SMC Networks 7824M/FSW - annexe 1 Management Manual

Fast ethernet switch

TigerAccess
10/100
Fast Ethernet Switch
◆ 24 100BASE-BX Single-Fiber Ports
◆ 2 10/100/1000BASE-T ports shared with SFP slots
◆ 2 module slots for shared 1000BASE-T port / SFP slot
◆ Non-blocking switching architecture
◆ Spanning Tree Protocol, RSTP and MSTP
◆ Up to 12 LACP or static 8-port trunks
◆ Layer 2/3/4 CoS support through eight priority queues
◆ Layer 3/4 traffic priority with IP Precedence and IP DSCP
◆ Full support for VLANs with GVRP
◆ IGMP multicast filtering and snooping
◆ Support for jumbo frames up to 9 KB
◆ Manageable via console, Web, SNMP/RMON
◆ Security features: ACL, RADIUS, 802.1X

Management Guide

SMC7824M/FSW


Summary of Contents for SMC Networks 7824M/FSW - annexe 1

  • Page 1: Management Guide

    TigerAccess™ 10/100 Fast Ethernet Switch ◆ 24 100BASE-BX Single-Fiber Ports ◆ 2 10/100/1000BASE-T ports shared with SFP slots ◆ 2 module slots for shared 1000BASE-T port / SFP slot ◆ Non-blocking switching architecture ◆ Spanning Tree Protocol, RSTP and MSTP ◆...
  • Page 3 TigerAccess™ 10/100 Management Guide. From SMC’s Tiger line of feature-rich workgroup LAN solutions. SMC Networks, 38 Tesla, Irvine, CA 92618. Phone: (949) 679-8000. December 2006. Pub. # 150200058800A...
  • Page 4 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
  • Page 5 All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
  • Page 6 RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
  • Page 7: Table Of Contents

    TABLE OF CONTENTS Section I Getting Started Introduction ........1-1 Key Features .
  • Page 8 TABLE OF CONTENTS Main Menu ......... . 3-5 Basic Management Tasks .
  • Page 9 TABLE OF CONTENTS Configuring Remote SNMPv3 Users ..... 5-15 Configuring SNMPv3 Groups ......5-18 Setting SNMPv3 Views .
  • Page 10 TABLE OF CONTENTS Creating Trunk Groups ........9-8 Statically Configuring a Trunk .
  • Page 11 TABLE OF CONTENTS Configuring Private VLANs ....... . 12-25 Enabling Private VLANs ......12-25 Configuring Uplink and Downlink Ports .
  • Page 12 TABLE OF CONTENTS Displaying Port Members of Multicast Groups ... 15-19 Assigning Static Multicast Groups to Interfaces ... 15-20 Domain Name Service ......16-1 Configuring General DNS Service Parameters .
  • Page 13 TABLE OF CONTENTS prompt ..........18-6 end .
  • Page 14 TABLE OF CONTENTS speed ..........19-32 stopbits .
  • Page 15 TABLE OF CONTENTS snmp-server engine-id ........20-10 show snmp engine-id .
  • Page 16 TABLE OF CONTENTS ip ssh timeout ........21-25 ip ssh authentication-retries .
  • Page 17 TABLE OF CONTENTS ip dhcp snooping binding ......22-14 ip dhcp snooping verify mac-address ....22-16 ip dhcp snooping database flash .
  • Page 18 TABLE OF CONTENTS flowcontrol ..........24-7 media-type .
  • Page 19 TABLE OF CONTENTS spanning-tree mode ........29-4 spanning-tree forward-time .
  • Page 20 TABLE OF CONTENTS interface vlan ........30-9 switchport mode .
  • Page 21 TABLE OF CONTENTS map ip precedence (Interface Configuration) ... . . 31-13 map ip dscp (Global Configuration) ....31-14 map ip dscp (Interface Configuration) .
  • Page 22 TABLE OF CONTENTS Multicast VLAN Registration Commands ..... 33-15 mvr (Global Configuration) ......33-16 mvr (Interface Configuration) .
  • Page 23 TABLE OF CONTENTS Section IV Appendices Software Specifications ......A-1 Software Features ......... . . A-1 Management Features .
  • Page 24: Table Of Contents

    TABLE OF CONTENTS xxiv...
  • Page 25 TABLES Table 1-1 Key Features ........1-1 Table 1-2 System Defaults .
  • Page 26 TABLES Table 19-11 show logging flash/ram - display description ..19-43 Table 19-12 show logging trap - display description ....19-43 Table 19-13 SMTP Alert Commands .
  • Page 27 TABLES Table 26-1 Mirror Port Commands ......26-1 Table 27-1 Rate Limit Commands ......27-1 Table 27-2 Mapping Default to Per Port CoS Priority Levels .
  • Page 28 TABLES xxviii...
  • Page 29 FIGURES Figure 3-1 Home Page ........3-3 Figure 3-2 Front Panel Indicators .
  • Page 30 FIGURES Figure 6-4 SSH Host-Key Settings ......6-15 Figure 6-5 SSH Server Settings ....... 6-17 Figure 6-6 802.1X Global Information .
  • Page 31 FIGURES Figure 11-7 MSTP Port Configuration ..... . . 11-28 Figure 12-1 Globally Enabling GVRP ......12-5 Figure 12-2 VLAN Basic Information .
  • Page 32 FIGURES Figure 16-3 DNS Cache ........16-7 xxxii...
  • Page 33: Section I Getting Started

    SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. Introduction ..........1-1 Initial Configuration .
  • Page 34 GETTING STARTED...
  • Page 35: Introduction

    CHAPTER 1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 36: Table 1-1 Key Features

    KEY FEATURES Table 1-1 Key Features (Continued), Feature – Description: Rate Limiting – Input and output rate limiting per port; input rate limiting per port per CoS value. Port Mirroring – Single session, one source port to one analysis port. Port Trunking – Supports up to 12 trunks per unit, using either static or dynamic trunking (LACP). Storm Control – Broadcast and multicast storm control...
  • Page 37: Description Of Software Features

    INTRODUCTION Description of Software Features The switch provides a wide range of advanced performance-enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration, provide traffic security and efficient use of network bandwidth.
  • Page 38 DESCRIPTION OF SOFTWARE FEATURES Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
  • Page 39 INTRODUCTION Storm Control – Broadcast and multicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted. If traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
  • Page 40 DESCRIPTION OF SOFTWARE FEATURES this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
  • Page 41 INTRODUCTION • Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured. •...
  • Page 42: System Defaults

    SYSTEM DEFAULTS to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic. IEEE 802.1Q Tunneling (QinQ) – This feature is designed for service providers carrying traffic for multiple customers across their networks.
  • Page 43 INTRODUCTION Table 1-2 System Defaults (Continued), Authentication: Privileged Exec Level – username “admin”, password “admin”; Normal Exec Level – username “guest”, password “guest”; Enable Privileged Exec from Normal Exec Level – password “super”; RADIUS Authentication – Disabled; TACACS Authentication – Disabled; 802.1X Port Authentication – Disabled; HTTPS – Enabled... These are the factory credentials and are identical on every unit; change all three passwords before the switch is reachable over the network (see “Setting Passwords”).
  • Page 44 SYSTEM DEFAULTS Table 1-2 System Defaults (Continued), Port Configuration: Admin Status – Enabled; Auto-negotiation – Enabled; Flow Control – Disabled. Rate Limiting: Input and output limits – Disabled; Input limit per port per CoS value – Disabled. Port Trunking: Static Trunks – None; LACP (all ports) – Disabled. Storm Protection...
  • Page 45 INTRODUCTION Table 1-2 System Defaults (Continued), Traffic Prioritization: Ingress Port Priority; Queue Mode – Weighted Round Robin; Queue weights – queue 0: 1, queue 1: 2, queue 2: 4, queue 3: 6, queue 4: 8, queue 5: 10, queue 6: 12, queue 7: 14; IP Precedence Priority – Disabled; IP DSCP Priority – Disabled...
  • Page 46 SYSTEM DEFAULTS 1-12...
  • Page 47: Initial Configuration

    CHAPTER 2 INITIAL CONFIGURATION Connecting to the Switch – Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 48: Required Connections

    CONNECTING TO THE SWITCH The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions: • Set user names and passwords • Set an IP interface for a management VLAN • Configure SNMP parameters •...
  • Page 49 INITIAL CONFIGURATION To connect a terminal to the console port, complete the following steps: 1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector. 2.
  • Page 50: Remote Connections

    BASIC CONFIGURATION Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP. An IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 51: Setting Passwords

    INITIAL CONFIGURATION Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1.
  • Page 52: Setting An Ip Address

    BASIC CONFIGURATION 4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password (the 0 indicates that the password is being entered in plain text). Press <Enter>. Username: admin Password: CLI session with the TigerAccess 10/100 is opened. To end the CLI session, enter [Exit].
    Console#configure
    Console(config)#username guest password 0 [password]...
  • Page 53: Dynamic Configuration

    INITIAL CONFIGURATION Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Network mask for this network • Default gateway for the network To assign an IP address to the switch, complete the following steps: 1.
  • Page 54 BASIC CONFIGURATION To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. 2.
  • Page 55: Enabling Snmp Management Access

    INITIAL CONFIGURATION Enabling SNMP Management Access The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
  • Page 56: Trap Receivers

    BASIC CONFIGURATION To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. The community string is the only access control these protocol versions offer, and it travels in cleartext in every request, so treat it as a shared password rather than a label. To configure a community string, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,”...
  • Page 57: Configuring Access For Snmp Version 3 Clients

    INITIAL CONFIGURATION Then press <Enter>. For a more detailed description of these parameters, see “snmp-server host” on page 20-6. The following example creates a trap host for each type of SNMP client.
    Console(config)#snmp-server host 10.1.19.23 batman
    Console(config)#snmp-server host 10.1.19.98 robin version 2c
    Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
    Console(config)#
    Configuring Access for SNMP Version 3 Clients...
  • Page 58: Managing System Files

    MANAGING SYSTEM FILES Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 59: Saving Configuration Settings

    INITIAL CONFIGURATION In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
  • Page 60 MANAGING SYSTEM FILES To save the current configuration settings, enter the following command: 1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. 2. Enter the name of the start-up file. Press <Enter>.
    Console#copy running-config startup-config
    Startup configuration file name []: startup
    Write to FLASH Programming.
  • Page 61 SECTION II SWITCH MANAGEMENT This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and a brief example for the Command Line Interface. Configuring the Switch ........3-1 Basic Management Tasks .
  • Page 62 SWITCH MANAGEMENT...
  • Page 63: Configuring The Switch

    CHAPTER 3 CONFIGURING THE SWITCH Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
  • Page 64 CONFIGURING THE SWITCH Notes: 1. You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated. 2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password.
  • Page 65: Navigating The Web Browser Interface

    NAVIGATING THE WEB BROWSER INTERFACE Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password “admin” is used for the administrator.
  • Page 66: Configuration Options

    CONFIGURING THE SWITCH Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 67: Main Menu

    NAVIGATING THE WEB BROWSER INTERFACE Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Switch Main Menu, Menu – Description (Page)...
  • Page 68 CONFIGURING THE SWITCH Table 3-2 Switch Main Menu (Continued): Remote Logs – Configures the logging of messages to a remote logging process (4-29); SMTP – Sends an SMTP client message to a participating server (4-32); Reset – Restarts the switch (4-34); SNTP (4-35)...
  • Page 69 NAVIGATING THE WEB BROWSER INTERFACE Table 3-2 Switch Main Menu (Continued): Port Security – Configures per-port security, including status, response for security breach, and maximum allowed MAC addresses; 802.1X – Port authentication (6-19); Information – Displays global configuration settings (6-21); Configuration – Configures global configuration parameters (6-22)...
  • Page 70 CONFIGURING THE SWITCH Table 3-2 Switch Main Menu (Continued): Port Neighbors Information – Displays settings and operational state for the remote side (9-21); Port Broadcast Control – Sets the broadcast storm threshold for each port (9-23); Trunk Broadcast Control – Sets the broadcast storm threshold for each trunk (9-23); Mirror Port – Sets the source and target ports for mirroring...
  • Page 71 NAVIGATING THE WEB BROWSER INTERFACE Table 3-2 Switch Main Menu (Continued): MSTP VLAN Configuration – Configures priority and VLANs for a spanning tree instance (11-21); Port Information – Displays port settings for a specified MST instance (11-24); Trunk Information – Displays trunk settings for a specified MST instance (11-24); Port Configuration – Configures port settings for a specified MST instance (11-26)...
  • Page 72 CONFIGURING THE SWITCH Table 3-2 Switch Main Menu (Continued): Priority (13-1); Default Port Priority – Sets the default priority for each port (13-1); Default Trunk Priority – Sets the default priority for each trunk (13-1); Traffic Classes – Maps IEEE 802.1p priority tags to output queues (13-3); Traffic Classes Status – Enables/disables traffic class priorities (not...
  • Page 73 NAVIGATING THE WEB BROWSER INTERFACE Table 3-2 Switch Main Menu (Continued): Static Multicast Router Port Configuration – Assigns ports that are attached to a neighboring multicast router (15-8); IP Multicast Registration Table – Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID (15-9)...
  • Page 74 CONFIGURING THE SWITCH 3-12...
  • Page 75: Basic Management Tasks

    CHAPTER 4 BASIC MANAGEMENT TASKS This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 76: Figure 4-1 System Information

    BASIC MANAGEMENT TASKS • Web Secure Server Port – Shows the TCP port used by the HTTPS interface. • Telnet Server – Shows if management access via Telnet is enabled. • Telnet Server Port – Shows the TCP port used by the Telnet interface. •...
  • Page 77 DISPLAYING SYSTEM INFORMATION CLI – Specify the hostname, location and contact information.
    Console(config)#hostname R&D 5
    Console(config)#snmp-server location WC 9
    Console(config)#snmp-server contact Ted
    Console(config)#exit
    Console#show system
    System Description: 24 port 100FX FTTH Metro Access Switch with 2 Combo ports and 2 module slots
    System OID String: 1.3.6.1.4.1.202.20.64
    System Information
    System Up Time:...
  • Page 78: Configuring The Switch For Normal Operation Or Tunneling Mode

    BASIC MANAGEMENT TASKS Configuring the Switch for Normal Operation or Tunneling Mode The system can be configured to operate in normal mode or IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. Command Attributes System Mode –...
  • Page 79: Configuring The Maximum Frame Size

    CONFIGURING THE MAXIMUM FRAME SIZE CLI – This example sets the switch to operate in QinQ mode.
    Console(config)#system mode qinq
    Console(config)#exit
    Console#show system mode
    System mode is QinQ mode
    Console#
    Configuring the Maximum Frame Size The maximum transfer unit (or frame size) for traffic crossing the switch should be set to minimize unnecessary fragmentation and maximize the transfer of large sequential data streams.
  • Page 80 BASIC MANAGEMENT TASKS Command Attributes • System MTU (1500-1548) – Specifies the MTU size for Fast Ethernet ports. (Range: 1500-1548 bytes) • Jumbo (1500-9216) – Specifies the jumbo frame size (MTU) for Gigabit Ethernet ports. (Range: 1500-9216 bytes) Web – Click System, System MTU. Set the maximum frame size for Fast Ethernet and Gigabit Ethernet ports, then click Apply.
  • Page 81: Configuring Support For Jumbo Frames

    CONFIGURING SUPPORT FOR JUMBO FRAMES Configuring Support for Jumbo Frames The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes for Gigabit Ethernet. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 82 BASIC MANAGEMENT TASKS Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 83: Displaying Switch Hardware/Software Versions

    DISPLAYING SWITCH HARDWARE/SOFTWARE VERSIONS Web – Click System, Switch Information. Figure 4-5 Switch Information CLI – Use the following command to display version information.
    Console#show version
    Unit 1
    Serial Number: 0000E8900000
    Hardware Version:
    EPLD Version: 0.01
    Number of Ports:
    Agent (Master) Unit ID:
    Loader Version:...
  • Page 84: Displaying Bridge Extension Capabilities

    BASIC MANAGEMENT TASKS Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 85: Figure 4-6 Displaying Bridge Extension Configuration

    DISPLAYING BRIDGE EXTENSION CAPABILITIES Web – Click System, Bridge Extension. Figure 4-6 Displaying Bridge Extension Configuration CLI – Enter the following command.
    Console#show bridge-ext
    Max support VLAN numbers:
    Max support VLAN ID: 4094
    Extended multicast filtering services: No
    Static entry individual port:
    VLAN learning:
    Configurable PVID tagging:
    Local VLAN capable:...
  • Page 86: Setting The Switch's Ip Address

    BASIC MANAGEMENT TASKS Setting the Switch’s IP Address This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings to values that are compatible with your network.
  • Page 87: Manual Configuration

    SETTING THE SWITCH’S IP ADDRESS • MAC Address – The physical layer address for this switch. Manual Configuration Web – Click System, System, IP Configuration. Select the VLAN through which the management station is attached. Enter the IP address, subnet mask and gateway, then click Apply.
  • Page 88: Using Dhcp/Bootp

    BASIC MANAGEMENT TASKS Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP.
  • Page 89: Managing Firmware

    MANAGING FIRMWARE Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
  • Page 90: Downloading System Software From A Server

    BASIC MANAGEMENT TASKS • File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
  • Page 91: Figure 4-10 Setting The Startup Code

    MANAGING FIRMWARE If you download to a new destination file, go to the File Management, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu.
  • Page 92: Saving Or Restoring Configuration Settings

    BASIC MANAGEMENT TASKS CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” (operation code) as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.
  • Page 93 SAVING OR RESTORING CONFIGURATION SETTINGS - running-config to startup-config – Copies the running config to the startup config. - running-config to tftp – Copies the running configuration to a TFTP server. - startup-config to file – Copies the startup configuration to a file on the switch.
  • Page 94: Downloading Configuration Settings From A Server

    BASIC MANAGEMENT TASKS Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg”...
  • Page 95: Figure 4-13 Setting The Startup Configuration Settings

    SAVING OR RESTORING CONFIGURATION SETTINGS If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu. You can also select any configuration file as the start-up configuration by using the System/File Management/Set Start-Up page.
  • Page 96: Console Port Settings

    BASIC MANAGEMENT TASKS Console Port Settings You can access the onboard configuration program by attaching a VT100-compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the web or CLI interface.
  • Page 97: Figure 4-14 Configuring The Console Port

    CONSOLE PORT SETTINGS device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto) • Stop Bits – Sets the number of stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit) • Password –...
  • Page 98 BASIC MANAGEMENT TASKS CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
    Console(config)#line console
    Console(config-line)#login local
    Console(config-line)#password 0 secret...
  • Page 99: Telnet Settings

    TELNET SETTINGS • Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds) •...
  • Page 100: Figure 4-15 Configuring The Telnet Interface

    BASIC MANAGEMENT TASKS Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 4-15 Configuring the Telnet Interface CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
  • Page 101: Configuring Event Logging

    CONFIGURING EVENT LOGGING Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and displays a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 102: Figure 4-16 System Logs

    BASIC MANAGEMENT TASKS Table 4-1 Logging Levels (Continued), Level / Severity Name – Description: 4 Warning – Warning conditions (e.g., return false, unexpected return); 3 Error – Error conditions (e.g., invalid input, default used); 2 Critical – Critical conditions (e.g., memory allocation, or free memory error - resource exhausted); 1 Alert – Immediate action needed; 0 Emergency...
  • Page 103: Remote Log Configuration

    CONFIGURING EVENT LOGGING CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
    Console(config)#logging on
    Console(config)#logging history ram 0
    Console(config)#
    Console#show logging ram...
  • Page 104: Figure 4-17 Remote Logs

    BASIC MANAGEMENT TASKS • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add.
  • Page 105: Displaying Log Messages

    CONFIGURING EVENT LOGGING CLI – Enter the syslog server host IP address, choose the facility type (23 is syslog facility local7) and set the logging trap level; “logging trap 4” forwards messages of severity 4 (Warning) and anything more severe, and drops Notice, Informational and Debug.
    Console(config)#logging host 10.1.0.9
    Console(config)#logging facility 23
    Console(config)#logging trap 4
    Console(config)#logging trap
    Console(config)#exit
    Console#show logging trap
    Syslog logging: Enabled
    REMOTELOG status:...
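The facility and trap-level settings above decide which events reach the syslog server and how they are tagged on the wire. The following Python is an added example, not code from the manual or the switch firmware: it computes the syslog PRI value the switch would emit for facility 23, parses it back on the receiving side, and emulates the “logging trap <level>” cut-off over a few sample events. The two informational entries mirror the link-up notifications shown in the manual’s show log ram output; the other sample messages and all function names are this example’s own.

```python
"""Syslog PRI encoding and the `logging trap <level>` filter (added example).

Not from the SMC manual: it models what the switch does with
`logging facility 23` and `logging trap 4`, using constructed sample events.
"""
import re
from dataclasses import dataclass

# Syslog severities (RFC 3164 / RFC 5424); the manual's Table 4-1 uses the same scale.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}
# Facility codes 16..23 are local0..local7, so `logging facility 23` selects local7.
FACILITY_NAMES = {16 + n: f"local{n}" for n in range(8)}


@dataclass(frozen=True)
class SyslogMessage:
    facility: int
    severity: int
    text: str

    @property
    def pri(self) -> int:
        """PRI as carried on the wire: facility * 8 + severity."""
        return self.facility * 8 + self.severity

    def wire(self) -> str:
        """Serialize in the classic <PRI>text form."""
        return f"<{self.pri}>{self.text}"


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog_line(line: str) -> SyslogMessage:
    """Decode the <PRI> prefix of a received line back into facility, severity and text."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:          # 191 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return SyslogMessage(facility, severity, m.group(2))


def forwarded_to_server(events, trap_level: int, facility: int = 23):
    """Emulate `logging trap <level>`: only events whose severity number is
    <= trap_level (i.e. at least that serious) are sent to the syslog host."""
    return [SyslogMessage(facility, sev, text)
            for sev, text in events if sev <= trap_level]


# Constructed sample events as (severity, text). The two level-6 entries mirror the
# link-up notifications in the manual's `show log ram` output; the rest are invented
# for this example and are not real switch messages.
SAMPLE_EVENTS = [
    (6, "VLAN 1 link-up notification."),
    (6, "Unit 1, Port 1 link-up notification."),
    (4, "constructed: spanning-tree topology change"),
    (2, "constructed: memory allocation failure"),
    (1, "constructed: fan failure, immediate action needed"),
]


def describe(msg: SyslogMessage) -> str:
    """Human-readable breakdown of a decoded message, for the demo below."""
    return (f"PRI={msg.pri} facility={FACILITY_NAMES.get(msg.facility, msg.facility)} "
            f"severity={SEVERITY_NAMES[msg.severity]}: {msg.text}")


if __name__ == "__main__":
    for m in forwarded_to_server(SAMPLE_EVENTS, trap_level=4):
        line = m.wire()                    # what the switch would put on the wire
        print(line, "->", describe(parse_syslog_line(line)))
```

With trap level 4 only the warning, critical and alert events are forwarded; raising the level to 7 forwards all five, and level 0 forwards only emergencies. On the collector side, a PRI of 190 decodes to facility 23 and severity 6, which is how a SIEM rule can key on “local7 from this switch” without parsing the message text.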
  • Page 106: Sending Simple Mail Transfer Protocol Alerts

    BASIC MANAGEMENT TASKS CLI – This example shows the event messages stored in RAM.
    Console#show log ram
    [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
    [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...
  • Page 107: Figure 4-19 Enabling And Configuring Smtp Alerts

    CONFIGURING EVENT LOGGING Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add.
  • Page 108: Resetting The System

    BASIC MANAGEMENT TASKS CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 109: Setting The System Clock

    ETTING THE YSTEM LOCK CLI – Use the reload command to restart the switch. Console#reload 18-5 System will be restarted, continue <y/n>? Note: When restarting the system, it will always run the Power-On Self-Test. Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP).
  • Page 110: Figure 4-21 Sntp Configuration

    ASIC ANAGEMENT ASKS • SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence. Web –...
  • Page 111: Setting The Time Zone

    ETTING THE YSTEM LOCK Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 112 ASIC ANAGEMENT ASKS 4-38...
  • Page 113: Simple Network Management Protocol

    Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 114: Table 5-1 Snmpv3 Security Models And Levels

    Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels.
  • Page 115 Table 5-1 SNMPv3 Security Models and Levels (Continued)
      Model  Level       Group         Read View     Write View    Notify View   Security
      v3     AuthNoPriv  user defined  user defined  user defined  user defined  Provides user authentication via MD5 or SHA algorithms
      v3     AuthPriv    user defined  user defined  user defined  user defined  Provides user...
  • Page 116: Enabling The Snmp Agent

    Enabling the SNMP Agent
    Enables the SNMP agent for all management clients (i.e., versions 1, 2c, 3). Command Attributes: SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply.
  • Page 117: Figure 5-2 Configuring Snmp Community Strings

    • Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: "public" (read-only access), "private" (read/write access). Range: 1-32 characters, case sensitive. The default strings are universally known and should be replaced before the agent is enabled; note also that v1/v2c community strings cross the network in clear text. • Access Mode – Specifies the access rights for the community string: - Read-Only –...
  • Page 118: Specifying Trap Managers And Trap Types

    Specifying Trap Managers and Trap Types
    Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 119 To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 5-4). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 5-24). 4. ...
  • Page 120 • Trap Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used) - Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
  • Page 121: Figure 5-3 Configuring Snmp Trap Managers

    Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), and trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
  • Page 122 Configuring SNMPv3 Management Access. To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, do so before configuring other SNMP parameters. 2. Specify read and write access views for the switch MIB tree. 3. ...
  • Page 123: Configuring Snmpv3 Management Access

    Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 64 hexadecimal characters and then click Save. Figure 5-4 Setting the SNMPv3 Engine ID. CLI – This example sets an SNMPv3 engine ID.
      Console(config)#snmp-server engine-id local 12345abcdef
      Console(config)#exit...
  • Page 124: Configuring Snmpv3 Users

    Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 64 hexadecimal characters and then click Save. Figure 5-5 Setting an Engine ID. CLI – This example specifies a remote SNMPv3 engine ID.
      Console(config)#snmp-server engine-id remote 54321 192.168.1.19
      Console(config)#exit...
  • Page 125 - AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model). • Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) • Authentication Password – A minimum of eight plain text characters is required. MD5 or SHA authentication with 56-bit DES privacy is the strongest combination this switch offers; both are weak by current standards, so keep SNMP reachable only from the management network.
  • Page 126: Figure 5-6 Configuring Snmpv3 Users

    Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 127: Configuring Remote Snmpv3 Users

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
      Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien
      Console(config)#exit
      Console#show snmp user
      EngineId: 80000034030001f488f5200000
      User Name: chris...
  • Page 128 • Security Model – The user security model: SNMP v1, v2c or v3. (Default: v1) • Security Level – The security level used for the user: - noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 129: Figure 5-7 Configuring Remote Snmpv3 Users

    Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 130: Configuring Snmpv3 Groups

    CLI – Use the snmp-server user command with the remote keyword to configure a user on a remote engine and assign it to a group. As the output shows, the remote user is not listed by show snmp user on this switch.
      Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
      Console(config)#exit
      Console#show snmp user
      No user exist.
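The engine ID set on pages 123-124 is more than a label: under the SNMPv3 User-based Security Model (RFC 3414) an engine never stores the authentication and privacy passwords themselves, only keys localized to its own engine ID, which is why a user for a remote engine (page 130) has to be tied to that engine's ID. The following Python, added here as an example rather than taken from the manual, implements the RFC 3414 password-to-key and key-localization steps and checks them against the RFC's published "maplesyrup" test vector. The engine ID 80000034030001f488f5200000 and the password "greenpeace" are the ones shown in the CLI examples above; the eight-character minimum matches the requirement on page 125.

```python
import hashlib

PASSWORD_STRETCH_LEN = 1_048_576   # RFC 3414 A.2: hash exactly 1 MiB of repeated password


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku: the engine-independent key derived from a password (RFC 3414 A.2)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(PASSWORD_STRETCH_LEN, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])        # password repeated to exactly 1 MiB
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku); only this value lives on the engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id_hex: str, hash_name: str = "md5") -> bytes:
    """Localized USM key for (password, engine) using the switch's MD5 or SHA option."""
    if len(password) < 8:
        raise ValueError("SNMPv3 auth/priv passwords must be at least 8 characters")
    if hash_name not in ("md5", "sha1"):
        raise ValueError("this switch offers MD5 or SHA only")
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# RFC 3414 appendix A test vector (password and engine ID from the RFC).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"

# Engine ID printed by "show snmp user" on the page above.  The same password
# localizes to a different key here, so a user meant for a remote engine must
# be created against that engine's ID, as on page 130.
SWITCH_ENGINE_ID = "80000034030001f488f5200000"


def demo() -> dict:
    return {
        "md5_rfc": usm_localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex(),
        "sha_rfc": usm_localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1").hex(),
        "md5_switch": usm_localized_key("greenpeace", SWITCH_ENGINE_ID, "md5").hex(),
        "md5_rfc_engine": usm_localized_key("greenpeace", RFC_ENGINE_ID, "md5").hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the derivation: changing the local engine ID after users exist invalidates every stored localized key (the reason step 1 on page 122 says to set the engine ID first), and a leaked localized key is only useful against that one engine, whereas a leaked password works everywhere it is reused.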
  • Page 131: Table 5-2 Supported Notification Messages

    • Notify View – The configured view for notifications. (Range: 1-64 characters)
    Table 5-2 Supported Notification Messages
      Object Label   Object ID           Description
      RFC 1493 Traps
      newRoot        1.3.6.1.2.1.17.0.1  The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree;...
  • Page 132 Table 5-2 Supported Notification Messages (Continued)
      Object Label   Object ID            Description
      linkDown       1.3.6.1.6.3.1.1.5.3  A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the...
  • Page 133 Table 5-2 Supported Notification Messages (Continued)
      Object Label   Object ID           Description
      RMON Events (V2)
      risingAlarm    1.3.6.1.2.1.16.0.1  The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps.
  • Page 134 Table 5-2 Supported Notification Messages (Continued)
      Object Label                  Object ID                          Description
      swThermalRisingNotification   1.3.6.1.4.1.202.20.64.90.2.1.0.58  This trap is sent when the temperature exceeds the switchThermalActionRisingThreshold.
      swThermalFallingNotification  1.3.6.1.4.1.202.20.64.90.2.1.0.59  This trap is sent when the temperature falls below the switchThermalActionFallingThreshold.
  • Page 135: Figure 5-8 Configuring Snmpv3 Groups

    Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list.
  • Page 136: Setting Snmpv3 Views

    CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
      Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview
      Console(config)#exit
      Console#show snmp group...
  • Page 137: Figure 5-9 Configuring Snmpv3 Views

    Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
  • Page 138 CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
      Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
      Console(config)#exit
      Console#show snmp view
      View Name: ifEntry.a
      Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
  • Page 139: User Authentication

    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 140: Figure 6-1 User Accounts

    Command Attributes • Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest) • New Account – Displays configuration settings for a new account. - User Name – The name of the user. (Maximum length: 8 characters;...
  • Page 141: Configuring Local/Remote Logon Authentication

    CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password. The 0 before the password indicates that it is entered in plain text.
      Console(config)#username bob access-level 15
      Console(config)#username bob password 0 smith
      Console(config)#
    Configuring Local/Remote Logon Authentication
    Use the Authentication Settings menu to restrict management access based on specified user...
  • Page 142 Command Usage • By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol.
  • Page 143 • RADIUS Settings - Global – Provides globally applicable RADIUS settings. - ServerIndex – Specifies one of five RADIUS servers that may be configured. The switch attempts authentication using the listed sequence of servers. The process ends when a server either approves or denies access to a user.
  • Page 144: Figure 6-2 Authentication Server Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 6-2 Authentication Server Settings. CLI –...
  • Page 145: Configuring Https

      Server 1:
        Server IP address: 192.168.1.25
        Communication key with RADIUS server: *****
        Server port number: 181
        Retransmit times: 5
        Request timeout: 10
      Console#config
      Console(config)#authentication login tacacs
      Console(config)#tacacs-server host 10.20.30.40
      Console(config)#tacacs-server port 200
      Console(config)#tacacs-server key green
      Console(config)#exit
      Console#show tacacs-server...
  • Page 146: Table 6-1 Https System Support

    • The following web browsers and operating systems currently support HTTPS:
    Table 6-1 HTTPS System Support
      Web Browser                      Operating System
      Internet Explorer 5.0 or later   Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP
      Netscape Navigator 6.2 or later  Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6...
  • Page 147: Replacing The Default Secure-Site Certificate

    Replacing the Default Secure-site Certificate
    When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site.
  • Page 148: Configuring The Secure Shell

    Configuring the Secure Shell
    The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 149 To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 150 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or v2 clients) a. The client sends its password to the server. b. The switch compares the client's password to those stored in memory.
  • Page 151: Generating The Host Key Pair

    Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
  • Page 152 • Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA, DSA, Both; Default: Both) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Single DES is brute-forceable and should not be relied on; configure clients to offer 3DES.
  • Page 153: Figure 6-4 Ssh Host-Key Settings

    Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
  • Page 154: Configuring The Ssh Server

    CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host's public keys.
      Console#ip ssh crypto host-key generate
      Console#ip ssh save host-key
      Console#show public-key host
      Host:...
  • Page 155: Figure 6-5 Ssh Server Settings

    • SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;...
    Use the largest server-key size the range allows; 512 bits is far below current minimums.
  • Page 156 CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
      Console(config)#ip ssh server
      Console(config)#ip ssh timeout 100
      Console(config)#ip ssh authentication-retries 5
      Console(config)#ip ssh server-key size 512...
  • Page 157: Configuring 802.1X Port Authentication

    Configuring 802.1X Port Authentication
    Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 158 ...Transport Layer Security). PEAP will be supported in future releases. The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network.
  • Page 159: Displaying 802.1X Global Settings

    Displaying 802.1X Global Settings
    The 802.1X protocol provides port authentication. Command Attributes: 802.1X System Authentication Control – The global setting for 802.1X. Web – Click Security, 802.1X, Information. Figure 6-6 802.1X Global Information. CLI – This example shows the default global setting for 802.1X.
      Console#show dot1x
      Global 802.1X Parameters...
  • Page 160: Configuring 802.1X Global Settings

    Configuring 802.1X Global Settings
    The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes: 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 161: Configuring Port Settings For 802.1X

    Configuring Port Settings for 802.1X
    When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., the authenticator), as well as the client identity lookup process that runs between the switch and the authentication server.
  • Page 162: Figure 6-8 802.1X Port Configuration

    • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds) • TX Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds) •...
  • Page 163 CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see "show dot1x" on page 21-41.
      Console(config)#interface ethernet 1/2
      Console(config-if)#dot1x port-control auto
      Console(config-if)#dot1x re-authentication
      Console(config-if)#dot1x max-req 5...
  • Page 164: Displaying 802.1X Statistics

      Backend State Machine
        State               Idle
        Request Count
        Identifier(Server)
      Reauthentication State Machine
        State               Initialize
      802.1X is disabled on port 1/28
      Console#
    Displaying 802.1X Statistics
    This switch can display statistics for dot1x protocol exchanges for any port.
    Table 6-2 802.1X Statistics
      Parameter        Description
      Rx EAPOL Start   ...
  • Page 165: Figure 6-9 802.1X Port Statistics

    Table 6-2 802.1X Statistics (Continued)
      Parameter        Description
      Tx EAP Req/Id    The number of EAP Req/Id frames that have been transmitted by this Authenticator.
      Tx EAP Req/Oth   The number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
    Web –...
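To make the Table 6-2 counters concrete, here is an added Python example (not from the manual) that parses raw EAPOL frames the way an authenticator port's receive statistics classify them: EAPOL-Start, EAPOL-Logoff, EAP Response/Identity, other EAP Responses, length errors, and the last EAPOL version and source address seen. Frame layouts follow IEEE 802.1X (EtherType 0x888E, then a 4-byte version/type/length EAPOL header) and RFC 3748 (EAP code, identifier, length, type). The sample frames are constructed inline, and the split between "invalid" and "length error" is this example's own reading of those counter names, since the page shows only a few rows of the table.

```python
import struct
from collections import Counter
from typing import Dict, List

ETH_P_PAE = 0x888E                              # EtherType for EAPOL
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X destination group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def classify_rx(frame: bytes) -> str:
    """Classify one received frame as an authenticator's Rx counters would.
    Returns 'not-eapol', 'eapol-start', 'eapol-logoff', 'eapol-invalid',
    'eap-len-error', 'eap-resp-id' or 'eap-resp-oth'."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return "not-eapol"
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:]
    if length > len(body):
        return "eapol-invalid"             # EAPOL length runs past the end of the frame
    body = body[:length]
    if ptype == EAPOL_START:
        return "eapol-start"
    if ptype == EAPOL_LOGOFF:
        return "eapol-logoff"
    if ptype != EAPOL_EAP_PACKET:
        return "eapol-invalid"             # EAPOL-Key / ASF-Alert are not EAP exchanges
    if len(body) < 4:
        return "eap-len-error"
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        return "eap-len-error"             # EAP length disagrees with the EAPOL body
    if code != EAP_RESPONSE:
        return "eapol-invalid"             # a supplicant should only send Responses
    if eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
        return "eap-resp-id"
    return "eap-resp-oth"


def rx_statistics(frames: List[bytes]) -> Dict[str, object]:
    """Accumulate per-port receive counters over a sequence of frames."""
    counts: Counter = Counter()
    stats: Dict[str, object] = {}
    for f in frames:
        kind = classify_rx(f)
        counts[kind] += 1
        if kind != "not-eapol":
            counts["eapol-total"] += 1
            stats["last-eapol-version"] = f[14]
            stats["last-eapol-src"] = f[6:12].hex(":")
    stats.update(counts)
    return stats


# Helpers that build test frames (constructed data, not captures).
def eapol_frame(src: bytes, ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETH_P_PAE, version, ptype, len(body)) + body


def eap_packet(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    payload = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


SUPPLICANT = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    eapol_frame(SUPPLICANT, EAPOL_START),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET,
                eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET,
                eap_packet(EAP_RESPONSE, 2, 4, b"\x10" + bytes(16))),   # MD5-Challenge response
    eapol_frame(SUPPLICANT, EAPOL_LOGOFF),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET, b"\x02\x03\x00\x40"),     # claims 64 bytes, carries 4
    b"\xff" * 6 + SUPPLICANT + b"\x08\x00" + bytes(46),                   # ordinary IPv4 frame
]

if __name__ == "__main__":
    for k, v in sorted(rx_statistics(SAMPLE_FRAMES).items()):
        print(f"{k}: {v}")
```

Reading the counters this way is useful during an incident: a rising Rx EAPOL Start count with no Rx EAP Resp/Id means supplicants are starting but never answering the identity request, while a growing length-error count on one port is a sign of a malformed or crafted supplicant rather than a RADIUS problem.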
  • Page 166: Filtering Ip Addresses For Management Access

    Filtering IP Addresses for Management Access
    You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses. The first entry you add should therefore cover the station you are managing from; otherwise that interface is closed to your own session as soon as the entry is saved.
  • Page 167: Figure 6-10 Ip Filter

    • End IP Address – The end address of a range. Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry.
  • Page 169: Client Security

    This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options for providing client security are supported by this switch.
  • Page 170: Configuring Port Security

    • DHCP Snooping – Filters IP traffic on unsecure ports for which the source address cannot be identified via DHCP snooping or static source bindings. (See "DHCP Snooping Commands" on page 22-10.)
    Configuring Port Security
    Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
  • Page 171 • The default maximum number of MAC addresses allowed on a secure port is zero. You must configure a maximum address count from 1-1024 for the port to allow access. • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 9-4).
  • Page 172: Figure 7-1 Port Security

    Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
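As an added example that is not part of the manual, this Python models the secure-port behaviour described on pages 170-172: a port admits source MAC addresses until the configured maximum is reached, treats any further unknown address as a violation, and, depending on the configured action, raises a trap, shuts the port down until it is re-enabled by hand, or both. The action names none, trap, shutdown and trap-and-shutdown are this example's assumptions about the Action field on the Port Security page; the default maximum of 0 and the 1-1024 range are the manual's, so an unconfigured secure port admits nothing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")   # assumed action names


@dataclass
class SecurePort:
    name: str
    max_addresses: int = 0          # manual: default 0, nothing admitted until set to 1-1024
    action: str = "none"
    enabled: bool = True
    learned: Set[str] = field(default_factory=set)
    traps: List[str] = field(default_factory=list)

    def configure(self, max_addresses: int, action: str) -> None:
        if not 1 <= max_addresses <= 1024:
            raise ValueError("maximum address count must be 1-1024")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.max_addresses, self.action = max_addresses, action

    def receive(self, src_mac: str) -> bool:
        """Handle a frame from src_mac; True if the port forwards it."""
        if not self.enabled:
            return False                           # a shut-down port drops everything
        src_mac = src_mac.lower()
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.max_addresses:
            self.learned.add(src_mac)              # address becomes authorized on this port
            return True
        # Violation: the limit is reached and this address is not authorized.
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append(f"{self.name}: security violation from {src_mac}")
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.enabled = False                   # stays down until reenable() (manual re-enable)
        return False

    def reenable(self) -> None:
        """The manual step taken on the Port Configuration page."""
        self.enabled = True


def demo() -> Dict[str, object]:
    """Walk through the cases a practitioner should expect."""
    unconfigured = SecurePort("eth1/1")
    p = SecurePort("eth1/2")
    p.configure(max_addresses=1, action="trap-and-shutdown")
    results: Dict[str, object] = {
        "unconfigured_admits": unconfigured.receive("00:aa:bb:cc:dd:01"),
        "first_mac": p.receive("00:AA:BB:CC:DD:02"),
        "same_mac_again": p.receive("00:aa:bb:cc:dd:02"),
        "second_mac": p.receive("00:aa:bb:cc:dd:03"),
        "port_enabled_after": p.enabled,
        "traps": len(p.traps),
    }
    p.reenable()
    results["known_mac_after_reenable"] = p.receive("00:aa:bb:cc:dd:02")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the operational trade-off visible: a shutdown action turns a single spoofed source address into a denial of service for everyone behind that port, so on shared ports a trap-only action with a tight address limit is often the better starting point.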
  • Page 173: Access Control Lists

    Access Control Lists (ACLs) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or for any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 174 The following filtering modes are supported: • Standard IP ACL mode (STD-ACL) filters packets based on the source IP address. • Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as well as protocol type and protocol port number.
  • Page 175: Configuring Access Control Lists

    • Egress MAC ACLs only work for destination-MAC-known packets, not for multicast, broadcast, or destination-MAC-unknown packets. The order in which active ACLs are checked is as follows: 1. User-defined rules in the Egress MAC ACL for egress ports. 2. ...
  • Page 176: Configuring A Standard Acl

    Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 8-1 Selecting ACL Type. CLI –...
  • Page 177: Configuring An Extended Acl

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select "Host," enter a specific address. If you select "IP," enter a subnet address and the mask for an address range. Then click Add.
  • Page 178 • Source/Destination IP Address – Source or destination IP address. • Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 8-4.) • Service Type – Packet priority settings based on the following criteria: - Precedence –...
  • Page 179: Figure 8-3 Acl Configuration - Extended Ipv4

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select "Host," enter a specific address. If you select "IP," enter a subnet address and the mask for an address range.
  • Page 180: Configuring A Mac Acl

    3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to "SYN." (In control-flag 2 2 the first value is the flag bits to match and the second the bits to test; bit 2 is SYN, so SYN-only segments match.)
      Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
      Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any destination-port 80
      Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
      Console(config-ext-acl)#
    Configuring a MAC ACL
    Command Attributes...
  • Page 181: Figure 8-4 Acl Configuration - Mac

    Command Usage: Egress MAC ACLs only work for destination-MAC-known packets, not for multicast, broadcast, or destination-MAC-unknown packets. Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select "Host,"...
  • Page 182: Configuring Acl Masks

    Configuring ACL Masks
    You must specify masks that control the order in which ACL rules are checked. ACL rules matching the first entry in the mask are checked first. Rules matching subsequent entries in the mask are then checked in the specified order.
  • Page 183: Specifying The Mask Type

    Specifying the Mask Type
    Use the ACL Mask Configuration page to edit the mask for the Ingress IP ACL, Egress IP ACL, Ingress MAC ACL or Egress MAC ACL. Web – Click Security, ACL, Mask Configuration. Click Edit for one of the basic mask types to open the configuration page.
  • Page 184: Configuring An Ip Acl Mask

    Configuring an IP ACL Mask
    This mask defines the fields to check in the IP header. Command Usage • Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with an IP header length of exactly five 32-bit words (20 bytes, i.e., no IP options). Packets carrying IP options are therefore not checked against port-based rules, so a broader address-based rule is needed if such packets must also be controlled.
  • Page 185: Figure 8-6 Acl Mask Configuration - Ip

    Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types.
  • Page 186: Configuring A Mac Acl Mask

    CLI – This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the "deny 10.1.1.1 255.255.255.255"...
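Added example (not from the manual): a small Python model of the rule-ordering behaviour described on pages 182-186. Rules are listed in the order they were entered; the mask list gives the order in which mask entries are checked, and rules whose mask equals the first entry are evaluated before rules matching the second, so a host deny entered after a subnet permit still wins once a host-mask entry precedes the subnet-mask entry. Masks use the switch's subnet-mask convention (bits set to 1 are compared), not a Cisco-style wildcard. Two points are this model's assumptions rather than the page's statements: rules covered by no mask entry are tried last in entry order, and an unmatched packet gets an implicit deny.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    address: str     # source address the rule compares against
    mask: str        # subnet-style mask: bits set to 1 are compared (switch convention)

    def matches(self, src: str) -> bool:
        m = int(IPv4Address(self.mask))
        return (int(IPv4Address(src)) & m) == (int(IPv4Address(self.address)) & m)


def ordered_rules(rules: List[Rule], masks: List[str]) -> List[Rule]:
    """Rules in the order the switch would check them: grouped by the mask
    entries in mask-list order, entry order within each group.  Rules whose
    mask has no entry go last (an assumption of this model)."""
    ordered = [r for m in masks for r in rules if r.mask == m]
    ordered += [r for r in rules if r.mask not in masks]
    return ordered


def evaluate(rules: List[Rule], masks: List[str], src: str, default: str = "deny") -> str:
    """Action applied to a packet with source address src: first match wins;
    default (assumed implicit deny) applies when nothing matches."""
    for r in ordered_rules(rules, masks):
        if r.matches(src):
            return r.action
    return default


# Rules in the order they were entered: broad permit first, host deny second
# (the situation the page's "deny 10.1.1.1 255.255.255.255" example describes).
RULES = [
    Rule("permit", "10.1.1.0", "255.255.255.0"),
    Rule("deny",   "10.1.1.1", "255.255.255.255"),
]
NO_MASK: List[str] = []                               # pure entry order
HOST_FIRST = ["255.255.255.255", "255.255.255.0"]     # host entry precedes the /24 entry
SUBNET_FIRST = ["255.255.255.0", "255.255.255.255"]   # reversed: /24 entry precedes the host entry


def compare(src: str) -> Dict[str, str]:
    """Outcome for one source address under each mask ordering."""
    return {
        "entry-order": evaluate(RULES, NO_MASK, src),
        "host-mask-first": evaluate(RULES, HOST_FIRST, src),
        "subnet-mask-first": evaluate(RULES, SUBNET_FIRST, src),
    }


if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2", "10.2.0.5"):
        print(src, compare(src))
```

The practical lesson is that on this switch the mask list, not the order in which rules were typed, decides precedence: reviewing an ACL without also reviewing its mask configuration can miss a host deny that is silently shadowed (subnet-mask-first) or, conversely, a permit that is overridden.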
  • Page 187: Figure 8-7 Acl Mask Configuration - Mac

    Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s).
  • Page 188: Binding A Port To An Access Control List

    CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
      Console(config)#access-list mac M4
      Console(config-mac-acl)#permit any any
      Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11...
  • Page 189: Figure 8-8 Acl Port Binding

    • When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit "deny any any" rule for the egress IP ACL or the egress MAC ACLs.
  • Page 190 CLI – This example assigns an IP and a MAC ingress ACL to port 1, and an IP ingress ACL to port 2.
      Console(config)#interface ethernet 1/1
      Console(config-if)#ip access-group tom in
      Console(config-if)#mac access-group jerry in
      Console(config-if)#exit
      Console(config)#interface ethernet 1/2
      Console(config-if)#ip access-group tom in
      Console(config-if)#...
  • Page 191: Port Configuration

    Displaying Connection Status
    You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. • Type – Indicates the port type. (100BASE-BX, 1000BASE-T, or SFP) •...
  • Page 192: Figure 9-1 Port - Port Information

    Web – Click Port, Port Information or Trunk Information. Figure 9-1 Port - Port Information. Field Attributes (CLI) Basic information: • Port type – Indicates the port type. (100BASE-BX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see "Setting the Switch's IP Address"...
  • Page 193 - 100full - Supports 100 Mbps full-duplex operation - 1000full - Supports 1000 Mbps full-duplex operation - Sym - Transmits and receives pause frames for flow control - FC - Supports flow control • Broadcast storm – Shows if broadcast storm control is enabled or disabled.
  • Page 194: Configuring Interface Connections

    CLI – This example shows the connection status for port 5.
      Console#show interfaces status ethernet 1/5
      Information of Eth 1/5
      Basic information:
        Port type: 100TX
        Mac address: 00-30-F1-D4-73-A5
      Configuration:
        Name:
        Port admin:
        Speed-duplex: Auto
        Capabilities: 10half, 10full, 100half, 100full
        Broadcast storm: Enabled
        Broadcast storm limit:...
  • Page 195 Note: 100BASE-BX ports are fixed at 100 Mbps, full-duplex. The 1000BASE-T standard does not support forced mode. Always use auto-negotiation to establish a connection over any 1000BASE-T port or trunk. • Flow Control – Allows automatic or manual selection of flow control. •...
  • Page 196: Figure 9-2 Port - Port Configuration

    - SFP-Forced - Always uses the SFP port (even if a module is not installed). - SFP-Preferred-Auto - Uses the SFP port if both combination types are functioning and the SFP port has a valid link. (This is the default.) • Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see "Creating Trunk Groups"...
  • Page 197 CLI – Select the interface, and then enter the required settings.
      Console(config)#interface ethernet 1/13
      Console(config-if)#description RD SW#13
      Console(config-if)#shutdown
      Console(config-if)#no shutdown
      Console(config-if)#no negotiation
      Console(config-if)#speed-duplex 100half
      Console(config-if)#negotiation
      Console(config-if)#capabilities 100half
      Console(config-if)#capabilities 100full
      Console(config-if)#capabilities flowcontrol
      Console(config-if)#exit
      Console(config)#interface ethernet 1/21...
  • Page 198: Creating Trunk Groups

    Creating Trunk Groups
    You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 12 trunks. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
  • Page 199: Statically Configuring A Trunk

    • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
    • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
  • Page 200: Figure 9-3 Static Trunk Configuration

    Command Attributes
    • Member List (Current) – Shows configured trunks (Trunk ID, Unit, Port).
    • New – Includes entry fields for creating new trunks.
    - Trunk – Trunk identifier. (Range: 1-32)
    - Port – Port identifier. (Range: 1-28)
    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-32 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add.
  • Page 201: Enabling Lacp On Selected Ports

    CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk.
    Console(config)#interface port-channel 1
    Console(config-if)#exit
    Console(config)#interface ethernet 1/9
    Console(config-if)#channel-group 1
    Console(config-if)#exit
    ...
  • Page 202: Figure 9-4 Lacp Trunk Configuration

    • A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
    • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 203: Configuring Lacp Parameters

    CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp
    Console(config-if)#exit
    Console(config)#interface ethernet 1/6
    Console(config-if)#lacp
    Console(config-if)#end
    ...
  • Page 204

    Note: If the port channel admin key (lacp admin key, page 25-8) is not set (through the CLI) when a channel group is formed (i.e., it has a null value of 0), this key is set to the same value as the port admin key used by the interfaces that joined the group (lacp admin key, as described in this section and on page 25-7).
  • Page 205: Figure 9-5 Lacp - Aggregation Port

    Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 206: Backup Mode

    CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp actor system-priority 3
    Console(config-if)#lacp actor admin-key 120
    Console(config-if)#lacp actor port-priority 128
    ...
  • Page 207: Displaying Lacp Port Counters

    Displaying LACP Port Counters
    You can display statistics for LACP protocol messages.
    Table 9-1 LACP Port Counters
    Parameter – Description
    LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
    LACPDUs Received – Number of valid LACPDUs received by this channel group.
  • Page 208: Displaying Lacp Settings And Status For The Local Side

    CLI – The following example displays LACP counters for port channel 1.
    Console#show lacp 1 counters
    Port channel: 1
    -------------------------------------------------------------------
    Eth 1/ 2
    -------------------------------------------------------------------
    LACPDUs Sent:
    LACPDUs Receive:
    Marker Sent:
    Marker Receive:
    LACPDUs Unknown Pkts: 0
    LACPDUs Illegal Pkts: 0

    Displaying LACP Settings and Status for the Local Side
    You can display configuration settings and the operational state for the local side of a link aggregation.
  • Page 209

    Table 9-2 LACP Internal Configuration Information (Continued)
    Field – Description
    Admin State, Oper State – Administrative or operational values of the actor’s state parameters:
    • Expired – The actor’s receive machine is in the expired state;
    • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 210: Figure 9-7 Lacp - Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
    Figure 9-7 LACP - Port Internal Information
    CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
    Console#show lacp 1 internal
    Port channel: 1
    ...
  • Page 211: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side
    You can display configuration settings and the operational state for the remote side of a link aggregation.
    Table 9-3 LACP Neighbor Configuration Information
    Field – Description
    Partner Admin System – LAG partner’s system ID assigned by the user.
  • Page 212: Figure 9-8 Lacp - Port Neighbors Information

    Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.
    Figure 9-8 LACP - Port Neighbors Information
    CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
    Console#show lacp 1 neighbors
    Port channel 1 neighbors
    ...
  • Page 213: Setting Broadcast Storm Thresholds

    Setting Broadcast Storm Thresholds
    Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 214: Figure 9-9 Port Broadcast Control

    Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply.
    Figure 9-9 Port Broadcast Control
    CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
  • Page 215: Configuring Port Mirroring

    Configuring Port Mirroring
    You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
    [Figure: source port(s) mirrored to a single target port]
  • Page 216: Configuring Rate Limits

    Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add.
    Figure 9-10 Mirror Port Configuration
    CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port.
  • Page 217: Figure 9-11 Rate Limit Configuration

    Command Attribute
    Rate Limit – Sets the output rate limit for an interface.
    Default Status – Disabled
    Default Rate – Fast Ethernet: 100 Mbps; Gigabit Ethernet: 1000 Mbps
    Range – Fast Ethernet: 1 - 1000 Mbps; Gigabit Ethernet: 1 - 1000 Mbps
    Web – Click Port, Rate Limit, Input/Output Port/Trunk Configuration.
  • Page 218: Showing Port Statistics

    Showing Port Statistics
    You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
  • Page 219

    Table 9-4 Port Statistics (Continued)
    Parameter – Description
    Received Unknown Packets – The number of packets received via the interface which were discarded because of an unknown or unsupported protocol.
    Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
  • Page 220

    Table 9-4 Port Statistics (Continued)
    Parameter – Description
    FCS Errors – A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
  • Page 221

    Table 9-4 Port Statistics (Continued)
    Parameter – Description
    RMON Statistics
    Drop Events – The total number of events in which packets were dropped due to lack of resources.
    Jabbers – The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
  • Page 222

    Table 9-4 Port Statistics (Continued)
    Parameter – Description
    64 Bytes Frames – The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
    65-127 Byte Frames, 128-255 Byte Frames, 256-511 Byte Frames, ... – The total number of frames (including bad packets) received and transmitted where the number of octets ...
  • Page 223: Figure 9-12 Port Statistics

    Figure 9-12 Port Statistics
  • Page 224

    CLI – This example shows statistics for port 12.
    Console#show interfaces counters ethernet 1/12
    Ethernet 1/12
     Iftable stats:
      Octets input: 868453, Octets output: 3492122
      Unicast input: 7315, Unitcast output: 6658
      Discard input: 0, Discard output: 0
      Error input: 0, Error output: 0
      Unknown protos input: 0, QLen output: 0
     Extended iftable stats:
      Multi-cast input: 0, Multi-cast output: 17027
      ...
  • Page 225: Address Table Settings

    Chapter 10: Address Table Settings

    Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 226: Figure 10-1 Static Addresses

    Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
    Figure 10-1 Static Addresses
    CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 227: Displaying The Address Table

    Displaying the Address Table
    The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 228: Figure 10-2 Dynamic Addresses

    Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
    Figure 10-2 Dynamic Addresses
    CLI – This example also displays the address table entries for port 1.
    Console#show mac-address-table interface ethernet 1/1
    Interface Mac Address ...
  • Page 229: Changing The Aging Time

    Changing the Aging Time
    You can set the aging time for entries in the dynamic address table.
    Command Attributes
    • Aging Status – Enables/disables the aging function.
    • Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds; ...
  • Page 231: Spanning Tree Algorithm

    Chapter 11: Spanning Tree Algorithm

    The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 232

    [Figure: Designated Root, Root Port, Designated Port, Designated Bridge]
    Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
  • Page 233

    maintain connectivity among each of the assigned VLAN groups. MSTP then builds an Internal Spanning Tree (IST) for the Region containing all commonly configured MSTP bridges.
    [Figure: Region R containing MST 1 (for this Region) and MST 2]
    An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – ...
  • Page 234: Displaying Global Settings

    MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST). The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP, RSTP, MSTP protocols.
    Displaying Global Settings
    You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
  • Page 235

    make it return to a discarding state; otherwise, temporary data loops might result.
    • Designated Root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
    - Root Port – ...
  • Page 236: Figure 11-1 Sta Information

    configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration message), a new root port is selected from among the device ports attached to the network. (References to “ports” in this section means “interfaces,” which includes both ports and trunks.)
    • ...
  • Page 237: Each Port

    CLI – This command displays global STA settings, followed by settings for each port.
    Console#show spanning-tree
    Spanning-tree information
    ---------------------------------------------------------------
     Spanning tree mode: MSTP
     Spanning tree enable/disable: enable
     Instance:
     Vlans configuration: 1-4093
     Priority: 32768
     Bridge Hello Time (sec.):
     Bridge Max Age (sec.):
     Bridge Forward Delay (sec.):
     Root Hello Time (sec.):
     ...
  • Page 238: Configuring Global Settings

    Configuring Global Settings
    Global settings apply to the entire switch.
    Command Usage
    • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 239

    - Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
    Command Attributes
    Basic Configuration of Global Settings
    • ...
  • Page 240

    reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
  • Page 241

    Configuration Settings for MSTP
    • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65)
    • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
  • Page 242: Figure 11-2 Sta Global Configuration

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
    Figure 11-2 STA Global Configuration
  • Page 243: Displaying Interface Settings

    CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
    Console(config)#spanning-tree
    Console(config)#spanning-tree mode mstp
    Console(config)#spanning-tree priority 40000
    Console(config)#spanning-tree hello-time 5
    Console(config)#spanning-tree max-age 38
    Console(config)#spanning-tree forward-time 20
    ...
  • Page 244

    - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
    - All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
  • Page 245

    [Figure legend: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port]
    Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
  • Page 246: Figure 11-3 Sta Port Information

    loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
    • Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
    • ...
  • Page 247: Configuring Interface Settings

    CLI – This example shows the STA attributes for port 5.
    Console#show spanning-tree ethernet 1/5
    1/ 5 information
    --------------------------------------------------------------
     Admin status: enabled
     Role: disable
     State: discarding
     External admin path cost: 10000
     Internal admin cost: 10000
     External oper path cost: 10000
     Internal oper path cost: 10000
     ...
  • Page 248

    - Discarding - Port receives STA configuration messages, but does not forward packets.
    - Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
  • Page 249: Table 11-1 Recommended Sta Path Cost Range

    When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
    Table 11-1 Recommended STA Path Cost Range
    Port Type – IEEE 802.1D-1998 – IEEE 802.1w-2001
    Fast Ethernet – 10-60 – ...
  • Page 250: Figure 11-4 Sta Port Configuration

    such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
  • Page 251: Configuring Multiple Spanning Trees

    Configuring Multiple Spanning Trees
    MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 252: Figure 11-5 Mstp Vlan Configuration

    • VLANs in MST Instance – VLANs assigned this instance.
    • MST ID – Instance identifier to configure. (Range: 0-4094; Default: 0)
    • VLAN ID – VLAN to assign to this selected MST instance. (Range: 1-4093)
    The other global attributes are described under “Displaying Global Settings,” ...
  • Page 253

    CLI – This displays STA settings for instance 1, followed by settings for each port.
    Console#show spanning-tree mst 1
    Spanning-tree information
    ---------------------------------------------------------------
     Spanning tree mode: MSTP
     Spanning tree enabled/disabled: enabled
     Instance:
     VLANs configuration:
     Priority: 32768
     Bridge Hello Time (sec.):
     Bridge Max Age (sec.):
     Bridge Forward Delay (sec.):
     ...
  • Page 254: Displaying Interface Settings For Mstp

    CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
    Console(config)#spanning-tree mst-configuration
    Console(config-mst)#mst 1 priority 4096
    Console(config-mst)#mst 1 vlan 1-5
    Console(config-mst)#

    Displaying Interface Settings for MSTP
    The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
  • Page 255: Spanning Tree

    CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 11-4), the settings for other instances only apply to the local spanning tree.
  • Page 256: Configuring Interface Settings For Mstp

    Configuring Interface Settings for MSTP
    You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.
    Field Attributes
    The following attributes are read-only and cannot be changed:
    • STA State – Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 11-13 for additional information.)
    - Discarding - Port receives STA configuration messages, but does not ...
  • Page 257: Figure 11-7 Mstp Port Configuration

    • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 258

    CLI – This example sets the MSTP attributes for port 4.
    Console(config)#interface ethernet 1/4
    Console(config-if)#spanning-tree mst port-priority 0
    Console(config-if)#spanning-tree mst cost 50
    Console(config-if)
  • Page 259: Vlan Configuration

    Chapter 12: VLAN Configuration

    IEEE 802.1Q VLANs
    In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains.
  • Page 260

    • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol
    • Port overlapping, allowing a port to participate in multiple VLANs
    • End stations can belong to multiple VLANs
    • Passing traffic between VLAN-aware and VLAN-unaware devices
    • ...
  • Page 261

    VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 262

    To implement GVRP in a network, first add the host devices to the required VLANs (using the operating system or other application software), so that these VLANs can be propagated onto the network. For both the edge switches attached directly to these hosts, and core switches in the network, enable GVRP on the links between these devices.
  • Page 263: Enabling Or Disabling Gvrp (Global Setting)

    forwarding a frame from this switch along a path that does not contain any VLAN-aware devices (including the destination host), the switch must first strip off the VLAN tag before forwarding the frame. When the switch receives a tagged frame, it will pass this frame onto the VLAN(s) indicated by the frame tag.
  • Page 264: Displaying Basic Vlan Information

    Displaying Basic VLAN Information
    The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.
    Field Attributes
    • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
    • ...
  • Page 265: Displaying Current Vlans

    Displaying Current VLANs
    The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging.
  • Page 266: Creating Vlans

    Command Attributes (CLI)
    • VLAN – ID of configured VLAN (1-4093, no leading zeroes).
    • Type – Shows how this VLAN was added to the switch.
    - Dynamic: Automatically learned via GVRP.
    - Static: Added as a static entry.
    • ...
  • Page 267: Figure 12-4 Vlan Static List - Creating Vlans

    • VLAN ID – ID of configured VLAN (1-4093).
    • VLAN Name – Name of the VLAN (1 to 32 characters).
    • Status (Web) – Enables or disables the specified VLAN.
    - Enable: VLAN is operational.
    - Disable: VLAN is suspended; i.e., does not pass packets.
    • ...
  • Page 268: Adding Static Members To Vlans (Vlan Index)

    CLI – This example creates a new VLAN.
    Console(config)#vlan database
    Console(config-vlan)#vlan 2 name R&D media ethernet state active
    Console(config-vlan)#end
    Console#show vlan
    VLAN ID:
    Type: Static
    Name: DefaultVlan
    Status: Active
    Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                         Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                         Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
                         Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
  • Page 269

    • Status – Enables or disables the specified VLAN.
    - Enable: VLAN is operational.
    - Disable: VLAN is suspended; i.e., does not pass packets.
    • Port – Port identifier.
    • Trunk – Trunk identifier.
    • Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
    - Tagged: Interface is a member of the VLAN.
  • Page 270: Figure 12-5 Vlan Static Table - Adding Static Members

    Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 271: Adding Static Members To Vlans (Port Index)

    Adding Static Members to VLANs (Port Index)
    Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
    Command Attributes
    • Interface – Port or trunk identifier.
    • Member – VLANs for which the selected interface is a tagged member.
    • ...
  • Page 272: Configuring Vlan Behavior For Interfaces

    Configuring VLAN Behavior for Interfaces
    You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
    Command Usage
    • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 273

    - If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 274: Figure 12-7 Vlan Port Configuration

    belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
    - Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
    - Dot1q-Tunnel – Configures IEEE 802.1Q tunneling (QinQ) to segregate and preserve customer VLAN IDs for traffic crossing the service provider network.
  • Page 275

    CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport acceptable-frame-types tagged
    ...
  • Page 276

    IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging). A port configured to support QinQ tunneling must be set to tunnel port mode.
  • Page 277: Configuring Ieee 802.1Q Tunneling

    [Figure: QinQ Tunneling. Customer A (VLANs 1-10) at each site connects through a Tunnel Port on the Service Provider edge router A and edge router B; Double Tagged Packets cross the Service Provider network in VLAN 10 and VLAN 20. Outer Tag - Service Provider VID ...]
  • Page 278

    3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
    4. The switch sends the packet to the proper egress port.
    5. ...
  • Page 279

    4. After successful source and destination lookup, the packet is double tagged. The switch uses the TPID of 0x8100 to indicate that an incoming packet is double-tagged. If the outer tag of an incoming double-tagged packet is equal to the port TPID and the inner tag is 0x8100, it is treated as a double-tagged packet.
  • Page 280

    - Tunnel ports do not support IP Access Control Lists.
    - Layer 3 Quality of Service (QoS) and other QoS features containing Layer 3 information are not supported on tunnel ports.
    - Spanning tree bridge protocol data unit (BPDU) filtering is automatically disabled on a tunnel port.
  • Page 281: Adding An Interface To A Qinq Tunnel

    Adding an Interface to a QinQ Tunnel
    Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the ingress port on the edge switch to dot1Q tunnel mode.
  • Page 282: Figure 12-8 Tunnel Port Configuration

    VLAN C ONFIGURATION Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Set the mode for the tunnel port to Dot1q-Tunnel, and set the TPID if the client is using a non-standard ethertype to identify 802.1Q tagged frames, then click Apply. Figure 12-8 Tunnel Port Configuration CLI –...
  • Page 283: Configuring Private Vlans

    VLAN ONFIGURING RIVATE Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Uplink Ports Primary VLAN (promiscuous ports)
  • Page 284: Configuring Uplink And Downlink Ports

    Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
  • Page 285: Configuring Protocol-Based Vlans

    Configuring Protocol-Based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
  • Page 286: Mapping Protocols To Vlans

    • Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) • Protocol Type – The only option for the LLC_other frame type is IPX_raw. The options for all other frame types include: IP, ARP, RARP.
  • Page 287: Figure 12-12 Protocol Vlan Port Configuration

    Membership by Port menu (page 13), these interfaces will admit traffic of any protocol type into the associated VLAN. • When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: - If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
  • Page 288 CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 3 Console(config-if)#
  • Page 289: Class Of Service

    Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 290: Figure 13-1 Default Port Priority

    • If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface.
  • Page 291: Mapping Cos Values To Egress Queues

    CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)#end Console#show interfaces switchport ethernet 1/3 Information of Eth 1/3 Broadcast threshold: Enabled, 500 packets/second LACP status: Disabled Ingress rate limit:...
  • Page 292: Table 13-2 Cos Priority Levels

    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network. Table 13-2 CoS Priority Levels Priority Level Traffic Type...
  • Page 293: Figure 13-2 Traffic Classes

    Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 13-2 Traffic Classes CLI – The following example shows how to change the CoS assignments to a one-to-one mapping. Console(config)#interface ethernet 1/1...
  • Page 294: Selecting The Queue Mode

    Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 295: Setting The Service Weight For Traffic Classes

    Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3, the traffic classes are mapped to one of the eight egress queues provided for each port.
  • Page 296: Layer 3/4 Priority Settings

    CLI – The following example shows how to assign WRR weights to each of the priority queues. Console(config)#queue bandwidth 1 3 5 7 9 11 13 15 Console(config)#exit Console#show queue bandwidth Information of Eth 1/1 Queue ID Weight --------...
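The difference between the two queue modes matters for availability: under the strict rule, a station whose frames land in a high queue (by its own 802.1p or DSCP marking, if the port trusts it) can starve every lower queue indefinitely, while WRR guarantees each queue a share proportional to its weight. The following Python is an added example, not SMC code and not the switch's scheduler implementation (which the page does not describe): it is a packet-count WRR and a strict scheduler run over the same constructed backlog, using the weights from the CLI example above.

```python
"""Strict-priority versus weighted round-robin (WRR) scheduling across the
eight egress queues, using the weights from the CLI example above
(queue bandwidth 1 3 5 7 9 11 13 15).

Added example, not SMC code: the switch's scheduler internals are not on the
page, so this is a textbook packet-count WRR. Queue contents are constructed.
Queue 7 is the highest priority, queue 0 the lowest.
"""

WEIGHTS = [1, 3, 5, 7, 9, 11, 13, 15]   # queue 0 .. queue 7, from the CLI example


def strict_schedule(queues, slots):
    """Serve the highest non-empty queue first; lower queues wait."""
    qs = [list(q) for q in queues]
    out = []
    while len(out) < slots and any(qs):
        top = max(i for i, q in enumerate(qs) if q)
        out.append((top, qs[top].pop(0)))
    return out


def wrr_schedule(queues, weights, slots):
    """Each round, queue i may send up to weights[i] packets (highest queue
    first within the round); empty queues skip their turn."""
    if sum(weights) <= 0:
        raise ValueError("at least one queue needs a positive weight")
    qs = [list(q) for q in queues]
    out = []
    while len(out) < slots and any(qs):
        for i in range(len(qs) - 1, -1, -1):
            for _ in range(weights[i]):
                if len(out) >= slots or not qs[i]:
                    break
                out.append((i, qs[i].pop(0)))
    return out


def per_queue_counts(schedule, nqueues=8):
    """How many packets each queue got out."""
    counts = [0] * nqueues
    for q, _ in schedule:
        counts[q] += 1
    return counts


def demo(packets_per_queue=20, slots=64):
    """Same backlog in every queue, same number of transmit opportunities;
    compare who gets served under each mode."""
    queues = [[f"q{q}p{n}" for n in range(packets_per_queue)] for q in range(8)]
    return (per_queue_counts(strict_schedule(queues, slots)),
            per_queue_counts(wrr_schedule(queues, WEIGHTS, slots)))


if __name__ == "__main__":
    strict, wrr = demo()
    print("strict:", strict)   # queues 0-3 never transmit
    print("wrr:   ", wrr)      # one packet per unit of weight per round
```

With 64 transmit slots and 20 packets waiting in every queue, strict mode spends all 64 on queues 7, 6, 5 and part of 4, and queues 0 to 3 send nothing; WRR with the weights above gives each queue exactly its weight in one round, so even queue 0 gets a packet out.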
  • Page 297: Selecting Ip Precedence/Dscp Priority

    Selecting IP Precedence/DSCP Priority The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature. Command Attributes • Disabled – Disables both priority services. (This is the default setting.) •...
  • Page 298: Mapping Ip Precedence

    Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
  • Page 299: Figure 13-6 Ip Precedence Priority

    Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply. Figure 13-6 IP Precedence Priority CLI –
  • Page 300: Mapping Dscp Priority

    Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices will not conflict with the DSCP mapping.
  • Page 301: Figure 13-7 Ip Dscp Priority

    Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply. Figure 13-7 IP DSCP Priority CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
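The IP Precedence and DSCP sections above both read the same ToS octet, just different bit widths, and the "backward compatibility" they mention is concrete: the DSCP class selectors (low three bits zero) carry exactly the old precedence value in their top three bits. The following Python is an added example, not SMC code: it decodes the octet both ways and picks a CoS value under the switch's three modes (disabled, IP Precedence, DSCP). The one-to-one precedence map is the default the page states; the DSCP-to-CoS map, the fallback to CoS 0 for unmapped codepoints, and the IPv4 headers are constructed assumptions of the example.

```python
"""Decode the IPv4 ToS octet the two ways the page describes (three IP
Precedence bits, or the six-bit DSCP that replaced them) and pick a CoS value
under the switch's three modes: disabled, IP Precedence, or DSCP.

Added example, not SMC code. PRECEDENCE_MAP is the one-to-one default the page
states; DSCP_MAP, the CoS 0 fallback and the headers are constructed.
"""
import ipaddress
import struct

# Default IP Precedence -> CoS map (one-to-one, as the page states).
PRECEDENCE_MAP = {p: p for p in range(8)}

# Constructed DSCP -> CoS map for the example (not the switch's defaults):
# EF (46) -> CoS 7, AF41 (34) -> CoS 5, CS6 (48) -> CoS 6.
DSCP_MAP = {46: 7, 34: 5, 48: 6}


def ipv4_header(tos, src="10.0.0.1", dst="10.0.0.2", proto=17):
    """Constructed minimal 20-byte IPv4 header with the given ToS octet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def tos_octet(hdr):
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return hdr[1]


def ip_precedence(tos):
    """Top three bits of the ToS octet (0 = routine ... 7 = network control)."""
    return (tos >> 5) & 0x7


def dscp(tos):
    """Top six bits of the ToS octet (the low two bits are ECN)."""
    return (tos >> 2) & 0x3F


def is_class_selector(codepoint):
    """DSCP class selectors (CSx = xxx000) keep the old precedence meaning;
    this is the backward compatibility the page refers to."""
    return codepoint & 0x7 == 0


def select_cos(mode, hdr, port_default,
               precedence_map=PRECEDENCE_MAP, dscp_map=DSCP_MAP):
    """CoS value for a packet under the given priority mode.

    mode: 'disabled' (the switch default: use the port's default priority),
          'precedence' or 'dscp'. Unmapped DSCP values fall back to CoS 0,
          which is an assumption of this example.
    """
    if mode == "disabled":
        return port_default
    tos = tos_octet(hdr)
    if mode == "precedence":
        return precedence_map[ip_precedence(tos)]
    if mode == "dscp":
        return dscp_map.get(dscp(tos), 0)
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    ef = ipv4_header(0xB8)   # DSCP 46 (EF) -> ToS 0xB8, precedence 5
    for mode in ("disabled", "precedence", "dscp"):
        print(mode, select_cos(mode, ef, port_default=2))
```

The practical caveat: both fields are written by the sender. Enabling IP Precedence or DSCP priority on a port that faces untrusted hosts lets any of them put their own traffic in the best queue simply by marking it, so pair it with the policy-map meter described in the QoS chapter, or leave the feature disabled on subscriber ports.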
  • Page 302: Mapping Ip Port Priority

    Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
  • Page 303: Figure 13-9 Ip Port Priority

    Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply. Figure 13-9 IP Port Priority CLI –
  • Page 305: Quality Of Service

    The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis.
  • Page 306: Configuring Quality Of Service Parameters

    Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. 2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 14-9).
  • Page 307: Configuring A Class Map

    Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class. - When the Class Configuration page opens, fill in the “Class Name”...
  • Page 308 Settings” page. Enter the criteria used to classify ingress traffic on this page. • Remove Class – Removes the selected class. Class Configuration • Class Name – Name of the class map. (Range: 1-32 characters) • Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
  • Page 309: Figure 14-1 Configuring Class Maps

    Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 14-1 Configuring Class Maps
  • Page 310: Creating Qos Policies

    CLI - This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3. Console(config)#class-map rd_class match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)#exit Console(config)#access-list ip mask-precedence in Console(config-ip-mask-acl)#mask any any dscp Console(config-ip-mask-acl)#...
  • Page 311 • After using the policy map to define packet classification, service tagging, and bandwidth policing, it must be assigned to a specific interface by a service policy (page 14-10) to take effect. Command Attributes Policy Map •...
  • Page 312 • Meter – The maximum throughput and burst rate. - Rate (kbps) – Rate in kilobits per second. - Burst (byte) – Burst in bytes. • Exceed Action – Specifies whether the traffic that exceeds the specified rate will be dropped or the DSCP service level will be reduced.
  • Page 313: Figure 14-2 Configuring Policy Maps

    Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 14-2 Configuring Policy Maps
  • Page 314: Attaching A Policy Map To Ingress Queues

    CLI – This example creates a policy map called “rd_policy#3,” sets the average bandwidth to 1 Mbps, the burst size to 1522 bytes, and the response to reduce the DSCP value for violating packets to 0. Console(config)#policy-map rd_policy#3 Console(config-pmap)#class rd_class#3...
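The meter in a policy map is parameterised by a rate in kbps and a burst in bytes, and the exceed action is either drop or a DSCP rewrite. The following Python is an added example, not SMC code: the page does not describe the switch's metering algorithm, so this is a plain single-rate token bucket with those same parameters, run over a constructed packet trace using the page's own 1 Mbps / 1522-byte values with both exceed actions.

```python
"""Single-rate token-bucket meter with the two exceed actions a policy map
offers: drop, or forward with the DSCP reduced to a configured value.

Added example, not SMC code; the switch's actual metering algorithm is not
described on the page, so this is a plain token bucket parameterised the same
way (rate in kbps, burst in bytes). The packet trace is constructed.
"""


class Policer:
    def __init__(self, rate_kbps, burst_bytes, exceed_action="drop", exceed_dscp=0):
        if exceed_action not in ("drop", "remark"):
            raise ValueError("exceed_action must be 'drop' or 'remark'")
        # kbps -> bytes/second (integer; rates that are not multiples of
        # 8 kbps lose the fraction, acceptable for the demonstration)
        self.bytes_per_sec = rate_kbps * 1000 // 8
        self.burst = burst_bytes          # bucket depth in bytes
        self.tokens = burst_bytes         # bucket starts full
        self.last_us = 0                  # time of the last refill (microseconds)
        self.exceed_action = exceed_action
        self.exceed_dscp = exceed_dscp

    def _refill(self, now_us):
        if now_us < self.last_us:
            raise ValueError("time went backwards")
        earned = (now_us - self.last_us) * self.bytes_per_sec // 1_000_000
        self.tokens = min(self.burst, self.tokens + earned)
        self.last_us = now_us

    def offer(self, now_us, length, dscp):
        """Meter one packet. Returns ('forward', dscp) or ('drop', None)."""
        self._refill(now_us)
        if length <= self.tokens:             # conforming: spend tokens
            self.tokens -= length
            return ("forward", dscp)
        if self.exceed_action == "drop":      # exceeding, action drop
            return ("drop", None)
        return ("forward", self.exceed_dscp)  # exceeding, action remark


def run(policer, trace):
    """Apply the policer to a trace of (time_us, length_bytes, dscp)."""
    return [policer.offer(t, n, d) for t, n, d in trace]


# Constructed trace: a burst of two 1000-byte EF packets at t=0, then a
# 1500-byte and a 100-byte packet 10 ms later.
TRACE = [(0, 1000, 46), (0, 1000, 46), (10_000, 1500, 46), (10_000, 100, 46)]

if __name__ == "__main__":
    print(run(Policer(1000, 1522, "drop"), TRACE))
    print(run(Policer(1000, 1522, "remark", exceed_dscp=0), TRACE))
```

At 1000 kbps the bucket earns 125 bytes per millisecond, so the second packet at t=0 exceeds the 1522-byte burst and the 100-byte packet at 10 ms exceeds what is left after the 1500-byte one; under "drop" both are discarded, under "remark" both are forwarded with DSCP 0. The remark action is the gentler choice when the goal is to stop a host's self-marked traffic from claiming a priority queue rather than to cut it off.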
  • Page 315: Figure 14-3 Service Policy Settings

    Web – Click QoS, DiffServ, Service Policy Settings. Check Enabled and choose a Policy Map for a port from the scroll-down box, then click Apply. Figure 14-3 Service Policy Settings CLI - This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/5...
  • Page 317 Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local Multicast...
  • Page 318: Multicast Filtering

    those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. The purpose of IP multicast filtering is to optimize a switched network’s performance, so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).
  • Page 319 Only IGMPv3 hosts can request service from a specific multicast source. When downstream hosts request service from a specific source for a multicast service, these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources.
  • Page 320: Configuring Igmp Snooping And Query Parameters

    Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 15-11). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
  • Page 321 Note: Multicast routers use this information, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. Command Attributes • IGMP Status — When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic.
  • Page 322: Figure 15-1 Igmp Configuration

    Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 15-1 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
  • Page 323: Displaying Interfaces Attached To A Multicast Router

    Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 324: Specifying Static Interfaces For A Multicast Router

    CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router. Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Port Type ---- ------------------ ------- Eth 1/11 Static Console# Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always...
  • Page 325: Displaying Port Members Of Multicast Services

    CLI – This example configures port 1 as a multicast router port within VLAN 1. Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/1 Console(config)#exit Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Port Type ---- ------------------ ------- Eth 1/1...
  • Page 326: Figure 15-4 Ip Multicast Registration Table

    Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 15-4 IP Multicast Registration Table CLI –
  • Page 327: Assigning Ports To Multicast Services

    Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 15-4. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
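The snooping behaviour described across these pages (learn members from reports, learn router ports from queries or static configuration, forward a group only to member and router ports, and keep statically assigned members regardless of leave messages) fits in a small forwarding table. The following Python is an added example, not SMC code: it parses constructed IGMPv2 messages (checking length and checksum before acting on them) and computes the egress port set for a multicast frame. Flooding an unknown group within the VLAN, and removing a port immediately on a leave with no last-member query, are simplifying assumptions of the example, not behaviour the page specifies.

```python
"""IGMP snooping forwarding table: learn group members from IGMPv2 reports,
learn router ports from queries, honour static member and static mrouter
entries, and compute the egress port set for a multicast frame.

Added example, not SMC code. Assumptions: an unknown group is flooded within
its VLAN, and a leave removes the port at once (no last-member query).
The IGMP messages, VLAN and port numbers are constructed.
"""
import ipaddress
import struct

IGMP_QUERY, IGMP_V2_REPORT, IGMP_V2_LEAVE = 0x11, 0x16, 0x17


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type, group):
    """8-byte IGMPv2 message: type, max resp time, checksum, group address."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(pkt):
    """Validate length and checksum before trusting the message."""
    if len(pkt) < 8 or inet_checksum(pkt[:8]) != 0:
        raise ValueError("malformed IGMP message")
    msg_type, _, _, group = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, str(ipaddress.IPv4Address(group))


class SnoopingTable:
    def __init__(self, vlan_ports):
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}  # vlan -> ports
        self.members = {}    # (vlan, group) -> set(ports), learned or static
        self.static = set()  # (vlan, group, port) entries a leave does not remove
        self.mrouter = {}    # vlan -> set(router ports), learned or static

    def add_mrouter(self, vlan, port):
        """Static router port ('ip igmp snooping vlan N mrouter ...') or one
        learned dynamically from a query."""
        self.mrouter.setdefault(vlan, set()).add(port)

    def add_static_member(self, vlan, group, port):
        """Equivalent of an IGMP Member Port Table entry."""
        self.members.setdefault((vlan, group), set()).add(port)
        self.static.add((vlan, group, port))

    def receive(self, vlan, port, pkt):
        """Process an IGMP message seen on (vlan, port)."""
        msg_type, group = parse_igmp(pkt)
        if msg_type == IGMP_QUERY:              # queries come from routers
            self.add_mrouter(vlan, port)
        elif msg_type == IGMP_V2_REPORT:
            self.members.setdefault((vlan, group), set()).add(port)
        elif msg_type == IGMP_V2_LEAVE:
            if (vlan, group, port) not in self.static:
                self.members.get((vlan, group), set()).discard(port)

    def egress_ports(self, vlan, group, ingress):
        """Ports a multicast frame addressed to `group` is forwarded to."""
        members = self.members.get((vlan, group), set())
        if members:
            ports = members | self.mrouter.get(vlan, set())
        else:                                    # unknown group: flood the VLAN
            ports = set(self.vlan_ports[vlan])
        return sorted(ports - {ingress})


if __name__ == "__main__":
    sw = SnoopingTable({1: {1, 2, 3, 4, 5}})
    sw.receive(1, 5, build_igmp(IGMP_QUERY, "0.0.0.0"))       # router on port 5
    sw.receive(1, 2, build_igmp(IGMP_V2_REPORT, "239.1.1.1")) # host on port 2 joins
    sw.add_static_member(1, "239.1.1.1", 4)                   # static member on port 4
    print(sw.egress_ports(1, "239.1.1.1", ingress=5))         # [2, 4]
```

The checksum check is the part to keep even in a toy: a snooping switch that acts on unverified reports or leaves can be steered by any host on the VLAN, and the static entries and static mrouter port are the page's answer for streams that must not depend on what hosts claim.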
  • Page 328: Multicast Vlan Registration

    Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 329 distribution tree for a normal multicast VLAN. This makes it possible to support common multicast services over a wide part of the network without having to use any multicast routing protocol. MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong.
  • Page 330: Configuring Global Mvr Settings

    4. For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see “Assigning Static Multicast Groups to Interfaces” on page 15-20). Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will...
  • Page 331: Displaying Mvr Interface Status

    Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 15-6 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
  • Page 332: Figure 15-7 Mvr Port Information

    • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 333: Configuring Mvr Interface Status

    Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
  • Page 334: Figure 15-8 Mvr Port Configuration

    - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 335: Displaying Port Members Of Multicast Groups

    Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. •...
  • Page 336: Assigning Static Multicast Groups To Interfaces

    Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
  • Page 337: Figure 15-10 Mvr Group Member Configuration

    Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups. Select a multicast address from the displayed lists, and click the Add or Remove button to modify the Member list. Figure 15-10 MVR Group Member Configuration CLI –
  • Page 339 The Domain Name System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 340: Domain Name Service

    • When more than one name server is specified, the servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response. • Note that if all name servers are deleted, DNS will automatically be disabled.
  • Page 341: Configuring General Dns Service Parameters

    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 16-1 DNS General Configuration
  • Page 342: Configuring Static Dns Host To Address Entries

    CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used. Console(config)#ip domain-name sample.com Console(config)#ip domain-list sample.com.uk Console(config)#ip domain-list sample.com.jp Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#ip domain-lookup...
  • Page 343: Figure 16-2 Dns Static Host Table

    Field Attributes • Host Name – Name of a host device that is mapped to one or more IP addresses. (Range: 1-64 characters) • IP Address – Internet address(es) associated with a host name. (Range: 1-8 addresses) •...
  • Page 344: Displaying The Dns Cache

    CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#ip host rd6 10.1.0.55 Console#show hosts Hostname Inet address 10.1.0.55 192.168.1.55 Alias 1.rd6...
  • Page 345 Web – Select DNS, Cache. Figure 16-3 DNS Cache CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache FLAG TYPE DOMAIN CNAME 207.46.134.222 www.microsoft.akadns.net CNAME 207.46.134.190 www.microsoft.akadns.net CNAME...
  • Page 347 Command Line Interface – This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. Overview of Command Line Interface ......17-1 General Commands .
  • Page 348 IP Interface Commands ........35-1...
  • Page 349: Overview Of Command Line Interface

    This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 350: Telnet Connection

    After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the TigerAccess 10/100 is opened. To end the CLI session, enter [Exit]. Console# Telnet Connection Telnet operates over the IP transport protocol.
  • Page 351: Entering Commands

    After you configure the switch with an IP address, you can open a Telnet session by performing these steps: 1. From the remote host, enter the Telnet command and the IP address of the device you want to access. 2.
  • Page 352: Minimum Abbreviation

    You can enter commands as follows: • To enter a simple command, enter the command keyword. • To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter: Console>enable Console#show startup-config...
  • Page 353: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP).
  • Page 354: Partial Keyword Lookup

    The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Information of interfaces counters protocol-vlan Protocol-vlan information status Information of interfaces status switchport Information of interfaces switchport Console# Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 355: Understanding Command Modes

    Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes.
  • Page 356: Configuration Commands

    Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super” (page 21-4). To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the TigerAccess 10/100 is opened.
  • Page 357 • Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation. • Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits. • Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
  • Page 358: Table 17-2 Configuration Command Modes

    To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 17-2 Configuration Command Modes Mode Command Prompt Page Line line {console | vty}...
  • Page 359: Command Line Processing

    Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 360: Command Groups

    Command Groups The system commands can be broken down into the functional groups shown below. Table 17-4 Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the system, or quitting the CLI 18-1 System Management Display and setting of system information, basic modes of operation, maximum frame size, file...
  • Page 361 Table 17-4 Command Group Index (Continued) Command Group Description Page Address Table Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time 28-1 Spanning Tree Configures Spanning Tree settings for the switch 29-1 VLANs Configures VLAN settings, and defines port...
  • Page 363 These commands are used to control the command access mode, configuration mode, and other basic functions. Table 18-1 General Commands Command Function Mode Page enable Activates privileged mode 18-2 disable Returns to normal mode from privileged mode PE 18-3 configure Activates global configuration mode...
  • Page 364: General Commands

    enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 17-7. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 365: Disable

    disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes”...
  • Page 366: Show History

    Example Console#configure Console(config)# Related Commands end (18-6) show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
  • Page 367: Reload

    The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
  • Page 368: Prompt

    prompt This command customizes the CLI prompt. Use the no form to restore the default prompt. Syntax prompt string no prompt string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters) Default Setting Console Command Mode Global Configuration
  • Page 369: Exit

    exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 370 Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification Username:
  • Page 371: Table 19-1 System Management Commands

    HAPTER YSTEM ANAGEMENT OMMANDS These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 19-1 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this 19-2 switch System Status...
  • Page 372: System Management Commands

    YSTEM ANAGEMENT OMMANDS Device Designation Commands This section describes commands used to configure information that uniquely identifies the switch. Table 19-2 Device Designation Commands Command Function Mode Page hostname Specifies the host name for the switch 19-2 snmp-server Sets the system contact string 20-5 contact snmp-server...
  • Page 373: System Status Commands

    YSTEM TATUS OMMANDS System Status Commands This section describes commands used to display system information. Table 19-3 System Status Commands Command Function Mode Page show Displays the contents of the configuration file 19-3 startup-config (stored in flash memory) that is used to start up the system show Displays the configuration data currently in...
  • Page 374: Snmp Community Strings

    SYSTEM MANAGEMENT COMMANDS mode command, and corresponding commands. This command displays the following information: - MAC address for the switch - SNTP server settings - SNMP community strings - Users (names and access levels) - VLAN database (VLAN ID, name and state) - VLAN configuration settings for each interface - Multiple spanning tree instances (name and interfaces) - IP address...
  • Page 375: Show Running-Config

    SYSTEM STATUS COMMANDS interface vlan 1 ip address dhcp no map IP precedence no map IP DSCP line console line VTY Console# Related Commands show running-config (19-5) show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec...
  • Page 376 SYSTEM MANAGEMENT COMMANDS - VLAN configuration settings for each interface - Multiple spanning tree instances (name and interfaces) - IP address - Layer 4 precedence settings - Spanning tree settings - Any configured settings for the console port and Telnet Example Console#show running-config building running-config, please wait..
  • Page 377: Show System

    SYSTEM STATUS COMMANDS Related Commands show startup-config (19-3) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 4-1. •...
  • Page 378: Show Users

    SYSTEM MANAGEMENT COMMANDS Example Console#show system System Description : 24 port 100FX FTTH Metro Access Switch with 2 Combo ports and 2 module slots System OID String : 1.3.6.1.4.1.202.20.64 System information System Up time: 0 days, 1 hours, 23 minutes, and 44.61 seconds System Name : [NONE] System Location...
  • Page 379: Show Version

    SYSTEM STATUS COMMANDS Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users:...
  • Page 380: System Mode

    SYSTEM MANAGEMENT COMMANDS Example Console#show version Unit1 Serial Number: 0000E8900000 Hardware Version: EPLD Version: 0.01 Number of Ports: Agent (Master) Unit ID: Loader Version: 1.0.0.1 Boot ROM Version: 1.0.0.7 Operation Code Version: 1.0.1.5 Console# System Mode Commands This section describes the commands used to configure the switch to operate in normal mode or QinQ mode.
  • Page 381: Show System Mode

    SYSTEM MODE COMMANDS Default Setting No system mode is set; the switch functions in normal operating mode. Command Mode Global Configuration Command Usage Make sure that no dot1q-tunnel port is configured before exiting QinQ mode (see “switchport mode dot1q-tunnel” on page 30-25). If there are any dot1q-tunnel ports set on the switch, the no system mode command will fail.
  • Page 382: System Mtu Commands

    SYSTEM MANAGEMENT COMMANDS System MTU Commands This section describes commands used to configure the Ethernet frame size on the switch. Table 19-5 Frame Size Commands (Command / Function / Mode / Page): jumbo frame - Enables support for jumbo frames (19-12); system mtu - Sets the maximum transfer unit (19-13); show system mtu - Shows the maximum transfer unit size for...
  • Page 383: System Mtu

    SYSTEM MTU COMMANDS • To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size.
  • Page 384: Show System Mtu

    SYSTEM MANAGEMENT COMMANDS Command Usage • Gigabit Ethernet ports are not affected by the system mtu FE-size command. Fast Ethernet ports are not affected by the system mtu jumbo command. • After setting the jumbo frame size with the system mtu or system mtu jumbo command, remember to use the jumbo frame command (page 19-12) to implement the new setting by enabling jumbo frames.
  • Page 385: Table 19-6 Flash/File Commands

    MANAGEMENT COMMANDS When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file. Saving or Restoring Configuration Settings Configuration settings can be uploaded and downloaded to and from a TFTP server.
  • Page 386: Copy

    SYSTEM MANAGEMENT COMMANDS copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 387 MANAGEMENT COMMANDS or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • Due to the size limit of the flash memory, the switch supports only two operation code files. • The maximum number of user-defined configuration files depends on available memory.
  • Page 388 SYSTEM MANAGEMENT COMMANDS The following example shows how to upload the configuration settings to a file on the TFTP server: Console#copy file tftp Choose file type: 1. config: 2. opcode: <1-2>: 1 Source file name: startup TFTP server ip address: 10.1.0.99 Destination file name: startup.01 TFTP completed.
  • Page 389: Delete

    MANAGEMENT COMMANDS This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch. Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1.
  • Page 390: Dir

    SYSTEM MANAGEMENT COMMANDS Related Commands dir (19-20) delete public-key (21-28) dir This command displays a list of files in flash memory. Syntax dir {{boot-rom: | config: | opcode:} [filename]} The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. •...
  • Page 391: Whichboot

    MANAGEMENT COMMANDS Example The following example shows how to display all file information: Console#dir File name File type Startup Size (byte) ------------------------------------- -------------- ------- ----------- Unit1: D1.0.0.7 Boot-Rom Image 1159752 V1.0.1.5 Operation Code 3545724 Factory_Default_Config.cfg Config File startup1.cfg Config File 3336 --------------------------------------------------------------------------- Total free space:...
  • Page 392: Boot System

    SYSTEM MANAGEMENT COMMANDS boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom| config | opcode}: filename The type of file or image to set as a default includes: • boot-rom* - Boot ROM. •...
  • Page 393: Line Commands

    LINE COMMANDS Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 19-8 Line Commands (Command / Function / Mode / Page)...
  • Page 394: Line

    SYSTEM MANAGEMENT COMMANDS line This command identifies a specific line for configuration and is used to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 395: Login

    LINE COMMANDS login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command. Default Setting login local Command Mode...
  • Page 396: Password

    SYSTEM MANAGEMENT COMMANDS Example Console(config-line)#login local Console(config-line)# Related Commands username (21-2) password (19-26) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 397: Timeout Login Response

    LINE COMMANDS configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config-line)#password 0 secret Console(config-line)# Related Commands login (19-25) password-thresh (19-29) timeout login response This command sets the interval that the system waits for a user to log into the CLI.
  • Page 398: Exec-Timeout

    SYSTEM MANAGEMENT COMMANDS Example To set the timeout to two minutes, enter this command: Console(config-line)#timeout login response 120 Console(config-line)# exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout...
  • Page 399: Password-Thresh

    LINE COMMANDS password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold) Default Setting The default value is three attempts.
  • Page 400: Silent-Time

    SYSTEM MANAGEMENT COMMANDS silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 401: Parity

    LINE COMMANDS Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
  • Page 402: Speed

    SYSTEM MANAGEMENT COMMANDS Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
  • Page 403: Stopbits

    LINE COMMANDS Example To specify 57600 bps, enter this command: Console(config-line)#speed 57600 Console(config-line)# stopbits This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax stopbits {1 | 2} • 1 - One stop bit •...
  • Page 404: Show Line

    SYSTEM MANAGEMENT COMMANDS Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (21-31) show users (19-8) show line This command displays the terminal line’s parameters.
  • Page 405 LINE COMMANDS Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: auto Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console#
  • Page 406: Event Logging Commands

    SYSTEM MANAGEMENT COMMANDS Event Logging Commands This section describes commands used to configure event logging on the switch. Table 19-9 Event Logging Commands (Command / Function / Mode / Page): logging on - Controls logging of error messages (19-36); logging history - Limits syslog messages saved to switch memory based on severity (19-37); logging host...
  • Page 407: Logging History

    EVENT LOGGING COMMANDS command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers. Example Console(config)#logging on Console(config)# Related Commands logging history (19-37)
  • Page 408: Logging Host

    SYSTEM MANAGEMENT COMMANDS Table 19-10 Logging Levels (Continued) (Level / Severity Name / Description): warnings - Warning conditions (e.g., return false, unexpected return); errors - Error conditions (e.g., invalid input, default used); critical - Critical conditions (e.g., memory allocation, or free memory error - resource exhausted); alerts - Immediate action needed; emergencies...
  • Page 409: Logging Facility

    EVENT LOGGING COMMANDS Command Mode Global Configuration Command Usage Use this command more than once to build up a list of host IP addresses. The maximum number of host IP addresses allowed is five. Example Console(config)#logging host 10.1.0.3 Console(config)# logging facility This command sets the facility type for remote logging of syslog messages.
  • Page 410: Logging Trap

    SYSTEM MANAGEMENT COMMANDS logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 411: Clear Log

    EVENT LOGGING COMMANDS clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 412: Show Logging

    SYSTEM MANAGEMENT COMMANDS show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} • flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 413: Table 19-11 Show Logging Flash/Ram - Display Description

    EVENT LOGGING COMMANDS Example The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0). Console#show logging flash Syslog logging: Enabled...
  • Page 414: Show Log

    SYSTEM MANAGEMENT COMMANDS Table 19-12 show logging trap - display description (Continued) (Field / Description): REMOTELOG level type - The severity threshold for syslog messages sent to a remote server as specified in the logging trap command. REMOTELOG server IP address - The address of syslog servers as specified in the logging host command.
  • Page 415: Smtp Alert Commands

    SMTP ALERT COMMANDS SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 19-13 SMTP Alert Commands (Command / Function / Mode / Page): logging sendmail host - SMTP servers to receive alert messages (19-45); logging sendmail - Severity threshold used to trigger alert...
  • Page 416: Logging Sendmail Level

    SYSTEM MANAGEMENT COMMANDS • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection. • To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command.
  • Page 417: Logging Sendmail Source-Email

    SMTP ALERT COMMANDS logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Syntax logging sendmail source-email email-address email-address - The source email address used in alert messages. (Range: 1-41 characters) Default Setting None Command Mode Global Configuration...
  • Page 418: Logging Sendmail

    SYSTEM MANAGEMENT COMMANDS Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail This command enables SMTP event handling. Use the no form to disable this function.
  • Page 419: Show Logging Sendmail

    SMTP ALERT COMMANDS show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP minimum severity level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com SMTP source email address: bill@this-company.com...
  • Page 420: Time Commands

    SYSTEM MANAGEMENT COMMANDS Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 421: Table 19-14 Time Commands

    TIME COMMANDS Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 422: Sntp Poll

    SYSTEM MANAGEMENT COMMANDS Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
  • Page 423: Show Sntp

    TIME COMMANDS Related Commands sntp client (19-50) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
  • Page 424: Clock Timezone

    SYSTEM MANAGEMENT COMMANDS clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-13 hours) •...
  • Page 425: Calendar Set

    TIME COMMANDS calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 426 SYSTEM MANAGEMENT COMMANDS Example Console#show calendar 15:12:34 February 1 2002 Console#
  • Page 427 CHAPTER 20: SNMP COMMANDS Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 428: Snmp Commands

    SNMP COMMANDS Table 20-1 SNMP Commands (Continued) (Command / Function / Mode / Page): snmp-server view - Adds an SNMP view (20-13); show snmp view - Shows the SNMP views (20-14); snmp-server group - Adds an SNMP group, mapping users to views (20-15); show snmp group - Shows the SNMP groups (20-16); snmp-server user...
  • Page 429 SHOW SNMP Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable...
  • Page 430: Snmp-Server Community

    SNMP COMMANDS snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 431: Snmp-Server Contact

    SNMP SERVER CONTACT snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 432: Snmp-Server Host

    SNMP COMMANDS Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (20-5) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
  • Page 433 SNMP SERVER HOST community command prior to using the snmp-server host command. (Maximum length: 32 characters) • version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) - auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
  • Page 434 SNMP COMMANDS • Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt.
  • Page 435: Snmp-Server Enable Traps

    SNMP SERVER ENABLE TRAPS user command. Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the “noauth” option, an SNMP user account will be generated, and the switch will authorize SNMP access for the host.
  • Page 436: Snmp-Server Engine-Id

    SNMP COMMANDS notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. • The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications.
  • Page 437: Command Mode

    SNMP SERVER ENGINE Command Mode Global Configuration Command Usage • An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
  • Page 438: Show Snmp Engine-Id

    SNMP COMMANDS show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Remote SNMP engineID IP address 80000000030004e2b316c54321 192.168.1.19 Console#...
  • Page 439: Snmp-Server View

    SNMP SERVER VIEW snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
  • Page 440: Show Snmp View

    SNMP COMMANDS This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included...
  • Page 441: Snmp-Server Group

    SNMP SERVER GROUP snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
  • Page 442: Show Snmp Group

    SNMP COMMANDS • When privacy is selected, the DES 56-bit algorithm is used for data encryption. • For additional information on the notification messages supported by this switch, see “Supported Notification Messages” on page 5-19. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 20-9).
  • Page 443: Table 20-4 Show Snmp Group - Display Description

    SHOW SNMP GROUP Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v2c...
  • Page 444: Snmp-Server User

    SNMP COMMANDS snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]] no snmp-server user username {v1 | v2c | v3 | remote}...
  • Page 445 SNMP SERVER USER Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 20-10) to specify the engine ID for the remote device where the user resides.
  • Page 446: Show Snmp User

    SNMP COMMANDS show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
  • Page 447: Table 21-1 Authentication Commands

    CHAPTER 21: AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 448: User Authentication Commands

    AUTHENTICATION COMMANDS User Account Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 19-23), user authentication via a remote authentication server (page 21-1), and host access authentication for specific ports (page 21-34).
  • Page 449: Table 21-3 Default Login Settings

    USER ACCOUNT COMMANDS • password password - The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive) Default Setting The default access level is Normal Exec. The factory defaults for the user names and passwords are: Table 21-3 Default Login Settings username access-level...
  • Page 450: Enable Password

    AUTHENTICATION COMMANDS enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 451: Authentication Sequence

    AUTHENTICATION SEQUENCE Related Commands enable (18-2) authentication enable (21-7) Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 21-4 Authentication Sequence Commands Command Function...
  • Page 452 AUTHENTICATION COMMANDS Command Usage • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
  • Page 453: Authentication Enable

    AUTHENTICATION SEQUENCE authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 18-2). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable...
  • Page 454: Radius Client

    AUTHENTICATION COMMANDS Example Console(config)#authentication enable radius Console(config)# Related Commands enable password - sets the password for changing command modes (21-4) RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
  • Page 455: Radius-Server Host

    RADIUS CLIENT radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key] •...
  • Page 456: Radius-Server Port

    AUTHENTICATION COMMANDS radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812 Command Mode Global Configuration...
  • Page 457: Radius-Server Retransmit

    RADIUS CLIENT Example Console(config)#radius-server key green Console(config)# radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 458: Show Radius-Server

    AUTHENTICATION COMMANDS Command Mode Global Configuration Example Console(config)#radius-server timeout 10 Console(config)# show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: 1812 Retransmit times:...
  • Page 459: Tacacs+ Client

    TACACS+ CLIENT TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
  • Page 460: Tacacs-Server Port

    AUTHENTICATION COMMANDS tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting Command Mode Global Configuration Example...
  • Page 461: Show Tacacs-Server

SERVER COMMANDS Example Console(config)#tacacs-server key green Console(config)# show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS server configuration: Server IP address: 10.11.12.13 Communication key with TACACS server: ***** Server port number: Console# Web Server Commands...
  • Page 462: Ip Http Port

AUTHENTICATION COMMANDS ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1-65535) Default Setting Command Mode...
  • Page 463: Ip Http Secure-Server

SERVER COMMANDS Example Console(config)#ip http server Console(config)# Related Commands ip http port (21-16) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
  • Page 464: Ip Http Secure-Port

AUTHENTICATION COMMANDS • The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x and Netscape Navigator 6.2 or later versions. • The following web browsers and operating systems currently support HTTPS: Table 21-8 HTTPS System Support Web Browser...
  • Page 465 SERVER COMMANDS Default Setting Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000...
  • Page 466: Telnet Server Commands

AUTHENTICATION COMMANDS Telnet Server Commands This section describes commands used to configure Telnet management access to the switch. Table 21-9 Telnet Server Commands Command Function Mode Page ip telnet server Allows the switch to be monitored or 21-16 configured from Telnet; also specifies the port to be used by the Telnet interface ip telnet server This command allows this device to be monitored or configured from...
  • Page 467: Secure Shell Commands

SECURE SHELL COMMANDS Secure Shell Commands This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0 clients. Table 21-10 Secure Shell Commands Command Function...
  • Page 468 AUTHENTICATION COMMANDS Configuration Guidelines The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 21-5.
  • Page 469 SECURE SHELL COMMANDS 1024 35 1341081685609893921040944920155425347631641921872958921143173880 055536161631051775940838686311092912322268285192543746031009371877211996963178 136627741416898513204911720483033925432410163799759237144901193800609025394840 848271781943722884025331159521348610229029789827213532671316294325328189150453 06393916643 steve@192.168.1.19 4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. 5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 470: Ip Ssh Server

AUTHENTICATION COMMANDS c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 471: Ip Ssh Timeout

SECURE SHELL COMMANDS Default Setting Disabled Command Mode Global Configuration Command Usage • The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. • The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 472: Ip Ssh Authentication-Retries

AUTHENTICATION COMMANDS Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 473: Ip Ssh Server-Key Size

SECURE SHELL COMMANDS Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (21-31) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size –...
  • Page 474: Delete Public-Key

AUTHENTICATION COMMANDS delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
  • Page 475: Ip Ssh Crypto Zeroize

SECURE SHELL COMMANDS • This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory. • Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process.
  • Page 476: Ip Ssh Save Host-Key

AUTHENTICATION COMMANDS • The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize dsa Console# Related Commands ip ssh crypto host-key generate (21-28) ip ssh save host-key (21-30) no ip ssh server (21-24) ip ssh save host-key This command saves the host key from RAM to flash memory.
  • Page 477: Show Ip Ssh

SECURE SHELL COMMANDS show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 2.0 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh...
  • Page 478: Show Public-Key

AUTHENTICATION COMMANDS Table 21-11 show ssh - display description (Continued) Field Description Username The user name of the client. Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
  • Page 479: Privileged Exec

SECURE SHELL COMMANDS Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed. •...
  • Page 480: 802.1X Port Authentication

AUTHENTICATION COMMANDS 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 481: Dot1X System-Auth-Control

802.1X PORT AUTHENTICATION Table 21-12 802.1X Port Authentication Commands (Continued) Command Function Mode Page dot1x timeout tx-period Sets the time period during an 21-41 authentication session that the switch waits before re-transmitting an EAP packet show dot1x Shows all dot1x related information 21-41 dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the...
  • Page 482: Dot1X Max-Req

AUTHENTICATION COMMANDS dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default. Syntax dot1x max-req count no dot1x max-req count –...
  • Page 483: Dot1X Operation-Mode

802.1X PORT AUTHENTICATION Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 484: Dot1X Re-Authenticate

AUTHENTICATION COMMANDS • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Example Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10...
  • Page 485: Dot1X Re-Authentication

802.1X PORT AUTHENTICATION dot1x re-authentication This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
  • Page 486: Dot1X Timeout Re-Authperiod

AUTHENTICATION COMMANDS Default 60 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod...
  • Page 487: Dot1X Timeout Tx-Period

802.1X PORT AUTHENTICATION dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
  • Page 488 AUTHENTICATION COMMANDS Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: - Status –...
  • Page 489 802.1X PORT AUTHENTICATION - Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 21-36). - Supplicant – MAC address of authorized client. - Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
  • Page 490: A Uthentication C Ommands

AUTHENTICATION COMMANDS Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 1/47 disabled Single-Host ForceAuthorized 1/48 enabled Single-Host Auto 802.1X Port Details 802.1X is enabled on port 1/1 802.1X is enabled on port 26 reauth-enabled: Enable...
  • Page 491: Management Ip Filter Commands

MANAGEMENT IP FILTER COMMANDS Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 21-13 Management IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed 21-45 management access show management Displays the switch to be monitored or 21-46...
  • Page 492: Show Management

AUTHENTICATION COMMANDS Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 493 MANAGEMENT IP FILTER COMMANDS Command Mode Privileged Exec Example Console#show management all-client Management Ip Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 SNMP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2.
  • Page 494 AUTHENTICATION COMMANDS 21-48...
  • Page 495: Client Security Commands

CHAPTER: CLIENT SECURITY COMMANDS This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch.
  • Page 496: Port Security Commands

CLIENT SECURITY COMMANDS Table 22-1 Client Security Commands Command Group Function Page Private VLANs Configures private VLANs, including uplink and 30-17 downlink ports Port Authentication Configures host authentication on specific ports 21-34 using 802.1X Configures secure addresses for a port 22-2 Port Security Filters IP traffic on unsecure ports for which the...
  • Page 497: Port Security

SECURITY COMMANDS Table 22-2 Port Security Commands Command Function Mode Page port security Configures a secure port 22-3 mac-address-table static Maps a static address to a port in a VLAN GC 28-2 show mac-address-table Displays entries in the bridge-forwarding 28-4 database port security This command enables or configures port security.
  • Page 498: Ip Source Guard Commands

CLIENT SECURITY COMMANDS Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. •...
  • Page 499: Ip Source-Guard

IP SOURCE GUARD COMMANDS the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard. Table 22-3 IP Source Guard Commands Command Function Mode Page ip source-guard Configures the switch to filter inbound traffic 22-5 based on source IP address, or source IP address and corresponding MAC address...
  • Page 500 CLIENT SECURITY COMMANDS Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
  • Page 501: Ip Source-Guard Binding

IP SOURCE GUARD COMMANDS static DHCP snooping binding or dynamic DHCP snooping binding, the packet will be forwarded. - If IP source guard is enabled on an interface for which IP source bindings (dynamically learned via DHCP snooping or manually configured) are not yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.
  • Page 502 CLIENT SECURITY COMMANDS Command Mode Global Configuration Command Usage • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier. • All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command (page 22-9).
  • Page 503: Show Ip Source-Guard

IP SOURCE GUARD COMMANDS show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type --------- ----------- Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3 DISABLED Eth 1/4 DISABLED...
  • Page 504: Dhcp Snooping Commands

CLIENT SECURITY COMMANDS DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
  • Page 505: Ip Dhcp Snooping

DHCP SNOOPING COMMANDS ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source.
  • Page 506 CLIENT SECURITY COMMANDS - If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
  • Page 507: Ip Dhcp Snooping Vlan

DHCP SNOOPING COMMANDS binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
  • Page 508: Ip Dhcp Snooping Binding

CLIENT SECURITY COMMANDS • When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled. When DHCP snooping is globally enabled, configuration changes for specific VLANs have the following effects: - If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table;...
  • Page 509 DHCP SNOOPING COMMANDS • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28) • lease-time - The time after which an entry is removed from the table. (Range: 0-4294967295, where 0 indicates a permanent entry) Default Setting None Command Mode...
  • Page 510: Ip Dhcp Snooping Verify Mac-Address

CLIENT SECURITY COMMANDS • When the lease time for a dynamic or static DHCP binding entry expires, it is removed from the binding table. Example This example configures a static DHCP binding entry on port 5, and sets the lease time to make it a permanent entry. Console(config)#ip dhcp snooping binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 0 Console(config-if)#...
  • Page 511: Ip Dhcp Snooping Database Flash

DHCP SNOOPING COMMANDS Related Commands ip dhcp snooping (22-11) ip dhcp snooping vlan (22-13) ip dhcp snooping trust (22-17) ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 512: Show Ip Dhcp Snooping

CLIENT SECURITY COMMANDS Command Usage • An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network. •...
  • Page 513: Show Ip Dhcp Snooping Binding

DHCP SNOOPING COMMANDS Example Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable Interface Trusted ---------- ---------- Eth 1/1 Eth 1/2 Eth 1/3 Eth 1/4 Eth 1/5 show ip dhcp snooping binding This command shows the DHCP snooping binding table entries.
  • Page 514 CLIENT SECURITY COMMANDS 22-20...
  • Page 515 CHAPTER: ACCESS CONTROL COMMANDS Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 516: Access Control List Commands

ACCESS CONTROL COMMANDS IP ACLs The commands in this section configure ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code. To configure IP ACLs, first create an access list containing the required permit or deny rules, set a precedence mask to control the filter sequence, and then bind the access list to one or more ports. Table 23-2 IP ACL Commands Command...
  • Page 517: Ip Acls

    IP ACL access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address.
  • Page 518: Permit, Deny (Standard Acl)

ACCESS CONTROL COMMANDS permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 519: Permit, Deny (Extended Acl)

    IP ACL permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 520 CCESS ONTROL OMMANDS • control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) • flag-bitmask – Decimal number representing the code bits to match. Default Setting None Command Mode Extended IP ACL Command Usage •...
  • Page 521: Show Ip Access-List

    IP ACL Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.0 to any...
  • Page 522: Access-List Ip Mask-Precedence

ACCESS CONTROL COMMANDS Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny 23-4 ip access-group (23-14) access-list ip mask-precedence This command changes to the IP Mask mode used to configure access control masks.
  • Page 523: Mask (Ip Acl)

    IP ACL Example Console(config)#access-list ip mask-precedence in Console(config-ip-mask-acl)# Related Commands mask (IP ACL) (23-9) ip access-group (23-14) mask (IP ACL) This command defines a mask for IP ACLs. This mask defines the fields to check in the IP header. Use the no form to remove a mask. Syntax [no] mask [protocol] {any | host | source-bitmask}...
  • Page 524 CCESS ONTROL OMMANDS Default Setting None Command Mode IP Mask Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
  • Page 525 IP ACL This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according the “mask host any”...
  • Page 526 CCESS ONTROL OMMANDS This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23. Console(config)#access-list ip extended A3 Console(config-ext-acl)#deny host 171.69.198.5 any Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port 23 Console(config-ext-acl)#end Console#show access-list...
  • Page 527: Show Access-List Ip Mask-Precedence

    IP ACL This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL.
  • Page 528: Ip Access-Group

ACCESS CONTROL COMMANDS Command Mode Privileged Exec Example Console#show access-list ip mask-precedence IP ingress mask ACL: mask host any mask 255.255.255.0 any Console# Related Commands mask (IP ACL) (23-9) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port.
  • Page 529: Show Ip Access-Group

    MAC ACL Related Commands show ip access-list (23-7) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/2 IP standard access-list david Console# Related Commands ip access-group (23-14) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
  • Page 530 CCESS ONTROL OMMANDS Table 23-3 MAC ACL Commands (Continued) Command Function Mode Page mask Sets a precedence mask for the ACL MAC-Mask 23-21 rules show access-list mac Shows the ingress or egress rule 23-23 mask-precedence masks for MAC ACLs mac access-group Adds a port to a MAC ACL 23-23 show mac...
  • Page 531: Permit, Deny (Mac Acl)

    MAC ACL Related Commands permit, deny (23-17) mac access-group (23-23) show mac access-list (23-19) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 532 CCESS ONTROL OMMANDS • tagged-eth2 – Tagged Ethernet II packets. • untagged-eth2 – Untagged Ethernet II packets. • tagged-802.3 – Tagged Ethernet 802.3 packets. • untagged-802.3 – Untagged Ethernet 802.3 packets. • any – Any MAC source or destination address. •...
  • Page 533: Show Mac Access-List

    MAC ACL Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (23-16) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name –...
  • Page 534: Access-List Mac Mask-Precedence

ACCESS CONTROL COMMANDS access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list mac mask-precedence {in | out} • in – Ingress mask for ingress ACLs. •...
  • Page 535: Mask (Mac Acl)

    MAC ACL mask (MAC ACL) This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask. Syntax [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]] •...
  • Page 536: Table 23-1 Access Control List Commands

ACCESS CONTROL COMMANDS Example This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. Console(config)#access-list mac M4 Console(config-mac-acl)#permit any any Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 Console(config-mac-acl)#end...
  • Page 537: Show Access-List Mac Mask-Precedence

    MAC ACL show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC ACLs. Syntax show access-list mac mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egress ACLs. Command Mode Privileged Exec Example...
  • Page 538: Show Mac Access-Group

ACCESS CONTROL COMMANDS • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 539: Show Access-List

ACL INFORMATION show access-list This command shows all IPv4 ACLs and associated rules. Command Mode Privileged Exec Command Usage Once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
  • Page 540 ACCESS CONTROL COMMANDS 23-26...
  • Page 541 CHAPTER: INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 24-1 Interface Commands Command Function Mode Page interface Configures an interface type and enters 24-2 interface configuration mode description Adds a description to an interface 24-3...
  • Page 542: Interface Commands

INTERFACE COMMANDS Table 24-1 Interface Commands (Continued) Command Function Mode Page show interfaces Displays statistics for the specified NE, PE 24-14 counters interfaces show interfaces Displays the administrative and NE, PE 24-16 switchport operational status of an interface interface This command configures an interface type and enters interface configuration mode.
  • Page 543: Description

    DESCRIPTION description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters) Default Setting None Command Mode...
  • Page 544 NTERFACE OMMANDS Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is: - Fast Ethernet ports – 100full (100 Mbps full-duplex) - Gigabit Ethernet ports – 1000full (1 Gbps full-duplex) Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 545: Negotiation

    NEGOTIATION negotiation This command enables autonegotiation for a given interface. Use the no form to disable autonegotiation. Syntax [no] negotiation Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
  • Page 546: Capabilities

INTERFACE COMMANDS capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values. Syntax [no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric} •...
  • Page 547: Flowcontrol

    FLOWCONTROL Example The following example configures Ethernet port 5 capabilities to 100half and 100full. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)# Related Commands negotiation (24-5) speed-duplex (24-3) flowcontrol (24-7) flowcontrol This command enables flow control. Use the no form to disable flow control.
  • Page 548: Media-Type

INTERFACE COMMANDS To enable flow control under auto-negotiation, “flowcontrol” must be included in the capabilities list for any port. • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
  • Page 549: Shutdown

    SHUTDOWN Example This forces the switch to use the built-in RJ-45 port for the combination port 28. Console(config)#interface ethernet 1/28 Console(config-if)#media-type copper-forced Console(config-if)# shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled.
  • Page 550: Switchport Packet-Rate

    INTERFACE COMMANDS switchport packet-rate This command configures broadcast and multicast storm control. Use the no form to restore the default setting. Syntax switchport {broadcast | multicast} packet-rate rate no switchport broadcast • broadcast - Specifies storm control for broadcast traffic. •...
  • Page 551: Switchport Block

    SWITCHPORT BLOCK switchport block This command prevents flooding of unknown unicast or multicast packets to an interface. Use the no form to restore the default setting. Syntax [no] switchport block {unicast | multicast} • unicast - Specifies unknown unicast packets. •...
  • Page 552: Clear Counters

    INTERFACE COMMANDS clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-32) Default Setting None Command Mode Privileged Exec...
  • Page 553: Show Interfaces Status

    SHOW INTERFACES STATUS show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-32) •...
  • Page 554: Show Interfaces Counters

    INTERFACE COMMANDS Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 1000T Mac address: 00-30-F1-D4-73-A5 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, 1000full Broadcast storm: Enabled Broadcast storm limit: 500 packets/second Flow control: Disabled LACP:...
  • Page 555 SHOW INTERFACES COUNTERS Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 9-28. Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats:...
  • Page 556: Show Interfaces Switchport

    INTERFACE COMMANDS show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
  • Page 557: Table 24-2 Show Interfaces Switchport - Display Description

    SHOW INTERFACES SWITCHPORT Table 24-2 show interfaces switchport - display description Field Description Broadcast threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 24-10). Multicast Threshold Shows if multicast storm suppression is enabled or disabled;...
  • Page 559 CHAPTER 25 LINK AGGREGATION COMMANDS Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 560: Link Aggregation Commands

    LINK AGGREGATION COMMANDS Table 25-1 Link Aggregation Commands (Continued) | Command | Function | Mode | Page | lacp admin-key | Configures a port channel’s administration key | IC (Port Channel) | 25-8 | lacp port-priority | Configures a port's LACP port priority | IC (Ethernet) | 25-9 | Trunk Status Display Commands: show interfaces status | Shows trunk information | NE, PE | 24-13...
  • Page 561: Channel-Group

    CHANNEL GROUP • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
  • Page 562: Lacp

    LINK AGGREGATION COMMANDS Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting...
  • Page 563 LACP Example The following shows LACP enabled on ports 46-48. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established. Console(config)#interface ethernet 1/46 Console(config-if)#lacp Console(config-if)#exit Console(config)#interface ethernet 1/47...
  • Page 564: Lacp System-Priority

    LINK AGGREGATION COMMANDS lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. •...
  • Page 565: Lacp Admin-Key (Ethernet Interface)

    LACP ADMIN-KEY (ETHERNET INTERFACE) lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key • actor - The local side of an aggregate link. •...
  • Page 566: Lacp Admin-Key (Port Channel)

    LINK AGGREGATION COMMANDS lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp admin-key key [no] lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
  • Page 567: Lacp Port-Priority

    LACP PORT PRIORITY lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 568: Show Lacp

    LINK AGGREGATION COMMANDS show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channel - Local identifier for a link aggregation group. (Range: 1-32) • counters - Statistics for LACP protocol messages. •...
  • Page 569: Table 25-2 Show Lacp Counters - Display Description

    SHOW LACP Table 25-2 show lacp counters - display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received on this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group.
  • Page 570 LINK AGGREGATION COMMANDS Table 25-3 show lacp internal - display description (Continued) Field Description LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel. LACP Port Priority LACP port priority assigned to this interface within the channel group.
  • Page 571: Table 25-4 Show Lacp Neighbors - Display Description

    SHOW LACP Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-01-F4-78-AE-C0 Partner Admin Port Number: 2 Partner Oper Port Number: Port Admin Priority: 32768 Port Oper Priority: 32768 Admin Key: Oper Key:...
  • Page 572: Table 25-5 Show Lacp Sysid - Display Description

    LINK AGGREGATION COMMANDS Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------- 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 Table 25-5 show lacp sysid - display description Field Description Channel group...
  • Page 573: Mirror Port Commands

    CHAPTER 26 MIRROR PORT COMMANDS This section describes how to mirror traffic from a source port to a target port. Table 26-1 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 26-1 show port monitor Shows the configuration for a mirror port 26-2 port monitor This command configures a mirror session.
  • Page 574: Show Port Monitor

    MIRROR PORT COMMANDS Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 575 SHOW PORT MONITOR Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). Example The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end Console#show port monitor Port Mirroring...
  • Page 577 CHAPTER 27 RATE LIMIT COMMANDS This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. The maximum data rate may also be set for specific Class of Service (CoS) priorities for traffic transmitted out of an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 578: Rate Limit Commands

    RATE LIMIT COMMANDS rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} •...
  • Page 579: Rate-Limit Cos

    RATE LIMIT COS rate-limit cos This command defines the output rate limit for an interface based on specified CoS priorities. Use the no form to restore the default status of disabled. Syntax rate-limit cos cos_value rate no rate-limit cos • cos_value – A number from 0 to 7, where 7 is the highest priority. •...
  • Page 580: Table 27-2 Mapping Default To Per Port Cos Priority Levels

    RATE LIMIT COMMANDS Table 27-2 Mapping Default to Per Port CoS Priority Levels Queue Priority (default CoS) Priority (per port CoS) Example This example sets the maximum output rate for CoS traffic of priority level 0 to 50 Mbps on Port 1. Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit cos 0 50 Console(config-if)#...
  • Page 581: Show Rate-Limit Cos

    SHOW RATE LIMIT COS show rate-limit cos This command displays the output rate limit for CoS priorities. Command Mode Privileged Exec Command Usage If no rate limit is set, this command displays a value of “0” for the corresponding interface. Example The following example shows that the rate limit set in the preceding example for CoS priority class 0 affects both priority class 0 and 3, which...
  • Page 583 CHAPTER 28 ADDRESS TABLE COMMANDS These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 28-1 Address Table Commands Command Function Mode Page mac-address-table static Maps a static address to a port in a VLAN 28-2 clear mac-address-table...
  • Page 584: Address Table Commands

    ADDRESS TABLE COMMANDS mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id •...
  • Page 585: Clear Mac-Address-Table Dynamic

    CLEAR MAC ADDRESS TABLE DYNAMIC • A static address cannot be learned on another port until the address is removed with the no form of this command. Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.
  • Page 586: Show Mac-Address-Table

    ADDRESS TABLE COMMANDS show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
  • Page 587: Mac-Address-Table Aging-Time

    ADDRESS TABLE AGING TIME • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface MAC Address VLAN Type --------- ----------------- ---- ----------------- Eth 1/ 1 00-e0-29-94-34-de 1 Delete-on-reset Console# mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
  • Page 588: Show Mac-Address-Table Aging-Time

    ADDRESS TABLE COMMANDS show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 300 sec. Console#
  • Page 589 CHAPTER 29 SPANNING TREE COMMANDS This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 29-1 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 29-3 spanning-tree mode Configures STP, RSTP or MSTP mode GC...
  • Page 590: Spanning Tree Commands

    SPANNING TREE COMMANDS Table 29-1 Spanning Tree Commands (Continued) Command Function Mode Page revision Configures the revision number for the multiple spanning tree 29-14 max-hops Configures the maximum number of hops allowed in the region before a BPDU is discarded 29-14 spanning-tree Disables spanning tree for an interface IC 29-15...
  • Page 591: Spanning-Tree

    SPANNING TREE spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
  • Page 592: Spanning-Tree Mode

    SPANNING TREE COMMANDS spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode • stp - Spanning Tree Protocol (IEEE 802.1D) •...
  • Page 593: Spanning-Tree Forward-Time

    SPANNING TREE FORWARD TIME restarts the migration delay timer and begins using RSTP BPDUs on that port. • Multiple Spanning Tree Protocol - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
  • Page 594: Spanning-Tree Hello-Time

    SPANNING TREE COMMANDS Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state;...
  • Page 595: Spanning-Tree Max-Age

    SPANNING TREE MAX Related Commands spanning-tree forward-time (29-5) spanning-tree max-age (29-7) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds.
  • Page 596: Spanning-Tree Priority

    SPANNING TREE COMMANDS Related Commands spanning-tree forward-time (29-5) spanning-tree hello-time (29-6) spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
  • Page 597: Spanning-Tree Pathcost Method

    SPANNING TREE PATHCOST METHOD spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method •...
  • Page 598: Spanning-Tree Transmission-Limit

    SPANNING TREE COMMANDS spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting Command Mode Global Configuration...
  • Page 599: Mst Vlan

    MST VLAN Related Commands mst vlan (29-11) mst priority (29-12) name (29-13) revision (29-14) max-hops (29-14) mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
  • Page 600: Mst Priority

    SPANNING TREE COMMANDS instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# mst priority This command configures the priority of a spanning tree instance.
  • Page 601: Name

    NAME Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address Command Mode...
  • Page 602: Revision

    SPANNING TREE COMMANDS revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting Command Mode MST Configuration Command Usage...
  • Page 603: Spanning-Tree Spanning-Disabled

    SPANNING TREE SPANNING DISABLED Default Setting Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 604: Spanning-Tree Cost

    SPANNING TREE COMMANDS Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost...
  • Page 605 SPANNING TREE COST Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 606: Spanning-Tree Port-Priority

    SPANNING TREE COMMANDS spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 607: Spanning-Tree Portfast

    SPANNING TREE PORTFAST Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
  • Page 608 SPANNING TREE COMMANDS Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. •...
  • Page 609: Spanning-Tree Link-Type

    SPANNING TREE LINK TYPE spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type • auto - Automatically derived from the duplex mode setting. •...
  • Page 610: Spanning-Tree Mst Cost

    SPANNING TREE COMMANDS spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost •...
  • Page 611: Spanning-Tree Mst Port-Priority

    SPANNING TREE MST PORT PRIORITY should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media. • Use the no spanning-tree mst cost command to specify auto-configuration mode. • Path cost takes precedence over interface priority. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50...
  • Page 612: Spanning-Tree Protocol-Migration

    SPANNING TREE COMMANDS Where more than one interface is assigned the highest priority, the interface with the lowest numeric identifier will be enabled. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 port-priority 0 Console(config-if)# Related Commands spanning-tree mst cost (29-22) spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface.
  • Page 613: Show Spanning-Tree

    SHOW SPANNING TREE Example Console#spanning-tree protocol-migration eth 1/5 Console# show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance_id] • interface •...
  • Page 614 SPANNING TREE COMMANDS description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 11-13. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4093 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 615: Show Spanning-Tree Mst Configuration

    SHOW SPANNING TREE MST CONFIGURATION show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- Console#
  • Page 617 CHAPTER 30 VLAN COMMANDS A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 618: Vlan Commands

    VLAN COMMANDS GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 619: Show Bridge-Ext

    GVRP AND BRIDGE EXTENSION COMMANDS Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. Example Console(config)#bridge-ext gvrp Console(config)#...
  • Page 620: Switchport Gvrp

    VLAN COMMANDS switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
  • Page 621: Garp Timer

    GVRP AND BRIDGE EXTENSION COMMANDS garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 622: Show Garp Timer

    VLAN COMMANDS Example Console(config)#interface ethernet 1/1 Console(config-if)#garp timer join 100 Console(config-if)# Related Commands show garp timer (30-6) show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit.
  • Page 623: Editing Vlan Groups

    EDITING VLAN GROUPS Editing VLAN Groups Table 30-3 Commands for Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and delete VLANs 30-7 vlan Configures a VLAN, including VID, name and state 30-8 vlan database This command enters VLAN database mode.
  • Page 624: Vlan

    VLAN COMMANDS vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4093, no leading zeroes) •...
  • Page 625: Configuring Vlan Interfaces

    CONFIGURING VLAN INTERFACES Related Commands show vlan (30-16) Configuring VLAN Interfaces Table 30-4 Commands for Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN 30-9 switchport mode Configures VLAN membership mode for an interface 30-10 switchport...
  • Page 626: Switchport Mode

    VLAN COMMANDS Default Setting None Command Mode Global Configuration Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (24-9)
  • Page 627: Switchport Acceptable-Frame-Types

    CONFIGURING VLAN INTERFACES Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)# Related Commands switchport acceptable-frame-types (30-11) switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default.
  • Page 628: Switchport Ingress-Filtering

    VLAN COMMANDS Related Commands switchport mode (30-10) switchport ingress-filtering This command enables ingress filtering for an interface. Use the no form to restore the default. Syntax [no] switchport ingress-filtering Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 629: Switchport Native Vlan

    CONFIGURING VLAN INTERFACES switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes) Default Setting VLAN 1...
  • Page 630: Switchport Allowed Vlan

    VLAN COMMANDS switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 631: Switchport Forbidden Vlan

    CONFIGURING VLAN INTERFACES • If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface. Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged...
  • Page 632: Displaying Vlan Information

    VLAN COMMANDS Example The following example shows how to prevent port 1 from being added to VLAN 3: Console(config)#interface ethernet 1/1 Console(config-if)#switchport forbidden vlan add 3 Console(config-if)# Displaying VLAN Information This section describes commands used to display VLAN information. Table 30-5 Commands for Displaying VLAN Information Command Function...
  • Page 633: Pvlan

    CONFIGURING PRIVATE VLANS Example The following example shows how to display information for VLAN 1: Console#show vlan id 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S)
  • Page 634: Show Pvlan

    VLAN COMMANDS Command Mode Global Configuration Command Usage • A private VLAN provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the uplink port. • Private VLANs and normal VLANs can exist simultaneously within the same switch.
  • Page 635: Configuring Protocol-Based Vlans

    CONFIGURING PROTOCOL-BASED VLANS Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
  • Page 636: Protocol-Vlan Protocol-Group (Configuring Groups)

    VLAN COMMANDS Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode). protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]...
  • Page 637: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    CONFIGURING PROTOCOL-BASED VLANS protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan •...
  • Page 638: Show Protocol-Vlan Protocol-Group

    VLAN COMMANDS Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 2 Console(config-if)# show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups.
  • Page 639: Show Interfaces Protocol-Vlan Protocol-Group

    CONFIGURING PROTOCOL-BASED VLANS show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
  • Page 640: Configuring Ieee 802.1Q Tunneling

    VLAN COMMANDS Configuring IEEE 802.1Q Tunneling QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 641: Switchport Mode Dot1Q-Tunnel

    CONFIGURING IEEE 802.1Q TUNNELING ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (See switchport dot1q-ethertype, page 30-27.) Configure the QinQ tunnel port to join the SPVLAN as an untagged member (switchport allowed vlan, page 30-14). Configure the SPVLAN ID as the native VID on the QinQ tunnel port (switchport native vlan, page 30-13).
  • Page 642: Show Dot1Q-Tunnel

    VLAN COMMANDS Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode dot1q-tunnel Console(config-if)# Related Commands show dot1q-tunnel (page 30-26) show interfaces switchport (24-16) show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#system mode qinq Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode dot1q-tunnel Console(config-if)#end Console#show dot1q-tunnel...
  • Page 643: Switchport Dot1Q-Ethertype

    CONFIGURING IEEE 802.1Q TUNNELING switchport dot1q-ethertype This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-ethertype tpid no switchport dot1q-ethertype tpid –...
  • Page 645 CHAPTER: CLASS OF SERVICE COMMANDS The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 646: Class Of Service Commands

    CLASS OF SERVICE COMMANDS Priority Commands (Layer 2) This section describes commands used to configure Layer 2 traffic priority on the switch. Table 31-2 Priority Commands (Layer 2) Command Function Mode Page Global Priority Settings queue mode Sets the queue mode to strict priority or 31-3 Weighted Round-Robin (WRR) show queue mode...
  • Page 647: Priority Commands (Layer 2)

    PRIORITY COMMANDS (LAYER 2) queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
  • Page 648: Show Queue Mode

    CLASS OF SERVICE COMMANDS Related Commands queue bandwidth (31-6) show queue mode (31-4) show queue mode This command shows the current queue mode. Default Setting None Command Mode Privileged Exec Example Console#sh queue mode Wrr status: Enabled Console# switchport priority default This command sets a priority for incoming untagged frames.
  • Page 649 PRIORITY COMMANDS (LAYER 2) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames).
  • Page 650: Queue Bandwidth

    CLASS OF SERVICE COMMANDS queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler.
  • Page 651: Queue Cos-Map

    PRIORITY COMMANDS (LAYER 2) queue cos-map This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 7). Use the no form to set the CoS map to the default values. Syntax queue cos-map queue_id [cos1 ... cosn] no queue cos-map •...
  • Page 652: Show Queue Bandwidth

    CLASS OF SERVICE COMMANDS Example The following example shows how to change the CoS assignments to a one-to-one mapping: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0 Console(config-if)#queue cos-map 1 1 Console(config-if)#queue cos-map 2 2 Console(config-if)#exit Console#show queue cos-map ethernet 1/1 Information of Eth 1/1 Traffic Class : 0 1 2 3 4 5 6 7 Priority Queue: 0 1 2 3 4 5 6 7...
  • Page 653: Show Queue Cos-Map

    PRIORITY COMMANDS (LAYER 2) show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-32) Default Setting None Command Mode...
  • Page 654: Show Vlan Based Priority

    CLASS OF SERVICE COMMANDS Default Setting The original priority value in the VLAN tag of a tagged packet, or a VLAN priority tag inserted by another device for an untagged packet. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 655: Priority Commands (Layer 3 And 4)

    PRIORITY COMMANDS (LAYER 3 AND 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 31-4 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip port Enables TCP/UDP class of service 31-11 mapping...
  • Page 656: Map Ip Port (Interface Configuration)

    CLASS OF SERVICE COMMANDS Command Usage The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. Example The following example shows how to enable TCP/UDP port mapping globally: Console(config)#map ip port Console(config)# map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority).
  • Page 657: Map Ip Precedence (Global Configuration)

    PRIORITY COMMANDS (LAYER 3 AND 4) map ip precedence (Global Configuration) This command enables IP precedence mapping (i.e., IP Type of Service). Use the no form to disable IP precedence mapping. Syntax [no] map ip precedence Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 658: Map Ip Dscp (Global Configuration)

    CLASS OF SERVICE COMMANDS Default Setting The list below shows the default priority mapping. Table 31-5 Mapping IP Precedence to CoS Values IP Precedence Value CoS Value Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
  • Page 659: Map Ip Dscp (Interface Configuration)

    PRIORITY COMMANDS (LAYER 3 AND 4) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type. Example The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp...
  • Page 660: Show Map Ip Port

    CLASS OF SERVICE COMMANDS Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the eight hardware priority queues.
  • Page 661: Show Map Ip Precedence

    PRIORITY COMMANDS (LAYER 3 AND 4) Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port Port no. COS --------- -------- --- Eth 1/ 5 Console# Related Commands map ip port (Global Configuration) (31-11) map ip port (Interface Configuration) (31-12) show map ip precedence This command shows the IP precedence priority map.
  • Page 662: Show Map Ip Dscp

    CLASS OF SERVICE COMMANDS Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --- Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Console# Related Commands...
  • Page 663: Table 31-1 Priority Commands

    PRIORITY COMMANDS (LAYER 3 AND 4) Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (31-14)
  • Page 665 CHAPTER: QUALITY OF SERVICE COMMANDS The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 666: Quality Of Service Commands

    QUALITY OF SERVICE COMMANDS Table 32-1 Quality of Service Commands (Continued) Command Function Mode Page show policy-map Displays the QoS policy maps which define 32-12 classification criteria for incoming traffic, and may include policers for bandwidth limitations show policy-map Displays the configuration of all classes 32-13 interface configured for all service policies on the...
  • Page 667: Class-Map

    CLASS-MAP Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. 2. You should create a Class Map (page 32-3) before creating a Policy Map (page 32-6). Otherwise, you will not be able to specify a Class Map with the class command (page 32-7) after entering Policy-Map Configuration mode.
  • Page 668: Match

    QUALITY OF SERVICE COMMANDS • The class map is used with a policy map (page 32-6) to create a service policy (page 32-10) for a specific interface that defines packet classification, service tagging, and bandwidth policing. Example This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class match-any Console(config-cmap)#match ip dscp 3...
  • Page 669 MATCH Command Usage • First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use the match command to specify the fields within ingress packets that must match to qualify for this class map. •...
  • Page 670: Policy-Map

    QUALITY OF SERVICE COMMANDS policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
  • Page 671: Class

    CLASS class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode. Syntax [no] class class-map-name class-map-name - Name of the class map.
  • Page 672: Set

    QUALITY OF SERVICE COMMANDS Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 673: Police

    POLICE Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 674: Service-Policy

    QUALITY OF SERVICE COMMANDS burst-byte field, and the average rate at which tokens are removed from the bucket is specified by the rate-bps option. Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating...
  • Page 675: Show Class-Map

    SHOW CLASS-MAP • You must first define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to the required interface. Example This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/1 Console(config-if)#service-policy input rd_policy Console(config-if)#...
  • Page 676: Show Policy-Map

    QUALITY OF SERVICE COMMANDS show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] • policy-map-name - Name of the policy map. (Range: 1-32 characters) •...
  • Page 677: Show Policy-Map Interface

    SHOW POLICY-MAP INTERFACE show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
  • Page 679 CHAPTER: MULTICAST FILTERING COMMANDS This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 680: Multicast Filtering Commands

    MULTICAST FILTERING COMMANDS IGMP Snooping Commands This section describes commands used to configure IGMP snooping on the switch. Table 33-2 IGMP Snooping Commands Command Function Mode Page ip igmp snooping Enables IGMP snooping 33-2 ip igmp snooping vlan Adds an interface as a member of a 33-3 static multicast group...
  • Page 681: Igmp Snooping Commands

    IGMP SNOOPING COMMANDS Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface •...
  • Page 682: Ip Igmp Snooping Version

    MULTICAST FILTERING COMMANDS ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
  • Page 683: Ip Igmp Snooping Leave-Proxy

    IGMP SNOOPING COMMANDS ip igmp snooping leave-proxy This command suppresses leave messages unless received from the last member port in the group. Use the no form to restore the default. Syntax ip igmp snooping leave-proxy no ip igmp snooping leave-proxy Default Setting Disabled Command Mode...
  • Page 684: Ip Igmp Snooping Immediate-Leave

    MULTICAST FILTERING COMMANDS • IGMP version 1 hosts do not respond to multicast group-specific queries. If a version 1 host is known by the switch to exist on a LAN segment, it will not use the IGMP snooping leave-proxy mechanism on that interface, but will instead process any group leave requests as specified in the original mechanism for IGMP snooping.
  • Page 685: Show Ip Igmp Snooping

    IGMP SNOOPING COMMANDS • This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following shows how to enable immediate leave. Console(config)#interface vlan 1 Console(config-if)#ip igmp snooping immediate-leave Console(config-if)# show ip igmp snooping This command shows the IGMP snooping configuration.
  • Page 686: Show Mac-Address-Table Multicast

    MULTICAST FILTERING COMMANDS show mac-address-table multicast This command shows known multicast addresses. Syntax show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] • vlan-id - VLAN ID (1 to 4093) • user - Display only the user-configured multicast entries. • igmp-snooping - Display only entries learned through IGMP snooping.
  • Page 687: Igmp Query Commands

    IGMP QUERY COMMANDS IGMP Query Commands This section describes commands used to configure Layer 2 IGMP query on the switch. Table 33-3 IGMP Query Commands Command Function Mode Page ip igmp snooping querier Allows this device to act as the 33-9 querier for IGMP snooping ip igmp snooping...
  • Page 688: Ip Igmp Snooping Query-Count

    MULTICAST FILTERING COMMANDS Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
  • Page 689: Ip Igmp Snooping Query-Interval

    IGMP QUERY COMMANDS ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
  • Page 690: Ip Igmp Snooping Router-Port-Expire-Time

    MULTICAST FILTERING COMMANDS Command Usage • The switch must be using IGMPv2 or v3 snooping for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
  • Page 691: Static Multicast Routing Commands

    STATIC MULTICAST ROUTING COMMANDS Command Usage The switch must use IGMPv2 or v3 snooping for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Console(config)#ip igmp snooping router-port-expire-time 300 Console(config)# Related Commands ip igmp snooping version (33-4) Static Multicast Routing Commands This section describes commands used to configure static multicast...
  • Page 692: Show Ip Igmp Snooping Mrouter

    MULTICAST FILTERING COMMANDS Default Setting No static multicast router ports are configured. Command Mode Global Configuration Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 693: Multicast Vlan Registration Commands

    MULTICAST VLAN REGISTRATION COMMANDS Example The following shows that port 11 in VLAN 1 is attached to a multicast router: Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static Console# Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR).
  • Page 694: Mvr (Global Configuration)

    MULTICAST FILTERING COMMANDS mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 695: Mvr (Interface Configuration)

    MULTICAST VLAN REGISTRATION COMMANDS • IGMP snooping must be enabled to allow a subscriber to dynamically join or leave an MVR group (see ip igmp snooping on page 33-2). Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
  • Page 696 MULTICAST FILTERING COMMANDS Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. •...
  • Page 697: Show Mvr

    MULTICAST VLAN REGISTRATION COMMANDS page 33-2). Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages. Example The following configures one source port and several receiver ports on the switch, enables immediate leave on one of the receiver ports, and statically assigns a multicast group to another receiver port: Console(config)#interface ethernet 1/5 Console(config-if)#mvr type source...
  • Page 698: Table 33-6 Show Mvr - Display Description

    MULTICAST FILTERING COMMANDS Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
  • Page 699: Table 33-7 Show Mvr Interface - Display Description

    MULTICAST VLAN REGISTRATION COMMANDS The following displays information about the interfaces attached to the MVR VLAN: Console#show mvr interface Port Type Status Immediate Leave ------- -------- ------------- --------------- eth1/1 SOURCE ACTIVE/UP Disable eth1/2 RECEIVER ACTIVE/UP Disable eth1/5 RECEIVER INACTIVE/DOWN Disable eth1/6 RECEIVER...
  • Page 700: Table 33-8 Show Mvr Members - Display Description

    MULTICAST FILTERING COMMANDS The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Console#show mvr members MVR Group IP Status Members ---------------- -------- ------- 225.0.0.1 ACTIVE eth1/1(d), eth1/2(s) 225.0.0.2 INACTIVE None 225.0.0.3 INACTIVE None 225.0.0.4 INACTIVE None...
  • Page 701: Table 34-1 Dns Commands

    CHAPTER: DOMAIN NAME SERVICE COMMANDS These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
  • Page 702: Domain Name Service Commands

    DOMAIN NAME SERVICE COMMANDS Table 34-1 DNS Commands (Continued) Command Function Mode Page show dns cache Displays entries in the DNS cache 34-9 clear dns cache Clears all entries from the DNS cache 34-10 ip host This command creates a static entry in the DNS table that maps a host name to an IP address.
  • Page 703: Clear Host

    CLEAR HOST Example This example maps two addresses to a host name. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#end Console#show hosts Hostname Inet address 10.1.0.55 192.168.1.55 Alias Console# clear host This command deletes entries from the DNS table. Syntax clear host {name | *} •...
  • Page 704: Ip Domain-Name

    DOMAIN NAME SERVICE COMMANDS ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
  • Page 705: Ip Domain-List

    IP DOMAIN-LIST ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
  • Page 706: Ip Name-Server

    DOMAIN NAME SERVICE COMMANDS Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List:...
  • Page 707: Ip Domain-Lookup

    IP DOMAIN-LOOKUP Example This example adds two domain-name servers to the list and then displays the list (the command is ip name-server, as listed in Table 34-1). Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console#...
  • Page 708: Show Hosts

    DOMAIN NAME SERVICE COMMANDS Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Related Commands ip domain-name (34-4) ip name-server (34-6) show hosts This command displays the static host name-to-address mapping table.
  • Page 709: Show Dns

    SHOW DNS show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache.
  • Page 710: Clear Dns Cache

    DOMAIN NAME SERVICE COMMANDS Table 34-2 show dns cache - display description Field Description TYPE This field includes CNAME which specifies the canonical or primary name for the owner, and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry.
  • Page 711: Table 35-1 Basic Ip Configuration Commands

    CHAPTER: IP INTERFACE COMMANDS An IP address may be used for management access to the switch over your network. An IP address is obtained via DHCP by default for VLAN 1. You can manually configure a specific IP address, or direct the switch to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 712: Ip Interface Commands

    IP INTERFACE COMMANDS ip address This command sets the IP address for the currently selected VLAN interface. Use the no form to remove the current IP address. Syntax ip address {ip-address netmask | bootp | dhcp} no ip address •...
  • Page 713: Ip Default-Gateway

    BASIC IP CONFIGURATION Notes: 1. Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.
  • Page 714: Ip Dhcp Restart

    IP INTERFACE COMMANDS • A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254 Console(config)# Related Commands...
  • Page 715: Show Ip Interface

    BASIC IP CONFIGURATION Example In the following example, the device is reassigned the same address. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart Console#show ip interface Console# Related Commands ip address (35-2) show ip interface This command displays the settings of an IP interface. Command Mode Normal Exec, Privileged Exec Example...
  • Page 716: Show Arp

    IP INTERFACE COMMANDS Example Console#show ip redirects ip default gateway 10.1.0.254 Console# Related Commands ip default-gateway (35-3) show arp Use this command to display entries in the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Command Usage This command displays information about the ARP cache. The first line shows the cache timeout.
  • Page 717: Ping

    BASIC IP CONFIGURATION ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] • host - IP address or IP alias of the host. • count - Number of packets to send. (Range: 1-16, default: 5) •...
  • Page 718 IP INTERFACE COMMANDS Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 0 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
  • Page 719 SECTION: APPENDICES This section provides additional information on the following topics. Software Specifications ........A-1 Troubleshooting .
  • Page 721 APPENDIX: SOFTWARE SPECIFICATIONS Software Features Authentication Local, RADIUS, TACACS+, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists IP, MAC Fast Ethernet ports - 157 rules, 4 masks shared by 8-port groups Gigabit Ethernet ports - 29 rules, 4 masks DHCP Client DNS Proxy Port Configuration...
  • Page 722: Software Specifications

    SOFTWARE SPECIFICATIONS Rate Limits Input Limit Output limit Range (configured per port) Port Trunking Static trunks (Cisco EtherChannel compliant) Dynamic trunks (Link Aggregation Control Protocol) Spanning Tree Algorithm Spanning Tree Protocol (STP, IEEE 802.1D) Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) VLAN Support Up to 255 groups;...
  • Page 723: Management Features

    MANAGEMENT FEATURES Management Features In-Band Management Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 console port Software Loading TFTP in-band or XModem out-of-band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event) Standards...
  • Page 724: Management Information Bases

    SOFTWARE SPECIFICATIONS
    IGMPv2 (RFC 2236)
    IPv4 IGMP (RFC 3228)
    RADIUS+ (RFC 2618)
    RMON (RFC 2819 groups 1,2,3,9)
    SNMP (RFC 1157)
    SNMPv2c (RFC 2571)
    SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415)
    SNTP (RFC 2030)
    SSH (Version 2.0)
    TELNET (RFC 854, 855, 856)
    TFTP (RFC 1350)
    Management Information Bases
    Bridge MIB (RFC 1493)
  • Page 725
    MANAGEMENT INFORMATION BASES
    RADIUS Authentication Client MIB (RFC 2621)
    RMON MIB (RFC 2819)
    RMON II Probe Configuration Group (RFC 2021, partial implementation)
    SNMPv2 IP MIB (RFC 2011)
    SNMP Framework MIB (RFC 3411)
    SNMP-MPD MIB (RFC 3412)
    SNMP Target MIB, SNMP Notification MIB (RFC 3413)
    SNMP User-Based SM MIB (RFC 3414)
    SNMP View Based ACM MIB (RFC 3415)
    SNMP Community MIB (RFC 3584)
  • Page 726 SOFTWARE SPECIFICATIONS...
  • Page 727: Troubleshooting

    APPENDIX B TROUBLESHOOTING
    Problems Accessing the Management Interface
    Table B-1 Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software
    Action:
    • Be sure the switch is powered up.
    • Check network cabling between the management station and the switch.
    •...
  • Page 728
    TROUBLESHOOTING
    Table B-1 Troubleshooting Chart (Continued)
    Symptom: Cannot connect using Secure Shell
    Action:
    • If you cannot connect using SSH, you may have exceeded the maximum number of concurrent Telnet/SSH sessions permitted. Try connecting again at a later time.
    • Be sure the control parameters for the SSH server are properly configured on the switch, and that the SSH client software is properly configured on the management station.
  • Page 729: Using System Logs

    USING SYSTEM LOGS
    Using System Logs
    If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
    1.
  • Page 730 TROUBLESHOOTING...
  • Page 731: Glossary

    GLOSSARY
    Access Control List (ACL)
    ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
    Boot Protocol (BOOTP)
    BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 732
    GLOSSARY
    marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.
    Domain Name Service (DNS)
    A system used for translating host names for network nodes into IP addresses.
  • Page 733
    GLOSSARY
    Generic Multicast Registration Protocol (GMRP)
    GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.
    Group Attribute Registration Protocol (GARP)
    See Generic Attribute Registration Protocol.
    IEEE 802.1D
    Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
  • Page 734: Igmp Query

    GLOSSARY
    IEEE 802.3ac
    Defines frame extensions for VLAN tagging.
    IEEE 802.3x
    Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.
    IGMP Snooping
    Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
  • Page 735: Link Aggregation

    GLOSSARY
    IP Precedence
    The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The eight values are mapped one-to-one to the Class of Service categories by default, but may be configured differently to suit the requirements for specific network applications.
  • Page 736: Multicast Switching

    GLOSSARY
    Multicast Switching
    A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
    Multicast VLAN Registration
    A method of using a single network-wide multicast VLAN to transmit common services, such as television channels or video-on-demand, across a service-provider's network.
  • Page 737: Port Mirroring

    GLOSSARY
    Port Mirroring
    A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.
    Port Trunk
    Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
  • Page 738
    GLOSSARY
    Rapid Spanning Tree Protocol (RSTP)
    RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.
    Secure Shell (SSH)
    A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
  • Page 739
    GLOSSARY
    Terminal Access Controller Access Control System Plus (TACACS+)
    TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.
    Transmission Control Protocol/Internet Protocol (TCP/IP)
    Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.
  • Page 740
    GLOSSARY
    XModem
    A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
    Glossary-10...
  • Page 741: Index

    INDEX Numerics configuring 13-1 31-1 32-1 802.1Q tunnel 12-17 30-24 DSCP 13-12 31-14 description 12-17 IP port priority 13-14 31-11 interface configuration 12-23 IP precedence 13-10 31-13 – 30-25 30-27 layer 3/4 priorities 13-8 31-11 mode selection 12-23 queue mapping 13-3 31-7 TPID 12-16 12-23...
  • Page 742 INDEX name server list 16-1 34-6 IEEE 802.1s 29-4 static entries 16-4 IEEE 802.1w 11-1 29-4 Domain Name Service See DNS IEEE 802.1X 6-19 21-34 downloading software 4-16 19-16 IGMP DSCP groups, displaying 15-9 33-8 enabling 13-9 31-14 Layer 2 15-2 33-2 mapping priorities 13-12 31-15...
  • Page 743 INDEX Link Aggregation Control Protocol See LACP link type, STA 11-16 11-19 29-21 password, line 19-26 logging passwords 2-5 syslog traps 19-40 administrator setting 6-1 21-2 to syslog servers 19-38 path cost 11-5 11-15 log-in, Web interface 3-3 method 11-10 29-9 logon authentication 6-1 21-1...
  • Page 744 INDEX rate limits transmission limit 11-10 29-10 setting input and output limits 27-2 standards, IEEE A-3 setting output limits based on startup files priorities 27-3 creating 4-20 19-16 rate limits, setting 9-26 displaying 4-16 19-3 remote logging 19-40 setting 4-16 19-22 restarting the system 4-34 18-5...
  • Page 745 INDEX user account 6-1 interface configuration 12-14 – user password 6-1 21-2 21-4 30-11 30-15 private 12-25 30-17 protocol 12-27 30-19 – – VLANs 12-1 12-26 30-1 30-18 802.1Q tunnel mode 12-23 adding static members 12-10 12-13 Web interface 30-14 access requirements 3-1 creating 12-8 30-8...
  • Page 746 INDEX Index-6...
  • Page 748
    81-45-224-2332; Fax 81-45-224-2331
    Australia: 61-2-8875-7887; Fax 61-2-8875-7777
    India: 91-22-8204437; Fax 91-22-8204443
    If you are looking for further contact information, please visit www.smc.com, www.smc-europe.com, or www.smc-asia.com.
    Model Number: SMC7824M/FSW
    Pub. Number: 150200058800A
    Revision Number: F1.0.1.5 E122006/ST-R01
    38 Tesla, Irvine, CA 92618
