SMC Networks 6128PL2 - annexe 2 Management Manual

TigerSwitch 10/100 24-Port 10/100 Managed Switch with PoE, IP Clustering and 4 Gigabit Ports

MANAGEMENT GUIDE

SMC6128PL2
TigerSwitch™ 10/100
24-Port 10/100 Managed Switch with PoE, IP Clustering and 4 Gigabit Ports

Summary of Contents for SMC Networks 6128PL2 - annexe 2

  • Page 1: Management Guide

    MANAGEMENT GUIDE SMC6128PL2 TigerSwitch 10/100 24-Port 10/100 Managed Switch with PoE, IP Clustering and 4 Gigabit Ports...
  • Page 3 TigerSwitch 10/100 Management Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions. 20 Mason, Irvine, CA 92618, Phone: (949) 679-8000. March 2008, Pub. # 149100032800A, E032008-EK-R04...
  • Page 4 No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice.
  • Page 5: Limited Warranty

    “Active” SMC product. A product is considered to be “Active” while it is listed on the current SMC price list. As new technologies emerge, older technologies become obsolete and SMC will, at its discretion, replace an older product in its product line with one that incorporates these newer technologies.
  • Page 6 WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
  • Page 7: About This Guide

    About This Guide Purpose This guide gives specific information on how to operate and use the management functions of the switch. Audience The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 9: Table Of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 10 Contents Saving or Restoring Configuration Settings 3-21 Downloading Configuration Settings from a Server 3-22 Console Port Settings 3-23 Telnet Settings 3-25 Configuring Event Logging 3-28 Displaying Log Messages 3-28 System Log Configuration 3-28 Remote Log Configuration 3-30 Simple Mail Transfer Protocol 3-32 Resetting the System 3-34...
  • Page 11 Contents Configuring the SSH Server 3-76 Generating the Host Key Pair 3-77 Importing User Public Keys 3-79 Configuring Port Security 3-82 Configuring 802.1X Port Authentication 3-83 Displaying 802.1X Global Settings 3-85 Configuring 802.1X Global Settings 3-86 Configuring Port Settings for 802.1X 3-86 Displaying 802.1X Statistics 3-89...
  • Page 12 Contents Switch Power Status 3-136 Setting a Switch Power Budget 3-137 Displaying Port Power Status 3-137 Configuring Port PoE Power 3-138 Address Table Settings 3-140 Setting Static Addresses 3-140 Displaying the Address Table 3-141 Changing the Aging Time 3-142 Spanning Tree Algorithm Configuration 3-143 Configuring Port and Trunk Loopback Detection 3-145...
  • Page 13 Contents Displaying Detailed Device Statistics 3-198 Class of Service Configuration 3-199 Layer 2 Queue Settings 3-199 Setting the Default Priority for Interfaces 3-199 Mapping CoS Values to Egress Queues 3-201 Enabling CoS 3-202 Selecting the Queue Mode 3-203 Setting the Service Weight for Traffic Classes 3-203 Layer 3/4 Priority Settings 3-204...
  • Page 14 Contents IP Source Guard 3-246 IP Source Guard Port Configuration 3-246 Static IP Source Guard Binding Configuration 3-247 Dynamic IP Source Guard Binding Information 3-249 Switch Clustering 3-250 Cluster Configuration 3-250 Cluster Member Configuration 3-251 Cluster Member Information 3-252 Cluster Candidate Information 3-253 UPnP 3-254...
  • Page 15 Contents show line 4-18 General Commands 4-19 enable 4-20 disable 4-20 configure 4-21 show history 4-21 reload 4-22 reload cancel 4-23 show reload 4-23 4-24 exit 4-24 quit 4-25 System Management Commands 4-25 Device Designation Commands 4-26 prompt 4-26 hostname 4-26 Banner 4-27...
  • Page 16 Contents ip ssh timeout 4-48 ip ssh authentication-retries 4-48 ip ssh server-key size 4-49 delete public-key 4-49 ip ssh crypto host-key generate 4-50 ip ssh crypto zeroize 4-50 ip ssh save host-key 4-51 show ip ssh 4-51 show ssh 4-52 show public-key 4-53 Event Logging Commands...
  • Page 17 Contents show startup-config 4-77 show running-config 4-79 show system 4-81 show users 4-81 show version 4-82 Frame Size Commands 4-83 jumbo frame 4-83 Flash/File Commands 4-84 copy 4-84 delete 4-87 4-88 whichboot 4-89 boot system 4-89 Authentication Commands 4-90 Authentication Sequence 4-90 authentication login 4-91...
  • Page 18 Contents Port Security Commands 4-110 port security 4-110 802.1X Port Authentication 4-112 dot1x system-auth-control 4-112 dot1x default 4-113 dot1x max-req 4-113 dot1x port-control 4-113 dot1x operation-mode 4-114 dot1x re-authenticate 4-115 dot1x re-authentication 4-115 dot1x timeout quiet-period 4-115 dot1x timeout re-authperiod 4-116 dot1x timeout tx-period 4-116...
  • Page 19 Contents Access Control List Commands 4-139 IP ACLs 4-140 access-list ip 4-140 permit, deny (Standard ACL) 4-141 permit, deny (Extended ACL) 4-142 show ip access-list 4-143 ip access-group 4-144 show ip access-group 4-144 MAC ACLs 4-145 access-list mac 4-145 permit, deny (MAC ACL) 4-146 show mac access-list 4-147...
  • Page 20 Contents show interfaces switchport 4-175 Mirror Port Commands 4-177 port monitor 4-177 show port monitor 4-178 Rate Limit Commands 4-179 rate-limit 4-179 Link Aggregation Commands 4-180 channel-group 4-181 lacp 4-181 lacp system-priority 4-183 lacp admin-key (Ethernet Interface) 4-183 lacp admin-key (Port Channel) 4-184 lacp port-priority 4-185...
  • Page 21 Contents spanning-tree port-priority 4-210 spanning-tree edge-port 4-211 spanning-tree portfast 4-212 spanning-tree link-type 4-212 spanning-tree loopback-detection 4-213 spanning-tree loopback-detection release-mode 4-214 spanning-tree loopback-detection trap 4-214 spanning-tree mst cost 4-215 spanning-tree mst port-priority 4-216 spanning-tree protocol-migration 4-217 show spanning-tree 4-217 show spanning-tree mst configuration 4-219 VLAN Commands 4-219...
  • Page 22 Contents show vlan private-vlan 4-242 Configuring Protocol-based VLANs 4-243 protocol-vlan protocol-group (Configuring Groups) 4-244 protocol-vlan protocol-group (Configuring VLANs) 4-244 show protocol-vlan protocol-group 4-245 show protocol-vlan protocol-group-vid 4-246 LLDP Commands 4-246 lldp 4-248 lldp holdtime-multiplier 4-248 lldp medFastStartCount 4-249 lldp notification-interval 4-249 lldp refresh-interval 4-250...
  • Page 23 Contents show queue mode 4-272 show queue bandwidth 4-272 show queue cos-map 4-272 Priority Commands (Layer 3 and 4) 4-273 map ip dscp (Global Configuration) 4-273 map ip dscp (Interface Configuration) 4-274 show map ip dscp 4-275 Quality of Service Commands 4-276 class-map 4-277...
  • Page 24 Contents IGMP Filtering and Throttling Commands 4-301 ip igmp filter (Global Configuration) 4-302 ip igmp profile 4-302 permit, deny 4-303 range 4-303 ip igmp filter (Interface Configuration) 4-304 ip igmp max-groups 4-305 ip igmp max-groups action 4-305 show ip igmp filter 4-306 show ip igmp profile 4-307...
  • Page 25 Contents show cluster candidates 4-332 UPnP Commands 4-333 upnp device 4-333 upnp device ttl 4-334 upnp device advertise duration 4-334 show upnp 4-335 Appendix A: Software Specifications Software Features Management Features Standards Management Information Bases Appendix B: Troubleshooting Problems Accessing the Management Interface Using System Logs Glossary Index...
  • Page 27 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-29 Table 3-5 Supported Notification Messages 3-47 Table 3-6 HTTPS System Support 3-71 Table 3-7 802.1X Statistics 3-89 Table 3-8 LACP Port Counters 3-122 Table 3-9...
  • Page 28 Tables Table 4-28 File Directory Information 4-88 Table 4-29 Authentication Commands 4-90 Table 4-30 Authentication Sequence 4-90 Table 4-31 RADIUS Client Commands 4-93 Table 4-32 TACACS Commands 4-97 Table 4-34 Port Security Commands 4-110 Table 4-35 802.1X Port Authentication 4-112 Table 4-36 Network Access 4-121...
  • Page 29 Tables Table 4-77 Multicast Filtering Commands 4-291 Table 4-78 IGMP Snooping Commands 4-291 Table 4-79 IGMP Query Commands (Layer 2) 4-296 Table 4-80 Static Multicast Routing Commands 4-299 Table 4-81 IGMP Filtering and Throttling Commands 4-301 Table 4-82 Multicast VLAN Registration Commands 4-308 Table 4-83 show mvr - display description...
  • Page 31 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-12 Figure 3-4 Switch Information 3-14 Figure 3-5 Bridge Extension Configuration 3-15 Figure 3-6 Manual IP Configuration 3-17 Figure 3-7 DHCP IP Configuration 3-18 Figure 3-8 Jumbo Frames Configuration 3-19 Figure 3-9 Copy Firmware...
  • Page 32 Figures Figure 3-43 AAA Authorization Settings 3-69 Figure 3-44 AAA Authorization Exec Settings 3-70 Figure 3-45 AAA Authorization Summary 3-71 Figure 3-46 HTTPS Settings 3-72 Figure 3-47 HTTPS Settings 3-73 Figure 3-48 SSH Server Settings 3-77 Figure 3-49 SSH Host-Key Settings 3-78 Figure 3-50 SSH User Public-Key Settings...
  • Page 33 Figures Figure 3-88 Configuring a Dynamic Address Table 3-141 Figure 3-89 Setting the Address Aging Time 3-142 Figure 3-90 Configuring Port Loopback Detection 3-145 Figure 3-91 Displaying Spanning Tree Information 3-147 Figure 3-92 Configuring Spanning Tree 3-151 Figure 3-93 Displaying Spanning Tree Port Information 3-154 Figure 3-94 Configuring Spanning Tree per Port...
  • Page 34 Figures Figure 3-133 Telephony OUI List 3-219 Figure 3-134 IGMP Configuration 3-223 Figure 3-135 IGMP Immediate Leave 3-224 Figure 3-136 Displaying Multicast Router Port Information 3-225 Figure 3-137 Static Multicast Router Port Configuration 3-226 Figure 3-138 IP Multicast Registration Table 3-227 Figure 3-139 IGMP Member Port Table 3-228...
  • Page 35: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 36: Description Of Software Features

    Introduction Table 1-1 Key Features

        Feature                 Description
        Traffic Prioritization  Default port priority, traffic class map, queue scheduling, or Differentiated Services Code Point (DSCP), and TCP/UDP Port
        Quality of Service      Supports Differentiated Services (DiffServ)
        Multicast Filtering     Supports IGMP snooping and query, as well as Multicast VLAN Registration
        Switch Clustering       Supports up to 36 Member switches in a cluster

    Description of Software Features...
  • Page 37 Description of Software Features possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.
  • Page 38 Introduction network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection. Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard.
  • Page 39 Description of Software Features Quality of Service – Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists.
  • Page 40: System Defaults

    Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-21). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
  • Page 41 System Defaults Table 1-2 System Defaults (Continued)

        Function                    Parameter             Default
        Port Configuration          Admin Status          Enabled
                                    Auto-negotiation      Enabled
                                    Flow Control          Disabled
        Rate Limiting               Input limits          Disabled
        Port Trunking               Static Trunks         None
                                    LACP (all ports)      Disabled
        Broadcast Storm Protection  Status                Enabled (all ports)
                                    Broadcast Limit Rate  64 kbits per second...
  • Page 42 Introduction Table 1-2 System Defaults (Continued)

        Function           Parameter                 Default
        System Log         Status                    Enabled
                           Messages Logged           Levels 0-6 (all)
                           Messages Logged to Flash  Levels 0-3
        SMTP Email Alerts  Event Handler             Enabled (but no server defined)
        SNTP               Clock Synchronization     Disabled
                           Clock Synchronization     Disabled
        DHCP Snooping      Status...
  • Page 43: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 44: Required Connections

    Initial Configuration
    • Configure up to 8 static or LACP trunks
    • Enable port mirroring
    • Set broadcast storm control on any port
    • Display system information and statistics

    Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 45: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 46: Setting Passwords

    Initial Configuration Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
  • Page 47: Dynamic Configuration

    Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
    • IP address for the switch
    • Default gateway for the network
    • Network mask for this network

    To assign an IP address to the switch, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
  • Page 48: Enabling Snmp Management Access

    Initial Configuration Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.

        Console(config)#interface vlan 1
        Console(config-if)#ip address dhcp
        Console(config-if)#end...
  • Page 49: Trap Receivers

    Basic Configuration The default strings are:
    • public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
    • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

    To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 50: Configuring Access For Snmp Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 51: Managing System Files

    Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: •...
  • Page 53: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).
  • Page 54: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
  • Page 55: Configuration Options

    Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 56: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 57 Main Menu Table 3-2 Main Menu (Continued)

        Menu              Description                                     Page
        Remote Engine ID  Sets the SNMP v3 engine ID for a remote device  3-44
        Users             Configures SNMP v3 users on this switch         3-44
        Remote Users      Configures SNMP v3 users from a remote device   3-46
        Groups            Configures SNMP v3 groups...
  • Page 58 Configuring the Switch Table 3-2 Main Menu (Continued)

        Menu                Description                                                          Page
        802.1X                                                                                   3-83
        Information         Displays global configuration settings for 802.1X Port authentication  3-86
        Configuration       Configures the global configuration settings                         3-86
        Port Configuration  Sets parameters for individual ports                                 3-86
        Statistics          Displays protocol statistics for the selected port                   3-89
        Web Authentication                                                                       3-90...
  • Page 59 Main Menu Table 3-2 Main Menu (Continued)

        Menu                        Description                                                  Page
        Port Internal Information   Displays settings and operational state for the local side   3-124
        Port Neighbors Information  Displays settings and operational state for the remote side  3-126
        Port Broadcast Control      Sets the broadcast storm threshold for each port             3-127
        Trunk Broadcast Control     Sets the broadcast storm threshold for each trunk...
  • Page 60 Configuring the Switch Table 3-2 Main Menu (Continued)

        Menu                 Description                                             Page
        Port Information     Displays port settings for a specified MST instance     3-160
        Trunk Information    Displays trunk settings for a specified MST instance    3-160
        Port Configuration   Configures port settings for a specified MST instance   3-162
        Trunk Configuration  Configures trunk settings for a specified MST instance...
  • Page 61 Main Menu Table 3-2 Main Menu (Continued)

        Menu                     Description                                        Page
        LLDP                                                                        3-189
        Configuration            Configures global LLDP timing parameters           3-189
        Port Configuration       Configures parameters for individual ports         3-191
        Trunk Configuration      Configures parameters for trunks                   3-191
        Local Information        Displays LLDP information about the local device   3-194
        Remote Port Information  Displays LLDP information about a remote device connected to...
  • Page 62 Configuring the Switch Table 3-2 Main Menu (Continued)

        Menu                       Description                                                             Page
        IGMP Snooping                                                                                      3-220
        IGMP Configuration         Enables multicast filtering; configures parameters for multicast query  3-221
        IGMP Filter Configuration  Configures IGMP filtering                                               3-194
        IGMP Immediate Leave       Enables the immediate leave function                                    3-223
        Multicast Router           Displays the ports that are attached to a neighboring multicast...
  • Page 63 Main Menu Table 3-2 Main Menu (Continued)

        Menu                  Description                                                       Page
        IP Source Guard                                                                         3-246
        Port Configuration    Enables IP source guard and selects filter type per port          3-246
        Static Configuration  Adds a static address to the source-guard binding table           3-247
        Dynamic Information   Displays the source-guard binding table for a selected interface  3-249
        Cluster...
  • Page 64: Basic Configuration

    Configuring the Switch Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes
    • System Name – Name assigned to the switch system.
    • Object ID – MIB II object ID for switch’s network management subsystem.
  • Page 65: Displaying Switch Hardware/Software Versions

    Basic Configuration CLI – Specify the hostname, location and contact information.

        Console(config)#hostname R&D 5              4-26
        Console(config)#snmp-server location WC 9   4-153
        Console(config)#snmp-server contact Ted     4-152
        Console(config)#exit
        Console#show system                         4-81
        System description : 24 10/100 ports and 4 gigabit ports with PoE
        System OID string  : 1.3.6.1.4.1.202.20.65
        System information...
  • Page 66: Figure 3-4 Switch Information

    Configuring the Switch Web – Click System, Switch Information. Figure 3-4 Switch Information

    CLI – Use the following command to display version information.

        Console#show version    4-82
        Unit 1
         Serial number:
         Hardware version:
         EPLD Version:           0.02
         Number of ports:
         Main power status:
         Redundant power status: Not present
        Agent (master)
  • Page 67: Displaying Bridge Extension Capabilities

    Basic Configuration Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 68: Setting The Switch's Ip Address

    Configuring the Switch CLI – Enter the following command.

        Console#show bridge-ext    4-221
         Max support VLAN numbers:
         Max support VLAN ID:                    4092
         Extended multicast filtering services:  No
         Static entry individual port:
         VLAN learning:
         Configurable PVID tagging:
         Local VLAN capable:
         Traffic classes:                        Enabled
         Global GVRP status:                     Disabled...
  • Page 69: Manual Configuration

    Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 70: Using Dhcp/Bootp

    Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 71: Enabling Jumbo Frames

    Basic Configuration Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
  • Page 72: Downloading System Software From A Server

    Configuring the Switch
    • File Type – Specify opcode (operational code) to copy firmware.
    • File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
  • Page 73: Saving Or Restoring Configuration Settings

    Basic Configuration To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-10 Deleting Files CLI –
  • Page 74: Downloading Configuration Settings From A Server

    Configuring the Switch
      - tftp to running-config – Copies a file from a TFTP server to the running config.
      - tftp to startup-config – Copies a file from a TFTP server to the startup config.
    • TFTP Server IP Address – The IP address of a TFTP server.
  • Page 75: Console Port Settings

    Basic Configuration Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page. Figure 3-12 Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
  • Page 76: Figure 3-13 Console Port Settings

    Configuring the Switch system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded.
  • Page 77: Telnet Settings

    Basic Configuration CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.

        Console(config)#line console               4-11
        Console(config-line)#login local           4-11
        Console(config-line)#password 0 secret     4-12...
  • Page 78: Figure 3-14 Enabling Telnet

    Configuring the Switch • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
  • Page 79 Basic Configuration CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.

        Console(config)#line vty                   4-11
        Console(config-line)#login local           4-11
        Console(config-line)#password 0 secret     4-12...
  • Page 80: Configuring Event Logging

    Configuring the Switch Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages.
  • Page 81: Table 3-3 Logging Levels

    Basic Configuration The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RAM. Command Attributes •...
  • Page 82: Remote Log Configuration

    Configuring the Switch CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.

        Console(config)#logging on               4-54
        Console(config)#logging history ram 0    4-55
        Console(config)#end
        Console#show logging flash...
  • Page 83: Figure 3-17 Remote Logs

    Basic Configuration Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-17 Remote Logs CLI –...
  • Page 84: Simple Mail Transfer Protocol

    Configuring the Switch Simple Mail Transfer Protocol SMTP (Simple Mail Transfer Protocol) is used to send email messages between servers. The messages can be retrieved using POP or IMAP clients. Command Attributes • Admin Status – Enables/disables the SMTP function. (Default: Enabled) •...
  • Page 85: Figure 3-18 Enabling And Configuring Smtp

    Basic Configuration Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type the new IP address in the Server IP Address box, and then click Add. To delete an IP address, click the entry in the Server IP List, and then click Remove. Figure 3-18 Enabling and Configuring SMTP CLI –...
  • Page 86: Resetting The System

    Configuring the Switch Resetting the System This feature restarts the system. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Command Attributes • Hours – Specifies the amount of hours to wait, combined with the minutes, before the switch resets.
  • Page 87: Setting The System Clock

    Basic Configuration Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 88: Configuring Ntp

    Configuring the Switch Figure 3-20 SNTP Configuration

    CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.

        Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2    4-65
        Console(config)#sntp poll 60                                        4-66
        Console(config)#sntp client                                         4-64
        Console(config)#exit
        Console#show sntp...
  • Page 89: Figure 3-21 Ntp Client Configuration

    Basic Configuration Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and click Apply. Figure 3-21 NTP Client Configuration

    CLI – This example configures the switch to operate as an NTP client and then displays the current settings.

        Console(config)#ntp authentication-key 19 md5 thisiskey19    4-70
        Console(config)#ntp authentication-key 30 md5 ntpkey30...
  • Page 90: Setting The Time Zone

    Configuring the Switch Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 91: Simple Network Management Protocol

    Simple Network Management Protocol SNMP is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 92: Setting Community Access Strings

    Table 3-4 SNMPv3 Security Models and Levels
    Model | Level        | Group        | Read View    | Write View   | Notify View  | Security
          | noAuthNoPriv | public       | defaultview  | none         | none         | Community string only (read only)
          | noAuthNoPriv | private      | defaultview  | defaultview  | none         | Community string only (read/write)
          | noAuthNoPriv | user defined | user defined | user defined | user defined | Community string only
          | noAuthNoPriv | public       | defaultview  | none ...
  • Page 93: Specifying Trap Managers And Trap Types

    Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-23 Configuring SNMP Community Strings
    CLI – The following example adds the string “spiderman” with read/write access.
    Console(config)#snmp-server community spiderman rw 4-152
    Console(config)#...
  • Page 94: Enabling Snmp Agent Status

    Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
  • Page 95: Configuring Snmpv3 Management Access

    Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps:
    1. If you want to change the default engine ID, it must be changed first, before configuring other parameters.
    2. Specify read and write access views for the switch MIB tree.
    3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
  • Page 96: Specifying A Remote Engine Id

    Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 97: Figure 3-28 Configuring Snmpv3 Users

    • Authentication Password – A minimum of eight plain text characters is required. • Privacy – The encryption algorithm used for data privacy; only 56-bit DES is currently available. • Actions – Enables the user to be assigned to another SNMPv3 group. Web –...
  • Page 98: Configuring Remote Snmpv3 Users

    Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 99: Configuring Snmpv3 Groups

    Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 100
    Table 3-5 Supported Notification Messages (Continued)
    Object Label | Object ID           | Description
    linkDown     | 1.3.6.1.6.3.1.1.5.3 | A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 101: Figure 3-30 Configuring Snmpv3 Groups

    Table 3-5 Supported Notification Messages (Continued)
    Object Label                      | Object ID                          | Description
    pethMainPowerUsageOnNotification  | 1.3.6.1.4.1.202.20.65.173.2.1.0.45 | This notification indicates that the PSE Threshold usage indication is on; the power usage is above the threshold.
    pethMainPowerUsageOffNotification | 1.3.6.1.4.1.202.20.65.173.2.1.0.46 | This notification indicates that the PSE Threshold usage indication is off;...
  • Page 102: Setting Snmpv3 Views

    Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
  • Page 103: Figure 3-31 Configuring Snmpv3 Views

    Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
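    Added example (not SMC code): how the views and groups described on the preceding pages combine to answer an SNMP request, using the RFC 3415 (VACM) semantics that the switch's SNMPv3 settings expose. The Python below encodes the `public` and `private` community groups from Table 3-4, the predefined `defaultview`, and a constructed `netops` group whose read view hides the USM and VACM configuration tables and whose write view contains only ifAdminStatus. The `netops` group, the `ops-read` and `ops-write` views and the OIDs chosen for them are assumptions made for the example; subtree masks are omitted. The precedence rule is the VACM one: the included or excluded entry with the longest matching subtree decides whether an OID is visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]
    included: bool            # True = included subtree, False = excluded subtree


def oid_in_view(view: List[ViewEntry], oid: Tuple[int, ...]) -> bool:
    """An OID is visible only if the most specific matching entry is 'included'
    (RFC 3415 vacmViewTreeFamily rule; masks are not modelled here)."""
    best: Optional[ViewEntry] = None
    for entry in view:
        n = len(entry.subtree)
        if oid[:n] == entry.subtree and (best is None or n > len(best.subtree)):
            best = entry
    return best is not None and best.included


@dataclass(frozen=True)
class Group:
    min_level: str                 # lowest security level the group accepts
    read_view: Optional[str]
    write_view: Optional[str]
    notify_view: Optional[str]


VIEWS: Dict[str, List[ViewEntry]] = {
    # The switch's predefined view: the entire MIB tree.
    "defaultview": [ViewEntry(parse_oid("1"), True)],
    # Constructed: the internet subtree minus the USM and VACM tables, so an
    # operator cannot read (or enumerate) the SNMP security configuration.
    "ops-read": [
        ViewEntry(parse_oid("1.3.6.1"), True),
        ViewEntry(parse_oid("1.3.6.1.6.3.15"), False),   # usmMIB (users, key change)
        ViewEntry(parse_oid("1.3.6.1.6.3.16"), False),   # vacmMIB (groups, views)
    ],
    # Constructed: write access limited to ifAdminStatus (1.3.6.1.2.1.2.2.1.7).
    "ops-write": [ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.7"), True)],
}

GROUPS: Dict[str, Group] = {
    # From Table 3-4: community-string groups, no authentication at all.
    "public": Group("noAuthNoPriv", "defaultview", None, None),
    "private": Group("noAuthNoPriv", "defaultview", "defaultview", None),
    # Constructed SNMPv3 group that requires authentication and encryption.
    "netops": Group("authPriv", "ops-read", "ops-write", "ops-read"),
}


def access_allowed(group_name: str, request_level: str, op: str, oid_text: str) -> bool:
    """Decide a read/write/notify request the way VACM does: level first, then view."""
    group = GROUPS[group_name]
    if LEVELS[request_level] < LEVELS[group.min_level]:
        return False                      # request arrived at too weak a security level
    view_name = {"read": group.read_view, "write": group.write_view,
                 "notify": group.notify_view}[op]
    if view_name is None:
        return False                      # group has no view of that kind
    return oid_in_view(VIEWS[view_name], parse_oid(oid_text))
```

    The two checks are independent: a `private` community string reaches `defaultview` for writes with no authentication at all, which is why the default community groups should be removed or renamed once SNMPv3 groups like `netops` are in place, and why an excluded subtree in the read view is the only thing stopping a read-only user from walking the USM user table.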
  • Page 104: User Authentication

    User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: •...
  • Page 105: Figure 3-32 Access Levels

    User Authentication Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 106: Configuring Local/Remote Logon Authentication

    Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 107
    Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
  • Page 108: Figure 3-33 Authentication Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Settings 3-56...
  • Page 109
    CLI – Specify all the required parameters to enable logon authentication.
    Console(config)#authentication login radius 4-91
    Console(config)#radius-server auth-port 181 4-95
    Console(config)#radius-server key green 4-95
    Console(config)#radius-server retransmit 5 4-96
    Console(config)#radius-server timeout 10 4-96
    Console(config)#radius-server 1 host 192.168.1.25 4-94
    Console(config)#end
    Console#show radius-server 4-96
    Global Settings:
    Communication Key with RADIUS Server:...
  • Page 110: Configuring Encryption Keys

    Configuring Encryption Keys The Encryption Key feature provides a central location for the management of all RADIUS and TACACS+ server encryption keys. Command Attributes • RADIUS Settings - Global – Provides globally applicable RADIUS encryption key settings. - ServerIndex –...
  • Page 111
    CLI – This example sets a global encryption key for RADIUS and TACACS servers.
    Console(config)#radius-server key green 4-95
    Console(config)#end
    Console#show radius-server 4-96
    Remote RADIUS Server Configuration:
    Global settings:
    Communication Key with RADIUS Server: *****
    Auth-Port:
    Acct-port: 1813
    Retransmit times:
    Request timeout:
    Server 1:
    Server IP address: 192.168.1.25...
  • Page 112: Aaa Authorization And Accounting

    AAA Authorization and Accounting Authentication, authorization, and accounting (AAA) provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network. •...
  • Page 113: Configuring Aaa Radius Group Settings

    AAA Authorization and Accounting Configuring AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the RADIUS server group. (1-255 characters) •...
  • Page 114: Configuring Aaa Accounting

    Web – Click Security, AAA, TACACS+ Group Settings. Enter the TACACS+ group name, followed by the number of the server, then click Add. Figure 3-36 AAA TACACS+ Group Settings CLI – Specify the group name for a list of TACACS+ servers, and then specify the index number of a TACACS+ server to add it to the group.
  • Page 115: Figure 3-37 Aaa Accounting Settings

    Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add. Figure 3-37 AAA Accounting Settings
    CLI – Specify the accounting method required, followed by the chosen parameters.
    Console(config)#aaa accounting dot1x tps start-stop group radius 4-102
    Console(config)#...
  • Page 116: Aaa Accounting Update

    AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled) Web –...
  • Page 117: Aaa Accounting 802.1X Port Settings

    AAA Accounting 802.1X Port Settings This feature applies the specified accounting method to an interface. Command Attributes • Port/Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-61).
  • Page 118: Aaa Accounting Exec Command Privileges

    AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels. Command Attributes • Commands Privilege Level - The CLI privilege levels (0-15). • Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
  • Page 119: Aaa Accounting Exec Settings

    AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 120: Figure 3-42 Aaa Accounting Summary

    Web – Click Security, AAA, Summary. Figure 3-42 AAA Accounting Summary
    CLI – Use the following command to display the currently applied accounting methods, and registered users.
    Console#show accounting 4-109
    Accounting Type : dot1x
    Method List : default
    Group List : radius
    Interface...
  • Page 121: Authorization Settings

    Console#show accounting statistics
    Total entries: 3
    Accounting type : dot1x
    Username : testpc
    Interface : eth 1/1
    Time elapsed since connected: 00:24:44
    Accounting type : exec
    Username : admin
    Interface : vty 0
    Time elapsed since connected: 00:25:09
    Console#
    Authorization Settings AAA authorization is a feature that verifies a user has access to specific services.
  • Page 122: Authorization Exec Settings

    Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 123: Configuring Https

    Web – Click Security, AAA, Authorization, Summary. Figure 3-45 AAA Authorization Summary Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
  • Page 124: Replacing The Default Secure-Site Certificate

    Command Attributes HTTPS Settings • HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) • Change HTTPS Port Number – Specifies the TCP port number used for HTTPS connections to the switch’s web interface. (Default: Port 443) Copy HTTPS Certificate For more information on this function, see “Replacing the Default Secure-site Certificate”...
  • Page 125: Figure 3-47 Https Settings

    When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one. Command Attributes • TFTP Server IP Address – Specifies the IP address of the TFTP server which contains the certificate file.
  • Page 126: Configuring The Secure Shell

    Configuring the Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 127
    Import Client’s Public Key to the Switch – See “Importing User Public Keys” on page 3-79, or use the copy tftp public-key command (page 4-84) to copy a file containing the public keys for all the SSH clients granted management access to the switch.
  • Page 128: Configuring The Ssh Server

    Authenticating SSH v2 Clients
    a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable.
    b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
  • Page 129: Generating The Host Key Pair

    Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. Figure 3-48 SSH Server Settings CLI –...
  • Page 130: Figure 3-49 Ssh Host-Key Settings

    - DSA (Version 2): The first field indicates that the host-key algorithm used by SSH is based on the Digital Signature Standard (DSS). The last string is the encoded modulus. • Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys).
  • Page 131: Importing User Public Keys

    CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
    Console#ip ssh crypto host-key generate 4-47
    Console#ip ssh save host-key 4-47
    Console#show public-key host 4-47...
  • Page 132: Figure 3-50 Ssh User Public-Key Settings

    • Source File Name – The IP address of the TFTP server where the public key file to be imported is located. (Default: 0.0.0.0) • Copy Public Key – This button initiates the public key TFTP import process. If you are replacing an outdated public key file, it is not necessary to first delete the original key from the switch.
  • Page 133
    CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys.
    Console#copy tftp public-key 4-84
    TFTP server IP address: 192.168.1.254
    Choose public key type:
    1. RSA:
    2....
  • Page 134: Configuring Port Security

    Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 135: Configuring 802.1X Port Authentication

    Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-51 Configuring Port Security CLI –...
  • Page 136
    This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange 802.1X authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access...
    Figure (802.1X exchange between client, switch and RADIUS server): 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3.
  • Page 137: Displaying 802.1X Global Settings

    Displaying 802.1X Global Settings The 802.1X protocol provides client authentication. Command Attributes • 802.1X System Authentication Control – The global setting for 802.1X. Web – Click Security, 802.1X, Information. Figure 3-52 802.1X Global Information
    CLI – This example shows the default global setting for 802.1X.
    Console#show dot1x 4-117
    Global 802.1X Parameters...
  • Page 138: Configuring 802.1X Global Settings

    Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes • 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 139: Figure 3-54 802.1X Port Configuration

    • Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) • Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
  • Page 140
    CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-117.
    Console(config)#interface ethernet 1/2 4-166
    Console(config-if)#dot1x port-control auto 4-113
    Console(config-if)#dot1x re-authentication 4-115
    Console(config-if)#dot1x max-req 5 4-113...
  • Page 141: Displaying 802.1X Statistics

    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port.
    Table 3-7 802.1X Statistics
    Parameter       | Description
    Rx EAPOL Start  | The number of EAPOL Start frames that have been received by this Authenticator.
    Rx EAPOL Logoff | The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 142: Web Authentication

    Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-55 Displaying 802.1X Port Statistics
    CLI – This example displays the 802.1X statistics for port 4.
    Console#show dot1x statistics interface ethernet 1/4 4-117
    Eth 1/4...
  • Page 143: Configuring Web Authentication

    Notes: 1. MAC authentication, web authentication, 802.1X, and port security cannot be configured together on the same port. Only one security mechanism can be applied. 2. RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication”...
  • Page 144: Configuring Web Authentication For Ports

    CLI – This example globally enables the system authentication control, configures the session timeout, quiet period and login attempts, and displays the configured global parameters.
    Console(config)#mac-authentication reauth-time 3000 4-128
    Console(config)#web-auth system-auth-control 4-135
    Console(config)#web-auth session-timeout 1800 4-134
    Console(config)#web-auth quiet-period 20 4-134
    Console(config)#web-auth login-attempts 2 4-132...
  • Page 145: Displaying Web Authentication Port Information

    CLI – This example enables web authentication for ethernet port 1/5 and displays a summary of web authentication parameters.
    Console(config)#interface ethernet 1/5 4-166
    Console(config-if)#web-auth 4-135
    Console(config-if)#end
    Console#show web-auth summary 4-138
    Global Web-Auth Parameters
    System Auth Control : Enabled
    Port Status...
  • Page 146: Re-Authenticating Web Authenticated Ports

    Web – Click Security, Web Authentication, Port Information. Figure 3-58 Web Authentication Port Information
    CLI – This example displays web authentication parameters for port 1/5.
    Console#show web-auth interface ethernet 1/5 4-136
    Web Auth Status : Enabled
    Host Summary
    IP address      Web-Auth-State Remaining-Session-Time
    --------------- -------------- ----------------------...
  • Page 147: Network Access - Mac Address Authentication

    CLI – This example forces the re-authentication of all hosts connected to port 1/5.
    Console#web-auth re-authenticate interface ethernet 1/5 4-137
    Failed to reauth .
    Console#
    Network Access • MAC Address Authentication – Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 148: Configuring The Mac Authentication Reauthentication Time

    Configuring the MAC Authentication Reauthentication Time MAC address authentication is configured on a per-port basis, however there are two configurable parameters that apply globally to all ports on the switch. Command Attributes • Authenticated Age – The secure MAC address table aging time. This parameter setting is the same as switch MAC address table aging time and is only configurable from the Address Table, Aging Time web page (see page 3-142).
  • Page 149: Configuring Mac Authentication For Ports

    Configuring MAC Authentication for Ports Configures MAC authentication on switch ports, including setting the maximum MAC count, applying a MAC address filter, and enabling dynamic VLAN assignment. Command Attributes • Mode – Enables MAC authentication on a port. (Default: None) •...
  • Page 150: Configuring Port Link Detection

    CLI – This example configures MAC authentication for port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access mode mac-authentication 4-122
    Console(config-if)#network-access max-mac-count 10 4-123
    Console(config-if)#mac-authentication max-mac-count 24 4-123
    Console(config-if)#network-access dynamic-vlan 4-125
    Console(config-if)#network-access dynamic-qos 4-124
    Console(config-if)#network-access guest-vlan 4-125
    Console(config-if)#network-access link-detection 4-126
    Console(config-if)#network-access link-detection link-up action trap 4-127
    Console(config-if)#end
    Console#show network-access interface ethernet 1/1...
  • Page 151: Displaying Secure Mac Address Information

    Web – Click Security, Network Access, Port Link Detection Configuration. Modify the Status, Condition and Action. Click Apply. Figure 3-62 Network Access Port Link Detection Configuration CLI – This example configures Port Link Detection to send an SNMP trap for all link events on port 1.
  • Page 152: Figure 3-63 Network Access Mac Address Information

    • Attribute – Indicates a static or dynamic address. • Remove – Click the Remove button to remove selected MAC addresses from the secure MAC address table. Web – Click Security, Network Access, MAC Address Information. Restrict the displayed addresses by port, MAC Address, or attribute, then select the method of sorting the displayed addresses.
  • Page 153: Mac Authentication

    MAC Authentication Each port’s MAC authentication settings are configured independently. Configuring MAC authentication parameters for ports Use the MAC Authentication Port Configuration page to designate MAC authentication maximum MAC counts and the intrusion action for each port. Command Attributes •...
  • Page 154: Access Control Lists

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 155: Configuring A Standard Ip Acl

    Access Control Lists MAC address and the Ethernet frame type (RFC 1060). Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list.
  • Page 156: Configuring An Extended Ip Acl

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. Figure 3-66 Configuring Standard IP ACLs CLI –...
  • Page 157
    • Source/Destination Port Bitmask – Decimal number representing the port bits to match. (Range: 0-65535) • Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) •...
  • Page 158: Figure 3-67 Configuring Extended Ip Acls

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 159: Configuring A Mac Acl

    Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 160: Figure 3-68 Configuring Mac Acls

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
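    Added example, not from the manual: an evaluator for the three ACL types described on the preceding pages (standard IP, extended IP and MAC), written in Python so the matching rules can be exercised against constructed packets. It assumes the usual semantics for this class of switch, which the manual does not spell out: rules are evaluated in configured order, the first match decides, a packet that matches no rule is dropped, and a mask or bitmask compares only the bits set to 1. The sample lists, packets and addresses are constructed. The TCP control code is matched against a bitmask the same way the address and port fields are, which is how a "deny SYN without ACK" rule blocks new inbound sessions while letting return traffic through.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed semantics (not stated by the manual): rules are tried in configured
# order, the first match decides, no match means deny, and a mask/bitmask
# compares only the bits set to 1 (0 bits are wildcards).

def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def mac_to_int(addr: str) -> int:
    return int(addr.replace("-", "").replace(":", ""), 16)

@dataclass(frozen=True)
class Match:
    value: int
    mask: int  # 1 bits are compared, 0 bits are ignored

    def hits(self, x: int) -> bool:
        return (x & self.mask) == (self.value & self.mask)

def subnet(addr: str, mask: str) -> Match:          # "IP" address type
    return Match(ip_to_int(addr), ip_to_int(mask))

def mac(addr: str, bitmask: str = "FF-FF-FF-FF-FF-FF") -> Match:  # "Host"/"MAC" types
    return Match(mac_to_int(addr), mac_to_int(bitmask))

# TCP control code bits: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 (range 0-63)
SYN, ACK = 2, 16

@dataclass
class IpRule:  # a standard IP ACL uses only src; an extended one uses the rest
    permit: bool
    src: Optional[Match] = None
    dst: Optional[Match] = None
    protocol: Optional[int] = None     # IP protocol number: 6 = TCP, 17 = UDP
    sport: Optional[Match] = None      # port value + port bitmask
    dport: Optional[Match] = None
    tcp_flags: Optional[Match] = None  # control code + bitmask, TCP only

@dataclass
class MacRule:
    permit: bool
    src: Optional[Match] = None
    dst: Optional[Match] = None
    ethertype: Optional[int] = None

@dataclass
class Packet:  # constructed frame summary, not a real capture
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: int = 0

def _field(m: Optional[Match], value: Optional[int]) -> bool:
    return True if m is None else (value is not None and m.hits(value))

def ip_rule_matches(r: IpRule, p: Packet) -> bool:
    if p.src_ip is None or p.dst_ip is None:
        return False  # IP ACLs only see IP frames
    if r.protocol is not None and r.protocol != p.protocol:
        return False
    flags = p.tcp_flags if p.protocol == 6 else None   # flags exist only for TCP
    return (_field(r.src, ip_to_int(p.src_ip)) and _field(r.dst, ip_to_int(p.dst_ip))
            and _field(r.sport, p.sport) and _field(r.dport, p.dport)
            and _field(r.tcp_flags, flags))

def mac_rule_matches(r: MacRule, p: Packet) -> bool:
    if r.ethertype is not None and r.ethertype != p.ethertype:
        return False
    return _field(r.src, mac_to_int(p.src_mac)) and _field(r.dst, mac_to_int(p.dst_mac))

def evaluate(rules: List, matcher: Callable, p: Packet, default: bool = False) -> bool:
    """First matching rule wins; `default` is the implicit action (assumed deny)."""
    for r in rules:
        if matcher(r, p):
            return r.permit
    return default

# Constructed ingress ACL for a user-facing port: no new TCP sessions into the
# management subnet 10.1.0.0/24; anything else from the user subnet is allowed.
USER_PORT_ACL: List[IpRule] = [
    IpRule(permit=False, dst=subnet("10.1.0.0", "255.255.255.0"), protocol=6,
           tcp_flags=Match(SYN, SYN | ACK)),   # code 2, bitmask 18: SYN set, ACK clear
    IpRule(permit=True, src=subnet("10.2.0.0", "255.255.255.0")),
]

# Constructed MAC ACL: only frames from the 00-12-CF OUI may enter the port.
OUI_ACL: List[MacRule] = [
    MacRule(permit=True, src=mac("00-12-CF-00-00-00", "FF-FF-FF-00-00-00")),
]

def ip_allowed(p: Packet) -> bool:
    return evaluate(USER_PORT_ACL, ip_rule_matches, p)

def mac_allowed(p: Packet) -> bool:
    return evaluate(OUI_ACL, mac_rule_matches, p)
```

    Two behaviours worth noticing: a non-IP frame (ARP, for instance) never matches an IP rule, so under an implicit deny it is dropped unless the port is bound to a MAC ACL that permits it; and the order of the two IP rules matters, since swapping them would let the user-subnet permit shadow the SYN deny.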
  • Page 161: Binding A Port To An Access Control List

    Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port. Command Usage •...
  • Page 162: Filtering Ip Addresses For Management Access

    CLI – This example assigns the IP access list “david” to port 1 and to port 3.
    Console(config)#interface ethernet 1/1 4-166
    Console(config-if)#ip access-group david in 4-144
    Console(config-if)#exit
    Console(config)#interface ethernet 1/3
    Console(config-if)#ip access-group david in
    Console(config-if)#
    Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed...
  • Page 163: Figure 3-70 Creating An Ip Filter List

    Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-70 Creating an IP Filter List CLI –...
  • Page 164: Port Configuration

    Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
  • Page 165 Port Configuration Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-16.) Configuration: •...
  • Page 166: Configuring Interface Connections

    CLI – This example shows the connection status for Port 5.
    Console#show interfaces status ethernet 1/5 4-173
    Information of Eth 1/5
    Basic information:
    Port type: 100TX
    Mac address: 00-12-CF-12-34-61
    Configuration:
    Name:
    Port admin:
    Speed-duplex: Auto
    Capabilities: 10half, 10full, 100half, 100full
    Broadcast storm: Enabled
    Broadcast storm limit:...
  • Page 167: Figure 3-72 Port/Trunk Configuration

    • Media Type – Media type used for the combo ports. (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) • Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups” on page 3-116. Notes: 1.
  • Page 168: Creating Trunk Groups

    Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 169: Statically Configuring A Trunk

    Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 170: Enabling Lacp On Selected Ports

    CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
    Console(config)#interface port-channel 2 4-166
    Console(config-if)#exit
    Console(config)#interface ethernet 1/1 4-166
    Console(config-if)#channel-group 2 4-181
    Console(config-if)#exit...
  • Page 171: Figure 3-74 LACP Trunk Configuration

    Port Configuration Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
  • Page 172: Configuring LACP Parameters

    Configuring the Switch CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#lacp 4-181 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1...
  • Page 173: Figure 3-75 LACP Port Configuration

    Port Configuration - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
  • Page 174: Displaying LACP Port Counters

    Configuring the Switch CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#lacp actor system-priority 3 4-183 Console(config-if)#lacp actor admin-key 120 4-183 Console(config-if)#lacp actor port-priority 128 4-185 Console(config-if)#exit Console(config)#interface ethernet 1/4...
  • Page 175: Figure 3-76 LACP - Port Counters Information

    Port Configuration Table 3-8 LACP Port Counters (Continued) • Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 176: Displaying LACP Settings And Status For The Local Side

    Configuring the Switch Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information • Oper Key – Current operational value of the key for the aggregation port. • Admin Key – Current administrative value of the key for the aggregation port.
  • Page 177: Figure 3-77 LACP - Port Internal Information

    Port Configuration Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-77 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-186 Port channel : 1...
  • Page 178: Displaying LACP Settings And Status For The Remote Side

    Configuring the Switch Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10 LACP Neighbor Configuration Information • Partner Admin System ID – LAG partner’s system ID assigned by the user.
  • Page 179: Setting Broadcast Storm Thresholds

    Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-186 Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 3, 00-12-CF-CE-2A-20...
  • Page 180: Figure 3-79 Port Broadcast Control

    Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-79 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
  • Page 181: Configuring Port Mirroring

    Port Configuration Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 182: Configuring Rate Limits

    Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 183: Showing Port Statistics

    Port Configuration Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
  • Page 184 Configuring the Switch Table 3-11 Port Statistics (Continued) • Transmit Discarded Packets – The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 185 Port Configuration Table 3-11 Port Statistics (Continued) • Received Frames – The total number of frames (bad, broadcast and multicast) received. • Broadcast Frames – The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. • Multicast Frames – The total number of good frames received that were directed to this multicast address.
  • Page 186: Figure 3-82 Port Statistics

    Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-82 Port Statistics 3-134...
  • Page 187: Power Over Ethernet Settings

    Power Over Ethernet Settings CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 4-174 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 188: Switch Power Status

    Configuring the Switch dropped to some low-priority ports and later the power demands on the switch fall back within its budget, the dropped power is automatically restored. Switch Power Status Displays the Power over Ethernet parameters for the switch. Command Attributes •...
  • Page 189: Setting A Switch Power Budget

    Power Over Ethernet Settings Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
  • Page 190: Configuring Port PoE Power

    Configuring the Switch Web – Click PoE, Power Port Status. Figure 3-85 Displaying Port PoE Status CLI – This example displays the PoE status and priority of port 1. Console#show power inline status 4-194 Interface Admin Oper Power(mWatt) Power(used) Priority ---------- ------- ---- ------------ ------------ -------- 1/ 1 enable...
  • Page 191: Figure 3-86 Configuring Port PoE Power

    Power Over Ethernet Settings Command Attributes • Port – The port number on the switch. • Admin Status – Enables PoE power on the port. Power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the switch or port power budget.
  • Page 192: Address Table Settings

    Configuring the Switch Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 193: Displaying The Address Table

    Address Table Settings CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset. Console(config)#mac-address-table static 00-12-cf-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset 4-196 Console(config)# Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 194: Changing The Aging Time

    Configuring the Switch CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 4-197 Interface Mac Address Vlan Type --------- ----------------- ---- ----------------- Eth 1/ 1 00-12-CF-48-82-93 1 Delete-on-reset Eth 1/ 1 00-12-CF-94-34-DE 2 Learned Console# Changing the Aging Time...
  • Page 195: Spanning Tree Algorithm Configuration

    Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 196 Configuring the Switch MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
  • Page 197: Configuring Port And Trunk Loopback Detection

    Spanning Tree Algorithm Configuration Configuring Port and Trunk Loopback Detection When Port Loopback Detection is enabled and a port receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap and places the port in discarding mode. This loopback state can be released manually or automatically. If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: •...
  • Page 198: Displaying Global Settings

    Configuring the Switch CLI – This command enables loopback detection for port 1/5, configures automatic release-mode and enables SNMP trap notification for detected loopback BPDUs. 4-166 Console(config)#interface ethernet 1/5 4-213 Console(config-if)#spanning-tree loopback-detection Console(config-if)#spanning-tree loopback-detection release-mode auto 4-214 Console(config-if)#spanning-tree loopback-detection trap Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
  • Page 199: Figure 3-91 Displaying Spanning Tree Information

    Spanning Tree Algorithm Configuration These additional parameters are only displayed for the CLI: • Spanning tree mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.1w) - MSTP: Multiple Spanning Tree (IEEE 802.1s) •...
  • Page 200: Configuring Global Settings

    Configuring the Switch CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-217 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: RSTP Spanning tree enabled/disabled: enabled Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.):...
  • Page 201 Spanning Tree Algorithm Configuration - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances. - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
  • Page 202 Configuring the Switch • Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 203: Figure 3-92 Configuring Spanning Tree

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-92 Configuring Spanning Tree CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-200 Console(config)#spanning-tree mode rstp...
  • Page 204: Displaying Interface Settings

    Configuring the Switch Displaying Interface Settings The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Field Attributes • Spanning Tree – Shows if STA has been enabled on this interface. •...
  • Page 205 Spanning Tree Algorithm Configuration Port roles: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port. An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. A backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
  • Page 206: Figure 3-93 Displaying Spanning Tree Port Information

    Configuring the Switch the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to reconfigure when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
  • Page 207: Configuring Interface Settings

    Spanning Tree Algorithm Configuration Configuring Interface Settings You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to indicate the preferred path, link type to indicate a point-to-point connection or shared-media connection, and edge port to indicate if the attached device can support fast forwarding.
  • Page 208: Figure 3-94 Configuring Spanning Tree Per Port

    Configuring the Switch • Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 209: Configuring Multiple Spanning Trees

    Spanning Tree Algorithm Configuration Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 210: Figure 3-95 Configuring Multiple Spanning Trees

    Configuring the Switch Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
  • Page 211 Spanning Tree Algorithm Configuration CLI – This example sets STA attributes for port 1, followed by settings for each port. Console#show spanning-tree mst 2 Spanning-tree information --------------------------------------------------------------- Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :2 Vlans configuration :2 Priority :4096 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20...
  • Page 212: Displaying Interface Settings For MSTP

    Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes • MST Instance ID – Instance identifier to configure. (Default: 0) Note: The other attributes are described under “Displaying Interface Settings”...
  • Page 213 Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-231 4-217 Spanning-tree information...
  • Page 214: Configuring Interface Settings For MSTP

    Configuring the Switch Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
  • Page 215: VLAN Configuration

    VLAN Configuration Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-97 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50...
  • Page 216: Assigning Ports To VLANs

    Configuring the Switch This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
  • Page 217 VLAN Configuration Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
  • Page 218: Enabling Or Disabling GVRP (Global Setting)

    Configuring the Switch Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 219: Displaying Basic VLAN Information

    VLAN Configuration Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. •...
  • Page 220: Displaying Current VLANs

    Configuring the Switch Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
  • Page 221: Creating VLANs

    VLAN Configuration • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI –...
  • Page 222: Adding Static Members To VLANs (VLAN Index)

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-101 Configuring a VLAN Static List CLI –...
  • Page 223 VLAN Configuration Command Attributes • VLAN – ID of configured VLAN (1-4093). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. •...
  • Page 224: Adding Static Members To VLANs (Port Index)

    Configuring the Switch Figure 3-102 Configuring a VLAN Static Table CLI – The following example adds tagged and untagged ports to VLAN 2. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#switchport allowed vlan add 2 tagged 4-230 Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#switchport allowed vlan add 2 untagged Console(config-if)#exit Console(config)#interface ethernet 1/13 Console(config-if)#switchport allowed vlan add 2 tagged...
  • Page 225: Configuring VLAN Behavior For Interfaces

    VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 226: Figure 3-104 Configuring VLANs Per Port

    Configuring the Switch or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
  • Page 227: Configuring IEEE 802.1Q Tunneling

    VLAN Configuration Configuring IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. This is accomplished by inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network.
  • Page 228 Configuring the Switch [Figure: QinQ Tunneling – Customer A (VLANs 1-10) at both ends, connected through Service Provider VLAN 10 via edge switch A and edge switch B; tunnel access ports on the customer side, tunnel uplink ports carrying VLAN 20 double-tagged packets across the provider network]
  • Page 229 VLAN Configuration Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: • Untagged • One tag (CVLAN or SPVLAN) • Double tag (CVLAN + SPVLAN) The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
  • Page 230: Enabling QinQ Tunneling On The Switch

    Configuring the Switch • Static trunk port groups are compatible with QinQ tunnel ports as long as the QinQ configuration is consistent within a trunk port group. • The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration.
  • Page 231: Figure 3-105 802.1Q Tunnel Status And Ethernet Type

    VLAN Configuration incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port.
  • Page 232: Adding An Interface To A QinQ Tunnel

    Configuring the Switch Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the access port on the edge switch to 802.1Q Tunnel mode. Command Usage Use the 802.1Q Tunnel Status screen to set the switch to QinQ mode before configuring a tunnel port (see “Enabling QinQ Tunneling on the Switch”...
  • Page 233: Private VLANs

    VLAN Configuration CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode. 4-166 Console(config)#interface ethernet 1/1 4-234 Console(config-if)#switchport dot1q-tunnel mode access 4-235 Console(config-if)#switchport dot1q-tunnel tpid 9100 Console(config-if)#interface ethernet 1/2...
  • Page 234: Displaying Current Private VLANs

    Configuring the Switch Use the Private VLAN Port Configuration menu (page 3-185) to set the port type to promiscuous (i.e., having access to all ports in the primary VLAN), or host (i.e., having access restricted to community VLAN members, and channeling all other traffic through promiscuous ports).
  • Page 235: Configuring Private VLANs

    VLAN Configuration CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 236: Associating VLANs

    Configuring the Switch Associating VLANs Each community VLAN must be associated with a primary VLAN. Command Attributes • Primary VLAN ID – ID of primary VLAN (2-4092). • Association – Community VLANs associated with the selected primary VLAN. • Non-Association – Community VLANs not associated with the selected VLAN. Web –...
  • Page 237: Configuring Private VLAN Interfaces

    VLAN Configuration • Primary VLAN – Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the associated secondary VLANs. • Community VLAN – A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports. •...
  • Page 238: Figure 3-111 Private VLAN Port Configuration

    Configuring the Switch designated promiscuous port in the isolated VLAN; it cannot communicate with any other host ports. - Promiscuous – A promiscuous port can communicate with all interfaces within a private VLAN. • Primary VLAN – Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the associated secondary VLANs.
  • Page 239: Protocol VLANs

    VLAN Configuration CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 240: Protocol VLAN System Configuration

    Configuring the Switch Web – Click VLAN, Protocol VLAN, Configuration. Figure 3-112 Protocol VLAN Configuration CLI – This example shows the switch configured with Protocol Group 2 which matches RFC 1042 IP traffic. Console(config)#protocol-vlan protocol group 2 add frame-type rfc-1042 protocol-type ip 4-244 Console(config)# Protocol VLAN System Configuration...
  • Page 241: Link Layer Discovery Protocol

    Link Layer Discovery Protocol CLI – This example shows the switch configured with Protocol Group 2 mapped to VLAN 2. Console(config)#protocol-vlan protocol-group 2 vlan 2 4-244 Console(config)# Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
  • Page 242 Configuring the Switch • Delay Interval – Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. (Range: 1-8192 seconds; Default: 2 seconds) The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
  • Page 243: Configuring LLDP Interface Attributes

    Link Layer Discovery Protocol Web – Click LLDP, Configuration. Enable LLDP, modify any of the timing parameters as required, and click Apply. Figure 3-114 LLDP Configuration CLI – This example sets several attributes which control basic LLDP message timing. Console(config)#lldp 4-248 Console(config)#lldp refresh-interval 60 4-250...
  • Page 244 Configuring the Switch This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA-1057), or vendor-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
  • Page 245: Figure 3-115 LLDP Port Configuration

    Link Layer Discovery Protocol • MED TLV Type – Configures the information included in the MED TLV field of advertised messages. - Port Capabilities – This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.
  • Page 246: Displaying LLDP Local Device Information

    Configuring the Switch CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#lldp admin-status tx-rx 4-252 Console(config-if)#lldp notification 4-252...
  • Page 247: Displaying LLDP Remote Port Information

    Link Layer Discovery Protocol CLI – This example displays LLDP information for the local switch. Console#show lldp info local-device 4-265 LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : 24 10/100 ports and 4 gigabit ports with PoE switch System Capabilities Support : Bridge System Capabilities Enable : Bridge...
  • Page 248: Displaying LLDP Remote Information Details

    Configuring the Switch CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP. Console#show lldp info remote-device 4-266 LLDP Remote Devices Information Interface | ChassisId PortId SysName --------- + ----------------- ----------------- --------------------- Eth 1/1 | 00-01-02-03-04-05 00-01-02-03-04-06 Console#...
  • Page 249: Displaying Device Statistics

    Link Layer Discovery Protocol CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch. Console#show lldp info remote-device detail ethernet 1/1 4-266 LLDP Remote Devices Information Detail --------------------------------------------------------------- Local PortName : Eth 1/1 Chassis Type : MAC Address...
  • Page 250: Figure 3-119 LLDP Device Statistics

    CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch. switch#show lldp info statistics 4-267 LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count Neighbor Entries Deleted Count Neighbor Entries Dropped Count Neighbor Entries Ageout Count...
  • Page 251: Class Of Service Configuration

    CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch. switch#show lldp info statistics detail ethernet 1/1 4-267 LLDP Port Statistics Detail PortName : Eth 1/1 Frames Discarded Frames Invalid Frames Received...
  • Page 252: Figure 3-121 Port Priority Configuration

    Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port.
  • Page 253: Mapping CoS Values To Egress Queues

    Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 254: Enabling CoS

    Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-122 Traffic Classes CLI – The following example shows how to change the CoS assignments. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#queue cos-map 0 0...
  • Page 255: Selecting The Queue Mode

    Web – Click Priority, Traffic Classes Status. Figure 3-123 Enable Traffic Classes Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 256: Layer 3/4 Priority Settings

    Values to Egress Queues” on page 3-201, the traffic classes are mapped to one of the eight egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue will be polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
  • Page 257: Enabling IP DSCP Priority

    a Class of Service value by the switch, and the traffic is then sent to the corresponding output queue. Because different priority information may be contained in the traffic, this switch maps priority values to the output queues in the following manner: •...
  • Page 258: Mapping DSCP Priority

    Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
  • Page 259: Quality Of Service

    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp 4-273 Console(config)#interface ethernet 1/1 4-166 Console(config-if)#map ip dscp 1 cos 0 4-274...
  • Page 260: Configuring Quality Of Service Parameters

    You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 3-213). Configuring Quality of Service Parameters To create a service policy for a specific category of ingress traffic, follow these steps: 1.
  • Page 261 Quality of Service • Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page. •...
  • Page 262: Figure 3-128 Configuring Class Maps

    Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-128 Configuring Class Maps CLI - This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
  • Page 263: Creating QoS Policies

    Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-208. - Open the Policy Map page, and click Add Policy.
  • Page 264 Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-208).
  • Page 265: Figure 3-129 Configuring Policy Maps

    Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-129 Configuring Policy Maps...
  • Page 266: Attaching A Policy Map To Ingress Queues

    CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0. 4-200 Console(config)#policy-map rd_policy#3 4-200 Console(config-pmap)#class rd_class#3...
  • Page 267: VoIP Traffic Configuration

    VoIP Traffic Configuration When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality.
  • Page 268: Configuring VoIP Traffic Port

    Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply. Figure 3-131 Configuring VoIP Traffic CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
  • Page 269: Figure 3-132 VoIP Traffic Port Configuration

    address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
  • Page 270 CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status. Console(config)#interface ethernet 1/2 4-287 Console(config-if)#switchport voice vlan auto 4-288 Console(config-if)#switchport voice vlan security 4-288 Console(config-if)#switchport voice vlan rule oui 4-289 Console(config-if)#switchport voice vlan priority 5 Console(config-if)#exit...
  • Page 271: Configuring Telephony OUI

    Configuring Telephony OUI VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 272: Multicast Filtering

    Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
  • Page 273: Configuring IGMP Snooping And Query Parameters

    these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources. IGMPv3 hosts may also request that service be forwarded from all sources except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.
  • Page 274 the multicast filtering table is already full, the switch will continue flooding the traffic into the VLAN. • IGMP Querier – A router, or multicast-enabled switch, can periodically ask their hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier”...
  • Page 275: Enabling IGMP Immediate Leave

    Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-134 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
  • Page 276: Figure 3-135 IGMP Immediate Leave

    is determined by the IGMP Query Report Delay (see “Configuring IGMP Snooping and Query Parameters” on page 3-221). • If immediate leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
  • Page 277: Displaying Interfaces Attached To A Multicast Router

    Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 278: Specifying Static Interfaces For A Multicast Router

    Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 279: Displaying Port Members Of Multicast Services

    Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attributes • VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4093) • Multicast IP Address – The IP address for a specific multicast service. •...
  • Page 280: Assigning Ports To Multicast Services

    Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
  • Page 281: IGMP Filtering And Throttling

    CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1. Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12 4-292 Console(config)#exit Console#show mac-address-table multicast vlan 1 4-295 VLAN M'cast IP addr.
  • Page 282: Configuring IGMP Filter Profiles

    Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile group by entering a number in the text box and clicking Add. Enable the IGMP filter status, then click Apply. Figure 3-140 Enabling IGMP Filtering and Throttling CLI –...
  • Page 283: Figure 3-141 IGMP Profile Configuration

    • New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering the same IP address for the start and end of the range. Click the Add button to add a range to the current list. •...
  • Page 284: Configuring IGMP Filtering And Throttling For Interfaces

    Configuring IGMP Filtering and Throttling for Interfaces Once you have configured IGMP profiles, you can assign them to interfaces on the switch. You can also set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time. Command Usage •...
  • Page 285: Figure 3-142 IGMP Filter And Throttling Port Configuration

    Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-142 IGMP Filter and Throttling Port Configuration CLI –...
  • Page 286: Multicast Vlan Registration

    Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
  • Page 287: Configuring Global MVR Settings

    For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see “Assigning Static Multicast Groups to Interfaces” on page 3-239).
  • Page 288: Displaying MVR Interface Status

    CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses. Console(config)#ip igmp snooping 4-292 Console(config)#mvr 4-308 Console(config)#mvr group 228.1.23.1 10 4-308 Console(config)# Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes •...
  • Page 289: Displaying Port Members Of Multicast Groups

    Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. •...
  • Page 290: Configuring MVR Interface Status

    Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
  • Page 291: Assigning Static Multicast Groups To Interfaces

    Web – Click MVR, Port or Trunk Configuration. Figure 3-146 MVR Port Configuration CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port. Console(config)#interface ethernet 1/1 Console(config-if)#mvr type source 4-309 Console(config-if)#exit...
  • Page 292: DHCP Snooping

    Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups. Select a multicast address from the displayed lists, and click the Add or Remove button to modify the Member list.
  • Page 293: DHCP Snooping Configuration

    • If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows: • If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
  • Page 294: DHCP Snooping VLAN Configuration

    Web – Click DHCP Snooping, Configuration. Figure 3-148 DHCP Snooping Configuration CLI – This example first enables DHCP Snooping, and then enables DHCP Snooping MAC-Address Verification. Console(config)#ip dhcp snooping 4-322 Console(config)#ip dhcp snooping verify mac-address 4-325 Console(config)# DHCP Snooping VLAN Configuration Enables DHCP snooping on the specified VLAN.
  • Page 295: DHCP Snooping Information Option Configuration

    DHCP Snooping Information Option Configuration DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 296: DHCP Snooping Port Configuration

    CLI – This example enables DHCP Snooping Information Option, and sets the policy to replace. Console(config)#ip dhcp snooping information option 4-326 Console(config)#ip dhcp snooping information policy replace 4-327 Console(config)# DHCP Snooping Port Configuration Configures switch ports as trusted or untrusted. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
  • Page 297: DHCP Snooping Binding Information

    DHCP Snooping Binding Information Displays the DHCP snooping binding information. Command Attributes • No. – Entry number for DHCP snooping binding information. • Unit – Stack unit. • Port – Port number. • VLAN ID – ID of a configured VLAN (Range: 1-4093) •...
  • Page 298: IP Source Guard

    IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-240).
  • Page 299: Static IP Source Guard Binding Configuration

    CLI – This example shows how to enable IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip 4-318 Console(config-if)#end Console#show ip source-guard 4-321 Interface Filter-type --------- ----------- Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3 DISABLED Eth 1/4 DISABLED...
  • Page 300: Figure 3-154 Static IP Source Guard Binding Configuration

    Web – Click IP Source Guard, Static Configuration. Figure 3-154 Static IP Source Guard Binding Configuration CLI – This example shows how to configure a static source-guard binding on port 5. Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 4-320 Console(config)#...
  • Page 301: Dynamic IP Source Guard Binding Information

    Dynamic IP Source Guard Binding Information Displays the source-guard binding table for a selected interface. Command Attributes • Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address) •...
  • Page 302: Switch Clustering

    Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 303: Cluster Member Configuration

    IP pool when the switch is currently in Commander mode. Commander mode must first be disabled. (Default: 10.254.254.1) • Number of Members – The current number of Member switches in the cluster. • Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members.
  • Page 304: Cluster Member Information

    Web – Click Cluster, Member Configuration. Figure 3-158 Cluster Member Configuration CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-331 Console(config)# Cluster Member Information...
  • Page 305: Cluster Candidate Information

    CLI – This example shows information about cluster Member switches. Vty-0#show cluster members 4-332 Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: 24/48 L2/L4 IPV4/IPV6 GE Switch Vty-0# Cluster Candidate Information Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
  • Page 306: UPnP

    UPnP Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
  • Page 307: Figure 3-161 UPnP Configuration

    Web – Click UPNP, Configuration and enter the desired variables. Figure 3-161 UPnP Configuration CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration.
  • Page 309: Chapter 4: Command Line Interface

    Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 310: Telnet Connection

    Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 311: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 312: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 313: Partial Keyword Lookup

    voice Shows the voice VLAN information web-auth Shows web authentication configuration Console#show The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Interface counters information status Interface status information switchport Interface switchport information Console#show interfaces Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 314: Exec Commands

    current mode. The command classes and associated modes are displayed in the following table: Table 4-1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map Server Group VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode.
  • Page 315: Configuration Commands

    Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. The configuration commands are organized into different modes: •...
  • Page 316: Command Line Processing

    For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode: Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 317: Command Groups

    Command Groups The system commands can be broken down into the functional groups shown below. Table 4-4 Command Groups Command Group Description Page Line Sets communication parameters for the serial port and Telnet, 4-10 including baud rate and console time-out General Basic commands for entering privileged access mode, restarting the 4-19...
  • Page 318: Line Commands

    Table 4-4 Command Groups (Continued) Command Group Description Page IP Cluster Configures switch clustering 4-328 UPnP Configures UPnP settings 4-328 The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) MST (Multiple Spanning Tree) CM (Class Map Configuration) NE (Normal Exec)
  • Page 319: Line

    line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 320: Password

    Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  • Page 321: Timeout Login Response

    number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server.
  • Page 322: Exec-Timeout

    exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds;...
  • Page 323: Silent-Time

    Command Mode Line Configuration Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
  • Page 324: Databits

    databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. •...
  • Page 325: Speed

    Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
  • Page 326: Disconnect

    Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection.
  • Page 327: General Commands

    Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec console# General Commands...
  • Page 328: Enable

    enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-5. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 329: Configure

    Example Console#disable Console> Related Commands enable (4-20) configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration.
  • Page 330: Reload

    Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer...
  • Page 331: Reload Cancel

    Command Usage This command resets the entire system. The switch will wait the designated amount of time before resetting. If a delayed reset was already scheduled, then the newly configured reset will overwrite the original delay configuration. The configured delay time cannot exceed 24 days (576 hours, or 34560 minutes).
  • Page 332: End

    Example This example shows how to display the remaining time until a configured delayed reset of the switch will take place: Console#show reload The switch will be rebooted at Nov 23 22:52:14 2007. Remaining Time : 0 days, 4 hours, 31 minutes, 46 seconds. Console# This command returns to Privileged Exec mode.
  • Page 333: Quit

    quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program. Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification...
  • Page 334: Device Designation Commands

    Device Designation Commands Table 4-8 Device Designation Commands Command Function Mode Page prompt Customizes the prompt used in PE and NE mode 4-26 hostname Specifies the host name for the switch 4-26 snmp-server contact Sets the system contact string 4-152 snmp-server location Sets the system location string...
  • Page 335: Banner

    Example Console(config)#hostname RD#1 Console(config)# Banner These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as network administrator and manager contact information.
  • Page 336: Banner Configure

    banner configure This command allows the administrator to interactively specify administrative information for this device. Syntax banner configure Default Setting None Command Mode Global Configuration Command Usage The administrator can batch-input all details for the switch with one command. When the administrator finishes typing the company name and presses the enter key, the script prompts for the next piece of information, and so on, until all information has been entered.
  • Page 337: Banner Configure Company

    Manager3 name: Night-shift Net Admin / Janitor phone number: 123-555-1214 The physical location of the equipment. City and street address: 12 Straight St. Motown, Zimbabwe Information about this equipment: Manufacturer: SMC Networks ID: 123_unique_id_number Floor: 2 Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply.
  • Page 338: Banner Configure Dc-Power-Info

    Command Usage The user-entered data cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity. Example Console(config)#banner configure company Acme_Corporation Console(config)#...
  • Page 339: Banner Configure Department

    banner configure department This command allows the administrator to configure the department information displayed in the banner. Use the no form to remove the department information from the banner display. Syntax banner configure department dept-name no banner configure department dept-name - The name of the department.
  • Page 340: Banner Configure Equipment-Location

    Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
  • Page 341: Banner Configure Ip-Lan

    banner configure ip-lan This command allows the administrator to configure the device IP address and subnet mask information displayed in the banner. Use the no form to remove the IP and subnet information from the banner display. Syntax banner configure ip-lan ip-mask no banner configure ip-lan...
  • Page 342: Banner Configure Manager-Info

    Command Usage The user-entered data cannot contain spaces. The banner configure lp-number command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity. Example Console(config)#banner configure lp-number 12 Console(config)#...
  • Page 343: Banner Configure Mux

    banner configure mux This command allows the administrator to configure the mux information displayed in the banner. Use the no form to remove the mux information from the banner display. Syntax banner configure mux muxinfo no banner configure mux muxinfo - The circuit and PVC to which the switch is connected.
  • Page 344: Show Banner

    Command Usage The user-entered data cannot contain spaces. The banner configure note command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity. Example Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmware-upgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected...
  • Page 345: User Access Commands

    User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-10), user authentication via a remote authentication server (page 4-90), and host access authentication for specific ports (page 4-112).
  • Page 346: Enable Password

    Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how to set the access level and password for a user.
  • Page 347: Ip Filter Commands

    Related Commands enable (4-20) authentication enable (4-92) IP Filter Commands Table 4-12 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-39 show management Displays the switch to be monitored or configured from a browser 4-40 management...
  • Page 348: Show Management

    • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management...
  • Page 349: Web Server Commands

    Web Server Commands Table 4-13 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface 4-41 ip http server Allows the switch to be monitored or configured from a browser GC 4-41 ip http secure-server Enables HTTPS for encrypted communications...
  • Page 350: Ip Http Secure-Server

    Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-41) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server Default Setting...
  • Page 351: Ip Http Secure-Port

    Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-43) copy tftp https-certificate (4-84) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port...
  • Page 352: Telnet Server Commands

    Telnet Server Commands Table 4-15 Telnet Server Commands Command Function Mode Page ip telnet port Specifies the port to be used by the Telnet interface 4-41 ip telnet server Allows the switch to be monitored or configured from Telnet 4-41 ip telnet port This command specifies the TCP port number used by the Telnet interface.
  • Page 353: Secure Shell Commands

    Related Commands ip telnet port (4-44) Secure Shell Commands The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 354 The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-91.
  • Page 355: Ip Ssh Server

    corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process: The client sends its public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
  • Page 356: Ip Ssh Timeout

    ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds...
  • Page 357: Ip Ssh Server-Key Size

    Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (4-51) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size –...
  • Page 358: Ip Ssh Crypto Host-Key Generate

    Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. •...
  • Page 359: Ip Ssh Save Host-Key

    Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize dsa Console#...
  • Page 360: Table 4-17 Show Ssh - Display Description

    Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username...
  • Page 361: Show Public-Key

    show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 362: Event Logging Commands

    Event Logging Commands Table 4-18 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-54 logging history Limits syslog messages saved to switch memory based on severity 4-55 logging host Adds a syslog server host IP address that will receive logging messages 4-56 logging facility...
  • Page 363: Logging History

    logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 364: Logging Host

    logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 365: Logging Trap

    logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 366: Show Logging

    Related Commands show logging (4-58) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
  • Page 367: Show Log

    The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
  • Page 368: Logging Sendmail Host

    Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [3] 00:00:54 2001-01-01 "STA root change notification."...
  • Page 369: Logging Sendmail Level

    Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
  • Page 370: Logging Sendmail Source-Email

    logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages. (Range: 0-41 characters) Default Setting None...
  • Page 371: Logging Sendmail

    logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
  • Page 372: Time Commands

    Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 373: Sntp Server

    Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001). •...
  • Page 374: Sntp Poll

    Example Console(config)#sntp server 10.1.0.19 Related Commands sntp client (4-64) sntp poll (4-66) show sntp (4-66) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll...
  • Page 375: Ntp Client

    Example Console#show sntp Current time: Dec 23 05:13:28 2002 Poll interval: 16 Current mode: unicast SNTP status : Enabled SNTP server 137.92.140.80 0.0.0.0 0.0.0.0 Current server: 137.92.140.80 Console# ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command.
  • Page 376: Ntp Server

    ntp server This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list. Syntax ntp server ip-address [version number] [key key-number] no ntp server [ip-address]...
  • Page 377: Ntp Poll

    ntp poll This command sets the interval between sending time requests when the switch is set to NTP client mode. Use the no form to restore to the default. Syntax ntp poll seconds no ntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
  • Page 378: Ntp Authentication-Key

    Example Console(config)#ntp authenticate Console(config)# Related Commands ntp authentication-key (4-70) ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
  • Page 379: Show Ntp

    show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
  • Page 380: Clock Timezone

    Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 381: Clock Summer-Time (Date)

    clock summer-time (date) This command allows the user to manually configure the start, end, and offset times of summer-time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer-time. Syntax clock summer-time name date b-month b-day b-year b-hour b-minute e-month e-day e-year e-hour e-minute offset no clock summer-time...
  • Page 382: Clock Summer-Time (Predefined)

    Example Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console(config)# Related Commands show sntp (4-66) clock summer-time (predefined) This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions of the world.
  • Page 383: Clock Summer-Time (Recurring)

    Related Commands show sntp (4-66) clock summer-time (recurring) This command allows the user to manually configure the start, end, and offset times of summer-time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time. Syntax clock summer-time name recurring b-week b-day b-month b-hour b-minute e-week e-day e-month e-hour e-minute offset...
  • Page 384: Calendar Set

    Example Console(config)#clock summer-time MESZ recurring 1 friday june 23 59 3 saturday september 2 55 60 Console(config)# Related Commands show sntp (4-66) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
  • Page 385: System Status Commands

    System Status Commands Table 4-25 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash memory) that is used to start up the system 4-77 show running-config Displays the configuration data currently in use 4-79 show system Displays system information...
  • Page 386 Example Console#show startup-config building startup-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-16-b6-f0-6f-fd_00</stackingMac> phymap 00-16-b6-f0-6f-fd sntp server 0.0.0.0 0.0.0.0 0.0.0.0 ntp poll 16 no dot1q-tunnel system-tunnel-control power mainpower maximum allocation 180 unit 1 snmp-server community public ro snmp-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0...
  • Page 387: Show Running-Config

    show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 388 Example Console#show running-config building running-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-16-b6-f0-6f-fd_00</stackingMac> phymap 00-16-b6-f0-6f-fd sntp server 0.0.0.0 0.0.0.0 0.0.0.0 ntp poll 16 cluster commander cluster member mac 00-30-fc-12-34-56 id 1 no dot1q-tunnel system-tunnel-control power mainpower maximum allocation 180 unit 1 snmp-server community public ro snmp-server community private rw username admin access-level 15...
  • Page 389: Show System

    show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12. •...
  • Page 390: Show Version

    Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users:...
  • Page 391: Frame Size Commands

    Example Console#show version Unit1 Serial number: S416000937 Service tag: Hardware version: Module A type: 1000BaseT Module B type: 1000BaseT Number of ports: Main power status: Redundant power status :not present Agent (master) Unit ID: Loader version: 2.2.1.4 Boot ROM version: 2.2.1.8 Operation code version:...
  • Page 392: Flash/File Commands

    • Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packets per second. (See the switchport broadcast command on page 4-172.) • The current setting for jumbo frames can be displayed with the show system command (page 4-81).
  • Page 393 Flash/File Commands • https-certificate - Copies an HTTPS certificate from a TFTP server to the switch. • public-key - Keyword that allows you to copy an SSH key from a TFTP server. (“Secure Shell Commands” on page 4-45) • unit - Keyword that allows you to copy to/from a unit. Default Setting None Command Mode...
  • Page 394 Example The following example shows how to upload the configuration settings to a file on the TFTP server: Console#copy file tftp Choose file type: 1. config: 2. opcode: <1-2>: 1 Source file name: startup TFTP server ip address: 10.1.0.99 Destination file name: startup.01 TFTP completed.
  • Page 395: Delete

    This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch: Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1.
  • Page 396: Dir

    This command displays a list of files in flash memory. Syntax dir [unit:] {{boot-rom: | config: | opcode:} [:filename]} The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. •...
  • Page 397: Whichboot

    whichboot This command displays which files were booted when the system powered up. Syntax whichboot [unit] unit - Stack unit. (Range: 1) Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
  • Page 398: Authentication Commands

    Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-88) whichboot (4-89) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
  • Page 399: Authentication Login

    authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server password. •...
  • Page 400: Authentication Enable

    authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-20). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable...
  • Page 401: Radius Client

    RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
  • Page 402: Radius-Server Host

    radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key] •...
  • Page 403: Radius-Server Auth-Port

    Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port for authentication messages. Use the no form to restore the default. Syntax radius-server auth-port port_number no radius-server auth-port port_number - RADIUS server UDP port used for authentication messages.
  • Page 404: Radius-Server Retransmit

    radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) Default Setting Command Mode Global Configuration...
  • Page 405: Tacacs+ Client

    Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Communication Key with RADIUS Server: Auth-Port: 1812 Acct-port: 1813 Retransmit Times: Request Timeout: Radius server group: Group Name Member Index --------------------- ------------- radius Console# TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
  • Page 406: Tacacs-Server Host

    tacacs-server host This command specifies a TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
  • Page 407: Tacacs-Server Key

    Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
  • Page 408: Tacacs-Server Timeout

    tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 409: Aaa Commands

    AAA Commands The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-33 AAA Commands Command Function Mode...
  • Page 410: Server

    Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} •...
  • Page 411: Aaa Accounting Exec

    - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-98. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101. (Range: 1-255 characters) Default Setting Accounting is not enabled...
  • Page 412: Aaa Accounting Commands

    Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage • This command runs accounting for Exec service requests for the local console and Telnet connections. • Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
  • Page 413: Aaa Accounting Update

    Command Usage • The accounting of Exec mode commands is only supported by TACACS+ servers. • Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
  • Page 414: Accounting Dot1X

    accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x • default - Specifies the default method list created with the aaa accounting dot1x command (page 4-102).
  • Page 415: Accounting Commands

    accounting commands
    This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered commands.
    Syntax
    accounting commands level {default | list-name}
    no accounting commands level
    • level - The privilege level for executing commands. (Range: 0-15)
    •...
  • Page 416: Authorization Exec

    Command Mode
    Global Configuration
    Command Usage
    • This command performs authorization to determine if a user is allowed to run an Exec shell.
    • AAA authentication must be enabled before authorization is enabled.
    • If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
  • Page 417: Show Accounting

    show accounting
    This command displays the current accounting settings per function and per port.
    Syntax
    show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics [username user-name | interface]]
    • commands - Displays command accounting information.
    •...
  • Page 418: Port Security Commands

    Port Security Commands
    These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 419
    Command Usage
    • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 420: 802.1X Port Authentication

    802.1X Port Authentication
    The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 421: Dot1X Default

    dot1x default
    This command sets all configurable dot1x global and port settings to their default values.
    Command Mode
    Global Configuration
    Example
    Console(config)#dot1x default
    Console(config)#
    dot1x max-req
    This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 422: Dot1X Operation-Mode

    Default
    force-authorized
    Command Mode
    Interface Configuration
    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x port-control auto
    Console(config-if)#
    dot1x operation-mode
    This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 423: Dot1X Re-Authenticate

    dot1x re-authenticate
    This command forces re-authentication on all ports or a specific interface.
    Syntax
    dot1x re-authenticate [interface]
    interface
    • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-28)
    Command Mode
    Privileged Exec
    Example
    Console#dot1x re-authenticate
    Console#...
  • Page 424: Dot1X Timeout Re-Authperiod

    Command Mode
    Interface Configuration
    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout quiet-period 350
    Console(config-if)#
    dot1x timeout re-authperiod
    This command sets the time period after which a connected client must be re-authenticated.
    Syntax
    dot1x timeout re-authperiod seconds
    no dot1x timeout re-authperiod
    seconds - The number of seconds.
  • Page 425: Dot1X Intrusion-Action

    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout tx-period 300
    Console(config-if)#
    dot1x intrusion-action
    This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
  • Page 426
    Command Usage
    This command displays the following information:
    • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch.
    • 802.1X Port Summary – Displays the port access control parameters for each interface, including the following items:
    - Status –...
  • Page 427
    - Reauth Count – Number of times connecting state is re-entered.
    • Backend State Machine
    - State – Current state (including request, response, success, fail, timeout, idle, initialize).
    - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
  • Page 428
    Example
    Console#show dot1x
    Global 802.1X Parameters
    system-auth-control: enable
    802.1X Port Summary
    Port  Name  Status    Operation Mode  Mode             Authorized
    1/1         disabled  Single-Host     ForceAuthorized
    1/2         enabled   Single-Host     auto
    1/28        disabled  Single-Host     ForceAuthorized
    802.1X Port Details
    802.1X is disabled on port 1/1
    802.1X is enabled on port 1/2
    reauth-enabled: Enable
    reauth-period:...
  • Page 429: Network Access - Mac Address Authentication

    Network Access MAC Address Authentication
    The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 430: Network-Access Mode

    network-access mode
    Use this command to enable network access authentication on a port interface. Use the no form of this command to disable network access authentication.
    Syntax
    [no] network-access mode mac-authentication
    Default Setting
    Disabled
    Command Mode
    Interface Configuration
    Command Usage
    •...
  • Page 431: Network-Access Max-Mac-Count

    network-access max-mac-count
    Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
    Syntax
    network-access max-mac-count count
    no network-access max-mac-count
    count - The maximum number of authenticated MAC addresses allowed.
  • Page 432: Mac-Authentication Max-Mac-Count

    mac-authentication max-mac-count
    Use this command to set the maximum number of MAC addresses that can be authenticated on a port via 802.1X authentication or MAC authentication. Use the no form of this command to restore the default.
    Syntax
    mac-authentication max-mac-count count
    no mac-authentication max-mac-count...
  • Page 433: Network-Access Dynamic-Vlan

    network-access dynamic-vlan
    Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
    Syntax
    [no] network-access dynamic-vlan
    Default Setting
    Enabled
    Command Mode
    Interface Configuration
    Command Usage
    • When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, providing the VLANs have already been created on the switch.
  • Page 434: Network-Access Link-Detection

    Command Usage
    • The VLAN to be used as the guest VLAN must be defined and set as active (“vlan database” on page 4-224).
    • When used with 802.1x authentication, the intrusion-action configuration must be set for ‘guest-vlan’ to be effective (“dot1x intrusion-action” on page 4-117).
  • Page 435: Network-Access Link-Detection Link-Up

    Example
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access link-detection link-down action trap
    Console(config-if)#
    network-access link-detection link-up
    Use this command to configure the link detection feature to detect link up events. When a link up event is detected, the feature can shut down the port, send an SNMP trap, or both.
  • Page 436: Mac-Authentication Reauth-Time

    Example
    Console(config)#interface ethernet 1/1
    Console(config-if)#network-access link-detection link-up-down action trap
    Console(config-if)#
    mac-authentication reauth-time
    Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
  • Page 437: Clear Network-Access

    clear network-access
    Use this command to clear entries from the secure MAC addresses table.
    Syntax
    clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
    • static - Specifies static address entries.
    • dynamic - Specifies dynamic address entries.
    •...
  • Page 438: Show Network-Access Mac-Address-Table

    Example
    Console#show network-access interface ethernet 1/1
    Global secure port information
    Reauthentication Time                 : 1800
    --------------------------------------------------
    --------------------------------------------------
    Port                                  : 1/1
    MAC Authentication                    : Disabled
    MAC Authentication Intrusion action   : Block traffic
    MAC Authentication Maximum MAC Counts : 1024
    Maximum MAC Counts                    : 2048
    Dynamic VLAN Assignment...
  • Page 439: Web Authentication

    Example
    Console#show network-access mac-address-table
    ---- ----------------- --------------- --------- -------------------------
    Port MAC-Address       RADIUS-Server   Attribute Time
    ---- ----------------- --------------- --------- -------------------------
         00-00-01-02-03-04 172.155.120.17  Static    00d06h32m50s
         00-00-01-02-03-05 172.155.120.17  Dynamic   00d06h33m20s
         00-00-01-02-03-06 172.155.120.17  Static    00d06h35m10s
         00-00-01-02-03-07 172.155.120.17  Dynamic   00d06h34m20s
    Console#
    Web Authentication
    Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
  • Page 440: Table 4-37 Web Authentication

    Table 4-37 Web Authentication (Continued)
    Command | Function | Mode | Page
    web-auth | Enables web authentication for an interface | | 4-135
    show web-auth | Displays global web authentication parameters | | 4-136
    show web-auth interface | Displays interface-specific web authentication parameters and statistics | | 4-136
    web-auth re-authenticate (Port) | Ends all web authentication sessions on the port and... | | 4-137
  • Page 441: Web-Auth Login-Page-Url

    Command Mode
    Global Configuration
    Command Usage
    This command is not supported in the current release of the firmware.
    Example
    Console(config)#web-auth login-fail-page-url http://www.example.com/fail/
    Console(config)#
    web-auth login-page-url
    This command defines the external authentication page URL to which a host is directed to complete web authentication.
  • Page 442: Web-Auth Quiet-Period

    Command Mode
    Global Configuration
    Command Usage
    This command is not supported in the current release of the firmware.
    Example
    Console(config)#web-auth login-success-page-url http://www.example.com/success/
    Console(config)#
    web-auth quiet-period
    This command defines the amount of time a host must wait after exceeding the failed login attempts limit, before it may attempt web authentication again.
  • Page 443: Web-Auth System-Auth-Control

    Command Mode
    Global Configuration
    Example
    Console(config)#web-auth session-timeout 1800
    Console(config)#
    web-auth system-auth-control
    This command globally enables web authentication for the switch. Use the no form to restore the default.
    Syntax
    [no] web-auth system-auth-control
    Default Setting
    Disabled
    Command Mode
    Global Configuration
    Command Usage
    Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
  • Page 444: Show Web-Auth

    show web-auth
    This command displays global web authentication parameters.
    Syntax
    show web-auth
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    Console#sh web-auth
    Global Web-Auth Parameters
    System Auth Control    : Enabled
    Login Page URL         :
    Login Fail Page URL    :
    Login Success Page URL :
    Session Timeout        : 3600...
  • Page 445: Web-Auth Re-Authenticate (Port)

    Example
    Console#show web-auth interface eth 1/2
    Web Auth Status : Enabled
    Host Summary
    IP address      Web-Auth-State Remaining-Session-Time
    --------------- -------------- ----------------------
    Console#
    web-auth re-authenticate (Port)
    This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
    Syntax
    web-auth re-authenticate interface interface
    •...
  • Page 446: Show Web-Auth Summary

    Command Mode
    Privileged Exec
    Example
    Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
    Failed to reauth port.
    Console#
    show web-auth summary
    This command displays a summary of web authentication port parameters and statistics.
    Syntax
    show web-auth summary
    Default Setting
    None
    Command Mode
    Privileged Exec...
  • Page 447: Access Control List Commands

    Access Control List Commands
    Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
  • Page 448: Ip Acls

    IP ACLs
    Table 4-39 IP ACLs
    Command | Function | Mode | Page
    access-list ip | Creates an IP ACL and enters configuration mode | | 4-140
    permit, deny | Filters packets matching a specified source IP address | STD-ACL | 4-141
    permit, deny | Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port number,... | EXT-ACL | 4-142
  • Page 449: Permit, Deny (Standard Acl)

    Related Commands
    permit, deny (4-141)
    ip access-group (4-144)
    show ip access-list (4-143)
    permit, deny (Standard ACL)
    This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
    Syntax
    [no] {permit | deny} {any | source bitmask | host source}
    •...
  • Page 450: Permit, Deny (Extended Acl)

    permit, deny (Extended ACL)
    This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, or source or destination protocol ports. Use the no form to remove a rule.
  • Page 451: Show Ip Access-List

    Example
    This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule is matched when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked source address of the packet (for example, 10.7.1.2 & 255.255.255.0), in which case the packet passes through.
    Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
    Console(config-ext-acl)#
    This allows TCP packets from class C addresses 192.168.1.0 to any destination...
  • Page 452: Ip Access-Group

    ip access-group
    This command binds a port to an IP ACL. Use the no form to remove the port.
    Syntax
    [no] ip access-group acl_name in
    • acl_name – Name of the ACL. (Maximum length: 16 characters, no spaces)
    •...
  • Page 453: Mac Acls

    MAC ACLs
    The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
    Table 4-40 MAC ACL Commands
    Command...
  • Page 454: Permit, Deny (Mac Acl)

    permit, deny (MAC ACL)
    This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
    Syntax
    [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 455: Show Mac Access-List

    Default Setting
    None
    Command Mode
    MAC ACL
    Command Usage
    • New rules are added to the end of the list.
    • The ethertype option can only be used to filter Ethernet II formatted packets.
    • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
    - 0800 - IP
    - 0806 - ARP...
  • Page 456: Mac Access-Group

    mac access-group
    This command binds a port to a MAC ACL. Use the no form to remove the port.
    Syntax
    mac access-group acl_name in
    • acl_name – Name of the ACL. (Maximum length: 16 characters)
    • in – Indicates that this list applies to ingress packets.
    Default Setting
    None
    Command Mode...
  • Page 457: Acl Information

    ACL Information
    Table 4-41 ACL Information
    Command | Function | Mode | Page
    show access-list | Show all ACLs and associated rules | | 4-149
    show access-group | Shows the ACLs assigned to each port | | 4-149
    show access-list
    This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 458: Snmp Commands

    SNMP Commands
    Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 459: Show Snmp

    Example
    Console(config)#snmp-server
    Console(config)#
    show snmp
    This command can be used to check the status of SNMP communications.
    Default Setting
    None
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 460: Snmp-Server Community

    snmp-server community
    This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string.
    Syntax
    snmp-server community string [ro|rw]
    no snmp-server community string
    • string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 461: Snmp-Server Location

    Related Commands
    snmp-server location (4-153)
    snmp-server location
    This command sets the system location string. Use the no form to remove the location string.
    Syntax
    snmp-server location text
    no snmp-server location
    text - String that describes the system location. (Maximum length: 255 characters)
    Default Setting
    None...
  • Page 462
    you define this string using the snmp-server community command prior to using the snmp-server host command. (Maximum length: 32 characters)
    • version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
    - auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
  • Page 463: Snmp-Server Enable Traps

    5. Create a group that includes the required notify view (page 4-159).
    To send an inform to an SNMPv3 host, complete these steps:
    1. Enable the SNMP agent (page 4-150).
    2. Allow the switch to send SNMP traps; i.e., notifications (page 4-155).
    3.
  • Page 464: Snmp-Server Engine-Id

    Command Usage
    • If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
  • Page 465: Show Snmp Engine-Id

    passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
    • A remote engine ID is required when using SNMPv3 informs. (See snmp-server host on page 4-153.) The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 466: Snmp-Server View

    Table 4-43 show snmp engine-id - display description
    Field | Description
    Remote SNMP engineID | String identifying an engine ID on a remote device.
    IP address | IP address of the device containing the corresponding remote SNMP engine.
    snmp-server view
    This command adds an SNMP view which controls user access to the MIB.
  • Page 467: Show Snmp View

    show snmp view
    This command shows information on the SNMP views.
    Command Mode
    Privileged Exec
    Example
    Console#show snmp view
    View Name: mib-2
    Subtree OID: 1.2.2.3.6.2.1
    View Type: included
    Storage Type: permanent
    Row Status: active
    View Name: defaultview
    Subtree OID: 1
    View Type: included
    Storage Type: volatile
    Row Status: active...
  • Page 468
    Default Setting
    • Default groups: public (read only), private (read/write)
    • readview - Every object belonging to the Internet OID space (1.3.6.1).
    • writeview - Nothing is defined.
    • notifyview - Nothing is defined.
    Command Mode
    Global Configuration
    Command Usage
    •...
  • Page 469: Show Snmp Group

    show snmp group
    Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
    Command Mode
    Privileged Exec
    Example
    Console#show snmp group
    Group Name: r&d
    Security Model: v3
    Read View: defaultview
    Write View: daily
    Notify View: none
    Storage Type: permanent...
  • Page 470: Snmp-Server User

    Table 4-45 show snmp group - display description
    Field | Description
    groupname | Name of an SNMP group.
    security model | The SNMP version.
    readview | The associated read view.
    writeview | The associated write view.
    notifyview | The associated notify view.
    storage-type | The storage type for this entry.
  • Page 471: Show Snmp User

    Command Usage
    • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
    • Before you configure a remote user, use the snmp-server engine-id command (page 4-156) to specify the engine ID for the remote device where the user resides.
  • Page 472: Table 4-46 Show Snmp User - Display Description

    Table 4-46 show snmp user - display description
    Field | Description
    EngineId | String identifying the engine ID.
    User Name | Name of user connecting to the SNMP agent.
    Authentication Protocol | The authentication protocol used with SNMPv3.
    Privacy Protocol | The privacy protocol used with SNMPv3.
    Storage Type | The storage type for this entry.
  • Page 474: Interface Commands

    Interface Commands
    These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
    Table 4-47 Interface Commands
    Command | Function | Mode | Page
    interface | Configures an interface type and enters interface configuration mode | | 4-166
    description...
  • Page 475: Description

    Example
    To specify port 24, enter the following command:
    Console(config)#interface ethernet 1/24
    Console(config-if)#
    description
    This command adds a description to an interface. Use the no form to remove the description.
    Syntax
    description string
    no description
    string - Comment or a description to help you remember what is attached to this interface.
  • Page 476: Negotiation

    Default Setting
    • Auto-negotiation is enabled by default.
    • When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full.
    Command Mode
    Interface Configuration (Ethernet, Port Channel)
    Command Usage
    • 1000full operation cannot be forced. The Gigabit Combo ports can only operate at 1000full when auto-negotiation is enabled.
  • Page 477: Capabilities

    disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
    • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
    Example
    The following example configures port 11 to use autonegotiation.
    Console(config)#interface ethernet 1/11
    Console(config-if)#negotiation
    Console(config-if)#...
  • Page 478: Flowcontrol

    Command Usage
    When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
    Example
    The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
  • Page 479: Shutdown

    • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
    Example
    The following example enables flow control on port 5.
  • Page 480: Switchport Packet-Rate

    switchport packet-rate
    This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting.
    Syntax
    switchport {broadcast | multicast | unknown-unicast} packet-rate rate
    no switchport {broadcast | multicast | unknown-unicast}
    •...
  • Page 481: Show Interfaces Status

    Default Setting
    None
    Command Mode
    Privileged Exec
    Command Usage
    Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 482: Show Interfaces Counters

    Example
    Console#show interfaces status ethernet 1/5
    Information of Eth 1/5
    Basic information:
      Port type: 100TX
      Mac address: 00-12-CF-12-34-61
    Configuration:
      Name:
      Port admin:
      Speed-duplex: Auto
      Capabilities: 10half, 10full, 100half, 100full,
      Broadcast storm: Enabled
      Broadcast storm limit: 64 Kbits/second
      Flow control: Disabled
      Lacp:...
  • Page 483: Show Interfaces Switchport

    Example
    Console#show interfaces counters ethernet 1/7
    Ethernet 1/7
    Iftable stats:
      Octets input: 30658, Octets output: 196550
      Unicast input: 6, Unicast output: 5
      Discard input: 0, Discard output: 0
      Error input: 0, Error output: 0
      Unknown protos input: 0, QLen output: 0
    Extended iftable stats:
      Multi-cast input: 0, Multi-cast output: 3064
      Broadcast input: 262, Broadcast output: 1...
  • Page 484
    Example
    This example shows the configuration setting for port 24.
    Console#show interfaces switchport ethernet 1/24
    Broadcast threshold: Enabled, 64 Kbits/second
    LACP status: Enabled
    Ingress Rate Limit: Disabled, 100000 Kbits per second
    Egress Rate Limit: Disabled, 100000 Kbits per second
    VLAN membership mode: Hybrid
    Ingress rule:...
  • Page 485: Mirror Port Commands

    Mirror Port Commands
    This section describes how to mirror traffic from a source port to a target port.
    Table 4-49 Mirror Port Commands
    Command | Function | Mode | Page
    port monitor | Configures a mirror session | | 4-177
    show port monitor | Shows the configuration for a mirror port | | 4-178
    port monitor...
  • Page 486: Show Port Monitor

    Example
    The following example configures the switch to mirror received packets from port 6 to 11:
    Console(config)#interface ethernet 1/11
    Console(config-if)#port monitor ethernet 1/6 rx
    Console(config-if)#
    show port monitor
    This command displays mirror information.
    Syntax
    show port monitor [interface]
    interface - ethernet unit/port (source port)
    •...
  • Page 487: Rate Limit Commands

    Rate Limit Commands
    This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 488: Link Aggregation Commands

    Link Aggregation Commands
    Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 489: Channel-Group

    Dynamically Creating a Port Channel –
    Ports assigned to a common port channel must meet the following criteria:
    • Ports must have the same LACP system priority.
    • Ports must have the same port admin key (Ethernet Interface).
    •...
  • Page 490
    Default Setting
    Disabled
    Command Mode
    Interface Configuration (Ethernet)
    Command Usage
    • The ports on both ends of an LACP trunk must be configured for full duplex and auto-negotiation.
    • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
  • Page 491: Lacp System-Priority

    lacp system-priority
    This command configures a port's LACP system priority. Use the no form to restore the default setting.
    Syntax
    lacp {actor | partner} system-priority priority
    no lacp {actor | partner} system-priority
    • actor - The local side of an aggregate link.
    •...
  • Page 492: Lacp Admin-Key (Port Channel)

    Default Setting
    Command Mode
    Interface Configuration (Ethernet)
    Command Usage
    • Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 493: Lacp Port-Priority

    • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
  • Page 494: Show Lacp

    show lacp
    This command displays LACP information.
    Syntax
    show lacp [port-channel] {counters | internal | neighbors | sysid}
    • port-channel - Local identifier for a link aggregation group. (Range: 1-8)
    • counters - Statistics for LACP protocol messages.
    •...
  • Page 495: Table 4-52 Show Lacp Counters - Display Description

    Example
    Console#show lacp 1 counters
    Port channel : 1
    -------------------------------------------------------------------------
    Eth 1/ 1
    -------------------------------------------------------------------------
    LACPDUs Sent         : 21
    LACPDUs Received     : 21
    Marker Sent          : 0
    Marker Received      : 0
    LACPDUs Unknown Pkts : 0
    LACPDUs Illegal Pkts : 0
    Table 4-52 show lacp counters - display description
    Field...
  • Page 496
    Table 4-53 show lacp internal - display description (Continued)
    Field | Description
    LACP Port Priority | LACP port priority assigned to this interface within the channel group.
    Admin State, Oper State | Administrative or operational values of the actor’s state parameters:
    •...
  • Page 497 Link Aggregation Commands Table 4-54 show lacp neighbors - display description Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Current administrative value of the port number for the protocol Partner.
  • Page 498: Power Over Ethernet Commands

    Command Line Interface Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the switch ports. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
  • Page 499: Power Inline Compatible

    Power over Ethernet Commands Example Console(config)#power mainpower maximum allocation 180 Console(config)# Related Commands power inline priority (4-193) power inline compatible This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802.3af PoE standard. Use the no form to disable this feature.
  • Page 500: Power Inline

    Command Line Interface power inline This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port. Syntax [no] power inline Default Setting...
  • Page 501: Power Inline Priority

    Power over Ethernet Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline maximum allocation 8000 Console(config-if)# power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port.
  • Page 502: Show Power Inline Status

    Command Line Interface show power inline status This command displays the current power status for all ports or for specific ports. Syntax show power inline status [interface] interface ethernet • unit - Stack unit. (Range: 1-8) • port - Port number. (Range: 1-26) Command Mode Privileged Exec Example...
  • Page 503: Show Power Mainpower

    Address Table Commands show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Example Console#show power mainpower Unit 1 Mainpower Status Maximum Available Power : 180 watts System Operation Status : on Mainpower Consumption : 15 watts Software Version...
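The budget logic that the power mainpower, power inline, power inline maximum allocation and power inline priority commands above configure can be modelled directly. The following is an added example written for this page, not SMC firmware code; the priority names critical/high/low, the per-port default cap of 15400 mW, the port set and the PD requests are all assumptions, since the page truncates the option list of power inline priority:

```python
"""Priority-based PoE budgeting, modelled after the power mainpower / power inline
commands on this page. Constructed example; not vendor firmware code."""
from dataclasses import dataclass

# Priority names and their order are an assumption: the page truncates the option
# list of 'power inline priority'. Lower rank = served first.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PoePort:
    port: int
    priority: str = "low"           # assumed option names, see PRIORITY_RANK
    pd_request_mw: int = 0          # power the attached PD asks for (constructed input)
    max_allocation_mw: int = 15400  # 'power inline maximum allocation' cap (assumed default)
    inline: bool = True             # 'power inline' / 'no power inline'


def allocate(ports, budget_mw):
    """Serve ports in priority order (then by port number) and never let the sum
    exceed budget_mw. A port that does not fit is left unpowered; lower-priority
    ports that still fit are powered, which is this model's choice.
    Returns (powered: {port: mW}, denied: [port], total_mw)."""
    powered, denied, total = {}, [], 0
    for p in sorted(ports, key=lambda x: (PRIORITY_RANK[x.priority], x.port)):
        if not p.inline or p.pd_request_mw <= 0:
            continue                               # nothing to power on this port
        grant = min(p.pd_request_mw, p.max_allocation_mw)
        if total + grant > budget_mw:
            denied.append(p.port)                  # would exceed the budget: stays off
            continue
        powered[p.port] = grant
        total += grant
    return powered, denied, total


def sample_ports():
    """Constructed port set: 13 PDs each asking for the 802.3af maximum (15.4 W),
    port 3 capped to 8000 mW as in the page's example, port 14 administratively off."""
    ports = [PoePort(1, "critical", 15400)]
    ports += [PoePort(n, "high", 15400) for n in range(2, 7)]
    ports += [PoePort(n, "low", 15400) for n in range(7, 14)]
    ports[2].max_allocation_mw = 8000            # index 2 is port 3
    ports.append(PoePort(14, "low", 15400, inline=False))
    return ports


def mainpower_summary(ports, budget_mw):
    """Mimics the fields shown by 'show power mainpower' for the model above."""
    powered, denied, total = allocate(ports, budget_mw)
    return {"maximum_available_w": budget_mw // 1000,
            "consumption_w": total // 1000,
            "powered_ports": sorted(powered),
            "denied_ports": denied}


if __name__ == "__main__":
    print(mainpower_summary(sample_ports(), 180_000))  # 180 W, as in the show output above
```

With the 180 W budget from the show power mainpower output, the thirteenth 15.4 W device does not fit and stays unpowered, while raising that port to critical pushes the shortfall onto the lowest-priority port instead; a device on a low-priority port can therefore never starve the ports marked critical.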
  • Page 504: Mac-Address-Table Static

    Command Line Interface mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id •...
  • Page 505: Clear Mac-Address-Table Dynamic

    Address Table Commands clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database.
  • Page 506: Mac-Address-Table Aging-Time

    Command Line Interface means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address...
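The mask convention just described (a 0 bit means compare, a 1 bit means ignore) is easy to get backwards, so the following added example, written for this page and not taken from the manual, implements it and uses it for the two lookups an operator most often needs: all addresses from one vendor OUI, and ports that have learned an unusual number of addresses. The sample table is constructed:

```python
"""Address-table lookups with the mask convention on this page (mask bit 0 = compare,
1 = ignore). Constructed example; the table below is made-up sample data."""

MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(entry_mac, address, mask="00-00-00-00-00-00"):
    """True if entry_mac equals address on every bit where mask is 0."""
    compare = ~mac_to_int(mask) & MAC_BITS
    return (mac_to_int(entry_mac) & compare) == (mac_to_int(address) & compare)


# Constructed sample table: (interface, mac, vlan, type)
SAMPLE_TABLE = [
    ("Eth 1/1", "00-10-B5-62-03-74", 1, "Learned"),
    ("Eth 1/2", "00-10-B5-11-22-33", 1, "Learned"),
    ("Eth 1/5", "00-E0-29-94-34-DE", 1, "Permanent"),   # static entry
    ("Eth 1/7", "00-E0-29-AB-CD-EF", 2, "Learned"),
    ("Eth 1/7", "00-E0-29-AB-CD-F0", 2, "Learned"),
    ("Eth 1/7", "00-E0-29-AB-CD-F1", 2, "Learned"),
]


def show_mac_address_table(table, address=None, mask="00-00-00-00-00-00",
                           vlan=None, interface=None):
    """Filter like 'show mac-address-table [interface] [address mac [mask]] [vlan]'."""
    out = []
    for iface, mac, vid, kind in table:
        if interface is not None and iface != interface:
            continue
        if vlan is not None and vid != vlan:
            continue
        if address is not None and not mac_matches(mac, address, mask):
            continue
        out.append((iface, mac, vid, kind))
    return out


def by_oui(table, oui):
    """All entries from one vendor OUI: compare only the first three octets,
    so the mask has ones in the last three."""
    return show_mac_address_table(table, address=oui + "-00-00-00",
                                  mask="00-00-00-FF-FF-FF")


def busy_interfaces(table, limit):
    """Interfaces with more than `limit` learned addresses: the symptom of a
    CAM-flooding tool or an unexpected downstream switch on an access port."""
    counts = {}
    for iface, _, _, kind in table:
        if kind == "Learned":
            counts[iface] = counts.get(iface, 0) + 1
    return sorted(i for i, c in counts.items() if c > limit)
```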
  • Page 507: Spanning Tree Commands

    Spanning Tree Commands Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-60 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-200 spanning-tree mode...
  • Page 508: Spanning-Tree

    Command Line Interface Table 4-60 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree Re-checks the appropriate BPDU format 4-217 protocol-migration show spanning-tree Shows spanning tree configuration for the common 4-217 spanning tree (i.e., overall bridge), a selected interface, or an instance within the multiple spanning tree show spanning-tree mst Shows the multiple spanning tree configuration...
  • Page 509 Default Setting rstp Command Mode Global Configuration Command Usage • Spanning Tree Protocol: uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 510: Spanning-Tree Forward-Time

    Command Line Interface spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 511: Spanning-Tree Max-Age

    Spanning Tree Commands Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-202) spanning-tree max-age (4-203) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds.
  • Page 512: Spanning-Tree Priority

    Command Line Interface spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
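The forward-time, max-age and priority commands above interact, and an inconsistent set is rejected by the switch, so it helps to check values before typing them. The following added example (written for this page, not part of the manual) applies the forward-time rule quoted above together with the 802.1D timer relationship max-age >= 2 x (hello-time + 1) and the 802.1D-2004 recommended ranges, and shows how the priority value decides the root election. The bridge names and MAC addresses are constructed:

```python
"""Spanning tree parameter checks and root election. Constructed example that is not
part of the manual; it applies the forward-time rule quoted on this page and the
802.1D timer relationships and ranges."""
from dataclasses import dataclass

# 802.1D-2004 Table 17-1 ranges (seconds); the page itself gives 4-30 for forward-time.
HELLO_RANGE, MAX_AGE_RANGE, FORWARD_RANGE = (1, 10), (6, 40), (4, 30)


def check_timers(hello, max_age, forward):
    """Return the list of violated constraints; empty means the set is consistent.
    forward >= max(4, max_age/2 + 1) is the page's rule and is the same inequality
    as 802.1D's max_age <= 2 * (forward - 1)."""
    problems = []
    for name, value, (lo, hi) in (("hello-time", hello, HELLO_RANGE),
                                  ("max-age", max_age, MAX_AGE_RANGE),
                                  ("forward-time", forward, FORWARD_RANGE)):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} outside {lo}-{hi}")
    if max_age < 2 * (hello + 1):
        problems.append(f"max-age {max_age} < 2*(hello-time+1) = {2 * (hello + 1)}")
    min_forward = max(4, max_age / 2 + 1)
    if forward < min_forward:
        problems.append(f"forward-time {forward} < max(4, max-age/2+1) = {min_forward:g}")
    return problems


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int      # lower wins; set with 'spanning-tree priority'
    mac: str

    def bridge_id(self):
        # 802.1D compares the priority first and the bridge MAC address second.
        return (self.priority, int(self.mac.replace("-", ""), 16))


def elect_root(bridges):
    """The bridge with the numerically lowest bridge ID becomes root."""
    return min(bridges, key=Bridge.bridge_id)


def demo():
    """Constructed topology: a core switch given priority 4096, an access switch at the
    usual 32768, and a device that advertises 0, the lowest value the command accepts."""
    core = Bridge("core", 4096, "00-10-B5-62-03-74")
    access = Bridge("access", 32768, "00-10-B5-11-22-33")
    rogue = Bridge("rogue", 0, "00-E0-29-AB-CD-EF")
    return elect_root([core, access]).name, elect_root([core, access, rogue]).name
```

The election function makes the practical point of the priority command explicit: a lower priority value always wins, so any bridge that can inject BPDUs with priority 0 on a non-edge port takes over as root regardless of which switch was intended to hold that role.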
  • Page 513: Spanning-Tree Transmission-Limit

    Spanning Tree Commands Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 4-209) takes precedence over port priority (page 4-210).
  • Page 514: Mst Vlan

    Related Commands mst vlan (4-206) mst priority (4-207) name (4-207) revision (4-208) max-hops (4-208) mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
  • Page 515: Mst Priority

    Spanning Tree Commands mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) •...
  • Page 516: Revision

    Command Usage The MST region name and revision number (page 4-208) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
  • Page 517: Spanning-Tree Spanning-Disabled

    Default Setting Command Mode MST Configuration Command Usage An MST region is treated as a single node by the STP and RSTP protocols, so the message age of BPDUs inside the region is never changed. Instead, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances, uses a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 518: Spanning-Tree Port-Priority

    Command Line Interface The recommended range is: • Ethernet: 200,000-20,000,000 • Fast Ethernet: 20,000-2,000,000 • Gigabit Ethernet: 2,000-200,000 • 10 Gigabit Ethernet: 200-20,000 Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
  • Page 519: Spanning-Tree Edge-Port

    Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, the lowest value) will be configured as an active link in the spanning tree.
  • Page 520: Spanning-Tree Portfast

    Command Line Interface spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port.
  • Page 521: Spanning-Tree Loopback-Detection

    Spanning Tree Commands Default Setting auto Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges. •...
  • Page 522: Spanning-Tree Loopback-Detection Release-Mode

    spanning-tree loopback-detection release-mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default. Syntax spanning-tree loopback-detection release-mode {auto | manual} no spanning-tree loopback-detection release-mode...
  • Page 523: Spanning-Tree Mst Cost

    Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection trap spanning-tree mst cost This command configures the path cost on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost...
  • Page 524: Spanning-Tree Mst Port-Priority

    Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands spanning-tree mst port-priority (4-216) spanning-tree mst port-priority This command configures the interface priority on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority...
  • Page 525: Spanning-Tree Protocol-Migration

    Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
  • Page 526: Table 4-61 Vlans

    Command Line Interface Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 527: Show Spanning-Tree Mst Configuration

    Oper edge port: disable Admin Link type: auto Oper Link type: point-to-point Spanning Tree Status: enable show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D...
  • Page 528: Gvrp And Bridge Extension Commands

    GVRP and Bridge Extension Commands GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 529: Show Bridge-Ext

    VLAN Commands show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-167 and “Displaying Bridge Extension Capabilities” on page 3-15 for a description of the displayed items.
  • Page 530: Show Gvrp Configuration

    Command Line Interface show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-8) Default Setting Shows both global and interface-specific configuration.
  • Page 531: Show Garp Timer

    Command Usage • The Generic Attribute Registration Protocol (GARP) is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
  • Page 532: Editing Vlan Groups

    Command Line Interface Related Commands garp timer (4-222) Editing VLAN Groups Table 4-63 Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and delete 4-224 VLANs vlan Configures a VLAN, including VID, name and state 4-225 vlan database This command enters VLAN database mode.
  • Page 533: Vlan

    VLAN Commands vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4092, no leading zeroes) •...
  • Page 534: Configuring Vlan Interfaces

    Command Line Interface Configuring VLAN Interfaces Table 4-64 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN 4-226 switchport mode Configures VLAN membership mode for an interface 4-227 switchport Configures frame types to be accepted by an interface 4-227 acceptable-frame-types switchport ingress-filtering...
  • Page 535: Switchport Mode

    VLAN Commands switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {trunk | hybrid | private-vlan} no switchport mode • trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
  • Page 536: Switchport Ingress-Filtering

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged...
  • Page 537: Switchport Native Vlan

    VLAN Commands Example The following example shows how to select port 1 and then enable ingress filtering: Console(config)#interface ethernet 1/1 Console(config-if)#switchport ingress-filtering Console(config-if)# switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
  • Page 538: Switchport Allowed Vlan

    Command Line Interface switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged.
  • Page 539: Switchport Forbidden Vlan

    VLAN Commands Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
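The switchport commands from acceptable-frame-types through forbidden vlan together decide what a port does with each arriving and departing frame. The following added example, written for this page rather than taken from the manual, models those rules for one port: untagged and priority-tagged frames go to the PVID, acceptable-frame-types tagged refuses untagged frames, ingress filtering drops tagged frames for VLANs the port is not a member of, a second untagged VLAN converts the first to tagged, and forbidden VLANs are never admitted. It assumes the 802.1Q meaning of ingress filtering being off (membership is not checked on ingress) and uses VLAN 4092 as an arbitrary parking PVID for the hardened trunk; frames are represented only by their VID:

```python
"""Per-port VLAN handling as configured by the switchport commands above:
acceptable-frame-types, ingress-filtering, native vlan (PVID), allowed/forbidden
VLANs. Constructed model, not firmware code. Frames are represented only by their
802.1Q VID: None = untagged, 0 = priority-tagged."""


class SwitchPort:
    def __init__(self, name, pvid=1, untagged=1, tagged=(), forbidden=(),
                 acceptable="all", ingress_filtering=False):
        self.name = name
        self.pvid = pvid                        # switchport native vlan
        self.untagged = untagged                # at most one untagged VLAN per port
        self.tagged = set(tagged) - {untagged}
        self.forbidden = set(forbidden)         # switchport forbidden vlan
        self.acceptable = acceptable            # "all" | "tagged"
        self.ingress_filtering = ingress_filtering

    def allowed_add(self, vid, tagged=True):
        """switchport allowed vlan add <vid> {tagged|untagged}. Adding a second
        untagged VLAN turns the previous one into a tagged member (page note)."""
        if vid in self.forbidden:
            raise ValueError(f"VLAN {vid} is forbidden on {self.name}")
        if tagged:
            self.tagged.add(vid)
            if self.untagged == vid:
                self.untagged = None
        else:
            if self.untagged not in (None, vid):
                self.tagged.add(self.untagged)
            self.untagged = vid
            self.tagged.discard(vid)

    def members(self):
        return self.tagged | ({self.untagged} if self.untagged is not None else set())

    def ingress(self, vid):
        """Classify an arriving frame. Returns (accepted, vlan, reason)."""
        if vid in (None, 0):
            if self.acceptable == "tagged":
                return False, None, "untagged frame dropped (acceptable-frame-types tagged)"
            return True, self.pvid, "untagged/priority-tagged frame assigned to PVID"
        if vid in self.forbidden:
            return False, vid, "forbidden VLAN"
        if self.ingress_filtering and vid not in self.members():
            return False, vid, "not a member (ingress-filtering)"
        # Assumption from 802.1Q: with ingress filtering off, membership is not checked.
        return True, vid, "tagged frame accepted"

    def egress(self, vid):
        """How a frame in `vid` leaves this port: 'untagged', 'tagged' or None."""
        if vid == self.untagged:
            return "untagged"
        if vid in self.tagged:
            return "tagged"
        return None


def hardened_trunk(name, vlans, pvid=4092):
    """A trunk that carries only tagged traffic: untagged frames are refused,
    membership is enforced, and the PVID is parked on an otherwise unused VLAN
    (4092 is an assumed parking VLAN inside the page's 1-4092 range)."""
    return SwitchPort(name, pvid=pvid, untagged=None, tagged=vlans,
                      acceptable="tagged", ingress_filtering=True)
```

The hardened_trunk helper is the combination a security reviewer looks for on inter-switch links: with acceptable-frame-types tagged and ingress filtering on, a frame cannot be slipped into another VLAN by arriving untagged on the trunk's native VLAN or by carrying a VID the trunk was never meant to carry.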
  • Page 540: Displaying Vlan Information

    Command Line Interface Displaying VLAN Information Table 4-65 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-232 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-173 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-175...
  • Page 541: Configuring Ieee 802.1Q Tunneling

    VLAN Commands Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
  • Page 542: Dot1Q-Tunnel System-Tunnel-Control

    Command Line Interface dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode. Syntax [no] dot1q-tunnel system-tunnel-control Default Setting Disabled Command Mode Global Configuration Command Usage QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
  • Page 543: Switchport Dot1Q-Tunnel Tpid

    VLAN Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)# Related Commands show dot1q-tunnel (4-236) show interfaces switchport (4-175) switchport dot1q-tunnel tpid This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-tunnel tpid tpid no switchport dot1q-tunnel tpid...
  • Page 544: Show Dot1Q-Tunnel

    Command Line Interface show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
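The tunnel access and uplink modes above add and strip a service-provider tag in front of the customer's own 802.1Q tag; the example that follows shows the resulting bytes on the wire. It is an added example written for this page, not firmware code, and the MAC addresses, payload and VLAN numbers are constructed. The default TPID 0x8100 is the one the show dot1q-tunnel output above reports; 0x88A8 is the IEEE 802.1ad service-tag value that switchport dot1q-tunnel tpid can set:

```python
"""802.1Q and QinQ (double-tag) framing as performed by the dot1q-tunnel commands
above. Constructed example, not firmware code; addresses and payload are made up."""
import struct

TPID_8100 = 0x8100   # customer tag, and this switch's default tunnel TPID (show output)
TPID_88A8 = 0x88A8   # IEEE 802.1ad service tag
TPIDS = (TPID_8100, TPID_88A8)


def mac(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: sequence of (tpid, pcp, vid), outermost first."""
    hdr = mac(dst) + mac(src)
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0xFFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (tags outermost first, inner ethertype, payload offset)."""
    off, tags = 12, []
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        if et not in TPIDS:
            return tags, et, off + 2
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((et, tci >> 13, tci & 0xFFF))
        off += 4


def push_spvlan(frame, spvlan, tpid=TPID_8100, pcp=0):
    """What a tunnel access port does on ingress: insert the service-provider tag
    in front of whatever the customer sent, tagged or not."""
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | spvlan) + frame[12:]


def pop_spvlan(frame, tpid=TPID_8100):
    """What the far tunnel access port does on egress: strip the outer SPVLAN tag."""
    (et,) = struct.unpack_from("!H", frame, 12)
    if et != tpid:
        raise ValueError(f"outer tag is not TPID {tpid:#06x}")
    return frame[:12] + frame[16:]


def demo():
    """Constructed customer frame in customer VLAN 10, carried through SPVLAN 100."""
    customer = build_frame("01-00-5E-00-00-01", "00-10-B5-62-03-74", 0x0800,
                           b"\x45" + b"\x00" * 19, tags=[(TPID_8100, 0, 10)])
    in_provider = push_spvlan(customer, 100)
    tags, et, _ = parse_tags(in_provider)
    return tags, et, pop_spvlan(in_provider) == customer
```

The same two-tag layout is what a double-tagging VLAN hop relies on when a switch that is not in QinQ mode strips an outer tag matching a trunk's untagged native VLAN and the next switch honours the inner one; on non-tunnel trunks, switchport acceptable-frame-types tagged and a native VLAN that carries no user traffic close that path.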
  • Page 545: Table 4-67 Private Vlan Commands

    VLAN Commands This section describes commands used to configure private VLANs. Table 4-67 Private VLAN Commands Command Function Mode Page Edit Private VLAN Groups private-vlan Adds or deletes primary, community, or isolated VLANs 4-238 private-vlan association Associates a community VLAN with a primary VLAN 4-239 Configure Private VLAN Interfaces switchport mode...
  • Page 546: Private-Vlan

    Command Line Interface private-vlan Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | primary | isolated} no private-vlan vlan-id • vlan-id - ID of private VLAN. (Range: 1-4092, no leading zeroes). •...
  • Page 547: Private Vlan Association

    VLAN Commands private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
  • Page 548: Switchport Private-Vlan Host-Association

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command. •...
  • Page 549: Switchport Private-Vlan Isolated

    VLAN Commands switchport private-vlan isolated Use this command to assign an interface to an isolated VLAN. Use the no form to remove this assignment. Syntax switchport private-vlan isolated isolated-vlan-id no switchport private-vlan isolated isolated-vlan-id - ID of isolated VLAN. (Range: 1-4092). Default Setting None Command Mode...
  • Page 550: Show Vlan Private-Vlan

    Command Line Interface Example Console(config)#interface ethernet 1/2 Console(config-if)#switchport private-vlan mapping 2 Console(config-if)# show vlan private-vlan Use this command to show the private VLAN configuration settings on this switch. Syntax show vlan private-vlan [community | isolated | primary] • community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
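The private VLAN commands above only make sense as a set, so the following added example (written for this page, not firmware code) models the whole configuration and answers the question an auditor asks of it: which ports can reach which. The isolation semantics assumed are the usual private VLAN definitions (RFC 5517): promiscuous ports reach every secondary VLAN associated with their primary, community hosts reach each other and the promiscuous ports, and isolated hosts reach promiscuous ports only. The port layout is constructed around the page's Eth 1/2 mapping to primary VLAN 2:

```python
"""Forwarding rules between private VLAN port roles, modelled after the private-vlan,
private-vlan association and switchport private-vlan commands above. Constructed
example, not firmware code; isolation semantics per RFC 5517 (an assumption)."""


class PrivateVlans:
    def __init__(self):
        self.kind = {}        # vlan -> "primary" | "community" | "isolated"
        self.primary_of = {}  # secondary vlan -> primary vlan (private-vlan association)
        self.ports = {}       # port -> ("promiscuous", primary) | ("host", secondary)

    def private_vlan(self, vid, kind):
        if kind not in ("primary", "community", "isolated"):
            raise ValueError(kind)
        self.kind[vid] = kind

    def association(self, primary, secondary):
        if (self.kind.get(primary) != "primary"
                or self.kind.get(secondary) not in ("community", "isolated")):
            raise ValueError("association needs a primary and a community/isolated VLAN")
        self.primary_of[secondary] = primary

    def mapping(self, port, primary):
        """switchport private-vlan mapping: a promiscuous port in a primary VLAN."""
        self.ports[port] = ("promiscuous", primary)

    def host_association(self, port, secondary):
        """switchport private-vlan host-association / isolated: a host port."""
        self.ports[port] = ("host", secondary)

    def can_forward(self, src, dst):
        if src == dst:
            return False
        src_role, src_vlan = self.ports[src]
        dst_role, dst_vlan = self.ports[dst]
        if src_role == "promiscuous" and dst_role == "promiscuous":
            return src_vlan == dst_vlan
        if src_role == "promiscuous":
            return self.primary_of.get(dst_vlan) == src_vlan
        if dst_role == "promiscuous":
            return self.primary_of.get(src_vlan) == dst_vlan
        # host to host: only inside one community VLAN, never inside an isolated one
        return src_vlan == dst_vlan and self.kind.get(src_vlan) == "community"

    def reachability(self):
        """{src: sorted list of reachable ports}, the matrix to review after a change."""
        return {s: sorted(d for d in self.ports if self.can_forward(s, d))
                for s in self.ports}


def sample():
    """Constructed layout: primary VLAN 2 with the page's promiscuous port Eth 1/2,
    community VLAN 3 (Eth 1/3, Eth 1/4), isolated VLAN 4 (Eth 1/5, Eth 1/6)."""
    pv = PrivateVlans()
    pv.private_vlan(2, "primary")
    pv.private_vlan(3, "community")
    pv.private_vlan(4, "isolated")
    pv.association(2, 3)
    pv.association(2, 4)
    pv.mapping("Eth 1/2", 2)
    for port, vlan in (("Eth 1/3", 3), ("Eth 1/4", 3), ("Eth 1/5", 4), ("Eth 1/6", 4)):
        pv.host_association(port, vlan)
    return pv
```

Printing reachability() after each configuration change is a cheap regression check: a host port that suddenly reaches a second community, or an isolated port that reaches its neighbour, shows up as an extra entry in one row.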
  • Page 551: Configuring Protocol-Based Vlans

    VLAN Commands Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 552: Protocol-Vlan Protocol-Group (Configuring Groups)

    Command Line Interface protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group. Only one frame and protocol type can be added to a protocol group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] no protocol-vlan protocol-group group-id •...
  • Page 553: Show Protocol-Vlan Protocol-Group

    VLAN Commands Command Usage • When creating a protocol-based VLAN, do not assign interfaces to the protocol VLAN via any of the standard VLAN commands. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-225), the switch will admit traffic of any protocol type into the associated VLAN.
  • Page 554: Show Protocol-Vlan Protocol-Group-Vid

    Command Line Interface show protocol-vlan protocol-group-vid This command shows the mapping from protocol groups to VLANs. Syntax show protocol-vlan protocol-group-vid Default Setting The mapping for all protocol groups is displayed. Command Mode Privileged Exec Example This shows that traffic matching the specifications for protocol group 2 will be mapped to VLAN 2: Console#show protocol-vlan protocol-group-vid ProtocolGroup ID...
  • Page 555: Table 4-69 Lldp Commands

    LLDP Commands Table 4-69 LLDP Commands (Continued) Command Function Mode Page lldp refresh-interval Configures the periodic transmit interval for LLDP 4-250 advertisements lldp reinit-delay Configures the delay before attempting to re-initialize after 4-251 LLDP ports are disabled or the link goes down lldp tx-delay Configures a delay between the successive transmission of 4-251...
  • Page 556: Lldp

    Command Line Interface Table 4-69 LLDP Commands (Continued) Command Function Mode Page lldp medtlv Configures an LLDP-MED-enabled port to advertise its 4-262 location location identification details lldp medtlv Configures an LLDP-MED-enabled port to advertise its 4-262 med-cap Media Endpoint Device capabilities lldp medtlv Configures an LLDP-MED-enabled port to advertise its 4-263...
  • Page 557: Lldp Medfaststartcount

    Command Mode Global Configuration Command Usage The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner. Example Console(config)#lldp holdtime-multiplier 10 Console(config)# lldp medFastStartCount This command specifies the number of MED Fast Start LLDPDUs to transmit during...
  • Page 558: Lldp Refresh-Interval

    Command Line Interface Default Setting 5 seconds Command Mode Global Configuration Command Usage • This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. • Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
  • Page 559: Lldp Reinit-Delay

    LLDP Commands lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay seconds - Specifies the delay before attempting to re-initialize LLDP. (Range: 1 - 10 seconds) Default Setting 2 seconds...
  • Page 560: Lldp Admin-Status

    Command Line Interface • This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval Example Console(config)#lldp tx-delay 10 Console(config)# lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status...
  • Page 561: Lldp Mednotification

    LLDP Commands the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. • SNMP trap destinations are defined using the snmp-server host command (page 4-153). • Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
  • Page 562: Lldp Basic-Tlv Management-Ip-Address

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp mednotification Console(config-if)# lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode...
  • Page 563: Lldp Basic-Tlv Port-Description

    LLDP Commands lldp basic-tlv port-description This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature. Syntax [no] lldp basic-tlv port-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
  • Page 564: Lldp Basic-Tlv System-Description

    Command Line Interface lldp basic-tlv system-description This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type,...
  • Page 565: Lldp Dot1-Tlv Proto-Ident

    lldp dot1-tlv proto-ident This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-ident Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface.
  • Page 566: Lldp Dot1-Tlv Pvid

    Command Line Interface lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv pvid Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan”...
  • Page 567: Lldp Dot3-Tlv Link-Agg

    lldp dot3-tlv link-agg This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv link-agg Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
  • Page 568: Lldp Dot3-Tlv Max-Frame

    Command Line Interface lldp dot3-tlv max-frame This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv max-frame Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Refer to “Frame Size Commands”...
  • Page 569: Lldp Medtlv Extpoe

    LLDP Commands lldp medtlv extpoe This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature. Syntax [no] lldp medtlv extpoe Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including...
  • Page 570: Lldp Medtlv Location

    lldp medtlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp medtlv location Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details.
  • Page 571: Lldp Medtlv Network-Policy

    lldp medtlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp medtlv network-policy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.
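Two things in the LLDP section above are worth seeing in code: the timer rules (the TTL a neighbour keeps the advertisement for, and the page's 4 x tx-delay <= refresh-interval constraint), and what the basic-tlv commands actually remove from the frame, since system-description and management-ip-address are the TLVs that hand an unauthenticated neighbour the firmware version and management address. The following is an added example written for this page, not firmware code; the TLV encodings follow IEEE 802.1AB (7-bit type, 9-bit length), the timer ranges are the 802.1AB-2005 values, and the chassis MAC, port name, system strings and 192.0.2.1 address are constructed:

```python
"""Build and parse an LLDPDU with the TLVs the commands above switch on and off,
and compute the TTL from refresh-interval and holdtime-multiplier. Constructed
example, not firmware code; TLV formats follow IEEE 802.1AB."""
import struct

END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, MGMT_ADDR = 0, 1, 2, 3, 4, 5, 6, 8
NAMES = {END: "end", CHASSIS_ID: "chassis-id", PORT_ID: "port-id", TTL: "ttl",
         PORT_DESC: "port-description", SYS_NAME: "system-name",
         SYS_DESC: "system-description", MGMT_ADDR: "management-ip-address"}


def check_timers(refresh_interval, tx_delay, holdtime_multiplier, reinit_delay):
    """Page rule: 4 * tx-delay <= refresh-interval. Ranges are 802.1AB-2005 values
    (the page itself gives 1-10 for reinit-delay)."""
    problems = []
    if not 5 <= refresh_interval <= 32768: problems.append("refresh-interval out of range")
    if not 1 <= tx_delay <= 8192: problems.append("tx-delay out of range")
    if not 2 <= holdtime_multiplier <= 10: problems.append("holdtime-multiplier out of range")
    if not 1 <= reinit_delay <= 10: problems.append("reinit-delay out of range")
    if 4 * tx_delay > refresh_interval: problems.append("4*tx-delay exceeds refresh-interval")
    return problems


def ttl_seconds(refresh_interval, holdtime_multiplier):
    """802.1AB: txTTL = min(65535, msgTxInterval * msgTxHold)."""
    return min(65535, refresh_interval * holdtime_multiplier)


def tlv(tlv_type, value):
    assert len(value) < 512            # 9-bit length field
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, sys_name=None, sys_desc=None, mgmt_ipv4=None):
    pdu = tlv(CHASSIS_ID, b"\x04" + bytes.fromhex(chassis_mac.replace("-", "")))  # subtype 4 = MAC
    pdu += tlv(PORT_ID, b"\x05" + port_name.encode())                              # subtype 5 = ifName
    pdu += tlv(TTL, struct.pack("!H", ttl))
    if sys_name:
        pdu += tlv(SYS_NAME, sys_name.encode())
    if sys_desc:
        pdu += tlv(SYS_DESC, sys_desc.encode())
    if mgmt_ipv4:
        addr = b"\x01" + bytes(int(o) for o in mgmt_ipv4.split("."))  # subtype 1 = IPv4
        # addr string length, addr, ifNumbering subtype 2 (ifIndex), ifIndex 1, OID length 0
        pdu += tlv(MGMT_ADDR, bytes([len(addr)]) + addr + b"\x02" + struct.pack("!I", 1) + b"\x00")
    return pdu + tlv(END, b"")


def parse_lldpdu(pdu):
    """Return [(type, value)] up to and including the End TLV."""
    out, off = [], 0
    while off + 2 <= len(pdu):
        (hdr,) = struct.unpack_from("!H", pdu, off)
        t, ln = hdr >> 9, hdr & 0x1FF
        out.append((t, pdu[off + 2: off + 2 + ln]))
        off += 2 + ln
        if t == END:
            break
    return out


def ttl_of(pdu):
    return next(struct.unpack("!H", v)[0] for t, v in parse_lldpdu(pdu) if t == TTL)


def management_ipv4(pdu):
    """The advertised IPv4 management address, or None if the TLV is absent."""
    for t, v in parse_lldpdu(pdu):
        if t == MGMT_ADDR and v[1] == 1:
            return ".".join(str(b) for b in v[2:2 + v[0] - 1])
    return None


def strip_tlvs(pdu, disabled):
    """Rebuild the PDU without the given TLV types: the effect of the
    'no lldp basic-tlv ...' commands on what a port advertises."""
    return b"".join(tlv(t, v) for t, v in parse_lldpdu(pdu) if t not in disabled)


def advertised(pdu):
    return [NAMES.get(t, f"type-{t}") for t, _ in parse_lldpdu(pdu)]
```

Note that with the default transmit interval of 30 shown in the show lldp config output, the page's own example lldp tx-delay 10 only satisfies the 4 x tx-delay rule once the refresh interval has been raised to at least 40.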
  • Page 572 Command Line Interface Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |AdminStatus NotificationEnabled --------- + ----------- -------------------...
  • Page 573: Show Lldp Info Local-Device

    LLDP Commands show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device. Syntax show lldp info local-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 574: Show Lldp Info Remote-Device

    Command Line Interface show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit.
  • Page 575: Show Lldp Info Statistics

    LLDP Commands show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 576: Priority Commands

    Command Line Interface Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 577: Switchport Priority Default

    Priority Commands Default Setting Weighted Round Robin Command Mode Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 578: Queue Bandwidth

    Command Line Interface • This switch provides four priority queues for each port. It is configured to use Weighted Round Robin by default, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port’s default ingress user priority, and then placed in the appropriate priority queue at the output port.
  • Page 579: Queue Cos-Map

    Priority Commands queue cos-map This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3). Use the no form to set the CoS map to the default values. Syntax queue cos-map queue_id [cos1 ... cosn] no queue cos-map •...
  • Page 580: Show Queue Mode

    Command Line Interface show queue mode This command shows the current queue mode. Default Setting None Command Mode Privileged Exec Example Console#show queue mode Queue mode: wrr Console# show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues.
  • Page 581: Priority Commands (Layer 3 And 4)

    Priority Commands Default Setting None Command Mode Privileged Exec Example
    Console#show queue cos-map ethernet 1/1
    Information of Eth 1/1
     Traffic Class : 0 1 2 3 4 5 6 7
     Priority Queue: 1 0 0 1 2 2 3 3
    Console#
    Priority Commands (Layer 3 and 4) Table 4-73...
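    The following is an added worked example and not code from this guide or from the SMC6128PL2 firmware. It models, in Python, the CoS-to-queue map printed by show queue cos-map above (traffic classes 0-7 to queues 1 0 0 1 2 2 3 3) and the two scheduling modes offered by the queue mode command, strict priority and Weighted Round Robin. Untagged frames take the port's default ingress priority before they are mapped, as the text above states. The WRR weights in the model are an assumption; this page does not show the output of show queue bandwidth, so read them from your own switch before drawing conclusions about share.

```python
"""CoS-to-queue mapping and output scheduling, modelled on the priority
commands above. Added illustration, not code from the SMC6128PL2 or this
guide. DEFAULT_COS_MAP is the map printed by 'show queue cos-map' on this
page; ASSUMED_WRR_WEIGHTS is an assumption, not a value from the page."""

from collections import deque

# 'show queue cos-map ethernet 1/1': Traffic Class 0-7 -> Priority Queue
DEFAULT_COS_MAP = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}
NUM_QUEUES = 4  # hardware output queues 0-3, queue 3 is served first

# Assumed per-queue WRR weights (frames per round); verify with
# 'show queue bandwidth' on a real switch.
ASSUMED_WRR_WEIGHTS = {0: 1, 1: 2, 2: 4, 3: 8}


def queue_for_frame(cos, cos_map=DEFAULT_COS_MAP, port_default_cos=0):
    """Return the output queue for a frame carrying 802.1p priority `cos`.

    cos=None means an untagged frame; the text above says such frames are
    first tagged with the port's default ingress user priority.
    """
    if cos is None:
        cos = port_default_cos
    if not 0 <= cos <= 7:
        raise ValueError(f"CoS must be 0-7, got {cos}")
    return cos_map[cos]


def enqueue(frames, cos_map=DEFAULT_COS_MAP):
    """Sort (frame_id, cos) pairs into per-queue FIFOs."""
    queues = {q: deque() for q in range(NUM_QUEUES)}
    for frame_id, cos in frames:
        queues[queue_for_frame(cos, cos_map)].append(frame_id)
    return queues


def schedule_strict(queues, budget):
    """Strict priority: always send from the highest non-empty queue.
    Lower queues are served only once every higher queue is empty."""
    out = []
    while len(out) < budget:
        for q in sorted(queues, reverse=True):
            if queues[q]:
                out.append(queues[q].popleft())
                break
        else:
            break  # every queue is empty
    return out


def schedule_wrr(queues, budget, weights=ASSUMED_WRR_WEIGHTS):
    """Weighted round robin: per round, queue q may send up to weights[q]
    frames, so a saturated high queue cannot starve the others."""
    out = []
    while len(out) < budget and any(queues.values()):
        for q in sorted(queues, reverse=True):
            for _ in range(weights[q]):
                if not queues[q] or len(out) >= budget:
                    break
                out.append(queues[q].popleft())
    return out


def demo(budget=12):
    """Constructed congestion scenario: 20 CoS 6 frames (queue 3) compete
    with 10 CoS 0 frames (queue 1) for `budget` transmit slots."""
    frames = [(f"voice{i}", 6) for i in range(20)]
    frames += [(f"data{i}", 0) for i in range(10)]
    strict = schedule_strict(enqueue(frames), budget)
    wrr = schedule_wrr(enqueue(frames), budget)
    return strict, wrr


if __name__ == "__main__":
    strict, wrr = demo()
    print("strict:", strict)
    print("wrr:   ", wrr)
```

    With strict mode the 12 transmit slots all go to the CoS 6 burst and the best-effort queue sends nothing; with the assumed WRR weights queue 1 still gets two frames per round. The practical caveat is that whoever sets the 802.1p tag decides the queue, so a host that tags its own frames with CoS 6 or 7 receives that preference unless the edge port rewrites the ingress priority.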
  • Page 582: Map Ip Dscp (Interface Configuration)

    Command Line Interface map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. Syntax map ip dscp dscp-value cos cos-value no map ip dscp •...
  • Page 583: Show Map Ip Dscp

    Priority Commands show map ip dscp This command shows the IP DSCP priority map. Syntax show map ip dscp [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode...
  • Page 584: Quality Of Service Commands

    Command Line Interface Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 585: Class-Map

    Quality of Service Commands Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. You should create a Class Map (page 4-277) before creating a Policy Map (page 4-279). Otherwise, you will not be able to specify a Class Map with the class command (page 4-279) after entering Policy-Map Configuration mode.
  • Page 586: Match

    Command Line Interface match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 587: Policy-Map

    Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
  • Page 588: Set

    Command Line Interface Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. Finally, use the set and police commands to specify the actions applied to traffic that matches the class, where the: - set command classifies the service that an IP packet will receive.
  • Page 589: Police

    Quality of Service Commands Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 590: Service-Policy

  • Page 591: Show Class-Map

    Quality of Service Commands show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-16 characters) Default Setting Displays all class maps. Command Mode Privileged Exec Example...
  • Page 592: Show Policy-Map Interface

    Command Line Interface Example
    Console#show policy-map
     Policy Map rd_policy
      class rd_class
       set ip dscp 3
    Console#show policy-map rd_policy class rd_class
     Policy Map rd_policy
      class rd_class
       set ip dscp 3
    Console#
    show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface...
  • Page 593: Voice Vlan

    Voice VLAN Commands Table 4-76 Voice VLAN Commands
     switchport voice vlan security - Enables Voice VLAN security on ports (page 4-288)
     switchport voice vlan priority - Sets the VoIP traffic priority for ports (page 4-289)
     show voice vlan - Displays Voice VLAN settings (page 4-290)
    voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID.
  • Page 594: Voice Vlan Aging

    Command Line Interface voice vlan aging This command sets the Voice VLAN membership timeout. Use the no form to restore the default. Syntax voice vlan aging minutes no voice vlan minutes - Specifies the port Voice VLAN membership timeout. (Range: 5-43200 minutes) Default Setting 1440 minutes...
  • Page 595: Switchport Voice Vlan

    Voice VLAN Commands Command Usage • VoIP devices attached to the switch can be identified by the manufacturer’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 596: Switchport Voice Vlan Rule

    Command Line Interface switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port. Syntax [no] switchport voice vlan rule {oui | lldp} •...
  • Page 597: Switchport Voice Vlan Priority

    Voice VLAN Commands Command Usage • Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP, which discovers VoIP devices attached to the switch.
  • Page 598: Show Voice Vlan

    Command Line Interface show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} • oui - Displays the OUI Telephony list. • status - Displays the global and port Voice VLAN settings. Default Setting None Command Mode...
  • Page 599: Multicast Filtering Commands

    Multicast Filtering Commands Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 600: Ip Igmp Snooping

    Command Line Interface ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static...
  • Page 601: Ip Igmp Snooping Version

    Multicast Filtering Commands ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
  • Page 602: Ip Igmp Snooping Immediate-Leave

    Command Line Interface Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. • The leave-proxy feature does not function when a switch is set as the querier. Example Console(config)#ip igmp snooping leave-proxy Console(config)#...
  • Page 603: Show Ip Igmp Snooping

    Multicast Filtering Commands show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-221 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping...
  • Page 604: Igmp Query Commands (Layer 2)

    Command Line Interface Example The following shows the multicast entries learned through IGMP snooping for VLAN 1:
    Console#show mac-address-table multicast vlan 1 igmp-snooping
     VLAN M'cast IP addr. Member ports Type
     ---- --------------- ------------ -------
        1 224.1.2.3       Eth1/11      IGMP
    Console#
    IGMP Query Commands (Layer 2) This section describes commands used to configure Layer 2 IGMP query on the switch.
  • Page 605: Ip Igmp Snooping Query-Count

    Multicast Filtering Commands Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
  • Page 606: Ip Igmp Snooping Query-Max-Response-Time

    Command Line Interface Default Setting 125 seconds Command Mode Global Configuration Example The following shows how to configure the query interval to 100 seconds: Console(config)#ip igmp snooping query-interval 100 Console(config)# ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default.
  • Page 607: Ip Igmp Snooping Router-Port-Expire-Time

    Multicast Filtering Commands ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
  • Page 608: Ip Igmp Snooping Vlan Mrouter

    Command Line Interface ip igmp snooping vlan mrouter This command statically configures a multicast router port. Use the no form to remove the configuration. Syntax [no] ip igmp snooping vlan vlan-id mrouter interface • vlan-id - VLAN ID (Range: 1-4092) •...
  • Page 609: Igmp Filtering And Throttling Commands

    Multicast Filtering Commands Command Usage Multicast router port types displayed include Static. Example The following shows that port 11 in VLAN 1 is attached to a multicast router:
    Console#show ip igmp snooping mrouter vlan 1
     VLAN M'cast Router Ports Type
     ---- ------------------- -------
        1 Eth 1/11            Static...
  • Page 610: Ip Igmp Filter (Global Configuration)

    Command Line Interface ip igmp filter (Global Configuration) This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 611: Permit, Deny

    Multicast Filtering Commands Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode;...
  • Page 612: Ip Igmp Filter (Interface Configuration)

    Command Line Interface Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example
    Console(config)#ip igmp profile 19
    Console(config-igmp-profile)#range 239.1.1.1
    Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
    Console(config-igmp-profile)#
    ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch.
  • Page 613: Ip Igmp Max-Groups

    Multicast Filtering Commands ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
  • Page 614: Show Ip Igmp Filter

    Command Line Interface Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
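    The following is an added worked example, not code from this guide or from the switch firmware. It models in Python how the IGMP filtering and throttling commands above fit together: a profile (ip igmp profile, permit/deny, range) is checked first, then the per-port group limit (ip igmp max-groups) with its deny or replace action. The profile from the page's own example (profile 19, ranges 239.1.1.1 and 239.2.3.1-239.2.3.100) is reused; its access mode is not shown on this page, so deny mode is assumed, and the random choice in replace mode is seeded so the run is reproducible.

```python
"""IGMP filtering profiles and join throttling, modelled on the
'ip igmp profile', 'permit'/'deny', 'range', 'ip igmp filter' and
'ip igmp max-groups' commands above. Added illustration, not firmware code.
The 'deny' access mode for profile 19 and the seeded random pick for the
'replace' action are assumptions made so the demo is reproducible."""

import ipaddress
import random


class IgmpProfile:
    """One profile: a single access mode plus the group ranges entered with
    the 'range' command. In deny mode the listed groups are refused; in
    permit mode only the listed groups may be joined."""

    def __init__(self, number, mode="deny"):
        if mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")
        self.number = number
        self.mode = mode
        self.ranges = []  # (low, high) as integers

    def add_range(self, start, end=None):
        """'range start [end]': a single group when end is omitted."""
        low = int(ipaddress.IPv4Address(start))
        high = int(ipaddress.IPv4Address(end)) if end else low
        if high < low:
            raise ValueError("range end precedes range start")
        self.ranges.append((low, high))

    def allows(self, group):
        g = int(ipaddress.IPv4Address(group))
        listed = any(low <= g <= high for low, high in self.ranges)
        return listed if self.mode == "permit" else not listed


class IgmpPort:
    """An interface with an assigned profile and a max-groups throttle."""

    def __init__(self, name, profile=None, max_groups=None, action="deny", rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("throttle action must be 'deny' or 'replace'")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = []  # joined groups in join order
        self.rng = rng or random.Random(0)

    def join(self, group):
        """Handle one IGMP join report for `group`; return the decision."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"          # profile check comes first
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"     # report dropped, nothing changes
            # 'replace': evict a random existing group in favour of the new one
            evicted = self.groups.pop(self.rng.randrange(len(self.groups)))
            self.groups.append(group)
            return f"replaced {evicted}"
        self.groups.append(group)
        return "joined"


def demo():
    """Profile 19 from the page's example (assumed deny mode) on a port
    throttled to two groups with the default 'deny' action."""
    p19 = IgmpProfile(19, mode="deny")
    p19.add_range("239.1.1.1")
    p19.add_range("239.2.3.1", "239.2.3.100")
    port = IgmpPort("Eth 1/1", profile=p19, max_groups=2)
    reports = ["239.1.1.1", "239.2.3.50", "239.2.3.101", "224.1.2.3", "239.9.9.9"]
    return [port.join(g) for g in reports], list(port.groups)


if __name__ == "__main__":
    print(demo())
```

    Two points the model makes visible: a profile in deny mode lets every group that is not listed through, so 239.2.3.101 (one past the range end) is accepted, and the replace action evicts a group that a legitimate receiver may still depend on, which is why deny is the safer default where a subscriber could spray join reports at the port.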
  • Page 615: Show Ip Igmp Profile

    Multicast Filtering Commands show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode Privileged Exec Example Console#show ip igmp profile IGMP Profile 19...
  • Page 616: Multicast Vlan Registration Commands

    Command Line Interface Example
    Console#show ip igmp throttle interface ethernet 1/1
    Eth 1/1 Information
     Status                   : TRUE
     Action                   : Deny
     Max Multicast Groups     : 32
     Current Multicast Groups : 0
    Console#
    Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR).
  • Page 617: Mvr (Interface Configuration)

    Multicast VLAN Registration Commands Default Setting • MVR is disabled. • No MVR group address is defined. • The default number of contiguous addresses is 0. • MVR VLAN ID is 1. Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
  • Page 618 Command Line Interface Default Setting • The port type is not defined. • Immediate leave is disabled. • No receiver port is a member of any configured multicast group. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
  • Page 619: Show Mvr

    Multicast VLAN Registration Commands Example The following configures one source port and several receiver ports on the switch, enables immediate leave on one of the receiver ports, and statically assigns a multicast group to another receiver port:
    Console(config)#interface ethernet 1/5
    Console(config-if)#mvr type source
    Console(config-if)#exit
    Console(config)#interface ethernet 1/6...
  • Page 620: Table 4-84 Show Mvr Interface - Display Description

    Command Line Interface Example The following shows the global MVR settings:
    Console#show mvr
    MVR Status:enable
    MVR running status:TRUE
    MVR multicast vlan:1
    MVR Max Multicast Groups:255
    MVR Current multicast groups:10
    Console#
    Table 4-83 show mvr - display description Field Description MVR Status Shows if MVR is globally enabled on the switch.
  • Page 621: Ip Interface Commands

    IP Interface Commands The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
    Console#show mvr members
     MVR Group IP    Status   Members
     --------------- -------- -------
     225.0.0.1       ACTIVE   eth1/1(d), eth1/2(s)
     225.0.0.2       INACTIVE None
     225.0.0.3       INACTIVE None
     225.0.0.4       INACTIVE None...
  • Page 622: Ip Address

    Command Line Interface ip address This command sets the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address. Syntax ip address {ip-address netmask | bootp | dhcp} no ip address • ip-address - IP address •...
  • Page 623: Ip Default-Gateway

    IP Interface Commands ip default-gateway This command establishes a static route between this switch and devices that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No static route is established.
  • Page 624: Show Ip Interface

    Command Line Interface Example In the following example, the device is reassigned the same address.
    Console(config)#interface vlan 1
    Console(config-if)#ip address dhcp
    Console(config-if)#end
    Console#ip dhcp restart
    Console#show ip interface
     IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
     and address mode: DHCP.
    Console#
    Related Commands ip address (4-314)
  • Page 625: Ping

    IP Interface Commands ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [size size] [count count] • host - IP address or IP alias of the host. • size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
  • Page 626: Ip Source Guard Commands

    Command Line Interface IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands”...
  • Page 627 IP Source Guard Commands option to check these same parameters, plus the source MAC address. Use the no ip source-guard command to disable this function on the selected port. • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, static entries configured in the DHCP snooping table, or static addresses configured in the source guard binding table.
  • Page 628: Ip Source-Guard Binding

    Command Line Interface ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id •...
  • Page 629: Show Ip Source-Guard

    IP Source Guard Commands Related Commands ip source-guard (4-318) ip dhcp snooping (4-322) ip dhcp snooping vlan (4-324) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type ---------...
  • Page 630: Dhcp Snooping Commands

    Command Line Interface DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers by accepting DHCP server replies only on trusted ports, and to insert port-related information (Option 82) into client requests relayed to the DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
  • Page 631 DHCP Snooping Commands • When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping. • Table entries are only learned for untrusted interfaces. Each entry includes a MAC address, IP address, lease time, entry type (Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 632: Ip Dhcp Snooping Vlan

    Command Line Interface Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (4-324) ip dhcp snooping trust (4-325) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
  • Page 633: Ip Dhcp Snooping Trust

    DHCP Snooping Commands ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 634: Ip Dhcp Snooping Information Option

    Command Line Interface Command Mode Global Configuration Command Usage If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not same as the client’s hardware address in the DHCP packet, the packet is dropped. Example This example enables MAC address verification.
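    The following is an added worked example and not code from this guide or from the SMC6128PL2 firmware. It models in Python the behaviour the IP Source Guard and DHCP Snooping sections above describe: DHCP server messages are accepted only on trusted ports (ip dhcp snooping trust), binding entries are learned only for untrusted interfaces, MAC address verification compares the Ethernet source address with the client hardware address in the DHCP packet, and IP Source Guard then forwards only IP traffic that matches a dynamic or static binding for that port and VLAN, checking the IP alone or the IP and MAC together. Packets are plain dicts rather than parsed frames, the port names, MAC and IP addresses are constructed for the demo, and the matching of a server ACK to an earlier client request by client hardware address is a simplification of how the switch correlates the exchange.

```python
"""Model of DHCP snooping and IP Source Guard as described above. Added
illustration, not SMC firmware: packets are plain dicts, not parsed frames.
Rules modelled: server messages are accepted only from trusted ports,
bindings are learned only for untrusted ports, MAC verification compares the
Ethernet source address with the DHCP chaddr, and IP Source Guard forwards
only IP traffic matching a binding for that port and VLAN."""

from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str  # "Dynamic-DHCP-Binding" or "Static-DHCP-Binding"


class SnoopingSwitch:
    def __init__(self, trusted_ports=(), verify_mac=True):
        self.trusted = set(trusted_ports)  # 'ip dhcp snooping trust'
        self.verify_mac = verify_mac       # MAC address verification on/off
        self.bindings = {}                 # (mac, vlan) -> Binding
        self.pending = {}                  # (chaddr, vlan) -> untrusted port awaiting an ACK
        self.source_guard = {}             # port -> "sip" or "sip-mac"

    def dhcp_packet(self, pkt):
        """Filter one DHCP message; return 'forward' or a drop reason."""
        port, vlan, mtype, chaddr = pkt["port"], pkt["vlan"], pkt["type"], pkt["chaddr"]
        if port in self.trusted:
            # A server ACK for a request seen on an untrusted port creates a
            # dynamic binding on that client port, never on the trusted one.
            if mtype == "ACK" and (chaddr, vlan) in self.pending:
                client_port = self.pending.pop((chaddr, vlan))
                self.bindings[(chaddr, vlan)] = Binding(
                    chaddr, pkt["yiaddr"], vlan, client_port, "Dynamic-DHCP-Binding")
            return "forward"
        if mtype in SERVER_MSGS:
            return "drop: server message on untrusted port"   # rogue server
        if self.verify_mac and pkt["src_mac"].lower() != chaddr.lower():
            return "drop: source MAC does not match chaddr"
        if mtype in ("DISCOVER", "REQUEST"):
            self.pending[(chaddr, vlan)] = port
        return "forward"

    def add_static_binding(self, mac, vlan, ip, port):
        """'ip source-guard binding <mac> vlan <vlan> <ip> interface <port>'."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port, "Static-DHCP-Binding")

    def enable_source_guard(self, port, mode="sip"):
        """'sip' checks the source IP only; 'sip-mac' also checks the MAC."""
        if mode not in ("sip", "sip-mac"):
            raise ValueError("mode must be 'sip' or 'sip-mac'")
        self.source_guard[port] = mode

    def ip_packet(self, pkt):
        """Filter one IP packet; return 'forward' or a drop reason."""
        mode = self.source_guard.get(pkt["port"])
        if mode is None:
            return "forward"  # source guard not enabled on this port
        for b in self.bindings.values():
            if (b.port, b.vlan, b.ip) != (pkt["port"], pkt["vlan"], pkt["src_ip"]):
                continue
            if mode == "sip-mac" and b.mac.lower() != pkt["src_mac"].lower():
                continue
            return "forward"
        return "drop: no matching source-guard binding"


def demo():
    """Constructed exchange on VLAN 1: client on untrusted Eth 1/3, the real
    server behind trusted Eth 1/1, a rogue server on untrusted Eth 1/4."""
    sw = SnoopingSwitch(trusted_ports={"Eth 1/1"})
    sw.enable_source_guard("Eth 1/3", "sip-mac")
    client, rogue, server = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:50:aa:bb:cc:01"
    log = [
        sw.dhcp_packet({"port": "Eth 1/3", "vlan": 1, "type": "DISCOVER", "src_mac": client, "chaddr": client}),
        sw.dhcp_packet({"port": "Eth 1/4", "vlan": 1, "type": "OFFER", "src_mac": rogue, "chaddr": client, "yiaddr": "10.0.0.99"}),
        sw.dhcp_packet({"port": "Eth 1/3", "vlan": 1, "type": "REQUEST", "src_mac": "00:de:ad:be:ef:00", "chaddr": client}),
        sw.dhcp_packet({"port": "Eth 1/1", "vlan": 1, "type": "ACK", "src_mac": server, "chaddr": client, "yiaddr": "192.168.1.54"}),
        sw.ip_packet({"port": "Eth 1/3", "vlan": 1, "src_ip": "192.168.1.54", "src_mac": client}),
        sw.ip_packet({"port": "Eth 1/3", "vlan": 1, "src_ip": "192.168.1.200", "src_mac": client}),
        sw.ip_packet({"port": "Eth 1/3", "vlan": 1, "src_ip": "192.168.1.54", "src_mac": "00:de:ad:be:ef:00"}),
    ]
    return log, sw.bindings
```

    Running demo() shows the rogue OFFER on Eth 1/4 dropped and creating no binding, the REQUEST whose Ethernet source differs from its chaddr dropped by MAC verification, a dynamic binding for 192.168.1.54 installed on Eth 1/3 once the trusted server's ACK arrives, and source guard then dropping both a self-assigned address and the leased address sent from a different MAC. With the IP-only mode the last packet would be forwarded, which is the reason to prefer the IP-plus-MAC check on access ports.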
  • Page 635: Ip Dhcp Snooping Information Policy

    DHCP Snooping Commands ip dhcp snooping information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy <drop | keep | replace> • drop - Discards the Option 82 information in a packet and then floods it to the entire VLAN.
  • Page 636: Show Ip Dhcp Snooping

    Command Line Interface show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable Interface Trusted ----------...
  • Page 637: Cluster

    Switch Cluster Commands Table 4-89 Switch Cluster Commands
     cluster member - Sets Candidate switches as cluster members (page 4-331)
     rcommand - Provides configuration access to Member switches (page 4-331)
     show cluster - Displays the switch clustering status (page 4-332)
     show cluster members - Displays current cluster Members (page 4-332)
     show cluster candidates - Displays current cluster Candidates in the network...
  • Page 638: Cluster Ip-Pool

    Command Line Interface Command Mode Global Configuration Command Usage • Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
  • Page 639: Cluster Member

    Switch Cluster Commands cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. Syntax cluster member mac-address <mac-address> id <member-id> no cluster member id <member-id> mac-address - The MAC address of the Candidate switch. member-id - The ID number to assign to the Member switch.
  • Page 640: Show Cluster

    Command Line Interface show cluster This command shows the switch clustering configuration. Command Mode Privileged Exec Example
    Console#show cluster
    Role: commander
    Interval heartbeat:
    Heartbeat loss count: 3
    Number of Members:
    Number of Candidates: 2
    Console#
    show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example...
  • Page 641: Upnp Commands

    UPnP Commands Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this with device control protocols built on open, Internet-based communication standards.
  • Page 642: Upnp Device Ttl

    Command Line Interface upnp device ttl This command sets the time-to-live (TTL) value for sending of UPnP messages from the device. Syntax upnp device ttl {value} • value - The number of router hops a UPnP packet can travel before it is discarded.
  • Page 643: Show Upnp

    UPnP Commands Related Commands upnp device ttl (4-334) show upnp This command displays the UPnP management status and time out settings. Command Mode Privileged Exec Example Console#show upnp UPnP global settings: Status: Enabled Advertise duration: TTL: Console# 4-335...
  • Page 645: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features
     Authentication: Local, RADIUS, TACACS, Port (802.1X, MAC Authentication, Web Authentication), HTTPS, SSH, Port Security
     Access Control Lists: IP, MAC; 100 rules per system
     Power over Ethernet
     DHCP Client
     Port Configuration: 100BASE-TX: 10/100 Mbps, half/full duplex; 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LH: 1000 Mbps at full duplex (SFP)
     Flow Control...
  • Page 646: Management Features

    Software Specifications
     Multicast Filtering: IGMP Snooping (Layer 2), Multicast VLAN Registration
     Quality of Service: DiffServ supports class maps, policy maps, and service policies
     Additional Features: BOOTP client, SNTP (Simple Network Time Protocol), SNMP (Simple Network Management Protocol), RMON (Remote Monitoring, groups 1,2,3,9), SMTP Email Alerts, DHCP Snooping, IP Source Guard...
  • Page 647: Management Information Bases

    Management Information Bases
     HTTPS
     IGMP (RFC 1112)
     IGMPv2 (RFC 2236)
     RADIUS+ (RFC 2618)
     RMON (RFC 1757 groups 1,2,3,9)
     SNMP (RFC 1157)
     SNMPv2 (RFC 2571)
     SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415)
     SNTP (RFC 2030)
     SSH (Version 2.0)
     TFTP (RFC 1350)
    Management Information Bases
     Bridge MIB (RFC 1493)
     Differentiated Services MIB (RFC 3289)
  • Page 649: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software
    Action:
     • Be sure the switch is powered up.
     • Check network cabling between the management station and the switch.
     •...
  • Page 650: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 651: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device’s system files, and the name of the boot file.
  • Page 652 Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so...
  • Page 653: Link Aggregation

    Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
  • Page 654: Multicast Switching

    Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
  • Page 655 Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
  • Page 656 Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
  • Page 657: Index

    Symbols
      3-58
    Numerics
      802.1Q tunnel 3-175, 4-233
        configuration, guidelines 3-178
        configuration, limitations 3-177
        description 3-175
        ethernet type 3-179...
    authentication
      MAC 3-101
      MAC address auth 3-95
      MAC, configuring ports 3-101
      network access 3-95
      public key 3-75
      web 3-90
      web auth for ports, configuring 3-92
      web auth port info, displaying 3-93
      web auth, re-authenticating
  • Page 658
    default settings, system 1-6
    DHCP 3-18, 4-314, 4-333, 4-334
      client 3-16
      dynamic configuration 2-5
    DHCP snooping
      global configuration 4-322, 4-329
      specifying trusted interfaces 4-325
      verifying MAC addresses 4-325, 4-326, 4-327
    firmware
      displaying version 3-13, 4-82
      upgrading 3-20, 4-84
    GARP VLAN Registration Protocol See GVRP
    gateway, default 3-16, 4-315
    GVRP...
  • Page 659
      settings 4-304–4-305
      groups, displaying 3-227, 4-295
      immediate leave, status 3-223
      Layer 2 3-220, 4-291
      query 3-220, 4-296
      query, Layer 2 3-222, 4-296
      snooping 3-220, 4-292
    Link Layer Discovery Protocol See LLDP
    link type, STA 3-154, 3-156, 3-158, 3-160, 3-163, 4-212, 4-213, 4-214
    LLDP 3-189
      device statistics detail, displaying 3-198...
  • Page 660
    logon authentication, sequence 3-55, 4-91, 4-92
    logon authentication, settings 3-55
    MAC address authentication 3-95, 4-121
      ports, configuring 3-97
      reauthentication 3-96
    MAC authentication 3-101
      packet filtering 3-102
      ports, configuring 3-101...
    network access
      authentication 3-95, 4-121
      dynamic VLAN assignment 4-125
      port configuration 3-97
      reauthentication 3-96, 4-128
      secure MAC information 3-99, 4-130
  • Page 661
    priority, default port ingress 3-199, 4-269
    private key 3-74
    private VLANs, configuring 3-181, 3-182, 3-183, 4-237
    private VLANs, displaying 3-182
    problems, troubleshooting B-1
    promiscuous ports 3-181, 4-236
    protocol migration 3-156, 4-217...
    secure shell 3-74, 4-45
      configuration 3-74, 4-48
    serial port
      configuring 4-10
    show dot1q-tunnel 4-236
    Simple Network Management Protocol See SNMP
  • Page 662
    startup files
      creating 3-22
      displaying 3-20, 4-77
      setting 3-20, 4-89
    static addresses, setting 3-140, 4-196
    statistics
      port 3-131, 4-174
    STP 3-148, 4-200
    STP Also see STA
    summary, accounting 3-67
    upgrading software 3-20
    UPnP 3-254
      configuration 3-254
    user password 3-52, 3-61, 3-62, 3-64, 3-65, 3-67, 4-37, 4-38
    VLANs 3-163–3-199, 4-219–4-220...
  • Page 664
    Information on Technical Support at www.smc.com
    SWEDISH
    Information on Technical Support is available at www.smc.com
    INTERNET
    E-mail address: techsupport@smc.com
    Driver updates: http://www.smc.com/index.cfm?action=tech_support_drivers_downloads
    World Wide Web: http://www.smc.com/

    SMC6128PL2 149100032800A R04
    20 Mason • Irvine, CA 92618 • Phn: 949-679-8000 • www.smc.com