TP-Link TL-SL5428 User Manual

24-port 10/100 + 4-port gigabit managed switch
TL-SL5428
24-Port 10/100 + 4-Port Gigabit Managed Switch
Rev: 1.0.0
1910010123


Summary of Contents for TP-Link TL-SL5428

  • Page 2 Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD.
  • Page 3: Fcc Statement

    FCC STATEMENT This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
  • Page 4: Table Of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 5 Contents Saving or Restoring Configuration Settings 3-21 Downloading Configuration Settings from a Server 3-22 Console Port Settings 3-23 Telnet Settings 3-25 Configuring Event Logging 3-28 Displaying Log Messages 3-28 System Log Configuration 3-28 Remote Log Configuration 3-30 Simple Mail Transfer Protocol 3-31 Resetting the System 3-33...
  • Page 6 Contents Configuring the SSH Server 3-75 Generating the Host Key Pair 3-76 Importing User Public Keys 3-77 Configuring Port Security 3-81 Configuring 802.1X Port Authentication 3-82 Displaying 802.1X Global Settings 3-84 Configuring 802.1X Global Settings 3-84 Configuring Port Settings for 802.1X 3-85 Displaying 802.1X Statistics 3-88...
  • Page 7 Contents Setting Static Addresses 3-134 Displaying the Address Table 3-135 Changing the Aging Time 3-137 Spanning Tree Algorithm Configuration 3-137 Configuring Port and Trunk Loopback Detection 3-139 Displaying Global Settings 3-141 Configuring Global Settings 3-143 Displaying Interface Settings 3-147 Configuring Interface Settings 3-149 Configuring Multiple Spanning Trees 3-151...
  • Page 8 Contents Enabling CoS 3-197 Selecting the Queue Mode 3-198 Setting the Service Weight for Traffic Classes 3-198 Layer 3/4 Priority Settings 3-199 Mapping Layer 3/4 Priorities to CoS Values 3-199 Enabling IP DSCP Priority 3-200 Mapping DSCP Priority 3-201 Quality of Service 3-202 Configuring Quality of Service Parameters 3-203...
  • Page 9 Contents Cluster Configuration 3-244 Cluster Member Configuration 3-245 Cluster Member Information 3-246 Cluster Candidate Information 3-247 UPnP 3-248 UPnP Configuration 3-248 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion...
  • Page 10 Contents show history 4-23 reload 4-24 reload cancel 4-24 show reload 4-25 4-25 exit 4-26 quit 4-26 System Management Commands 4-27 Device Designation Commands 4-27 prompt 4-27 hostname 4-28 Banner 4-28 banner configure 4-29 banner configure company 4-30 banner configure dc-power-info 4-31 banner configure department 4-31...
  • Page 11 Contents ip ssh crypto zeroize 4-51 ip ssh save host-key 4-52 show ip ssh 4-52 show ssh 4-53 show public-key 4-54 Event Logging Commands 4-55 logging on 4-55 logging history 4-56 logging host 4-57 logging facility 4-57 logging trap 4-58 clear logging 4-58 show logging...
  • Page 12 Contents Frame Size Commands 4-84 jumbo frame 4-84 Flash/File Commands 4-85 copy 4-85 delete 4-88 4-89 whichboot 4-90 boot system 4-90 Authentication Commands 4-91 Authentication Sequence 4-91 authentication login 4-92 authentication enable 4-93 RADIUS Client 4-94 radius-server host 4-95 radius-server acct-port 4-95 radius-server auth-port 4-96...
  • Page 13 Contents dot1x max-req 4-114 dot1x port-control 4-114 dot1x operation-mode 4-115 dot1x re-authenticate 4-115 dot1x re-authentication 4-116 dot1x timeout quiet-period 4-116 dot1x timeout re-authperiod 4-117 dot1x timeout tx-period 4-117 dot1x intrusion-action 4-118 show dot1x 4-118 Network Access – MAC Address Authentication 4-121 network-access mode 4-121...
  • Page 14 Contents show ip access-list 4-143 ip access-group 4-143 show ip access-group 4-144 MAC ACLs 4-144 access-list mac 4-145 permit, deny (MAC ACL) 4-146 show mac access-list 4-147 mac access-group 4-148 show mac access-group 4-148 ACL Information 4-149 show access-list 4-149 show access-group 4-149 SNMP Commands...
  • Page 15 Contents rate-limit 4-179 Link Aggregation Commands 4-180 channel-group 4-181 lacp 4-182 lacp system-priority 4-183 lacp admin-key (Ethernet Interface) 4-184 lacp admin-key (Port Channel) 4-185 lacp port-priority 4-186 show lacp 4-186 Address Table Commands 4-190 mac-address-table static 4-190 clear mac-address-table dynamic 4-191 show mac-address-table 4-191...
  • Page 16 Contents show lldp info local-device 4-212 show lldp info remote-device 4-213 show lldp info statistics 4-213 UPnP Commands 4-215 upnp device 4-215 upnp device ttl 4-216 upnp device advertise duration 4-216 show upnp 4-217 Spanning Tree Commands 4-217 spanning-tree 4-218 spanning-tree mode 4-219 spanning-tree forward-time...
  • Page 17 Contents Editing VLAN Groups 4-242 vlan database 4-242 vlan 4-243 Configuring VLAN Interfaces 4-244 interface vlan 4-244 switchport mode 4-245 switchport acceptable-frame-types 4-246 switchport ingress-filtering 4-246 switchport native vlan 4-247 switchport allowed vlan 4-248 switchport forbidden vlan 4-249 Displaying VLAN Information 4-250 show vlan 4-250...
  • Page 18 Contents class-map 4-273 match 4-274 policy-map 4-275 class 4-276 4-277 police 4-277 service-policy 4-278 show class-map 4-279 show policy-map 4-279 show policy-map interface 4-280 Voice VLAN Commands 4-280 voice vlan 4-281 voice vlan aging 4-282 voice vlan mac-address 4-282 switchport voice vlan 4-283 switchport voice vlan rule 4-284...
  • Page 19 Contents show ip igmp filter 4-302 show ip igmp profile 4-302 show ip igmp throttle interface 4-303 Multicast VLAN Registration Commands 4-304 mvr (Global Configuration) 4-304 mvr (Interface Configuration) 4-305 show mvr 4-307 IP Interface Commands 4-309 ip address 4-309 ip default-gateway 4-310 ip dhcp restart...
  • Page 20 Contents Appendix B: Troubleshooting Problems Accessing the Management Interface Using System Logs Glossary Index xvii...
  • Page 22 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-29 Table 3-5 Supported Notification Messages 3-48 Table 3-6 HTTPS System Support 3-70 Table 3-7 802.1X Statistics 3-88 Table 3-8 LACP Port Counters 3-121 Table 3-9...
  • Page 23 Tables Table 4-28 File Directory Information 4-89 Table 4-29 Authentication Commands 4-91 Table 4-30 Authentication Sequence 4-91 Table 4-31 RADIUS Client Commands 4-94 Table 4-32 TACACS Commands 4-98 Table 4-34 Port Security Commands 4-111 Table 4-35 802.1X Port Authentication 4-112 Table 4-36 Network Access 4-121...
  • Page 24 Tables Table 4-74 Multicast Filtering Commands 4-287 Table 4-75 IGMP Snooping Commands 4-287 Table 4-76 IGMP Query Commands (Layer 2) 4-292 Table 4-77 Static Multicast Routing Commands 4-295 Table 4-78 IGMP Filtering and Throttling Commands 4-297 Table 4-79 Multicast VLAN Registration Commands 4-304 Table 4-80 show mvr - display description...
  • Page 26 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-12 Figure 3-4 Switch Information 3-14 Figure 3-5 Bridge Extension Configuration 3-15 Figure 3-6 Manual IP Configuration 3-17 Figure 3-7 DHCP IP Configuration 3-18 Figure 3-8 Jumbo Frames Configuration 3-19 Figure 3-9 Copy Firmware...
  • Page 27 Figures Figure 3-43 AAA Accounting Summary 3-67 Figure 3-44 AAA Authorization Settings 3-68 Figure 3-45 AAA Authorization Exec Settings 3-69 Figure 3-46 AAA Authorization Summary 3-70 Figure 3-47 HTTPS Settings 3-71 Figure 3-48 HTTPS Settings 3-72 Figure 3-49 SSH Server Settings 3-75 Figure 3-50 SSH Host-Key Settings...
  • Page 28 Figures Figure 3-88 Displaying Spanning Tree Information 3-142 Figure 3-89 Configuring Spanning Tree 3-146 Figure 3-90 Displaying Spanning Tree Port Information 3-149 Figure 3-91 Configuring Spanning Tree per Port 3-151 Figure 3-92 Configuring Multiple Spanning Trees 3-153 Figure 3-93 Displaying MSTP Interface Settings 3-155 Figure 3-94 Displaying MSTP Interface Settings...
  • Page 29 Figures Figure 3-133 Displaying Multicast Router Port Information 3-220 Figure 3-134 Static Multicast Router Port Configuration 3-221 Figure 3-135 IP Multicast Registration Table 3-222 Figure 3-136 IGMP Member Port Table 3-223 Figure 3-137 Enabling IGMP Filtering and Throttling 3-224 Figure 3-138 IGMP Profile Configuration 3-226 Figure 3-139 IGMP Filter and Throttling Port Configuration 3-227...
  • Page 30: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 31: Description Of Software Features

    Introduction Table 1-1 Key Features Feature Description Switch Clustering Supports up to 36 Member switches in a cluster Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation.
  • Page 32 Description of Software Features Rate Limiting – This feature controls the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 33 Introduction seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
  • Page 34 Description of Software Features Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.
  • Page 35: System Defaults

    Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-21). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
  • Page 36 System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Rate Limiting Input limits Disabled Port Trunking Static Trunks None LACP (all ports) Disabled Broadcast Storm Status Enabled (all ports) Protection Broadcast Limit Rate 64 kbits per second...
  • Page 37 Introduction Table 1-2 System Defaults (Continued) Function Parameter Default System Log Status Enabled Messages Logged Levels 0-6 (all) Messages Logged to Flash Levels 0-3 SMTP Email Alerts Event Handler Enabled (but no server defined) SNTP Clock Synchronization Disabled Clock Synchronization Disabled DHCP Snooping Status...
  • Page 38: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 39: Required Connections

    Initial Configuration • Configure up to 8 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 40: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 41: Setting Passwords

    Initial Configuration Setting Passwords Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
  • Page 42: Dynamic Configuration

    Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
  • Page 43: Enabling Snmp Management Access

    Initial Configuration Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end...
  • Page 44: Trap Receivers

    Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 45: Configuring Access For Snmp Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 46: Managing System Files

    Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: •...
  • Page 48: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).
  • Page 49: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
  • Page 50: Configuration Options

    Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 51: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 52: Table 3-2 Main Menu

    Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-44 Users Configures SNMP v3 users on this switch 3-44 Remote Users Configures SNMP v3 users from a remote device 3-46 Groups Configures SNMP v3 groups...
  • Page 53 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Information Displays global configuration settings for 802.1X Port 3-83 authentication Configuration Configures the global configuration settings 3-83 Port Configuration Sets parameters for individual ports 3-84 Statistics Displays protocol statistics for the selected port 3-87 Web Authentication 3-88...
  • Page 54 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Port Neighbors Information Displays settings and operational state for the remote side 3-124 Port Broadcast Control Sets the broadcast storm threshold for each port 3-125 Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-125 Mirror Port Configuration Sets the source and target ports for mirroring...
  • Page 55 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page GVRP Status Enables GVRP on the switch 3-160 802.1Q Tunnel Enables 802.1Q (QinQ) Tunneling 3-172 Configuration Basic Information Displays information on the VLAN type supported by this switch 3-161 Current Table Shows the current port members of each VLAN and whether or 3-161...
  • Page 56 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Remote Port Information Displays LLDP information about a remote device connected to 3-189 a port on this switch Remote Trunk Information Displays LLDP information about a remote device connected to 3-189 a trunk on this switch Remote Information Details...
  • Page 57 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Static Multicast Router Port Assigns ports that are attached to a neighboring multicast router 3-219 Configuration IP Multicast Registration Displays all multicast groups active on this switch, including 3-220 Table multicast IP addresses and VLAN ID IGMP Member Port Table...
  • Page 58 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Member Configuration Adds switch Members to the cluster 3-244 Member Information Displays cluster Member switch information 3-245 Candidate Information Displays network Candidate switch information 3-246 UPNP 3-247 Configuration Enables UPNP and defines timeout values 3-247 3-11...
  • Page 59: Basic Configuration

    Configuring the Switch Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. •...
  • Page 60: Displaying Switch Hardware/Software Versions

    Basic Configuration CLI – Specify the hostname, location and contact information. Console(config)#hostname R&D 5 4-27 Console(config)#snmp-server location WC 9 4-152 Console(config)#snmp-server contact Ted 4-152 Console(config)#exit Console#show system 4-81 System description : TL-SL5428 System OID string : 1.3.6.1.4.1.11863.1.1.59 System information System Up time : 0 days, 0 hours, 14 minutes, and 32.93 seconds System Name : R&D 5...
  • Page 61: Figure 3-4 Switch Information

    Configuring the Switch Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version information. Console#show version 4-82 Unit 1 Serial number: A733006612 Hardware version: Chip Device ID: Marvell 98DX107-A2, 88E6095[F] EPLD Version: 0.07 Number of ports: Main power status:...
  • Page 62: Displaying Bridge Extension Capabilities

    Basic Configuration Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 63: Setting The Switch's Ip Address

    Configuring the Switch CLI – Enter the following command. Console#show bridge-ext 4-239 Max support VLAN numbers: Max support VLAN ID: 4092 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled...
  • Page 64: Manual Configuration

    Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 65: Using Dhcp/Bootp

    Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 66: Enabling Jumbo Frames

    Basic Configuration Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
  • Page 67: Downloading System Software From A Server

    Configuring the Switch • File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored...
  • Page 68: Saving Or Restoring Configuration Settings

    Basic Configuration To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files CLI –
  • Page 69: Downloading Configuration Settings From A Server

    Configuring the Switch - startup-config to tftp – Copies the startup configuration to a TFTP server. - tftp to file – Copies a file from a TFTP server to the switch. - tftp to running-config – Copies a file from a TFTP server to the running config. - tftp to startup-config –...
  • Page 70: Console Port Settings

    Basic Configuration Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page. Figure 3-13 Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
  • Page 71: Figure 3-14 Console Port Settings

    Configuring the Switch system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded.
  • Page 72: Telnet Settings

    Basic Configuration CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-12 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret 4-13...
  • Page 73: Figure 3-15 Enabling Telnet

    Configuring the Switch • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
  • Page 74 Basic Configuration CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level. Console(config)#line vty 4-12 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret 4-13...
  • Page 75: Configuring Event Logging

    Configuring the Switch Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages.
  • Page 76: Table 3-3 Logging Levels

    Basic Configuration The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RAM. Command Attributes •...
  • Page 77: Remote Log Configuration

    Configuring the Switch CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings. Console(config)#logging on 4-54 Console(config)#logging history ram 0 4-55 Console(config)#end Console#show logging flash...
  • Page 78: Simple Mail Transfer Protocol

    Basic Configuration Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-18 Remote Logs CLI –...
  • Page 79: Figure 3-19 Enabling And Configuring Smtp

    Configuring the Switch • Debugging – Sends a debugging notification. (Level 7) • Information – Sends informative notification only. (Level 6) • Notice – Sends notification of a normal but significant condition, such as a cold start. (Level 5) • Warning – Sends notification of a warning condition such as return false, or unexpected return.
  • Page 80: Resetting The System

    Basic Configuration CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging sendmail host 192.168.1.19 Console(config)#logging sendmail level 3 Console(config)#logging sendmail source-email bill@this-company.com...
  • Page 81: Setting The System Clock

    Configuring the Switch CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch. Console#reload 4-23 System will be restarted, continue <y/n>? y Note: When restarting the system, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory (See “Saving or Restoring Configuration Settings”...
  • Page 82: Configuring Ntp

    Basic Configuration Web – Select SNTP, Configuration. Modify any of the required SNTP parameters, and click Apply. Figure 3-21 SNTP Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-65 Console(config)#sntp poll 60...
  • Page 83: Figure 3-22 Ntp Client Configuration

    Configuring the Switch • Version – Specifies the NTP version supported by the server. (Range: 1-3; Default: 3) • Authenticate Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. The authentication key must match the key configured on the NTP server.
  • Page 84: Setting The Time Zone

    Basic Configuration CLI – This example configures the switch to operate as an NTP client and then displays the current settings. Console(config)#ntp authentication-key 19 md5 thisiskey19 4-70 Console(config)#ntp authentication-key 30 md5 ntpkey30 Console(config)#ntp server 192.168.3.20 4-68 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)#ntp poll 60 4-69...
  • Page 85: Simple Network Management Protocol

    Configuring the Switch Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC using either a predefined or custom definition, and click Apply. Figure 3-23 Setting the System Clock CLI - This example shows how to set the time zone for the system clock using one of the predefined time zone configurations.
  • Page 86 Simple Network Management Protocol Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels.
  • Page 87: Setting Community Access Strings

    Configuring the Switch Setting Community Access Strings You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings. Command Attributes •...
  • Page 88: Figure 3-25 Configuring Ip Trap Managers

    Simple Network Management Protocol Command Attributes • Trap Manager Capability – This switch supports up to five trap managers. • Current – Displays a list of the trap managers currently configured. • Trap Manager IP Address – IP address of the host (the targeted recipient). •...
  • Page 89: Enabling Snmp Agent Status

    Enabling SNMP Agent Status Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes • SNMP Agent Status – Check the box to enable or disable the SNMP Agent. Web – Click SNMP, Agent Status. Figure 3-26 Enabling SNMP Agent Status Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps:...
  • Page 90: Figure 3-27 Setting An Engine Id

    A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters is specified, a trailing zero is added to the value to fill in the last octet. For example, the value “123456789”...
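The padding rule above matters when a provisioning script compares the engine ID it configured with the one an agent reports, because the two strings can differ by a trailing zero and by letter case and still name the same engine. The following is an added example, not code from this manual or from TP-Link; it models only the rule stated on this page (9 to 64 hex characters, odd length padded with a trailing zero), and every function name is this example's own.

```python
"""Normalize and validate an SNMPv3 engine ID given as hexadecimal characters.

Added example (not code from the TL-SL5428 manual or from TP-Link): it models
the rule stated on this page, that an engine ID is entered as 9 to 64 hex
characters (5 to 32 octets) and that an odd number of characters gets a
trailing zero to fill the last octet.  All function names are this example's own.
"""
import re

MIN_HEX_CHARS = 9
MAX_HEX_CHARS = 64
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def normalize_engine_id(value: str) -> bytes:
    """Return the engine ID as raw octets after applying the padding rule.

    Raises ValueError for non-hex input or an out-of-range length so that a
    provisioning script can reject a bad ID before it is pushed to the switch.
    """
    if not HEX_RE.fullmatch(value):
        raise ValueError(f"engine ID must be hexadecimal characters: {value!r}")
    if not MIN_HEX_CHARS <= len(value) <= MAX_HEX_CHARS:
        raise ValueError(
            f"engine ID must be {MIN_HEX_CHARS}-{MAX_HEX_CHARS} hex characters, "
            f"got {len(value)}"
        )
    if len(value) % 2 == 1:
        # The manual's rule: a trailing zero completes the last octet,
        # so "123456789" is stored as the five octets 12 34 56 78 90.
        value += "0"
    return bytes.fromhex(value)


def engine_id_hex(value: str) -> str:
    """Canonical lowercase hex form of the engine ID after padding."""
    return normalize_engine_id(value).hex()


def is_valid_engine_id(value: str) -> bool:
    """True when the value is accepted by normalize_engine_id."""
    try:
        normalize_engine_id(value)
    except ValueError:
        return False
    return True


def same_engine_id(a: str, b: str) -> bool:
    """Compare two engine IDs as the switch would store them.

    Useful when checking that the remote engine ID configured for SNMPv3
    informs is the one the remote agent actually reports: "123456789" and
    "1234567890" are the same ID, and letter case does not matter.
    """
    return normalize_engine_id(a) == normalize_engine_id(b)


if __name__ == "__main__":
    for candidate in ("123456789", "1234567890", "12345678", "abcdef0123XYZ"):
        verdict = engine_id_hex(candidate) if is_valid_engine_id(candidate) else "rejected"
        print(candidate, "->", verdict)
```

Because the authentication and privacy keys of an SNMPv3 user are localized with the engine ID, a mismatch between the ID you configured for a remote user and the agent's real ID shows up as authentication failures rather than as an obvious configuration error; comparing normalized values catches that before the inform is ever sent.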
  • Page 91: Specifying A Remote Engine Id

    Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 92: Figure 3-29 Configuring Snmpv3 Users

    • Authentication Password – A minimum of eight plain text characters is required. • Privacy – The encryption algorithm used for data privacy; only 56-bit DES is currently available. • Actions – Enables the user to be assigned to another SNMPv3 group. Web –...
  • Page 93: Configuring Remote Snmpv3 Users

    Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 94: Configuring Snmpv3 Groups

    Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 95 Table 3-5 Supported Notification Messages (Continued): Object Label: linkDown; Object ID: 1.3.6.1.6.3.1.1.5.3; Description: A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 96: Setting Snmpv3 Views

    Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
  • Page 97: User Authentication

    • Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view. Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view.
  • Page 98: Configuring User Accounts

    User Authentication management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: • User Accounts – Manually configures management access rights for users. • Authentication Settings – Uses remote authentication to configure access rights. •...
  • Page 99: Figure 3-33 Access Levels

    Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 100: Configuring Local/Remote Logon Authentication

    Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 101 Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
  • Page 102: Figure 3-34 Authentication Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-34 Authentication Settings
  • Page 103 CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius 4-91 Console(config)#radius-server auth-port 181 4-95 Console(config)#radius-server key green 4-95 Console(config)#radius-server retransmit 5 4-96 Console(config)#radius-server timeout 10 4-96 Console(config)#radius-server 1 host 192.168.1.25 4-94 Console(config)#end Console#show radius-server 4-96 Global Settings:...
  • Page 104: Configuring Encryption Keys

    Configuring Encryption Keys The Encryption Key feature provides a central location for the management of all RADIUS and TACACS+ server encryption keys. Command Attributes • RADIUS Settings - Global – Provides globally applicable RADIUS encryption key settings. - ServerIndex – Specifies one of five RADIUS servers for which an encryption key may be configured.
  • Page 105: Aaa Authorization And Accounting

    AAA Authorization and Accounting The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network. •...
  • Page 106: Configuring Aaa Radius Group Settings

    AAA Authorization and Accounting Configuring AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the RADIUS server group. (1-255 characters) •...
  • Page 107: Configuring Aaa Accounting

    Web – Click Security, AAA, TACACS+ Group Settings. Enter the TACACS+ group name, followed by the number of the server, then click Add. Figure 3-37 AAA TACACS+ Group Settings CLI – Specify the group name for a list of TACACS+ servers, and then specify the index number of a TACACS+ server to add it to the group.
  • Page 108: Figure 3-38 Aaa Accounting Settings

    Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add. Figure 3-38 AAA Accounting Settings CLI – Specify the accounting method required, followed by the chosen parameters. Console(config)#aaa accounting dot1x tps start-stop group radius 4-102 Console(config)#...
  • Page 109: Aaa Accounting Update

    AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled) Web –...
  • Page 110: Aaa Accounting Exec Command Privileges

    Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply. Figure 3-40 AAA Accounting 802.1X Port Settings CLI – Specify the accounting method to apply to the selected interface. Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps-method 4-106...
  • Page 111: Figure 3-41 Aaa Accounting Exec Command Privileges

    Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply. Figure 3-41 AAA Accounting Exec Command Privileges CLI – Specify the accounting method to use for console and Telnet privilege levels. Console(config)#line console 4-12 Console(config-line)#accounting commands 15 tps-method...
  • Page 112: Aaa Accounting Exec Settings

    AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 113: Figure 3-43 Aaa Accounting Summary

    Web – Click Security, AAA, Summary. Figure 3-43 AAA Accounting Summary CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-109 Accounting Type : dot1x Method List : default Group List : radius Interface...
  • Page 114: Authorization Settings

    Console#show accounting statistics Total entries: 3 Acconting type : dot1x Username : testpc Interface : eth 1/1 Time elapsed since connected: 00:24:44 Acconting type : exec Username : admin Interface : vty 0 Time elapsed since connected: 00:25:09 Console# Authorization Settings AAA authorization is a feature that verifies a user has access to specific services.
  • Page 115: Authorization Exec Settings

    Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 116: Configuring Https

    Web – Click Security, AAA, Authorization, Summary. Figure 3-46 AAA Authorization Summary Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
  • Page 117: Replacing The Default Secure-Site Certificate

    • Change HTTPS Port Number – Specifies the UDP port number used for HTTPS connection to the switch’s web interface. (Default: Port 443) Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-47 HTTPS Settings CLI –...
  • Page 118: Configuring The Secure Shell

    • Source Certificate File Name – Specifies the name of the certificate file as stored on the TFTP server. • Source Private File Name – Specifies the name of the private key file as stored on the TFTP server. •...
  • Page 119 SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered. Note: You need to install an SSH client on the management station to access the switch for management via the SSH protocol. Note: The switch supports both SSH Version 1.5 and 2.0 clients.
  • Page 120 Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
  • Page 121: Configuring The Ssh Server

    Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
  • Page 122: Generating The Host Key Pair

    CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server 4-47 Console(config)#ip ssh timeout 100 4-48 Console(config)#ip ssh authentication-retries 5 4-48...
  • Page 123: Figure 3-50 Ssh Host-Key Settings

    Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-50 SSH Host-Key Settings CLI –...
  • Page 124: Importing User Public Keys

    Importing User Public Keys A user’s Public Key must be uploaded to the switch in order for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
  • Page 125: Figure 3-51 Ssh User Public-Key Settings

    Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key. Figure 3-51 SSH User Public-Key Settings
  • Page 126 CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. Console#copy tftp public-key 4-84 TFTP server IP address: 192.168.1.254 Choose public key type: 1. RSA: 2.
  • Page 127: Configuring Port Security

    Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 128: Configuring 802.1X Port Authentication

    Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-52 Configuring Port Security CLI –...
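To see how the three settings just described (status, maximum address count, and the action on an invalid address) interact, the following added example replays a sequence of source addresses through a modelled port. It is not code from this manual or from TP-Link: it follows only the behaviour the page states (authorized addresses, learning until the maximum is reached, an action when an invalid address is detected). The assumption that frames from an invalid address are dropped, and the action names "none", "trap" and "shutdown", are the example's own.

```python
"""Model of the per-port MAC address limit described under Port Security.

Added example, not TP-Link code.  It follows the page's description: a port may
be given one or more authorized MAC addresses, learning continues until the
configured maximum is reached, and an address seen after that is an "invalid
address" that triggers the configured action.  Two details are this example's
assumptions: frames from an invalid address are dropped, and the action names
"none", "trap" and "shutdown" are the example's own, not the switch's menu labels.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    name: str
    max_mac_count: int
    action: str = "trap"                                # "none", "trap" or "shutdown"
    enabled: bool = True
    secure_macs: Set[str] = field(default_factory=set)  # static + learned addresses
    is_shutdown: bool = False
    traps: List[str] = field(default_factory=list)      # notifications a manager would see

    def authorize(self, mac: str) -> None:
        """Pre-load a statically authorized address (counts toward the maximum)."""
        if len(self.secure_macs) >= self.max_mac_count:
            raise ValueError(f"{self.name}: maximum of {self.max_mac_count} addresses reached")
        self.secure_macs.add(mac.upper())

    def frame_from(self, mac: str) -> str:
        """Handle a frame with source address mac; returns "forward" or "drop"."""
        mac = mac.upper()
        if self.is_shutdown:
            return "drop"
        if not self.enabled or mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_mac_count:
            self.secure_macs.add(mac)      # still learning: the address becomes secure
            return "forward"
        # Invalid address: the port has stopped learning, so apply the action.
        if self.action in ("trap", "shutdown"):
            self.traps.append(f"{self.name}: unauthorized source {mac}")
        if self.action == "shutdown":
            self.is_shutdown = True
        return "drop"


def replay(port: SecurePort, sources: List[str]) -> List[str]:
    """Feed a sequence of source addresses through the port; return the verdicts."""
    return [port.frame_from(m) for m in sources]


if __name__ == "__main__":
    # Constructed addresses: one static entry, then two dynamic learners on a 2-address port.
    port = SecurePort("eth 1/3", max_mac_count=2, action="shutdown")
    port.authorize("00-11-22-33-44-01")
    print(replay(port, ["00-11-22-33-44-02", "00-11-22-33-44-03", "00-11-22-33-44-01"]))
    print(port.traps, port.is_shutdown)
```

The replay makes the operational trade-off visible: with "shutdown" a single stray address (a user's second device, for instance) takes the whole port down, including the legitimate addresses already learned, whereas "trap" keeps the port up and only reports the violation, so the choice depends on how the port is used and who watches the traps.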
  • Page 129 This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access... [Figure: 802.1x exchange between client, switch and RADIUS server] 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3.
  • Page 130: Displaying 802.1X Global Settings

    Displaying 802.1X Global Settings The 802.1X protocol provides client authentication. Command Attributes • 802.1X System Authentication Control – The global setting for 802.1X. Web – Click Security, 802.1X, Information. Figure 3-53 802.1X Global Information CLI – This example shows the default global setting for 802.1X. Console#show dot1x 4-117 Global 802.1X Parameters...
  • Page 131: Configuring Port Settings For 802.1X

    Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply. Figure 3-54 802.1X Global Configuration CLI – This example enables 802.1X globally for the switch. Console(config)#dot1x system-auth-control 4-112 Console(config)# Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the...
  • Page 132: Figure 3-55 802.1X Port Configuration

    • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds) • Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet.
  • Page 133 CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-117. Console(config)#interface ethernet 1/2 4-166 Console(config-if)#dot1x port-control auto 4-113 Console(config-if)#dot1x re-authentication 4-115 Console(config-if)#dot1x max-req 5 4-113...
  • Page 134: Displaying 802.1X Statistics

    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics (Parameter: Description). Rx EAPOL Start: The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff: The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 135: Web Authentication

    Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-56 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-117 Eth 1/4...
  • Page 136: Configuring Web Authentication

    Notes: 1. MAC authentication, web authentication, 802.1X, and port security cannot be configured together on the same port. Only one security mechanism can be applied. 2. RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication”...
  • Page 137: Configuring Web Authentication For Ports

    CLI – This example globally enables the system authentication control, configures the session timeout, quiet period and login attempts, and displays the configured global parameters. Console(config)#mac-authentication reauth-time 3000 4-126 Console(config)#web-auth system-auth-control 4-133 Console(config)#web-auth session-timeout 1800 4-132 Console(config)#web-auth quiet-period 20 4-132 Console(config)#web-auth login-attempts 2 4-130...
  • Page 138: Displaying Web Authentication Port Information

    CLI – This example enables web authentication for ethernet port 1/5 and displays a summary of web authentication parameters. Console(config)#interface ethernet 1/5 4-166 Console(config-if)#web-auth 4-133 Console(config-if)#end Console#show web-auth summary 4-136 Global Web-Auth Parameters System Auth Control : Enabled Port Status...
  • Page 139: Re-Authenticating Web Authenticated Ports

    Web – Click Security, Web Authentication, Port Information. Figure 3-59 Web Authentication Port Information CLI – This example displays web authentication parameters for port 1/5. Console#show web-auth interface ethernet 1/5 4-134 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ----------------------...
  • Page 140: Network Access - Mac Address Authentication

    CLI – This example forces the re-authentication of all hosts connected to port 1/5. Console#web-auth re-authenticate interface ethernet 1/5 4-135 Failed to reauth . Console# Network Access – MAC Address Authentication Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 141: Configuring The Mac Authentication Reauthentication Time

    Configuring the MAC Authentication Reauthentication Time MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Command Attributes • Authenticated Age – The secure MAC address table aging time. This parameter setting is the same as the switch MAC address table aging time and is only configurable from the Address Table, Aging Time web page (see page 3-136).
  • Page 142: Figure 3-62 Network Access Port Configuration

    • Maximum MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port. The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024.
  • Page 143: Configuring Port Link Detection

    CLI – This example configures MAC authentication for port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access mode mac-authentication 4-120 Console(config-if)#network-access max-mac-count 10 4-121 Console(config-if)#mac-authentication max-mac-count 24 4-122 Console(config-if)#network-access dynamic-vlan 4-123 Console(config-if)#network-access dynamic-qos 4-123 Console(config-if)#network-access guest-vlan 4-124 Console(config-if)#network-access link-detection 4-124 Console(config-if)#network-access link-detection link-up action trap 4-125 Console(config-if)#end Console#show network-access interface ethernet 1/1...
  • Page 144: Displaying Secure Mac Address Information

    Web – Click Security, Network Access, Port Link Detection Configuration. Modify the Status, Condition and Action. Click Apply. Figure 3-63 Network Access Port Link Detection Configuration CLI – This example configures Port Link Detection to send an SNMP trap for all link events on port 1.
  • Page 145: Mac Authentication

    • Attribute – Indicates a static or dynamic address. • Remove – Click the Remove button to remove selected MAC addresses from the secure MAC address table. Web – Click Security, Network Access, MAC Address Information. Restrict the displayed addresses by port, MAC Address, or attribute, then select the method of sorting the displayed addresses.
  • Page 146: Figure 3-65 Mac Authentication Port Configuration

    • Status – Indicates whether MAC Authentication is enabled or disabled for the port. See “Configuring MAC Authentication for Ports” on page 3-94. The following parameters are unavailable for modification if MAC Authentication is not enabled for the port.
  • Page 147: Access Control Lists

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 148: Configuring A Standard Ip Acl

    Access Control Lists MAC address and the Ethernet frame type (RFC 1060). Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list.
  • Page 149: Configuring An Extended Ip Acl

    Figure 3-67 Configuring Standard IP ACLs CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Console(config-std-acl)#permit host 10.1.1.21 4-140 Console(config-std-acl)#permit 168.92.16.0 255.255.240.0 Console(config-std-acl)# Configuring an Extended IP ACL Command Attributes...
  • Page 150 • Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) • Control Code Bit Mask – Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code.
  • Page 151: Figure 3-68 Configuring Extended Ip Acls

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 152: Configuring A Mac Acl

    Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 153: Binding A Port To An Access Control List

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
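The standard IP, extended IP and MAC ACL pages above all rely on the same idea of a base value matched under a bitmask, plus the TCP control-code mask for extended rules. The following added example (not the switch's own code and not from TP-Link) evaluates all three rule types against constructed packets, reproducing the manual's own standard-ACL example (`permit host 10.1.1.21` and `permit 168.92.16.0 255.255.240.0`) and showing why that mask yields the range 168.92.16.x to 168.92.31.x. Two points are this example's assumptions rather than statements from the manual: a packet that matches no rule is treated as denied, and bitmask semantics are "bits set in the mask must match, bits clear are ignored". The sample rules and addresses other than the manual's are constructed.

```python
"""First-match evaluation of the ACL rule types described on these pages.

Added example, not the switch's own code or anything from TP-Link.  It models
three matching rules from the manual: a standard IP rule matches the source
address under a subnet-style bitmask, an extended IP rule can additionally
match the TCP control-code bits (0-63) under a control-code bitmask, and a
MAC rule matches under a hexadecimal bitmask.  Rules are tried in order and
the first match decides.  Assumptions of this example: no match means deny,
and a mask bit of 1 means "must match", 0 means "ignore".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# TCP flag bits in the low six bits of the flags byte (the manual's 0-63 range).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def ip_matches(addr: str, base: str, bitmask: str) -> bool:
    """True when addr agrees with base on every bit that is set in bitmask."""
    a, b, m = (int(IPv4Address(x)) for x in (addr, base, bitmask))
    return (a & m) == (b & m)


def ip_range(base: str, bitmask: str) -> Tuple[str, str]:
    """First and last address a base/bitmask pair covers (handy when reviewing a rule)."""
    b, m = int(IPv4Address(base)), int(IPv4Address(bitmask))
    first = b & m
    last = first | (~m & 0xFFFFFFFF)
    return str(IPv4Address(first)), str(IPv4Address(last))


def _mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(addr: str, base: str, bitmask: str) -> bool:
    """Same bitmask rule for MAC addresses written as 11-22-33-44-55-66."""
    return (_mac_int(addr) & _mac_int(bitmask)) == (_mac_int(base) & _mac_int(bitmask))


def control_code_matches(tcp_flags: int, code: int, code_mask: int) -> bool:
    """Compare only the flag bits selected by code_mask against code."""
    return (tcp_flags & code_mask) == (code & code_mask)


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # base IP or MAC address; None means "Any"
    src_mask: Optional[str] = None    # bitmask; None with src set means "Host"
    control_code: Optional[int] = None
    control_mask: int = 0


@dataclass
class Packet:
    src_ip: Optional[str] = None
    src_mac: Optional[str] = None
    tcp_flags: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None:
        if "-" in rule.src or ":" in rule.src:        # MAC rule
            if pkt.src_mac is None:
                return False
            if not mac_matches(pkt.src_mac, rule.src, rule.src_mask or "FF-FF-FF-FF-FF-FF"):
                return False
        else:                                          # IP rule
            if pkt.src_ip is None:
                return False
            if not ip_matches(pkt.src_ip, rule.src, rule.src_mask or "255.255.255.255"):
                return False
    if rule.control_code is not None and not control_code_matches(
        pkt.tcp_flags, rule.control_code, rule.control_mask
    ):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or "deny" if none match."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The manual's standard IP ACL example: one host rule and one bitmask range rule.
STANDARD_ACL = [Rule("permit", "10.1.1.21"), Rule("permit", "168.92.16.0", "255.255.240.0")]

# Extended rule: deny new TCP connection attempts (SYN set, ACK clear), permit the rest.
EXTENDED_ACL = [Rule("deny", control_code=SYN, control_mask=SYN | ACK), Rule("permit")]

# MAC ACL with one host and one OUI-wide range (constructed addresses).
MAC_ACL = [Rule("permit", "11-22-33-44-55-66"), Rule("permit", "00-12-CF-00-00-00", "FF-FF-FF-00-00-00")]

if __name__ == "__main__":
    print(ip_range("168.92.16.0", "255.255.240.0"))             # ('168.92.16.0', '168.92.31.255')
    print(evaluate(STANDARD_ACL, Packet(src_ip="168.92.32.1")))  # deny
    print(evaluate(EXTENDED_ACL, Packet(tcp_flags=SYN)))         # deny
```

`ip_range` is the check worth running before binding a list to a port: a mask with a clear bit in the wrong place silently widens a rule, and printing the first and last covered address makes that visible in a way the dotted mask does not.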
  • Page 154: Filtering Ip Addresses For Management Access

    Command Attributes • Port – Fixed port or SFP module. (Range: 1-28/52) • IP – Specifies the IP ACL to bind to a port. • MAC – Specifies the MAC ACL to bind to a port. • IN – ACL for ingress packets. Web –...
  • Page 155 an entry to a filter list, access to that interface is restricted to the specified addresses. • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 156: Figure 3-71 Creating An Ip Filter List

    Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-71 Creating an IP Filter List CLI –...
  • Page 157: Port Configuration

    Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
  • Page 158 Port Configuration Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-16.) Configuration: •...
  • Page 159: Configuring Interface Connections

    CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 4-173 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-61 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Broadcast storm: Enabled Broadcast storm limit:...
  • Page 160: Figure 3-73 Port/Trunk Configuration

    (Default: Autonegotiation enabled; Advertised capabilities for 100BASE-TX – 10half, 10full, 100half, 100full; 1000BASE-T – 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/LH – 1000full) • Media Type – Media type used for the combo ports. (Options: Coppper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) •...
  • Page 161: Creating Trunk Groups

    Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 162: Statically Configuring A Trunk

    Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 163: Enabling Lacp On Selected Ports

    CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-166 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-166 Console(config-if)#channel-group 2 4-181 Console(config-if)#exit...
  • Page 164: Figure 3-75 Lacp Trunk Configuration

    Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28/52) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
  • Page 165: Configuring Lacp Parameters

    CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#lacp 4-182 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1...
  • Page 166: Figure 3-76 Lacp Port Configuration

    - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
  • Page 167: Displaying Lacp Port Counters

    CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#lacp actor system-priority 3 4-183 Console(config-if)#lacp actor admin-key 120 4-184 Console(config-if)#lacp actor port-priority 128 4-186 Console(config-if)#exit Console(config)#interface ethernet 1/4...
  • Page 168: Figure 3-77 Lacp - Port Counters Information

    Table 3-8 LACP Port Counters (Continued) (Field: Description). Marker Unknown Pkts: Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 169: Displaying LACP Settings and Status for the Local Side

    Configuring the Switch Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation.
    Table 3-9 LACP Internal Configuration Information
    Field – Description
    Oper Key – Current operational value of the key for the aggregation port.
    Admin Key – Current administrative value of the key for the aggregation port.
  • Page 170: Figure 3-78 LACP - Port Internal Information

    Port Configuration Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-78 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
    Console#show lacp 1 internal
    Port channel : 1...
  • Page 171: Displaying LACP Settings and Status for the Remote Side

    Configuring the Switch Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation.
    Table 3-10 LACP Neighbor Configuration Information
    Field – Description
    Partner Admin System ID – LAG partner's system ID assigned by the user.
  • Page 172: Setting Broadcast Storm Thresholds

    Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
    Console#show lacp 1 neighbors
    Port channel 1 neighbors
    -------------------------------------------------------------------------
    Eth 1/1
    -------------------------------------------------------------------------
    Partner Admin System ID: 32768, 00-00-00-00-00-00
    Partner Oper System ID: 3, 00-12-CF-CE-2A-20...
  • Page 173: Figure 3-80 Port Broadcast Control

    Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-80 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
  • Page 174: Configuring Port Mirroring

    Port Configuration Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 175: Configuring Rate Limits

    Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 176: Showing Port Statistics

    Port Configuration Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
  • Page 177 Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 178 Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed to this multicast address.
  • Page 179: Figure 3-83 Port Statistics

    Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-83 Port Statistics 3-132...
  • Page 180: Address Table Settings

    Address Table Settings CLI – This example shows statistics for port 13.
    Console#show interfaces counters ethernet 1/13
    Ethernet 1/13
    Iftable stats:
    Octets input: 868453, Octets output: 3492122
    Unicast input: 7315, Unitcast output: 6658
    Discard input: 0, Discard output: 0
    Error input: 0, Error output: 0
    Unknown protos input: 0, QLen output: 0
    Extended iftable stats:...
  • Page 181: Displaying The Address Table

    Configuring the Switch Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-84 Configuring a Static Address Table CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 182: Figure 3-85 Configuring A Dynamic Address Table

    Address Table Settings Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-85 Configuring a Dynamic Address Table CLI –...
  • Page 183: Changing The Aging Time

    Configuring the Switch Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds;...
  • Page 184: Spanning Tree Algorithm Configuration

    Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 185 Configuring the Switch isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing. One or more VLANs can be grouped into a Multiple Spanning Tree Instance (MSTI).
  • Page 186: Configuring Port And Trunk Loopback Detection

    Spanning Tree Algorithm Configuration Configuring Port and Trunk Loopback Detection When Port Loopback Detection is enabled and a port receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap and places the port in discarding mode. This loopback state can be released manually or automatically. If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: •...
  • Page 187: Displaying Global Settings

    Configuring the Switch CLI – This command enables loopback detection for port 1/5, configures automatic release-mode and enables SNMP trap notification for detected loopback BPDUs.
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree loopback-detection
    Console(config-if)#spanning-tree loopback-detection release-mode auto
    Console(config-if)#spanning-tree loopback-detection trap
    Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
  • Page 188: Figure 3-88 Displaying Spanning Tree Information

    Spanning Tree Algorithm Configuration • Spanning tree mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.1w) - MSTP: Multiple Spanning Tree (IEEE 802.1s) •...
  • Page 189: Configuring Global Settings

    Configuring the Switch CLI – This command displays global STA settings, followed by settings for each port.
    Console#show spanning-tree
    Spanning-tree information
    ---------------------------------------------------------------
    Spanning tree mode: RSTP
    Spanning tree enabled/disabled: enabled
    Priority: 32768
    Bridge Hello Time (sec.):
    Bridge Max Age (sec.):
    Bridge Forward Delay (sec.):
    Root Hello Time (sec.):
    Root Max Age (sec.):...
  • Page 190 Spanning Tree Algorithm Configuration - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances. - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
  • Page 191 Configuring the Switch • Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 192: Figure 3-89 Configuring Spanning Tree

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-89 Configuring Spanning Tree CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.
    Console(config)#spanning-tree
    Console(config)#spanning-tree mode rstp...
  • Page 193: Displaying Interface Settings

    Configuring the Switch Displaying Interface Settings The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Field Attributes • Spanning Tree – Shows if STA has been enabled on this interface. •...
  • Page 194 Spanning Tree Algorithm Configuration R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port. Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
  • Page 195: Configuring Interface Settings

    Configuring the Switch the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to reconfigure when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
  • Page 196 Spanning Tree Algorithm Configuration indicate a point-to-point connection or shared-media connection, and edge port to indicate if the attached device can support fast forwarding. (References to “ports” in this section means “interfaces,” which includes both ports and trunks.) Command Attributes The following attributes are read-only and cannot be changed: •...
  • Page 197: Configuring Multiple Spanning Trees

    Configuring the Switch • Admin Edge Port (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
  • Page 198 Spanning Tree Algorithm Configuration your network. However, remember that you must configure all bridges within the same MSTI Region (page 3-133) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
  • Page 199: Figure 3-92 Configuring Multiple Spanning Trees

    Configuring the Switch Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
  • Page 200: Displaying Interface Settings For MSTP

    Spanning Tree Algorithm Configuration CLI – This example sets STA attributes for port 1, followed by settings for each port.
    Console#show spanning-tree mst 2
    Spanning-tree information
    ---------------------------------------------------------------
    Spanning tree mode :MSTP
    Spanning tree enable/disable :enable
    Instance :2
    Vlans configuration :2
    Priority :4096
    Bridge Hello Time (sec.) :2
    Bridge Max Age (sec.) :20...
  • Page 201: Figure 3-93 Displaying MSTP Interface Settings

    Configuring the Switch Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values. Figure 3-93 Displaying MSTP Interface Settings 3-154...
  • Page 202: Configuring Interface Settings For MSTP

    Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree.
    Console#show spanning-tree mst 0
    Spanning-tree information...
  • Page 203 Configuring the Switch - Discarding – Port receives STA configuration messages, but does not forward packets. - Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses. - Forwarding –...
  • Page 204: VLAN Configuration

    VLAN Configuration Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-94 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4.
    Console(config)#interface ethernet 1/4
    Console(config-if)#spanning-tree mst port-priority 0
    Console(config-if)#spanning-tree mst cost 50...
  • Page 205: Assigning Ports To VLANs

    Configuring the Switch This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
  • Page 206 VLAN Configuration Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
  • Page 207: Enabling Or Disabling GVRP (Global Setting)

    Configuring the Switch Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 208: Displaying Basic VLAN Information

    VLAN Configuration Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. •...
  • Page 209: Figure 3-97 Displaying Current VLANs

    Configuring the Switch • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry. • Egress Ports – Shows all the VLAN port members. • Untagged Ports – Shows the untagged VLAN port members. Web –...
  • Page 210: Creating VLANs

    VLAN Configuration CLI – Current VLAN information can be displayed with the following command.
    Console#show vlan id 1
    Vlan ID:
    Type: Static
    Name: DefaultVlan
    Status: Active
    Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
  • Page 211: Adding Static Members To VLANs (VLAN Index)

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-98 Configuring a VLAN Static List CLI –...
  • Page 212 VLAN Configuration Command Attributes • VLAN – ID of configured VLAN (1-4093). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. •...
  • Page 213: Adding Static Members To VLANs (Port Index)

    Configuring the Switch Figure 3-99 Configuring a VLAN Static Table CLI – The following example adds tagged and untagged ports to VLAN 2.
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport allowed vlan add 2 tagged
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2
    Console(config-if)#switchport allowed vlan add 2 untagged
    Console(config-if)#exit
    Console(config)#interface ethernet 1/13
    Console(config-if)#switchport allowed vlan add 2 tagged...
  • Page 214: Configuring VLAN Behavior For Interfaces

    VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 215: Figure 3-101 Configuring VLANs Per Port

    Configuring the Switch or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
  • Page 216: Configuring IEEE 802.1Q Tunneling

    VLAN Configuration CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport acceptable-frame-types tagged
    Console(config-if)#switchport ingress-filtering...
  • Page 217 Configuring the Switch processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
  • Page 218 VLAN Configuration 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: •...
  • Page 219: Enabling QinQ Tunneling On The Switch

    Configuring the Switch Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
  • Page 220: Figure 3-102 802.1Q Tunnel Status And Ethernet Type

    VLAN Configuration Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. Command Usage • Use the TPID field to set a custom 802.1Q ethertype value on the selected interface.
  • Page 221: Adding An Interface To A QinQ Tunnel

    Configuring the Switch CLI – This example sets the switch to operate in QinQ mode.
    Console(config)#dot1q-tunnel system-tunnel-control
    Console(config)#exit
    Console#show dot1q-tunnel
    Current double-tagged status of the system is Enabled
    The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
    The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
  • Page 222: Private VLANs

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply. Figure 3-103 Tunnel Port Configuration CLI –...
  • Page 223: Displaying Current Private VLANs

    Configuring the Switch contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
  • Page 224: Configuring Private VLANs

    VLAN Configuration Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu. Figure 3-104 Private VLAN Information CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 225: Associating VLANs

    Configuring the Switch Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
  • Page 226: Displaying Private VLAN Interface Information

    VLAN Configuration CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.
    Console(config)#vlan database
    Console(config-vlan)#private-vlan 5 association 6
    Console(config-vlan)#private-vlan 5 association 7
    Console(config)#
    Displaying Private VLAN Interface Information Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
  • Page 227: Configuring Private VLAN Interfaces

    Configuring the Switch CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 228: Protocol VLANs

    VLAN Configuration Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
  • Page 229: Protocol VLAN System Configuration

    Configuring the Switch • Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol. • Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, and RARP. If LLC Other is chosen for the Frame Type, the only available Protocol Type is IPX Raw. Note: Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN...
  • Page 230: Link Layer Discovery Protocol

    Link Layer Discovery Protocol Web – Click VLAN, Protocol VLAN, System Configuration. Figure 3-110 Protocol VLAN System Configuration CLI – This example shows the switch configured with Protocol Group 2 mapped to VLAN 2.
    Console(config)#protocol-vlan protocol-group 2 vlan 2
    Console(config)#
    Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about...
  • Page 231 Configuring the Switch Command Attributes • LLDP – Enables LLDP globally on the switch. (Default: Enabled) • Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds) This attribute must comply with the following rule: (transmission-interval * holdtime-multiplier) ≤...
  • Page 232: Configuring LLDP Interface Attributes

    Link Layer Discovery Protocol critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service. Web – Click LLDP, Configuration. Enable LLDP, modify any of the timing parameters as required, and click Apply. Figure 3-111 LLDP Configuration CLI –...
  • Page 233 Configuring the Switch Command Attributes • Admin Status – Enables LLDP message transmit and receive modes for LLDP Protocol Data Units. (Options: Tx only, Rx only, TxRx, Disabled; Default: TxRx) • SNMP Notification – Enables the transmission of SNMP trap notifications about LLDP and LLDP-MED changes.
  • Page 234: Figure 3-112 LLDP Port Configuration

    Link Layer Discovery Protocol configure the system name, see “Displaying System Information” on page 3-12. - System Capabilities – The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB. •...
  • Page 235: Displaying LLDP Local Device Information

    Configuring the Switch CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lldp admin-status tx-rx
    Console(config-if)#lldp notification...
  • Page 236: Displaying LLDP Remote Port Information

    Link Layer Discovery Protocol CLI – This example displays LLDP information for the local switch.
    Console#show lldp info local-device
    LLDP Local System Information
    Chassis Type : MAC Address
    Chassis ID : 00-01-02-03-04-05
    System Name :
    System Description : TL-SL5428
    System Capabilities Support : Bridge
    System Capabilities Enable : Bridge
    Management Address : 192.168.0.101 (IPv4)
  • Page 237: Displaying LLDP Remote Information Details

    Configuring the Switch CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP.
    Console#show lldp info remote-device
    LLDP Remote Devices Information
    Interface | ChassisId         PortId            SysName
    --------- + ----------------- ----------------- ---------------------
    Eth 1/1   | 00-01-02-03-04-05 00-01-02-03-04-06
    Console#...
  • Page 238: Displaying Device Statistics

    Link Layer Discovery Protocol CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
    Console#show lldp info remote-device detail ethernet 1/1
    LLDP Remote Devices Information Detail
    ---------------------------------------------------------------
    Local PortName : Eth 1/1
    Chassis Type : MAC Address...
  • Page 239: Displaying Detailed Device Statistics

    Configuring the Switch CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
    switch#show lldp info statistics
    LLDP Device Statistics
    Neighbor Entries List Last Updated : 2450279 seconds
    New Neighbor Entries Count
    Neighbor Entries Deleted Count
    Neighbor Entries Dropped Count
    Neighbor Entries Ageout Count...
  • Page 240: Class Of Service Configuration

    Class of Service Configuration CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.
    switch#show lldp info statistics detail ethernet 1/1
    LLDP Port Statistics Detail
    PortName : Eth 1/1
    Frames Discarded
    Frames Invalid
    Frames Received...
  • Page 241: Mapping CoS Values To Egress Queues

    Configuring the Switch Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port.
  • Page 242: Table 3-12 Mapping CoS Values To Egress Queues

    Class of Service Configuration Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table. Table 3-12 Mapping CoS Values to Egress Queues Queue Priority The priority levels recommended in the IEEE 802.1p standard for various network...
  • Page 243: Enabling CoS

    Configuring the Switch Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-119 Traffic Classes CLI – The following example shows how to change the CoS assignments.
    Console(config)#interface ethernet 1/1
    Console(config-if)#queue cos-map 0 0...
  • Page 244: Selecting The Queue Mode

    Class of Service Configuration Web – Click Priority, Traffic Classes Status. Figure 3-120 Enable Traffic Classes Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 245: Layer 3/4 Priority Settings

    Configuring the Switch Values to Egress Queues” on page 3-194, the traffic classes are mapped to one of the eight egress queues provided for each port. You can assign a weight to each of these queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue will be polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
  • Page 246: Enabling IP DSCP Priority

    Class of Service Configuration a Class of Service value by the switch, and the traffic then sent to the corresponding output queue. Because different priority information may be contained in the traffic, this switch maps priority values to the output queues in the following manner: •...
  • Page 247: Mapping DSCP Priority

    Configuring the Switch Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
  • Page 248: Quality Of Service

    Quality of Service CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
    Console(config)#map ip dscp
    Console(config)#interface ethernet 1/1
    Console(config-if)#map ip dscp 1 cos 0...
  • Page 249: Configuring Quality Of Service Parameters

    Configuring the Switch You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 3-207). Configuring Quality of Service Parameters To create a service policy for a specific category of ingress traffic, follow these steps: 1.
  • Page 250 Quality of Service • Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page. •...
  • Page 251: Figure 3-125 Configuring Class Maps

    Configuring the Switch Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-125 Configuring Class Maps CLI - This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
  • Page 252: Creating Qos Policies

    Quality of Service Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-202. - Open the Policy Map page, and click Add Policy.
  • Page 253 Configuring the Switch • Back – Returns to the previous page without making any changes. Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-202).
  • Page 254: Figure 3-126 Configuring Policy Maps

    Quality of Service Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-126 Configuring Policy Maps 3-207...
  • Page 255: Attaching A Policy Map To Ingress Queues

    Configuring the Switch CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0. Console(config)#policy-map rd_policy#3 4-200 Console(config-pmap)#class rd_class#3 4-200...
  • Page 256: Voip Traffic Configuration

    VoIP Traffic Configuration VoIP Traffic Configuration When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality.
  • Page 257: Configuring Voip Traffic Port

    Configuring the Switch Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply. Figure 3-128 Configuring VoIP Traffic CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
  • Page 258: Figure 3-129 Voip Traffic Port Configuration

    VoIP Traffic Configuration address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
  • Page 259: Configuring Telephony Oui

    Configuring the Switch CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status. Console(config)#interface ethernet 1/2 Console(config-if)#switchport voice vlan auto 4-283 Console(config-if)#switchport voice vlan security 4-284 Console(config-if)#switchport voice vlan rule oui 4-284 Console(config-if)#switchport voice vlan priority 5 4-285 Console(config-if)#exit...
  • Page 260: Figure 3-130 Telephony Oui List

    VoIP Traffic Configuration • Telephony OUI – Specifies a MAC address range to add to the list. Enter the MAC address in format 01-23-45-67-89-AB. • Mask – Identifies a range of MAC addresses. Selecting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the MAC address range.
  • Page 261: Multicast Filtering

    Configuring the Switch Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
  • Page 262: Configuring Igmp Snooping And Query Parameters

    Multicast Filtering these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources. IGMPv3 hosts may also request that service be forwarded from all sources except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.
  • Page 263 Configuring the Switch the multicast filtering table is already full, the switch will continue flooding the traffic into the VLAN. • IGMP Querier – A router, or multicast-enabled switch, can periodically ask their hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier”...
  • Page 264: Enabling Igmp Immediate Leave

    Multicast Filtering Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-131 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
  • Page 265: Displaying Interfaces Attached To A Multicast Router

    Configuring the Switch is determined by the IGMP Query Report Delay (see “Configuring IGMP Snooping and Query Parameters” on page 3-215). • If immediate leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
  • Page 266: Specifying Static Interfaces For A Multicast Router

    Multicast Filtering support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch. You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router/switch for each VLAN ID.
  • Page 267: Displaying Port Members Of Multicast Services

    Configuring the Switch • Port or Trunk – Specifies the interface attached to a multicast router. Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add.
  • Page 268: Assigning Ports To Multicast Services

    Multicast Filtering Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-135 IP Multicast Registration Table CLI –...
  • Page 269: Igmp Filtering And Throttling

    Configuring the Switch • Multicast IP – The IP address for a specific multicast service • Port or Trunk – Specifies the interface attached to a multicast router/switch. Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add.
  • Page 270: Enabling Igmp Filtering And Throttling

    Multicast Filtering IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 271: Configuring Igmp Filter Profiles

    Configuring the Switch CLI – This example enables IGMP filtering and creates a profile number. It then displays the current status and the existing profile numbers. Console(config)#ip igmp filter 4-298 Console(config)#ip igmp profile 19 4-298 Console(config)#end Console#show ip igmp profile 4-302 IGMP Profile 19 IGMP Profile 25...
  • Page 272: Configuring Igmp Filtering And Throttling For Interfaces

    Multicast Filtering Web – Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile number you want to configure; then click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list.
  • Page 273: Figure 3-139 Igmp Filter And Throttling Port Configuration

    Configuring the Switch • An IGMP profile or throttling setting can also be applied to a trunk interface. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk. • IGMP throttling sets a maximum number of multicast groups that a port can join at the same time.
  • Page 274: Multicast Vlan Registration

    Multicast VLAN Registration CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed. Console(config)#interface ethernet 1/1 4-166 Console(config-if)#ip igmp filter 19 4-300 Console(config-if)#ip igmp max-groups 64...
  • Page 275: Configuring Global Mvr Settings

    Configuring the Switch (Figure: MVR network, showing a multicast server source and satellite services on the service network, a multicast router, a Layer 2 switch with a source port and receiver ports, and attached set-top boxes.) General Configuration Guidelines for MVR Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings”...
  • Page 276: Displaying Mvr Interface Status

    Multicast VLAN Registration • MVR Running Status – Indicates whether or not all necessary conditions in the MVR environment are satisfied. • MVR VLAN – Identifier of the VLAN that serves as the channel for streaming multicast services using MVR. (Range: 1-4093; Default: 1) •...
  • Page 277: Displaying Port Members Of Multicast Groups

    Configuring the Switch • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 278: Configuring Mvr Interface Status

    Multicast VLAN Registration Web – Click MVR, Group IP Information. Figure 3-142 MVR Group IP Information CLI – This example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN. Console#show mvr interface 4-307 MVR Group IP Status Members ---------------- -------- -------...
  • Page 279: Figure 3-143 Mvr Port Configuration

    Configuring the Switch • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  • Page 280: Assigning Static Multicast Groups To Interfaces

    Multicast VLAN Registration CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port. Console(config)#interface ethernet 1/1 Console(config-if)#mvr type source 4-305 Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#mvr type receiver 4-305 Console(config-if)#mvr immediate 4-305 Console(config-if)# Assigning Static Multicast Groups to Interfaces...
  • Page 281: Dhcp Snooping

    Configuring the Switch CLI – This example statically assigns a multicast group to a receiver port. Console(config)#interface ethernet 1/2 Console(config-if)#mvr group 228.1.23.1 4-305 Console(config-if)# DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 282: Dhcp Snooping Configuration

    DHCP Snooping If the DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table. Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted.
  • Page 283: Dhcp Snooping Information Option Configuration

    Configuring the Switch Web – Click DHCP Snooping, VLAN Configuration. Figure 3-146 DHCP Snooping VLAN Configuration CLI – This example first enables DHCP Snooping for VLAN 1. Console(config)#ip dhcp snooping vlan 1 4-319 Console(config)# DHCP Snooping Information Option Configuration DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
  • Page 284: Dhcp Snooping Port Configuration

    DHCP Snooping Web – Click DHCP Snooping, Information Option Configuration. Figure 3-147 DHCP Snooping Information Option Configuration CLI – This example enables the DHCP Snooping Information Option, and sets the policy to replace. Console(config)#ip dhcp snooping information option 4-321 Console(config)#ip dhcp snooping information policy replace 4-322 Console(config)# DHCP Snooping Port Configuration...
  • Page 285: Dhcp Snooping Binding Information

    Configuring the Switch CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust 4-320 Console(config-if)# DHCP Snooping Binding Information Displays the DHCP snooping binding information. Command Attributes • No. – Entry number for DHCP snooping binding information. •...
  • Page 286: Ip Source Guard

    IP Source Guard IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-234).
  • Page 287: Static Ip Source Guard Binding Configuration

    Configuring the Switch CLI – This example shows how to enable IP source guard on port 5 Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip 4-313 Console(config-if)#end Console#show ip source-guard 4-316 Interface Filter-type --------- ----------- Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3 DISABLED Eth 1/4 DISABLED...
  • Page 288: Dynamic Ip Source Guard Binding Information

    IP Source Guard Web – Click IP Source Guard, Static Configuration. Figure 3-151 Static IP Source Guard Binding Configuration CLI – This example shows how to configure a static source-guard binding on port 5 Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 4-315 Console(config)#...
  • Page 289: Switch Clustering

    Configuring the Switch Web – Click IP Source Guard, Dynamic Information. Figure 3-152 Dynamic IP Source Guard Binding Information CLI – This example shows how to configure a static source-guard binding on port 5 4-316 Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN...
  • Page 290: Cluster Configuration

    Switch Clustering switches only become cluster Members when manually selected by the administrator through the management station. After the Commander and Members have been configured, any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu.
  • Page 291: Cluster Member Configuration

    Configuring the Switch Web – Click Cluster, Configuration. Figure 3-154 Cluster Configuration CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool. Console(config)#cluster 4-324 Console(config)#cluster commander 4-325 Console(config)#cluster ip-pool 10.2.3.4 4-326...
  • Page 292: Cluster Member Information

    Switch Clustering Web – Click Cluster, Member Configuration. Figure 3-155 Cluster Member Configuration CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-326 Console(config)# Cluster Member Information...
  • Page 293: Cluster Candidate Information

    Configuring the Switch CLI – This example shows information about cluster Member switches. Vty-0#show cluster members 4-328 Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: 24/48 L2/L4 IPV4/IPV6 GE Switch Vty-0# Cluster Candidate Information Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
  • Page 294: Upnp

    UPnP UPnP Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards. The first step in UPnP networking is discovery.
  • Page 295 Configuring the Switch CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration. Console(config)#upnp device 4-215 Console(config)#upnp device advertise duration 200 4-216 Console(config)#upnp device ttl 6 4-216 Console(config)#end Console#sh upnp...
  • Page 296: Chapter 4: Command Line Interface

    Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 297: Telnet Connection

    Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 298: Entering Commands

    Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 299: Showing Commands

    Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 300 Entering Commands Console#show ? access-group Access groups access-list Access lists accounting Uses an accounting list with this name banner Banner info bridge-ext Bridge extension information calendar Date and time information class-map Displays class maps cluster Display cluster dot1q-tunnel dot1q-tunnel dot1x 802.1x content garp GARP properties...
  • Page 301: Partial Keyword Lookup

    Command Line Interface The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Interface counters information status Interface status information switchport Interface switchport information Console#show interfaces Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 302: Exec Commands

    Entering Commands current mode. The command classes and associated modes are displayed in the following table: Table 4-1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map Server Group VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode.
  • Page 303: Configuration Commands

    Command Line Interface Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. The configuration commands are organized into different modes: •...
  • Page 304: Command Line Processing

    Entering Commands For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 305: Command Groups

    Command Line Interface Command Groups The system commands can be broken down into the functional groups shown below Table 4-4 Command Groups Command Group Description Page Line Sets communication parameters for the serial port and Telnet, 4-11 including baud rate and console time-out General Basic commands for entering privileged access mode, restarting the 4-20...
  • Page 306: Line Commands

    Line Commands Table 4-4 Command Groups (Continued) Command Group Description Page IP Cluster Configures switch clustering 4-324 UPnP Configures UPnP settings 4-324 The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) MST (Multiple Spanning Tree) CM (Class Map Configuration) NE (Normal Exec)
  • Page 307: Line

    Command Line Interface line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 308: Password

    Line Commands - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authentication via the user name and password specified by the username command (i.e., default setting).
  • Page 309: Timeout Login Response

    Command Line Interface during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config-line)#password 0 secret Console(config-line)# Related Commands login (4-12) password-thresh (4-15) timeout login response This command sets the interval that the system waits for a user to log into the CLI.
  • Page 310: Password-Thresh

    Line Commands Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout) Default Setting CLI: No timeout Telnet: 10 minutes Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
  • Page 311: Silent-Time

    Command Line Interface Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
  • Page 312: Parity

    Line Commands Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. • 8 - Eight data bits per character. Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
  • Page 313: Speed

    Command Line Interface Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
  • Page 314: Disconnect

    Line Commands Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage...
  • Page 315: General Commands

    Command Line Interface Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec console#...
  • Page 316: Disable

    General Commands The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode. Default Setting Level 15 Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec.
  • Page 317: Configure

    Command Line Interface configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration.
  • Page 318: Reload

    General Commands The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
  • Page 319: Show Reload

    Command Line Interface Default Setting None Command Mode Privileged Exec Example This example shows how to cancel a configured delayed reset of the switch: Console#reload cancel Console# show reload This command displays the remaining time until a pending delayed reset will take place.
  • Page 320: Exit

    General Commands exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 321: System Management Commands

    Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-7 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4-26 Banner...
  • Page 322: Hostname

    System Management Commands Command Mode Global Configuration Example Console(config)#prompt RD2 RD2(config)# hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 323: Banner Configure

    Command Line Interface Table 4-9 Banner Commands Command Function Mode Page banner configure Configures the Equipment Location information that is displayed 4-32 equipment-location by banner banner configure Configures the IP and LAN information that is displayed by 4-32 ip-lan banner banner configure Configures the LP Number information that is displayed by 4-33...
  • Page 324: Banner Configure Company

    System Management Commands Example Console(config)#banner configure Company: TPL Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Jr. Network Admin phone number: 123-555-1213 Manager3 name: Night-shift Net Admin / Janitor phone number: 123-555-1214 The physical location of the equipment.
  • Page 325: Banner Configure Dc-Power-Info

    Command Line Interface Command Usage The user-entered data cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity. Example Console(config)#banner configure company TPL Console(config)#...
  • Page 326: Banner Configure Equipment-Info

    System Management Commands Syntax banner configure department dept-name no banner configure department dept-name - The name of the department. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure department command interprets spaces as data input boundaries.
  • Page 327: Banner Configure Equipment-Location

    Command Line Interface Command Usage The user-entered data cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity. Example Console(config)#banner configure equipment-info manufacturer-id TL-SL5428 floor 3 row 10 rack 15 shelf-rack 12 manufacturer TPL_Networks...
  • Page 328: Banner Configure Lp-Number

    System Management Commands ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
  • Page 329: Banner Configure Manager-Info

    Command Line Interface banner configure manager-info This command allows the administrator to configure the manager contact information displayed in the banner. Use the no form to remove the manager contact information from the banner display. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] no banner configure manager-info [name1 | name2 | name3]...
  • Page 330: Banner Configure Note

    System Management Commands no banner configure mux muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries.
  • Page 331: Show Banner

    Command Line Interface Example Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmware- upgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected Console(config)# show banner This command displays all banner information. Syntax show banner Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show banner WARNING - MONITORED ACTIONS AND ACCESSES R&D_Dept Albert_Einstein - 123-555-1212 Steve - 123-555-9876 Lamar - 123-555-3322...
  • Page 332: User Access Commands

    System Management Commands User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-11), user authentication via a remote authentication server (page 4-90), and host access authentication for specific ports (page 4-111).
  • Page 333: Enable Password

    Command Line Interface Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how to set the access level and password for a user.
  • Page 334: Ip Filter Commands

    System Management Commands Related Commands enable (4-20) authentication enable (4-92) IP Filter Commands Table 4-12 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-39 show management Displays the switch to be monitored or configured from a 4-40 browser management...
  • Page 335: Show Management

    Command Line Interface • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management...
  • Page 336: Web Server Commands

    System Management Commands Web Server Commands Table 4-13 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface 4-41 ip http server Allows the switch to be monitored or configured from a browser GC 4-41 ip http secure-server Enables HTTPS for encrypted communications...
  • Page 337: Ip Http Secure-Server

    Command Line Interface Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-41) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server Default Setting...
  • Page 338: Ip Http Secure-Port

    System Management Commands Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-43) copy tftp https-certificate (4-84) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port...
  • Page 339: Telnet Server Commands

    Command Line Interface Telnet Server Commands Table 4-15 Telnet Server Commands Command Function Mode Page ip telnet port Specifies the port to be used by the Telnet interface 4-41 ip telnet server Allows the switch to be monitored or configured from Telnet 4-41 ip telnet port This command specifies the TCP port number used by the Telnet interface.
  • Page 340: Related Commands

    System Management Commands Related Commands ip telnet port (4-44) Secure Shell Commands The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 341 Command Line Interface The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-91.
  • Page 342: Ip Ssh Server

    System Management Commands corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process: The client sends its public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
  • Page 343: Ip Ssh Timeout

    Command Line Interface ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds...
  • Page 344: Ip Ssh Server-Key Size

    System Management Commands Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (4-51) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size –...
  • Page 345: Ip Ssh Crypto Host-Key Generate

    Command Line Interface Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. •...
  • Page 346: Ip Ssh Save Host-Key

    System Management Commands Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize dsa Console#...
  • Page 347: Show Ssh

    Command Line Interface Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username...
  • Page 348: Show Public-Key

    System Management Commands show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 349: Event Logging Commands

    Command Line Interface Event Logging Commands Table 4-18 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-54 logging history Limits syslog messages saved to switch memory based on 4-55 severity logging host Adds a syslog server host IP address that will receive logging 4-56 messages logging facility...
  • Page 350: Logging History

    System Management Commands logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 351: Logging Host

    Command Line Interface logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 352: Logging Trap

    System Management Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 353: Show Logging

    Command Line Interface Related Commands show logging (4-58) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
  • Page 354: Show Log

    System Management Commands The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
  • Page 355: Smtp Alert Commands

    Command Line Interface Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [3] 00:00:54 2001-01-01 "STA root change notification."...
  • Page 356: Logging Sendmail Level

    System Management Commands Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
  • Page 357: Logging Sendmail Source-Email

    Command Line Interface logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages. (Range: 0-41 characters) Default Setting None...
  • Page 358: Logging Sendmail

    System Management Commands logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
  • Page 359: Time Commands

    Command Line Interface Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 360: Sntp Server

    System Management Commands Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001). •...
  • Page 361: Sntp Poll

    Command Line Interface Example Console(config)#sntp server 10.1.0.19 Related Commands sntp client (4-64) sntp poll (4-66) show sntp (4-66) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll...
  • Page 362: Ntp Client

    System Management Commands Example Console#show sntp Current time: Dec 23 05:13:28 2002 Poll interval: 16 Current mode: unicast SNTP status : Enabled SNTP server 137.92.140.80 0.0.0.0 0.0.0.0 Current server: 137.92.140.80 Console# ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command.
  • Page 363: Ntp Server

    Command Line Interface ntp server This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list. Syntax ntp server ip-address [version number] [key key-number] no ntp server [ip-address]...
  • Page 364: Ntp Poll

    System Management Commands ntp poll This command sets the interval between sending time requests when the switch is set to NTP client mode. Use the no form to restore to the default. Syntax ntp poll seconds no ntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
  • Page 365: Ntp Authentication-Key

    Command Line Interface Example Console(config)#ntp authenticate Console(config)# Related Commands ntp authentication-key (4-70) ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
  • Page 366: Show Ntp

    System Management Commands show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
  • Page 367: Clock Timezone

    Command Line Interface Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 368: Clock Summer-Time (Date)

    System Management Commands clock summer-time (date) This command allows the user to manually configure the start, end, and offset times of summer-time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer-time. Syntax clock summer-time name date b-month b-day b-year b-hour b-minute e-month e-day e-year e-hour e-minute offset no clock summer-time...
  • Page 369: Clock Summer-Time (Predefined)

    Command Line Interface Example Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console(config)# Related Commands show sntp (4-66) clock summer-time (predefined) This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions of the world.
  • Page 370: Clock Summer-Time (Recurring)

    System Management Commands Related Commands show sntp (4-66) clock summer-time (recurring) This command allows the user to manually configure the start, end, and offset times of summer-time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time. Syntax clock summer-time name recurring b-week b-day b-month b-hour b-minute e-week e-day e-month e-hour e-minute offset...
  • Page 371: Calendar Set

    Command Line Interface Example Console(config)#clock summer-time MESZ recurring 1 friday june 23 59 3 saturday september 2 55 60 Console(config)# Related Commands show sntp (4-66) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
  • Page 372: System Status Commands

    System Management Commands System Status Commands Table 4-25 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash 4-77 memory) that is used to start up the system show running-config Displays the configuration data currently in use 4-78 show system Displays system information...
  • Page 373: Show Running-Config

    Command Line Interface Example Console#show startup-config building startup-config, please wait... username admin access-level 15 username admin password 0 admin username guest access-level 0 username guest password 0 guest enable password level 15 0 super snmp-server community public ro snmp-server community private rw logging history ram 6 logging history flash 3 vlan database...
  • Page 374 System Management Commands is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - MAC address for each switch in the stack - SNTP server settings - Local time zone - SNMP community strings - Users (names, access levels, and encrypted passwords) - Event log settings...
  • Page 375 Command Line Interface Example Console#show running-config building startup-config, please wait... phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 clock timezone hours 0 minute 0 after-UTC SNMP-server community private rw SNMP-server community public ro username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4...
  • Page 376: Show System

    System Management Commands show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12. •...
  • Page 377: Show Version

    Command Line Interface Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users:...
  • Page 378: Frame Size Commands

    System Management Commands Example Console#show version Unit1 Serial number: S416000937 Service tag: Hardware version: Module A type: 1000BaseT Module B type: 1000BaseT Number of ports: Main power status: Redundant power status :not present Agent (master) Unit ID: Loader version: 2.2.1.4 Boot ROM version: 2.2.1.8 Operation code version:...
  • Page 379: Flash/File Commands

    Command Line Interface • Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packets per second. (See the switchport broadcast command on page 4-172.) • The current setting for jumbo frames can be displayed with the show system command (page 4-81).
  • Page 380 Flash/File Commands • https-certificate - Copies an HTTPS certificate from a TFTP server to the switch. • public-key - Keyword that allows you to copy an SSH key from a TFTP server. (“Secure Shell Commands” on page 4-45) • unit - Keyword that allows you to copy to/from a unit. Default Setting None Command Mode...
  • Page 381 Command Line Interface Example The following example shows how to upload the configuration settings to a file on the TFTP server: Console#copy file tftp Choose file type: 1. config: 2. opcode: <1-2>: 1 Source file name: startup TFTP server ip address: 10.1.0.99 Destination file name: startup.01 TFTP completed.
  • Page 382: Delete

    Flash/File Commands This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch: Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1.
  • Page 383: Dir

    Command Line Interface This command displays a list of files in flash memory. Syntax dir [unit:] {{boot-rom: | config: | opcode:} [:filename]} The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. •...
  • Page 384: Whichboot

    Flash/File Commands whichboot This command displays which files were booted when the system powered up. Syntax whichboot [unit] unit - Stack unit. (Range: 1) Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
  • Page 385: Authentication Commands

    Command Line Interface Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-88) whichboot (4-89) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
  • Page 386: Authentication Login

    Authentication Commands authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server password. •...
  • Page 387: Authentication Enable

    Command Line Interface authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-20). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable...
  • Page 388: Radius Client

    Authentication Commands RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 389: Radius-Server Host

    Command Line Interface radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key] •...
  • Page 390: Radius-Server Auth-Port

    Authentication Commands Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port for authentication messages. Use the no form to restore the default. Syntax radius-server auth-port port_number no radius-server auth-port port_number - RADIUS server UDP port used for authentication messages.
  • Page 391: Radius-Server Retransmit

    Command Line Interface radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) Default Setting Command Mode Global Configuration...
  • Page 392: Tacacs+ Client

    Authentication Commands Example Console#show radius-server Remote RADIUS server configuration: Global settings Communication key with RADIUS server: Server port number: 1812 Retransmit times: Request timeout: Sever 1: Server IP address: 192.168.1.1 Communication key with RADIUS server: ***** Server port number: 1812 Retransmit times: Request timeout: Console#...
  • Page 393: Tacacs-Server Port

    Command Line Interface • timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-540 seconds) • retransmit - Number of times the switch will resend an authentication request to the TACACS+ server. (Range: 1-30) •...
  • Page 394: Tacacs-Server Retransmit

    Authentication Commands Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 20 characters) Default Setting None Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)#...
  • Page 395: Show Tacacs-Server

    Command Line Interface Default Setting 5 seconds Command Mode Global Configuration Example Console(config)#tacacs-server timeout 10 Console(config)# show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS+ server configuration: Global Settings: Communication Key with TACACS+ Server: Server Port Number:...
  • Page 396: Aaa Commands

    Authentication Commands AAA Commands The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-33 AAA Commands Command Function Mode...
  • Page 397: Server

    Command Line Interface Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} •...
  • Page 398: Aaa Accounting Exec

    Authentication Commands - radius - Specifies all RADIUS hosts configured with the radius-server host command described on page 4-94. - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101.
  • Page 399: Aaa Accounting Commands

    Command Line Interface - radius - Specifies all RADIUS hosts configured with the radius-server host command described on page 4-94. - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101.
  • Page 400: Aaa Accounting Update

    Authentication Commands - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101. (Range: 1-255 characters) Default Setting Accounting is not enabled...
  • Page 401: Accounting Dot1X

    Command Line Interface Example Console(config)#aaa accounting update periodic 30 Console(config)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x •...
  • Page 402: Accounting Commands

    Authentication Commands Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# accounting commands This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered commands. Syntax accounting commands level {default | list-name} no accounting commands level •...
  • Page 403: Authorization Exec

    Command Line Interface - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-97. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-101. (Range: 1-255 characters) Default Setting Authorization is not enabled...
  • Page 404: Show Accounting

    Authentication Commands Example Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting This command displays the current accounting settings per function and per port. Syntax show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics [username user-name | interface]] •...
  • Page 405: Port Security Commands

    Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 406: 802.1X Port Authentication

    Authentication Commands Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 407: Dot1X System-Auth-Control

    Command Line Interface Table 4-35 802.1X Port Authentication (Continued) Command Function Mode Page dot1x operation-mode Allows single or multiple hosts on an dot1x port 4-114 dot1x re-authenticate Forces re-authentication on specific ports 4-114 dot1x re-authentication Enables re-authentication for all ports 4-115 dot1x timeout quiet-period Sets the time that a switch port waits after the Max...
  • Page 408: Dot1X Max-Req

    Authentication Commands dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default. Syntax dot1x max-req count no dot1x max-req count –...
  • Page 409: Dot1X Operation-Mode

    Command Line Interface dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 410: Dot1X Re-Authentication

    Authentication Commands Command Mode Privileged Exec Example Console#dot1x re-authenticate Console# dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# dot1x timeout quiet-period...
  • Page 411: Dot1X Timeout Re-Authperiod

    Command Line Interface dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds. (Range: 1-65535) Default 3600 seconds Command Mode Interface Configuration Example...
  • Page 412: Dot1X Intrusion-Action

    Authentication Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default. Syntax dot1x intrusion-action {block-traffic | guest-vlan} no dot1x intrusion-action Default...
  • Page 413 Command Line Interface - Status – Administrative state for port access control. - Operation Mode – Dot1x port control operation mode (page 4-114). - Mode – Dot1x port control mode (page 4-113). - Authorized – Authorization status (yes or n/a - not authorized). •...
  • Page 414 Authentication Commands - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server. • Reauthentication State Machine - State – Current state (including initialize, reauthenticate). Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name...
  • Page 415: Network Access - Mac Address Authentication

    Command Line Interface Network Access – MAC Address Authentication The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 416: Network-Access Max-Mac-Count

    Authentication Commands Default Setting Disabled Command Mode Interface Configuration Command Usage • When enabled on a port interface, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The username and password are both equal to the MAC address being authenticated.
  • Page 417: Mac-Authentication Intrusion-Action

    Command Line Interface count - The maximum number of authenticated MAC addresses allowed. (Range: 1 to 2048; 0 for unlimited) Default Setting 2048 Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024.
  • Page 418: Network-Access Dynamic-Qos

    Authentication Commands Default Setting 1024 Command Mode Interface Config Example Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)# network-access dynamic-qos Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. Syntax [no] network-access dynamic-qos Default Setting Disabled Command Mode...
  • Page 419: Network-Access Guest-Vlan

    Command Line Interface • The VLAN settings specified by the first authenticated MAC address are implemented for a port. Other authenticated MAC addresses on the port must have the same VLAN configuration, or they are treated as an authentication failure. • If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success.
  • Page 420: Network-Access Link-Detection Link-Down

    Authentication Commands Default Setting Disabled Command Mode Interface Configuration Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection Console(config-if)# network-access link-detection link-down Use this command to configure the link detection feature to detect link-down events. When a link-down event is detected, the feature can shut down the port, send an SNMP trap, or both.
  • Page 421: Network-Access Link-Detection Link-Up-Down

    Command Line Interface Command Mode Interface Configuration Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up action trap Console(config-if)# network-access link-detection link-up-down Use this command to configure the link detection feature to detect link-up and link-down events. When either a link-up or link-down event is detected, the feature can shut down the port, send an SNMP trap, or both.
  • Page 422: Clear Network-Access

    Authentication Commands Command Usage • The reauthentication time is a global setting and applies to all ports. • When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected. Example Console(config)#mac-authentication reauth-time 300 Console(config)#...
  • Page 423: Show Network-Access Mac-Address-Table

    Command Line Interface Default Setting Displays the settings for all interfaces. Command Mode Privileged Exec Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts...
  • Page 424: Web Authentication

    Authentication Commands Command Usage When using a bit mask to filter displayed MAC addresses, a 1 means "care" and a 0 means "don't care". For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed.
  • Page 425: Web-Auth Login-Attempts

    Command Line Interface Table 4-37 Web Authentication (Continued)
    - web-auth quiet-period (4-132) – Defines the amount of time to wait after the limit for failed login attempts is exceeded.
    - web-auth session-timeout (4-132) – Defines the amount of time a session remains valid.
    - web-auth...
  • Page 426: Web-Auth Login-Page-Url

    Authentication Commands fail-url - The URL to which a host is directed after a failed web authentication attempt. Default Setting None Command Mode Global Configuration Command Usage This command is not supported in the current release of the firmware. Example Console(config)#web-auth login-fail-page-url http://www.example.com/fail/ Console(config)# web-auth login-page-url...
  • Page 427: Web-Auth Quiet-Period

    Command Line Interface success-url - The URL to which a host is directed after a successful web authentication login. Default Setting None Command Mode Global Configuration Command Usage This command is not supported in the current release of the firmware. Example Console(config)#web-auth login-success-page-url http://www.example.com/success/...
  • Page 428: Web-Auth System-Auth-Control

    Authentication Commands timeout - The amount of time that an authenticated session remains valid. (Range: 300-3600 seconds) Default Setting 3600 seconds Command Mode Global Configuration Example Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default.
  • Page 429: Show Web-Auth

    Command Line Interface Command Usage Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active. Example Console(config-if)#web-auth Console(config-if)# show web-auth This command displays global web authentication parameters. Syntax show web-auth Default Setting None...
  • Page 430: Web-Auth Re-Authenticate (Port)

    Authentication Commands Command Mode Privileged Exec Example Console#show web-auth interface eth 1/2 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ---------------------- Console# web-auth re-authenticate (Port) This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
  • Page 431: Show Web-Auth Summary

    Command Line Interface Default Setting None Command Mode Privileged Exec Example Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5 Failed to reauth port. Console# show web-auth summary This command displays a summary of web authentication port parameters and statistics. Syntax show web-auth summary Default Setting None Command Mode...
  • Page 432 Authentication Commands Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------ 1/ 1 Disabled 1/ 2 Enabled 1/ 3 Disabled 1/ 4 Disabled 1/ 5 Disabled 1/ 6 Disabled 1/ 7 Disabled 1/ 8...
  • Page 433: Access Control List Commands

    Command Line Interface Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
  • Page 434: Ip Acls

    Access Control List Commands IP ACLs Table 4-39 IP ACLs
    - access-list ip (4-139) – Creates an IP ACL and enters configuration mode
    - permit, deny (STD-ACL, 4-140) – Filters packets matching a specified source IP address
    - permit, deny (EXT-ACL, 4-140) – Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port number,...
  • Page 435: Permit, Deny (Standard Acl)

    Command Line Interface Related Commands permit, deny (4-140) ip access-group (4-142) show ip access-list (4-142) permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 436 Access Control List Commands Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] [no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] •...
  • Page 437: Show Ip Access-List

    Command Line Interface This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80 Console(config-ext-acl)# Related Commands access-list ip (4-139) show ip access-list This command displays the rules for configured IP ACLs.
  • Page 438: Show Ip Access-Group

    Access Control List Commands Command Mode Interface Configuration (Ethernet) Command Usage • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
  • Page 439: Access-List Mac

    Command Line Interface Table 4-40 MAC ACL Commands
    - mac access-group (4-147) – Adds a port to a MAC ACL
    - show mac access-group (4-147) – Shows port assignments for MAC ACLs
    access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
  • Page 440: Permit, Deny (Mac Acl)

    Access Control List Commands permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 441: Show Mac Access-List

    Command Line Interface Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. • The ethertype option can only be used to filter Ethernet II formatted packets. • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: - 0800 - IP - 0806 - ARP...
  • Page 442: Mac Access-Group

    Access Control List Commands mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
  • Page 443: Acl Information

    Command Line Interface ACL Information Table 4-41 ACL Information
    - show access-list (4-148) – Shows all ACLs and associated rules
    - show access-group (4-148) – Shows the ACLs assigned to each port
    show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 444: Snmp Commands

    SNMP Commands SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 445: Snmp-Server

    Command Line Interface snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp...
  • Page 446: Snmp-Server Community

    SNMP Commands Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables...
  • Page 447: Snmp-Server Contact

    Command Line Interface • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information.
  • Page 448: Snmp-Server Host

    SNMP Commands Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-152) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}...
  • Page 449 Command Line Interface • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
  • Page 450: Snmp-Server Enable Traps

    SNMP Commands supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications. • If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.
  • Page 451: Snmp-Server Engine-Id

    Command Line Interface conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-159). Example Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands snmp-server host (4-153) snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
  • Page 452: Show Snmp Engine-Id

    SNMP Commands • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 4-162).
  • Page 453: Snmp-Server View

    Command Line Interface snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
  • Page 454: Show Snmp View

    SNMP Commands show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile Row Status: active...
  • Page 455: Show Snmp Group

    Command Line Interface Default Setting • Default groups: public (read only), private (read/write) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothing is defined. • notifyview - Nothing is defined. Command Mode Global Configuration Command Usage •...
  • Page 456 SNMP Commands Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v2c...
  • Page 457: Snmp-Server User

    Command Line Interface Table 4-45 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry.
  • Page 458 SNMP Commands Default Setting None Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. •...
  • Page 459: Show Snmp User

    Command Line Interface show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
  • Page 460: Interface Commands

    Interface Commands Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-1 Interface Commands
    - interface (4-166) – Configures an interface type and enters interface configuration mode
    - description – Adds a description to an interface configuration...
  • Page 461: Description

    Command Line Interface Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 462: Negotiation

    Interface Commands • When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
  • Page 463: Capabilities

    Command Line Interface Example The following example configures port 11 to use autonegotiation. Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)# Related Commands capabilities (4-169) speed-duplex (4-167) capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
  • Page 464: Flowcontrol

    Interface Commands Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (4-168) speed-duplex (4-167) flowcontrol (4-170) flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting...
  • Page 465: Shutdown

    Command Line Interface Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-168) capabilities (flowcontrol, symmetric) (4-169) shutdown This command disables an interface. To restart a disabled interface, use the no form.
  • Page 466: Switchport Packet-Rate

    Interface Commands switchport packet-rate This command configures broadcast, multicast, and unknown unicast storm control. Use the no form to restore the default setting. Syntax switchport broadcast packet-rate rate no switchport broadcast • broadcast - Specifies storm control for broadcast traffic. •...
  • Page 467: Show Interfaces Status

    Command Line Interface Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 468: Show Interfaces Counters

    Interface Commands Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-61 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, Broadcast storm: Enabled Broadcast storm limit: 64 Kbits/second Flow control: Disabled Lacp: Disabled...
  • Page 469: Show Interfaces Switchport

    Command Line Interface Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1...
  • Page 470 Interface Commands Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast threshold: Enabled, 64 Kbits/second LACP status: Enabled Ingress Rate Limit: Disabled, 100000 Kbits per second Egress Rate Limit: Disabled, 100000 Kbits per second VLAN membership mode: Hybrid Ingress rule:...
  • Page 471: Mirror Port Commands

    Command Line Interface Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-3 Mirror Port Commands
    - port monitor (4-177) – Configures a mirror session
    - show port monitor (4-178) – Shows the configuration for a mirror port
    port monitor...
  • Page 472: Show Port Monitor

    Mirror Port Commands Example The following example configures the switch to mirror received packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
  • Page 473: Rate Limit Commands

    Command Line Interface Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 474: Link Aggregation Commands

    Link Aggregation Commands Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 475: Channel-Group

    Command Line Interface Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports. •...
  • Page 476: Lacp

    Link Aggregation Commands Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting...
  • Page 477: Lacp System-Priority

    Command Line Interface Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 478: Lacp Admin-Key (Ethernet Interface)

    Link Aggregation Commands Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 479: Lacp Admin-Key (Port Channel)

    Command Line Interface • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 480: Lacp Port-Priority

    Link Aggregation Commands lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 481: Show Lacp

    Command Line Interface Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-6...
  • Page 482 Link Aggregation Commands Table 4-7 show lacp internal - display description Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel.
  • Page 483 Command Line Interface Table 4-8 show lacp neighbors - display description Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Current administrative value of the port number for the protocol Partner.
  • Page 484: Address Table Commands

    Address Table Commands Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 4-10 Address Table Commands
    - mac-address-table static (4-190) – Maps a static address to a port in a VLAN
    - clear mac-address-table...
  • Page 485: Clear Mac-Address-Table Dynamic

    Command Line Interface Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: •...
  • Page 486: Mac-Address-Table Aging-Time

    Address Table Commands • sort - Sort by address, vlan or interface. Default Setting None Command Mode Privileged Exec Command Usage • The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: - Learned - Dynamic address entries - Permanent - Static entry - Delete-on-reset - Static entry to be deleted when system is reset...
  • Page 487: Show Mac-Address-Table Aging-Time

    Command Line Interface Example Console(config)#mac-address-table aging-time 100 Console(config)# show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 100 sec. Console# LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
  • Page 488 LLDP Commands Table 4-11 LLDP Commands (Continued)
    - lldp reinit-delay (4-198) – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down
    - lldp tx-delay (4-198) – Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables...
  • Page 489: Lldp

    Command Line Interface Table 4-11 LLDP Commands (Continued)
    - lldp medtlv med-cap (4-209) – Configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities
    - lldp medtlv network-policy (4-209) – Configures an LLDP-MED-enabled port to advertise its network policy configuration
    - show lldp config (4-210) – Shows LLDP configuration settings for all ports...
  • Page 490: Lldp Medfaststartcount

    LLDP Commands Command Mode Global Configuration Command Usage The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner. Example Console(config)#lldp holdtime-multiplier 10 Console(config)# lldp medFastStartCount This command specifies the amount of MED Fast Start LLDPDUs to transmit during...
  • Page 491: Lldp Refresh-Interval

    Command Line Interface Default Setting 5 seconds Command Mode Global Configuration Command Usage • This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. • Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
  • Page 492: Lldp Reinit-Delay

    LLDP Commands lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay seconds - Specifies the delay before attempting to re-initialize LLDP. (Range: 1 - 10 seconds) Default Setting 2 seconds...
  • Page 493: Lldp Admin-Status

    Command Line Interface • This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval Example Console(config)#lldp tx-delay 10 Console(config)# lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status...
  • Page 494: Lldp Mednotification

    LLDP Commands the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. • SNMP trap destinations are defined using the snmp-server host command (page 4-153). • Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
  • Page 495: Lldp Basic-Tlv Management-Ip-Address

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp mednotification Console(config-if)# lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode...
  • Page 496: Lldp Basic-Tlv System-Capabilities

    LLDP Commands Syntax [no] lldp basic-tlv port-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
  • Page 497: Lldp Basic-Tlv System-Name

    Command Line Interface Syntax [no] lldp basic-tlv system-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.
  • Page 498: Lldp Dot1-Tlv Proto-Vid

    LLDP Commands Syntax [no] lldp dot1-tlv proto-ident Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-related VLAN information.
  • Page 499: Lldp Dot1-Tlv Vlan-Name

    Command Line Interface Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan” on page 4-247). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)#...
  • Page 500: Lldp Dot3-Tlv Mac-Phy

    LLDP Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv link-agg...
  • Page 501: Lldp Dot3-Tlv Poe

    Command Line Interface Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Refer to “Frame Size Commands” on page 4-83 for information on configuring the maximum frame size for this switch. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its...
  • Page 502: Lldp Medtlv Inventory

    LLDP Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
  • Page 503: Lldp Medtlv Med-Cap

    Command Line Interface Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv location Console(config-if)# lldp medtlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities.
  • Page 504: Show Lldp Config

    LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
  • Page 505 Command Line Interface Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |AdminStatus NotificationEnabled --------- + ----------- -------------------...
  • Page 506: Show Lldp Info Local-Device

    LLDP Commands show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device. Syntax show lldp info local-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 507: Show Lldp Info Remote-Device

    Command Line Interface show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit.
  • Page 508 LLDP Commands • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) • port-channel channel-id (Range: 1-8) Command Mode Privileged Exec Example switch#show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count...
  • Page 509: Upnp Commands

    Command Line Interface UPnP Commands Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
  • Page 510: Upnp Device Ttl

    UPnP Commands upnp device ttl This command sets the time-to-live (TTL) value for UPnP messages sent from the device. Syntax upnp device ttl {value} • value - The number of router hops a UPnP packet can travel before it is discarded.
  • Page 511: Show Upnp

    Command Line Interface Related Commands upnp device ttl (4-216) show upnp This command displays the UPnP management status and time out settings. Command Mode Privileged Exec Example Console#show upnp UPnP global settings: Status: Enabled Advertise duration: TTL: Console# Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
  • Page 512: Spanning-Tree

    Spanning Tree Commands Table 4-12 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree Disables spanning tree for an interface 4-227 spanning-disabled spanning-tree cost Configures the spanning tree path cost of an interface 4-227 spanning-tree port-priority Configures the spanning tree priority of an interface 4-228 spanning-tree edge-port Enables fast forwarding for edge ports...
  • Page 513: Spanning-Tree Mode

    Command Line Interface an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down. Example This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree...
  • Page 514: Spanning-Tree Forward-Time

    Spanning Tree Commands • Multiple Spanning Tree Protocol - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances. - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
  • Page 515: Spanning-Tree Hello-Time

    Command Line Interface spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) -1].
  • Page 516: Spanning-Tree Priority

    Spanning Tree Commands ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
  • Page 517: Spanning-Tree Transmission-Limit

    Command Line Interface no spanning-tree pathcost method • long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol. • short - Specifies 16-bit based values that range from 1-65535. This method is based on the IEEE 802.1 Spanning Tree Protocol.
  • Page 518: Mst Vlan

    Spanning Tree Commands • No VLANs are mapped to any MST instance. • The region name is set to the switch’s MAC address. Command Mode Global Configuration Example Console(config)#spanning-tree mst configuration Console(config-mstp)# Related Commands mst vlan (4-224) mst priority (4-225) name (4-225) revision (4-226) max-hops (4-226) mst vlan...
  • Page 519: Mst Priority

    Command Line Interface Example Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) •...
  • Page 520: Revision

    Spanning Tree Commands MST Configuration Command Usage The MST region name and revision number (page 4-226) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
  • Page 521: Spanning-Tree Spanning-Disabled

    Command Line Interface hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed.
  • Page 522: Spanning-Tree Port-Priority

    Spanning Tree Commands cost - The path cost for the port. (Range: 0 for auto-configuration, or 1-200,000,000) The recommended range is: • Ethernet: 200,000-20,000,000 • Fast Ethernet: 20,000-2,000,000 • Gigabit Ethernet: 2,000-200,000 • 10 Gigabit Ethernet: 200-20,000 Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
  • Page 523: Spanning-Tree Edge-Port

    Command Line Interface Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, the lowest value) will be configured as an active link in the spanning tree.
  • Page 524: Spanning-Tree Portfast

    Spanning Tree Commands Related Commands spanning-tree portfast (4-230) spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 525: Spanning-Tree Link-Type

    Command Line Interface spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type • auto - Automatically derived from the duplex mode setting. •...
  • Page 526: Spanning-Tree Loopback-Detection Release-Mode

    Spanning Tree Commands 9.3.4 (Note 1). • Port Loopback Detection will not be active if Spanning Tree is disabled on the switch. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection spanning-tree loopback-detection release-mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received.
  • Page 527: Spanning-Tree Loopback-Detection Trap

    Command Line Interface spanning-tree loopback-detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default. Syntax spanning-tree loopback-detection trap no spanning-tree loopback-detection trap Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection trap...
  • Page 528: Spanning-Tree Mst Port-Priority

    Spanning Tree Commands • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
  • Page 529: Spanning-Tree Protocol-Migration

    Command Line Interface spanning-tree mst cost (4-233) spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) •...
  • Page 530 Spanning Tree Commands Command Mode Privileged Exec Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. •...
  • Page 531: Show Spanning-Tree Mst Configuration

    Command Line Interface --------------------------------------------------------------- 1/ 1 information --------------------------------------------------------------- Admin status: enable Role: root State: forwarding External admin path cost: 10000 Internal admin cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000 Priority: Designated cost: 200000 Designated port: 128.24 Designated root: 32768.0.0000ABCD0000...
  • Page 532: Vlan Commands

    VLAN Commands VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 533: Bridge-Ext Gvrp

    Command Line Interface bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
  • Page 534: Switchport Gvrp

    VLAN Commands switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/6 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
  • Page 535 Command Line Interface garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 536: Garp Timer

    VLAN Commands Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) • port-channel channel-id (Range: 1-8) Default Setting Shows all GARP timers. Command Mode Normal Exec, Privileged Exec Example Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status:...
  • Page 537: Vlan

    Command Line Interface Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
  • Page 538: Configuring Vlan Interfaces

    VLAN Commands Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Console(config)#vlan database Console(config-vlan)#vlan 105 name RD5 media ethernet Console(config-vlan)# Related Commands show vlan (4-250) Configuring VLAN Interfaces Table 4-16 Configuring VLAN Interfaces Command Function...
  • Page 539: Switchport Mode

    Command Line Interface Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-171) switchport mode This command configures the VLAN membership mode for a port.
  • Page 540: Switchport Acceptable-Frame-Types

    VLAN Commands switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
  • Page 541: Switchport Native Vlan

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Ingress filtering only affects tagged frames. • With ingress filtering enabled, a port will discard received frames tagged for VLANs of which it is not a member. •...
  • Page 542: Switchport Allowed Vlan

    VLAN Commands switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged.
  • Page 543: Switchport Forbidden Vlan

    Command Line Interface Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan This command configures forbidden VLANs.
  • Page 544: Displaying Vlan Information

    VLAN Commands Displaying VLAN Information Table 4-17 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-250 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-173 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-175 interface...
  • Page 545: Configuring Ieee 802.1Q Tunneling

    Command Line Interface Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 546: Switchport Dot1Q-Tunnel Mode

    VLAN Commands Default Setting Disabled Command Mode Global Configuration Command Usage QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional. Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)# Related Commands show dot1q-tunnel (4-253) show interfaces switchport (4-175) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port.
  • Page 547: Switchport Dot1Q-Tunnel Tpid

    Command Line Interface switchport dot1q-tunnel tpid This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-tunnel tpid tpid no switchport dot1q-tunnel tpid tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 548: Configuring Private Vlans

    VLAN Commands Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
  • Page 549 Command Line Interface Table 4-19 Private VLAN Commands Command Function Mode Page private-vlan association Associates a community VLAN with a primary VLAN 4-256 Configure Private VLAN Interfaces switchport mode Sets an interface to host mode or promiscuous mode 4-257 private-vlan switchport private-vlan Associates an interface with a secondary VLAN 4-258...
  • Page 550: Private-Vlan

    VLAN Commands private-vlan Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | primary | isolated} no private-vlan vlan-id • vlan-id - ID of private VLAN. (Range: 1-4092, no leading zeroes). •...
  • Page 551: Switchport Mode Private-Vlan

    Command Line Interface no private-vlan primary-vlan-id association • primary-vlan-id - ID of primary VLAN. (Range: 1-4092, no leading zeroes). • secondary-vlan-id - ID of secondary (i.e., community) VLAN. (Range: 1-4092, no leading zeroes). Default Setting None Command Mode VLAN Configuration Command Usage Secondary VLANs provide security for group members.
  • Page 552: Switchport Private-Vlan Host-Association

    VLAN Commands • To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command. Example Console(config)#interface ethernet 1/2 Console(config-if)#switchport mode private-vlan promiscuous Console(config-if)#exit Console(config)#interface ethernet 1/3 Console(config-if)#switchport mode private-vlan host Console(config-if)# switchport private-vlan host-association Use this command to associate an interface with a secondary VLAN.
  • Page 553: Switchport Private-Vlan Mapping

    Command Line Interface Default Setting None Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Host ports assigned to an isolated VLAN cannot pass traffic between group members, and must communicate with resources outside of the group via a promiscuous port. Example Console(config)#interface ethernet 1/3 Console(config-if)#switchport private-vlan isolated 3...
  • Page 554 VLAN Commands Syntax show vlan private-vlan [community | isolated | primary] • community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces. • isolated – Displays an isolated VLAN, along with the assigned promiscuous interface and host interfaces. The Primary and Secondary fields both display the isolated VLAN ID.
  • Page 555: Configuring Protocol-Based Vlans

    Command Line Interface Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 556: Protocol-Vlan Protocol-Group (Configuring Vlans)

    VLAN Commands • group-id - Group identifier of this protocol group. (Range: 1-2147483647) • frame - Frame type used by this protocol. (Options: ethernet, rfc_1042, llc_other) • protocol - Protocol type. The only option for the llc_other frame type is ipx_raw.
  • Page 557: Show Protocol-Vlan Protocol-Group

    Command Line Interface applied to tagged frames. - If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for the interface.
  • Page 558: Show Protocol-Vlan Protocol-Group-Vid

    Priority Commands This shows that traffic matching the specifications for protocol group 2 will be mapped to VLAN 2: Console#show protocol-vlan protocol-group-vid ProtocolGroup ID VLAN ID ------------------ ----------- VLAN2 Console# Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion.
  • Page 559: Queue Mode

    Command Line Interface queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
  • Page 560: Queue Bandwidth

    Priority Commands Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority.
  • Page 561: Queue Cos-Map

    Command Line Interface Command Mode Global Configuration Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example This example shows how to assign WRR weights to priority queues 0 - 2: Console(config)#queue bandwidth 6 9 12 Console(config)# Related Commands show queue bandwidth (4-268)
  • Page 562: Show Queue Mode

    Priority Commands Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to change the CoS assignments: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0 Console(config-if)#queue cos-map 1 1...
  • Page 563: Show Queue Cos-Map

    Command Line Interface Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 564: Map Ip Dscp (Interface Configuration)

    Priority Commands Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. Example The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp Console(config)# map ip dscp (Interface Configuration)
  • Page 565: Show Map Ip Dscp

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues.
  • Page 566: Quality Of Service Commands

    Quality of Service Commands Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (4-269)
  • Page 567 Command Line Interface To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. Use the match command to select a specific type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 568: Match

    Quality of Service Commands • The class map is used with a policy map (page 4-275) to create a service policy (page 4-278) for a specific interface that defines packet classification, service tagging, and bandwidth policing. Example This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class match-any Console(config-cmap)#match ip dscp 3...
  • Page 569: Policy-Map

    Command Line Interface This example creates a class map called “rd_class#2,” and sets it to match packets marked for IP Precedence service value 5: Console(config)#class-map rd_class#2 match-any Console(config-cmap)#match ip precedence 5 Console(config-cmap)# This example creates a class map called “rd_class#3,” and sets it to match packets marked for VLAN 1: Console(config)#class-map rd_class#3 match-any Console(config-cmap)#match vlan 1...
  • Page 570: Class

    Quality of Service Commands class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode. Syntax [no] class class-map-name class-map-name - Name of the class map.
  • Page 571: Set

    Command Line Interface This command services IP traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified by the match command on page 4-274). Use the no form to remove the traffic classification. Syntax [no] set {cos new-cos | ip dscp new-dscp | ip precedence new-precedence | ipv6 dscp new-dscp} •...
  • Page 572: Service-Policy

    Quality of Service Commands Policy Map Class Configuration Command Usage • You can configure up to 64 policers (i.e., meters or class maps) for each of the following access list types: MAC ACL, IP ACL (including Standard ACL and Extended ACL), IPv6 Standard ACL, and IPv6 Extended ACL. This limitation applies to each switch chip (TL-SL5428: ports 1-28;...
  • Page 573: Show Policy-Map

    Command Line Interface Example This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/1 Console(config-if)#service-policy input rd_policy Console(config-if)# show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map.
  • Page 574: Voice Vlan Commands

    Voice VLAN Commands Example Console#show policy-map Policy Map rd_policy class rd_class set ip dscp 3 Console#show policy-map rd_policy class rd_class Policy Map rd_policy class rd_class set ip dscp 3 Console# show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface...
  • Page 575: Voice Vlan

    Table 4-27 Voice VLAN Commands (command, function, page)
    switchport voice vlan security - Enables Voice VLAN security on ports (4-284)
    switchport voice vlan priority - Sets the VoIP traffic priority for ports (4-285)
    show voice vlan - Displays Voice VLAN settings (4-286)
    voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN ID.
  • Page 576: Voice Vlan Aging

    voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default.
    Syntax: voice vlan aging minutes
    no voice vlan
    minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
    Default Setting: 1440 minutes...
  • Page 577: Switchport Voice Vlan

    Command Usage
    • VoIP devices attached to the switch can be identified by the manufacturer’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 578: Switchport Voice Vlan Rule

    Voice VLAN Commands switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port. Syntax [no] switchport voice vlan rule {oui | lldp} •...
  • Page 579: Switchport Voice Vlan Priority

    Command Usage
    • Security filtering discards any non-VoIP packets received on the port that are tagged with the Voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP, which discovers VoIP devices attached to the switch.
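    The Voice VLAN pages above (voice vlan aging, the OUI and LLDP detection rules, and security filtering) describe the behaviour in prose. The following Python model is an added example, not switch firmware: a frame whose source MAC carries an OUI from the telephony list, or a MAC learned through the LLDP rule, makes the port a Voice VLAN member; with security on, a non-VoIP frame tagged with the Voice VLAN ID is dropped; and membership lapses after the aging interval with no VoIP traffic. The telephony OUI 00-e0-bb, the frames, the Voice VLAN ID 1000 and the minute-based timestamps are constructed for this example.

```python
"""Voice VLAN detection by telephony OUI, with security filtering and aging.

Added illustration, not TP-Link firmware.  The OUI list, frames and
timestamps used with it are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Accept 00:e0:bb:..., 00-E0-BB-..., or 00e0.bb12.3456 and return 'xx-xx-xx-xx-xx-xx'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three octets: the Organizationally Unique Identifier, as 'xx-xx-xx'."""
    return normalize_mac(mac)[:8]


@dataclass
class VoiceVlanPort:
    voice_vlan: int
    telephony_ouis: set                            # entries as 'xx-xx-xx'
    security: bool = True                          # switchport voice vlan security
    rule_oui: bool = True                          # switchport voice vlan rule oui
    aging_minutes: int = 1440                      # voice vlan aging (page default)
    lldp_voip_macs: set = field(default_factory=set)   # devices found via the lldp rule
    last_voip_seen: Optional[float] = None         # minutes; None means not a member

    def is_voip_source(self, src_mac: str) -> bool:
        """VoIP device if the OUI is in the telephony list or LLDP identified the MAC."""
        mac = normalize_mac(src_mac)
        if self.rule_oui and oui_of(mac) in self.telephony_ouis:
            return True
        return mac in self.lldp_voip_macs

    def handle(self, src_mac: str, vlan: Optional[int], now: float) -> str:
        """Classify one received frame; returns 'voice', 'forward' or 'drop'."""
        if self.is_voip_source(src_mac):
            self.last_voip_seen = now              # join, or refresh, Voice VLAN membership
            return "voice"
        if vlan == self.voice_vlan and self.security:
            return "drop"                          # non-VoIP frame tagged with the Voice VLAN ID
        return "forward"

    def is_member(self, now: float) -> bool:
        """Membership lapses after aging_minutes without VoIP traffic."""
        if self.last_voip_seen is None:
            return False
        if now - self.last_voip_seen >= self.aging_minutes:
            self.last_voip_seen = None
            return False
        return True
```

    Security filtering only inspects frames already tagged with the Voice VLAN ID, so a PC on the same port that sends untagged or data-VLAN traffic is forwarded normally; what it stops is a non-phone device injecting frames into the voice VLAN by tagging them itself.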
  • Page 580: Show Voice Vlan

    Voice VLAN Commands show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} • oui - Displays the OUI Telephony list. • status - Displays the global and port Voice VLAN settings. Default Setting None Command Mode...
  • Page 581: Multicast Filtering Commands

    Command Line Interface Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 582: Ip Igmp Snooping

    ip igmp snooping: This command enables IGMP snooping on this switch. Use the no form to disable it.
    Syntax: [no] ip igmp snooping
    Default Setting: Enabled
    Command Mode: Global Configuration
    Example: The following example enables IGMP snooping.
    Console(config)#ip igmp snooping
    Console(config)#
    ip igmp snooping vlan static...
  • Page 583: Ip Igmp Snooping Version

    Command Line Interface ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
  • Page 584: Ip Igmp Snooping Immediate-Leave

    Multicast Filtering Commands Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. • The leave-proxy feature does not function when a switch is set as the querier. Example Console(config)#ip igmp snooping leave-proxy Console(config)#...
  • Page 585: Show Ip Igmp Snooping

    Command Line Interface show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-215 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping...
  • Page 586: Igmp Query Commands (Layer 2)

    Example: The following shows the multicast entries learned through IGMP snooping for VLAN 1:
    Console#show mac-address-table multicast vlan 1 igmp-snooping
     VLAN  M'cast IP addr.  Member ports  Type
     ----  ---------------  ------------  -------
        1  224.1.2.3        Eth1/11       IGMP
    Console#
    IGMP Query Commands (Layer 2): This section describes commands used to configure Layer 2 IGMP query on the switch.
  • Page 587: Ip Igmp Snooping Query-Count

    Example
    Console(config)#ip igmp snooping querier
    Console(config)#
    ip igmp snooping query-count: This command configures the query count. Use the no form to restore the default.
    Syntax: ip igmp snooping query-count count
    no ip igmp snooping query-count
    count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
  • Page 588: Ip Igmp Snooping Query-Max-Response-Time

    Default Setting: 125 seconds
    Command Mode: Global Configuration
    Example: The following shows how to configure the query interval to 100 seconds:
    Console(config)#ip igmp snooping query-interval 100
    Console(config)#
    ip igmp snooping query-max-response-time: This command configures the query report delay. Use the no form to restore the default.
  • Page 589: Ip Igmp Snooping Router-Port-Expire-Time

    Command Line Interface ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
  • Page 590: Ip Igmp Snooping Vlan Mrouter

    Multicast Filtering Commands ip igmp snooping vlan mrouter This command statically configures a multicast router port. Use the no form to remove the configuration. Syntax [no] ip igmp snooping vlan vlan-id mrouter interface • vlan-id - VLAN ID (Range: 1-4092) •...
  • Page 591: Igmp Filtering And Throttling Commands

    Command Usage: Multicast router port types displayed include Static.
    Example: The following shows that port 11 in VLAN 1 is attached to a multicast router:
    Console#show ip igmp snooping mrouter vlan 1
     VLAN  M'cast Router Ports  Type
     ----  -------------------  -------
        1  Eth 1/11             Static...
  • Page 592: Ip Igmp Filter (Global Configuration)

    Multicast Filtering Commands ip igmp filter (Global Configuration) This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 593: Permit, Deny

    Command Line Interface Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode;...
  • Page 594: Ip Igmp Filter (Interface Configuration)

    Command Mode: IGMP Profile Configuration
    Command Usage: Enter this command multiple times to specify more than one multicast address or address range for a profile.
    Example
    Console(config)#ip igmp profile 19
    Console(config-igmp-profile)#range 239.1.1.1
    Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
    Console(config-igmp-profile)#
    ip igmp filter (Interface Configuration): This command assigns an IGMP filtering profile to an interface on the switch.
  • Page 595: Ip Igmp Max-Groups Action

    Command Line Interface number - The maximum number of multicast groups an interface can join at the same time. (Range: 0-64) Default Setting Command Mode Interface Configuration Command Usage • IGMP throttling sets a maximum number of multicast groups that a port can join at the same time.
  • Page 596: Show Ip Igmp Filter

    Example
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip igmp max-groups action replace
    Console(config-if)#
    show ip igmp filter: This command displays the global and interface settings for IGMP filtering.
    Syntax: show ip igmp filter [interface interface]
    interface
    • ethernet unit/port
     - unit - Stack unit. (Range: 1)
     - port - Port number.
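    The IGMP filtering and throttling pages above (profiles with permit or deny ranges, one profile per interface, ip igmp max-groups with action deny or replace) are easier to reason about as code. The following Python model is an added example, not switch firmware. Profile 19 with its two deny ranges is taken from the page; the join sequence, the port name and the other group addresses are constructed here, and treating max_groups=0 as "no limit" is an assumption of this example, not something the page states.

```python
"""IGMP filtering profiles and throttling, as described on the page.

Added illustration, not switch firmware.  A profile is a permit or deny list
of multicast group ranges; a port has at most one profile, a `max-groups`
limit and an action of deny or replace when the limit is reached.  Group
addresses in the join sequence are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    number: int
    mode: str = "deny"                   # "permit" or "deny": the profile's single access mode
    ranges: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)

    def range(self, start: str, end: Optional[str] = None) -> None:
        """`range START [END]`; a single address is a range of one."""
        lo, hi = IPv4Address(start), IPv4Address(end or start)
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"invalid multicast range {start}-{end or start}")
        self.ranges.append((lo, hi))

    def covers(self, group: str) -> bool:
        g = IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        """permit: only listed groups may be joined; deny: listed groups may not."""
        return self.covers(group) if self.mode == "permit" else not self.covers(group)


@dataclass
class IgmpPort:
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: int = 0                  # 0 = unlimited (assumption of this example)
    action: str = "deny"                 # ip igmp max-groups action {deny | replace}
    groups: List[str] = field(default_factory=list)   # current memberships, oldest first

    def join(self, group: str) -> str:
        """Process an IGMP report for `group`; returns what the switch did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "denied:profile"
        if group in self.groups:
            return "refreshed"
        if self.max_groups and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "denied:max-groups"
            evicted = self.groups.pop(0)     # replace: the oldest membership gives way
            self.groups.append(group)
            return f"replaced:{evicted}"
        self.groups.append(group)
        return "joined"

    def leave(self, group: str) -> bool:
        if group in self.groups:
            self.groups.remove(group)
            return True
        return False


def page_profile_19() -> IgmpProfile:
    """The deny profile shown on the page: 239.1.1.1 and 239.2.3.1-239.2.3.100."""
    p = IgmpProfile(19, "deny")
    p.range("239.1.1.1")
    p.range("239.2.3.1", "239.2.3.100")
    return p
```

    Note the order of the two checks: the profile is consulted before the throttle, so a denied group never consumes one of the port's group slots, and with action replace a subscriber who keeps joining new groups evicts their own oldest membership rather than anyone else's.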
  • Page 597: Show Ip Igmp Throttle Interface

    Example
    Console#show ip igmp profile
    IGMP Profile 19
    IGMP Profile 50
    Console#show ip igmp profile 19
    IGMP Profile 19
     Deny
     range 239.1.1.1 239.1.1.1
     range 239.2.3.1 239.2.3.100
    Console#
    show ip igmp throttle interface: This command displays the interface settings for IGMP throttling.
    Syntax: show ip igmp throttle interface [interface]
    interface...
  • Page 598: Multicast Vlan Registration Commands

    Multicast VLAN Registration Commands Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
  • Page 599: Mvr (Interface Configuration)

    Command Usage
    • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • Page 600 Multicast VLAN Registration Commands Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. • MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN.
  • Page 601: Show Mvr

    Command Line Interface show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
  • Page 602: Show Mvr

    The following displays information about the interfaces attached to the MVR VLAN:
    Console#show mvr interface
     Port     Type      Status         Immediate Leave
     -------  --------  -------------  ---------------
     eth1/1   SOURCE    ACTIVE/UP      Disable
     eth1/2   RECEIVER  ACTIVE/UP      Disable
     eth1/5   RECEIVER  INACTIVE/DOWN  Disable
     eth1/6   RECEIVER  INACTIVE/DOWN...
  • Page 603: Ip Interface Commands

    IP Interface Commands: An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 604: Ip Default-Gateway

    IP Interface Commands • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
  • Page 605: Ip Dhcp Restart

    Command Line Interface ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. •...
  • Page 606: Show Ip Redirects

    show ip redirects: This command shows the default gateway configured for this device.
    Default Setting: None
    Command Mode: Privileged Exec
    Example
    Console#show ip redirects
    IP default gateway 10.1.0.254
    Console#
    Related Commands: ip default-gateway (4-310)
    ping: This command sends ICMP echo request packets to another node on the network.
    Syntax: ping host [size size] [count count]
    •...
  • Page 607: Ip Source Guard Commands

    Example
    Console#ping 10.1.0.9
    Type ESC to abort.
    PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    Ping statistics for 10.1.0.9:
     5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
    Approximate round trip times:...
  • Page 608: Ip Source Guard Commands

    • sip-mac - Filters traffic based on IP addresses and the corresponding MAC addresses stored in the binding table.
    Default Setting: Disabled
    Command Mode: Interface Configuration (Ethernet)
    Command Usage
    • Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and which may therefore be subject to spoofing attacks in which a host tries to use the IP address of a neighbor.
  • Page 609: Ip Source-Guard Binding

    yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.
    Example: This example enables IP source guard on port 5.
    Console(config)#interface ethernet 1/5
    Console(config-if)#ip source-guard sip
    Console(config-if)#
    Related Commands: ip source-guard binding (4-315), ip dhcp snooping (4-317), ip dhcp snooping vlan (4-319)
    ip source-guard binding...
  • Page 610: Show Ip Source-Guard

    - If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table with the type static IP source guard binding.
    - If there is an entry with the same VLAN ID and MAC address, and the type of that entry is static IP source guard binding, then the new entry replaces the old one.
  • Page 611: Dhcp Snooping Commands

    Example
    Console#show ip source-guard binding
    MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
    -----------------  ---------------  ----------  --------------------  ----  ---------
    11-22-33-44-55-66  192.168.0.99     0           Static                1     Eth 1/5
    Console#
    DHCP Snooping Commands: DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 612: Dhcp Snooping Commands

    DHCP Snooping Commands messages received on an unsecure interface from outside the network or firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command (page 4-319), DHCP messages received on an untrusted interface (as specified by the no ip dhcp snooping trust command, page 4-320) from a device not listed in the DHCP snooping table will be dropped.
  • Page 613: Ip Dhcp Snooping Vlan

    Command Line Interface switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
  • Page 614: Ip Dhcp Snooping Trust

    DHCP Snooping Commands Related Commands ip dhcp snooping (4-317) ip dhcp snooping trust (4-320) ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode...
  • Page 615: Ip Dhcp Snooping Verify Mac-Address

    Command Line Interface ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function. Syntax [no] ip dhcp snooping verify mac-address Default Setting Enabled Command Mode...
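    The IP source guard and DHCP snooping pages above describe a set of interlocking rules: bindings are learned from DHCP or added statically (replacing an existing static entry for the same VLAN and MAC), server messages are dropped on untrusted ports, verify mac-address compares the DHCP chaddr with the Ethernet source MAC, and a source-guard port forwards only IP packets whose source matches a binding (sip: IP only; sip-mac: IP and MAC) and drops everything except DHCP until it has one. The following Python model is an added example that ties those rules together; it is not TP-Link code. The message dicts, port names, the client MAC 11-22-33-44-55-66 and address 192.168.0.99 (from the page's show output) and the rogue-server OFFER are constructed here. The page does not show what happens when a static binding collides with a dynamic one, or whether a second ACK updates an existing dynamic entry; this example replaces in the first case and keeps the existing entry in the second, both assumptions.

```python
"""DHCP snooping and IP source guard as a per-port packet filter.

Added illustration, not TP-Link firmware.  Messages are dicts with the keys
"type", "chaddr", "src_mac" and (for server replies) "yiaddr"; IP packets
carry "src_ip", "src_mac" and an optional "dhcp" flag.  All of that is an
assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # only legitimate on trusted ports


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str                                  # "static" or "dynamic"


@dataclass
class SnoopingSwitch:
    snooping_vlans: Set[int] = field(default_factory=set)       # ip dhcp snooping vlan
    trusted_ports: Set[str] = field(default_factory=set)        # ip dhcp snooping trust
    verify_mac: bool = True                                     # verify mac-address (default on)
    source_guard: Dict[str, str] = field(default_factory=dict)  # port -> "sip" | "sip-mac"
    bindings: List[Binding] = field(default_factory=list)
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, chaddr) -> client port

    def find(self, vlan: int, mac: str) -> Optional[Binding]:
        return next((b for b in self.bindings if b.vlan == vlan and b.mac == mac), None)

    def add_static_binding(self, mac: str, ip: str, vlan: int, port: str) -> str:
        """`ip source-guard binding`: add, or replace the entry with the same VLAN and MAC."""
        old = self.find(vlan, mac)
        if old is not None:                    # static replaces static (page); replacing dynamic is assumed
            self.bindings.remove(old)
        self.bindings.append(Binding(mac, ip, vlan, port, "static"))
        return "added" if old is None else f"replaced:{old.kind}"

    def dhcp_filter(self, msg: dict, port: str, vlan: int) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP message arriving on `port`."""
        if vlan not in self.snooping_vlans:
            return "forward"
        if port in self.trusted_ports:
            if msg["type"] == "ACK":           # learn a dynamic binding for the client's port
                client_port = self.pending.get((vlan, msg["chaddr"]))
                if client_port and self.find(vlan, msg["chaddr"]) is None:
                    self.bindings.append(Binding(msg["chaddr"], msg["yiaddr"], vlan, client_port, "dynamic"))
            return "forward"
        if msg["type"] in SERVER_MESSAGES:
            return "drop:server message on untrusted port"     # rogue DHCP server
        if self.verify_mac and msg["chaddr"] != msg["src_mac"]:
            return "drop:chaddr does not match source MAC"    # forged client identity
        self.pending[(vlan, msg["chaddr"])] = port
        return "forward"

    def ip_filter(self, pkt: dict, port: str, vlan: int) -> str:
        """IP source guard check for one IP packet arriving on `port`."""
        mode = self.source_guard.get(port)
        if mode is None or pkt.get("dhcp", False):
            return "forward"                   # unguarded port, or DHCP, which is always allowed
        port_bindings = [b for b in self.bindings if b.port == port and b.vlan == vlan]
        if not port_bindings:
            return "drop:no binding yet for this port"
        for b in port_bindings:
            if b.ip == pkt["src_ip"] and (mode == "sip" or b.mac == pkt["src_mac"]):
                return "forward"
        return "drop:source not in binding table"
```

    The ordering matters for the practitioner: source guard is only as good as the binding table behind it, so enabling ip source-guard on an access port without DHCP snooping on that VLAN (or a static binding) silently blocks every IP packet from the host, and an uplink to the real DHCP server that is left untrusted blocks the ACKs the table is built from.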
  • Page 616: Ip Dhcp Snooping Information Policy

    DHCP Snooping Commands • When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • Page 617: Ip Dhcp Snooping Database Flash

    Command Line Interface ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
  • Page 618: Show Ip Dhcp Snooping Binding

    show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries.
    Command Mode: Privileged Exec
    Example
    Console#show ip dhcp snooping binding
    MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
    -----------------  ---------------  ----------  --------------------  ----  ---------
    11-22-33-44-55-66  192.168.0.99     0           Static                1     Eth 1/5
    Console#...
  • Page 619: Cluster Commander

    Command Line Interface Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
  • Page 620: Cluster Ip-Pool

    Switch Cluster Commands cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool <ip-address> no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 621: Rcommand

    Command Usage
    • The maximum number of cluster Members is 36. The maximum number of switch Candidates is 100.
    Example
    Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
    Console(config)#
    rcommand: This command provides access to a cluster Member CLI for configuration.
    Syntax: rcommand id <member-id>...
  • Page 622: Show Cluster Members

    show cluster members: This command shows the current switch cluster members.
    Command Mode: Privileged Exec
    Example
    Console#show cluster members
    Cluster Members:
     Role: Active member
     IP Address: 10.254.254.2
     MAC Address: 00-12-cf-23-49-c0
     Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
    Console#
    show cluster candidates: This command shows the discovered Candidate switches in the network.
  • Page 624: Appendix A: Software Specifications

    Appendix A: Software Specifications
    Software Features
    Authentication: Local, RADIUS, TACACS, Port (802.1X, MAC Authentication, Web Authentication), HTTPS, SSH, Port Security
    Access Control Lists: IP, MAC; 100 rules per system
    DHCP Client
    Port Configuration: 100BASE-TX: 10/100 Mbps, half/full duplex; 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LH: 1000 Mbps at full duplex (SFP)
    Flow Control: Full Duplex: IEEE 802.3-2005...
  • Page 625: Management Features

    Multicast VLAN Registration
    Quality of Service: DiffServ supports class maps, policy maps, and service policies
    Additional Features: BOOTP client; SNTP (Simple Network Time Protocol); SNMP (Simple Network Management Protocol); RMON (Remote Monitoring, groups 1,2,3,9); SMTP Email Alerts; DHCP Snooping; IP Source Guard; Switch Clustering
    Management Features...
  • Page 626: Management Information Bases

    RADIUS+ (RFC 2618)
    RMON (RFC 1757 groups 1,2,3,9)
    SNMP (RFC 1157)
    SNMPv2 (RFC 2571)
    SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415)
    SNTP (RFC 2030)
    SSH (Version 2.0)
    TFTP (RFC 1350)
    Management Information Bases
    Bridge MIB (RFC 1493)
    Differentiated Services MIB (RFC 3289)
    Entity MIB (RFC 2737)
    Ether-like MIB (RFC 2665)
  • Page 628: Problems Accessing The Management Interface

    Appendix B: Troubleshooting
    Problems Accessing the Management Interface
    Table B-1 Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software
    Action:
    • Be sure the switch is powered up.
    • Check network cabling between the management station and the switch.
    •...
  • Page 629: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 630: Glossary

    Access Control List (ACL): ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
    Boot Protocol (BOOTP): BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 631 Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so...
  • Page 632 Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
  • Page 633 Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
  • Page 634 Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
  • Page 635: Glossary

    Virtual LAN (VLAN): A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.