Accton Technology 24/48 10/100 Ports + 2GE Management Manual

24/48 10/100 ports + 2ge intelligent layer 2 fast ethernet switch
24/48 10/100 Ports + 2GE
Intelligent Layer 2
Fast Ethernet Switch
Powered by Accton
Management Guide
www.edge-core.com

Summary of Contents for Accton Technology 24/48 10/100 Ports + 2GE

  • Page 1 Powered by Accton 24/48 10/100 Ports + 2GE Intelligent Layer 2 Management Guide Fast Ethernet Switch www.edge-core.com...
  • Page 3 Management Guide Fast Ethernet Switch Layer 2 Standalone Switch with 24/48 10/100BASE-TX (RJ-45) Ports, and 2 Combination Gigabit Ports (RJ-45/SFP)
  • Page 4 ES3526XA ES3552XA F2.2.6.3 E122006-CS-R02 149100005500H...
  • Page 5: Table Of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 6 Contents Saving or Restoring Configuration Settings 3-22 Downloading Configuration Settings from a Server 3-23 Console Port Settings 3-24 Telnet Settings 3-26 Configuring Event Logging 3-28 System Log Configuration 3-28 Remote Log Configuration 3-30 Displaying Log Messages 3-31 Sending Simple Mail Transfer Protocol Alerts 3-32 Resetting the System 3-34...
  • Page 7 Contents Access Control Lists 3-82 Configuring Access Control Lists 3-82 Setting the ACL Name and Type 3-83 Configuring a Standard IP ACL 3-84 Configuring an Extended IP ACL 3-85 Configuring a MAC ACL 3-87 Binding a Port to an Access Control List 3-88 Port Configuration 3-89...
  • Page 8 Contents Displaying Current Private VLANs 3-153 Configuring Private VLANs 3-154 Associating VLANs 3-154 Displaying Private VLAN Interface Information 3-155 Configuring Private VLAN Interfaces 3-156 Class of Service Configuration 3-158 Layer 2 Queue Settings 3-158 Setting the Default Priority for Interfaces 3-158 Mapping CoS Values to Egress Queues 3-160...
  • Page 9 Contents Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
  • Page 10 Contents prompt 4-25 hostname 4-26 User Access Commands 4-26 username 4-27 enable password 4-28 IP Filter Commands 4-29 management 4-29 show management 4-30 Web Server Commands 4-31 ip http port 4-31 ip http server 4-31 ip http secure-server 4-32 ip http secure-port 4-33 Telnet Server Commands 4-34...
  • Page 11 Contents sntp client 4-54 sntp server 4-55 sntp poll 4-56 show sntp 4-56 ntp client 4-57 ntp server 4-57 ntp poll 4-58 ntp authenticate 4-59 ntp authentication-key 4-59 show ntp 4-60 clock timezone 4-61 calendar set 4-62 show calendar 4-62 System Status Commands 4-63 show startup-config...
  • Page 12 Contents 802.1X Port Authentication 4-85 dot1x system-auth-control 4-86 dot1x default 4-86 dot1x max-req 4-87 dot1x port-control 4-87 dot1x operation-mode 4-88 dot1x re-authenticate 4-88 dot1x re-authentication 4-89 dot1x timeout quiet-period 4-89 dot1x timeout re-authperiod 4-90 dot1x timeout tx-period 4-90 show dot1x 4-90 Network Access 4-94...
  • Page 13 Contents snmp-server 4-117 show snmp 4-117 snmp-server community 4-118 snmp-server contact 4-119 snmp-server location 4-119 snmp-server host 4-120 snmp-server enable traps 4-122 snmp-server engine-id 4-123 show snmp engine-id 4-124 snmp-server view 4-125 show snmp view 4-126 snmp-server group 4-126 show snmp group 4-127 snmp-server user 4-128...
  • Page 14 Contents clear mac-address-table dynamic 4-158 show mac-address-table 4-158 mac-address-table aging-time 4-159 show mac-address-table aging-time 4-159 Spanning Tree Commands 4-160 spanning-tree 4-161 spanning-tree mode 4-161 spanning-tree forward-time 4-163 spanning-tree hello-time 4-163 spanning-tree max-age 4-164 spanning-tree priority 4-164 spanning-tree pathcost method 4-165 spanning-tree transmission-limit 4-166 spanning-tree mst-configuration...
  • Page 15 Contents private-vlan 4-189 private vlan association 4-190 switchport mode private-vlan 4-191 switchport private-vlan host-association 4-191 switchport private-vlan isolated 4-192 switchport private-vlan mapping 4-193 show vlan private-vlan 4-193 GVRP and Bridge Extension Commands 4-194 bridge-ext gvrp 4-194 show bridge-ext 4-195 switchport gvrp 4-195 show gvrp configuration 4-196...
  • Page 16 Contents ip igmp snooping query-max-response-time 4-218 ip igmp snooping router-port-expire-time 4-218 Static Multicast Routing Commands 4-219 ip igmp snooping vlan mrouter 4-219 show ip igmp snooping mrouter 4-220 IGMP Filtering and Throttling Commands 4-221 ip igmp filter (Global Configuration) 4-221 ip igmp profile 4-222 permit, deny...
  • Page 17 Contents cluster commander 4-250 cluster ip-pool 4-250 cluster member 4-251 rcommand 4-252 show cluster 4-252 show cluster members 4-253 show cluster candidates 4-253 Appendix A: Software Specifications Software Features Management Features Standards Management Information Bases Appendix B: Troubleshooting Problems Accessing the Management Interface Using System Logs Glossary Index...
  • Page 18 Contents...
  • Page 19 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-29 Table 3-6 HTTPS System Support 3-59 Table 3-7 802.1X Statistics 3-73 Table 3-8 LACP Port Counters 3-99 Table 3-9 LACP Internal Configuration Information 3-101 Table 3-10...
  • Page 20 Tables Table 4-27 Authentication Commands 4-76 Table 4-28 Authentication Sequence 4-76 Table 4-29 RADIUS Client Commands 4-78 Table 4-30 TACACS Commands 4-81 Table 4-31 Port Security Commands 4-84 Table 4-32 802.1X Port Authentication 4-85 Table 4-33 Network Access 4-94 Table 4-35 IP ACLs 4-103 Table 4-34...
  • Page 21 Tables Table 4-72 IGMP Filtering and Throttling Commands 4-221 Table 4-73 Multicast VLAN Registration Commands 4-228 Table 4-74 show mvr - display description 4-231 Table 4-76 show mvr members - display description 4-232 Table 4-75 show mvr interface - display description 4-232 Table 4-77 DNS Commands...
  • Page 22 Tables xviii...
  • Page 23 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-10 Figure 3-4 Displaying Switch Information 3-12 Figure 3-5 Bridge Extension Configuration 3-13 Figure 3-6 Manual IP Configuration 3-15 Figure 3-7 IP Configuration using DHCP 3-16 Figure 3-8 DHCP Relay Option 82 Configuration 3-18 Figure 3-9...
  • Page 24 Figures Figure 3-43 Network Access Configuration 3-76 Figure 3-44 Network Access Port Configuration 3-77 Figure 3-45 Network Access MAC Address Information 3-78 Figure 3-46 Network Access MAC Filter Configuration 3-79 Figure 3-47 Creating a Web IP Filter List 3-81 Figure 3-48 Selecting ACL Type 3-83 Figure 3-49...
  • Page 25 Figures Figure 3-88 Port Priority Configuration 3-159 Figure 3-89 Traffic Classes 3-161 Figure 3-90 Queue Mode 3-162 Figure 3-91 Configuring Queue Scheduling 3-163 Figure 3-92 IP Precedence/DSCP Priority Status 3-164 Figure 3-93 Mapping IP Precedence Priority Values 3-165 Figure 3-94 Mapping IP DSCP Priority Values 3-167 Figure 3-95...
  • Page 26 Figures xxii...
  • Page 27: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 28: Description Of Software Features

    Introduction Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth.
  • Page 29 Description of Software Features Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity. Port Trunking –...
  • Page 30 Introduction Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard.
  • Page 31: System Defaults

    System Defaults System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-24). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
  • Page 32 Introduction (Continued) Table 1-2 System Defaults Function Parameter Default Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Rate Limiting Input and output limits Disabled Port Trunking Static Trunks None LACP (all ports) Disabled Broadcast Storm Status Disabled (all ports) Protection Broadcast Limit Rate 32,000 octets per second...
  • Page 33 System Defaults (Continued) Table 1-2 System Defaults Function Parameter Default System Log Status Enabled Messages Logged Levels 0-7 (all) Messages Logged to Flash Levels 0-6 SMTP Email Alerts Event Handler Enabled (but no server defined) SNTP Clock Synchronization Disabled...
  • Page 34 Introduction...
  • Page 35: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 36: Required Connections

    Initial Configuration • Configure up to 4 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 37: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 38: Setting Passwords

    Initial Configuration Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
  • Page 39: Dynamic Configuration

    Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
  • Page 40: Enabling Snmp Management Access

    Initial Configuration Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end...
  • Page 41: Trap Receivers

    Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 42: Configuring Access For Snmp Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 43: Managing System Files

    Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: •...
  • Page 44 Initial Configuration 2-10...
  • Page 45: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
  • Page 46: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
  • Page 47: Configuration Options

    Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 48: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 49 Main Menu (Continued) Table 3-2 Main Menu Menu Description Page 3-61 Host-Key Settings Generates the host key pair (public and private) 3-63 Settings Configures Secure Shell server settings 3-65 Port Security Configures per port security, including status, response for 3-66 security breach, and maximum allowed MAC addresses 802.1X Port authentication...
  • Page 50 Configuring the Switch (Continued) Table 3-2 Main Menu Menu Description Page Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-105 Mirror Port Configuration Sets the source and target ports for mirroring 3-106 Rate Limit 3-107 Granularity Enables or disables the rate limit feature 3-107 Input Port Configuration Sets the input rate limit for each port...
  • Page 51 Main Menu (Continued) Table 3-2 Main Menu Menu Description Page Private VLAN 3-152 Information Displays Private VLAN feature information 3-153 Configuration This page is used to create/remove primary or community 3-154 VLANs Association Each community VLAN must be associated with a primary VLAN 3-154 Port Information Shows VLAN port type, and associated primary or secondary...
  • Page 52 Configuring the Switch (Continued) Table 3-2 Main Menu Menu Description Page IGMP Snooping 3-170 IGMP Configuration Enables multicast filtering; configures parameters for multicast 3-171 query IGMP Filter Configuration Enables IGMP filtering and throttling for the switch, creates filter 3-178 profile numbers IGMP Immediate Leave Enables the immediate leave function 3-173...
  • Page 53: Table 3-2 Main Menu

    Main Menu (Continued) Table 3-2 Main Menu Menu Description Page Member Configuration Adds switch Members to the cluster 3-195 Member Information Displays cluster Member switch information 3-196 Candidate Information Displays network Candidate switch information 3-197...
  • Page 54: Basic Configuration

    Configuring the Switch Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. •...
  • Page 55: Displaying Switch Hardware/Software Versions

    Basic Configuration CLI – Specify the hostname, location and contact information. Console(config)#hostname R&D 5 4-26 Console(config)#snmp-server location WC 9 4-119 Console(config)#snmp-server contact Ted 4-119 Console(config)#exit Console#show system 4-67 System description: Layer2+ Fast Ethernet Standalone Switch ES3526XA System OID string: 1.3.6.1.4.1.259.6.10.74 System information System Up time: 0 days, 2 hours, 4 minutes, and 7.13 seconds...
  • Page 56: Figure 3-4 Displaying Switch Information

    Configuring the Switch These additional parameters are displayed for the CLI. • Unit - This is unit 1. • Redundant Power Status – Displays the status of the redundant power supply. Web – Click System, Switch Information. Figure 3-4 Displaying Switch Information CLI –...
  • Page 57: Displaying Bridge Extension Capabilities

    Basic Configuration Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 58: Setting The Switch's Ip Address

    Configuring the Switch CLI – Enter the following command. Console#show bridge-ext 4-195 Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled...
  • Page 59: Manual Configuration

    Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 60: Using Dhcp/Bootp

    Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 61: Dhcp Relay And Option 82 Information

    Basic Configuration Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
  • Page 62: Figure 3-8 Dhcp Relay Option 82 Configuration

    Configuring the Switch • Drop – Discards the Option 82 information in a packet and then floods it to the entire VLAN. • DHCP Relay Server – IP addresses of DHCP servers to be used by the switch’s DHCP relay agent in order of preference. Up to five servers can be specified. Web –...
  • Page 63: Managing Firmware

    Basic Configuration Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version.
  • Page 64: Downloading System Software From A Server

    Configuring the Switch Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web – Click System, File Management, Copy Operation.
  • Page 65: Figure 3-11 Deleting Files

    Basic Configuration To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files CLI –...
  • Page 66: Saving Or Restoring Configuration Settings

    Configuring the Switch Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server. The configuration files can be later downloaded to restore the switch’s settings. Command Attributes • File Transfer Method – The configuration copy operation includes these options: - file to file –...
  • Page 67: Downloading Configuration Settings From A Server

    Basic Configuration Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
  • Page 68: Console Port Settings

    Configuring the Switch CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-70 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.
  • Page 69: Figure 3-14 Console Port Settings

    Basic Configuration • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: 9600 bps) •...
  • Page 70: Telnet Settings

    Configuring the Switch CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-11 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret 4-13...
  • Page 71: Figure 3-15 Enabling Telnet

    Basic Configuration • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
  • Page 72: Configuring Event Logging

    Configuring the Switch CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level. Console(config)#line vty 4-11 Console(config-line)#login local 4-12 Console(config-line)#password 0 secret...
  • Page 73: Table 3-3 Logging Levels

    Basic Configuration Table 3-3 Logging Levels Level Severity Name Description Debug Debugging messages Informational Informational messages only Notice Normal but significant condition, such as cold start Warning Warning conditions (e.g., return false, unexpected return) Error Error conditions (e.g., invalid input, default used) Critical Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
  • Page 74: Remote Log Configuration

    Configuring the Switch Remote Log Configuration The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations. You can also limit the error messages sent to only those messages below a specified level. Command Attributes •...
  • Page 75: Displaying Log Messages

    Basic Configuration CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Console(config)#logging host 192.168.1.15 4-46 Console(config)#logging facility 23 4-46 Console(config)#logging trap 4 4-47 Console(config)#end Console#show logging trap 4-47 Syslog logging: Enabled REMOTELOG status: Enabled REMOTELOG facility type:...
  • Page 76: Sending Simple Mail Transfer Protocol Alerts

    Configuring the Switch Sending Simple Mail Transfer Protocol Alerts To alert system administrators of problems, the switch can use SMTP (Simple Mail Transfer Protocol) to send email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
  • Page 77: Figure 3-19 Enabling And Configuring Smtp Alerts

    Basic Configuration Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove.
  • Page 78: Resetting The System

    Configuring the Switch CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 79: Setting The System Clock

    Basic Configuration Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 80: Configuring Ntp

    Configuring the Switch CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-55 Console(config)#sntp poll 60 4-56 Console(config)#sntp client 4-54 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 60...
  • Page 81: Figure 3-22 Ntp Client Configuration

    Basic Configuration Figure 3-22 NTP Client Configuration CLI – This example configures the switch to operate as an NTP client and then displays the current settings. Console(config)#ntp authentication-key 19 md5 thisiskey19 4-59 Console(config)#ntp authentication-key 30 md5 ntpkey30 Console(config)#ntp server 192.168.3.20 4-57 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2...
  • Page 82: Setting The Time Zone

    Configuring the Switch Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 83 Simple Network Management Protocol the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports.
  • Page 84: Enabling The Snmp Agent

    Configuring the Switch Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply.
  • Page 85: Specifying Trap Managers And Trap Types

    Specifying Trap Managers and Trap Types Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-25 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access. Console(config)#snmp-server community spiderman rw 4-118 Console(config)#...
  • Page 86 Configuring the Switch To send an inform to a SNMPv2c host, complete these steps: 1. Enable the SNMP agent (page 3-54). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 3-53). 4. Create a group that includes the required notify view (page 3-49). To send an inform to a SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 3-54).
  • Page 87: Configuring Snmpv3 Management Access

    Configuring SNMPv3 Management Access • Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled) • Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken. (Default: Enabled) Web –...
  • Page 88: Setting A Local Engine Id

    Configuring the Switch v2c or v3) and security level (i.e., authentication and privacy). 4. Assign SNMP users to groups, along with their specific authentication and privacy passwords. Setting a Local Engine ID An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
  • Page 89: Configuring Snmpv3 Users

    Configuring SNMPv3 Management Access configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. (See “Specifying Trap Managers and Trap Types” on page 3-41 and “Configuring Remote SNMPv3 Users” on page 3-47.) The engine ID can be specified by entering 1 to 26 hexadecimal characters. If less than 26 characters are specified, trailing zeroes are added to the value.
  • Page 90: Figure 3-29 Configuring Snmpv3 Users

    Configuring the Switch available for the SNMPv3 security model). • Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) • Authentication Password – A minimum of eight plain text characters is required. • Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
  • Page 91: Configuring Remote Snmpv3 Users

    Configuring SNMPv3 Management Access CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien 4-128 Console(config)#exit Console#show snmp user 4-130 EngineId: 80000034030001f488f5200000 User Name: chris...
  • Page 92: Figure 3-30 Configuring Remote Snmpv3 Users

    Configuring the Switch • Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. • Privacy Password – A minimum of eight plain text characters is required. Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list.
  • Page 93: Configuring Snmpv3 Groups

    Configuring SNMPv3 Management Access CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien 4-128 Console(config)#exit Console#show snmp user 4-130 No user exist.
  • Page 94 Configuring the Switch Table 3-5 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
  • Page 95 Configuring SNMPv3 Management Access Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description Private Traps - swPowerStatus 1.3.6.1.4.1.259.6.10.95.2.1.0.1 This trap is sent when the power state changes. ChangeTrap swFanFailureTrap 1.3.6.1.4.1.259.6.10.95.2.1.0.17 This trap is sent when the fan fails. swFanRecoverTrap 1.3.6.1.4.1.259.6.10.95.2.1.0.18 This trap is sent when the fan failure has recovered.
  • Page 96: Figure 3-31 Configuring Snmpv3 Groups

    Configuring the Switch Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list.
  • Page 97: Setting Snmpv3 Views

    Configuring SNMPv3 Management Access Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
  • Page 98: User Authentication

    Configuring the Switch CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-125 Console(config)#exit Console#show snmp view 4-126 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
  • Page 99: Figure 3-33 Access Levels

    User Authentication • New Account – Displays configuration settings for a new account. - User Name – The name of the user. (Maximum length: 8 characters) - Access Level – Specifies the user level. (Options: Normal and Privileged) - Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive) •...
  • Page 100: Configuring Local/Remote Logon Authentication

    Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 101 User Authentication Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
  • Page 102: Figure 3-34 Authentication Settings

    Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-34 Authentication Settings CLI –...
  • Page 103: Configuring Https

    User Authentication Console#configure Console(config)#authentication login tacacs 4-76 Console(config)#tacacs-server host 10.20.30.40 4-82 Console(config)#tacacs-server port 200 4-82 Console(config)#tacacs-server key green 4-82 Console#show tacacs-server 4-83 Server IP address: 10.20.30.40 Communication key with tacacs server: ***** Server port number: 200 Console(config)# Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
  • Page 104: Replacing The Default Secure-Site Certificate

    Configuring the Switch Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-35 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server 4-32 Console(config)#ip http secure-port 443 4-33...
  • Page 105: Configuring The Secure Shell

    User Authentication Configuring the Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools.
  • Page 106 Configuring the Switch Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-70) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-54.) The clients are subsequently authenticated using these keys.
  • Page 107: Generating The Host Key Pair

    User Authentication Generating the Host Key Pair A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
  • Page 108: Figure 3-36 Ssh Host-Key Settings

    Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-36 SSH Host-Key Settings CLI –...
  • Page 109: Configuring The Ssh Server

    User Authentication Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
  • Page 110: Configuring Port Security

    Configuring the Switch CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server 4-37 Console(config)#ip ssh timeout 100 4-38 Console(config)#ip ssh authentication-retries 5 4-38...
  • Page 111: Figure 3-38 Configuring Port Security

    User Authentication • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-91). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-132). •...
  • Page 112: Configuring 802.1X Port Authentication

    Configuring the Switch Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 113: Displaying 802.1X Global Settings

    User Authentication • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) • The RADIUS server and client also have to support the same EAP encryption method for passing authentication messages –...
  • Page 114: Configuring 802.1X Global Settings

    Configuring the Switch Configuring 802.1X Global Settings The 802.1X protocol includes port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes • 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 115: Figure 3-41 802.1X Port Configuration

    User Authentication • Re-authen – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) • Max-Req – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
  • Page 116 Configuring the Switch CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-90. Console(config)#interface ethernet 1/2 4-131 Console(config-if)#dot1x port-control auto 4-87 Console(config-if)#dot1x re-authentication 4-89 Console(config-if)#dot1x max-req 5 4-87...
  • Page 117: Displaying 802.1X Statistics

    User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 118: Mac Address Authentication

    Configuring the Switch Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-42 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-90 Eth 1/4...
  • Page 119: Configuring The Mac Authentication Reauthentication Time

    User Authentication address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed. On successful authentication, the RADIUS server may optionally assign VLAN settings for the switch port. When enabled on a port interface, the authentication process sends a Password...
  • Page 120: Configuring Mac Authentication For Ports

    Configuring the Switch Web – Click Security, Network Access, Configuration. Figure 3-43 Network Access Configuration CLI – This example sets and displays the reauthentication time. Console(config)#mac-authentication reauth-time 3000 4-98 Console(config)#exit Console#show network-access interface ethernet 1/1 4-99 Port:1/1 -------------------------------------------------- -------------------------------------------------- MAC Authentication :Disabled Maximum MAC Count :1024...
  • Page 121: Displaying Secure Mac Address Information

    User Authentication Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Network Access Port Configuration page in the “Trunk” column. Web – Click Security, Network Access, Port Configuration. Figure 3-44 Network Access Port Configuration CLI –...
  • Page 122: Figure 3-45 Network Access Mac Address Information

    Configuring the Switch • Query By – Specifies parameters to use in the MAC address query. • Port – Specifies a port interface. • MAC Address – Specifies a single MAC address information. • Attribute – Displays static or dynamic addresses. •...
  • Page 123: Configuring Mac Address Filters

    User Authentication CLI – This example displays all entries currently in the secure MAC address table. Console#show network-access mac-address-table 4-100 ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s 00-00-01-02-03-06 172.155.120.17...
  • Page 124: Filtering Addresses For Management Access

    Configuring the Switch CLI – This example configures filter ID 1 with three MAC addresses, then applies the filter to port 1. Console(config)#network-access mac-filter 1 00-12-34-56-78-9A 4-96 Console(config)#network-access mac-filter 1 00-12-34-56-78-9B Console(config)#network-access mac-filter 1 00-12-34-56-78-9C Console(config)#interface ethernet 1/1 Console(config-if)#network-access port-mac-filter 1 4-97 Console(config-if)#end Console#show network-access mac-filter 1...
  • Page 125: Figure 3-47 Creating A Web Ip Filter List

    User Authentication Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry to update the filter list. Figure 3-47 Creating a Web IP Filter List CLI –...
  • Page 126: Access Control Lists

    Configuring the Switch Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules and then bind the list to a specific port.
  • Page 127: Setting The Acl Name And Type

    Access Control Lists The order in which active ACLs are checked is as follows: 1. User-defined rules in the Ingress MAC ACL for ingress ports. 2. User-defined rules in the Ingress IP ACL for ingress ports. 3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports. 4.
  • Page 128: Configuring A Standard Ip Acl

    Configuring the Switch Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 129: Configuring An Extended Ip Acl

    Access Control Lists Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
  • Page 130: Figure 3-50 Acl Configuration - Extended Ip

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 131: Configuring A Mac Acl

    Access Control Lists Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 132: Binding A Port To An Access Control List

    Configuring the Switch Binding a Port to an Access Control List After configuring Access Control Lists (ACL), you should bind them to the ports that need to filter traffic. You can assign one IP access list to any port, but you can only assign one MAC access list to all the ports on the switch.
  • Page 133: Port Configuration

    Port Configuration CLI – This example assigns an IP and MAC access list to port 1, and an IP access list to port 3. Console(config)#interface ethernet 1/1 4-131 Console(config-if)#ip access-group david in 4-107 Console(config-if)#mac access-group jerry in 4-112 Console(config-if)#exit Console(config)#interface ethernet 1/3 Console(config-if)#ip access-group david in Console(config-if)# Port Configuration...
  • Page 134: Figure 3-53 Displaying Port/Trunk Information

    Configuring the Switch Web – Click Port, Port Information or Trunk Information. Figure 3-53 Displaying Port/Trunk Information Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address”...
  • Page 135: Configuring Interface Connections

    Port Configuration • Max MAC count – Shows the maximum number of MAC addresses that can be learned by a port. (0 - 1024 addresses) • Port security action – Shows the response to take when a security violation is detected.
  • Page 136: Figure 3-54 Port/Trunk Configuration

    Configuring the Switch • Flow Control – Allows automatic or manual selection of flow control. • Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
  • Page 137: Creating Trunk Groups

    Port Configuration CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 4-131 Console(config-if)#description RD SW#13 4-132 Console(config-if)#shutdown 4-136 Console(config-if)#no shutdown Console(config-if)#no negotiation 4-133 Console(config-if)#speed-duplex 100half 4-132 Console(config-if)#flowcontrol 4-135 Console(config-if)#negotiation Console(config-if)#capabilities 100half 4-134 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link.
  • Page 138: Statically Configuring A Trunk

    Configuring the Switch • When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard. • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
  • Page 139: Enabling Lacp On Selected Ports

    Port Configuration CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-131 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-131 Console(config-if)#channel-group 2 4-147 Console(config-if)#exit Console(config)#interface ethernet 1/2...
  • Page 140: Figure 3-56 Lacp Configuration

    Configuring the Switch Command Attributes • Member List (Current) – Shows configured trunks (Unit, Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26/52) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
  • Page 141: Configuring Lacp Parameters

    Port Configuration Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. •...
  • Page 142: Figure 3-57 Lacp - Aggregation Port

    Configuring the Switch Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 143: Displaying Lacp Port Counters

    Port Configuration CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-131 Console(config-if)#lacp actor system-priority 3 4-149 Console(config-if)#lacp actor admin-key 120 4-150 Console(config-if)#lacp actor port-priority 128 4-152 Console(config-if)#exit Console(config)#interface ethernet 1/4...
  • Page 144: Table 3-8 Lacp Port Counters

    Configuring the Switch (Continued) Table 3-8 LACP Port Counters Field Description LACPDUs Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 145: Displaying Lacp Settings And Status For The Local Side

    Port Configuration Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
  • Page 146: Figure 3-59 Lacp - Port Internal Information

    Configuring the Switch Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-59 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-152 Port channel : 1...
  • Page 147: Displaying Lacp Settings And Status For The Remote Side

    Port Configuration Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
  • Page 148 Configuring the Switch CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-152 Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 3, 00-30-F1-CE-2A-20...
  • Page 149: Setting Broadcast Storm Thresholds

    Port Configuration Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 150: Configuring Port Mirroring

    Configuring the Switch CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 octets per second for port 2 (which applies to all ports). Console(config)#interface ethernet 1/1 4-131 Console(config-if)#no switchport broadcast...
  • Page 151: Configuring Rate Limits

    Port Configuration Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 3-62 Mirror Port Configuration CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffic type.
  • Page 152: Rate Limit Configuration

    Configuring the Switch Web – Click Port, Rate Limit, Granularity. Select the required rate limit granularity for Fast Ethernet and Gigabit Ethernet, and click Apply. Figure 3-63 Rate Limit Granularity Configuration CLI - This example sets and displays Fast Ethernet and Gigabit Ethernet granularity. Console(config)#rate-limit fastethernet granularity 512 4-145 Console(config)#rate-limit gigabitethernet granularity 33300...
  • Page 153: Showing Port Statistics

    Port Configuration Web – Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Enable the Rate Limit Status for the required interfaces, set the Rate Limit Level, and click Apply. Figure 3-64 Output Rate Limit Port Configuration CLI - This example sets the rate limit level for input and output traffic passing through port 3.
  • Page 154 Configuring the Switch Table 3-11 Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface, including framing characters. Received Unicast Packets The number of subnetwork-unicast packets delivered to a higher-layer protocol. Received Multicast Packets The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
  • Page 155 Port Configuration (Continued) Table 3-11 Port Statistics Parameter Description Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode. Single Collision Frames The number of successfully transmitted frames for which transmission is inhibited by exactly one collision.
  • Page 156: Table 3-11 Port Statistics

    Configuring the Switch (Continued) Table 3-11 Port Statistics Parameter Description Fragments The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error. 64 Bytes Frames The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but...
  • Page 157: Figure 3-65 Port Statistics

    Port Configuration Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-65 Port Statistics...
  • Page 158: Address Table Settings

    Configuring the Switch CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 4-139 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 159: Displaying The Address Table

    Address Table Settings Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-66 Static Addresses CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 160: Figure 3-67 Dynamic Addresses

    Configuring the Switch Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-67 Dynamic Addresses CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 4-158 Interface Mac Address...
  • Page 161: Changing The Aging Time

    Spanning Tree Algorithm Configuration Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-30000 seconds;...
  • Page 162 Configuring the Switch ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. [Figure labels: Designated Root, Root Port, Designated Port, Designated Bridge] Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
  • Page 163: Displaying Global Settings

    Spanning Tree Algorithm Configuration MSTP then builds an Internal Spanning Tree (IST) for the Region containing all commonly configured MSTP bridges. [Figure labels: MST 1 (for this Region), Region R, MST 2] An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 164 Configuring the Switch • Bridge ID – A unique identifier for this bridge, consisting of the bridge priority, the MST Instance ID 0 for the Common Spanning Tree when spanning tree mode is set to MSTP (page 3-123), and MAC address (where the address is taken from the switch system).
  • Page 165: Figure 3-69 Sta Information

    Spanning Tree Algorithm Configuration • Root Maximum Age – The maximum time (in seconds) this device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration message), a new root port is selected from among the device ports attached to the network.
  • Page 166 Configuring the Switch CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-176 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4093 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 167: Configuring Global Settings

    Spanning Tree Algorithm Configuration Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 168 Configuring the Switch address will then become the root device. (Note that lower numeric values indicate higher priority.) • Default: 32768 • Range: 0-61440, in steps of 4096 • Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 Root Device Configuration •...
  • Page 169 Spanning Tree Algorithm Configuration Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table.
  • Page 170: Figure 3-70 Sta Global Configuration

    Configuring the Switch Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-70 STA Global Configuration 3-126...
  • Page 171: Displaying Interface Settings

    Spanning Tree Algorithm Configuration CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
    Console(config)#spanning-tree  4-161
    Console(config)#spanning-tree mode mstp  4-161
    Console(config)#spanning-tree priority 40000  4-164
    Console(config)#spanning-tree hello-time 5  4-163
    Console(config)#spanning-tree max-age 38  4-164
    Console(config)#spanning-tree forward-time 20  4-163...
  • Page 172 Configuring the Switch • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
  • Page 173: Figure 3-71 Sta Port Information

    Spanning Tree Algorithm Configuration • Internal path cost – The path cost for the MST. See the preceding item. • Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 174: Configuring Interface Settings

    Configuring the Switch CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-176 1/ 5 information -------------------------------------------------------------- Admin status: enabled Role: disable State: discarding External admin path cost: 10000 Internal admin cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000...
  • Page 175 Spanning Tree Algorithm Configuration The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 176: Configuring Multiple Spanning Trees

    Configuring the Switch other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device. (Default: Disabled) • Migration – If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode.
  • Page 177 Spanning Tree Algorithm Configuration To use multiple spanning trees: 1. Set the spanning tree type to MSTP (STA Configuration, page 3-123). 2. Enter the spanning tree priority for the selected MST instance (MSTP VLAN Configuration). 3. Add the VLANs that will share this MSTI (MSTP VLAN Configuration). Note: All VLANs are automatically added to the IST (Instance 0).
  • Page 178: Figure 3-73 Mstp Vlan Configuration

    Configuring the Switch Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
  • Page 179 Spanning Tree Algorithm Configuration --------------------------------------------------------------- 1/ 7 information --------------------------------------------------------------- Admin status: enabled Role: master State: forwarding External admin path cost: 10000 Internal admin path cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000 Priority: Designated cost: Designated port: 128.1 Designated root: 32768.1.0030F1D473A0...
  • Page 180: Displaying Interface Settings For Mstp

    Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0) The other attributes are described under “Displaying Interface Settings,”...
  • Page 181: Configuring Interface Settings For Mstp

    Spanning Tree Algorithm Configuration --------------------------------------------------------------- 1/ 1 information --------------------------------------------------------------- Admin status: enabled Role: root State: forwarding External admin path cost: 10000 Internal admin path cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000 Priority: Designated cost: Designated port: 128.4 Designated root: 32768.0.0000E8AAAA00...
  • Page 182: Figure 3-75 Mstp Port Configuration

    Configuring the Switch • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
  • Page 183: Vlan Configuration

    VLAN Configuration VLAN Configuration IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
  • Page 184 Configuring the Switch Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging. [Figure: tagged and untagged frames; VA: VLAN Aware, VU: VLAN Unaware]...
  • Page 185 VLAN Configuration these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs. Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in...
  • Page 186: Enabling Or Disabling Gvrp (Global Setting)

    Configuring the Switch Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network.
  • Page 187: Displaying Current Vlans

    VLAN Configuration CLI – Enter the following command. Console#show bridge-ext 4-195 Max support vlan numbers: Max support vlan ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Enabled GMRP:...
  • Page 188: Figure 3-78 Vlan Current Table

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list. Figure 3-78 VLAN Current Table Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP.
  • Page 189: Creating Vlans

    VLAN Configuration CLI – Current VLAN information can be displayed with the following command. Console#show vlan id 1 4-187 Vlan ID: Type: Static Name: DefaultVlan Status: Active Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
  • Page 190: Figure 3-79 Vlan Static List - Creating Vlans

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-79 VLAN Static List - Creating VLANs CLI –...
  • Page 191: Adding Static Members To Vlans (Vlan Index)

    VLAN Configuration Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 192: Adding Static Members To Vlans (Port Index)

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 193: Figure 3-81 Vlan Static Membership By Port

    VLAN Configuration Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk). Click Query to display membership information for the interface. Select a VLAN ID, and then click Add to add the interface as a tagged member, or click Remove to remove the interface.
  • Page 194: Configuring Vlan Behavior For Interfaces

    Configuring the Switch Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 195: Figure 3-82 Vlan Port Configuration

    VLAN Configuration • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
  • Page 196: Private Vlans

    Configuring the Switch CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. Console(config)#interface ethernet 1/3 4-131 Console(config-if)#switchport acceptable-frame-types tagged 4-182...
  • Page 197: Displaying Current Private Vlans

    VLAN Configuration Use the Private VLAN Port Configuration menu (page 3-156) to set the port type to promiscuous (i.e., the single channel to the external network), or isolated (i.e., having access only to the promiscuous port in its own VLAN). Then assign the promiscuous port and all host ports to an isolated VLAN.
  • Page 198: Configuring Private Vlans

    Configuring the Switch Configuring Private VLANs The Private VLAN Configuration page is used to create/remove primary, community, or isolated VLANs. Command Attributes • VLAN ID – ID of configured VLAN (1-4094). • Type – There are three types of VLANs within a private VLAN: - Primary VLANs –...
  • Page 199: Displaying Private Vlan Interface Information

    VLAN Configuration Web – Click VLAN, Private VLAN, Association. Select the required primary VLAN from the scroll-down box, highlight one or more community VLANs in the Non-Association list box, and click Add to associate these entries with the selected primary VLAN. (A community VLAN can only be associated with one primary VLAN.) Figure 3-85 Private VLAN Association CLI –...
  • Page 200: Configuring Private Vlan Interfaces

    Configuring the Switch Web – Click VLAN, Private VLAN, Port Information or Trunk Information. Figure 3-86 Private VLAN Port Information CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 201: Figure 3-87 Private Vlan Port Configuration

    VLAN Configuration • Community VLAN – A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports. Set PVLAN Port Type to “Host,” and then specify the associated Community VLAN. • Isolated VLAN – Conveys traffic only between the VLAN’s isolated ports and the promiscuous port.
  • Page 202: Class Of Service Configuration

    Configuring the Switch Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 203 Class of Service Configuration Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-88 Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 4-131 Console(config-if)#switchport priority default 5...
  • Page 204: Mapping Cos Values To Egress Queues

    Configuring the Switch Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 205 Class of Service Configuration Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-89 Traffic Classes CLI – The following example shows how to change the CoS assignments. Console(config)#interface ethernet 1/1 4-131 Console(config-if)#queue cos-map 0 0 4-201...
  • Page 206: Selecting The Queue Mode

    Configuring the Switch Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 207: Setting The Service Weight For Traffic Classes

    Class of Service Configuration Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-160, the traffic classes are mapped to one of the four egress queues provided for each port.
  • Page 208: Layer 3/4 Priority Settings

    Configuring the Switch Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
  • Page 209: Mapping Ip Precedence

    Class of Service Configuration Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
  • Page 210: Mapping Dscp Priority

    Configuring the Switch CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings. Console(config)#map ip precedence 4-204 Console(config)#interface ethernet 1/1 4-131 Console(config-if)#map ip precedence 1 cos 0 4-206...
  • Page 211 Class of Service Configuration Command Attributes • DSCP Priority Table – Shows the DSCP Priority to CoS map. • Class of Service Value – Maps a CoS value to the selected DSCP Priority value. Note that “0” represents low priority and “7” represents high priority. Note: IP DSCP settings apply to all interfaces.
  • Page 212: Mapping Ip Port Priority

    Configuring the Switch Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. Command Attributes •...
  • Page 213: Mapping Cos Values To Acls

    Class of Service Configuration CLI* – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port. Console(config)#map ip port 4-204 Console(config)#interface ethernet 1/5...
  • Page 214: Multicast Filtering

    Configuring the Switch Web – Click Priority, ACL CoS Priority. Enable mapping for any port, select an ACL from the scroll-down list, then click Add. Figure 3-97 ACL CoS Priority CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 24.
  • Page 215: Layer 2 Igmp (Snooping And Query)

    Multicast Filtering requesting to join the service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. This procedure is called multicast filtering.
  • Page 216 Configuring the Switch Command Attributes • IGMP Status — When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is also referred to as IGMP Snooping. (Default: Enabled) • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
  • Page 217: Enabling Igmp Immediate Leave

    Multicast Filtering CLI – This example modifies the settings for multicast filtering, and then displays the current status.
    Console(config)#ip igmp snooping  4-212
    Console(config)#ip igmp snooping querier  4-216
    Console(config)#ip igmp snooping query-count 10  4-216
    Console(config)#ip igmp snooping query-interval 100  4-217
    Console(config)#ip igmp snooping query-max-response-time 20  4-218
    Console(config)#ip igmp snooping router-port-expire-time 300  4-218...
  • Page 218: Displaying Interfaces Attached To A Multicast Router

    Configuring the Switch CLI – This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status. Console(config)#interface vlan 1 Console(config-if)#ip igmp snooping immediate-leave 4-213 Console(config-if)#end Console#show ip igmp snooping 4-214 Service status: Enabled Querier status: Enabled Query count: Query interval:...
  • Page 219: Specifying Static Interfaces For A Multicast Router

    Multicast Filtering CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router. Console#show ip igmp snooping mrouter vlan 1 4-220 VLAN M'cast Router Port Type ---- ------------------ ------- Eth 1/11 Static Console# Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to...
  • Page 220: Displaying Port Members Of Multicast Services

    Configuring the Switch Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attributes • VLAN ID – Selects the VLAN for which to display port members. • Multicast IP Address – The IP address for a specific multicast service. •...
  • Page 221: Assigning Ports To Multicast Services

    Multicast Filtering Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP snooping and Query Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
  • Page 222: Igmp Filtering And Throttling

    Configuring the Switch CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1. Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12 4-212 Console(config)#exit Console#show mac-address-table multicast vlan 1 4-215 VLAN M'cast IP addr.
  • Page 223: Configuring Igmp Filter Profiles

    Multicast Filtering Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile number by entering the number in the text box and clicking Add. Enable the IGMP filter status, then click Apply. Figure 3-104 Enabling IGMP Filtering and Throttling CLI – This example enables IGMP filtering and creates a profile number, then displays the current status and the existing profile numbers.
  • Page 224 Configuring the Switch Command Attributes • Profile ID – Selects an existing profile number to configure. After selecting an ID number, click the Query button to display the current configuration. • Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) •...
  • Page 225: Configuring Igmp Filtering And Throttling For Interfaces

    Multicast Filtering CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed. Console(config)#ip igmp profile 19 4-222 Console(config-igmp-profile)#permit 4-223...
  • Page 226 Configuring the Switch • Trunk – Indicates if a port is a trunk member. Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-106 IGMP Filter and Throttling Port Configuration CLI –...
  • Page 227: Multicast Vlan Registration

    Multicast VLAN Registration Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
  • Page 228: Configuring Global Mvr Settings

    Configuring the Switch For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see “Assigning Static Multicast Groups to Interfaces” on page 3-188).
  • Page 229: Displaying Mvr Interface Status

    Multicast VLAN Registration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
    Console(config)#ip igmp snooping
    Console(config)#mvr
    Console(config)#mvr group 228.1.23.1 10
    Console(config)#
    Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes •...
  • Page 230: Displaying Port Members Of Multicast Groups

    Configuring the Switch Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. •...
  • Page 231: Configuring Mvr Interface Status

    Multicast VLAN Registration Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
  • Page 232: Assigning Static Multicast Groups To Interfaces

    Configuring the Switch Web – Click MVR, Port or Trunk Configuration. Figure 3-110 MVR Port Configuration CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
    Console(config)#interface ethernet 1/1
    Console(config-if)#mvr type source
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2...
  • Page 233: Configuring Domain Name Service

    Configuring Domain Name Service Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups. Select a multicast address from the displayed lists, and click the Add or Remove button to modify the Member list.
  • Page 234 Configuring the Switch • If there is no domain list, the default domain name is used. If there is a domain list, the default domain name is not used. • When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 235 Configuring Domain Name Service Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-112 DNS General Configuration CLI - This example sets a default domain name and a domain list.
  • Page 236: Configuring Static Dns Host To Address Entries

    Configuring the Switch Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
  • Page 237: Displaying The Dns Cache

    Configuring Domain Name Service CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
    Console(config)#ip host rd5 192.168.1.55 10.1.0.55  4-233
    Console(config)#ip host rd6 10.1.0.55
    Console#show hosts  4-238
    Hostname Inet address 10.1.0.55 192.168.1.55 Alias...
  • Page 238: Switch Clustering

    Configuring the Switch CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache 4-239 FLAG TYPE DOMAIN CNAME 207.46.134.222 www.microsoft.akadns.net CNAME 207.46.134.190 www.microsoft.akadns.net CNAME 207.46.134.155 www.microsoft.akadns.net CNAME 207.46.249.222 www.microsoft.akadns.net CNAME 207.46.249.27 www.microsoft.akadns.net ALIAS POINTER TO:4 www.microsoft.com...
  • Page 239: Cluster Member Configuration

    Switch Clustering • Role – Indicates the current role of the switch in the cluster; either Commander, Member, or Candidate. • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID.
  • Page 240: Cluster Member Information

    Configuring the Switch Web – Click Cluster, Member Configuration. Figure 3-116 Cluster Member Configuration CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-251 Console(config)# Cluster Member Information...
  • Page 241: Cluster Candidate Information

    Switch Clustering CLI – This example shows information about cluster Member switches.
    Vty-0#show cluster members  4-253
    Cluster Members:
    Role: Active member
    IP Address: 10.254.254.2
    MAC Address: 00-12-cf-23-49-c0
    Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
    Vty-0#
    Cluster Candidate Information Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
  • Page 243: Chapter 4: Command Line Interface

    Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 244 Command Line Interface To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example:
    Console(config)#interface vlan 1
    Console(config-if)#ip address 10.1.0.254 255.255.255.0
    Console(config-if)#exit
    Console(config)#ip default-gateway 10.1.0.254...
  • Page 245: Entering Commands

    Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 246: Showing Commands

    Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 247: Partial Keyword Lookup

    Entering Commands Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Console#show s? snmp sntp...
  • Page 248: Exec Commands

    Command Line Interface current mode. The command classes and associated modes are displayed in the following table: Table 4-1 Command Modes
    Class: Exec; Modes: Normal, Privileged
    Class: Configuration; Modes: Global, Access Control List, IGMP Profile, Interface, Line, Multiple Spanning Tree, VLAN Database
    * You must be in Privileged Exec mode to access the Global configuration mode.
  • Page 249: Configuration Commands

    Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. The configuration commands are organized into different modes: •...
  • Page 250: Command Line Processing

    Command Line Interface Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 251: Command Groups

    Command Groups Command Groups The system commands can be broken down into the functional groups shown below. Table 4-4 Command Groups (columns: Command Group, Description, Page)
    Line: Sets communication parameters for the serial port and Telnet, including baud rate and console time-out (page 4-11)
    General: Basic commands for entering privileged access mode, restarting the... (page 4-20)
  • Page 252 Command Line Interface The access mode shown in the following tables is indicated by these abbreviations: NE (Normal Exec) IC (Interface Configuration) PE (Privileged Exec) LC (Line Configuration) GC (Global Configuration) VC (VLAN Database Configuration) ACL (Access Control List Configuration) MST (Multiple Spanning Tree) IPC (IGMP Profile Configuration) 4-10...
  • Page 253: Line Commands

    Line Commands Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 4-5 Line Commands Command Function...
  • Page 254: Login

    Command Line Interface Command Usage Telnet is considered a virtual terminal connection and will be shown as “Vty” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections. Example To enter console line mode, enter the following command: Console(config)#line console Console(config-line)# Related Commands...
  • Page 255: Password

    Line Commands Example Console(config-line)#login local Console(config-line)# Related Commands username (4-27) password (4-13) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 256: Timeout Login Response

    Command Line Interface timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
  • Page 257: Password-Thresh

    Line Commands Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. •...
  • Page 258: Silent-Time

    Command Line Interface Related Commands silent-time (4-16) timeout login response (4-13) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 259: Parity

    Line Commands Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 260: Speed

    Command Line Interface speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps) Default Setting 9600...
  • Page 261: Disconnect

    Line Commands disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
  • Page 262: General Commands

    Command Line Interface Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec console#...
  • Page 263: Disable

    General Commands Default Setting Level 15 Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-28.) •...
  • Page 264: Configure

    Command Line Interface configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration.
  • Page 265: Reload

    General Commands The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
  • Page 266: Exit

    Command Line Interface exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 267: System Management Commands

    System Management Commands System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-7 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4-25 User Access...
  • Page 268: Hostname

    Command Line Interface Example Console(config)#prompt RD2 RD2(config)# hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 269: Username

    System Management Commands username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
  • Page 270: Enable Password

    Command Line Interface enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 271: Ip Filter Commands

    System Management Commands IP Filter Commands Table 4-11 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-29 show management Displays the switch to be monitored or configured from a 4-30 browser management This command specifies the client IP addresses that are allowed management access to the switch through various protocols.
  • Page 272: Show Management

    Command Line Interface Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
  • Page 273: Web Server Commands

    System Management Commands Web Server Commands Table 4-12 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface 4-31 ip http server Allows the switch to be monitored or configured from a browser GC 4-31 ip http secure-server Enables HTTPS/SSL for encrypted communications...
  • Page 274: Ip Http Secure-Server

    Command Line Interface Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-31) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server Default Setting...
  • Page 275: Ip Http Secure-Port

    System Management Commands Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-33) copy tftp https-certificate (4-70) ip http secure-port This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port...
  • Page 276: Telnet Server Commands

    Command Line Interface Telnet Server Commands Table 4-14 Telnet Server Commands Command Function Mode Page ip telnet port Specifies the port to be used by the Telnet interface 4-31 ip telnet server Allows the switch to be monitored or configured from Telnet 4-31 ip telnet port This command specifies the TCP port number used by the Telnet interface.
  • Page 277: Secure Shell Commands

    System Management Commands Related Commands ip telnet port (4-34) Secure Shell Commands The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks....
  • Page 278 Command Line Interface The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-76.
  • Page 279: Ip Ssh Server

    System Management Commands corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process: The client sends its public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
  • Page 280: Ip Ssh Timeout

    Command Line Interface ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds...
  • Page 281: Ip Ssh Server-Key Size

    System Management Commands Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (4-41) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size –...
  • Page 282: Ip Ssh Crypto Host-Key Generate

    Command Line Interface Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. •...
  • Page 283: Ip Ssh Save Host-Key

    System Management Commands Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize dsa Console#...
  • Page 284: Show Ssh

    Command Line Interface Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username...
  • Page 285: Show Public-Key

    System Management Commands show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 286: Event Logging Commands

    Command Line Interface Event Logging Commands Table 4-17 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-44 logging history Limits syslog messages saved to switch memory based on 4-45 severity logging host Adds a syslog server host IP address that will receive logging 4-46 messages logging facility...
  • Page 287: Logging History

    System Management Commands logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 288: Logging Host

    Command Line Interface logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 289: Logging Trap

    System Management Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 290: Show Logging

    Command Line Interface Related Commands show logging (4-48) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
  • Page 291: Show Log

    System Management Commands The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
  • Page 292: Smtp Alert Commands

    Command Line Interface Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [3] 00:00:54 2001-01-01 "STA root change notification."...
  • Page 293: Logging Sendmail Level

    System Management Commands Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection....
  • Page 294: Logging Sendmail Source-Email

    Command Line Interface logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages. (Range: 0-41 characters) Default Setting None...
  • Page 295: Logging Sendmail

    System Management Commands logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
  • Page 296: Time Commands

    Command Line Interface Time Commands The system clock can be dynamically set by polling a set of specified NTP time servers. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 297: Sntp Server

    System Management Commands Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current time: Dec 23 02:52:44 2002 Poll interval: 60 Current mode: unicast SNTP status: Enabled SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0 Current server: 10.1.0.19 Console# Related Commands sntp server (4-55) sntp poll (4-56) show sntp (4-56)
  • Page 298: Sntp Poll

    Command Line Interface sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
  • Page 299: Ntp Client

    System Management Commands ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command. Use the no form to disable NTP client requests. Syntax [no] ntp client Default Setting Disabled Command Mode Global Configuration Command Usage...
  • Page 300: Ntp Poll

    Command Line Interface Default Setting Version number: 3 Command Mode Global Configuration Command Usage • This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command.
  • Page 301: Ntp Authenticate

    System Management Commands Example Console(config)#ntp poll 60 Console(config)# Related Commands ntp client (4-57) ntp authenticate This command enables authentication for NTP client-server communications. Use the no form to disable authentication. Syntax [no] ntp authenticate Default Setting Disabled Command Mode Global Configuration Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers.
  • Page 302: Show Ntp

    Command Line Interface • key - An MD5 authentication key string. The key string can be up to 32 case-sensitive printable ASCII characters (no spaces). Default Setting None Command Mode Global Configuration Command Usage • The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch.
  • Page 303: Clock Timezone

    System Management Commands Example Console#show ntp Current time: 1 02:58:58 2001 Poll interval: 16 Current mode: unicast NTP status : Enabled NTP Authenticate status : Enabled Last Update NTP Server: 0.0.0.0 Port: 0 Last Update time: Dec 31 00:00:00 2000 UTC NTP Server 192.168.3.20 version 3 NTP Server 192.168.3.21 version 3 NTP Server 192.168.3.22 version 2...
  • Page 304: Calendar Set

    Command Line Interface Related Commands show sntp (4-56) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
  • Page 305: System Status Commands

    System Management Commands System Status Commands Table 4-23 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash 4-63 memory) that is used to start up the system show running-config Displays the configuration data currently in use 4-65 show system Displays system information...
  • Page 306: Related Commands

    Command Line Interface Example Console#show startup-config building startup-config, please wait..username admin access-level 15 username admin password 0 admin username guest access-level 0 username guest password 0 guest enable password level 15 0 super snmp-server community public ro snmp-server community private rw logging history ram 6 logging history flash 3 vlan database...
  • Page 307: Show Running-Config

    System Management Commands show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 308 Command Line Interface Example Console#show running-config building running-config, please wait..SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 clock timezone hours 0 minute 0 after-UTC SNMP-server community private rw SNMP-server community public ro username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca logging history ram 6...
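    A configuration audit built on the show startup-config and show running-config examples above, added here as an illustration (it is not code from the manual or the vendor). It flags passwords stored as type 0, the default passwords and SNMP community strings those examples show, and type 7 values equal to the plain MD5 digest of a default password. That last comparison rests on an observation made here, not on the manual (the 7 value printed for admin is the MD5 digest of the string admin); `audit_config`, `Finding` and the last two sample lines are constructed for the example.

```python
import hashlib
import re
from typing import List, NamedTuple

# Defaults as they appear in the manual's show startup-config example.
DEFAULT_PASSWORDS = ("admin", "guest", "super")
DEFAULT_COMMUNITIES = ("public", "private")

# MD5 hex digest -> default password, for comparison with type 7 values.
# Assumption of this example: a type 7 value is a plain MD5 hex digest.
DEFAULT_DIGESTS = {
    hashlib.md5(p.encode()).hexdigest(): p for p in DEFAULT_PASSWORDS
}

PASSWORD_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)\s+password"
    r"|enable\s+password(?:\s+level\s+\d+)?)"
    r"\s+(?P<kind>[07])\s+(?P<value>\S+)$",
    re.IGNORECASE,
)
COMMUNITY_RE = re.compile(
    r"^snmp-server\s+community\s+(?P<name>\S+)\s+(?:ro|rw)$",
    re.IGNORECASE,
)

# Lines 1-7 are taken from the two examples on this page; lines 8-9 are
# constructed to show entries that should pass the audit.
SAMPLE_CONFIG = """\
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 0 guest
enable password level 15 0 super
snmp-server community public ro
SNMP-server community private rw
username steve password 7 0123456789abcdef0123456789abcdef
snmp-server community n0c-readonly ro
"""


class Finding(NamedTuple):
    line: int      # 1-based line number in the configuration text
    code: str      # plaintext-password | default-password | default-community
    subject: str   # user name, "enable", or community string


def audit_config(text: str) -> List[Finding]:
    """Return findings for weak credential settings in a configuration dump."""
    findings: List[Finding] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()

        match = PASSWORD_RE.match(line)
        if match:
            subject = match.group("user") or "enable"
            value = match.group("value")
            if match.group("kind") == "0":
                # Type 0: the password itself is readable in the file.
                findings.append(Finding(number, "plaintext-password", subject))
                if value in DEFAULT_PASSWORDS:
                    findings.append(Finding(number, "default-password", subject))
            elif value.lower() in DEFAULT_DIGESTS:
                # Type 7 value matches the digest of a factory default.
                findings.append(Finding(number, "default-password", subject))
            continue

        match = COMMUNITY_RE.match(line)
        if match and match.group("name") in DEFAULT_COMMUNITIES:
            findings.append(
                Finding(number, "default-community", match.group("name"))
            )
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"line {finding.line}: {finding.code} ({finding.subject})")
```
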
  • Page 309: Show System

    System Management Commands show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-10. •...
  • Page 310: Show Version

    Command Line Interface Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users:...
  • Page 311: Frame Size Commands

    System Management Commands Example Console#show version Unit1 Serial number :A419048860 Service tag: Hardware version :R0B Module A type :1000BaseT Module B type :1000BaseT Number of ports Main power status Redundant power status :not present Agent(master) Loader version: 2.2.1.4 Boot ROM version: 2.2.1.9 Operation code version: 0.2.6.3...
  • Page 312: Flash/File Commands

    Command Line Interface • Enabling jumbo frames will limit the maximum threshold for broadcast storm control. (See the switchport broadcast command on page 4-137.) • The current setting for jumbo frames can be displayed with the show system command (page 4-67). Example Console(config)#jumbo frame Console(config)#...
  • Page 313 Flash/File Commands • public-key - Keyword that allows you to copy an SSH key from a TFTP server. (“Secure Shell Commands” on page 4-35) Default Setting None Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command. •...
  • Page 314 Command Line Interface The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01...
  • Page 315: Delete

    Flash/File Commands delete This command deletes a file or image. Syntax delete filename filename - Name of the configuration file or image name. Default Setting None Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted. •...
  • Page 316: Whichboot

    Command Line Interface • File information is shown below: Table 4-26 File Directory Information Column Heading Description file name The name of the file. file type File types: Boot-Rom, Operation Code, and Config file. startup Shows if this file is used when the system is started. size The length of the file in bytes.
  • Page 317: Boot System

    Flash/File Commands boot system This command specifies the image used to start up the system. Syntax boot system {boot-rom| config | opcode}: filename The type of file or image to set as a default includes: • boot-rom* - Boot ROM. •...
  • Page 318: Authentication Commands

    Command Line Interface Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X. Table 4-27 Authentication Commands Command Group Function Page...
  • Page 319: Authentication Enable

    Authentication Commands • RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. • You can specify three authentication methods in a single command to indicate the authentication sequence.
  • Page 320: Radius Client

    Command Line Interface authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked. Example Console(config)#authentication enable radius Console(config)# Related Commands enable password - sets the password for changing command modes (4-28) RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to...
  • Page 321: Radius-Server Port

    Authentication Commands • retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) • key - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters) Default Setting •...
  • Page 322: Radius-Server Retransmit

    Command Line Interface Default Setting None Command Mode Global Configuration Example Console(config)#radius-server key green Console(config)# radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 323: Show Radius-Server

    Authentication Commands Example Console(config)#radius-server timeout 10 Console(config)# show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings Communication key with RADIUS server: Server port number: 1812 Retransmit times:...
  • Page 324: Tacacs-Server Host

    Command Line Interface tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server host host_ip_address no tacacs-server host host_ip_address - IP address of a TACACS+ server. Default Setting 10.11.12.13 Command Mode Global Configuration Example Console(config)#tacacs-server host 192.168.1.25 Console(config)#...
  • Page 325: Show Tacacs-Server

    Authentication Commands Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 20 characters) Default Setting None Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)#...
  • Page 326: Port Security Commands

    Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 327: 802.1X Port Authentication

    Authentication Commands Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 328: Dot1X System-Auth-Control

    Command Line Interface (Continued) Table 4-32 802.1X Port Authentication Command Function Mode Page dot1x operation-mode Allows single or multiple hosts on a dot1x port 4-88 dot1x re-authenticate Forces re-authentication on specific ports 4-88 dot1x re-authentication Enables re-authentication for all ports 4-89 dot1x timeout quiet-period Sets the time that a switch port waits after the Max...
  • Page 329: Dot1X Max-Req

    Authentication Commands dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default. Syntax dot1x max-req count no dot1x max-req count –...
  • Page 330: Dot1X Operation-Mode

    Command Line Interface dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 331: Dot1X Re-Authentication

    Authentication Commands Command Mode Privileged Exec Example Console#dot1x re-authenticate Console# dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# dot1x timeout quiet-period...
  • Page 332: Dot1X Timeout Re-Authperiod

    Command Line Interface dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds. (Range: 1-65535) Default 3600 seconds Command Mode Interface Configuration Example...
  • Page 333 Authentication Commands Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-26/52) Command Mode Privileged Exec Command Usage This command displays the following information: •...
  • Page 334 Command Line Interface - Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 4-87). - Supplicant – MAC address of authorized client. - Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
  • Page 335 Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/26 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800...
  • Page 336: Network Access

    Command Line Interface Network Access The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 337: Network-Access Max-Mac-Count

    Authentication Commands Command Usage • When enabled on a port interface, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The username and password are both equal to the MAC address being authenticated. • On the RADIUS server, PAP username and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
  • Page 338: Network-Access Mac-Filter

    Command Line Interface Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failed.
  • Page 339: Network-Access Port-Mac-Filter

    Authentication Commands Example The following example creates MAC filter 1 and adds MAC address 00-00-E8-12-11-01 to the filter. Console(config)#network-access mac-filter 1 00-00-e8-12-11-01 Console(config)# network-access port-mac-filter Use this command to apply a MAC address filter to a port interface. Use the no form of this command to remove a MAC address filter from an interface.
  • Page 340: Mac-Authentication Reauth-Time

    Command Line Interface Command Usage • When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, provided the VLANs have already been created on the switch. GVRP is not used to create the VLANs. •...
  • Page 341: Clear Network-Access

    Authentication Commands clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] • static - Specifies static address entries. • dynamic - Specifies dynamic address entries. •...
  • Page 342: Show Network-Access Mac-Filter

    Command Line Interface Example Console#show network-access interface ethernet 1/1 Port:1/1 -------------------------------------------------- -------------------------------------------------- MAC Authentication :Disabled Maximum MAC Count :1024 Dynamic VLAN Assignment :Disabled Reauthentication Time :1800 Authenticated Age :300 MAC Filter ID :None Console# show network-access mac-filter Use this command to display MAC authentication filters. Syntax show network-access mac-filter [filter-id] filter-id - Specifies a filter number.
  • Page 343: Default Setting

    Authentication Commands • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-26/52) • sort - Sorts displayed entries by either MAC address or interface. Default Setting Displays all filters. Command Mode Privileged Exec Command Usage When using a bit mask to filter displayed MAC addresses, a 1 means "care"...
  • Page 344: Access Control List Commands

    Command Line Interface Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
  • Page 345: Ip Acls

    Access Control List Commands Table 4-34 Access Control Lists Command Groups Function Page IP ACLs Configures ACLs based on IP addresses, TCP/UDP port number, 4-103 protocol type, and TCP control code MAC ACLs Configures ACLs based on hardware addresses, packet format, and 4-110 Ethernet type ACL Information...
  • Page 346: Permit, Deny (Standard Acl)

    Command Line Interface Command Usage • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. •...
  • Page 347: Permit, Deny (Extended Acl)

    Access Control List Commands Example This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Console(config-std-acl)#permit host 10.1.1.21 Console(config-std-acl)#permit 168.92.16.0 255.255.240.0 Console(config-std-acl)# Related Commands access-list ip (4-103) permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL.
  • Page 348 Command Line Interface Default Setting None Command Mode Extended ACL Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 349: Show Ip Access-List

    Access Control List Commands This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-ext-acl)# Related Commands access-list ip (4-103) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] •...
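    Added example, not taken from the manual: a Python model of the ACL bitmask rules quoted on pages 347-349, useful for checking what a rule covers before binding it to a port. It assumes that the host keyword behaves like a 255.255.255.255 bitmask, that the control-flag code and bitmask pair is compared the same way as an address bitmask, and that rules are evaluated top-down with the first match winning; all function and variable names are hypothetical.

```python
import ipaddress

MASK32 = 0xFFFFFFFF
SYN, ACK = 0x02, 0x10  # TCP flag bits, decimal 2 and 16


def _to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def addr_matches(rule_addr, rule_mask, packet_addr):
    """ACL address bitmask: a 1 bit must match, a 0 bit is ignored."""
    mask = _to_int(rule_mask)
    return (_to_int(packet_addr) & mask) == (_to_int(rule_addr) & mask)


def covered_range(rule_addr, rule_mask):
    """Return (first, last) address covered by a rule with a contiguous mask.

    A non-contiguous mask does not describe a single range, so it is
    rejected rather than silently summarised.
    """
    mask = _to_int(rule_mask)
    ignored = ~mask & MASK32
    if ignored & (ignored + 1):
        raise ValueError("bitmask %s is not contiguous" % rule_mask)
    first = _to_int(rule_addr) & mask
    last = first | ignored
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def flags_match(code, code_mask, tcp_flags):
    """control-flag <code> <bitmask>: only the bits set in the bitmask are compared (assumption)."""
    return (tcp_flags & code_mask) == (code & code_mask)


def first_matching_rule(rules, src):
    """Return (index, action) of the first rule matching src, or None (first-match order is an assumption)."""
    for index, (action, addr, mask) in enumerate(rules):
        if addr_matches(addr, mask, src):
            return index, action
    return None


# The two standard ACL rules from the page 347 example, with "host" written as a full mask.
STANDARD_ACL = [
    ("permit", "10.1.1.21", "255.255.255.255"),
    ("permit", "168.92.16.0", "255.255.240.0"),
]

if __name__ == "__main__":
    for action, addr, mask in STANDARD_ACL:
        print(action, addr, mask, "covers", covered_range(addr, mask))
    # Constructed test sources: one inside the second rule, one just outside it.
    for src in ("168.92.31.200", "168.92.32.1"):
        print(src, "->", first_matching_rule(STANDARD_ACL, src))
    # "control-flag 2 2" compares only the SYN bit, so SYN+ACK also matches.
    print("SYN     with 2/2 :", flags_match(2, 2, SYN))
    print("SYN+ACK with 2/2 :", flags_match(2, 2, SYN | ACK))
    # Comparing SYN and ACK bits together (bitmask 18) excludes SYN+ACK.
    print("SYN+ACK with 2/18:", flags_match(2, 18, SYN | ACK))
```

    Under these assumptions, a rule written as control-flag 2 2 also matches SYN+ACK segments, because only the SYN bit is compared.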
  • Page 350: Show Ip Access-Group

    Command Line Interface Command Usage • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. •...
  • Page 351: Show Map Access-List Ip

    Access Control List Commands Command Usage A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table. For information on mapping the CoS values to output queues, see queue cos-map on page 4-201. Table 4-36 Egress Queue Priority Mapping Queue Priority...
  • Page 352: Mac Acls

    Command Line Interface MAC ACLs Table 4-37 MAC ACLs Command Function Mode Page access-list mac Creates a MAC ACL and enters configuration mode 4-110 permit, deny Filters packets matching a specified source and MAC-ACL 4-111 destination address, packet format, and Ethernet type show mac access-list Displays the rules for configured MAC ACLs 4-112...
  • Page 353: Permit, Deny (Mac Acl)

    Access Control List Commands Related Commands permit, deny (MAC ACL) (4-111) mac access-group (4-112) show mac access-list (4-112) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 354: Show Mac Access-List

    Command Line Interface Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (4-110) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name –...
  • Page 355: Show Mac Access-Group

    Access Control List Commands Command Usage • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example Console(config)#interface ethernet 1/25 Console(config-if)#mac access-group jerry in...
  • Page 356: Show Map Access-List Mac

    Command Line Interface Command Usage • You must configure an ACL mask before you can map CoS values to the rule. • A packet matching a rule within the specified ACL is mapped to one of the output queues as shown below. Table 4-38 Egress Queue Priority Mapping Queue Priority...
  • Page 357: Acl Information

    Access Control List Commands ACL Information Table 4-39 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-115 show access-group Shows the ACLs assigned to each port 4-115 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 358: Snmp Commands

    Command Line Interface SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 359: Snmp-Server

    SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications.
  • Page 360: Snmp-Server Community

    Command Line Interface Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors...
  • Page 361: Snmp-Server Contact

    SNMP Commands • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information.
  • Page 362: Snmp-Server Host

    Command Line Interface Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-119) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}...
  • Page 363 SNMP Commands • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
  • Page 364: Snmp-Server Enable Traps

    Command Line Interface supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications. • If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.
  • Page 365: Snmp-Server Engine-Id

    SNMP Commands conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-126). Example Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands snmp-server host (4-120) snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
  • Page 366: Show Snmp Engine-Id

    Command Line Interface • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 4-128).
  • Page 367: Snmp-Server View

    SNMP Commands snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
  • Page 368: Show Snmp View

    Command Line Interface show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile...
  • Page 369: Show Snmp Group

    SNMP Commands Default Setting • Default groups: public (read only), private (read/write) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothing is defined. • notifyview - Nothing is defined. Command Mode Global Configuration Command Usage •...
  • Page 370: Snmp-Server User

    Command Line Interface Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v2c...
  • Page 371 SNMP Commands • remote - Specifies an SNMP engine on a remote device. • ip-address - The Internet address of the remote device. • v1 | v2c | v3 - Use SNMP version 1, 2c or 3. • encrypted - Accepts the password as encrypted input. •...
  • Page 372: Show Snmp User

    Command Line Interface show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
  • Page 373: Interface Commands

    Interface Commands Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-45 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 4-131 mode description Adds a description to an interface configuration...
  • Page 374: Description

    Command Line Interface Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 375: Negotiation

    Interface Commands Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
  • Page 376: Capabilities

    Command Line Interface • If autonegotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example The following example configures port 11 to use autonegotiation. Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)# Related Commands capabilities (4-134) speed-duplex (4-132) capabilities This command advertises the port capabilities of a given interface during autonegotiation.
  • Page 377: Flowcontrol

    Interface Commands Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (4-133) speed-duplex (4-132) flowcontrol (4-135) flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting...
  • Page 378: Shutdown

    Command Line Interface Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-133) capabilities (flowcontrol, symmetric) (4-134) shutdown This command disables an interface. To restart a disabled interface, use the no form.
  • Page 379: Switchport Broadcast Packet-Rate

    Interface Commands switchport broadcast packet-rate This command configures broadcast storm control. Use the no form to disable broadcast storm control. Syntax switchport broadcast octet-rate rate no switchport broadcast rate - Threshold level as a rate; i.e., octets per second. (Range: 64-95232000) Default Setting Enabled for all ports Packet-rate limit: 32000 octets per second...
  • Page 380: Show Interfaces Status

    Command Line Interface Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 381: Show Interfaces Counters

    Interface Commands Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-00-AB-CD-00-01 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, Broadcast storm: Enabled Broadcast storm limit: 32000 octets/second Flow control: Disabled Lacp: Disabled...
  • Page 382: Show Interfaces Switchport

    Command Line Interface Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1...
  • Page 383: Table 4-46 Interfaces Switchport Statistics

    Interface Commands Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast threshold: Enabled, 600 octets/second LACP status: Enabled Ingress rate limit: disable, Level: 30 Egress rate limit: disable, Level: 30 VLAN membership mode: Hybrid Ingress rule: Disabled...
  • Page 384: Mirror Port Commands

    Command Line Interface Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-47 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 4-142 show port monitor Shows the configuration for a mirror port 4-143 port monitor...
  • Page 385: Show Port Monitor

    Mirror Port Commands Example The following example configures the switch to mirror received packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
  • Page 386: Rate Limit Commands

    Command Line Interface Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 387: Rate-Limit Granularity

    Rate Limit Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input level 20 Console(config-if)# rate-limit granularity Use this command to define the rate limit granularity for the Fast Ethernet ports, and the Gigabit Ethernet ports. Use the no form of this command to restore the default setting.
  • Page 388: Link Aggregation Commands

    Command Line Interface Command Usage • For Fast Ethernet interfaces, the rate limit granularity is 512 Kbps, 1 Mbps, or 3.3 Mbps. • For Gigabit Ethernet interfaces, the rate limit granularity is 33.3 Mbps. Example Console#show rate-limit Fast ethernet granularity: 1000 Gigabit ethernet granularity: 33300...
  • Page 389: Channel-Group

    Link Aggregation Commands Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports. •...
  • Page 390: Lacp

    Command Line Interface Command Usage • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch. Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1...
  • Page 391: Lacp System-Priority

    Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 392: Lacp Admin-Key (Ethernet Interface)

    Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 393: Lacp Admin-Key (Port Channel)

    Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 394: Lacp Port-Priority

    Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 395: Table 4-50 Show Lacp Counters - Display Description

    Link Aggregation Commands Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Channel group : 1 ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-50 show lacp counters - display description...
  • Page 396: Table 4-51 Show Lacp Internal - Display Description

    Command Line Interface Console#show lacp 1 internal Port Channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP-activity Oper State : distributing, collecting, synchronization, aggregation,...
  • Page 397: Table 4-52 Show Lacp Neighbors - Display Description

    Link Aggregation Commands Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
  • Page 398: Address Table Commands

    Command Line Interface Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 Console# Table 4-53 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group.
  • Page 399: Mac-Address-Table Static

    Address Table Commands mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id •...
  • Page 400: Clear Mac-Address-Table Dynamic

    Command Line Interface clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database.
  • Page 401: Mac-Address-Table Aging-Time

    Address Table Commands means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address...
  • Page 402: Spanning Tree Commands

    Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-55 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-161 spanning-tree mode...
  • Page 403: Spanning-Tree

    Spanning Tree Commands spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
  • Page 404: Spanning-Tree Forward-Time

    Command Line Interface - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
  • Page 405: Spanning-Tree Hello-Time

    Spanning Tree Commands Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 406: Spanning-Tree Max-Age

    Command Line Interface spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 407: Spanning-Tree Pathcost Method

    Spanning Tree Commands Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 408: Spanning-Tree Transmission-Limit

    Command Line Interface spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting Command Mode Global Configuration...
  • Page 409: Mst Vlan

    Spanning Tree Commands mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range •...
  • Page 410: Mst Priority

    Command Line Interface mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) •...
  • Page 411: Revision

    Spanning Tree Commands The MST region name and revision number (page 4-169) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 412: Spanning-Tree Spanning-Disabled

    Command Line Interface Default Setting Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 413: Spanning-Tree Port-Priority

    Spanning Tree Commands The recommended range is: •Ethernet: 200,000-20,000,000 •Fast Ethernet: 20,000-2,000,000 •Gigabit Ethernet: 2,000-200,000 Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
  • Page 414: Spanning-Tree Edge-Port

    Command Line Interface Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 415: Spanning-Tree Portfast

    Spanning Tree Commands spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port.
  • Page 416: Spanning-Tree Mst Cost

    Command Line Interface Default Setting auto Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges. •...
  • Page 417: Spanning-Tree Mst Port-Priority

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
  • Page 418: Spanning-Tree Protocol-Migration

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 port-priority 0 Console(config-if)# Related Commands spanning-tree mst cost (4-174) spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface •...
  • Page 419 Spanning Tree Commands • port-channel channel-id (Range: 1-32) • instance_id - Instance identifier of the multiple spanning tree. (Range: 0-4094, no leading zeroes) Default Setting None Command Mode Privileged Exec Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
  • Page 420: Show Spanning-Tree Mst Configuration

    Command Line Interface --------------------------------------------------------------- 1/ 1 information --------------------------------------------------------------- Admin status: enable Role: root State: forwarding External admin path cost: 10000 Internal admin cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000 Priority: Designated cost: 200000 Designated port: 128.24 Designated root: 32768.0.0000ABCD0000...
  • Page 421: Vlan Commands

    VLAN Commands VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 422: Vlan

    Command Line Interface Example Console(config)#vlan database Console(config-vlan)# Related Commands show vlan (4-187) vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] •...
  • Page 423: Configuring Vlan Interfaces

    VLAN Commands Configuring VLAN Interfaces Table 4-58 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN 4-181 switchport mode Configures VLAN membership mode for an interface 4-182 switchport Configures frame types to be accepted by an interface 4-182 acceptable-frame-types switchport ingress-filtering...
  • Page 424: Switchport Mode

    Command Line Interface switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {trunk | hybrid | private-vlan} no switchport mode • trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
  • Page 425: Switchport Ingress-Filtering

    VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged...
  • Page 426: Switchport Native Vlan

    Command Line Interface Example The following example shows how to set the interface to port 1 and then enable ingress filtering: Console(config)#interface ethernet 1/1 Console(config-if)#switchport ingress-filtering Console(config-if)# switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
  • Page 427: Switchport Allowed Vlan

    VLAN Commands switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 428: Switchport Forbidden Vlan

    Command Line Interface switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 429: Show Vlan

    VLAN Commands show vlan This command shows VLAN information. Syntax show vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type] • id - Keyword to be followed by the VLAN ID. - vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes) •...
  • Page 430: Configuring Private Vlans

    Command Line Interface Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/secondary associated groups, and stand-alone isolated VLANs. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
  • Page 431: Private-Vlan

    VLAN Commands Use the switchport mode private-vlan command to configure ports as promiscuous (i.e., having access to all ports in the primary VLAN) or host (i.e., community port). Use the switchport private-vlan host-association command to assign a port to a secondary VLAN. Use the switchport private-vlan mapping command to assign a port to a primary VLAN.
  • Page 432: Private Vlan Association

    Command Line Interface an associated “primary” VLAN that contains promiscuous ports. When using an isolated VLAN, it must be configured to contain a single promiscuous port. • Port membership for private VLANs is static. Once a port has been assigned to a private VLAN, it cannot be dynamically moved to another VLAN via GVRP.
  • Page 433: Switchport Mode Private-Vlan

    VLAN Commands switchport mode private-vlan Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting. Syntax switchport mode private-vlan {host | promiscuous} no switchport mode private-vlan • host – This port type can subsequently be assigned to a community or isolated VLAN.
  • Page 434: Switchport Private-Vlan Isolated

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN. Example Console(config)#interface ethernet 1/3 Console(config-if)#switchport private-vlan host-association 3...
  • Page 435: Switchport Private-Vlan Mapping

    VLAN Commands switchport private-vlan mapping Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. Syntax switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes). Default Setting None Command Mode...
  • Page 436: Gvrp And Bridge Extension Commands

    Command Line Interface Example Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 isolated Console# GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 437: Show Bridge-Ext

    GVRP and Bridge Extension Commands Example Console(config)#bridge-ext gvrp Console(config)# show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Enabling or Disabling GVRP (Global Setting)” on page 3-142 and “Displaying Bridge Extension Capabilities”...
  • Page 438: Show Gvrp Configuration

    Command Line Interface show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-26/52) • port-channel channel-id (Range: 1-4) Default Setting Shows both global and interface-specific configuration.
  • Page 439: Show Garp Timer

    GVRP and Bridge Extension Commands Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
  • Page 440: Priority Commands

    Command Line Interface Related Commands garp timer (4-196) Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 441: Queue Mode

    Priority Commands queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
  • Page 442: Queue Bandwidth

    Command Line Interface Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
  • Page 443: Queue Cos-Map

    Priority Commands Command Mode Global Configuration Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example This example shows how to assign WRR weights to priority queues 1 - 3: Console(config)#queue bandwidth 6 9 12 Console(config)# Related Commands show queue bandwidth (4-202)
  • Page 444: Show Queue Mode

    Command Line Interface Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to map CoS values 0, 1 and 2 to egress queue 0, value 3 to egress queue 1, values 4 and 5 to egress queue 2, and values 6 and 7 to egress queue 3: Console(config)#interface ethernet 1/1...
  • Page 445: Show Queue Cos-Map

    Priority Commands Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - This is unit 1. - port - Port number.
  • Page 446: Priority Commands (Layer 3 And 4)

    Command Line Interface Priority Commands (Layer 3 and 4) Table 4-65 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip port Enables TCP class of service mapping 4-204 map ip port Maps TCP socket to a class of service 4-205 map ip precedence Enables IP precedence class of service mapping...
  • Page 447: Map Ip Port (Interface Configuration)

    Priority Commands map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number • port-number - 16-bit TCP/UDP port number. (Range: 1-65535) •...
  • Page 448: Map Ip Precedence (Interface Configuration)

    Command Line Interface Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
  • Page 449: Map Ip Dscp (Global Configuration)

    Priority Commands map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 450: Show Map Ip Port

    Command Line Interface Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-67 IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16 18, 20, 22, 24...
  • Page 451: Show Map Ip Precedence

    Priority Commands Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port Port no. COS --------- -------- --- Eth 1/ 5 Console# Related Commands map ip port (Global Configuration) (4-204)
  • Page 452: Show Map Ip Dscp

    Command Line Interface Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --- Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Console# Related Commands...
  • Page 453: Multicast Filtering Commands

    Multicast Filtering Commands Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (4-207)
  • Page 454: Ip Igmp Snooping

    Command Line Interface Table 4-69 IGMP Snooping Commands Command Function Mode Page ip igmp snooping version Configures the IGMP version for snooping 4-213 ip igmp snooping Enables IGMP immediate leave for a VLAN interface 4-213 immediate-leave show ip igmp snooping Shows the IGMP snooping and query configuration 4-214 show mac-address-table...
  • Page 455: Ip Igmp Snooping Version

    Multicast Filtering Commands Command Mode Global Configuration Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
  • Page 456: Show Ip Igmp Snooping

    Command Line Interface Default Setting Disabled Command Mode Interface Configuration (VLAN) Command Usage The IGMP snooping immediate-leave feature enables a Layer 2 LAN interface to be removed from the multicast forwarding table without first sending an IGMP group-specific query to the interface. Upon receiving a group-specific IGMPv2 leave message, the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port.
  • Page 457 Multicast Filtering Commands Syntax show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] • vlan-id - VLAN ID (1 to 4094) • user - Display only the user-configured multicast entries. • igmp-snooping - Display only entries learned through IGMP snooping. Default Setting None Command Mode Privileged Exec...
  • Page 458: Igmp Query Commands (Layer 2)

    Command Line Interface IGMP Query Commands (Layer 2) Table 4-70 IGMP Query Commands (Layer 2) Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 4-216 ip igmp snooping Configures the query count 4-216 query-count ip igmp snooping...
  • Page 459: Ip Igmp Snooping Query-Interval

    Multicast Filtering Commands Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-max-response-time.
  • Page 460: Ip Igmp Snooping Query-Max-Response-Time

    Command Line Interface ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default. Syntax ip igmp snooping query-max-response-time seconds no ip igmp snooping query-max-response-time seconds - The report delay advertised in IGMP queries. (Range: 5-25) Default Setting 10 seconds Command Mode...
  • Page 461: Static Multicast Routing Commands

    Multicast Filtering Commands Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Console(config)#ip igmp snooping router-port-expire-time 300 Console(config)# Related Commands ip igmp snooping version (4-213)
  • Page 462: Show Ip Igmp Snooping Mrouter

    Command Line Interface Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 463: Igmp Filtering And Throttling Commands

    Multicast Filtering Commands IGMP Filtering and Throttling Commands In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 464: Ip Igmp Profile

    Command Line Interface • IGMP filtering and throttling only applies to dynamically learned multicast groups; it does not apply to statically configured groups. • The IGMP filtering feature operates in the same manner when MVR is used to forward the multicast traffic. Example Console(config)#ip igmp filter Console(config)#...
  • Page 465: Range

    Multicast Filtering Commands Command Usage • Each profile has only one access mode; either permit or deny. • When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
  • Page 466: Ip Igmp Max-Groups

    Command Line Interface Default Setting None Command Mode Interface Configuration Command Usage • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface. •...
  • Page 467: Ip Igmp Max-Groups Action

    Multicast Filtering Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#ip igmp max-groups 10 Console(config-if)# ip igmp max-groups action This command sets the IGMP throttling action for an interface on the switch. Syntax ip igmp max-groups action <replace | deny> • replace - The new multicast group replaces an existing group. •...
  • Page 468: Show Ip Igmp Throttle Interface

    Command Line Interface Command Mode Privileged Exec Example Console#show ip igmp filter IGMP filter enable Console#show ip igmp filter interface ethernet 1/1 Information of Eth 1/1 IGMP Profile 19 deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch.
  • Page 469: Multicast Vlan Registration Commands

    Multicast Filtering Commands • port-channel channel-id (Range: 1-4) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ip igmp throttle interface ethernet 1/1 Information of Eth 1/1 status : TRUE action : deny max multicast groups : 32 current multicast groups : 0...
  • Page 470: Mvr (Global Configuration)

    Command Line Interface mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 471: Mvr (Interface Configuration)

    Multicast Filtering Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
  • Page 472: Show Mvr

    Command Line Interface response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list. • Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
  • Page 473: Table 4-74 Show Mvr - Display Description

    Multicast Filtering Commands Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN. Example The following shows the global MVR settings: Console#show mvr...
  • Page 474: Domain Name Service Commands

    Command Line Interface The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Console#show mvr members MVR Group IP Status Members ---------------- -------- ------- 225.0.0.1 ACTIVE eth1/1(d), eth1/2(s) 225.0.0.2 INACTIVE None 225.0.0.3 INACTIVE None 225.0.0.4 INACTIVE None...
  • Page 475: Clear Host

    Domain Name Service Commands (Continued) Table 4-77 DNS Commands Command Function Mode Page show dns Displays the configuration for DNS services 4-238 show dns cache Displays entries in the DNS cache 4-238 clear dns cache Clears all entries from the DNS cache 4-239 ip host This command creates a static entry in the DNS table that maps a host name to an...
  • Page 476: Ip Domain-Name

    Command Line Interface • * - Removes all entries. Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table. Console(config)#clear host * Console(config)# ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation).
  • Page 477: Ip Domain-List

    Domain Name Service Commands ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list. Syntax [no] ip domain-list name name - Name of the host.
  • Page 478: Ip Name-Server

    Command Line Interface ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list. Syntax [no] ip name-server server-address1 [server-address2 … server-address6] •...
  • Page 479: Show Hosts

    Domain Name Service Commands Default Setting Disabled Command Mode Global Configuration Command Usage • At least one name server must be specified before you can enable DNS. • If all name servers are deleted, DNS will automatically be disabled. Example This example enables DNS and then displays the configuration.
  • Page 480: Show Dns

    Command Line Interface show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache.
  • Page 481: Show Dns

    Domain Name Service Commands clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache FLAG TYPE DOMAIN Console#
  • Page 482: Dhcp Commands

    Command Line Interface DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) relay and Option 82 functions. The switch can be configured to relay DHCP client configuration requests to a DHCP server on another network and include information about the switch and its DHCP clients.
  • Page 483: Ip Dhcp Relay Information Policy

    DHCP Commands ip dhcp relay information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp relay information policy <drop | keep | replace> • drop - Discards the client’s DHCP information and then floods the packet to the VLAN.
  • Page 484: Show Ip Dhcp-Relay

    Command Line Interface Usage Guidelines You must specify the IP address for at least one DHCP server. Otherwise, the switch’s DHCP relay agent will not operate and all DHCP request and reply packets will be flooded to the entire VLAN. Example Console(config)#ip dhcp relay server 192.168.1.9 192.168.1.54 Console(config)#...
  • Page 485: Ip Dhcp Relay Information Option

    IP Interface Commands IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 486: Ip Default-Gateway

    Command Line Interface Command Usage • You must assign an IP address to this device to gain management access over the network. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 487: Ip Dhcp Restart

    IP Interface Commands Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254 Console(config)# Related Commands show ip redirects (4-246) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage •...
  • Page 488: Show Ip Redirects

    Command Line Interface Example Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified. Console# Related Commands show ip redirects (4-246) show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode...
  • Page 489 IP Interface Commands - Normal response - The normal response occurs in one to ten seconds, depending on network traffic. - Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. - Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
  • Page 490: Switch Cluster Commands

    Command Line Interface Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster. The management station uses Telnet to communicate directly with the Commander through its IP address, and the Commander manages Member switches using cluster “internal”...
  • Page 491: Cluster Commander

    Switch Cluster Commands Example Console(config)#cluster Console(config)# cluster commander This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. Syntax [no] cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 492: Cluster Member

    Command Line Interface Command Usage • An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
  • Page 493: Show Cluster

    Switch Cluster Commands Command Mode Privileged Exec Command Usage • This command only operates through a Telnet connection to the Commander switch. Managing cluster Members using the local console CLI on the Commander is not supported. • There is no need to enter the username and password for access to the...
  • Page 494: Show Cluster Candidates

    Command Line Interface show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example Console#show cluster candidates Cluster Candidates: Role Description --------------- ----------------- ----------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 24/48 L2/L4 IPV4/IPV6 GE Switch CANDIDATE 00-12-cf-0b-47-a0 24/48 L2/L4 IPV4/IPV6 GE Switch Console#
  • Page 495: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists IP, MAC (up to 88 lists) DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex Flow Control Full Duplex: IEEE 802.3-2002 Half Duplex: Back pressure...
  • Page 496: Management Features

    Software Specifications Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 console port Software Loading TFTP in-band or XModem out-of-band...
  • Page 497: Management Information Bases

    Management Information Bases Management Information Bases Bridge MIB (RFC 1493) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933) Interface Group MIB (RFC 2233) Interfaces Evolution MIB (RFC 2863) IP Multicasting related MIBs MAU MIB (RFC 2668)
  • Page 498 Software Specifications...
  • Page 499: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, • Be sure the switch is powered up. web browser, or SNMP • Check network cabling between the management station and the switch. software •...
  • Page 500: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 501: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 502 Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so...
  • Page 503 Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
  • Page 504 Glossary MD5 Message-Digest Algorithm An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
  • Page 505 Glossary Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types. Rapid Spanning Tree Protocol (RSTP) RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.
  • Page 506 Glossary User Datagram Protocol (UDP) provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
  • Page 507: Index

    Index Numerics 802.1X, port authentication 3-68 default gateway, configuration 3-14, 4-245 default priority, ingress port 3-158, 4-199 acceptable frame type 3-150, 4-182 default settings, system 1-5 Access Control List See ACL DHCP 3-16, 4-244 client 3-14, 4-233 Extended IP 3-83, 4-102, 4-103, dynamic configuration 2-5 4-105 DHCP Relay Option 82 3-17...
  • Page 508 Index link type, STA 3-129, 3-131, 4-173 logging GARP VLAN Registration Protocol See syslog traps 4-47 GVRP to syslog servers 4-46 gateway, default 3-14, 4-245 log-in, Web interface 3-2 GVRP logon authentication 3-54, 4-76 global setting 4-194 RADIUS client 4-78 interface configuration 3-150, 4-195 RADIUS server 4-78 GVRP, global setting 3-142...
  • Page 509 Index path cost 3-120, 3-128 method 3-124, 4-165 secure shell 3-61, 4-35 STA 3-120, 3-128, 4-165 Secure Shell configuration 3-61, 4-38 port authentication 3-68 serial port port priority configuring 4-11 configuring 3-158, 4-198 Simple Network Management Protocol default ingress 3-158, 4-199 See SNMP STA 3-129, 4-171 SNMP 3-38...
  • Page 510 Index 3-148, 4-185 creating 3-145, 4-180 TACACS+, logon authentication 3-56, description 3-139, 3-158 4-81 displaying basic information 3-142, time, setting 3-35, 4-54 4-195 traffic class weights 3-163, 4-200 displaying port members 3-143, trap manager 2-7, 3-41, 4-120 4-187 troubleshooting B-1 egress mode 3-151, 4-182 trunk interface configuration 3-150,...
  • Page 512 ES3526XA ES3552XA E122006-CS-R02D 149100005500H...

This manual is also suitable for:

Edge-core es3526xa, Edge-core es3552xa
