SMC Networks 8708L2 - annexe 1 Management Manual

TigerSwitch 10G Gigabit Ethernet Switch

TigerSwitch 10G
Gigabit Ethernet Switch
◆ 8 10GBASE XFP slots
◆ Non-blocking switching architecture
◆ Support for a redundant power unit
◆ Spanning Tree Protocol, RSTP, and MSTP
◆ Up to 4 LACP or static 8-port trunks
◆ Layer 2/3/4 CoS support through eight priority queues
◆ Layer 3/4 traffic priority with IP Precedence and IP DSCP
◆ Full support for VLANs with GVRP
◆ IGMP multicast filtering and snooping
◆ Support for jumbo frames up to 9 KB
◆ Manageable via console, Web, SNMP/RMON

Management Guide

SMC8708L2

Summary of Contents for SMC Networks 8708L2 - annexe 1

  • Page 3 TigerSwitch 10G Management Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions 38 Tesla Irvine, CA 92618 May 2005 Phone: (949) 679-8000 Pub. # 149100024300A...
  • Page 4 Irvine, CA 92618 All rights reserved. Printed in Taiwan Trademarks: SMC is a registered trademark; and EZ Switch, TigerStack and TigerSwitch are trademarks of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders.
  • Page 5 All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
  • Page 6 RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
  • Page 7: Table Of Contents

    Table of Contents: Introduction 1-1; Key Features 1-1; Description of Software Features
  • Page 8 Table of Contents: Manual Configuration 3-22; Using DHCP/BOOTP 3-22; Configuring Support for Jumbo Frames
  • Page 9 Table of Contents: Configuring Port Security 3-91; Configuring 802.1X Port Authentication 3-94; Displaying 802.1X Global Settings
  • Page 10 Table of Contents: Spanning Tree Algorithm Configuration 3-156; Displaying Global Settings 3-158; Configuring Global Settings
  • Page 11 Table of Contents: Mapping CoS Values to ACLs 3-219; Multicast Filtering 3-221; IGMP Protocol
  • Page 12 Table of Contents: timeout login response 4-18; exec-timeout 4-19; password-thresh
  • Page 13 Table of Contents: Secure Shell Commands 4-46; ip ssh server 4-50; ip ssh timeout
  • Page 14 Table of Contents: System Status Commands 4-78; show startup-config 4-78; show running-config
  • Page 15 Table of Contents: dot1x operation-mode 4-110; dot1x re-authenticate 4-111; dot1x re-authentication
  • Page 16 Table of Contents: show access-group 4-149; SNMP Commands 4-150; snmp-server
  • Page 17 Table of Contents: lacp system-priority 4-190; lacp admin-key (Ethernet Interface)
  • Page 18 Table of Contents: VLAN Commands 4-229; Editing VLAN Groups
  • Page 19 Table of Contents: show queue cos-map 4-258; Priority Commands (Layer 3 and 4) 4-259; map ip port (Global Configuration)
  • Page 20 Table of Contents: DNS Commands 4-284; ip host
  • Page 21 Tables: Table 1-1 Key Features 1-1; Table 1-2 System Defaults
  • Page 22 Tables: Table 4-17 Event Logging Commands 4-59; Table 4-18 Logging Levels 4-60; Table 4-19 show logging flash/ram - display description
  • Page 23 Tables: Table 4-54 Spanning Tree Commands 4-204; Table 4-55 VLAN Commands 4-229; Table 4-56 Editing VLAN Groups
  • Page 25 Figures: Figure 3-1 Home Page 3-3; Figure 3-2 Panel Display
  • Page 26 Figures: Figure 3-38 802.1X Global Information 3-95; Figure 3-39 802.1X Global Configuration 3-96; Figure 3-40 802.1X Port Configuration
  • Page 27 Figures: Figure 3-75 VLAN Current Table 3-191; Figure 3-76 VLAN Static List - Creating VLANs 3-193; Figure 3-77 VLAN Static Table - Adding Static Members
  • Page 29: Introduction

    This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 30 Table 1-1 Key Features (Continued)

    | Feature | Description |
    | --- | --- |
    | Rate Limiting | Input and output rate limiting per port |
    | Port Mirroring | One or more ports mirrored to single analysis port |
    | Port Trunking | Supports up to 4 trunks using either static or dynamic trunking (LACP) |
    | Broadcast Storm | Supported... |
  • Page 31: Description Of Software Features

    The switch provides a wide range of advanced performance enhancing features. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth.
  • Page 32 be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 33 IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses. Store-and-Forward Switching –...
  • Page 34 Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
  • Page 35: System Defaults

    This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.
  • Page 36 Table 1-2 System Defaults (Continued)

    | Function | Parameter | Default |
    | --- | --- | --- |
    | Authentication | Privileged Exec Level | Username “admin”, Password “admin” |
    | | Normal Exec Level | Username “guest”, Password “guest” |
    | | Enable Privileged Exec from Normal Exec Level | Password “super” |
    | | RADIUS Authentication | Disabled |
    | | TACACS Authentication | Disabled |
    | | 802.1X Port Authentication | Disabled |
    | | HTTPS | Enabled |
    | | | Disabled... |
  • Page 37 Table 1-2 System Defaults (Continued)

    | Function | Parameter | Default |
    | --- | --- | --- |
    | Port Trunking | Static Trunks | None |
    | | LACP (all ports) | Disabled |
    | Broadcast Storm Protection | Status | Enabled |
    | | Broadcast Limit Rate | 1042 packets per second |
    | Spanning Tree Algorithm | Status | Enabled, MSTP (Defaults: All values based on IEEE 802.1s) |
    | | Fast Forwarding (Edge | Disabled... |
  • Page 38: Table 1-2 System Defaults

    Table 1-2 System Defaults (Continued)

    | Function | Parameter | Default |
    | --- | --- | --- |
    | IP Settings | Management VLAN | Any VLAN configured with an IP address |
    | | IP Address | 0.0.0.0 |
    | | Subnet Mask | 255.0.0.0 |
    | | Default Gateway | 0.0.0.0 |
    | | DHCP | Client: Enabled |
    | | BOOTP | Disabled |
    | Multicast Filtering | IGMP Snooping | Snooping: Enabled, Querier: Disabled |
    | System Log | Status... | |
  • Page 39: Initial Configuration

    Telnet connection over the network. The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as SMC EliteView.
  • Page 40: Required Connections

    The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:

    • Set user names and passwords
    • Set an IP interface for any VLAN
    • Configure SNMP parameters
    • Enable/disable any port
    •...
  • Page 41 To connect a terminal to the console port, complete the following steps: 1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
  • Page 42: Remote Connections

    Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 43: Basic Configuration

    Console Connection. The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
  • Page 44: Setting An Ip Address

    2. Type “configure” and press <Enter>.
    3. Type “username guest password 0 password,” for the Normal Exec level, where password is your new password. Press <Enter>.
    4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.

        Username: admin
        Password:
        CLI session with the 8*10GE L2 Switch is opened....
  • Page 45: Dynamic Configuration

    Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:

    • IP address for the switch
    • Default gateway for the network
    • Network mask for this network

    To assign an IP address to the switch, complete the following steps: 1.
  • Page 46 If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: 1.
  • Page 47: Enabling Snmp Management Access

    Enabling SNMP Management Access The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as SMC EliteView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.
  • Page 48: Community Strings (For Snmp Version 1 And 2C Clients)

    Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
  • Page 49: Trap Receivers

    You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...
  • Page 50: Saving Configuration Settings

    the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.

        Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
        Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
        Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
        Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien...
  • Page 51: Managing System Files

    The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 52 In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
  • Page 53: Configuring The Switch

    Using the Web Interface. This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
  • Page 54 2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page. 3.
  • Page 55: Navigating The Web Browser Interface

    To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”...
  • Page 56: Configuration Options

    Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 57: Panel Display

    The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control.
  • Page 58: Main Menu

    Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu: Menu, Description, Page...
  • Page 59 Table 3-2 Main Menu (Continued)

    | Menu | Description | Page |
    | --- | --- | --- |
    | SMTP | Sends an SMTP client message to a participating server | 3-44 |
    | Reset | Restarts the switch | 3-46 |
    | SNTP | | 3-47 |
    | Configuration | Configures SNTP client settings, including a specified list of servers | 3-47 |
    | Clock Time Zone | Sets the local time zone for the system clock | 3-49 |
  • Page 60 Table 3-2 Main Menu (Continued)

    | Menu | Description | Page |
    | --- | --- | --- |
    | Host-Key Settings | Generates the host key pair (public and private) | 3-87 |
    | Port Security | Configures per port security, including status, response for security breach, and maximum allowed MAC addresses | 3-91 |
    | 802.1X | Port authentication | 3-94 |
  • Page 61 Table 3-2 Main Menu (Continued)

    | Menu | Description | Page |
    | --- | --- | --- |
    | LACP | | 3-127 |
    | Configuration | Allows ports to dynamically join trunks | 3-130 |
    | Aggregation Port | Configures parameters for link aggregation group members | 3-132 |
    | Port Counters Information | Displays statistics for LACP protocol messages | 3-135 |
    | Port Internal... | | |
  • Page 62 Table 3-2 Main Menu (Continued)

    | Menu | Description | Page |
    | --- | --- | --- |
    | Address Aging | Sets timeout for dynamically learned entries | 3-156 |
    | Spanning Tree | | 3-156 |
    | Information | Displays STA values used for the bridge | 3-158 |
    | Configuration | Configures global bridge settings for STP, RSTP and MSTP | 3-163 |
    | Port Information | Displays individual port settings for STA... | |
  • Page 63 Table 3-2 Main Menu (Continued)

    | Menu | Description | Page |
    | --- | --- | --- |
    | Static List | Used to create or remove VLAN groups | 3-192 |
    | Static Table | Modifies the settings for an existing VLAN | 3-194 |
    | Static Membership by Port | Configures membership type for interfaces, including tagged, untagged or forbidden... | |
  • Page 64: Table 4-54 Table

    Table 3-2 Main Menu (Continued)

    | Menu | Description | Page |
    | --- | --- | --- |
    | IP Precedence Priority | Sets IP Type of Service priority, mapping the precedence tag to a class-of-service value | 3-213 |
    | IP DSCP Priority | Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class-of-service value | 3-215 |
    | IP Port Priority Status | Globally enables or disables IP Port Priority | 3-217 |
  • Page 65 Table 3-2 Main Menu (Continued)

    | Menu | Description | Page |
    | --- | --- | --- |
    | | | 3-231 |
    | General Configuration | Enables DNS; configures domain name and domain list; and specifies IP address of name servers for dynamic lookup | 3-231 |
    | Static Host Table | Configures static entries for domain name to address mapping | 3-234 |
    | Cache... | | |
  • Page 66: Basic Configuration

    Displaying System Information. You can easily identify the system by displaying the device name, location and contact information.

    Field Attributes
    • System Name – Name assigned to the switch system.
    • Object ID – MIB II object ID for switch’s network management subsystem.
  • Page 67: Figure 3-3 System Information

    Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3 System Information...
  • Page 68: Displaying Switch Hardware/Software Versions

    CLI – Specify the hostname, location and contact information.

        Console(config)#hostname R&D 5
        Console(config)#snmp-server location WC 9
        Console(config)#snmp-server contact Ted
        Console(config)#exit
        Console#show system
        System Description: 8*10GE L2 Switch
        System OID String: 1.3.6.1.4.1.259.6.10.76
        System Information
        System Up Time: 0 days, 4 hours, 5 minutes, and 56.31 seconds
        System Name:...
  • Page 69: Figure 3-4 Switch Information

    • Internal Power Status – Displays the status of the internal power supply.

    Management Software
    • EPLD Version – Version number of EEPROM Programmable Logic Device.
    • Loader Version – Version number of loader code.
    • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
  • Page 70: Displaying Bridge Extension Capabilities

    CLI – Use the following command to display version information.

        Console#show version
        Unit 1
        Serial Number: A000000022
        Hardware Version:
        EPLD Version: 1.00
        Number of Ports:
        Main Power Status:
        Redundant Power Status: Not present
        Agent (Master)
        Unit ID:
        Loader Version: 3.0.0.2
        Boot ROM Version:...
  • Page 71: Figure 3-5 Displaying Bridge Extension Configuration

    • Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 3-184.)
    • Local VLAN Capable –...
  • Page 72: Setting The Switch's Ip Address

    CLI – Enter the following command.

        Console#show bridge-ext
        Max support VLAN numbers:
        Max support VLAN ID: 4094
        Extended multicast filtering services: No
        Static entry individual port:
        VLAN learning:
        Configurable PVID tagging:
        Local VLAN capable:
        Traffic classes: Enabled
        Global GVRP status: Disabled...
  • Page 73 IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address.
  • Page 74: Manual Configuration

    Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static.” Enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 IP Interface Configuration - Manual CLI –...
  • Page 75: Figure 3-7 Ip Interface Configuration - Dhcp

    Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
  • Page 76: Configuring Support For Jumbo Frames

    Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch.
  • Page 77: Managing Firmware

    Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames, and click Apply. Figure 3-8 Configuring Support for Jumbo Frames

    CLI – This example enables jumbo frames globally for the switch.

        Console(config)#jumbo frame
        Console(config)#

    Managing Firmware. You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack.
  • Page 78 File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
  • Page 79: Downloading System Software From A Server

    When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.
  • Page 80: Figure 3-10 Setting The Startup Code

    Figure 3-10 Setting the Startup Code. To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files...
  • Page 81 CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “config” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.
  • Page 82: Saving Or Restoring Configuration Settings

    You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes •...
  • Page 83 - file to unit – Copies a file from this switch to another unit in the stack.
    - unit to file – Copies a file from another unit in the stack to this switch.
    • TFTP Server IP Address – The IP address of a TFTP server.
    •...
  • Page 84: Downloading Configuration Settings From A Server

    You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg”...
  • Page 85: Console Port Settings

    Figure 3-13 Setting the Startup Configuration Settings

    CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.

        Console#copy tftp startup-config
        TFTP server ip address: 192.168.1.19
        Source configuration file name: config-1...
  • Page 86 Command Attributes • Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds;...
  • Page 87: Figure 3-14 Configuring The Console Port

    • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password)
    •...
  • Page 88: Telnet Settings

    CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.

        Console(config)#line console
        Console(config-line)#login local
        Console(config-line)#password 0 secret...
  • Page 89: Figure 3-15 Configuring The Telnet Interface

    interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds)
    • Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated.
  • Page 90: Configuring Event Logging

    CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.

        Console(config)#line vty
        Console(config-line)#login local
        Console(config-line)#password 0 secret...
  • Page 91: Table 3-3 Logging Levels

    Command Attributes
    • System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
    • Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash.
  • Page 92: Remote Log Configuration

    Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
  • Page 93 The facility type is used by the syslog server to dispatch log messages to an appropriate service. The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch.
  • Page 94: Figure 3-17 Remote Logs

    Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
  • Page 95: Displaying Log Messages

    CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.

        Console(config)#logging host 10.1.0.9
        Console(config)#logging facility 23
        Console(config)#logging trap 4
        Console(config)#logging trap
        Console(config)#exit
        Console#show logging trap
        Syslog logging: Enabled
        REMOTELOG status: Disabled...
  • Page 96: Sending Simple Mail Transfer Protocol Alerts

    CLI – This example shows the event message stored in RAM.

        Console#show log ram
        [1] 00:01:30 2001-01-01
        "VLAN 1 link-up notification."
        level: 6, module: 5, function: 1, and event no.: 1
        [0] 00:01:30 2001-01-01
        "Unit 1, Port 1 link-up notification."...
  • Page 97: Figure 3-19 Enabling And Configuring Smtp Alerts

    • Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.

    Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level.
  • Page 98: Resetting The System

    CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 99: Setting The System Clock

    CLI – Use the reload command to restart the switch.

        Console#reload
        System will be restarted, continue <y/n>?

    Note: When restarting the system, it will always run the Power-On Self-Test.

    Setting the System Clock. Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP).
  • Page 100: Figure 3-21 Sntp Configuration

    • SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server; if this fails, it attempts an update from the next server in the sequence. Web –...
  • Page 101: Setting The Time Zone

    SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 102: Simple Network Management Protocol

    3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as SMC EliteView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings.
  • Page 103: Table 3-4 Snmpv3 Security Models And Levels

    IMPLE ETWORK ANAGEMENT ROTOCOL “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c.
  • Page 104 Table 3-4 SNMPv3 Security Models and Levels (Continued) Model Level Group Read Write Notify Security View View View AuthNoPriv user defined user defined user defined user defined Provides user authentication via MD5 or algorithms AuthPriv user defined user defined user defined user defined Provides user authentication...
  • Page 105: Enabling The SNMP Agent

    Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply.
  • Page 106: Figure 3-24 Configuring SNMP Community Strings

    • Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: “public” (read-only), “private” (read/write) Range: 1-32 characters, case sensitive • Access Mode – Specifies the access rights for the community string: - Read-Only –...
  • Page 107: Specifying Trap Managers And Trap Types

    You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as SMC EliteView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
  • Page 108 To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 3-53). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 3-72). 4.
  • Page 109 • Trap Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used) - Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
  • Page 110: Configuring SNMPv3 Management Access

    Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
  • Page 111: Setting A Local Engine ID

    3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy). 4. Assign SNMP users to groups, along with their specific authentication and privacy passwords. Setting a Local Engine ID An SNMPv3 engine is an independent SNMP agent that resides on the switch.
  • Page 112: Specifying A Remote Engine ID

    CLI – This example sets an SNMPv3 engine ID. Console(config)#snmp-server engine-id local 12345abcdef Console(config)#exit Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Console# Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 113: Configuring SNMPv3 Users

    CLI – This example specifies a remote SNMPv3 engine ID. Console(config)#snmp-server engine-id remote 192.168.1.19 12345abcdef Console(config)#exit Console#show snmp engine-id Local SNMP EngineID: 12345abcdef000000000000000 Local SNMP EngineBoots: 1 Remote SNMP engineID IP address 12345abcdef0 192.168.1.19 Console# Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name.
  • Page 114: Figure 3-28 Configuring SNMPv3 Users

    • Privacy Password – A minimum of eight plain text characters is required. • Actions – Enables the user to be assigned to another SNMPv3 group. Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
  • Page 115: Configuring Remote SNMPv3 Users

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user chris r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#exit Console#show snmp user EngineId: 12345abcdef000000000000000 User Name: chris Authentication Protocol: MD5...
  • Page 116 Command Attributes • User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters) • Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) •...
  • Page 117: Figure 3-29 Configuring Remote SNMPv3 Users

    Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 118: Configuring SNMPv3 Groups

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)#exit Console#show snmp user No user exist.
  • Page 119: Table 3-5 Supported Notification Messages

    • Write View – The configured view for write access. (Range: 1-64 characters) • Notify View – The configured view for notifications. (Range: 1-64 characters) Table 3-5 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the...
  • Page 120 Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description linkDown 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 121 Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description fallingAlarm 1.3.6.1.2.1.16.0.2 The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps.
  • Page 122 Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description swThermalFallingNotification 1.3.6.1.4.1.259.6.10.76.2.1.0.59 This trap is sent when the temperature falls below the switchThermalActionFallingThreshold. swModuleInsertionNotificaiton 1.3.6.1.4.1.259.6.10.76.2.1.0.60 This trap is sent when a module is inserted.
  • Page 123: Figure 3-30 Configuring SNMPv3 Groups

    Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list.
  • Page 124: Setting SNMPv3 Views

    CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views. Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview Console(config)#exit Console#show snmp group...
  • Page 125: Figure 3-31 Configuring SNMPv3 Views

    Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
  • Page 126: User Authentication

    CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)#exit Console#show snmp view View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
  • Page 127: Configuring User Accounts

    • IP Filter – Filters management access to the web, SNMP or Telnet interface. Configuring User Accounts The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.
  • Page 128: Configuring Local/Remote Logon Authentication

    Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then click Add. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 129 Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols [Figure: console and Telnet clients, switch, RADIUS/TACACS+ server] 1. Client attempts management access. 2. Switch contacts authentication server. 3. Authentication server challenges client. 4. Client responds with proper password or key. 5.
  • Page 130 • You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.
  • Page 131 - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535;...
  • Page 132: Figure 3-33 Authentication Server Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Server Settings...
  • Page 133: Configuring HTTPS

    CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius Console(config)#radius-server port 181 Console(config)#radius-server key green Console(config)#radius-server retransmit 5 Console(config)#radius-server timeout 10 Console(config)#radius-server 1 host 192.168.1.25 Console(config)#exit Console#show radius-server Remote RADIUS server configuration: Global settings:...
  • Page 134: Table 3-6 HTTPS System Support

    • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate.
  • Page 135: Replacing The Default Secure-Site Certificate

    Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-34 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server Console(config)#ip http secure-port 441 Console(config)# Replacing the Default Secure-site Certificate...
  • Page 136: Configuring The Secure Shell

    When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one: Console#copy tftp https-certificate TFTP server ip address: <server ip-address> Source certificate file name: <certificate file name>...
  • Page 137 Command Usage The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-76).
  • Page 138 1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199696317 81366277414168985132049117204830339254324101637997592371449011938006090253948 40848271781943722884025331159521348610229029789827213532671316294325328189150 45306393916643 steve@192.168.1.19 4. Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size. 5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
  • Page 139: Generating The Host Key Pair

    Generating the Host Key Pair A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
  • Page 140: Figure 3-35 SSH Host-Key Settings

    Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
  • Page 141: Configuring The SSH Server

    CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys. Console#ip ssh crypto host-key generate Console#ip ssh save host-key Console#show public-key host Host:...
  • Page 142: Figure 3-36 SSH Server Settings

    • SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;...
  • Page 143: Configuring Port Security

    CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server Console(config)#ip ssh timeout 100 Console(config)#ip ssh authentication-retries 5...
  • Page 144 already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage • A secure port has the following restrictions: - It cannot use port monitoring.
  • Page 145: Figure 3-37 Port Security

    Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
  • Page 146: Configuring 802.1X Port Authentication

    Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 147: Displaying 802.1X Global Settings

    RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked. The operation of dot1x on the switch requires the following: •...
  • Page 148: Configuring 802.1X Global Settings

    CLI – This example shows the default global setting for 802.1X. Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is disabled on port 1/8 Console#...
  • Page 149: Configuring Port Settings For 802.1X

    Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
  • Page 150: Figure 3-40 802.1X Port Configuration

    • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds) • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated.
  • Page 151 CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-113. Console(config)#interface ethernet 1/2 Console(config-if)#dot1x port-control auto Console(config-if)#dot1x re-authentication Console(config-if)#dot1x max-req 5 Console(config-if)#dot1x timeout quiet-period 40...
  • Page 152: Configuring The Switch

    Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host Auto disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Disable...
  • Page 153: Displaying 802.1X Statistics

    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 154: Figure 3-41 802.1X Port Statistics

    Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-41 802.1X Port Statistics CLI – This example displays the dot1x statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 Eth 1/4 Rx: EAPOL...
  • Page 155: Filtering IP Addresses For Management Access

    Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interfaces are open to all IP addresses by default.
  • Page 156: Figure 3-42 IP Filter

    • Start IP Address – A single IP address, or the starting address of a range. • End IP Address – The end address of a range. Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry.
  • Page 157: Access Control Lists

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 158: Setting The ACL Name And Type

    • When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs.
  • Page 159: Configuring A Standard IP ACL

    Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 3-43 Selecting ACL Type CLI –...
  • Page 160: Configuring An Extended IP ACL

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
  • Page 161 • Source/Destination IP Address – Source or destination IP address. • Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 3-107.) • Service Type – Packet priority settings based on the following criteria: - Precedence –...
  • Page 162: Figure 3-45 ACL Configuration - Extended IP

    For example, use the code value and mask below to catch packets with the following flags set: - SYN flag valid, use control-code 2, control bitmask 2 - Both SYN and ACK valid, use control-code 18, control bitmask 18 - SYN valid and ACK invalid, use control-code 2, control bitmask 18 Web –...
  • Page 163: Configuring A MAC ACL

    2. Allow TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). 3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any...
  • Page 164: Figure 3-46 ACL Configuration - MAC

    • Packet Format – This attribute includes the following packet types: Any – Any Ethernet packet type. Untagged-eth2 – Untagged Ethernet II packets. Untagged-802.3 – Untagged Ethernet 802.3 packets. Tagged-eth2 – Tagged Ethernet II packets. Tagged-802.3 – Tagged Ethernet 802.3 packets. Command Usage Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets.
  • Page 165: Configuring ACL Masks

    CLI – This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Configuring ACL Masks You must specify masks that control the order in which ACL rules are checked.
  • Page 166: Configuring An IP ACL Mask

    Web – Click Security, ACL, Mask Configuration. Click Edit for one of the basic mask types to open the configuration page. Figure 3-47 Selecting ACL Mask Types CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries.
  • Page 167 specify a host address (not a subnet), or “IP” to specify a range of addresses. (Options: Any, Host, IP; Default: Any) • Source/Destination Subnet Mask – Source or destination address of rule must match this bitmask. (See the description for SubMask on page 3-107.) •...
  • Page 168: Figure 3-48 ACL Mask Configuration - IP

    Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types.
  • Page 169: Configuring A MAC ACL Mask

    CLI – This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255”...
  • Page 170: Figure 3-49 ACL Mask Configuration - MAC

    Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s).
  • Page 171: Binding A Port To An Access Control List

    CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. Console(config)#access-list mac M4 Console(config-mac-acl)#permit any any...
  • Page 172: Figure 3-50 ACL Port Binding

    • When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs.
  • Page 173: Port Configuration

    CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2. Console(config)#interface ethernet 1/1 Console(config-if)#ip access-group david in Console(config-if)#mac access-group jerry in Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#ip access-group david in Console(config-if)# Port Configuration...
  • Page 174: Figure 3-51 Port - Port Information

    • Creation – Shows if a trunk is manually configured or dynamically set via LACP. Web – Click Port, Port Information or Trunk Information. Figure 3-51 Port - Port Information Field Attributes (CLI) Basic information: • Port type – Indicates the port type. (10G or 100-TX) •...
  • Page 175 • Capabilities – Specifies the capabilities to be advertised for a port during auto-negotiation. (To access this item on the web, see “Configuring Interface Connections” on page 3-48.) The following capabilities are supported. - 10half - Supports 10 Mbps half-duplex operation - 10full - Supports 10 Mbps full-duplex operation - 100half - Supports 100 Mbps half-duplex operation - 100full - Supports 100 Mbps full-duplex operation...
  • Page 176 CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic Information: Port Type: Mac Address: 00-0C-DB-21-11-38 Configuration: Name: Port Admin: Speed-duplex: 10G full Capabilities: Broadcast Storm: Enabled Broadcast Storm Limit: 1042 packets/second...
  • Page 177: Configuring Interface Connections

    Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed and duplex mode. Note: Interface settings for the management port can only be configured from the CLI.
  • Page 178: Figure 3-52 Port - Port Configuration

    • Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups” on page 3-127. Note: Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode.
  • Page 179: Creating Trunk Groups

    Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches. You can create up to four trunks. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
  • Page 180: Statically Configuring A Trunk

    • The ports at both ends of a trunk must be configured in an identical manner, including VLAN assignments and CoS settings. • Any of the 10 Gigabit ports on the front panel can be trunked together, including ports of different media types.
  • Page 181: Figure 3-53 Static Trunk Configuration

    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-4 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 182: Enabling LACP On Selected Ports

    Enabling LACP on Selected Ports Command Usage • To avoid creating a loop in the dynamically enabled network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
  • Page 183: Figure 3-54 LACP Trunk Configuration

    Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-54 LACP Trunk Configuration CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
  • Page 184: Configuring LACP Parameters

    Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. •...
  • Page 185: Figure 3-55 LACP - Aggregation Port

    • Port Priority – If a link goes down, LACP port priority is used to select a backup link. (Range: 0-65535; Default: 32768) Set Port Partner – This menu sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor.
  • Page 186: Backup Mode

    CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode. Console(config)#interface ethernet 1/1 Console(config-if)#lacp actor system-priority 3 Console(config-if)#lacp actor admin-key 120...
  • Page 187: Displaying LACP Port Counters

    Displaying LACP Port Counters You can display statistics for LACP protocol messages. Table 3-8 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received by this channel group. Marker Sent Number of valid Marker PDUs transmitted from this...
  • Page 188: Displaying LACP Settings And Status For The Local Side

    CLI – The following example displays LACP counters for port channel 1. Console#show lacp 1 counters Port channel: 1 ------------------------------------------------------------------- Eth 1/ 2 ------------------------------------------------------------------- LACPDUs Sent: LACPDUs Receive: Marker Sent: Marker Receive: LACPDUs Unknown Pkts: 0 LACPDUs Illegal Pkts: 0 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the...
  • Page 189 Table 3-9 LACP Internal Configuration Information (Continued) (Field – Description): LACP Port Priority – LACP port priority assigned to this interface within the channel group. Admin State, Oper State – Administrative or operational values of the actor’s state parameters: • Expired – The actor’s receive machine is in the expired state; •...
  • Page 190: Figure 3-57 LACP - Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-57 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-194 Port channel: 1...
  • Page 191: Displaying LACP Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10 LACP Neighbor Configuration Information (Field – Description): Partner Admin System ID – LAG partner’s system ID assigned by the user. Partner Oper System – LAG partner’s system ID assigned by the LACP protocol....
  • Page 192: Figure 3-58 LACP - Port Neighbors Information

    Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-58 LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-194 Port channel 1 neighbors...
  • Page 193: Setting Broadcast Storm Thresholds

    Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 194: Figure 3-59 Port Broadcast Control

    Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply. Figure 3-59 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 6000 packets per second for port 2.
  • Page 195: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. (Figure labels: Source port(s), Single target port)
  • Page 196: Figure 3-60 Mirror Port Configuration

    Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 3-60 Mirror Port Configuration CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port.
  • Page 197: Configuring Rate Limits

    Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch.
  • Page 198: Showing Port Statistics

    Statistics are refreshed every 60 seconds by default. Note: RMON groups 2, 3 and 9 can only be accessed using SNMP management software such as SMC EliteView. Table 3-11 Port Statistics Parameter...
  • Page 199 Table 3-11 Port Statistics (Continued) (Parameter – Description): Received Discarded Packets – The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 200 Table 3-11 Port Statistics (Continued) (Parameter – Description): Etherlike Statistics: Alignment Errors – The number of alignment errors (mis-synchronized data packets). Late Collisions – The number of times that a collision is detected later than 512 bit-times into the transmission of a packet. FCS Errors – A count of frames received on a particular interface that are an integral number of octets in length but do not...
  • Page 201 Table 3-11 Port Statistics (Continued) (Parameter – Description): Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. RMON Statistics: Drop Events – The total number of events in which packets were dropped due to lack of resources.
  • Page 202 Table 3-11 Port Statistics (Continued) (Parameter – Description): 64 Bytes Frames – The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets). 65-127 Byte Frames, 128-255 Byte Frames – The total number of frames (including bad packets) received and transmitted where the number of octets...
  • Page 203: Figure 3-62 Port Statistics

    Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-62 Port Statistics...
  • Page 204: Address Table Settings

    CLI – This example shows statistics for port 12. Console#show interfaces counters ethernet 1/12 4-178 Ethernet 1/12 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 205: Setting Static Addresses

    Setting Static Addresses A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 206: Displaying The Address Table

    Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-63 Static Addresses CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 207: Figure 3-64 Dynamic Addresses

    • MAC Address – Physical address associated with this interface. • VLAN – ID of configured VLAN (1-4094). • Address Table Sort Key – You can sort the information displayed based on MAC address, VLAN or interface (port or trunk). •...
  • Page 208: Changing The Aging Time

    Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the aging function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds;...
  • Page 209 The spanning tree algorithms supported by this switch include these versions: • STP – Spanning Tree Protocol (IEEE 802.1D) • RSTP – Rapid Spanning Tree Protocol (IEEE 802.1w) • MSTP – Multiple Spanning Tree Protocol (IEEE 802.1s) STA uses a distributed algorithm to select a bridging device (STA-compliant switch, bridge or router) that serves as the root of the spanning tree network.
  • Page 210: Displaying Global Settings

    more for STP) by reducing the number of state changes before active ports start learning, predefining an alternate route that can be used when a node or port fails, and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs.
  • Page 211 (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) • Hello Time – Interval (in seconds) at which the root device transmits a configuration message. • Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding).
  • Page 212 • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 213: Figure 3-66 STA Information

    Web – Click Spanning Tree, STA, Information. Figure 3-66 STA Information...
  • Page 214: Each Port

    CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-226 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 215: Configuring Global Settings

    Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 216 - Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Command Attributes Basic Configuration of Global Settings •...
  • Page 217 • Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
  • Page 218 • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned.
  • Page 219: Figure 3-67 STA Global Configuration

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-67 STA Global Configuration...
  • Page 220: Displaying Interface Settings

    CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. Console(config)#spanning-tree 4-205 Console(config)#spanning-tree mode mstp 4-206 Console(config)#spanning-tree priority 4096 4-210 Console(config)#spanning-tree hello-time 5 4-209 Console(config)#spanning-tree max-age 38 4-209 Console(config)#spanning-tree forward-time 20 4-208...
  • Page 221 If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding. All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
  • Page 222 set to disabled (i.e., disabled port) if a port has no role within the spanning tree. Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. (Figure legend: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port)
  • Page 223 an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
  • Page 224: Configuring Interface Settings

    Web – Click Spanning Tree, STA, Port Information or STA Trunk Information. Figure 3-68 STA Port Information CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-226 1/ 5 information -------------------------------------------------------------- Admin status: enabled Role:...
  • Page 225 shared-media connection, and edge port to indicate if the attached device can support fast forwarding. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) Command Attributes The following attributes are read-only and cannot be changed: •...
  • Page 226 • Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
  • Page 227: Figure 3-69 STA Port Configuration

    such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
  • Page 228: Configuring Multiple Spanning Trees

    Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 229 Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) • Priority – The priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440;...
  • Page 230: Figure 3-70 MSTP VLAN Configuration

    Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add. Figure 3-70 MSTP VLAN Configuration...
  • Page 231 CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 4-226 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enabled/disabled: enabled Instance: VLANs configuration: Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 232: Displaying Interface Settings For MSTP

    CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Console(config)#spanning-tree mst configuration 4-229 Console(config-mst)#mst 1 priority 4096 4-214 Console(config-mstp)#mst 1 vlan 1-5 4-213 Console(config-mst)# Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
  • Page 233 CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 3-158), the settings for other instances only apply to the local spanning tree.
  • Page 234: Configuring Interface Settings For MSTP

    Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
  • Page 235 • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
  • Page 236: VLAN Configuration

    Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-72 MSTP Port Configuration CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 4-170 Console(config-if)#spanning-tree mst 1 port-priority 0...
  • Page 237: Assigning Ports To VLANs

    VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections. VLANs can be easily organized to reflect departmental groups (such as Marketing or R&D), usage groups (such as e-mail), or multicast groups (used for multimedia applications such as videoconferencing).
  • Page 238 Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing it on to any end-node host that does not support VLAN tagging. (Figure labels: tagged frames; VA: VLAN Aware; VU: VLAN Unaware; tagged; untagged...)
  • Page 239 Automatic VLAN Registration – GVRP (GARP VLAN Registration Protocol) defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned. If an end station (or its network adapter) supports the IEEE 802.1Q VLAN protocol, it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join.
  • Page 240: Forwarding Tagged/Untagged Frames

    (Figure: Port-based VLAN) Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 241: Enabling Or Disabling GVRP (Global Setting)

    Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network.
  • Page 242: Displaying Current VLANs

    • Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch. Web – Click VLAN, 802.1Q VLAN, Basic Information. Figure 3-74 VLAN Basic Information CLI – Enter the following command. Console#show bridge-ext 4-248 Max support VLAN numbers:...
  • Page 243: Figure 3-75 VLAN Current Table

    • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry. • Egress Ports – Shows all the VLAN port members. • Untagged Ports –...
  • Page 244: Creating VLANs

    CLI – Current VLAN information can be displayed with the following command. Console#show vlan id 1 4-239 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Console# Creating VLANs...
  • Page 245: Figure 3-76 VLAN Static List - Creating VLANs

    • Remove – Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged. Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
  • Page 246: Adding Static Members To VLANs (VLAN Index)

    Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices.
  • Page 247: Figure 3-77 VLAN Static Table - Adding Static Members

    - Forbidden: Interface is forbidden from automatically joining the VLAN via GVRP. For more information, see “Automatic VLAN Registration” on page 3-187. - None: Interface is not a member of the VLAN. Packets associated with this VLAN will not be transmitted by the interface. •...
  • Page 248: Adding Static Members To VLANs (Port Index)

    Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port (1-8) or trunk identifier. •...
  • Page 249: Configuring VLAN Behavior For Interfaces

    Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 250 If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port). If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
  • Page 251: Figure 3-79 VLAN Port Configuration

    • Mode – Indicates VLAN membership mode for an interface. (Default: Hybrid) 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
  • Page 252: Configuring Private VLANs

    CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. Console(config)#interface ethernet 1/3 4-170 Console(config-if)#switchport acceptable-frame-types tagged 4-234...
  • Page 253: Configuring Uplink And Downlink Ports

    Web – Click VLAN, Private VLAN, Status. Select Enable or Disable from the scroll-down box, and click Apply. Figure 3-80 Private VLAN Status CLI – This example enables private VLANs. Console(config)#pvlan 4-240 Console(config)# Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports.
  • Page 254: Configuring Protocol-Based VLANs

    CLI – This configures port 3 as an uplink and ports 5 and 6 as downlinks. Console(config)#pvlan up-link ethernet 1/3 down-link ethernet 1/5-6 4-240 Console(config)#end Console#show pvlan Private VLAN status: Enabled Up-link port: Ethernet 1/3 Down-link port: Ethernet 1/5 Ethernet 1/6 Console#...
  • Page 255: Configuring Protocol Groups

    Configuring Protocol Groups Create a protocol group for one or more protocols. Command Attributes • Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647) • Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) •...
  • Page 256: Mapping Protocols To VLANs

    Mapping Protocols to VLANs Map a protocol group to a VLAN for each interface that will participate in the group. Command Usage • When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table (page 3-194) or VLAN Static Membership by Port menu (page 3-196), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 257: Figure 3-83 Protocol VLAN Port Configuration

    Web – Click VLAN, Protocol VLAN, Port Configuration. Select a port or trunk, enter a protocol group ID, the corresponding VLAN ID, and click Apply. Figure 3-83 Protocol VLAN Port Configuration CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3.
  • Page 258: Class Of Service Configuration

    Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 259: Figure 3-84 Default Port Priority

    • Number of Egress Traffic Classes – The number of queue buffers provided for each port. Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-84 Default Port Priority CLI –...
  • Page 260: Mapping CoS Values To Egress Queues

    Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 261: Selecting The Queue Mode

    Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-85 Traffic Classes CLI – The following example shows how to change the CoS assignments to a one-to-one mapping. Console(config)#interface ethernet 1/1 4-170 Console(config-if)#queue cos-map 0 0...
  • Page 262: Setting The Service Weight For Traffic Classes

    predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. Command Attributes •...
  • Page 263: Figure 3-87 Queue Scheduling

    the corresponding traffic priorities). This weight sets the frequency at which each queue will be polled for service, and subsequently affects the response time for software applications assigned a specific priority value. Command Attributes • WRR Setting Table –...
  • Page 264: Layer 3/4 Priority Settings

    CLI – The following example shows how to assign WRR weights to each of the priority queues. Console(config)#interface ethernet 1/1 Console(config-if)#queue bandwidth 1 3 5 7 9 11 13 15 4-255 Console(config-if)#end Console#show queue bandwidth 4-258 Information of Eth 1/1 Queue ID Weight --------...
  • Page 265: Selecting IP Precedence/DSCP Priority

    Selecting IP Precedence/DSCP Priority The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature. Command Attributes • Disabled – Disables both priority services. (This is the default setting.) •...
  • Page 266: Table 3-14 Mapping IP Precedence

    Bits 6 and 7 are used for network control, and the other bits for various application types. ToS bits are defined in the following table. Table 3-14 Mapping IP Precedence (columns: Priority Level, Traffic Type, Priority Level, Traffic Type) Network Control Flash...
  • Page 267: Mapping DSCP Priority

    CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings. Console(config)#map ip precedence 4-261 Console(config)#interface ethernet 1/1 4-170 Console(config-if)#map ip precedence 1 cos 0...
  • Page 268: Figure 3-90 IP DSCP Priority

    Table 3-15 Mapping DSCP Priority IP DSCP Value CoS Value 26, 28, 30, 32, 34, 36 38, 40, 42 46, 56 Command Attributes • DSCP Priority Table – Shows the DSCP Priority to CoS map. • Class of Service Value – Maps a CoS value to the selected DSCP Priority value.
  • Page 269: Mapping IP Port Priority

    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp 4-262 Console(config)#interface ethernet 1/1 4-170 Console(config-if)#map ip dscp 1 cos 0 4-263...
  • Page 270: Figure 3-91 IP Port Priority Status

    Web – Click Priority, IP Port Status. Set IP Port Priority Status to Enabled. Figure 3-91 IP Port Priority Status Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.
  • Page 271: Mapping CoS Values To ACLs

    * Mapping specific values for IP DSCP is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch. Mapping CoS Values to ACLs Use the ACL CoS Mapping page to set the output queue for packets matching an ACL rule as shown in the following table.
  • Page 272: Figure 3-93 ACL CoS Priority

    Web – Click Priority, ACL CoS Priority. Select a port, select an ACL rule, specify a CoS priority, then click Add. Figure 3-93 ACL CoS Priority CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 1.
  • Page 273: Multicast Filtering

    Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local Multicast...
  • Page 274: IGMP Protocol

    IGMP Protocol The Internet Group Management Protocol (IGMP) runs between hosts and their immediately adjacent multicast router/switch. IGMP is a multicast host registration protocol that allows any host to inform its local router that it wants to receive transmissions addressed to a specific multicast group.
  • Page 275: Configuring Igmp Snooping And Query Parameters

    your switch (page 3-227). This interface will then join all the current multicast groups supported by the attached router/switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch. Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-229).
  • Page 276 Command Attributes • IGMP Status — When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is also referred to as IGMP Snooping. (Default: Enabled) • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
  • Page 277: Figure 3-94 Igmp Configuration

    Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-94 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
  • Page 278: Displaying Interfaces Attached To A Multicast Router

    Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 279: Specifying Static Interfaces For A Multicast Router

    CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
    Console#show ip igmp snooping mrouter vlan 1
    VLAN M'cast Router Port Type
    ---- ------------------ -------
    Eth 1/11 Static
    Console#
    Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always...
  • Page 280: Displaying Port Members Of Multicast Services

    Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply. Figure 3-96 Static Multicast Router Port Configuration CLI –...
  • Page 281: Assigning Ports To Multicast Services

    Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-97 Displaying Port Members of Multicast Services CLI –...
  • Page 282: Figure 3-98 Specifying Multicast Port Membership

    Command Usage • Static multicast addresses are never aged out. • When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. Command Attribute •...
  • Page 283: Configuring Domain Name Service

    CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.
    Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/1
    Console(config)#exit
    Console#show mac-address-table multicast vlan 1
    VLAN M'cast IP addr.
  • Page 284 • When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 285: Figure 3-99 Dns General Configuration

    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-99 DNS General Configuration...
  • Page 286: Configuring Static Dns Host To Address Entries

    CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
    Console(config)#ip domain-name sample.com
    Console(config)#ip domain-list sample.com.uk
    Console(config)#ip domain-list sample.com.jp
    Console(config)#ip name-server 192.168.1.55 10.1.0.55...
  • Page 287: Figure 3-100 Dns Static Host Table

    • IP Address – Internet address(es) associated with a host name. (Range: 1-8 addresses) • Alias – Displays the host names that are mapped to the same address(es) as a previously configured entry. Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
  • Page 288: Displaying The Dns Cache

    CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
    Console(config)#ip host rd5 192.168.1.55 10.1.0.55
    Console(config)#ip host rd6 10.1.0.55
    Console(config)#end
    Console#show hosts
    Hostname
    Inet address 10.1.0.55 192.168.1.55
    Alias...
  • Page 289: Figure 3-101 Dns Cache

    Web – Select DNS, Cache. Figure 3-101 DNS Cache CLI - This example displays all the resource records learned from the designated name servers.
    Console#show dns cache
    FLAG TYPE DOMAIN
    CNAME 207.46.134.222 www.microsoft.akadns.net
    CNAME 207.46.134.190 www.microsoft.akadns.net
    CNAME 207.46.134.155 www.microsoft.akadns.net...
  • Page 291: Command Line Interface

    This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 292: Telnet Connection

    After connecting to the system through the console port, the login screen displays:
    User Access Verification
    Username: admin
    Password:
    CLI session with the 8*10GE L2 Switch is opened.
    To end the CLI session, enter [Exit].
    Console#
    Telnet Connection Telnet operates over the IP transport protocol.
  • Page 293 After you configure the switch with an IP address, you can open a Telnet session by performing these steps: 1. From the remote host, enter the Telnet command and the IP address of the device you want to access. 2.
  • Page 294: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 295: Command Completion

    Command Completion If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “logging history” example, typing log followed by a tab will result in printing the command up to “logging.”...
  • Page 296: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, DHCP, Interface, Line, Router, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
  • Page 297: Partial Keyword Lookup

    The command “show interfaces ?” will display the following information:
    Console#show interfaces ?
    counters Information of interfaces counters
    protocol-vlan Protocol-vlan information
    status Information of interfaces status
    switchport Information of interfaces switchport
    Console#
    Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 298: Understanding Command Modes

    Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes.
  • Page 299: Configuration Commands

    To enter Privileged Exec mode, enter the following user names and passwords:
    Username: admin
    Password: [admin login password]
    CLI session with the 8*10GE L2 Switch is opened.
    To end the CLI session, enter [Exit].
    Console#
    Username: guest
    Password: [guest login password]
    CLI session with the 8*10GE L2 Switch is opened.
  • Page 300: Table 4-2 Configuration Command Modes

    • Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits. • VLAN Configuration - Includes the command to create VLAN groups. • Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
  • Page 301: Command Line Processing

    For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
    Console(config)#interface ethernet 1/5
    Console(config-if)#exit
    Console(config)#
    Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 302: Command Groups

    Table 4-3 Keystroke Commands (Continued)
    Keystroke – Function
    Esc-D – Deletes from the cursor to the end of the word.
    Esc-F – Moves the cursor forward one word.
    Delete key or backspace key – Erases a mistake when entering a command.
    Command Groups The system commands can be broken down into the functional groups shown below. Table 4-4 Command Group Index...
  • Page 303 Table 4-4 Command Group Index (Continued)
    Command Group – Description (Page)
    Mirror Port – Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port (page 4-182)
    Rate Limiting – Controls the maximum rate for traffic transmitted or received on a port (page 4-184)
    Link Aggregation...
  • Page 304: Line Commands

    The access mode shown in the following tables is indicated by these abbreviations: PE (Privileged Exec); VC (VLAN Database Configuration); NE (Normal Exec); MST (Multiple Spanning Tree); GC (Global Configuration); LC (Line Configuration); IC (Interface Configuration); ACL (Access Control List Configuration). Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
  • Page 305: Line

    Table 4-5 Line Commands (Continued)
    Command – Function (Page)
    parity – Defines the generation of a parity bit (page 4-23)
    speed – Sets the terminal baud rate (page 4-23)
    stopbits – Sets the number of the stop bits transmitted per byte (page 4-24)
    disconnect – Terminates a line connection (page 4-25)
    show line – Displays a terminal line's parameters...
  • Page 306: Login

    Example To enter console line mode, enter the following command:
    Console(config)#line console
    Console(config-line)#
    Related Commands show line (4-25) show users (4-84) login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login...
  • Page 307: Password

    - no login selects no authentication. When using this method, the management interface starts in Normal Exec (NE) mode. • This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
  • Page 308: Timeout Login Response

    password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server.
  • Page 309: Exec-Timeout

    • The timeout for Telnet cannot be disabled. • Using the command without specifying a timeout restores the default setting. Example To set the timeout to two minutes, enter this command:
    Console(config-line)#timeout login response 120
    Console(config-line)#
    exec-timeout This command sets the interval that the system waits until user input is detected.
  • Page 310: Password-Thresh

    Example To set the timeout to two minutes, enter this command:
    Console(config-line)#exec-timeout 120
    Console(config-line)#
    password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
  • Page 311: Silent-Time

    Related Commands silent-time (4-21) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 312: Databits

    databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. •...
  • Page 313: Parity

    parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity • none - No parity • even - Even parity • odd - Odd parity Default Setting No parity Command Mode...
  • Page 314: Stopbits

    Default Setting auto Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported.
  • Page 315: Disconnect

    Example To specify 2 stop bits, enter this command:
    Console(config-line)#stopbits 2
    Console(config-line)#
    disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage...
  • Page 316: General Commands

    Default Setting Shows all lines Command Mode Normal Exec, Privileged Exec Example To show all lines, enter this command:
    Console#show line
    Console configuration:
    Password threshold: 3 times
    Interactive timeout: Disabled
    Login timeout: Disabled
    Silent time: Disabled
    Baudrate: auto
    Databits:
    Parity: none...
  • Page 317: Enable

    Table 4-6 General Commands Command Function Mode Page Returns to Privileged Exec mode 4-31 config. mode exit Returns to the previous configuration mode, or 4-31 exits the CLI quit Exits a CLI session NE, PE 4-32 help Shows how to use help Shows options for command completion (context sensitive) enable...
  • Page 318: Disable

    Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-37.) • The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
  • Page 319: Configure

    configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 320: Reload

    Example In this example, the show history command lists the contents of the command history buffer:
    Console#show history
    Execution command history:
     2 config
     1 show history
    Configuration command history:
     4 interface vlan 1
     3 exit
     2 interface vlan 1
     1 end
    Console#
    The ! command repeats commands from the Execution command history...
  • Page 321: End

    Command Usage This command resets the entire system. Example This example shows how to reset the switch:
    Console#reload
    System will be restarted, continue <y/n>? y
    This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 322: Quit

    Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
    Console(config)#exit
    Console#exit
    Press ENTER to start session
    User Access Verification
    Username:
    quit This command exits the configuration program. Default Setting None Command Mode...
  • Page 323: System Management Commands

    System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-7 System Management Commands Command Function Page Group Device Configures information that uniquely identifies this 4-33 Designation...
  • Page 324: Prompt

    Table 4-8 Device Designation Commands (Continued)
    Command – Function (Page)
    snmp-server contact – Sets the system contact string (page 4-153)
    snmp-server location – Sets the system location string (page 4-154)
    prompt This command customizes the CLI prompt. Use the no form to restore the default prompt.
  • Page 325: User Access Commands

    Default Setting None Command Mode Global Configuration Example
    Console(config)#hostname RD#1
    Console(config)#
    User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-14), user authentication via a remote authentication server (page 4-94), and host access authentication for specific ports (page 4-107).
  • Page 326: Username

    username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
  • Page 327: Enable Password

    Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
  • Page 328: Ip Filter Commands

    Command Usage • You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command (page 4-27). • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server.
  • Page 329: Management

    management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address] •...
  • Page 330: Show Management

    • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Example This example restricts management access to the indicated addresses.
    Console(config)#management all-client 192.168.1.19
    Console(config)#management all-client 192.168.1.25 192.168.1.30
    Console(config)#
    show management This command displays the client IP addresses that are allowed...
  • Page 331: Web Server Commands

    Example
    Console#show management all-client
    Management Ip Filter
    HTTP-Client:
    Start IP address End IP address
    -----------------------------------------------
    1. 192.168.1.19 192.168.1.19
    2. 192.168.1.25 192.168.1.30
    SNMP-Client:
    Start IP address End IP address
    -----------------------------------------------
    1. 192.168.1.19 192.168.1.19
    2. 192.168.1.25 192.168.1.30
    TELNET-Client:
    Start IP address End IP address
    -----------------------------------------------
    1.
  • Page 332: Ip Http Port

    ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1-65535) Default Setting Command Mode...
  • Page 333: Ip Http Secure-Server

    Example
    Console(config)#ip http server
    Console(config)#
    Related Commands ip http port (4-42) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
  • Page 334: Ip Http Secure-Port

    • The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x and Netscape Navigator 6.2 or later versions. • The following web browsers and operating systems currently support HTTPS: Table 4-13 HTTPS System Support Web Browser...
  • Page 335: Telnet Server Commands

    Default Setting Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example...
  • Page 336: Ip Telnet Server

    ip telnet server This command allows this device to be monitored or configured from Telnet. It also specifies the TCP port number used by the Telnet interface. Use the no form without the “port” keyword to disable this function. Use the no form with the “port”...
  • Page 337: Table 4-15 Secure Shell Commands

    name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered. This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
  • Page 338 Table 4-15 Secure Shell Commands (Continued)
    Command – Function (Page)
    show ssh – Displays the status of current SSH sessions (page 4-56)
    show public-key – Shows the public key for the specified user or for the host (page 4-57)
    show users – Shows SSH users, including privilege level and public key type (page 4-84)
    The SSH server on this switch supports both password and public key...
  • Page 339 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch with the username command as described on page 4-36.) The clients are subsequently authenticated using these keys.
  • Page 340: Ip Ssh Server

    The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated. Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file.
  • Page 341: Ip Ssh Timeout

    Example
    Console#ip ssh crypto host-key generate dsa
    Console#configure
    Console(config)#ip ssh server
    Console(config)#
    Related Commands ip ssh crypto host-key generate (4-53) show ssh (4-56) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting.
  • Page 342: Ip Ssh Authentication-Retries

    ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
  • Page 343: Delete Public-Key

    Command Usage • The server key is a private key that is never shared outside the switch. • The host key is shared with the SSH client, and is fixed at 1024 bits. Example
    Console(config)#ip ssh server-key size 512
    Console(config)#
    delete public-key This command deletes the specified user’s public key.
  • Page 344: Ip Ssh Crypto Zeroize

    Command Mode Privileged Exec Command Usage • This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory. • Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process.
  • Page 345: Ip Ssh Save Host-Key

    Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
  • Page 346: Show Ssh

    show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example
    Console#show ip ssh
    SSH Enabled - version 2.0
    Negotiation timeout: 120 secs; Authentication retries: 3
    Server key size: 768 bits
    Console#
    show ssh...
  • Page 347: Table 4-7 System Management Commands

    Table 4-16 show ssh - display description (Continued)
    Field – Description
    Username – The user name of the client.
    Encryption – The encryption method is automatically negotiated between the client and server.
    Options for SSHv1.5 include: DES, 3DES
    Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc):
    aes128-cbc-hmac-sha1
    aes192-cbc-hmac-sha1...
  • Page 348: L Ine I Nterface

    Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
  • Page 349: Logging On

    Event Logging Commands
    Table 4-17 Event Logging Commands
    Command – Function (Page)
    logging on – Controls logging of error messages (page 4-59)
    logging history – Limits syslog messages saved to switch memory based on severity (page 4-60)
    logging host – Adds a syslog server host IP address that will receive logging messages (page 4-61)
    logging facility...
  • Page 350: Logging History

    Example
    Console(config)#logging on
    Console(config)#
    Related Commands logging history (4-60) clear log (4-64) logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
  • Page 351: Logging Host

    Table 4-18 Logging Levels
    Level Severity Name – Description
    warnings – Warning conditions (e.g., return false, unexpected return)
    errors – Error conditions (e.g., invalid input, default used)
    critical – Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
    alerts – Immediate action needed
    emergencies...
  • Page 352: Logging Facility

    Default Setting None Command Mode Global Configuration Command Usage • By using this command more than once you can build up a list of host IP addresses. • The maximum number of host IP addresses allowed is five. Example
    Console(config)#logging host 10.1.0.3
    Console(config)#...
  • Page 353: Logging Trap

    logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 354: Clear Log

    clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 355: Table 4-19 Show Logging Flash/Ram - Display Description

    Default Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
    Console#show logging flash
    Syslog logging: Enabled...
  • Page 356: Show Log

    Table 4-20 show logging trap - display description
    Field – Description
    Syslog logging – Shows if system logging has been enabled via the logging on command.
    REMOTELOG status – Shows if remote logging has been enabled via the logging trap command.
    REMOTELOG facility type – The facility type for remote logging of syslog messages as...
  • Page 357: Table 4-21 Smtp Alert Commands

    Example The following example shows the event message stored in RAM.
    Console#show log ram
    [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
    [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...
  • Page 358: Logging Sendmail Host

    logging sendmail host This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server. Syntax [no] logging sendmail host ip_address ip_address - IP address of an SMTP server that will be sent alert messages for event handling.
  • Page 359: Logging Sendmail Level

    logging sendmail level This command sets the severity threshold used to trigger alert messages. Syntax logging sendmail level level level - One of the system message levels (page 4-60). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7) Default Setting Level 7 Command Mode...
  • Page 360: Logging Sendmail Destination-Email

    Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
  • Page 361: Logging Sendmail

    logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
  • Page 362: Sntp Client

    Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 363: Sntp Server

    Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 364: Sntp Poll

    Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
  • Page 365: Show Sntp

    Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-72) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 366: Clock Timezone

    clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-13 hours) •...
  • Page 367: Calendar Set

    calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 368: System Status Commands

    Example Console#show calendar 15:12:34 February 1 2002 Console# System Status Commands Table 4-23 System Status Commands Command Function Mode Page show Displays the contents of the configuration file 4-78 startup-config (stored in flash memory) that is used to start up the system show Displays the configuration data currently in...
  • Page 369 • This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - MAC address for the switch - SNTP server settings - SNMP community strings - Users (names and access levels)
  • Page 370: Related Commands

    Example
    Console#show startup-config
    !<stackingDB>00</stackingDB>
    !<stackingMac>01_00-0c-db-21-11-33_00</stackingMac>
    phymap 00-0c-db-21-11-33
    SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
    snmp-server community public ro
    snmp-server community private rw
    username admin access-level 15
    username admin password 7 21232f297a57a5a743894a0e4a801fc3
    username guest access-level 0
    username guest password 7 084e0343a0486ff05530df6c705c8bb4
    enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
    VLAN database
    VLAN 1 media ethernet state active...
  • Page 371: Show Running-Config

    show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 372

    Example
    Console#show running-config
    building running-config, please wait...
    !<stackingDB>00</stackingDB>
    !<stackingMac>01_00-0c-db-21-11-33_00</stackingMac>
    phymap 00-0c-db-21-11-33
    SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
    snmp-server community public ro
    snmp-server community private rw
    username admin access-level 15
    username admin password 7 21232f297a57a5a743894a0e4a801fc3
    username guest access-level 0
    username guest password 7 084e0343a0486ff05530df6c705c8bb4
    enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
    VLAN database
    VLAN 1 media ethernet state active...
  • Page 373: Show System

    show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-14. •...
  • Page 374: Show Users

    show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 375: Frame Size Commands

    Command Mode Normal Exec, Privileged Exec Command Usage See “Displaying Switch Hardware/Software Versions” on page 3-16 for detailed information on the items displayed by this command. Example Console#show version Unit 1 Serial Number: A000000022 Hardware Version: EPLD Version: 1.00 Number of Ports: Main Power Status:...
  • Page 376: Flash/File Commands

    Command Usage • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 377: Copy

    copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
  • Page 378 • Due to the size limit of the flash memory, the switch supports only two operation code files. • The maximum number of user-defined configuration files depends on available memory. • You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
  • Page 379 The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 380: Delete

    delete This command deletes a file or image. Syntax delete filename filename - Name of configuration file or code image. Default Setting None Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted.
  • Page 381: Dir

    dir This command displays a list of files in flash memory. Syntax dir {{boot-rom: | config: | opcode:} [filename]} The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. • config - Switch configuration file. •...
  • Page 382: Whichboot

    Example The following example shows how to display all file information: Console#dir File name File type Startup Size (byte) ------------------------------------- -------------- ------- ----------- Unit1: SMC8708L2_Diag_v3006.bix Boot-Rom Image 1164420 SMC8708L2_Runtime_v3.0.0.4.bix Operation Code 3154548 Factory_Default_Config.cfg Config File startup1.cfg Config File 1584 --------------------------------------------------------------------------- Total free space:...
  • Page 383: Boot System

    boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom| config | opcode}: filename The type of file or image to set as a default includes: • boot-rom* - Boot ROM. •...
  • Page 384: Authentication Commands

    Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X. Table 4-27 Authentication Commands Command Group Function Page...
  • Page 385: Authentication Login

    authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server password. •...
  • Page 386: Authentication Enable

    Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-36) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-27).
  • Page 387: Radius Client

    • You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication enable radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server.
  • Page 388: Radius-Server Host

    radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key] •...
  • Page 389: Radius-Server Port

    radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812 Command Mode Global Configuration...
  • Page 390: Radius-Server Retransmit

    Example Console(config)#radius-server key green Console(config)# radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 391: Show Radius-Server

    Command Mode Global Configuration Example Console(config)#radius-server timeout 10 Console(config)# show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: 1812 Retransmit times:...
  • Page 392: Tacacs+ Client

    TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 393: Tacacs-Server Port

    tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting Command Mode Global Configuration Example...
  • Page 394: Show Tacacs-Server

    Example Console(config)#tacacs-server key green Console(config)# show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS server configuration: Server IP address: 10.11.12.13 Communication key with TACACS server: ***** Server port number: Console# Port Security Commands...
  • Page 395: Port Security

    Table 4-31 Port Security Commands Command Function Mode Page port security Configures a secure port 4-105 mac-address-table Maps a static address to a port in a 4-199 static VLAN show Displays entries in the bridge-forwarding 4-201 mac-address-table database port security This command enables or configures port security.
  • Page 396 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. •...
  • Page 397: 802.1X Port Authentication

    802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 398: Dot1X System-Auth-Control

    dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
  • Page 399: Dot1X Port-Control

    Default Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control...
  • Page 400: Dot1X Operation-Mode

    dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 401: Dot1X Re-Authenticate

    dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-8) Command Mode Privileged Exec Example Console#dot1x re-authenticate Console#...
  • Page 402: Dot1X Timeout Quiet-Period

    dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of seconds.
  • Page 403: Dot1X Timeout Tx-Period

    Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period...
  • Page 404 Command Mode Privileged Exec Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: - Status...
  • Page 405 - Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port. - Max Count – The maximum number of hosts allowed to access this port (page 4-110). - Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 4-109).
  • Page 406 Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized enabled Single-Host Auto 802.1X Port Details 802.1X is enabled on port 1/1 802.1X is enabled on port 8 reauth-enabled: Enable...
  • Page 407: Access Control List Commands

    Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 408 to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC ACL and Egress MAC ACL. • When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail. •...
  • Page 409: Table 4-34 Ip Acl Commands

    IP ACL, Egress IP ACL, Ingress MAC ACL or Egress MAC ACL), but a mask can be bound to up to four ACLs of the same type. Table 4-33 Access Control List Commands Command Groups Function Page IP ACLs Configures ACLs based on IP addresses, TCP/ 4-119...
  • Page 410: Access-List Ip

    Table 4-34 IP ACL Commands (Continued) Command Function Mode Page show access-list Shows the ingress or egress rule masks for 4-131 IP ACLs mask-precedence ip access-group Adds a port to an IP ACL 4-132 show ip Shows port assignments for IP ACLs 4-132 access-group map access-list ip Sets the CoS value and corresponding...
  • Page 411: Access-List Ip Extended Fragment-Auto-Mask

    Command Mode Global Configuration Command Usage • An egress ACL must contain all deny rules. • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 412: Permit, Deny (Standard Acl)

    Command Usage If this feature is disabled, fragmented packets will not be matched by any ACL rule, and will be handled according to the default permit or deny rule. Example Console(config)#access-list ip extended fragment-auto-mask Console(config)# permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL.
  • Page 413: Permit, Deny (Extended Acl)

    Example This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Console(config-std-acl)#permit host 10.1.1.21 Console(config-std-acl)#permit 168.92.16.0 255.255.240.0 Console(config-std-acl)# Related Commands access-list ip (4-120) permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL.
  • Page 414 • tos – Type of Service level. (Range: 0-15) • dscp – DSCP priority level. (Range: 0-63) • sport – Protocol source port number. (Range: 0-65535) • dport – Protocol destination port number. (Range: 0-65535) • port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) •...
  • Page 415 - 16 (ack) – Acknowledgement - 32 (urg) – Urgent pointer For example, use the code value and mask below to catch packets with the following flags set: - SYN flag valid, use “control-code 2 2” - Both SYN and ACK valid, use “control-code 18 18” - SYN valid and ACK invalid, use “control-code 2 18”...
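The address bitmask on page 413 and the control-code/bitmask pairs on page 415 can be checked before a rule is committed to the switch. The following is an added example, not code from the manual or from SMC. It assumes that a bit set in a bitmask means "compare this bit" and that the flag values are the standard TCP control bits; the function names and sample segments are constructed for illustration.

```python
import ipaddress

# Standard TCP control-bit values, entered as decimals for "control-code".
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def addr_matches(packet_ip, rule_ip, bitmask):
    """True when packet_ip equals rule_ip on every bit set in bitmask."""
    mask = _ip(bitmask)
    return (_ip(packet_ip) & mask) == (_ip(rule_ip) & mask)


def covered_range(rule_ip, bitmask):
    """First and last address a rule covers.

    Returns None for a non-contiguous bitmask, which selects a scattered
    set of addresses rather than a single range.
    """
    mask = _ip(bitmask)
    host_bits = ~mask & 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        return None
    first = _ip(rule_ip) & mask
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | host_bits)))


def control_code_matches(tcp_flags, code, code_bitmask):
    """Assumed semantics: only bits set in code_bitmask are compared."""
    return (tcp_flags & code_bitmask) == (code & code_bitmask)


# The three control-code examples from the text: label -> (code, bitmask).
PAGE_RULES = {
    "control-code 2 2": (2, 2),      # SYN set, other flags ignored
    "control-code 18 18": (18, 18),  # SYN and ACK both set
    "control-code 2 18": (2, 18),    # SYN set and ACK clear
}

# Constructed sample segments (flag combinations only).
SAMPLES = {
    "SYN": SYN,
    "SYN+ACK": SYN | ACK,
    "ACK": ACK,
    "FIN+ACK": FIN | ACK,
    "RST": RST,
}


def rules_hit(tcp_flags):
    """Labels of the page's control-code rules that match tcp_flags."""
    return [label for label, (code, mask) in PAGE_RULES.items()
            if control_code_matches(tcp_flags, code, mask)]


if __name__ == "__main__":
    # The "permit 168.92.16.0 255.255.240.0" rule from page 413.
    print(covered_range("168.92.16.0", "255.255.240.0"))
    for label, flags in SAMPLES.items():
        print(f"{label:8} -> {rules_hit(flags)}")
```

A rule written as "control-code 2 2" also matches SYN+ACK segments, so a filter meant to catch only connection-opening segments needs the "2 18" form.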
  • Page 416: Show Ip Access-List

    show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. • acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example...
  • Page 417 Command Usage • A mask can only be used by all ingress ACLs or all egress ACLs. • The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a packet.
  • Page 418: Mask (Ip Acl)

    mask (IP ACL) This command defines a mask for IP ACLs. This mask defines the fields to check in the IP header. Use the no form to remove a mask. Syntax [no] mask [protocol] {any | host | source-bitmask} {any | host | destination-bitmask} [precedence] [tos] [dscp] [source-port [port-bitmask]] [destination-port [port-bitmask]]...
  • Page 419 Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
  • Page 420 This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others. Console(config)#access-list ip standard A2 Console(config-std-acl)#permit any Console(config-std-acl)#deny host 171.69.198.102 Console(config-std-acl)#end Console#show access-list IP standard access-list A2: deny host 171.69.198.102 permit any...
  • Page 421: Table 4-33 Access Control List Commands

    This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL.
  • Page 422: Ip Access-Group

    Command Mode Privileged Exec Example Console#show access-list ip mask-precedence IP ingress mask ACL: mask host any mask 255.255.255.0 any Console# Related Commands mask (IP ACL) (4-128) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port.
  • Page 423: Show Ip Access-Group

    Example Console(config)#int eth 1/2 Console(config-if)#ip access-group standard david in Console(config-if)# Related Commands show ip access-list (4-126) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/2 IP standard access-list david Console# Related Commands...
  • Page 424: Show Map Access-List Ip

    Command Usage • You must configure an ACL mask before you can map CoS values to the rule. • A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table. For information on mapping the CoS values to output queues, see queue cos-map on page 4-256.
  • Page 425: Match Access-List Ip

    Example Console#show map access-list ip Access-list to COS of Eth 1/4 Access-list ALS1 cos 0 Console# Related Commands map access-list ip (4-133) match access-list ip This command changes the IEEE 802.1p priority, IP Precedence, or DSCP Priority of a frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker.
  • Page 426: Show Marking

    • The IP frame header also includes priority bits in the Type of Service (ToS) octet. The Type of Service octet may contain three bits for IP Precedence or six bits for Differentiated Services Code Point (DSCP) service. To specify the IP precedence priority, use the set tos keywords. To specify the DSCP priority, use the set dscp keywords.
  • Page 427: Mac Acls

    MAC ACLs Table 4-36 MAC ACL Commands Command Function Mode Page access-list mac Creates a MAC ACL and enters 4-138 configuration mode permit, deny Filters packets matching a specified MAC-ACL 4-139 source and destination address, packet format, and Ethernet type show mac Displays the rules for configured MAC 4-141...
  • Page 428: Access-List Mac

    access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
  • Page 429: Permit, Deny (Mac Acl)

    permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 430 • address-bitmask – Bitmask for MAC address (in hexadecimal format). • vid – VLAN ID. (Range: 1-4094) • vid-bitmask – VLAN bitmask. (Range: 1-4094) • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.) Default Setting None Command Mode...
  • Page 431: Show Mac Access-List

    show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800 Console# Related Commands...
  • Page 432: Mask (Mac Acl)

    • A mask can only be used by all ingress ACLs or all egress ACLs. • The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a packet.
  • Page 433 Command Mode MAC Mask Command Usage • Up to seven masks can be assigned to an ingress or egress ACL. • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
  • Page 434: Show Access-List Mac Mask-Precedence

    This example creates an Egress MAC ACL. Console(config)#access-list mac M5 Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806 Console(config-mac-acl)#end Console#show access-list MAC access-list M5: deny tagged-802.3 host 00-11-11-11-11-11 any deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 ethertype 0806 Console(config)#access-list mac mask-precedence out Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any Console(config-mac-mask-acl)#exit...
  • Page 435: Mac Access-Group

    mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) •...
  • Page 436: Map Access-List Mac

    Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 out Console# Related Commands mac access-group (4-145) map access-list mac This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue;...
  • Page 437: Show Map Access-List Mac

    Example Console(config)#int eth 1/5 Console(config-if)#map access-list mac M5 cos 0 Console(config-if)# Related Commands queue cos-map (4-256) show map access-list mac (4-147) show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface.
  • Page 438: Match Access-List Mac

    match access-list mac This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker. Syntax match access-list mac acl_name set priority priority no match access-list mac acl_name...
  • Page 439: Show Access-List

    ACL Information Table 4-38 ACL Information Commands Command Function Mode Page show access-list Show all ACLs and associated rules 4-149 show access-group Shows the ACLs assigned to each port 4-149 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 440: Snmp Commands

    Example Console#show access-group Interface ethernet 1/2 IP standard access-list david MAC access-list jerry Console# SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
  • Page 441: Snmp-Server

    Table 4-39 SNMP Commands (Continued) Command Function Mode Page snmp-server enable Enables the device to send SNMP traps 4-158 traps (i.e., SNMP notifications) snmp-server Sets the SNMP engine ID 4-159 engine-id show snmp Shows the SNMP engine ID 4-160 engine-id snmp-server view...
  • Page 442: Show Snmp

    show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 443: Snmp-Server Community

    snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 444: Snmp-Server Location

    Default Setting None Command Mode Global Configuration Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (4-154) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
  • Page 445: Snmp-Server Host

    snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr •...
  • Page 446 Default Setting • Host Address: None • Notification Type: Traps • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
  • Page 447 3. Specify the target host that will receive inform messages with the snmp-server host command as described in this section. 4. Create a view with the required notification messages (page 4-161). 5. Create a group that includes the required notify view (page 4-163). To send an inform to an SNMPv3 host, complete these steps: 1.
  • Page 448: Snmp-Server Enable Traps

    snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] • authentication - Keyword to issue authentication failure notifications.
  • Page 449: Snmp-Server Engine-Id

    Example Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands snmp-server host (4-155) snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} •...
  • Page 450: Show Snmp Engine-Id

    • A remote engine ID is required when using SNMPv3 informs. (See snmp-server host on page 4-155.) The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent.
  • Page 451: Snmp-Server View

    Table 4-40 show snmp engine-id - display description Field Description Local SNMP String identifying the engine ID. engineID Local SNMP The number of times that the engine has (re-)initialized since engineBoots the snmp EngineID was last configured. Remote SNMP String identifying an engine ID on a remote device.
  • Page 452: Show Snmp View

    Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries.
  • Page 453: Snmp-Server Group

    Table 4-41 show snmp view - display description Field Description View Name Name of an SNMP view. Subtree OID A branch in the MIB tree. View Type Indicates if the view is included or excluded. Storage Type The storage type for this entry.
  • Page 454: Show Snmp Group

    Command Mode Global Configuration Command Usage • A group sets the access policy for the assigned users. • When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. • When privacy is selected, the DES 56-bit algorithm is used for data encryption.
  • Page 455: Table 4-42 Show Snmp Group - Display Description

    Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent Row Status: active Group Name: public Security Model: v1 Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active...
  • Page 456: Snmp-Server User

    Table 4-42 show snmp group - display description (Continued) Field Description writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry. snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View.
  • Page 457: Global Configuration

    Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. •...
  • Page 458: Show Snmp User

    show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
  • Page 459: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-44 Interface Commands Command Function Mode Page interface Configures an interface type and enters 4-170 interface configuration mode description Adds a description to an interface 4-170...
  • Page 460: Interface

    interface This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax interface interface no interface port-channel channel-id interface • ethernet unit/port - unit - This is unit 1. - port - Port number.
  • Page 461: Speed-Duplex

    Default Setting None Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Example The following example adds a description to port 4. Console(config)#interface ethernet 1/4 Console(config-if)#description RD-SW#3 Console(config-if)# speed-duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled.
  • Page 462: Negotiation

    Command Usage • To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface. • When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command.
  • Page 463: Capabilities

    Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. •...
  • Page 464: Shutdown

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex command.
  • Page 465: Switchport Broadcast Packet-Rate

    Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# switchport broadcast packet-rate This command configures broadcast storm control. Use the no form to disable broadcast storm control. Syntax switchport broadcast packet-rate rate no switchport broadcast rate - Threshold level as a rate;...
  • Page 466: Clear Counters

    clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-8) • port-channel channel-id (Range: 1-4) Default Setting None Command Mode Privileged Exec...
  • Page 467: Show Interfaces Status

    show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. (Range: 1-8) • port-channel channel-id (Range: 1-4) •...
  • Page 468: Show Interfaces Counters

    Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic Information: Port Type: Mac Address: 00-0C-DB-21-11-3B Configuration: Name: Port Admin: Speed-duplex: 10G full Capabilities: Broadcast Storm: Enabled Broadcast Storm Limit: 1042 packets/second LACP: Disabled Port Security: Disabled Max MAC Count: Port Security Action: None...
  • Page 469: Table 4-44 Interface Commands

    Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 3-146. Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable Stats: Octets Input: 229516, Octets Output: 464876 Unicast Input: 51, Unicast Output: 64...
  • Page 470: Show Interfaces Switchport

    show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-8) •...
  • Page 471: Table 4-45 Show Interfaces Switchport - Display Description

    Table 4-45 show interfaces switchport - display description Field Description Broadcast Shows if broadcast storm suppression is enabled or disabled; threshold if enabled it also shows the threshold level (page 4-175). LACP status Shows if Link Aggregation Control Protocol has been enabled or disabled (page 4-188).
  • Page 472: Mirror Port Commands

    Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-46 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 4-182 show port Shows the configuration for a mirror port 4-183 monitor port monitor...
  • Page 473: Show Port Monitor

    Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 474: Rate Limit Commands

    Example The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------- Destination Port (listen port): Eth1/ 8 Source Port (monitored port): Eth1/ 6 Mode :RX/TX Console#...
  • Page 475: Rate-Limit

    rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} •...
  • Page 476: Table 4-48 Link Aggregation Commands

    Table 4-48 Link Aggregation Commands Command Function Mode Page Manual Configuration Commands interface Configures a trunk and enters 4-170 port-channel interface configuration mode for the trunk channel-group Adds a port to a trunk IC (Ethernet) 4-187 Dynamic Configuration Commands lacp Configures LACP for the current IC (Ethernet)
  • Page 477: Channel-Group

    • All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel. • STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
  • Page 478: Lacp

    Command Usage • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch. Example The following example creates trunk 1 and then adds port 8: Console(config)#interface port-channel 1...
  • Page 479: Link Aggregation Commands

    Example The following shows LACP enabled on ports 6-8. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established. Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#exit...
  • Page 480: Lacp System-Priority

    lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. •...
  • Page 481: Lacp Admin-Key (Ethernet Interface)

    lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key • actor - The local side of an aggregate link. •...
  • Page 482: Lacp Admin-Key (Port Channel)

    lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp admin-key key [no] lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
  • Page 483: Lacp Port-Priority

    lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 484: Show Lacp

    show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channel - Local identifier for a link aggregation group. (Range: 1-4) • counters - Statistics for LACP protocol messages. •...
  • Page 485: Table 4-49 Show Lacp Counters - Display Description

    Table 4-49 show lacp counters - display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Number of valid LACPDUs received on this channel group. Received Marker Sent Number of valid Marker PDUs transmitted from this channel group.
  • Page 486 Table 4-50 show lacp internal - display description (Continued) Field Description LACP System LACP system priority assigned to this port channel. Priority LACP Port LACP port priority assigned to this interface within the channel Priority group. Admin State, Administrative or operational values of the actor’s state parameters: Oper State...
  • Page 487: Table 4-51 Show Lacp Neighbors - Display Description

    Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-01-F4-78-AE-C0 Partner Admin Port Number: 2 Partner Oper Port Number: Port Admin Priority: 32768 Port Oper Priority: 32768 Admin Key: Oper Key:...
  • Page 488: Table 4-52 Show Lacp Sysid - Display Description

    Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------- 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 Console# Table 4-52 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group.
  • Page 489: Address Table Commands

    mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id •...
  • Page 490: Clear Mac-Address-Table Dynamic

    • A static address cannot be learned on another port until the address is removed with the no form of this command. Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.
  • Page 491: Show Mac-Address-Table

    show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
  • Page 492: Mac-Address-Table Aging-Time

    • The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit “0” means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.”...
  • Page 493: Show Mac-Address-Table Aging-Time

    show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 300 sec. Console#...
  • Page 494: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-54 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-205 spanning-tree mode Configures STP, RSTP or MSTP mode...
  • Page 495: Spanning-Tree

    Table 4-54 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree Disables spanning tree for an interface 4-217 spanning-disabled spanning-tree cost Configures the spanning tree path cost of 4-218 an interface spanning-tree Configures the spanning tree priority of 4-219 port-priority an interface...
  • Page 496: Spanning-Tree Mode

    Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over...
  • Page 497 Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 498: Spanning-Tree Forward-Time

    Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
  • Page 499: Spanning-Tree Hello-Time

    spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) -1].
  • Page 500: Spanning-Tree Priority

    Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
  • Page 501: Spanning-Tree Pathcost Method

    Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 502: Spanning-Tree Transmission-Limit

    spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting Command Mode Global Configuration...
  • Page 503: Mst Vlan

    Related Commands mst vlan (4-213) mst priority (4-214) name (4-215) revision (4-216) max-hops (4-216) mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
  • Page 504: Mst Priority

    RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority...
  • Page 505: Name

    Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address Command Mode...
  • Page 506: Revision

    revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting Command Mode MST Configuration Command Usage...
  • Page 507: Spanning-Tree Spanning-Disabled

    Default Setting Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 508: Spanning-Tree Cost

    spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, or 1-200,000,000) The recommended range is: •...
  • Page 509: Spanning-Tree Port-Priority

    • When the spanning-tree pathcost method (page 4-211) is set to short, the maximum value for path cost is 65,535. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default.
  • Page 510: Spanning-Tree Edge-Port

    spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
  • Page 511: Spanning-Tree Portfast

    spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port.
  • Page 512: Spanning-Tree Link-Type

    spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type • auto - Automatically derived from the duplex mode setting. •...
  • Page 513: Spanning-Tree Mst Cost

    spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost • instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes) •...
  • Page 514: Spanning-Tree Mst Port-Priority

    Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
  • Page 515: Spanning-Tree Protocol-Migration

    Command Usage • This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 516: Show Spanning-Tree

    also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible). Example Console#spanning-tree protocol-migration eth 1/5 Console# show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST).
  • Page 517 • Use the show spanning-tree mst instance_id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST). • For a description of the items displayed under “Spanning-tree information,” see “Configuring Global Settings” on page 3-163. For a description of the items displayed for specific interfaces, see “Displaying Interface Settings”...
  • Page 518 Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.): Root Forward Delay (sec.): Max hops: Remaining hops:...
  • Page 519: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
  • Page 520: Editing Vlan Groups

    Editing VLAN Groups Table 4-56 Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, 4-230 change, and delete VLANs vlan Configures a VLAN, including VID, name 4-231 and state vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
  • Page 521: Vlan

    vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) •...
  • Page 522: Configuring Vlan Interfaces

    Related Commands show vlan (4-239) Configuring VLAN Interfaces Table 4-57 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for 4-232 a specified VLAN switchport mode Configures VLAN membership mode 4-233 for an interface switchport Configures frame types to be accepted 4-234...
  • Page 523: Switchport Mode

    Command Mode Global Configuration Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-174) switchport mode This command configures the VLAN membership mode for a port.
  • Page 524: Switchport Acceptable-Frame-Types

    Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)# Related Commands switchport acceptable-frame-types (4-234) switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default.
  • Page 525: Switchport Ingress-Filtering

    Related Commands switchport mode (4-233) switchport ingress-filtering This command enables ingress filtering for an interface. Use the no form to restore the default. Syntax [no] switchport ingress-filtering Default Setting Disabled Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage •...
  • Page 526: Switchport Native Vlan

    switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4094, no leading zeroes) Default Setting VLAN 1...
  • Page 527: Switchport Allowed Vlan

    switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 528: Switchport Forbidden Vlan

    • If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface. Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
        Console(config)#interface ethernet 1/1
        Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged...
  • Page 529: Displaying Vlan Information

    Example The following example shows how to prevent port 1 from being added to VLAN 3:
        Console(config)#interface ethernet 1/1
        Console(config-if)#switchport forbidden vlan add 3
        Console(config-if)#
    Displaying VLAN Information Table 4-58 Displaying VLAN Information
        Command Function Mode Page
        show vlan Shows VLAN information NE, PE...
  • Page 530: Configuring Private Vlans

    Example The following example shows how to display information for VLAN 1:
        Console#show vlan id 1
        VLAN ID:
        Type: Static
        Name: DefaultVlan
        Status: Active
        Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S)
        Console#
    Configuring Private VLANs Private VLANs provide port-based security and isolation between ports...
  • Page 531: Show Pvlan

    Command Usage • A private VLAN provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the uplink port. • Private VLANs and normal VLANs can exist simultaneously within the same switch.
  • Page 532: Configuring Protocol-Based Vlans

    Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
  • Page 533: Protocol-Vlan Protocol-Group (Configuring Groups)

    3. Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode). protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group.
  • Page 534: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan •...
  • Page 535: Show Protocol-Vlan Protocol-Group

    Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
        Console(config)#interface ethernet 1/1
        Console(config-if)#protocol-vlan protocol-group 1 vlan 2
        Console(config-if)#
    show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups.
  • Page 536: Show Interfaces Protocol-Vlan Protocol-Group

    show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-8) •...
  • Page 537: Gvrp And Bridge Extension Commands

    GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 538: Show Bridge-Ext

    Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. Example
        Console(config)#bridge-ext gvrp
        Console(config)#...
  • Page 539: Switchport Gvrp

    switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Example
        Console(config)#interface ethernet 1/1
        Console(config-if)#switchport gvrp
        Console(config-if)#
    show gvrp configuration...
  • Page 540: Garp Timer

    garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 541: Show Garp Timer

    Example
        Console(config)#interface ethernet 1/1
        Console(config-if)#garp timer join 100
        Console(config-if)#
    Related Commands show garp timer (4-251) show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - This is unit 1.
  • Page 542: Priority Commands

    Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 543: Queue Mode

    Table 4-63 Priority Commands (Layer 2)
        Command Function Mode Page
        show queue cos-map Shows the class-of-service map 4-258
        show interfaces switchport Displays the administrative and operational status of an interface 4-180
    queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues.
  • Page 544: Switchport Priority Default

    percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. Example The following example sets the queue mode to strict priority service mode:
        Console(config)#queue mode strict
        Console(config)#
    switchport priority default...
  • Page 545: Queue Bandwidth

    • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port’s default ingress user priority, and then placed in the appropriate priority queue at the output port.
  • Page 546: Queue Cos-Map

    Example This example shows how to assign WRR weights to each of the priority queues:
        Console#configure
        Console(config)#interface ethernet 1/5
        Console(config-if)#queue bandwidth 1 3 5 7 9 11 13 15
        Console(config-if)#
    Related Commands show queue bandwidth (4-258) queue cos-map This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 7).
  • Page 547: Show Queue Mode

    Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to change the CoS assignments to a one-to-one mapping:
        Console(config)#interface ethernet 1/1
        Console(config-if)#queue cos-map 0 0...
  • Page 548: Show Queue Bandwidth

    show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues. Default Setting None Command Mode Privileged Exec Example
        Console#show queue bandwidth
        Information of Eth 1/1
        Queue ID Weight
        -------- ------
    show queue cos-map This command shows the class of service priority map.
  • Page 549: Priority Commands (Layer 3 And 4)

    Command Mode Privileged Exec Example
        Console#show queue cos-map ethernet 1/1
        Information of Eth 1/1
        CoS Value: 0 1 2 3 4 5 6 7
        Priority Queue: 2 0 1 3 4 5 6 7
        Console#
    Priority Commands (Layer 3 and 4) Table 4-65 Priority Commands (Layer 3 and 4) Command Function...
  • Page 550: Map Ip Port (Interface Configuration)

    Command Usage The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. Example The following example shows how to enable TCP/UDP port mapping globally:
        Console(config)#map ip port
        Console(config)#
    map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority).
  • Page 551: Map Ip Precedence (Interface Configuration)

    map ip precedence (Global Configuration) This command enables IP precedence mapping (i.e., IP Type of Service). Use the no form to disable IP precedence mapping. Syntax [no] map ip precedence Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 552: Map Ip Dscp (Global Configuration)

    Default Setting The list below shows the default priority mapping. Table 4-66 Mapping IP Precedence to CoS Values IP Precedence Value CoS Value Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
  • Page 553: Map Ip Dscp (Interface Configuration)

    Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • IP Precedence and IP DSCP cannot both be enabled. Enabling one of these priority types will automatically disable the other type. Example The following example shows how to enable IP DSCP mapping globally:
        Console(config)#map ip dscp...
  • Page 554: Show Map Ip Port

    Command Mode Interface Configuration (Ethernet Ports 1-8, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the eight hardware priority queues.
  • Page 555: Show Map Ip Precedence

    Example The following shows that HTTP traffic has been mapped to CoS value 0:
        Console#show map ip port
        TCP port mapping status: disabled
        Port Port no. COS
        --------- -------- ---
        Eth 1/ 5
        Console#
    Related Commands map ip port (Global Configuration) (4-259) map ip port (Interface Configuration) (4-260) show map ip precedence This command shows the IP precedence priority map.
  • Page 556: Show Map Ip Dscp

    Example
        Console#show map ip precedence ethernet 1/5
        Precedence mapping status: disabled
        Port Precedence COS
        --------- ---------- ---
        Eth 1/ 5
        Eth 1/ 5
        Eth 1/ 5
        Eth 1/ 5
        Eth 1/ 5
        Eth 1/ 5
        Eth 1/ 5
        Eth 1/ 5
        Console#
    Related Commands...
  • Page 557: Table 4-68 Multicast Filtering Commands

    Example
        Console#show map ip dscp ethernet 1/1
        DSCP mapping status: disabled
        Port DSCP COS
        --------- ---- ---
        Eth 1/ 1
        Eth 1/ 1
        Eth 1/ 1
        Eth 1/ 1
        Eth 1/ 1
        Eth 1/ 1
        Eth 1/ 1
        Console#
    Related Commands map ip dscp (Global Configuration) (4-262)
  • Page 558: Ip Igmp Snooping

    IGMP Snooping Commands Table 4-69 IGMP Snooping Commands
        Command Function Mode Page
        ip igmp snooping Enables IGMP snooping 4-268
        ip igmp snooping vlan static Adds an interface as a member of a multicast group 4-269
        ip igmp snooping version Configures the IGMP version for snooping 4-269...
  • Page 559: Ip Igmp Snooping Vlan Static

    ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface • vlan-id - VLAN ID (Range: 1-4094) •...
  • Page 560: Show Ip Igmp Snooping

    Default Setting IGMP Version 2 Command Mode Global Configuration Command Usage • All systems on the subnet must support the same version. If there are legacy devices in your network that only support Version 1, you will also have to configure this switch to use Version 1. •...
  • Page 561: Show Mac-Address-Table Multicast

    Example The following shows the current IGMP snooping configuration:
        Console#show ip igmp snooping
        Service status: Enabled
        Querier status: Disabled
        Query count:
        Query interval: 125 sec
        Query max response time: 10 sec
        Router port expire time: 300 sec
        IGMP snooping version: Version 2
        Console#...
  • Page 562: Ip Igmp Snooping Querier

    IGMP Query Commands (Layer 2) Table 4-70 IGMP Query Commands (Layer 2)
        Command Function Mode Page
        ip igmp snooping querier Allows this device to act as the querier for IGMP snooping 4-272
        ip igmp snooping query-count Configures the query count 4-273
        ip igmp snooping...
  • Page 563: Ip Igmp Snooping Query-Count

    ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
  • Page 564: Ip Igmp Snooping Query-Interval

    ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
  • Page 565: Ip Igmp Snooping Router-Port-Expire-Time

    Command Usage • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
  • Page 566: Ip Igmp Snooping Vlan Mrouter

    Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds:
        Console(config)#ip igmp snooping router-port-expire-time 300
        Console(config)#
    Related Commands ip igmp snooping version (4-269) Static Multicast Routing Commands Table 4-71 Static Multicast Routing Commands Command...
  • Page 567: Show Ip Igmp Snooping Mrouter

    Command Mode Global Configuration Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 568: Ip Interface Commands

    Example The following shows that port 11 in VLAN 1 is attached to a multicast router:
        Console#show ip igmp snooping mrouter vlan 1
        VLAN M'cast Router Ports Type
        ---- ------------------- -------
        Eth 1/11 Static
        Console#
    IP Interface Commands An IP address may be used for management access to the switch over your network.
  • Page 569: Ip Address

    ip address This command sets the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address. Syntax ip address {ip-address netmask | bootp | dhcp} no ip address •...
  • Page 570: Ip Default-Gateway

    Note: Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.
  • Page 571: Ip Dhcp Restart

    Example The following example defines a default gateway for this device:
        Console(config)#ip default-gateway 10.1.1.254
        Console(config)#
    Related Commands show ip redirects (4-282) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage...
  • Page 572: Show Ip Interface

    Related Commands ip address (4-279) show ip interface This command displays the settings for the switch’s IP interface. Command Mode Privileged Exec Example
        Console#show ip interface
        IP Address and Netmask: 192.168.1.58 255.255.255.0 on VLAN 1, Address Mode: DHCP
        Console#
    Related Commands show ip redirects (4-282)
  • Page 573: Ping

    ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] • host - IP address or IP alias of the host. • count - Number of packets to send. (Range: 1-16, default: 5) •...
  • Page 574: Dns Commands

    Example
        Console#ping 10.1.0.9
        Type ESC to abort.
        PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
        response time: 10 ms
        response time: 10 ms
        response time: 10 ms
        response time: 10 ms
        response time: 0 ms
        Ping statistics for 10.1.0.9:
        5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
        Approximate round trip times:...
  • Page 575: Ip Host

    Table 4-73 DNS Commands (Continued)
        Command Function Mode Page
        domain-lookup Enables DNS-based host name-to-address translation 4-290
        show hosts Displays the static host name-to-address mapping table 4-291
        show dns Displays the configuration for DNS services 4-292
        show dns cache Displays entries in the DNS cache 4-292
        clear dns cache Clears all entries from the DNS cache...
  • Page 576: Clear Host

    Example This example maps two addresses to a host name.
        Console(config)#ip host rd5 192.168.1.55 10.1.0.55
        Console(config)#end
        Console#show hosts
        Hostname
        Inet address 10.1.0.55 192.168.1.55
        Alias
        Console#
    clear host This command deletes entries from the DNS table. Syntax clear host {name | *} •...
  • Page 577: Ip Domain-Name

    ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
  • Page 578: Ip Domain-List

    ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
  • Page 579: Ip Name-Server

    Example This example adds two domain names to the current list and then displays the list.
        Console(config)#ip domain-list sample.com.jp
        Console(config)#ip domain-list sample.com.uk
        Console(config)#end
        Console#show dns
        Domain Lookup Status: DNS disabled
        Default Domain Name: sample.com
        Domain Name List: sample.com.jp sample.com.uk
        Name Server List:...
  • Page 580: Ip Domain-Lookup

    Example This example adds two domain-name servers to the list and then displays the list.
        Console(config)#ip name-server 192.168.1.55 10.1.0.55
        Console(config)#end
        Console#show dns
        Domain Lookup Status: DNS disabled
        Default Domain Name: sample.com
        Domain Name List: sample.com.jp sample.com.uk
        Name Server List: 192.168.1.55 10.1.0.55
        Console#...
  • Page 581: Show Hosts

    Example This example enables DNS and then displays the configuration.
        Console(config)#ip domain-lookup
        Console(config)#end
        Console#show dns
        Domain Lookup Status: DNS enabled
        Default Domain Name: sample.com
        Domain Name List: sample.com.jp sample.com.uk
        Name Server List: 192.168.1.55 10.1.0.55
    Related Commands ip domain-name (4-287) ip name-server (4-289) show hosts This command displays the static host name-to-address mapping table.
  • Page 582: Show Dns

    show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example
        Console#show dns
        Domain Lookup Status: DNS enabled
        Default Domain Name: sample.com
        Domain Name List: sample.com.jp sample.com.uk
        Name Server List: 192.168.1.55 10.1.0.55
        Console#
    show dns cache This command displays entries in the DNS cache.
  • Page 583: Clear Dns Cache

    Table 4-74 show dns cache - display description Field Description The entry number for each resource record. FLAG The flag is always “4” indicating a cache entry and therefore unreliable. TYPE This field includes CNAME which specifies the canonical or primary name for the owner, and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry.
  • Page 585 Software Features
    Authentication Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security
    Access Control Lists IP, MAC (up to 32 lists)
    DHCP Client
    DNS Server
    Port Configuration RJ-45: 100BASE-TX: 10/100 Mbps at half/full duplex XFP: 10GBASE-SR/LR/ER - 10 Gbps at full duplex
    Broadcast Storm Control Traffic throttled above a critical threshold
    Port Mirroring...
  • Page 586: Software Specifications

    VLAN Support Up to 255 groups; port-based, protocol-based, or tagged (802.1Q), GVRP for automatic VLAN learning, private VLANs
    Class of Service Supports eight levels of priority and Weighted Round Robin Queueing (which can be configured by VLAN tag or port), Layer 3/4 priority mapping: IP Port, IP Precedence, IP DSCP
    Multicast Filtering IGMP Snooping (Layer 2)...
  • Page 587: Management Information Bases

    IEEE 802.1s Multiple Spanning Tree Protocol
    IEEE 802.1w Rapid Spanning Tree Protocol
    IEEE 802.1X Port Authentication
    IEEE 802.3-2002 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP)
    IEEE 802.3ac VLAN tagging
    ARP (RFC 826)
    DHCP Client (RFC 1541)
    HTTPS
    IGMP (RFC 1112)
    IGMPv2 (RFC 2236)...
  • Page 588
    RADIUS Authentication Client MIB (RFC 2621)
    RMON MIB (RFC 2819)
    RMON II Probe Configuration Group (RFC 2021, partial implementation)
    SNMPv2 IP MIB (RFC 2011)
    SNMP Framework MIB (RFC 3411)
    SNMP-MPD MIB (RFC 3412)
    SNMP Target MIB, SNMP Notification MIB (RFC 3413)
    SNMP User-Based SM MIB (RFC 3414)
    SNMP View Based ACM MIB (RFC 3415)
    SNMP Community MIB (RFC 2576)...
  • Page 589: Troubleshooting

    Problems Accessing the Management Interface Table B-1 Troubleshooting Chart
        Symptom: Cannot connect using Telnet, web browser, or SNMP software
        Action: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
  • Page 590
        Symptom: configuration program via a serial port connection
        Action: VT100 compatible, 8 data bits, 1 stop bit, no parity, and 9600 bps). • Check that the null-modem serial cable conforms to the pin-out connections provided in the Installation Guide.
        Symptom: Forgot or lost the password
        Action: • Contact SMC Technical Support for help....
  • Page 591: Using System Logs

    Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1.
  • Page 593: Glossary

    Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
    Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
  • Page 594 Domain Name Service (DNS) A system used for translating host names for network nodes into IP addresses.
    Dynamic Host Control Protocol (DHCP) Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options.
  • Page 595: Igmp Snooping

    IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
    IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 596: Ip Multicast Filtering

    Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 597: Multicast Switching

    MD5 Message-Digest Algorithm An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
  • Page 598 Quality of Service (QoS) QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow.
  • Page 599 Spanning Tree Algorithm (STA) A technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
  • Page 600 Virtual Router Redundancy Protocol (VRRP) A protocol that uses a virtual IP address to support a primary router and multiple backup routers. The backups can be configured to take over the workload if the master fails or to load share the traffic. The primary goal of VRRP is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
  • Page 606 Fax 81-45-224-2331 Australia: 61-2-8875-7887; Fax 61-2-8875-7777 India: 91-22-8204437 ; Fax 91-22-8204443 If you are looking for further contact information, please visit www.smc.com, www.smc-europe.com, or www.smc-asia.com. 38 Tesla Model Number: SMC8708L2 F 3.0.0.4 Irvine, CA 92618 Pub.Number: 149100024300A E052005-R01 Phone: (949) 679-8000...

This manual is also suitable for:

Tigerswitch smc8708l2
