
  • Page 224: Secure Shell Commands

    Telnet. When a client contacts the switch via the SSH protocol, the switch uses a public-key that the client must match along with a local user name and password for access authentication.
  • Page 225 Configure Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key...
  • Page 226: Ip Ssh Server

    The client sends its public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
  • Page 227: Ip Ssh Timeout

    Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 228: Ip Ssh Server-Key Size

    Command Mode Global Configuration Command Usage • The server key is a private key that is never shared outside the switch. • The host key is shared with the SSH client, and is fixed at 1024 bits. Example Console(config)#ip ssh server-key size 512...
  • Page 229: Ip Ssh Crypto Host-Key Generate

    Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate Use this command to generate the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. •...
  • Page 230: Ip Ssh Save Host-Key

    Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize dsa Console#...
  • Page 231: Show Ssh

    Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh Use this command to display the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Session-Started Console#...
  • Page 232: Show Public-Key

    show public-key Use this command to show the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 233: Event Logging Commands

    Clears messages from the logging buffer show logging Displays the state of logging configuration logging on This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process. Syntax [no] logging on Default Setting None...
  • Page 234: Logging History

    logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 235: Logging Host

    The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 236: Logging Trap

    logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 237: Show Logging

    Related Commands show logging (4-47) show logging This command displays the logging configuration, along with any system and event messages stored in memory. Syntax show logging {flash | ram | sendmail | trap} • flash - Event history stored in flash memory (i.e., permanent memory). •...
  • Page 238: Smtp Alert Commands

    The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
  • Page 239: Logging Sendmail Host

    If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval.
  • Page 240: Logging Sendmail Source-Email

    Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example This example will send email alerts for system errors from level 3 through 0.
  • Page 241: Logging Sendmail

    Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail This command enables SMTP event handling. Use the no form to disable this function.
  • Page 242: Time Commands

    • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
  • Page 243: Sntp Server

    Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
  • Page 244: Sntp Poll

    - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode Global Configuration Command Usage This command is only applicable when the switch is set to SNTP client mode. Example Console(config)#sntp poll 60 Console# Related Commands sntp client (4-52)
  • Page 245: Clock Timezone

    (4-54) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 246: Show Calendar

    Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, February 1st, 2004. Console#calendar set 15 12 34 1 February 2004 Console# show calendar This command displays the system clock. Default Setting None Command Mode...
  • Page 247: System Status Commands

    System Status Commands
    Table 4-23 System Status Commands
    Command                Function
    show startup-config    Displays the contents of the configuration file (stored in flash memory) that is used to start up the system
    show running-config    Displays the configuration data currently in use
    show system            Displays system information
    show users...
  • Page 248: Show Running-Config

    Example Console#show startup-config building startup-config, please wait... username admin access-level 15 username admin password 0 admin username guest access-level 0 username guest password 0 guest enable password level 15 0 super snmp-server community public ro snmp-server community private rw vlan database vlan 1 name DefaultVlan media ethernet state active interface vlan 1...
  • Page 249 - VLAN configuration settings for each interface - Multiple spanning tree instances (name and interfaces) - IP address configured for VLANs - Spanning tree settings - Any configured settings for the console port and Telnet Example Console#show running-config building running-config, please wait... phymap 00-00-a3-42-00-80 sntp server 0.0.0.0 0.0.0.0 0.0.0.0 snmp-server community private rw...
  • Page 250: Show System

    “FAIL,” contact your distributor for assistance. Example Console#show system System description: 24-Port 10/100/1000 ports + 4 Gigabit SFP Combo ports L2+ Management Switch System OID string: 1.3.6.1.4.1.835.6.10.51 System information System Up time: 0 days, 1 hours, 23 minutes, and 44.61 seconds System Name...
  • Page 251: Show Users

    This command displays hardware and software version information for the system. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage See “Displaying Switch Hardware/Software Versions” on page 3-10 for detailed information on the items displayed by this command. System Management Commands 0:14:14 0:00:00 192.168.1.19 0:00:06 192.168.1.19...
  • Page 252: Frame Size Commands

    Command Mode Global Configuration Command Usage • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 253: Flash/File Commands

    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 254 TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • Due to the size limit of the flash memory, the switch supports only two operation code files.
  • Page 255: Delete

    \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.0.19 Source certificate file name: SS-certificate...
  • Page 256: Dir

    The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. • config - Switch configuration file. • opcode - Run-time operation code image file. • filename - Name of the file or image. If this file exists but contains errors, information on this file cannot be shown.
  • Page 257: Whichboot

    Example The following example shows how to display all file information: Console#dir file name -------------------------------- -------------- ------- ----------- Unit1: Diag.bix Boot-Rom image V1204 Operation Code Factory_Default_Config.cfg startup ------------------------------------------------------------------- Console# whichboot This command displays which files were booted when the system powered up. Default Setting None Command Mode...
  • Page 258: Authentication Commands

    (4-66) whichboot (4-67) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1x.
  • Page 259: Authentication Sequence

    Authentication Sequence
    Table 4-28 Authentication Sequence Commands
    Command                  Function
    authentication login     Defines logon authentication method and precedence
    authentication enable    Defines the authentication method and precedence for command mode change
    authentication login This command defines the login authentication method and precedence. Use the no form to restore the default.
  • Page 260: Authentication Enable

    authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-20). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable...
  • Page 261: Radius Client

    RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Table 4-29 RADIUS Client Commands Command...
  • Page 262: Radius-Server Key

    This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1 - 30) Default Setting Command Mode...
  • Page 263: Radius-Server Timeout

    RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting Command Mode Global Configuration...
  • Page 264: Tacacs+ Client

    TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Table 4-30 TACACS+ Client Commands Command...
  • Page 265: Tacacs-Server Key

    Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
  • Page 266: Port Security Commands

    MAC address that is unknown or has been previously learned from another port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.
  • Page 267 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 268: 802.1X Port Authentication

    802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 269: Authentication Dot1X Default

    Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
  • Page 270: Dot1X Port-Control

    Command Mode Global Configuration Example Console(config)#dot1x max-req 2 Console(config)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control •...
  • Page 271: Dot1X Operation-Mode

    dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 272: Dot1X Re-Authenticate

    Console(config)#dot1x re-authentication Console(config)# dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax...
  • Page 273: Dot1X Timeout Re-Authperiod

    Console(config)#dot1x timeout re-authperiod 300 Console(config)# dot1x timeout tx-period This command sets the time that the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
  • Page 274: Show Dot1X

    show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - This is device 1.
  • Page 275 • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initialize). - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 276: Access Control List Commands

    MAC address and the Ethernet frame type (RFC 1060). The following restrictions apply to ACLs: • This switch supports ACLs for both ingress and egress filtering. However, you can only bind one IP ACL and one MAC ACL to any port for ingress filtering, and one IP ACL and one MAC ACL to any port for egress filtering.
  • Page 277: Ip Acls

    • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 278: Access-List Ip

    Table 4-34 IP ACL Commands
    Command                                Function
    mask                                   Sets a precedence mask for the ACL rules
    show access-list ip mask-precedence    Shows the ingress or egress rule masks for IP ACLs
    ip access-group                        Adds a port to an IP ACL
    show ip access-group                   Shows port assignments for IP ACLs
    map access-list ip...
  • Page 279: Permit, Deny (Standard Acl)

    Example Console(config)#access-list ip standard david Console(config-std-acl)# Related Commands permit, deny 4-89 ip access-group (4-97) show ip access-list (4-92) permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 280: Permit, Deny (Extended Acl)

    permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source}...
  • Page 281 Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 282: Show Ip Access-List

    Related Commands access-list ip (4-88) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. •...
  • Page 283: Mask (Ip Acl)

    Command Usage • A mask can only be used by all ingress ACLs or all egress ACLs. • The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a packet.
  • Page 284 Command Mode IP Mask Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered. •...
  • Page 285 This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others.
    Console(config)#access-list ip standard A2
    Console(config-std-acl)#permit any
    Console(config-std-acl)#deny host 171.69.198.102
    Console(config-std-acl)#end
    Console#show access-list
    IP standard access-list A2:
    deny host 171.69.198.102
    permit any
    Console#configure...
  • Page 286: Show Access-List Ip Mask-Precedence

    (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
    Switch(config)#access-list ip extended A6
    Switch(config-ext-acl)#permit any any
    Switch(config-ext-acl)#deny tcp any any control-flag 2 2
    Switch(config-ext-acl)#end
    Console#show access-list
    IP extended access-list A6:...
  • Page 287: Ip Access-Group

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 288: Map Access-List Ip

    Related Commands ip access-group (4-97) map access-list ip This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself.
  • Page 289: Show Map Access-List Ip

    show map access-list ip This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list ip [interface] interface • ethernet unit/port - unit - This is device 1.
  • Page 290: Show Marking

    Note that the IP frame header can include either the IP Precedence or DSCP priority type. • The precedence for priority mapping by this switch is IP Precedence or DSCP Priority, and then 802.1p priority.
  • Page 291: Mac Acls

    MAC ACLs
    Table 4-36 MAC ACL Commands
    Command                           Function
    access-list mac                   Creates a MAC ACL and enters configuration mode
    permit, deny                      Filters packets matching a specified source and destination address, packet format, and Ethernet type
    show mac access-list              Displays the rules for configured MAC ACLs
    access-list mac mask-precedence   Changes to the mode for configuring access control masks (Mode: GC)...
  • Page 292: Permit, Deny (Mac Acl)

    Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (4-102) mac access-group (4-107) show mac access-list (4-103) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 293: Show Mac Access-List

    • destination – Destination MAC address range with bitmask. • address-bitmask* – Bitmask for MAC address (in hexadecimal format). • vid – VLAN ID. (Range: 1-4095) • vid-bitmask* – VLAN bitmask. (Range: 1-4095) • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) •...
  • Page 294: Access-List Mac Mask-Precedence

    Example Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800 Console# Related Commands permit, deny (4-102) mac access-group (4-107) access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list mac mask-precedence {in | out} •...
  • Page 295: Mask (Mac Acl)

    mask (MAC ACL) This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask. Syntax [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]] •...
  • Page 296 Example This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
    Console(config)#access-list mac M4
    Console(config-mac-acl)#permit any any
    Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3
    Console(config-mac-acl)#end...
  • Page 297: Show Access-List Mac Mask-Precedence

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 298: Show Mac Access-Group

    Related Commands show mac access-list (4-103) show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 out Console# Related Commands mac access-group (4-107) map access-list mac This command sets the output queue for packets matching an ACL rule.
  • Page 299: Show Map Access-List Mac

    Example Console(config)#int eth 1/5 Console(config-if)#map access-list mac M5 cos 0 Console(config-if)# Related Commands queue cos-map (4-193) show map access-list mac (4-109) show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list mac [interface]...
  • Page 300: Match Access-List Mac

    match access-list mac This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker. Syntax match access-list mac acl_name set priority priority no match access-list mac acl_name...
  • Page 301: Acl Information

    ACL Information
    Table 4-38 ACL Information Commands
    Command             Function
    show access-list    Shows all ACLs and associated rules
    show access-group   Shows the ACLs assigned to each port
    show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 302: Snmp Commands

    SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. Table 4-39 SNMP Commands Command Function snmp-server community Sets up the community access string to permit access to...
  • Page 303: Snmp-Server Contact

    Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None...
  • Page 304: Snmp-Server Host

    • Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled. • The switch can send SNMP version 1 or version 2c notifications to a host IP address, depending on the SNMP version that the management station supports.
  • Page 305: Snmp-Server Enable Traps

    Related Commands snmp-server enable traps (4-115) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] • authentication - Keyword to issue authentication failure traps. •...
  • Page 306 Command Line Interface Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example Console#show snmp System Contact: Paul System Location: WC-19...
  • Page 307: Dns Commands

    DNS Commands These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation.
  • Page 308: Clear Host

    Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
  • Page 309: Ip Domain-List

    • Domain names are added to the end of the list one at a time. • When an incomplete host name is received by the DNS server on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 310: Ip Name-Server

    Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List:...
  • Page 311: Ip Domain-Lookup

    Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands...
  • Page 312: Show Hosts

    Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (4-118) ip name-server (4-120) show hosts...
  • Page 313: Show Dns

    show dns This command displays the configuration of the DNS server. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache.
  • Page 314: Clear Dns Cache

    clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache FLAG TYPE Console# DOMAIN...
  • Page 315: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
    Table 4-42 Interface Commands
    Command        Function
    interface      Configures an interface type and enters interface configuration mode
    description    Adds a description to an interface configuration
    speed-duplex   Configures the speed and duplex operation of a given interface when autonegotiation is disabled...
  • Page 316: Description

    Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 317: Negotiation

    Interface Configuration (Ethernet, Port Channel) Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • Page 318: Capabilities

    • symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.) Default Setting •...
  • Page 319: Flowcontrol

    Command Usage • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation.
  • Page 320: Combo-Forced-Mode

    Default Setting sfp-preferred-auto Command Mode Interface Configuration (Ethernet) Example This forces the switch to use the built-in RJ-45 port for the combination port 22. Console(config)#interface ethernet 1/22 Console(config-if)#combo-forced-mode copper-forced Console(config-if)# shutdown This command disables an interface. To restart a disabled interface, use the no form.
  • Page 321: Switchport Broadcast Packet-Rate

    • When broadcast traffic exceeds the specified threshold, packets above that threshold are dropped. • This command can enable or disable broadcast storm control for the selected interface. However, the specified threshold value applies to all ports on the switch...
  • Page 322: Clear Counters

    Command Line Interface Example The following shows how to configure broadcast storm control at 600 packets per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# clear counters This command clears statistics on an interface. Syntax clear counters interface interface •...
  • Page 323: Show Interfaces Status

    show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) • vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
  • Page 324: Show Interfaces Counters

    show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 325: Show Interfaces Switchport

    show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-6) Default Setting Shows all interfaces.
  • Page 326: Mirror Port Commands

    [rx | tx | both] no port monitor interface • interface - ethernet unit/port (source port) - unit - Switch (unit 1). - port - Port number. • rx - Mirror received packets. • tx - Mirror transmitted packets.
  • Page 327: Show Port Monitor

    However, you should avoid sending too much traffic to the destination port from multiple source ports. Example The following example configures the switch to mirror all packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 both...
  • Page 328: Rate Limit Commands

    Example The following shows mirroring configured from port 6 to port 11:
    Console(config)#interface ethernet 1/11
    Console(config-if)#port monitor ethernet 1/6
    Console(config-if)#end
    Console#show port monitor
    Port Mirroring
    -------------------------------------
    Destination port(listen port):Eth1/11
    Source port(monitored port)
    Mode
    Console#
    Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface.
  • Page 329: Link Aggregation Commands

    Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to six trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.
  • Page 330: Channel-Group

    • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch. Example The following example creates trunk 1 and then adds port 11:...
  • Page 331: Lacp

    • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. • If more than four ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 332: Lacp System-Priority

    • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 333: Lacp Admin-Key (Ethernet Interface)

    lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key • actor - The local side of an aggregate link. •...
  • Page 334: Lacp Admin-Key (Port Channel)

    Syntax lacp admin-key key [no] lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch. (Range: 0-65535) Default Setting Command Mode Interface Configuration (Port Channel) Command Usage •...
  • Page 335: Show Lacp

    Command Mode Interface Configuration (Ethernet) Command Usage • Setting a lower value indicates a higher effective priority. • If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
  • Page 336: Table 4-47 Show Lacp Counters - Display Description

    Example
    Console#show lacp 1 counters
    Port Channel : 1
    -------------------------------------------------------------------------
    Eth 1/ 1
    -------------------------------------------------------------------------
    LACPDUs Sent : 21
    LACPDUs Received : 21
    Marker Sent : 0
    Marker Received : 0
    LACPDUs Unknown Pkts : 0
    LACPDUs Illegal Pkts : 0
    Table 4-47 show lacp counters - display description Field Description...
  • Page 337: Table 4-48 Show Lacp Internal - Display Description

    Console#show lacp 1 internal
    Port Channel : 1
    -------------------------------------------------------------------------
    Oper Key : 4
    Admin Key : 0
    Eth 1/1
    -------------------------------------------------------------------------
    LACPDUs Internal : 30 sec
    LACP System Priority : 32768
    LACP Port Priority : 32768
    Admin Key : 4
    Oper Key : 4
    Admin State : defaulted, aggregation, long timeout, LACP-activity
    Oper State : distributing, collecting, synchronization, aggregation, long timeout, LACP-activity...
  • Page 338: Table 4-49 Show Lacp Neighbors - Display Description

    Console#show lacp 1 neighbors
    Port Channel 1 neighbors
    -------------------------------------------------------------------------
    Eth 1/1
    -------------------------------------------------------------------------
    Partner Admin System ID : 32768, 00-00-00-00-00-00
    Partner Oper System ID : 32768, 00-00-00-00-00-01
    Partner Admin Port Number : 1
    Partner Oper Port Number : 1
    Port Admin Priority : 32768
    Port Oper Priority : 32768
    Admin Key : 0...
  • Page 339: Address Table Commands

    Console#
    Table 4-50 show lacp sysid - display description
    Field                 Description
    Channel group         A link aggregation group configured on this switch.
    System Priority*      LACP system priority for this channel group.
    System MAC Address*   System MAC address.
    * The LACP system priority and system MAC address are concatenated to form the LAG system ID.
  • Page 340: Mac-Address-Table Static

    • port-channel channel-id (Range: 1-6) • vlan-id - VLAN ID (Range: 1-4094) • action - - delete-on-reset - Assignment lasts until the switch is reset. - permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent.
  • Page 341: Clear Mac-Address-Table Dynamic

    clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database.
  • Page 342: Show Mac-Address-Table Aging-Time

    means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address...
  • Page 343: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-52 Spanning Tree Commands Command Function spanning-tree Enables the spanning tree protocol...
  • Page 344: Spanning-Tree

    This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp no spanning-tree mode •...
  • Page 345: Spanning-Tree Forward-Time

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 346: Spanning-Tree Hello-Time

    Example Console(config)#spanning-tree forward-time 20 Console(config)# spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds.
  • Page 347: Spanning-Tree Max-Age

    Example Console(config)#spanning-tree max-age 40 Console(config)# spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
  • Page 348: Spanning-Tree Pathcost Method

    Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 349: Spanning-Tree Transmission-Limit

    Use this command to change to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. • The region name is set to the switch’s MAC address. Command Mode Global Configuration Example...
  • Page 350: Mst Vlan

    • By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 58 instances. You should try to group VLANs which cover the same general area of your network.
  • Page 351: Mst Priority

    MAC address will then become the root device. • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384.
  • Page 352: Revision

    The MST region name and revision number (page 4-162) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 353: Spanning-Tree Spanning-Disabled

    max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting Command Mode MST Configuration Command Usage...
  • Page 354: Spanning-Tree Cost

    spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 1-200,000,000) The recommended range is: •...
  • Page 355: Spanning-Tree Edge-Port

    • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 356: Spanning-Tree Portfast

    Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)# Related Commands spanning-tree portfast (4-166) spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 357: Spanning-Tree Link-Type

    • When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
  • Page 358: Spanning-Tree Mst Port-Priority

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the...
  • Page 359: Spanning-Tree Protocol-Migration

    Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e.,...
  • Page 360: Show Spanning-Tree

    Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 361: Show Spanning-Tree Mst Configuration

    Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode Spanning tree enable/disable Instance Vlans configuration Priority Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.) Root Hello Time (sec.) Root Max Age (sec.) Root Forward Delay (sec.) Max hops Remaining hops Designated Root...
  • Page 362: Vlan Commands

    Example
    Console#show spanning-tree mst configuration
    Mstp Configuration Information
    --------------------------------------------------------------
    Configuration name:00 00 a3 42 00 80
    Revision level:0
    Instance Vlans
    --------------------------------------------------------------
    1-4094
    Console#
    VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
  • Page 363: Vlan

    Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
  • Page 364: Configuring Vlan Interfaces

    • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
  • Page 365: Switchport Mode

    Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-130) switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default.
  • Page 366: Switchport Acceptable-Frame-Types

    switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
  • Page 367: Switchport Native Vlan

    Command Usage • Ingress filtering only affects tagged frames. • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 368: Switchport Allowed Vlan

    VLAN groups as a tagged member. • Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
  • Page 369: Switchport Forbidden Vlan

    Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
  • Page 370: Displaying Vlan Information

    Displaying VLAN Information
    Table 4-56 Show VLAN Commands
    Command                      Function
    show vlan                    Shows VLAN information
    show interfaces status vlan  Displays status for the specified VLAN interface
    show interfaces switchport   Displays the administrative and operational status of an interface
    show vlan This command shows VLAN information.
  • Page 371: Configuring Private Vlans

    VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the uplink port. • Private VLANs and normal VLANs can exist simultaneously within the same switch. • Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN.
  • Page 372: Show Pvlan

    This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility. To avoid these problems, you can configure this switch with protocol-based VLANs that divide the physical network into logical VLAN groups for each required protocol.
  • Page 373: Protocol-Vlan Protocol-Group (Configuring Groups)

    protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
    Syntax
    protocol-vlan protocol-group group-id [{add | remove} frame_type frame protocol-type protocol]
    no protocol-vlan protocol-group group-id
    •...
  • Page 374: Show Protocol-Vlan Protocol-Group

    Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-173), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 375: Show Interfaces Protocol-Vlan Protocol-Group

    show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. •...
  • Page 376: Gvrp And Bridge Extension Commands

    Sets the GARP timer for the selected function show garp timer Shows the GARP timer for the selected function bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting...
  • Page 377: Show Bridge-Ext

    show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-114 and “Displaying Bridge Extension Capabilities” on page 3-11 for a description of the displayed items.
  • Page 378: Show Gvrp Configuration

    show gvrp configuration This command shows if GVRP is enabled.
    Syntax
    show gvrp configuration [interface]
    interface
    • ethernet unit/port - unit - This is device 1. - port - Port number.
    • port-channel channel-id (Range: 1-6)
    Default Setting Shows both global and interface-specific configuration.
  • Page 379: Show Garp Timer

    Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
  • Page 380: Priority Commands

    The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 381: Queue Mode

    Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 382: Switchport Priority Default

    IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command.
  • Page 383: Queue Bandwidth

    queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight8 no queue bandwidth weight1...weight8 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler.
  • Page 384: Show Queue Mode

    Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
  • Page 385: Show Queue Bandwidth

    Example
    Console#show queue mode
    Queue mode: strict
    Console#
    show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues. Default Setting None Command Mode Privileged Exec
    Example
    Console#show queue bandwidth
    Information of Eth 1/1
    Queue ID Weight
    --------...
  • Page 386: Priority Commands (Layer 3 And 4)

    Example
    Console#show queue cos-map ethernet 1/1
    Information of Eth 1/1
    CoS Value     : 0 1 2 3 4 5 6 7
    Priority Queue: 0 1 2 3 4 5 6 7
    Console#
    Priority Commands (Layer 3 and 4)
    Table 4-63 Priority Commands (Layer 3 and 4)
    Command Function...
  • Page 387: Map Ip Precedence (Global Configuration)

    Example The following example shows how to enable TCP/UDP port mapping globally:
    Console(config)#map ip port
    Console(config)#
    map ip port (Interface Configuration) This command enables IP port mapping (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.
    Syntax
    map ip port port-number cos cos-value
    no map ip port port-number...
  • Page 388: Map Ip Precedence (Interface Configuration)

    Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type.
    Example The following example shows how to enable IP precedence mapping globally:
    Console(config)#map ip precedence...
  • Page 389: Map Ip Dscp (Global Configuration)

    map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 390: Show Map Ip Port

    Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-65 Mapping IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16 18, 20, 22, 24...
  • Page 391: Show Map Ip Precedence

    Default Setting None Command Mode Privileged Exec
    Example The following shows that HTTP traffic has been mapped to CoS value 0:
    Console#show map ip port ethernet 1/5
    TCP port mapping status: enabled
    Port Port no.
    --------- ---------- ---
    Eth 1/ 5
    Console#
    Related Commands map ip port (Global Configuration) (4-196)
  • Page 392: Show Map Ip Dscp

    Example
    Console#show map ip precedence ethernet 1/5
    Precedence mapping status: disabled
    Port Precedence COS
    --------- ---------- ---
    Eth 1/ 5
    Eth 1/ 5
    Eth 1/ 5
    Eth 1/ 5
    Eth 1/ 5
    Eth 1/ 5
    Eth 1/ 5
    Eth 1/ 5
    Console#
    Related Commands...
  • Page 393: Multicast Filtering Commands

    (Interface Configuration) (4-199) Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 394: Igmp Snooping Commands

    Shows the IGMP snooping and query configuration show mac-address-table Shows the IGMP snooping MAC multicast list multicast ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled...
  • Page 395: Ip Igmp Snooping Version

    Version 1. • Some commands are only enabled for IGMPv2, including ip igmp query-max-response-time and ip igmp query-timeout.
    Example The following configures the switch to use IGMP Version 1:
    Console(config)#ip igmp snooping version 1
    Console(config)#
    show ip igmp snooping This command shows the IGMP snooping configuration.
  • Page 396: Show Mac-Address-Table Multicast

    Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-141 for a description of the displayed items.
    Example The following shows the current IGMP snooping configuration:
    Console#show ip igmp snooping
    Service status: Enabled
    Querier status: Enabled
    Query count: 2
    Query interval: 125 sec
    Query max response time: 10 sec...
  • Page 397: Ip Igmp Snooping Querier

    Configures the query timeout router-port-expire-time ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode...
  • Page 398: Ip Igmp Snooping Query-Interval

    This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125) Default Setting 125 seconds...
  • Page 399: Ip Igmp Snooping Query-Max-Response-Time

    Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries...
  • Page 400: Static Multicast Routing Commands

    Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect.
    Example The following shows how to configure the default timeout to 300 seconds:
    Console(config)#ip igmp snooping router-port-expire-time 300
    Console(config)#...
  • Page 401: Show Ip Igmp Snooping Mrouter

    Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 402: Ip Interface Commands

    An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 403: Ip Dhcp Restart

    DHCP values can include the IP address, default gateway, and subnet mask). • You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch. Note: Before you can change the IP address, you must first clear the current address with the no form of this command.
  • Page 404: Ip Default-Gateway

    ip default-gateway This command establishes a static route between this switch and management stations that exist on another network segment. Use the no form to remove the static route.
    Syntax
    ip default-gateway gateway
    no ip default-gateway
    gateway - IP address of the default gateway
    Default Setting No static route is established.
  • Page 405: Show Ip Redirects

    • size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the switch adds header information. • count - Number of packets to send. (Range: 1-16, default: 5) Default Setting This command has no default for the host.
  • Page 406 Example
    Console#ping 10.1.0.9
    Type ESC to abort.
    PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 0 ms
    Ping statistics for 10.1.0.9:
    5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
    Approximate round trip times:...
  • Page 407: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security Access Control Lists IP, MAC (up to 32 lists) DHCP Client DNS Server Port Configuration 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/LH: 1000 Mbps, full duplex Flow Control Full Duplex: IEEE 802.3x...
  • Page 408: Management Features

    Software Specifications Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1, 2, 3, 9) SMTP Email Alerts Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 console port Software Loading...
  • Page 409: Management Information Bases

    Management Information Bases RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 1907) SNTP (RFC 2030) SSH (Version 2.0) TFTP (RFC 1350) Management Information Bases Bridge MIB (RFC 1493) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933)
  • Page 411: Appendix B: Troubleshooting

    • Be sure the management station has an IP address in the same subnet as the switch’s IP interface to which it is connected. • If you are trying to connect to the switch via the IP address for a tagged VLAN group, your management station, and the ports connecting intermediate switches in the network, must be configured with the appropriate tag.
  • Page 412: Using System Logs

    Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 413: Glossary

    EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification.
  • Page 414 An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups. IEEE 802.1x Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. IEEE 802.3ac Defines frame extensions for VLAN tagging.
  • Page 415 Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 416 An acronym for Management Information Base. It is a set of database objects that contains information about a specific device. Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
  • Page 417 A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Mail Transfer Protocol (SMTP) A standard host-to-host mail transport protocol that operates over TCP, port 25.
  • Page 418: User Datagram Protocol (Udp)

    Glossary User Datagram Protocol (UDP) provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
  • Page 419: Index

    Index Numerics 802.1x, port authentication 3-43, 4-78 acceptable frame type 3-120, 4-176 Access Control List See ACL Extended IP 3-53, 4-86, 4-87, 4-90 MAC 3-53, 4-86, 4-101, 4-101–4-103 Standard IP 3-53, 4-86, 4-87, 4-89 address table 3-88, 4-149 aging time 3-91, 4-152 BOOTP 3-15, 4-212 BPDU 3-92 broadcast storm, threshold 3-80, 4-131...
  • Page 420 Index HTTPS 3-34, 4-31 HTTPS, secure server 3-34, 4-31 IEEE 802.1D 3-91, 4-154 IEEE 802.1s 4-154 IEEE 802.1w 3-91, 4-154 IEEE 802.1x 3-43, 4-78 IGMP groups, displaying 3-144, 4-206 Layer 2 3-140, 4-204 query 3-140, 4-207 query, Layer 2 3-141, 4-207 snooping 3-140, 4-204 snooping, configuring 3-141, 4-204 ingress filtering 3-120, 4-176...
  • Page 421 RADIUS, logon authentication 3-31, 4-71 rate limits, setting 3-83, 4-138 restarting the system 3-25, 4-22 RSTP 3-91, 4-154 global configuration 3-92, 4-154 Secure Shell 3-36, 4-34 configuration 3-36, 4-37 Secure Shell configuration 4-37 serial port configuring 4-11 Simple Network Management Protocol See SNMP SNMP 3-28 community string 3-28, 4-112...
  • Page 424 P/N: 90000441 REV.A MIL-SM24004TG...
