Page 1 TL-SG5426 26-Port Gigabit Managed Switch Rev: 1.0.0 1910010105...
Page 2 ® is a registered Specifications are subject to change without notice. trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD.
Page 3: Fcc Statement
FCC STATEMENT This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
Page 4: Table Of Contents
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
Page 5 Contents Saving or Restoring Configuration Settings 3-19 Downloading Configuration Settings from a Server 3-20 Console Port Settings 3-21 Telnet Settings 3-23 Configuring Event Logging 3-25 Displaying Log Messages 3-25 System Log Configuration 3-26 Remote Log Configuration 3-27 Simple Mail Transfer Protocol 3-28 Renumbering the System 3-30...
Page 6 Contents Binding a Port to an Access Control List 3-73 Filtering IP Addresses for Management Access 3-74 Port Configuration 3-76 Displaying Connection Status 3-76 Configuring Interface Connections 3-78 Creating Trunk Groups 3-80 Statically Configuring a Trunk 3-81 Enabling LACP on Selected Ports 3-82 Configuring LACP Parameters 3-84...
Page 7 Contents Protocol VLAN Group Configuration 3-142 Configuring Protocol VLAN Interfaces 3-143 Class of Service Configuration 3-144 Layer 2 Queue Settings 3-144 Setting the Default Priority for Interfaces 3-144 Mapping CoS Values to Egress Queues 3-145 Enabling CoS 3-147 Selecting the Queue Mode 3-147 Setting the Service Weight for Traffic Classes 3-148...
Page 8 Contents DHCP Snooping Information Option Configuration 3-188 DHCP Snooping Port Configuration 3-189 DHCP Snooping Binding Information 3-190 IP Source Guard 3-191 IP Source Guard Port Configuration 3-191 Static IP Source Guard Binding Configuration 3-192 Dynamic IP Source Guard Binding Information 3-193 Switch Clustering 3-194...
Page 9 Contents disconnect 4-18 show line 4-18 General Commands 4-19 enable 4-19 disable 4-20 configure 4-21 show history 4-21 reload 4-22 4-22 exit 4-23 quit 4-23 System Management Commands 4-24 Device Designation Commands 4-24 prompt 4-24 hostname 4-25 User Access Commands 4-25 username 4-25...
Page 10 Contents logging facility 4-45 logging trap 4-46 clear logging 4-46 show logging 4-47 show log 4-48 SMTP Alert Commands 4-49 logging sendmail host 4-49 logging sendmail level 4-50 logging sendmail source-email 4-51 logging sendmail destination-email 4-51 logging sendmail 4-52 show logging sendmail 4-52 Time Commands 4-53...
Page 11 Contents TACACS+ Client 4-77 tacacs-server host 4-77 tacacs-server port 4-77 tacacs-server key 4-78 show tacacs-server 4-78 Port Security Commands 4-79 port security 4-79 802.1X Port Authentication 4-81 dot1x system-auth-control 4-81 dot1x default 4-82 dot1x max-req 4-82 dot1x port-control 4-82 dot1x operation-mode 4-83 dot1x re-authenticate 4-84...
Page 12 Contents show snmp engine-id 4-108 snmp-server view 4-109 show snmp view 4-110 snmp-server group 4-110 show snmp group 4-112 snmp-server user 4-113 show snmp user 4-115 Interface Commands 4-116 interface 4-116 description 4-117 speed-duplex 4-117 negotiation 4-118 capabilities 4-119 flowcontrol 4-120 shutdown 4-121...
Page 13 Contents spanning-tree priority 4-148 spanning-tree pathcost method 4-149 spanning-tree transmission-limit 4-150 spanning-tree mst-configuration 4-150 mst vlan 4-151 mst priority 4-151 name 4-152 revision 4-153 max-hops 4-153 spanning-tree spanning-disabled 4-154 spanning-tree cost 4-154 spanning-tree port-priority 4-155 spanning-tree edge-port 4-156 spanning-tree portfast 4-156 spanning-tree link-type 4-157...
Page 14 Contents Related Commands 4-178 show dot1q-tunnel 4-178 Configuring Private VLANs 4-179 pvlan 4-179 show pvlan 4-180 Configuring Protocol-based VLANs 4-181 protocol-vlan protocol-group (Configuring Groups) 4-181 protocol-vlan protocol-group (Configuring Interfaces) 4-182 show protocol-vlan protocol-group 4-183 show interfaces protocol-vlan protocol-group 4-183 Priority Commands 4-184 Priority Commands (Layer 2) 4-184...
Page 15 Contents ip igmp snooping querier 4-206 ip igmp snooping query-count 4-206 ip igmp snooping query-interval 4-207 ip igmp snooping query-max-response-time 4-208 ip igmp snooping router-port-expire-time 4-208 Static Multicast Routing Commands 4-209 ip igmp snooping vlan mrouter 4-209 show ip igmp snooping mrouter 4-210 IGMP Filtering and Throttling Commands 4-211...
Page 16 Contents cluster 4-238 cluster commander 4-239 cluster ip-pool 4-239 cluster member 4-240 rcommand 4-240 show cluster 4-241 show cluster members 4-241 show cluster candidates 4-242 Appendix A: Software Specifications Software Features Management Features Standards Management Information Bases Appendix B: Troubleshooting Problems Accessing the Management Interface Using System Logs Glossary...
Page 17 Contents...
Page 18 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-26 Table 3-4 Supported Notification Messages 3-42 Table 3-5 HTTPS System Support 3-52 Table 3-6 802.1X Statistics 3-66 Table 3-7 LACP Port Counters 3-86 Table 3-8...
Page 19 Tables Table 4-27 Authentication Commands 4-70 Table 4-28 Authentication Sequence 4-70 Table 4-29 RADIUS Client Commands 4-73 Table 4-30 TACACS Commands 4-77 Table 4-31 Port Security Commands 4-79 Table 4-32 802.1X Port Authentication 4-81 Table 4-33 Access Control Lists 4-89 Table 4-34 IP ACLs 4-90...
Page 20 Tables Table 4-69 IGMP Query Commands (Layer 2) 4-206 Table 4-70 Static Multicast Routing Commands 4-209 Table 4-71 IGMP Filtering and Throttling Commands 4-211 Table 4-72 Multicast VLAN Registration Commands 4-217 Table 4-73 show mvr - display description 4-221 Table 4-74 show mvr interface - display description 4-222 Table 4-75...
Page 21 Tables xviii...
Page 22 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-10 Figure 3-4 Switch Information 3-12 Figure 3-5 Bridge Extension Configuration 3-13 Figure 3-6 Manual IP Configuration 3-15 Figure 3-7 DHCP IP Configuration 3-16 Figure 3-8 Bridge Extension Configuration 3-17 Figure 3-9 Copy Firmware...
Page 23 Figures Figure 3-43 Selecting ACL Type 3-68 Figure 3-44 Configuring Standard IP ACLs 3-69 Figure 3-45 Configuring Extended IP ACLs 3-71 Figure 3-46 Configuring MAC ACLs 3-73 Figure 3-47 Configuring ACL Port Binding 3-74 Figure 3-48 Creating an IP Filter List 3-75 Figure 3-49 Displaying Port/Trunk Information...
Page 24 Figures Figure 3-88 Configuring Queue Scheduling 3-148 Figure 3-89 IP Precedence/DSCP Priority Status 3-150 Figure 3-90 Mapping IP Precedence Priority Values 3-151 Figure 3-91 Mapping IP DSCP Priority Values 3-152 Figure 3-92 IP Port Priority Status 3-153 Figure 3-93 IP Port Priority 3-154 Figure 3-94 Configuring Class Maps...
Page 25 Figures xxii...
Page 26: Chapter 1: Introduction
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Page 27: Description Of Software Features
Introduction Table 1-1 Key Features Feature Description Switch Clustering Supports up to 16 Member switches in a cluster Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation.
Page 28 Description of Software Features Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Traffic that falls within the rate limit is transmitted while packets that exceed the acceptable amount of traffic are dropped.
Page 29 Introduction seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
Page 30 Description of Software Features Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.
Page 31: System Defaults
Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-19). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
Page 32 System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Rate Limiting Input and output limits Disabled Port Trunking Static Trunks None LACP (all ports) Disabled Broadcast Storm Status Enabled (all ports) Protection Broadcast Limit Rate 500 packets per second...
Page 33 Introduction Table 1-2 System Defaults (Continued) Function Parameter Default System Log Status Enabled Messages Logged Levels 0-7 (all) Messages Logged to Flash Levels 0-3 SMTP Email Alerts Event Handler Enabled (but no server defined) SNTP Clock Synchronization Disabled DHCP Snooping Status Disabled IP Source Guard...
Page 34: Chapter 2: Initial Configuration
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Page 35: Required Connections
Initial Configuration • Configure up to 32 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
Page 36: Remote Connections
Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
Page 37: Setting Passwords
Initial Configuration Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
Page 38: Dynamic Configuration
Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
Page 39: Enabling Snmp Management Access
Initial Configuration Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end...
Page 40: Trap Receivers
Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
Page 41: Configuring Access For Snmp Version 3 Clients
Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
Page 42 Initial Configuration 2-10...
Page 43: Chapter 3: Configuring The Switch
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).
Page 44: Navigating The Web Browser Interface
Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Page 45: Configuration Options
Navigating the Web Browser Interface Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Page 46: Main Menu
Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
Page 47: Main Menu
Navigating the Web Browser Interface Table 3-2 Main Menu (Continued) Menu Description Page Engine ID Sets the SNMP v3 engine ID on this switch 3-36 Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-37 Users Configures SNMP v3 users on this switch 3-37 Remote Users...
Page 48 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Aggregation Port Configures parameters for link aggregation group members 3-84 Port Counters Information Displays statistics for LACP protocol messages 3-86 Port Internal Information Displays settings and operational state for the local side 3-88 Port Neighbors Information Displays settings and operational state for the remote side 3-90...
Page 49 Navigating the Web Browser Interface Table 3-2 Main Menu (Continued) Menu Description Page VLAN 3-122 802.1Q VLAN 3-122 GVRP Status Enables GVRP VLAN registration protocol 3-125 802.1Q Tunnel Enables QinQ Tunneling on the switch 3-126 Configuration Basic Information Displays information on the VLAN type supported by this switch 3-126 Current Table Shows the current port members of each VLAN and whether or...
Page 50 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a 3-152 DSCP tag to a class-of-service value IP Port Prioriey Status Globally enables or disables IP Port Priority 3-153 IP Port Priority Sets TCP/UDP port priority, defining the socket number and...
Page 51 Navigating the Web Browser Interface Table 3-2 Main Menu (Continued) Menu Description Page Port Configuration Configures MVR interface type and immediate leave status 3-179 Trunk Configuration Configures MVR interface type and immediate leave status 3-179 Group Member Configuration Statically assigns MVR multicast streams to an interface 3-180 General Configuration Enables DNS;...
Page 52: Basic Configuration
Configuring the Switch Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. •...
Page 53 Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: •...
Page 54: Displaying Switch Hardware/Software Versions
Basic Configuration CLI – Specify the hostname, location and contact information. Console(config)#hostname R&D 5 4-25 Console(config)#snmp-server location WC 9 4-103 Console(config)#snmp-server contact Ted 4-103 Console(config)#exit Console#show system 4-61 System Description: TL-SG5426 System OID String: 1.3.6.1.4.1.11863.6.10.58 System Information System Up Time: 0 days, 0 hours, 2 minutes, and 57.23 seconds System Name: [NONE]...
Page 55: Figure 3-4 Switch Information
Configuring the Switch Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version information. Console#show version 4-62 Unit 1 Serial Number: !!!!!!!!!! Hardware Version: EPLD Version: 1.02 Number of Ports: Main Power Status: Redundant Power Status: Not present Agent (Master)
Page 56: Displaying Bridge Extension Capabilities
Basic Configuration Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Page 57: Setting The Switch's Ip Address
Configuring the Switch CLI – Enter the following command. Console#show bridge-ext 4-164 Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled...
Page 58: Manual Configuration
Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
Page 59: Using Dhcp/Bootp
Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
Page 60: Enabling Jumbo Frames
Basic Configuration Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
Page 61: Downloading System Software From A Server
Configuring the Switch • File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored...
Page 62: Saving Or Restoring Configuration Settings
Basic Configuration To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that t he file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files CLI –...
Page 63: Downloading Configuration Settings From A Server
Configuring the Switch - tftp to file – Copies a file from a TFTP server to the switch. - tftp to running-config – Copies a file from a TFTP server to the running config. - tftp to startup-config – Copies a file from a TFTP server to the startup config. •...
Page 64: Console Port Settings
Basic Configuration Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page. Figure 3-13 Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Page 65: Figure 3-14 Console Port Settings
Configuring the Switch system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded.
Page 66: Telnet Settings
Basic Configuration CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-11 Console(config-line)#login local 4-11 Console(config-line)#password 0 secret 4-12...
Page 67: Figure 3-15 Enabling Telnet
Configuring the Switch system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password.
Page 68: Configuring Event Logging
Basic Configuration CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level. Console(config)#line vty 4-11 Console(config-line)#login local 4-11 Console(config-line)#password 0 secret 4-12...
Page 69: System Log Configuration
Configuring the Switch CLI – This example shows the event message stored in RAM. Console#show log ram 4-47 [1] 00:00:27 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:00:25 2001-01-01 "System coldStart notification." level: 6, module: 5, function: 1, and event no.: 1 Console# System Log Configuration...
Page 70: Remote Log Configuration
Basic Configuration Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-17 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
Page 71: Simple Mail Transfer Protocol
Configuring the Switch • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Page 72: Figure 3-19 Enabling And Configuring Smtp
Basic Configuration • Severity – Specifies the degree of urgency that the message carries. • Debugging – Sends a debugging notification. (Level 7) • Information – Sends informatative notification only. (Level 6) • Notice – Sends notification of a normal but significant condition, such as a cold start.
Page 73: Renumbering The System
Configuring the Switch CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Renumbering the System Web –...
Page 74: Setting The System Clock
Basic Configuration Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
Page 75: Setting The Time Zone
Configuring the Switch CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-54 Console(config)#sntp poll 60 4-55 Console(config)#sntp client 4-53 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 16...
Page 76: Simple Network Management Protocol
Simple Network Management Protocol Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Page 77: Specifying Trap Managers And Trap Types
Configuring the Switch Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-24 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access. Console(config)#snmp-server community spiderman rw 4-102 Console(config)#...
Page 78: Enabling Snmp Agent Status
Simple Network Management Protocol Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
Page 79: Configuring Snmpv3 Management Access
Configuring the Switch Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: If you want to change the default engine ID, it must be changed first before configuring other parameters. Specify read and write access views for the switch MIB tree. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
Page 80: Specifying A Remote Engine Id
Simple Network Management Protocol Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
Page 81 Configuring the Switch • Level – The security level used for the user: - noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.) - AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
Page 82: Figure 3-29 Configuring Snmpv3 Users
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Page 83: Configuring Remote Snmpv3 Users
Configuring the Switch Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Page 84: Configuring Snmpv3 Groups
Simple Network Management Protocol CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien 4-113 Console(config)#exit Console#show snmp user 4-113 No user exist.
Page 85: Table 3-4 Supported Notification Messages
Configuring the Switch • Notify View – The configured view for notifications. (Range: 1-64 characters) Table 3-4 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree;...
Page 86 Simple Network Management Protocol Table 3-4 Supported Notification Messages (Continued) Object Label Object ID Description authenticationFailure 1.3.6.1.6.3.1.1.5.5 An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, has received a protocol message that is not properly authenticated. While all implementations of the SNMPv2 must be capable of generating this trap, the...
Page 87: Figure 3-31 Configuring Snmpv3 Groups
Configuring the Switch Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Page 88: Setting Snmpv3 Views
Simple Network Management Protocol Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
Page 89: User Authentication
Configuring the Switch CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included4-115 Console(config)#exit Console#show snmp view4-116 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.* View Type: included...
Page 90: Figure 3-33 Access Levels
User Authentication • New Account – Displays configuration settings for a new account. - User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16) - Access Level – Specifies the user level. (Options: Normal and Privileged) - Password –...
Page 91: Configuring Local/Remote Logon Authentication
Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Page 92 User Authentication Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
Page 93: Figure 3-34 Authentication Settings
Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-34 Authentication Settings 3-50...
Page 94 User Authentication CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius 4-71 Console(config)#radius-server port 181 4-74 Console(config)#radius-server key green 4-75 Console(config)#radius-server retransmit 5 4-75 Console(config)#radius-server timeout 10 4-76 Console(config)#radius-server 1 host 192.168.1.25 4-74 Console(config)#end Console#show radius-server 4-76 Remote RADIUS server configuration: Global settings:...
Page 95: Configuring Https
Configuring the Switch Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
Page 96: Replacing The Default Secure-Site Certificate
User Authentication CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server 4-30 Console(config)#ip http secure-port 443 4-31 Console(config)# Replacing the Default Secure-site Certificate When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
Page 97: Configuring The Secure Shell
Configuring the Switch Configuring the Secure Shell The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
Page 98 User Authentication Import Client’s Public Key to the Switch – Use the copy tftp public-key command (4-64) to copy a file containing the public key for all the SSH client’s granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on 3-46.) The clients are subsequently authenticated using these keys.
Page 99: Configuring The Ssh Server
Configuring the Switch Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
Page 100: Generating The Host Key Pair
User Authentication CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SHH, and then disables this connection. Console(config)#ip ssh server 4-35 Console(config)#ip ssh timeout 100 4-36 Console(config)#ip ssh authentication-retries 5 4-37...
Page 101: Figure 3-37 Ssh Host-Key Settings
Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-37 SSH Host-Key Settings CLI –...
Page 102: Configuring Port Security
User Authentication Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Page 103: Configuring 802.1X Port Authentication
Configuring the Switch Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-38 Configuring Port Security CLI –...
Page 104: Displaying 802.1X Global Settings
User Authentication This switch uses the Extensible Authentication Protocol over LANs (EAPOL) 802.1x to exchange authentication client protocol messages with the client, and a remote RADIUS 1. Client attempts to access a switch port. authentication server to verify 2. Switch sends client an identity request. user identity and access RADIUS 3.
Page 105: Configuring 802.1X Global Settings
Configuring the Switch Web – Click Security, 802.1X, Information. Figure 3-39 802.1X Global Information CLI – This example shows the default global setting for 802.1X. Console#show dot1x 4-86 Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled...
Page 106: Configuring Port Settings For 802.1X
User Authentication Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
Page 107: Figure 3-41 802.1X Port Configuration
Configuring the Switch Figure 3-41 802.1X Port Configuration 3-64...
Page 108 User Authentication CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-86. Console(config)#interface ethernet 1/2 4-116 Console(config-if)#dot1x port-control auto 4-82 Console(config-if)#dot1x re-authentication 4-84 Console(config-if)#dot1x max-req 5 4-82...
Page 109: Displaying 802.1X Statistics
Configuring the Switch Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-6 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
Page 110: Access Control Lists
Access Control Lists CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-86 Eth 1/4 Rx: EAPOL EAPOL EAPOL EAPOL Start Logoff Invalid Total Resp/Id Resp/Oth LenError 1007 Last Last EAPOLVer EAPOLSrc 00-12-CF-94-34-DE Tx: EAPOL Total...
Page 111: Setting The Acl Name And Type
Configuring the Switch Explicit default rule (permit any any) in the ingress IP ACL for ingress ports. If no explicit rule is matched, the implicit default is permit all. Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes •...
Page 112: Configuring A Standard Ip Acl
Access Control Lists Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
Page 113 Configuring the Switch host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any) • Source/Destination IP Address – Source or destination IP address. • Source/Destination Subnet Mask – Subnet mask for source or destination address.
Page 114: Figure 3-45 Configuring Extended Ip Acls
Access Control Lists Figure 3-45 Configuring Extended IP ACLs CLI – This example adds two rules: (1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 &...
Page 115: Configuring A Mac Acl
Configuring the Switch Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
Page 116: Binding A Port To An Access Control List
Access Control Lists Figure 3-46 Configuring MAC ACLs Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port. Command Usage This switch supports ACLs for ingress filtering only.
Page 117: Filtering Ip Addresses For Management Access
Configuring the Switch Figure 3-47 Configuring ACL Port Binding CLI – This example assigns an IP access list to port 1, and an IP access list to port 3. Console(config)#interface ethernet 1/1 4-116 Console(config-if)#ip access-group david in 4-93 Console(config-if)#exit Console(config)#interface ethernet 1/3 Console(config-if)#ip access-group david in Console(config-if)# Filtering IP Addresses for Management Access...
Page 118: Figure 3-48 Creating An Ip Filter List
Access Control Lists • You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Command Attributes •...
Page 119: Port Configuration
Configuring the Switch CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 4-27 Console(config)#end Console#show management all-client Management IP Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- SNMP-Client: Start IP address End IP address ----------------------------------------------- 1.
Page 120: Figure 3-49 Displaying Port/Trunk Information
Port Configuration Web – Click Port, Port Information or Trunk Information. Figure 3-49 Displaying Port/Trunk Information Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see 3-14.) Configuration: •...
Page 121: Configuring Interface Connections
Configuring the Switch • Port Security – Shows if port security is enabled or disabled. • Max MAC count – Shows the maximum number of MAC address that can be learned by a port. (0 - 1024 addresses) • Port security action – Shows the response to take when a security violation is detected.
Page 122: Figure 3-50 Port/Trunk Configuration
Port Configuration • Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled) • Flow Control – Allows automatic or manual selection of flow control. • Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/ disabled.
Page 123: Creating Trunk Groups
Configuring the Switch CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 4-116 Console(config-if)#description RD SW#13 4-117 Console(config-if)#shutdown 4-121 Console(config-if)#no shutdown Console(config-if)#no negotiation 4-118 Console(config-if)#speed-duplex 100half 4-117 Console(config-if)#flowcontrol 4-120 Console(config-if)#negotiation Console(config-if)#capabilities 100half 4-119 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate...
Page 124: Statically Configuring A Trunk
Port Configuration • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
Page 125: Enabling Lacp On Selected Ports
Configuring the Switch CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-116 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-116 Console(config-if)#channel-group 2 4-131 Console(config-if)#exit...
Page 126: Figure 3-52 Lacp Trunk Configuration
Port Configuration Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
Page 127: Configuring Lacp Parameters
Configuring the Switch CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 4-116 Console(config-if)#lacp 4-132 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1...
Page 128: Figure 3-53 Lacp Port Configuration
Port Configuration - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
Page 129: Displaying Lacp Port Counters
Configuring the Switch CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-116 Console(config-if)#lacp actor system-priority 3 4-133 Console(config-if)#lacp actor admin-key 120 4-134 Console(config-if)#lacp actor port-priority 128 4-136 Console(config-if)#exit Console(config)#interface ethernet 1/4...
Page 130: Figure 3-54 Lacp - Port Counters Information
Port Configuration Table 3-7 LACP Port Counters (Continued) Field Description Marker Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Page 131: Displaying Lacp Settings And Status For The Local Side
Configuring the Switch Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of an link aggregation. Table 3-8 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
Page 132: Figure 3-55 Lacp - Port Internal Information
Port Configuration Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-55 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-136 Port channel : 1...
Page 133: Displaying Lacp Settings And Status For The Remote Side
Configuring the Switch Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of an link aggregation. Table 3-9 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
Page 134: Setting Broadcast Storm Thresholds
Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-136 Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 3, 00-12-CF-CE-2A-20...
Page 135: Figure 3-57 Port Broadcast Control
Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-57 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 packets per second for port 2.
Page 136: Configuring Port Mirroring
Port Configuration Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the Source Single source port in a completely unobtrusive manner.
Page 137: Configuring Rate Limits
Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
Page 138: Showing Port Statistics
Port Configuration CLI - This example sets the rate limit level for input traffic passing through port 3. Console(config)#interface ethernet 1/3 4-116 Console(config-if)#rate-limit input 500 4-129 Console(config-if)# Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Page 139 Configuring the Switch Table 3-10 Port Statistics (Continued) Parameter Description Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. Transmit Broadcast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this...
Page 140 Port Configuration Table 3-10 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Page 141: Figure 3-60 Port Statistics
Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-60 Port Statistics 3-98...
Page 142: Address Table Settings
Address Table Settings CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 4-124 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
Page 143: Displaying The Address Table
Configuring the Switch Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-61 Configuring a Static Address Table CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Page 144: Figure 3-62 Configuring A Dynamic Address Table
Address Table Settings Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-62 Configuring a Dynamic Address Table CLI –...
Page 145: Changing The Aging Time
Configuring the Switch Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds;...
Page 146 Spanning Tree Algorithm Configuration disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Page 147 Configuring the Switch An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest-V see 3-116). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
Page 148: Displaying Global Settings
Spanning Tree Algorithm Configuration Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
Page 149: Figure 3-64 Displaying Spanning Tree Information
Configuring the Switch However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. • Root Hello Time – Interval (in seconds) at which this device transmits a configuration message. •...
Page 150: Configuring Global Settings
Spanning Tree Algorithm Configuration CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-160 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: RSTP Spanning tree enabled/disabled: enabled Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.):...
Page 151 Configuring the Switch - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances. - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
Page 152 Spanning Tree Algorithm Configuration • Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Page 153: Figure 3-65 Configuring Spanning Tree
Configuring the Switch Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-65 Configuring Spanning Tree CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-145 Console(config)#spanning-tree mode rstp...
Page 154: Displaying Interface Settings
Spanning Tree Algorithm Configuration Displaying Interface Settings The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Field Attributes • Spanning Tree – Shows if STA has been enabled on this interface. •...
Page 155 Configuring the Switch • Trunk Member – Indicates if a port is a member of a trunk. (STA Port Information only) These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. •...
Page 156: Figure 3-66 Displaying Spanning Tree Port Information
Spanning Tree Algorithm Configuration the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to reconfigure when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
Page 157: Configuring Interface Settings
Configuring the Switch Configuring Interface Settings You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to indicate the preferred path, link type to indicate a point-to-point connection or shared-media connection, and edge port to indicate if the attached device can support fast forwarding.
Page 158: Figure 3-67 Configuring Spanning Tree Per Port
Spanning Tree Algorithm Configuration • Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
Page 159: Configuring Multiple Spanning Trees
Configuring the Switch Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Page 160: Figure 3-68 Configuring Multiple Spanning Trees
Spanning Tree Algorithm Configuration Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Page 161: Displaying Interface Settings For Mstp
Configuring the Switch CLI – This example sets STA attributes for port 1, , followed by settings for each port. Console#show spanning-tree mst 2 Spanning-tree information --------------------------------------------------------------- Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :2 Vlans configuration :2 Priority :4096 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20...
Page 162: Figure 3-69 Displaying Mstp Interface Settings
Spanning Tree Algorithm Configuration Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values. Figure 3-69 Displaying MSTP Interface Settings 3-119...
Page 163: Configuring Interface Settings For Mstp
Configuring the Switch CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-231 Spanning-tree information ---------------------------------------------------------------...
Page 164 Spanning Tree Algorithm Configuration - Discarding – Port receives STA configuration messages, but does not forward packets. - Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses. - Forwarding –...
Page 165: Vlan Configuration
Configuring the Switch Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-70 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50...
Page 166: Assigning Ports To Vlans
VLAN Configuration This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
Page 167 Configuring the Switch VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets. However, you should use IEEE 802.3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration.
Page 168: Enabling Or Disabling Gvrp (Global Setting)
VLAN Configuration Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Page 169: Displaying Basic Vlan Information
Configuring the Switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
Page 170: Figure 3-73 Displaying Current Vlans
VLAN Configuration • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry. • Egress Ports – Shows all the VLAN port members. • Untagged Ports – Shows the untagged VLAN port members. Web –...
Page 171: Creating Vlans
Configuring the Switch CLI – Current VLAN information can be displayed with the following command. Console#show vlan id 1 4-175 Vlan ID: Type: Static Name: DefaultVlan Status: Active Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/ 10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/...
Page 172: Adding Static Members To Vlans (Vlan Index)
VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-74 Configuring a VLAN Static List CLI –...
Page 173: Figure 3-75 Configuring A Vlan Static Table
Configuring the Switch VLAN 1 is the default untagged VLAN containing all ports on the switch, and can only be modified by first reassigning the default port VLAN ID as described under “Configuring VLAN Behavior for Interfaces” on page 3-132. Command Attributes •...
Page 174: Adding Static Members To Vlans (Port Index)
VLAN Configuration CLI – The following example adds tagged and untagged ports to VLAN 2. Console(config)#interface ethernet 1/1 4-116 Console(config-if)#switchport allowed vlan add 2 tagged 4-173 Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#switchport allowed vlan add 2 untagged Console(config-if)#exit Console(config)#interface ethernet 1/13 Console(config-if)#switchport allowed vlan add 2 tagged Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the...
Page 175: Configuring Vlan Behavior For Interfaces
Configuring the Switch Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
Page 176: Configuring Ieee 802.1Q Tunneling
Configuring IEEE 802.1Q Tunneling Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-77 Configuring VLANs per Port CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, and then sets the switchport mode to hybrid.
Page 177 Configuring the Switch A port configured to support QinQ tunneling must be set to tunnel port mode. The Service Provider VLAN (SPVLAN) ID for the specific customer must be assigned to the QinQ tunnel access port on the edge switch where the customer traffic enters the service provider’s network.
Page 178 Configuring IEEE 802.1Q Tunneling tag if it is a tagged or priority tagged packet. 2. After successful source and destination lookup, the ingress process sends the packet to the switching process with two tags. If the incoming packet is untagged, the outer tag is an SPVLAN tag, and the inner tag is a dummy tag (8100 0000).
Page 179 Configuring the Switch 6. After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet. 7. The switch sends the packet to the proper egress port. 8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped.
Page 180: Enabling Qinq Tunneling On The Switch
Configuring IEEE 802.1Q Tunneling Enabling QinQ Tunneling on the Switch The switch can be configured to operate in normal VLAN mode or IEEE 802.1Q (QinQ) tunneling mode which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. Command Attributes •...
Page 181: Adding An Interface To A Qinq Tunnel
Configuring the Switch CLI – This example sets the switch to operate in QinQ mode. Console(config)#dot1q-tunnel system-tunnel-control 52-14 Console(config)#exit Console#show dot1q-tunnel 52-16 Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
Page 182: Figure 3-79 Tunnel Port Configuration
Configuring IEEE 802.1Q Tunneling - 802.1Q Tunnel Uplink – Configures IEEE 802.1Q tunneling (QinQ) for an uplink port to another device within the service provider network. Web – Click VLAN, 802.1Q VLAN, Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink.
Page 183 Configuring the Switch CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode. Console(config)#interface ethernet 1/1 45-1 Console(config-if)#switchport dot1q-tunnel mode access 52-14 Console(config-if)#switchport dot1q-tunnel tpid 9100 52-15...
Page 184: Configuring Private Vlans
Configuring IEEE 802.1Q Tunneling Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Enabling Private VLANs Use the Private VLAN Status page to enable/disable the Private VLAN function.
Page 185: Configuring Uplink And Downlink Ports
Configuring the Switch Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
Page 186: Configuring Protocol Vlan Interfaces
Configuring IEEE 802.1Q Tunneling • Protocol Type – The only option for the LLC Other frame type is IPX Raw. The options for all other frames types include IP, ARP, or RARP. Web – Click VLAN, Protocol VLAN, Configuration. Figure 3-82 Protocol VLAN Configuration Configuring Protocol VLAN Interfaces Use the Protocol VLAN Port Configuration menu to set the protocol VLAN settings per port.
Page 187: Class Of Service Configuration
Configuring the Switch Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Page 188: Mapping Cos Values To Egress Queues
Class of Service Configuration Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-84 Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 4-116 Console(config-if)#switchport priority default 5...
Page 189: Table 3-12 Cos Priority Levels
Configuring the Switch The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
Page 190: Enabling Cos
Class of Service Configuration CLI – The following example shows how to change the CoS assignments. Console(config)#interface ethernet 1/1 4-116 Console(config-if)#queue cos-map 0 0 4-187 Console(config-if)#queue cos-map 1 1 Console(config-if)#queue cos-map 2 2 Console(config-if)#end Console#show queue cos-map ethernet 1/1 4-189 Information of Eth 1/1 CoS Value: 0 1 2 3 4 5 6 7...
Page 191: Setting The Service Weight For Traffic Classes
Configuring the Switch Web – Click Priority, Queue Mode. Select Strict or WRR, then click Apply. Figure 3-87 Queue Mode CLI – The following sets the queue mode to WRR priority service mode. Console(config)#queue mode wrr 4-185 Console(config)#exit Console#show queue mode 4-188 Queue mode: wrr Console#...
Page 192: Layer 3/4 Priority Settings
Class of Service Configuration CLI – The following example shows how to display the WRR weights assigned to each of the priority queues. Console#show queue bandwidth 4-188 Queue ID Weight -------- ------ Console Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
Page 193: Mapping Ip Precedence
Configuring the Switch Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply. Figure 3-89 IP Precedence/DSCP Priority Status CLI – The following example enables IP Precedence service on the switch. Console(config)#map ip precedence 4-204 Console(config)#...
Page 194: Figure 3-90 Mapping Ip Precedence Priority Values
Class of Service Configuration Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply. Figure 3-90 Mapping IP Precedence Priority Values CLI –...
Page 195: Mapping Dscp Priority
Configuring the Switch Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
Page 196: Mapping Ip Port Priority
Class of Service Configuration CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp 4-189 Console(config)#interface ethernet 1/1 4-116 Console(config-if)#map ip dscp 1 cos 0 4-190...
Page 197: Quality Of Service
Configuring the Switch Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply. Figure 3-93 IP Port Priority CLI* –...
Page 198: Configuring Quality Of Service Parameters
Quality of Service All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class. Class information can be assigned by end hosts, or switches or routers along the path. Priority can then be assigned based on a general policy, or a detailed examination of the packet.
Page 199 Configuring the Switch based on an access list, a DSCP or IP Precedence value, or a VLAN, and click the Add button next to the field for the selected traffic criteria. You can specify up to 16 items to match when assigning ingress traffic to a class map. •...
Page 200: Figure 3-94 Configuring Class Maps
Quality of Service Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-94 Configuring Class Maps CLI - This example creates a class map call “rd-class,” and sets it to match packets marked for DSCP service value 3.
Page 201: Creating Qos Policies
Configuring the Switch Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-155. - Open the Policy Map page, and click Add Policy.
Page 202 Quality of Service Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on 3-155).
Page 203: Figure 3-95 Configuring Policy Maps
Configuring the Switch Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-95 Configuring Policy Maps CLI –...
Page 204: Attaching A Policy Map To Ingress Queues
Quality of Service Attaching a Policy Map to Ingress Queues This function binds a policy map to the ingress queue of a particular interface. Command Usage • You must first define a class map, then define a policy map, and finally bind the service policy to the required interface.
Page 205: Multicast Filtering
Configuring the Switch Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/ router.
Page 206: Configuring Igmp Snooping And Query Parameters
Multicast Filtering Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
Page 207: Enabling Igmp Immediate Leave
Configuring the Switch Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-97 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Page 208: Displaying Interfaces Attached To A Multicast Router
Multicast Filtering Command Attributes • VLAN ID – ID of configured VLAN (1-4094). • Immediate Leave – Enable or disable IGMP immediate leave for the selected VLAN. Web – Click IGMP Snooping, IGMP Immediate Leave. Figure 3-98 IGMP Immediate Leave CLI –...
Page 209: Specifying Static Interfaces For A Multicast Router
Configuring the Switch Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers. Figure 3-99 Displaying Multicast Router Port Information CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Page 210: Displaying Port Members Of Multicast Services
Multicast Filtering Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.
Page 211: Assigning Ports To Multicast Services
Configuring the Switch Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-101 IP Multicast Registration Table CLI –...
Page 212: Igmp Filtering And Throttling
Multicast Filtering Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
Page 213: Enabling Igmp Filtering And Throttling
Configuring the Switch switch randomly removes an existing group and replaces it with the new multicast group. Note: IGMP filtering and throttling only applies to dynamically learned multicast groups, it does not apply to statically configured groups. Enabling IGMP Filtering and Throttling To implement IGMP filtering and throttling on the switch, you must first enable the feature globally and create IGMP profile numbers.
Page 214: Configuring Igmp Filtering And Throttling For Interfaces
Multicast Filtering Configuring IGMP Filtering and Throttling for Interfaces Once you have configured IGMP profiles, you can then assign them to interfaces on the switch. Also, you can set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time. Command Usage •...
Page 215: Configuring Igmp Filter Profiles
Configuring the Switch Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-104 IGMP Filter and Throttling Port Configuration CLI –...
Page 216: Figure 3-105 Igmp Profile Configuration
Multicast Filtering deny, IGMP join reports are only processed when a multicast group is not in the controlled range. Command Attributes • Profile ID – Selects an existing profile number to configure. After selecting an ID number, click the Query button to display the current configuration. •...
Page 217: Configuring Global Mvr Settings
Multicast Filtering General Configuration Guidelines for MVR Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 3-175). Set the interfaces that will join the MVR as source ports or receiver ports (see “Configuring MVR Interface Status”...
Page 218 Configuring the Switch CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed. Console(config)#ip igmp profile 19 4-222 Console(config-igmp-profile)#permit 4-222...
Page 219: Displaying Mvr Interface Status
Configuring the Switch Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 3-106 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
Page 220: Figure 3-107 Mvr Port Information
Multicast Filtering Web – Click MVR, Port or Trunk Information. Figure 3-107 MVR Port Information CLI – This example shows information about interfaces attached to the MVR VLAN. Console#show mvr interface 4-221 Port Type Status Immediate Leave ------- -------- ------------- --------------- eth1/1 SOURCE ACTIVE/UP...
Page 221: Displaying Port Members Of Multicast Groups
Configuring the Switch Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. •...
Page 222: Configuring Mvr Interface Status
Multicast Filtering Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
Page 223: Assigning Static Multicast Groups To Interfaces
Configuring the Switch Web – Click MVR, Port or Trunk Configuration. Figure 3-109 MVR Port Configuration CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port. Console(config)#interface ethernet 1/1 Console(config-if)#mvr type source 4-219 Console(config-if)#exit...
Page 224: Configuring Domain Name Service
Configuring Domain Name Service Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups. Select a multicast address from the displayed lists, and click the Add or Remove button to modify the Member list.
Page 225: Figure 3-111 Dns General Configuration
Configuring the Switch • When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
Page 226: Configuring Static Dns Host To Address Entries
Configuring Domain Name Service CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used. Console(config)#ip domain-name sample.com 4-234 Console(config)#ip domain-list sample.com.uk 4-235 Console(config)#ip domain-list sample.com.jp Console(config)#ip name-server 192.168.1.55 10.1.0.55...
Page 227: Figure 3-112 Dns Static Host Table
Configuring the Switch Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-112 DNS Static Host Table CLI - This example maps two address to a host name, and then configures an alias host name for the same addresses.
Page 228: Displaying The Dns Cache
Configuring Domain Name Service Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
Page 229: Dhcp Snooping
Configuring the Switch CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache 4-238 FLAG TYPE DOMAIN CNAME 207.46.134.222 www.microsoft.akadns.net CNAME 207.46.134.190 www.microsoft.akadns.net CNAME 207.46.134.155 www.microsoft.akadns.net CNAME 207.46.249.222 www.microsoft.akadns.net CNAME 207.46.249.27 www.microsoft.akadns.net ALIAS POINTER TO:4 www.microsoft.com...
Page 230: Dhcp Snooping Configuration
DHCP Snooping the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header. • If the DHCP packet is not a recognizable type, it is dropped. •...
Page 231: Dhcp Snooping Vlan Configuration
Configuring the Switch DHCP Snooping VLAN Configuration Enables DHCP snooping on the specified VLAN. Command Attributes • VLAN ID – ID of a configured VLAN. (Range: 1-4094) • DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN.
Page 232: Dhcp Snooping Port Configuration
DHCP Snooping Command Attributes • DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay. • DHCP Snooping Information Option Policy – Sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.
Page 233: Dhcp Snooping Binding Information
Configuring the Switch Web – Click DHCP Snooping, Information Option Configuration. Figure 3-117 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust 4-234 Console(config-if)# DHCP Snooping Binding Information Displays the DHCP snooping binding information.
Page 234: Ip Source Guard
IP Source Guard Web – Click DHCP Snooping, DHCP Snooping Binding Information. Figure 3-118 DHCP Snooping Binding Information CLI – This example shows how to display the DHCP Snooping binding table entries Console#show ip dhcp snooping binding 4-237 MacAddress IpAddress Lease(sec) Type VLAN Interface...
Page 235: Static Ip Source Guard Binding Configuration
Configuring the Switch Command Attributes • Filter Type – Configures the switch to filter inbound traffic based source IP address, or source IP address and corresponding MAC address. (Default: None) • None – Disables IP source guard filtering on the port. •...
Page 236: Dynamic Ip Source Guard Binding Information
IP Source Guard Command Attributes • Static Binding Table Counts – The total number of static entries in the table. • Port – Switch port number. (Range: 1-26) • VLAN ID – ID of a configured VLAN (Range: 1-4094) • MAC Address – A valid unicast MAC address. •...
Page 237: Switch Clustering
Configuring the Switch Web – Click IP Source Guard, Dynamic Information. Figure 3-121 Dynamic IP Source Guard Binding Information CLI – This example shows how to configure a static source-guard binding on port 5 Console#show ip source-guard binding 4-230 MacAddress IpAddress Lease(sec) Type VLAN Interface...
Page 238: Cluster Configuration
Switch Clustering Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station. After the Commander and Members have been configured, any switch in the cluster can be managed from the web interface by choosing the Member ID from the Cluster drop-down menu.
Page 239: Cluster Member Configuration
Configuring the Switch Web – Click Cluster, Configuration. Figure 3-123 Cluster Configuration CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool. Console(config)#cluster 4-238 Console(config)#cluster commander 4-239 Console(config)#cluster ip-pool 10.2.3.4 4-239...
Page 240: Cluster Member Information
Switch Clustering Web – Click Cluster, Member Configuration. Figure 3-124 Cluster Member Configuration CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-240 Console(config)# Cluster Member Information...
Page 241: Cluster Candidate Information
Configuring the Switch CLI – This example shows information about cluster Member switches. Vty-0#sh cluster members 4-241 Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: TL-SG5426 Vty-0# Cluster Candidate Information Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
Page 242: Chapter 4: Command Line Interface
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
Page 243: Telnet Connection
Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
Page 244: Entering Commands
Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Page 245: Showing Commands
Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
Page 246: Partial Keyword Lookup
Entering Commands The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Interface counters information protocol-vlan Protocol-VLAN information status Interface status information switchport Interface switchport information Console#show interfaces Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
Page 247: Exec Commands
Command Line Interface Table 4-1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Page 248: Configuration Commands
Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. The configuration commands are organized into different modes: •...
Page 249: Command Line Processing
Command Line Interface Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
Page 250: Command Groups
Command Groups Command Groups The system commands can be broken down into the functional groups shown below Table 4-4 Command Groups Command Group Description Page Line Sets communication parameters for the serial port and Telnet, 4-10 including baud rate and console time-out General Basic commands for entering privileged access mode, restarting the 4-19...
Page 251: Line Commands
Command Line Interface The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) MST (Multiple Spanning Tree) CM (Class Map Configuration) NE (Normal Exec) GC (Global Configuration) PE (Privileged Exec) IC (Interface Configuration) PM (Policy Map Configuration) LC (Line Configuration) VC (VLAN Database Configuration)
Page 252: Line
Line Commands line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
Page 253: Password
Command Line Interface - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authentication via the user name and password specified by the username command (i.e., default setting).
Page 254: Timeout Login Response
Line Commands during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config-line)#password 0 secret Console(config-line)# Related Commands login (4-11) password-thresh (4-14) timeout login response This command sets the interval that the system waits for a user to log into the CLI.
Page 255: Password-Thresh
Command Line Interface Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout) Default Setting CLI: No timeout Telnet: 10 minutes Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
Page 256: Silent-Time
Line Commands Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
Page 257: Parity
Command Line Interface Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. • 8 - Eight data bits per character. Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
Page 258: Speed
Line Commands Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Page 259: Disconnect
Command Line Interface Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage...
Page 260: General Commands
General Commands Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec console# General Commands...
Page 261: Disable
Command Line Interface Default Setting Level 15 Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-26.) •...
Page 262: Configure
General Commands configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes”...
Page 263: Reload
Command Line Interface The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
Page 264: Exit
General Commands exit This command returns to the previous configuration mode or exit the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
Page 265: System Management Commands
Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-7 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4-24 User Access...
Page 266: Hostname
System Management Commands Example Console(config)#prompt RD2 RD2(config)# hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
Page 267: Enable Password
Command Line Interface • name - The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16) • access-level level - Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. •...
Page 268: Ip Filter Commands
System Management Commands • password - password for this privilege level. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive) Default Setting • The default is level 15. • The default password is “super” Command Mode Global Configuration Command Usage •...
Page 269: Show Management
Command Line Interface • telnet-client - Adds IP address(es) to the Telnet group. • start-address - A single IP address, or the starting address of a range. • end-address - The end address of a range. Default Setting All addresses Command Mode Global Configuration Command Usage...
Page 270: Web Server Commands
System Management Commands Example Console#show management all-client Management IP Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 SNMP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 TELNET-Client: Start IP address End IP address ----------------------------------------------- 1.
Page 271: Ip Http Server
Command Line Interface Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-30) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled...
Page 272: Ip Http Secure-Port
System Management Commands • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
Page 273: Telnet Server Commands
Command Line Interface • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000 Console(config)# Related Commands ip http secure-server (4-30) Telnet Server Commands Table 4-14 Telnet Server Commands Command...
Page 274: Ip Telnet Server
System Management Commands ip telnet server This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax [no] ip telnet server Default Setting Enabled Command Mode Global Configuration Example Console(config)#ip telnet server Console(config)# Related Commands ip telnet port (4-32)
Page 275 Command Line Interface Table 4-15 SSH Commands (Continued) Command Function Mode Page copy tftp public-key Copies the user’s public key from a TFTP server to the switch 4-64 delete public-key Deletes the public key for the specified user 4-38 ip ssh crypto host-key Generates the host key 4-38 generate...
Page 276: Ip Ssh Server
System Management Commands firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key: 1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 00609025394840848271781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve@192.168.1.19 Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
Page 277: Ip Ssh Timeout
Command Line Interface • The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. •...
Page 278: Ip Ssh Authentication-Retries
System Management Commands ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
Page 279: Delete Public-Key
Command Line Interface delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
Page 280: Ip Ssh Crypto Zeroize
System Management Commands Related Commands ip ssh crypto zeroize (4-39) ip ssh save host-key (4-39) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
Page 281: Show Ip Ssh
Command Line Interface Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (4-38) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99...
Page 282: Show Public-Key
System Management Commands Table 4-16 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
Page 283: Command Line Interface
Command Line Interface Example Console#show public-key host Host: RSA: 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjw bvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 Console# 4-42...
Page 284: Event Logging Commands
System Management Commands Event Logging Commands Table 4-17 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-43 logging history Limits syslog messages saved to switch memory based on 4-44 severity logging host Adds a syslog server host IP address that will receive logging 4-45 messages logging facility...
Page 285: Logging History
Command Line Interface logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
Page 286: Logging Host
System Management Commands logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
Page 287: Logging Trap
Command Line Interface logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Page 288: Show Logging
System Management Commands Example Console#clear logging Console# Related Commands show logging (4-47) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
Page 289: Show Log
Command Line Interface The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
Page 290: Smtp Alert Commands
System Management Commands Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [3] 00:00:54 2001-01-01 "STA root change notification."...
Page 291: Logging Sendmail Level
Command Line Interface Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handing. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
Page 292: Logging Sendmail Source-Email
System Management Commands logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages. (Range: 0-41 characters) Default Setting None...
Page 293: Logging Sendmail
Command Line Interface logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
Page 294: Time Commands
System Management Commands Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Page 295: Sntp Server
Command Line Interface Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current time: Dec 23 02:52:44 2002 Poll interval: 60 Current mode: unicast SNTP status: Enabled SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0 Current server: 10.1.0.19 Console# Related Commands sntp server (4-54) sntp poll (4-55) show sntp (4-55)
Page 296: Sntp Poll
System Management Commands sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
Page 297: Clock Timezone
Command Line Interface clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-12 hours) •...
Page 298: Show Calendar
System Management Commands Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, April 1st, 2004. Console#calendar set 15 12 34 1 April 2004 Console# show calendar This command displays the system clock. Default Setting None Command Mode...
Page 299 Command Line Interface Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes. Each mode group is separated by “!”...
Page 300: Show Running-Config
System Management Commands Related Commands show running-config (4-59) show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
Page 301 Command Line Interface Example Console#show running-config building startup-config, please wait..phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 clock timezone hours 0 minute 0 after-UTC SNMP-server community private rw SNMP-server community public ro username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4...
Page 302: Show System
System Management Commands show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-10. •...
Page 303: Show Version
Command Line Interface Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users:...
Page 304: Frame Size Commands
System Management Commands Example Console#show version Unit1 Serial number: S416000937 Service tag: Hardware version: Module A type: 1000BaseT Module B type: 1000BaseT Number of ports: Main power status: Redundant power status :not present Agent (master) Unit ID: Loader version: 2.2.1.4 Boot ROM version: 2.2.1.8 Operation code version:...
Page 305: Flash/File Commands
Command Line Interface • Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packets per second. (See the switchport broadcast command on page 4-122.) • The current setting for jumbo frames can be displayed with the show system command (page 4-61).
Page 306 Flash/File Commands • https-certificate - Copies an HTTPS certificate from an TFTP server to the switch. • public-key - Keyword that allows you to copy a SSH key from a TFTP server. (“Secure Shell Commands” on page 4-33) • unit - Keyword that allows you to copy to/from a unit. Default Setting None Command Mode...
Page 307 Command Line Interface Example The following example shows how to upload the configuration settings to a file on the TFTP server: Console#copy file tftp Choose file type: 1. config: 2. opcode: <1-2>: 1 Source file name: startup TFTP server ip address: 10.1.0.99 Destination file name: startup.01 TFTP completed.
Page 308: Delete
Flash/File Commands This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch: Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1.
Page 309: Dir
Command Line Interface This command displays a list of files in flash memory. Syntax dir [unit:] {{boot-rom: | config: | opcode:} [:filename]} The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. •...
Page 310: Whichboot
Flash/File Commands whichboot This command displays which files were booted when the system powered up. Syntax whichboot [unit] unit - Stack unit. (Range: Unit 1) Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Page 311: Authentication Commands
Command Line Interface Command Usage • A colon (:) is required after the specified unit number and file type. • If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-68) whichboot (4-69)
Page 312: Authentication Login
Authentication Commands authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server password. •...
Page 313: Authentication Enable
Command Line Interface authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-19). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable...
Page 314: Radius Client
Authentication Commands Command Usage • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. •...
Page 315: Radius-Server Host
Command Line Interface radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key] •...
Page 316: Radius-Server Key
Authentication Commands Command Mode Global Configuration Example Console(config)#radius-server port 181 Console(config)# radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
Page 317: Radius-Server Timeout
Command Line Interface radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
Page 318: Tacacs+ Client
Authentication Commands TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Page 319: Tacacs-Server Key
Command Line Interface Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
Page 320: Port Security Commands
Authentication Commands Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Page 321 Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
Page 322: 802.1X Port Authentication
Authentication Commands 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 4-32 802.1X Port Authentication Command Function...
Page 323: Dot1X Default
Command Line Interface dot1x default This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
Page 324: Dot1X Operation-Mode
Authentication Commands Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
Page 325: Dot1X Re-Authenticate
Command Line Interface dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface • ethernet unit/port - unit - Stack unit. (Range: Unit 1) - port - Port number. (Range: 1-26) Command Mode Privileged Exec Example Console#dot1x re-authenticate...
Page 326: Dot1X Timeout Re-Authperiod
Authentication Commands Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds.
Page 327: Show Dot1X
Command Line Interface Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port. •...
Page 328 Authentication Commands • 802.1X Port Details – Displays the port access control parameters for each interface, including the following items: - reauth-enabled – Periodic re-authentication (page 4-84). - reauth-period – Time after which a connected client must be re-authenticated (page 4-85). - quiet-period –...
Page 329 Command Line Interface Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/26 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period:...
Page 330: Access Control List Commands
Access Control List Commands Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
Page 331: Ip Acls
Command Line Interface IP ACLs Table 4-34 IP ACLs Command Function Mode Page access-list ip Creates an IP ACL and enters configuration mode 4-90 permit, deny Filters packets matching a specified source IP address STD-ACL 4-91 permit, deny Filters packets meeting the specified criteria, including EXT-ACL 4-91 source and destination IP address, TCP/UDP port number,...
Page 332: Permit, Deny (Standard Acl)
Access Control List Commands Related Commands permit, deny 4-91 ip access-group (4-93) show ip access-list (4-93) permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
Page 333 Command Line Interface Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] [no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] •...
Page 334: Show Ip Access-List
Access Control List Commands This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80 Console(config-ext-acl)# Related Commands access-list ip (4-90) show ip access-list This command displays the rules for configured IP ACLs.
Page 335: Mac Acls
Access Control List Commands MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports Table 4-35 MAC ACL Commands Command...
Page 336: Permit, Deny (Mac Acl)
Command Line Interface permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
Page 337: Show Mac Access-List
Access Control List Commands Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. • The ethertype option can only be used to filter Ethernet II formatted packets. • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: - 0800 - IP - 0806 - ARP...
Page 338: Mac Access-Group
Command Line Interface mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
Page 339 Command Line Interface Command Usage • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. •...
Page 340: Acl Information
Access Control List Commands ACL Information Table 4-36 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-99 show access-group Shows the ACLs assigned to each port 4-99 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
Page 341: Snmp Commands
Command Line Interface SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
Page 342: Snmp-Server
SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications.
Page 343: Snmp-Server Community
Command Line Interface Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors...
Page 344: Snmp-Server Contact
SNMP Commands • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information.
Page 345: Snmp-Server Host
Command Line Interface Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-103) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}...
Page 346 SNMP Commands • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
Page 347: Snmp-Server Enable Traps
Command Line Interface supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications. • If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.
Page 348: Snmp-Server Engine-Id
SNMP Commands conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-110). Example Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands snmp-server host (4-104) snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Page 349: Show Snmp Engine-Id
Command Line Interface fill the octet. For example, entering the value “123456789” results in an engine ID of “1234567890.” • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared.
Page 350: Snmp-Server View
SNMP Commands snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
Page 351: Show Snmp View
Command Line Interface show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile...
Page 352 SNMP Commands Default Setting • Default groups: public (read only), private (read/write) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothing is defined. • notifyview - Nothing is defined. Command Mode Global Configuration Command Usage •...
Page 353: Show Snmp Group
Command Line Interface show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
Page 354: Snmp-Server User
SNMP Commands Table 4-40 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry.
Page 355 Command Line Interface Default Setting None Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. •...
Page 356: Show Snmp User
SNMP Commands show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
Page 357: Interface Commands
Command Line Interface Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-42 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 4-116 mode description...
Page 358: Description
Interface Commands Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
Page 359: Negotiation
Command Line Interface Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Page 360: Capabilities
Interface Commands • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example The following example configures port 11 to use autonegotiation. Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)# Related Commands capabilities (4-119) speed-duplex (4-117) capabilities This command advertises the port capabilities of a given interface during autonegotiation.
Page 361: Flowcontrol
Command Line Interface Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (4-118) speed-duplex (4-117) flowcontrol (4-120) flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting...
Page 362: Shutdown
Interface Commands Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-118) capabilities (flowcontrol, symmetric) (4-119) shutdown This command disables an interface. To restart a disabled interface, use the no form.
Page 363: Switchport Broadcast Packet-Rate
Command Line Interface switchport broadcast packet-rate This command configures broadcast storm control. Use the no form to disable broadcast storm control. Syntax switchport broadcast octet-rate rate no switchport broadcast rate - Threshold level as a rate; i.e., kilobits per second. (Range: 500-262143) Default Setting Enabled for all ports...
Page 364: Show Interfaces Status
Interface Commands Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Page 365: Show Interfaces Counters
Command Line Interface Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-61 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, Broadcast storm: Enabled Broadcast storm limit: 500 packets/second Flow control: Disabled Lacp:...
Page 366: Show Interfaces Switchport
Interface Commands Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1...
Page 367 Command Line Interface Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast threshold: Enabled, 500 packets/second LACP status: Enabled Ingress Rate Limit: Disabled, 100000 Kbits per second Egress Rate Limit: Disabled, 100000 Kbits per second VLAN membership mode: Hybrid Ingress rule:...
Page 368: Mirror Port Commands
Mirror Port Commands Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-44 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 4-127 show port monitor Shows the configuration for a mirror port 4-128 port monitor...
Page 369: Show Port Monitor
Command Line Interface Example The following example configures the switch to mirror received packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
Page 370: Rate Limit Commands
Rate Limit Commands Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
Page 371: Link Aggregation Commands
Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
Page 372: Channel-Group
Link Aggregation Commands Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports. •...
Page 373: Lacp
Command Line Interface Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting...
Page 374: Lacp System-Priority
Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
Page 375: Lacp Admin-Key (Ethernet Interface)
Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Port must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
Page 376: Lacp Admin-Key (Port Channel)
Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Page 377: Lacp Port-Priority
Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side an aggregate link. •...
Page 378: Table 4-47 Show Lacp Counters - Display Description
Link Aggregation Commands Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-47...
Page 379: Table 4-48 Show Lacp Internal - Display Description
Command Line Interface Table 4-48 show lacp internal - display description Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel.
Page 380 Link Aggregation Commands Table 4-49 show lacp neighbors - display description Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Current administrative value of the port number for the protocol Partner.
Page 381: Address Table Commands
Command Line Interface Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 4-51 Address Table Commands Command Function Mode Page mac-address-table static Maps a static address to a port in a VLAN 4-140 clear mac-address-table...
Page 382: Clear Mac-Address-Table Dynamic
Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: •...
Page 383: Mac-Address-Table Aging-Time
Command Line Interface • sort - Sort by address, vlan or interface. Default Setting None Command Mode Privileged Exec Command Usage • The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: - Learned - Dynamic address entries - Permanent - Static entry - Delete-on-reset - Static entry to be deleted when system is reset...
Page 384: Show Mac-Address-Table Aging-Time
Address Table Commands Example Console(config)#mac-address-table aging-time 100 Console(config)# show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 100 sec. Console# 4-143...
Page 385: Spanning Tree Commands
Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-52 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-145 spanning-tree mode...
Page 386: Spanning-Tree
Spanning Tree Commands spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Page 387: Spanning-Tree Forward-Time
Command Line Interface members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option. • Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below: - STP Mode –...
Page 388: Spanning-Tree Hello-Time
Spanning Tree Commands Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state;...
Page 389: Spanning-Tree Max-Age
Command Line Interface spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
Page 390: Spanning-Tree Pathcost Method
Spanning Tree Commands Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Page 391: Spanning-Tree Transmission-Limit
Command Line Interface spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting Command Mode Global Configuration...
Page 392: Mst Vlan
Spanning Tree Commands mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range •...
Page 393: Name
Command Line Interface Default Setting 32768 Command Mode MST Configuration Command Usage • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Page 394: Revision
Spanning Tree Commands revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting Command Mode MST Configuration...
Page 395: Spanning-Tree Spanning-Disabled
Command Line Interface specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example Console(config-mstp)#max-hops 30 Console(config-mstp)# spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface.
Page 396: Spanning-Tree Port-Priority
Spanning Tree Commands • Fast Ethernet – half duplex: 200,000; full duplex: 100,000; trunk: 50,000 • Gigabit Ethernet – full duplex: 10,000; trunk: 5,000 • 10 Gigabit Ethernet – full duplex: 1000; trunk: 500 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Page 397: Spanning-Tree Edge-Port
Command Line Interface Related Commands spanning-tree cost (4-154) spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Page 398: Spanning-Tree Link-Type
Spanning Tree Commands Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
Page 399: Spanning-Tree Mst Cost
Command Line Interface • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple...
Page 400: Spanning-Tree Mst Port-Priority
Spanning Tree Commands Example Console(config)#interface ethernet ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands spanning-tree mst port-priority (4-159) spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority...
Page 401: Spanning-Tree Protocol-Migration
Command Line Interface spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-26) •...
Page 402: Table 4-53 Vlans
Spanning Tree Commands Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
Page 403: Show Spanning-Tree Mst Configuration
Command Line Interface --------------------------------------------------------------- 1/ 1 information --------------------------------------------------------------- Admin status: enable Role: root State: forwarding External admin path cost: 10000 Internal admin cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000 Priority: Designated cost: 200000 Designated port: 128.24 Designated root: 32768.0.0000ABCD0000...
Page 404: Vlan Commands
VLAN Commands VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Page 405: Bridge-Ext Gvrp
Command Line Interface bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
Page 406: Switchport Gvrp
VLAN Commands switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/6 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
Page 407: Garp Timer
Command Line Interface garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
Page 408: Editing Vlan Groups
VLAN Commands Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Range: Unit 1) - port - Port number. (Range: 1-26) • port-channel channel-id (Range: 1-4) Default Setting Shows all GARP timers. Command Mode Normal Exec, Privileged Exec Example Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status:...
Page 409: Vlan
Command Line Interface Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Page 410: Configuring Vlan Interfaces
VLAN Commands Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Console(config)#vlan database Console(config-vlan)#vlan 105 name RD5 media ethernet Console(config-vlan)# Related Commands show vlan (4-175) Configuring VLAN Interfaces Table 4-56 Configuring VLAN Interfaces Command Function...
Page 411: Switchport Mode
Command Line Interface Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-121) switchport mode This command configures the VLAN membership mode for a port.
Page 412: Switchport Acceptable-Frame-Types
VLAN Commands switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
Page 413: Switchport Native Vlan
Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Ingress filtering only affects tagged frames. • With ingress filtering enabled, a port will discard received frames tagged for VLANs for it which it is not a member. •...
Page 414: Switchport Allowed Vlan
VLAN Commands switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged.
Page 415: Switchport Forbidden Vlan
Command Line Interface Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan This command configures forbidden VLANs.
Page 416: Displaying Vlan Information
VLAN Commands Displaying VLAN Information Table 4-57 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-175 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-123 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-125 interface...
Page 417: Configuring Ieee 802.1Q Tunneling
Command Line Interface Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Page 418: Switchport Dot1Q-Tunnel Mode
VLAN Commands Default Setting Disabled Command Mode Global Configuration Command Usage QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional. Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)# Related Commands show dot1q-tunnel (4-178) show interfaces switchport (4-125) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port.
Page 419: Switchport Dot1Q-Tunnel Tpid
Command Line Interface switchport dot1q-tunnel tpid This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-tunnel tpid tpid no switchport dot1q-tunnel tpid tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Page 420: Configuring Private Vlans
VLAN Commands Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
Page 421: Show Pvlan
Command Line Interface • up-link - Sepcifies an uplink interface. • down-link - Sepcifies a downlink interface. Default Setting No private VLANs are defined. Command Mode Global Configuration Command Usage • A private VLAN provides port-based security and isolation between ports within the VLAN.
Page 422: Configuring Protocol-Based Vlans
VLAN Commands Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
Page 423: Protocol-Vlan Protocol-Group (Configuring Interfaces)
Command Line Interface • protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frames types include: ip, arp, rarp, and user-defined (0801-FFFF hexadecimal). Default Setting No protocol groups are configured. Command Mode Global Configuration Example...
Page 424: Show Protocol-Vlan Protocol-Group
VLAN Commands - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Page 425: Priority Commands
Command Line Interface Command Mode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port ProtocolGroup ID Vlan ID ---------- ------------------ ----------- Eth 1/1 vlan2 Console#...
Page 426: Queue Mode
Priority Commands queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
Page 427: Queue Bandwidth
Command Line Interface Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority.
Page 428: Queue Cos-Map
Priority Commands Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example This example shows how to assign WRR weights to priority queues 0 - 2: Console(config)#queue bandwidth 6 9 12 Console(config)# Related Commands show queue bandwidth (4-188) queue cos-map This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 3).
Page 429: Show Queue Mode
Command Line Interface Command Usage • CoS values assigned at the ingress port are also used at the egress port. Example The following example shows how to change the CoS assignments: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0 Console(config-if)#queue cos-map 1 1 Console(config-if)#queue cos-map 2 2 Console(config-if)#exit Console#show queue cos-map ethernet 1/1...
Page 430: Show Queue Cos-Map
Priority Commands Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: Unit 1) - port - Port number.
Page 431: Map Ip Dscp (Interface Configuration)
Command Line Interface Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. Example The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp Console(config)# map ip dscp (Interface Configuration)
Page 432: Show Map Ip Dscp
Priority Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues.
Page 433: Quality Of Service Commands
Command Line Interface Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (4-189)
Page 434: Table 4-66 Quality Of Service Commands
Quality of Service Commands Table 4-66 Quality of Service Commands Command Function Mode Page class-map Creates a class map for a type of traffic 4-194 match Defines the criteria used to classify traffic 4-194 policy-map Creates a policy map for multiple interfaces 4-195 class Defines a traffic classification for the policy to act on...
Page 435: Class-Map
Command Line Interface class-map This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode. Use the no form to delete a class map and return to Global configuration mode. Syntax [no] class-map class-map-name [match-any] •...
Page 436: Policy-Map
Quality of Service Commands • vlan - A VLAN. (Range:1-4094) Default Setting None Command Mode Class Map Configuration Command Usage • First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use the match command to specify the fields within ingress packets that must match to qualify for this class map.
Page 437: Class
Command Line Interface Command Usage • Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches criteria defined in a class map. • A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command (page 4-199).
Page 438: Set
Quality of Service Commands Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
Page 439: Police
Command Line Interface police This command defines an policer for classified traffic. Use the no form to remove a policer. Syntax [no] police rate-kbps burst-byte [exceed-action {drop | set}] • rate-kbps - Rate in kilobits per second. (Range: 1-100000 kbps or maximum port speed, whichever is lower) •...
Page 440: Service-Policy
Quality of Service Commands service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name •...
Page 441: Show Policy-Map
Command Line Interface Example Console#show class-map Class Map match-any rd_class#1 Match ip dscp 3 Class Map match-any rd_class#2 Match ip precedence 5 Class Map match-any rd_class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
Page 442: Example
Example Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
Page 443: Ip Igmp Snooping
Command Line Interface ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static...
Page 444: Ip Igmp Snooping Version
Multicast Filtering Commands ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2} no ip igmp snooping version • 1 - IGMP Version 1 •...
Page 445: Ip Igmp Snooping Immediate-Leave
Command Line Interface • The leave-proxy feature does not function when a switch is set as the querier. Example Console(config)#ip igmp snooping leave-proxy Console(config)# ip igmp snooping immediate-leave This command enables IGMP immediate leave for specific VLAN. Use the no form to disable the feature for a VLAN.
Page 446: Show Mac-Address-Table Multicast
Multicast Filtering Commands Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping Service status: Enabled Querier status: Enabled Leave proxy status: Disabled Query count: Query interval: 100 sec Query max response time: 20 sec Router port expire time: 300 sec Immediate Leave Processing: Disabled on all VLAN IGMP snooping version: Version 2...
Page 447: Igmp Query Commands (Layer 2)
Command Line Interface IGMP Query Commands (Layer 2) Table 4-69 IGMP Query Commands (Layer 2) Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 4-206 ip igmp snooping Configures the query count 4-206 query-count ip igmp snooping...
Page 448: Ip Igmp Snooping Query-Interval
Multicast Filtering Commands Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-max- response-time.
Page 449: Ip Igmp Snooping Query-Max-Response-Time
Command Line Interface ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default. Syntax ip igmp snooping query-max-response-time seconds no ip igmp snooping query-max-response-time seconds - The report delay advertised in IGMP queries. (Range: 5-25) Default Setting 10 seconds Command Mode...
Page 450: Static Multicast Routing Commands
Multicast Filtering Commands Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Console(config)#ip igmp snooping router-port-expire-time 300 Console(config)# Related Commands ip igmp snooping version (4-203)
Page 451: Show Ip Igmp Snooping Mrouter
Command Line Interface Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
Page 452: Igmp Filtering And Throttling Commands
Multicast Filtering Commands IGMP Filtering and Throttling Commands In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
Page 453: Ip Igmp Profile
Command Line Interface • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example Console(config)#ip igmp filter Console(config)# ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode.
Page 454: Range
Multicast Filtering Commands • When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
Page 455: Ip Igmp Max-Groups
Command Line Interface Command Mode Interface Configuration Command Usage • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface. •...
Page 456: Ip Igmp Max-Groups Action
Multicast Filtering Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#ip igmp max-group 10 Console(config-if)# ip igmp max-groups action This command sets the IGMP throttling action for an interface on the switch. Syntax ip igmp max-groups action {replace | deny} • replace - The new multicast group replaces an existing group. •...
Page 457: Show Ip Igmp Profile
Command Line Interface Command Mode Privileged Exec Example Console#show ip igmp filter IGMP filter enabled onsole#show ip igmp filter interface ethernet 1/1 Ethernet 1/1 information --------------------------------- IGMP Profile 19 Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch.
Page 458: Multicast Vlan Registration Commands
Multicast Filtering Commands - -port - Port number. (Range: 1-29) • port-channel channel-id (Range: 1-4) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny...
Page 459: Mvr (Global Configuration)
Command Line Interface mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
Page 460: Mvr (Interface Configuration)
Multicast Filtering Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
Page 461 Command Line Interface Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. • MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN.
Page 462: Show Mvr
Multicast Filtering Commands show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
Page 463: Table 4-74 Show Mvr Interface - Display Description
Command Line Interface The following displays information about the interfaces attached to the MVR VLAN: Console#show mvr interface Port Type Status Immediate Leave ------- -------- ------------- --------------- eth1/1 SOURCE ACTIVE/UP Disable eth1/2 RECEIVER ACTIVE/UP Disable eth1/5 RECEIVER INACTIVE/DOWN Disable eth1/6 RECEIVER INACTIVE/DOWN Disable...
Page 464: Ip Interface Commands
IP Interface Commands IP Interface Commands An IP addresses may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
Page 465: Ip Default-Gateway
Command Line Interface • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
Page 466: Show Ip Redirects
Command Line Interface show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-224) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [size size] [count count] •...
Page 467: Ip Source Guard Commands
IP Source Guard Commands Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Page 468 Command Line Interface Syntax ip source-guard {sip | sip-mac} no ip source-guard • sip - Filters traffic based on IP addresses stored in the binding table. • sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table. Default Setting Disabled Command Mode...
Page 469: Ip Source-Guard Binding
IP Source Guard Commands is static IP source guard binding, static DHCP snooping binding or dynamic DHCP snooping binding, the packet will be forwarded. - If IP source guard if enabled on an interface for which IP source bindings (dynamically learned via DHCP snooping or manually configured) are not yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.
Page 470: Show Ip Source-Guard
Command Line Interface table, or static addresses configured in the source guard binding table with this command. • Static bindings are processed as follows: - If there is no entry with same VLAN ID and MAC address, a new entry is added to binding table using the type of static IP source guard binding.
Page 471: Show Ip Source-Guard Binding
DHCP Snooping Commands Example Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- ---- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console# DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
Page 472 Command Line Interface firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command (page 4-233), DHCP messages received on an untrusted interface (as specified by the no ip dhcp snooping trust command, page 4-234) from a device not listed in the DHCP snooping table will be dropped.
Page 473: Ip Dhcp Snooping Vlan
DHCP Snooping Commands receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
Page 474: Ip Dhcp Snooping Trust
Command Line Interface Related Commands ip dhcp snooping (4-231) ip dhcp snooping trust (4-234) ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode...
Page 475: Ip Dhcp Snooping Verify Mac-Address
DHCP Snooping Commands ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function. Syntax [no] ip dhcp snooping verify mac-address Default Setting Enabled Command Mode...
Page 476: Ip Dhcp Snooping Information Policy
Command Line Interface identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN. •...
Page 477: Show Ip Dhcp Snooping
Switch Cluster Commands show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable Interface Trusted ----------...
Page 478: Cluster
Command Line Interface Table 4-79 Switch Cluster Commands Command Function Mode Page cluster ip-pool Sets the cluster IP address pool for Members 4-239 cluster member Sets Candidate switches as cluster members 4-240 rcommand Provides configuration access to Member switches 4-240 show cluster Displays the switch clustering status 4-241...
Page 479: Cluster Commander
Switch Cluster Commands cluster commander This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. Syntax [no] cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage • Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network.
Page 480: Cluster Member
Command Line Interface • You cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled. Example Console(config)#cluster ip-pool 10.2.3.4 Console(config)# cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
Page 481: Show Cluster
Switch Cluster Commands Example Vty-0#rcommand id 1 CLI session with the TL-SG5426 is opened. To end the CLI session, enter [Exit]. Vty-0# show cluster This command shows the switch clustering configuration. Command Mode Privileged Exec Example Console#show cluster Role: commander Interval heartbeat: Heartbeat loss count: 3 Number of Members:...
Page 482: Show Cluster Candidates
Command Line Interface show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example Console#show cluster candidates Cluster Candidates: Role Description --------------- ---------------------------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 TL-SG5426 CANDIDATE 00-12-cf-0b-47-a0 TL-SG5426 Console# 4-242...
Page 483: Appendix A: Software Specifications
Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists 128 ACLS (96 MAC rules, 96 IP rules) DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/ZX - 1000 Mbps at full duplex (SFP) Flow Control Full Duplex: IEEE 802.3-2002...
Page 484: Management Features
Software Specifications Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts DHCP Snooping IP Source Guard Switch Clustering Management Features In-Band Management...
Page 485: Management Information Bases
Management Information Bases RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 2571) SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415) SNTP (RFC 2030) SSH (Version 2.0) TFTP (RFC 1350) Management Information Bases Bridge MIB (RFC 1493) Differentiated Services MIB (RFC 3289) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674)
Page 486 Software Specifications...
Page 487: Appendix B: Troubleshooting
Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, • Be sure the switch is powered up. web browser, or SNMP • Check network cabling between the management station and the switch. software •...
Page 488: Using System Logs
Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
Page 489: Glossary
Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) used to provide bootup information for network devices, including IP BOOTP is address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
Page 490 Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so...
Page 491 Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
Page 492 Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Page 493 Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
Page 494 Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
Page 495 IP Interface Commands ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. •...
Page 496: Index
Index Numerics 802.1Q tunnel 3-133, 4-176 default gateway, configuration 3-14, description 3-133 4-224 interface configuration 3-138, default priority, ingress port 3-144, 4-177–4-178 4-185 mode selection 3-138 default settings, system 1-6 TPID 3-137, 4-178 DHCP 3-16, 4-223 802.1X, port authentication 3-60, 3-67 client 3-14 dynamic configuration 2-5 DHCP snooping...
Page 497 Index firmware LACP displaying version 3-11, 4-62 local parameters 4-136 upgrading 3-18, 4-64 partner parameters 4-136 protocol message statistics 4-136 link type, STA 3-113, 3-115, 3-117, 3-119, 3-122, 4-157 GARP VLAN Registration Protocol See logging GVRP syslog traps 4-46 gateway, default 3-14, 4-224 to syslog servers 4-45 GVRP log-in, Web interface 3-2...
Page 498 Index password, line 4-12, 4-13 secure shell 3-54, 4-33 passwords 2-4 configuration 3-54, 4-36, 4-37 administrator setting 3-46, 4-25 serial port path cost 3-105, 3-112 configuring 4-10 method 3-109, 4-149 show dot1q-tunnel 4-178 STA 3-105, 3-112, 4-149 Simple Network Management Protocol port authentication 3-60, 3-67 See SNMP port priority...
Page 499 Index switchport mode dot1q-tunnel 4-177 system clock, setting 3-31, 4-53 VLANs 3-122–3-142, ??–3-144, 4-163 system logs 3-25 802.1Q tunnel mode 3-138 system mode, normal or QinQ 3-137, adding static members 3-129, 4-176 3-131, 4-173 system software, downloading from creating 3-128, 4-168 server 3-18 description 3-122, 3-144 displaying basic information 3-126,...

TP-Link TL-SG5426 Installation Manual

Chapter 1: Introduction

Chapter 2: Initial Configuration

Chapter 3: Configuring the Switch

Quick Links

Related Manuals for TP-Link TL-SG5426

Summary of Contents for TP-Link TL-SG5426