Contents Section I: Getting Started Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access...
Contents Manual Configuration Using DHCP/BOOTP 4-10 Managing Firmware 4-11 Downloading System Software from a Server 4-12 Saving or Restoring Configuration Settings 4-14 Downloading Configuration Settings from a Server 4-15 Console Port Settings 4-16 Telnet Settings 4-18 Configuring Event Logging 4-20 System Log Configuration 4-20 Remote Log Configuration...
Contents Chapter 7: Client Security Configuring Port Security Chapter 8: Access Control Lists Configuring Access Control Lists Setting the ACL Name and Type Configuring a Standard ACL Configuring an Extended ACL Configuring a MAC ACL Configuring ACL Masks Specifying the Mask Type Configuring an IP ACL Mask 8-10 Configuring a MAC ACL Mask...
Contents Displaying Basic VLAN Information 12-4 Displaying Current VLANs 12-5 Creating VLANs 12-6 Adding Static Members to VLANs (VLAN Index) 12-7 Adding Static Members to VLANs (Port Index) 12-9 Configuring VLAN Behavior for Interfaces 12-10 Configuring IEEE 802.1Q Tunneling 12-12 Adding an Interface to a QinQ Tunnel 12-16 Configuring Private VLANs...
Contents Assigning Static Multicast Groups to Interfaces 15-15 Chapter 16: Domain Name Service 16-1 Configuring General DNS Service Parameters 16-1 Configuring Static DNS Host to Address Entries 16-3 Displaying the DNS Cache 16-5 Section III: Command Line Interface Chapter 17: Overview of Command Line Interface 17-1 Using the Command Line Interface 17-1...
Contents show system 19-6 show users 19-7 show version 19-7 System Mode Commands 19-8 system mode 19-8 show system mode 19-9 System MTU Commands 19-9 jumbo frame 19-10 system mtu 19-11 show system mtu 19-11 File Management Commands 19-12 copy 19-13 delete 19-15...
Contents show logging sendmail 19-37 Time Commands 19-37 sntp client 19-38 sntp server 19-39 sntp poll 19-39 show sntp 19-40 clock timezone 19-40 calendar set 19-41 show calendar 19-42 Chapter 20: SNMP Commands 20-1 snmp-server 20-2 show snmp 20-2 snmp-server community 20-3 snmp-server contact 20-4...
Contents Web Server Commands 21-11 ip http port 21-11 ip http server 21-12 ip http secure-server 21-12 ip http secure-port 21-13 Telnet Server Commands 21-14 ip telnet server 21-14 Secure Shell Commands 21-15 ip ssh server 21-17 ip ssh timeout 21-18 ip ssh authentication-retries 21-19...
Contents ip dhcp snooping vlan 22-9 ip dhcp snooping binding 22-10 ip dhcp snooping verify mac-address 22-11 ip dhcp snooping database flash 22-12 ip dhcp snooping trust 22-12 show ip dhcp snooping 22-13 show ip dhcp snooping binding 22-13 Chapter 23: Access Control List Commands 23-1 IP ACLs 23-1...
Contents show interfaces switchport 24-11 Chapter 25: Link Aggregation Commands 25-1 channel-group 25-2 lacp 25-2 lacp system-priority 25-4 lacp admin-key (Ethernet Interface) 25-4 lacp admin-key (Port Channel) 25-5 lacp port-priority 25-6 show lacp 25-7 Chapter 26: Mirror Port Commands 26-1 port monitor 26-1 show port monitor...
Contents spanning-tree link-type 29-15 spanning-tree mst cost 29-16 spanning-tree mst port-priority 29-17 spanning-tree protocol-migration 29-18 show spanning-tree 29-18 show spanning-tree mst configuration 29-20 Chapter 30: VLAN Commands 30-1 GVRP and Bridge Extension Commands 30-1 bridge-ext gvrp 30-2 show bridge-ext 30-2 switchport gvrp 30-3 show gvrp configuration...
Contents queue bandwidth 31-4 queue cos-map 31-4 show queue bandwidth 31-5 show queue cos-map 31-6 vlan priority 31-6 show vlan based priority 31-7 Priority Commands (Layer 3 and 4) 31-8 map ip port (Global Configuration) 31-8 map ip port (Interface Configuration) 31-9 map ip precedence (Global Configuration) 31-9...
Contents show ip igmp snooping mrouter 33-11 Multicast VLAN Registration Commands 33-11 mvr (Global Configuration) 33-12 mvr (Interface Configuration) 33-13 show mvr 33-14 Chapter 34: Domain Name Service Commands 34-1 ip host 34-1 clear host 34-2 ip domain-name 34-3 ip domain-list 34-3 ip name-server 34-4...
Figures Figure 3-1 Home Page Figure 3-2 Front Panel Indicators Figure 4-1 System Information Figure 4-2 System Mode Figure 4-3 System MTU Figure 4-4 Configuring Support for Jumbo Frames Figure 4-5 Switch Information Figure 4-6 Displaying Bridge Extension Configuration Figure 4-7 IP Interface Configuration - Manual Figure 4-8 IP Interface Configuration - DHCP...
Figures Figure 13-3 Queue Mode 13-5 Figure 13-4 Queue Scheduling 13-6 Figure 13-5 IP Precedence/DSCP Priority Status 13-8 Figure 13-6 IP Precedence Priority 13-9 Figure 13-7 IP DSCP Priority 13-10 Figure 13-8 IP Port Priority Status 13-11 Figure 13-9 IP Port Priority 13-12 Figure 14-1 Configuring Class Maps...
Section I: Getting Started
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
Introduction
Initial Configuration
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Table 1-1 Key Features (Continued)
Feature | Description
Virtual LANs | Up to 255 using IEEE 802.1Q, port-based, protocol-based VLANs, private VLANs, and QinQ tunneling
Traffic Prioritization | Default port priority, VLAN priority, traffic class map, queue scheduling, IP Precedence, or Differentiated Services Code Point (DSCP), and TCP/UDP Port
Quality of Service | Supports Differentiated Services (DiffServ)
Multicast Filtering...
Description of Software Features
Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 32 MB for frame buffering.
Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data. This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 4-15). The following table lists some of the basic system defaults.
Table 1-2 System Defaults
Function | Parameter...
Table 1-2 System Defaults (Continued)
Function | Parameter | Default
SNMP | SNMP Agent | Enabled
SNMP | Community Strings | “public” (read only), “private” (read/write)
SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: defaultview; Group: public (read only); private (read/write)
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation...
Introduction Table 1-2 System Defaults (Continued) Function Parameter Default Traffic Prioritization Ingress Port Priority Queue Mode Weighted Round Robin Queue: 0 1 2 3 4 5 6 7 Weight: 1 2 4 6 8 10 12 14 IP Precedence Priority Disabled IP DSCP Priority Disabled...
Chapter 2: Initial Configuration
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
• Configure up to 12 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics
Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. An IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
Setting Passwords
Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them, and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Network mask for this network
• Default gateway for the network
To assign an IP address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1”...
Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp...
The default strings are:
• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
Managing System Files Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files.
Section II: Switch Management This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and a brief example for the Command Line Interface. Configuring the Switch ......... 3-1 Basic Management Tasks .
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password “admin” is used for the administrator.
Navigating the Web Browser Interface Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Switch Main Menu Menu Description Page...
Navigating the Web Browser Interface Table 3-2 Switch Main Menu (Continued) Menu Description Page SNMPv3 Engine ID Sets the SNMP v3 engine ID Remote Engine ID Sets the SNMP v3 engine ID on a remote device Users Configures SNMP v3 users Remote Users Configures SNMP v3 users on a remote device 5-11...
Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description Page LACP Configuration Allows ports to dynamically join trunks Aggregation Port Configures parameters for link aggregation group members 9-10 Port Counters Information Displays statistics for LACP protocol messages 9-13 Port Internal Information Displays settings and operational state for the local side 9-14...
Navigating the Web Browser Interface Table 3-2 Switch Main Menu (Continued) Menu Description Page Trunk Configuration Configures trunk settings for a specified MST instance 11-20 VLAN 12-1 802.1Q VLAN 12-1 GVRP Status Enables GVRP VLAN registration protocol 12-4 Basic Information Displays information on the VLAN type supported by this switch 12-4 Current Table...
Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description Page 14-1 DiffServ Configure QoS classification criteria and service policies 14-1 Class Map Creates a class map for a type of traffic 14-2 Policy Map Creates a policy map for multiple interfaces 14-5 Service Policy Applies a policy map defined to an ingress port...
Chapter 4: Basic Management Tasks This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
Basic Management Tasks Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 4-1 System Information CLI –...
Configuring the Switch for Normal Operation or Tunneling Mode
POST Result:
DUMMY Test 1 ............... PASS
UART Loopback Test ......... PASS
DRAM Test .................. PASS
Timer Test ................. PASS
I2C Bus Initialization ..... PASS
Switch Int Loopback Test ... PASS
Console#
* ES3528-WDM System Description: 24 port WDM Metro Access Switch
†...
Basic Management Tasks Configuring the Maximum Frame Size The maximum transfer unit (or frame size) for traffic crossing the switch should be set to minimize unnecessary fragmentation and maximize the transfer of large sequential data streams. Command Usage • Fast Ethernet ports are only affected by the System MTU setting. •...
CLI – This example sets the MTU for Fast Ethernet ports to 1528 bytes.
Console(config)#system mtu 1528
Console(config)#exit
Console#show system mtu
System MTU size is 1528 Bytes
System Jumbo MTU size is 1518 Bytes
Console#
Configuring Support for Jumbo Frames
The switch provides more efficient throughput for large sequential data transfers by...
Basic Management Tasks Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
Displaying Bridge Extension Capabilities
CLI – Use the following command to display version information.
Console#show version
Unit 1
Serial Number: 0000E8900000
Hardware Version:
EPLD Version: 0.01
Number of Ports:
Agent (Master)
Unit ID:
Loader Version: 1.0.0.1
Boot ROM Version: 1.0.0.7
Operation Code Version: 1.0.1.7...
Basic Management Tasks Web – Click System, Bridge Extension. Figure 4-6 Displaying Bridge Extension Configuration CLI – Enter the following command. 30-2 Console#show bridge-ext Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable:...
Setting the Switch’s IP Address Command Attributes • Management VLAN – ID of the configured VLAN (1-4093). By default, all ports on the stack are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.253 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
Console(config)#
Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the stack to be dynamically configured by these services.
Managing Firmware
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the stack is moved to another network segment, you will lose management access to the stack. In this case, you can reboot the stack or submit a client request to restart DHCP service via the CLI.
Basic Management Tasks Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web –...
Managing Firmware To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 4-11 Deleting Files CLI –...
Basic Management Tasks Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes •...
Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
Console Port Settings • Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None) • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal).
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Console(config)#line console
Console(config-line)#login local
Console(config-line)#password 0 secret...
Telnet Settings • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) •...
Basic Management Tasks Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Configuring Event Logging Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 4-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
Basic Management Tasks Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 4-17 Remote Logs CLI –...
Configuring Event Logging Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Basic Management Tasks • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list. •...
Resetting the System CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
Basic Management Tasks Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings.
Console(config)#sntp client
Console(config)#sntp poll 16
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2
Console(config)#exit
Console#show sntp
Current time: 6 14:56:05 2004...
Chapter 5: Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Simple Network Management Protocol Table 5-1 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security noAuthNoPriv public defaultview none none Community string only (read only) noAuthNoPriv private defaultview defaultview none Community string only (read/write) noAuthNoPriv user defined user defined user defined user defined Community string only noAuthNoPriv public defaultview...
Setting Community Access Strings Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Simple Network Management Protocol Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
Specifying Trap Managers and Trap Types Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. •...
Simple Network Management Protocol Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add.
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, do so before configuring other SNMP parameters.
2. Specify read and write access views for the switch MIB tree.
3....
Simple Network Management Protocol Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
Configuring SNMPv3 Management Access Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, or notify view. Command Attributes •...
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Configuring SNMPv3 Management Access Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read and a write view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Configuring SNMPv3 Management Access Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
Simple Network Management Protocol Table 5-2 Supported Notification Messages (Continued) Object Label Object ID Description 1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity, linkUp acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state).
Configuring SNMPv3 Management Access Table 5-2 Supported Notification Messages (Continued) Object Label Object ID Description swThermalFalling 1.3.6.1.4.1.259.8.2.2.2.1.0.59 This trap is sent when the temperature falls below Notification the switchThermalActionFallingThreshold. swModuleInsertion 1.3.6.1.4.1.259.8.2.2.2.1.0.60 This trap is sent when a module is inserted. Notificaiton swModuleRemoval 1.3.6.1.4.1.259.8.2.2.2.1.0.61...
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview
Console(config)#exit
Console#show snmp group...
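An audit of the SNMP settings this manual describes (default community strings and SNMPv3 group levels), as an added example that is not part of the manual or the vendor's software. The `snmp-server group` form follows the manual's CLI example; the `snmp-server community <string> <ro|rw>` line format, the `auth`/`noauth` level keywords, the policy of requiring `priv` for write access, and the sample configuration are assumptions.

```python
import re

# Default community strings named in the manual.
DEFAULT_COMMUNITIES = {"public", "private"}
# SNMPv3 level keywords: "priv" appears in the manual's example,
# "auth" and "noauth" are assumed here.
LEVEL_RANK = {"noauth": 0, "auth": 1, "priv": 2}

PROMPT_RE = re.compile(r"^\w+(\([\w-]+\))?#\s*")
# Assumed line format: snmp-server community <string> [ro|rw]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?$")
# Format taken from the manual's example:
# snmp-server group <name> v3 priv read <view> write <view> notify <view>
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?"
    r"((?: (?:read|write|notify) \S+)*)$"
)


def normalize(raw):
    """Drop a CLI prompt such as 'Console(config)#' and collapse whitespace."""
    line = PROMPT_RE.sub("", raw.strip())
    return " ".join(line.split())


def audit_snmp(config_text):
    """Return a list of (line_number, finding_code, detail) tuples."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = normalize(raw)

        match = COMMUNITY_RE.match(line)
        if match:
            name = match.group(1)
            access = match.group(2) or "ro"  # assumed default when omitted
            if name in DEFAULT_COMMUNITIES:
                findings.append((number, "default-community",
                                 f"community '{name}' is a factory default"))
            if access == "rw":
                findings.append((number, "rw-community",
                                 f"community '{name}' allows MIB writes "
                                 "protected by the community string only"))
            continue

        match = GROUP_RE.match(line)
        if match:
            name, model, level, rest = match.groups()
            views = dict(re.findall(r"(read|write|notify) (\S+)", rest))
            # v1/v2c groups have no authentication or privacy at all.
            rank = LEVEL_RANK.get(level or "noauth", 0) if model == "v3" else -1
            if "write" in views and rank < LEVEL_RANK["priv"]:
                findings.append((number, "write-without-priv",
                                 f"group '{name}' has write view "
                                 f"'{views['write']}' below the priv level"))
            if model == "v3" and rank == LEVEL_RANK["noauth"]:
                findings.append((number, "v3-noauth",
                                 f"group '{name}' uses SNMPv3 without "
                                 "authentication"))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community n0c-Read7 ro
Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview
snmp-server group ops v3 auth read defaultview write defaultview
snmp-server group legacy v3 noauth read defaultview
"""

if __name__ == "__main__":
    for number, code, detail in audit_snmp(SAMPLE):
        print(f"line {number}: [{code}] {detail}")
```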
Configuring SNMPv3 Management Access Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
Chapter 6: User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
User Authentication Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then click Add. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Configuring Local/Remote Logon Authentication the network. An authentication server contains a database of multiple user name/ password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport.
User Authentication - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request.
Configuring HTTPS
Console#show radius-server
Remote RADIUS server configuration:
Global settings:
Communication key with RADIUS server: *****
Server port number:
Retransmit times:
Request timeout:
Server 1:
Server IP address: 192.168.1.25
Communication key with RADIUS server: *****
Server port number: 181
Retransmit times: 5
Request timeout: 10
Console#config...
User Authentication • The following web browsers and operating systems currently support HTTPS: Table 6-1 HTTPS System Support Web Browser Operating System Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a), Windows 2000, Windows XP Netscape Navigator 6.2 or later Windows 98,Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6 •...
Configuring the Secure Shell When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one: 19-13 Console#copy tftp https-certificate TFTP server ip address: <server ip-address> Source certificate file name: <certificate file name>...
User Authentication To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
Configuring the Secure Shell stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c.
User Authentication Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. • Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM by default.
Configuring the Secure Shell CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Console#ip ssh crypto host-key generate                   21-20
Console#ip ssh save host-key                              21-21
Console#show public-key host                              21-23
...
User Authentication Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. Figure 6-5 SSH Server Settings CLI –...
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
User Authentication • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) • The RADIUS server and client also have to support the same EAP encryption method for passing authentication messages –...
Configuring 802.1X Port Authentication Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
User Authentication
• Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2)
• Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client.
Configuring 802.1X Port Authentication CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 21-29.
Console(config)#interface ethernet 1/2                    24-1
Console(config-if)#dot1x port-control auto                21-26
Console(config-if)#dot1x re-authentication                21-27
Console(config-if)#dot1x max-req 5...
User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 6-2 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
Configuring 802.1X Port Authentication Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 6-9 802.1X Port Statistics
CLI – This example displays the dot1x statistics for port 4.
Console#show dot1x statistics interface ethernet 1/4      21-29
Eth 1/4...
User Authentication Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage •...
Filtering IP Addresses for Management Access Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry.
Figure 6-10 IP Filter
CLI – This example restricts management access for Telnet clients.
Console(config)#management telnet-client 192.168.1.19     21-33
Console(config)#management telnet-client 192.168.1.25 192.168.1.30...
Chapter 7: Client Security This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
Client Security MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage • A secure port has the following restrictions: - It cannot be used as a member of a static or dynamic trunk.
Configuring Port Security Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 7-1 Port Security CLI –...
Chapter 8: Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
Access Control Lists • Each ACL can have up to 32 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
Configuring Access Control Lists Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 8-1 Selecting ACL Type CLI –...
Access Control Lists Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. Figure 8-2 ACL Configuration - Standard IPv4 CLI –...
Configuring Access Control Lists • Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535) • Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) • Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header.
Access Control Lists Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
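Added example (not part of the switch manual): how the Port Bit Mask and Control Code attributes of an extended ACL rule select traffic, and how a careless mask admits ports the rule was never meant to cover. It assumes that only the bits set in a mask are compared and that a control code is paired with a bit mask in the same way as a port; the function names, sample masks and the TCP header are constructed for illustration.

```python
import struct

# TCP flag bits in the flags byte: the 14th byte of the TCP header
# (index 13 when counting from zero).
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def field_matches(field, rule_value, mask):
    """Assumed rule semantics: only the bits set in the mask are compared."""
    return (field & mask) == (rule_value & mask)


def matched_port_ranges(rule_port, mask):
    """Return every (low, high) port range that a port/bitmask pair selects."""
    ranges, start = [], None
    for port in range(65536):
        if field_matches(port, rule_port, mask):
            if start is None:
                start = port
        elif start is not None:
            ranges.append((start, port - 1))
            start = None
    if start is not None:
        ranges.append((start, 65535))
    return ranges


def review_port_rule(rule_port, mask):
    """Summarise what a rule covers and warn about ports it admits by accident."""
    ranges = matched_port_ranges(rule_port, mask)
    warnings = []
    if rule_port & ~mask & 0xFFFF:
        warnings.append("port value has bits outside the mask; they are ignored")
    if len(ranges) > 1:
        warnings.append("mask selects non-contiguous ports")
    count = sum(high - low + 1 for low, high in ranges)
    return {"ranges": ranges, "count": count, "warnings": warnings}


def describe_control_code(code, mask):
    """Split the TCP flags into must-be-set, must-be-clear and ignored."""
    result = {"set": [], "clear": [], "ignored": []}
    for name, bit in TCP_FLAGS.items():
        if not mask & bit:
            result["ignored"].append(name)
        elif code & bit:
            result["set"].append(name)
        else:
            result["clear"].append(name)
    return result


def flags_from_header(tcp_header):
    """Extract the six flag bits from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes long")
    return tcp_header[13] & 0x3F


def build_header(flags, sport=40000, dport=23):
    """Constructed 20-byte TCP header (no options), used only as sample input."""
    return struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    # Exact match, an aligned block of 1024 ports, and a mask with one bit
    # cleared by mistake (65519 = 0xFFEF), which also admits port 64.
    for port, mask in [(80, 65535), (1024, 64512), (80, 65519)]:
        print(port, mask, review_port_rule(port, mask))

    # Control code 2 with mask 18: SYN must be set and ACK must be clear,
    # i.e. the first packet of a new TCP connection.
    print(describe_control_code(2, 18))
    for label, flags in [("SYN", 2), ("SYN+ACK", 18), ("ACK", 16)]:
        seen = flags_from_header(build_header(flags))
        print(label, "matches" if field_matches(seen, 2, 18) else "no match")
```

Running a planned rule through `review_port_rule` before entering it on the switch shows the exact ports it will cover; any warning means the value/mask pair should be reworked.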
Configuring Access Control Lists Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
Access Control Lists Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
Configuring Access Control Lists Configuring ACL Masks You must specify masks that control the order in which ACL rules are checked. ACL rules matching the first entry in the mask are checked first. Rules matching subsequent entries in the mask are then checked in the specified order. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL.
Access Control Lists CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet. 23-6 Console(config)#access-list ip mask-precedence in 23-6...
Configuring Access Control Lists Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types.
Access Control Lists Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes •...
Binding a Port to an Access Control List CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
Console(config)#access-list mac M4                        23-12
Console(config-mac-acl)#permit any any...
Access Control Lists Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress traffic, select the required ACL from the drop-down list, then click Apply. Figure 8-8 ACL Port Binding CLI –...
Chapter 9: Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
Port Configuration Field Attributes (CLI) Basic information: • Port type – Indicates port type. (100BASE-TX, 100BASE-BX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 4-8.) Configuration: •...
Configuring Interface Connections CLI – This example shows the connection status for Port 5. 24-9 Console#show interfaces status ethernet 1/5 Information of Eth 1/13 Basic information: Port type: 100TX Mac address: 00-30-F1-D4-73-A5 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Broadcast storm: Enabled Broadcast storm limit:...
Port Configuration - 100full - Supports 100 Mbps full-duplex operation - 1000full - Supports 1 Gbps full-duplex operation - Sym (Gigabit only) - Check this item to transmit and receive pause frames, or clear it to auto-negotiate the sender and receiver for asymmetric pause frames. (The current switch chip only supports symmetric pause frames.) - FC - Supports flow control Flow control can eliminate frame loss by “blocking”...
Configuring Interface Connections Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 9-2 Port - Port Configuration CLI – Select the interface, and then enter the required settings. 24-1 Console(config)#interface ethernet 1/13 Console(config-if)#description RD SW#13 24-2 24-6...
Port Configuration Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
Creating Trunk Groups Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
Port Configuration CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk. 24-1 Console(config)#interface port-channel 1 Console(config-if)#exit 24-1 Console(config)#interface ethernet 1/9 Console(config-if)#channel-group 1 25-2 Console(config-if)#exit Console(config)#interface ethernet 1/10...
Creating Trunk Groups Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
Port Configuration Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. •...
Creating Trunk Groups Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Port Configuration CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode. 24-1 Console(config)#interface ethernet 1/1 Console(config-if)#lacp actor system-priority 3 25-4 25-4 Console(config-if)#lacp actor admin-key 120...
Creating Trunk Groups Displaying LACP Port Counters You can display statistics for LACP protocol messages. Table 9-1 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received by this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group.
Port Configuration Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 9-2 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
Creating Trunk Groups Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 9-7 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 25-7 Port channel: 1...
Port Configuration Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 9-3 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
Setting Broadcast Storm Thresholds CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. 25-7 Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/2 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-01-F4-78-AE-C0...
Port Configuration • Threshold – Threshold as percentage of port bandwidth. (Options: 500-262143 packets per second; Default: 500 pps) • Trunk – Shows if port is a trunk member. Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply.
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Port Configuration Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
Showing Port Statistics CLI - This example sets the rate limit for input and output traffic passing through port 1 to 60 Mbps.
Console(config)#interface ethernet 1/1                    24-1
Console(config-if)#rate-limit input 60                    27-1
Console(config-if)#rate-limit output 60
Console(config-if)#
Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Port Configuration Table 9-4 Port Statistics (Continued) Parameter Description Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. Transmit Broadcast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this...
Showing Port Statistics Table 9-4 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Port Configuration Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 9-12 Port Statistics 9-24...
Chapter 10: Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
Address Table Settings CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset     28-1
Console(config)#
Displaying the Address Table
The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
Displaying the Address Table Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 10-2 Dynamic Addresses CLI –...
Address Table Settings Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the aging function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds;...
Chapter 11: Spanning Tree Algorithm The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Spanning Tree Algorithm MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
Displaying Global Settings
You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
Spanning Tree Algorithm • Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.) • VLANs configuration – VLANs assigned to the CIST. • Priority – Bridge priority is used in selecting the root device, root port, and designated port.
Displaying Global Settings CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 29-18 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4093 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
Spanning Tree Algorithm Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Configuring Global Settings address will then become the root device. (Note that lower numeric values indicate higher priority.) • Default: 32768 • Range: 0-61440, in steps of 4096 • Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 Root Device Configuration •...
Spanning Tree Algorithm Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65) • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table.
Configuring Global Settings Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 11-2 STA Global Configuration 11-9...
Spanning Tree Algorithm CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. Console(config)#spanning-tree 29-2 29-2 Console(config)#spanning-tree mode mstp Console(config)#spanning-tree priority 40000 29-6 29-4 Console(config)#spanning-tree hello-time 5 Console(config)#spanning-tree max-age 38 29-5 29-4 Console(config)#spanning-tree forward-time 20...
Displaying Interface Settings • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
Spanning Tree Algorithm These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
Spanning Tree Algorithm The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
Configuring Interface Settings • Admin Link Type – The link type attached to this interface. • Point-to-Point – A connection to exactly one other bridge. • Shared – A connection to two or more bridges. • Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
Spanning Tree Algorithm Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Configuring Multiple Spanning Trees Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0) The other attributes are described under “Displaying Interface Settings,”
Configuring Interface Settings for MSTP Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices.
Chapter 12: VLAN Configuration IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
VLAN Configuration Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing the frames on to any end-node host that does not support VLAN tagging.
[Figure: tagged and untagged frames. VA: VLAN Aware; VU: VLAN Unaware]
IEEE 802.1Q VLANs these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
VLAN Configuration Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network.
IEEE 802.1Q VLANs CLI – Enter the following command. Console#show bridge-ext 30-2 Max support VLAN numbers: Max support VLAN ID: 4093 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled...
VLAN Configuration Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4093, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. •...
IEEE 802.1Q VLANs Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 12-4 VLAN Static List - Creating VLANs CLI –...
VLAN Configuration Command Attributes • VLAN – ID of configured VLAN (1-4093). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. •...
VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
IEEE 802.1Q VLANs Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
VLAN Configuration CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. 24-1 Console(config)#interface ethernet 1/3 30-9 Console(config-if)#switchport acceptable-frame-types tagged Console(config-if)#switchport ingress-filtering...
Configuring IEEE 802.1Q Tunneling processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
VLAN Configuration 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into an Uplink Port An uplink port receives one of the following packets: •...
Configuring IEEE 802.1Q Tunneling Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
VLAN Configuration Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the ingress port on the edge switch to dot1Q tunnel mode. Also set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Configuring Private VLANs CLI – This example sets port 2 to tunnel mode, indicates that the TPID used for 802.1Q tagged frames will be 9100 hexadecimal, and enables address monitor mode to pass traffic between the management VLANs and the tunnel port. 24-1 Console(config)#interface ethernet 1/2 Console(config-if)#switchport mode dot1q-tunnel...
VLAN Configuration Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
Configuring Protocol-Based VLANs Command Usage To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 6). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2.
VLAN Configuration Mapping Protocols to VLANs Map a protocol group to a VLAN for each interface that will participate in the group. Command Usage • When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table (page 7) or VLAN Static Membership by Port menu (page 9), these interfaces will admit traffic of any protocol type into the associated VLAN.
Configuring Protocol-Based VLANs
CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 3
Console(config-if)#
Chapter 13: Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Class of Service
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 13-1 Default Port Priority
CLI – This example assigns a default priority of 5 to port 3.
Console(config)#interface ethernet 1/3...
Layer 2 Queue Settings Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
Class of Service
Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 13-2 Traffic Classes
CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
Console(config)#interface ethernet 1/1...
Layer 2 Queue Settings Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
Class of Service Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3, the traffic classes are mapped to one of the eight egress queues provided for each port.
Layer 3/4 Priority Settings
CLI – The following example shows how to assign WRR weights to each of the priority queues.
Console(config)#queue bandwidth 1 3 5 7 9 11 13 15
Console(config)#exit
Console#show queue bandwidth
Information of Eth 1/1
Queue ID Weight
--------...
Class of Service
Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply.
Figure 13-5 IP Precedence/DSCP Priority Status
CLI – The following example enables IP Precedence service on the switch.
Console(config)#map ip precedence
Console(config)#...
Layer 3/4 Priority Settings Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply. Figure 13-6 IP Precedence Priority CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
Class of Service Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices, will not conflict with the DSCP mapping.
Layer 3/4 Priority Settings
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Console(config)#map ip dscp
Console(config)#interface ethernet 1/1
Console(config-if)#map ip dscp 1 cos 0...
Class of Service Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply. Figure 13-9 IP Port Priority CLI –...
Chapter 14: Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
Quality of Service 6. Use the “Service Policy” to assign a policy map to a specific interface. Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class.
Configuring Quality of Service Parameters Match Class Settings • Class Name – List of class maps. • ACL List – Name of an access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters) •...
Quality of Service
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
Figure 14-1 Configuring Class Maps
CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
Configuring Quality of Service Parameters Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 14-2. - Open the Policy Map page, and click Add Policy.
Quality of Service Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 14-2).
Configuring Quality of Service Parameters Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 14-2 Configuring Policy Maps 14-7...
Quality of Service
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
Console(config)#policy-map rd_policy#3
Console(config-pmap)#class rd_class#3...
Chapter 15: Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Multicast Filtering Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and IGMP Query (page 15-3) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
Layer 2 IGMP (Snooping and Query) Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 15-8). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently.
Multicast Filtering • IGMP Query Timeout — The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired. (Range: 300-500 seconds, Default: 300) •...
Layer 2 IGMP (Snooping and Query) Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet.
Multicast Filtering Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
Layer 2 IGMP (Snooping and Query) Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attribute • VLAN ID – Selects the VLAN for which to display port members. •...
Multicast Filtering Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 15-3. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
Multicast VLAN Registration Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
Multicast Filtering Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
Multicast VLAN Registration
CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
Console(config)#ip igmp snooping
Console(config)#mvr
Console(config)#mvr group 228.1.23.1 10
Console(config)#
Displaying MVR Interface Status
You can display information about the interfaces attached to the MVR VLAN.
Field Attributes
•...
Multicast Filtering Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
Multicast VLAN Registration
Web – Click MVR, Port Configuration or Trunk Configuration.
Figure 15-8 MVR Port Configuration
CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
Console(config)#interface ethernet 1/1
Console(config-if)#mvr type source
Console(config-if)#exit...
Multicast Filtering Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. • Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
Multicast VLAN Registration Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
Chapter 16: Domain Name Service The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
Domain Name Service
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
Figure 16-1 DNS General Configuration
CLI - This example sets a default domain name and a domain list.
Configuring Static DNS Host to Address Entries Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
Domain Name Service
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
Figure 16-2 DNS Static Host Table
CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Displaying the DNS Cache Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
Domain Name Service CLI - This example displays all the resource records learned from the designated name servers. 34-7 Console#show dns cache FLAG TYPE DOMAIN CNAME 207.46.134.222 www.microsoft.akadns.net CNAME 207.46.134.190 www.microsoft.akadns.net CNAME 207.46.134.155 www.microsoft.akadns.net CNAME 207.46.249.222 www.microsoft.akadns.net CNAME 207.46.249.27 www.microsoft.akadns.net ALIAS POINTER TO:4 www.microsoft.com...
Section III: Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
Overview of Command Line Interface
General Commands
Chapter 17: Overview of Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
Overview of Command Line Interface Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Overview of Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, or VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
Entering Commands
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
  counters       Information of interfaces counters
  protocol-vlan  Protocol-vlan information
  status         Information of interfaces status
  switchport     Information of interfaces switchport
Console#
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
Overview of Command Line Interface Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions.
Entering Commands
Username: guest
Password: [guest login password]
CLI session with the Layer 2 Ethernet Metro Access Switch is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings.
Overview of Command Line Interface To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 17-2 Configuration Command Modes Mode Command Prompt Page Line...
Entering Commands Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
Overview of Command Line Interface Command Groups The system commands can be broken down into the functional groups shown below Table 17-4 Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the 18-1 system, or quitting the CLI System Management Display and setting of system information, basic modes of operation,...
Command Groups The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) LC (Line Configuration) CM (Class Map Configuration) MST (Multiple Spanning Tree) NE (Normal Exec) PE (Privileged Exec) GC (Global Configuration) PM (Policy Map Configuration) IC (Interface Configuration) VC (VLAN Database Configuration)
Overview of Command Line Interface 17-12...
Chapter 18: General Commands These commands are used to control the command access mode, configuration mode, and other basic functions. Table 18-1 General Commands Command Function Mode Page enable Activates privileged mode 18-1 disable Returns to normal mode from privileged mode 18-2 configure Activates global configuration mode...
General Commands
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (18-2)
enable password (21-3)
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics.
show history
Example
Console#configure
Console(config)#
Related Commands
end (18-4)
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
General Commands reload This command restarts the system. Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command. Default Setting None Command Mode Privileged Exec...
exit
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:
Console(config-if)#end
Console#
exit
This command returns to the previous configuration mode or exits the configuration program.
General Commands
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
Chapter 19: System Management Commands These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 19-1 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 19-1 System Status Displays system configuration, active managers, and version information...
System Management Commands Example Console(config)#hostname RD#1 Console(config)# System Status Commands This section describes commands used to display system information. Table 19-3 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash 19-2 memory) that is used to start up the system show running-config...
System Status Commands
- IP address
- Layer 4 precedence settings
- Spanning tree settings
- Any configured settings for the console port and Telnet
Example
Console#show startup-config
building startup-config, please wait..
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-12-cf-21-dc-e0_01</stackingMac>
phymap 00-12-cf-21-dc-e0
SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15...
System Management Commands show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
System Status Commands
Example
Console#show running-config
building running-config, please wait..
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-12-cf-21-dc-e0_01</stackingMac>
phymap 00-12-cf-21-dc-e0
SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
snmp-server community private rw
snmp-server community public ro
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
vlan database...
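The show running-config output above contains the community strings public and private, and type 7 values for admin and guest that equal the unsalted MD5 digests of the strings "admin" and "guest". The following Python audit of a saved configuration is an added example, not part of the manual or the switch software; the rule names, the extra candidate list and the function names are assumptions.

```python
# Added example: audit a saved "show running-config" capture (not vendor code).
import hashlib
import re
from collections import namedtuple

# Constructed sample, built from the lines shown in the example output above.
SAMPLE_CONFIG = """\
!
snmp-server community private rw
snmp-server community public ro
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Assumption: extra strings the auditor wants ruled out; extend per local policy.
EXTRA_CANDIDATES = ("password", "switch", "changeme")

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")
USER_PW_RE = re.compile(r"^username (\S+) password 7 ([0-9a-fA-F]{32})$")
ENABLE_PW_RE = re.compile(r"^enable password level (\d+) 7 ([0-9a-fA-F]{32})$")
USERNAME_RE = re.compile(r"^username (\S+) ", re.M)

Finding = namedtuple("Finding", "line rule subject detail")


def matches_candidate(digest, candidates):
    """Return the candidate whose unsalted MD5 equals `digest`, else None."""
    digest = digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def describe(hit, account=None):
    """Say why the stored value is guessable without echoing the password."""
    if account is not None and hit == account:
        return "stored value is the MD5 of the account name"
    return "stored value is the MD5 of a candidate-list entry"


def audit(config_text, extra_candidates=EXTRA_CANDIDATES):
    """Return a list of Finding tuples, in file order."""
    # Account names found in the file are the first guesses to rule out.
    names = sorted(set(USERNAME_RE.findall(config_text)))
    candidates = names + list(extra_candidates)
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                access = "read-write" if m.group(2) == "rw" else "read-only"
                findings.append(Finding(lineno, "default-snmp-community",
                                        m.group(1), access))
            continue
        m = USER_PW_RE.match(line)
        if m:
            hit = matches_candidate(m.group(2), candidates)
            if hit is not None:
                findings.append(Finding(lineno, "guessable-password",
                                        "user " + m.group(1),
                                        describe(hit, m.group(1))))
            continue
        m = ENABLE_PW_RE.match(line)
        if m:
            hit = matches_candidate(m.group(2), candidates)
            if hit is not None:
                findings.append(Finding(lineno, "guessable-password",
                                        "enable level " + m.group(1),
                                        describe(hit)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("line %d: %s (%s): %s" % f)
```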
System Management Commands show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 4-1. •...
System Status Commands show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
System Management Commands
Example
Console#show version
Unit 1
 Serial Number: 0000E8900000
 Hardware Version:
 EPLD Version: 0.01
 Number of Ports:
Agent (Master)
 Unit ID:
 Loader Version: 1.0.0.1
 Boot ROM Version: 1.0.0.7
 Operation Code Version: 1.0.1.7
Console#
System Mode Commands
This section describes commands used to configure the switch to operate in normal mode or QinQ mode.
System MTU Commands
Example
Console(config)#system mode qinq
Console(config)#
Related Commands
show system mode (19-9)
show system mode
This command displays the switch system mode.
Command Mode
Privileged Exec
Command Usage
The system mode displays as QinQ or Normal mode.
Example
Console(config)#system mode qinq
Console(config)#end
Console#show system mode...
System Management Commands jumbo frame This command enables support for extended frame sizes on Fast Ethernet and Gigabit Ethernet ports. Use the no form to disable it. Syntax [no] jumbo frame Default Setting Disabled Command Mode Global Configuration Command Usage •...
System MTU Commands system mtu This command sets the maximum transfer unit for traffic crossing the switch. Use the no form to restore the default settings. Syntax system mtu {FE-size | jumbo GE-size} no system mtu • FE-size - Specifies the MTU size for Fast Ethernet ports. (Range: 1500-1546 bytes) •...
System Management Commands
Example
Console#show system mtu
System MTU size is 1500 bytes
System Jumbo MTU size is 1500 bytes
Console#
File Management Commands
Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
File Management Commands copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
System Management Commands • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate”...
File Management Commands
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server.
System Management Commands Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands...
File Management Commands Example The following example shows how to display all file information: Console#dir File name File type Startup Size (byte) ------------------------------------- -------------- ------- ----------- Unit1: D1.0.0.7.bix Boot-Rom Image 1159752 V1.0.1.7.bix Operation Code 3542608 Factory_Default_Config.cfg Config File startup1.cfg Config File 3256 --------------------------------------------------------------------------- Total free space:...
System Management Commands
Default Setting
None
Command Mode
Global Configuration
Command Usage
• If the file contains an error, it cannot be set as the default file.
Example
Console(config)#boot system config: startup
Console(config)#
Related Commands
dir (19-16)
whichboot (19-17)
Line Commands Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 19-8 Line Commands Command Function...
System Management Commands
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Example
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line)#
Related Commands...
Line Commands Example Console(config-line)#login local Console(config-line)# Related Commands username (21-2) password (19-21) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
System Management Commands timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
Line Commands Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. • The timeout for Telnet cannot be disabled. •...
System Management Commands silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
Line Commands
Example
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
Related Commands
parity (19-25)
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
•...
System Management Commands Default Setting auto Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
Line Commands
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (21-22)
show users (19-7)
show line
This command displays the terminal line’s parameters.
System Management Commands Event Logging Commands This section describes commands used to configure event logging on the switch. Table 19-9 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 19-28 logging history Limits syslog messages saved to switch memory based on 19-29 severity logging host...
Event Logging Commands logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
System Management Commands logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
Event Logging Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
System Management Commands Related Commands show log (19-33) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
Event Logging Commands
The following example displays settings for the trap function.
Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0...
System Management Commands Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...
SMTP Alert Commands • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection. • To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command.
System Management Commands Default Setting None Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages.
Time Commands Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP minimum severity level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com...
System Management Commands sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests. Syntax [no] sntp client Default Setting Disabled Command Mode Global Configuration...
Time Commands sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
System Management Commands Example Console(config)#sntp poll 60 Console# Related Commands sntp client (19-38) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
Time Commands Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
System Management Commands show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show calendar 15:12:34 February 1 2002 Console# 19-42...
Chapter 20: SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications.
snmp-server community Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables...
SNMP Commands • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information.
snmp-server host Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (20-4) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}...
SNMP Commands • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
snmp-server enable traps supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications. • If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.
SNMP Commands conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 20-11). Example Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands snmp-server host (20-5) snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
show snmp engine-id • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 20-14).
SNMP Commands snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
show snmp view show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile...
SNMP Commands Default Setting • Default groups: public (read only), private (read/write) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothing is defined. • notifyview - Nothing is defined. Command Mode Global Configuration Command Usage •...
SNMP Commands snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]] no snmp-server user username {v1 | v2c | v3 | remote} •...
show snmp user need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)# show snmp user...
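The SNMP commands described above differ widely in the protection they give: version 1 and 2c rely on a community string alone, while version 3 can add authentication and privacy. The following audit script is an added example, not part of the original manual; it reads configuration lines written in the syntax shown on these pages and reports the weaker choices. The sample configuration is constructed, and the function names are hypothetical.

```python
# Added example: audit SNMP lines written in this manual's command syntax.
DEFAULT_COMMUNITIES = {"public", "private"}   # defaults listed by "show snmp"

# Constructed sample configuration (not captured from a real switch).
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community alpha rw
snmp-server host 192.168.1.19 alpha
snmp-server host 192.168.1.25 steve version 3 priv
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
snmp-server user mark r&d v3 auth sha greenpeace
snmp-server user ted r&d v2c
"""


def check_community(args):
    """snmp-server community string [ro | rw]"""
    findings = []
    if args and args[0] in DEFAULT_COMMUNITIES:
        findings.append("default community string still configured")
    if len(args) > 1 and args[1] == "rw":
        findings.append("read-write community: holders can modify MIB objects")
    return findings


def check_host(args):
    """snmp-server host host-addr ... community-string [version {1 | 2c | 3 {auth | noauth | priv}}]"""
    if "version" not in args:
        # Per the manual, an unspecified version means version 1 notifications.
        return ["no version given: notifications default to SNMP version 1"]
    rest = args[args.index("version") + 1:]
    version = rest[0] if rest else ""
    if version in ("1", "2c"):
        return [f"version {version} notifications carry no authentication or encryption"]
    level = rest[1] if len(rest) > 1 else ""
    if level == "priv":
        return []
    if level == "auth":
        return ["version 3 'auth': authenticated but not encrypted"]
    return ["version 3 without 'auth' or 'priv': neither authenticated nor encrypted"]


def check_user(args):
    """snmp-server user username groupname [remote ip] {v1 | v2c | v3 [encrypted] [auth ... [priv ...]]}"""
    for version in ("v1", "v2c"):
        if version in args:
            return [f"{version} user: access depends on a community string only"]
    if "v3" not in args:
        return ["no SNMP version keyword found"]
    rest = args[args.index("v3") + 1:]
    if "auth" not in rest:
        return ["v3 user without authentication"]
    findings = []
    position = rest.index("auth")
    algorithm = rest[position + 1] if position + 1 < len(rest) else ""
    if algorithm == "md5":
        findings.append("v3 user authenticates with md5 (sha is offered by the same command)")
    if "priv" not in rest[position + 1:]:
        findings.append("v3 user has no privacy (encryption) password")
    return findings


CHECKS = {"community": check_community, "host": check_host, "user": check_user}


def audit(config_text):
    """Return a list of (line_number, finding) for every SNMP line that is flagged."""
    results = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server" or tokens[1] not in CHECKS:
            continue
        for finding in CHECKS[tokens[1]](tokens[2:]):
            results.append((number, finding))
    return results


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
```

Keywords are located by position, so a password or community string that happens to equal a keyword such as auth or version would confuse the parser.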
Chapter 21: User Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
User Authentication Commands username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
User Account Commands enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
User Authentication Commands Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 21-4 Authentication Sequence Commands Command Function Mode...
Authentication Sequence Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (21-2) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 18-1).
User Authentication Commands RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
RADIUS Client Example Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green Console(config)# radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages.
User Authentication Commands radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1 - 30) Default Setting Command Mode Global Configuration...
TACACS+ Client Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: 1812 Retransmit times: Request timeout: Server 1: Server IP address: 192.168.1.1 Communication key with RADIUS server: ***** Server port number: 1812 Retransmit times: 2 Request timeout: 5 Console#...
User Authentication Commands Command Mode Global Configuration Example Console(config)#tacacs-server host 192.168.1.25 Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages.
Web Server Commands show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS server configuration: Server IP address: 10.11.12.13 Communication key with TACACS server: ***** Server port number: Console# Web Server Commands This section describes commands used to configure web browser management...
User Authentication Commands Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (21-12) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled...
Web Server Commands • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
User Authentication Commands • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000 Console(config)# Related Commands ip http secure-server (21-12) Telnet Server Commands This section describes commands used to configure Telnet management access to the switch.
Secure Shell Commands Secure Shell Commands This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0 clients.
User Authentication Commands To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
Secure Shell Commands stored on the switch can access it. The following exchanges take place during this process: Authenticating SSH v1.5 Clients a. The client sends its RSA public key to the switch. b. The switch compares the client's public key to those stored in memory. c.
User Authentication Commands Example Console#ip ssh crypto host-key generate dsa Console#configure Console(config)#ip ssh server Console(config)# Related Commands ip ssh crypto host-key generate (21-20) show ssh (21-22) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Secure Shell Commands ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
User Authentication Commands delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
Secure Shell Commands Related Commands ip ssh crypto zeroize (21-21) ip ssh save host-key (21-21) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
User Authentication Commands Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (21-20) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 2.0...
Secure Shell Commands Table 21-11 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
User Authentication Commands Example Console#show public-key host Host: RSA: 1024 65537 13236940658254764031382795526536375927835525327972629521130241 0719421061655759424590939236096954050362775257556251003866130989393834523 1033280214988866192159556859887989191950588394018138744046890877916030583 7768185490002831341625008348718449522087429212255691665655296328163516964 0408315547660664151657116381 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjw bvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 Console# 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication.
802.1X Port Authentication dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
User Authentication Commands dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control • auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
802.1X Port Authentication Command Usage • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-105). • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
User Authentication Commands Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked. •...
802.1X Port Authentication Default 3600 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
User Authentication Commands Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: - Status –...
802.1X Port Authentication • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initialize). - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
User Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 1/47 disabled Single-Host ForceAuthorized 1/48 enabled Single-Host Auto 802.1X Port Details 802.1X is enabled on port 1/1 802.1X is enabled on port 26 reauth-enabled: Enable...
Management IP Filter Commands Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 21-13 Management IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access 21-33 show management Displays the switch to be monitored or configured from a browser 21-34...
User Authentication Commands Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
Chapter 22: Client Security Commands This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
Client Security Commands port security This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses.
IP Source Guard Commands Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands shutdown (24-6) mac-address-table static (28-1) IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and...
Client Security Commands Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. •...
IP Source Guard Commands Example This example enables IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# Related Commands ip source-guard binding (22-5) ip dhcp snooping (22-7) ip dhcp snooping vlan (22-9) ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Client Security Commands - If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. - If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
DHCP Snooping Commands DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
Client Security Commands • When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping, and static entries configured in the DHCP snooping table. • Table entries are only learned for untrusted interfaces. Each entry includes a MAC address, IP address, lease time, entry type (Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier.
DHCP Snooping Commands Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (22-9) ip dhcp snooping trust (22-12) ip dhcp snooping binding (22-10) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Client Security Commands Related Commands ip dhcp snooping (22-7) ip dhcp snooping trust (22-12) ip dhcp snooping binding (22-10) ip dhcp snooping binding This command adds a static address to the DHCP snooping binding table. Use the no form to remove an entry from the binding table. Syntax ip dhcp binding mac-address vlan vlan-id ip-address interface ethernet unit/port lease-time...
DHCP Snooping Commands - If there is a binding with same VLAN ID and MAC address, and the entry type is static IP source guard binding, static DHCP snooping binding, or dynamic DHCP snooping binding, the new entry will replace the old one. •...
Client Security Commands ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
DHCP Snooping Commands Example This example sets port 5 to untrusted. Console(config)#interface ethernet 1/5 Console(config-if)#no ip dhcp snooping trust Console(config-if)# Related Commands ip dhcp snooping (22-7) ip dhcp snooping vlan (22-9) ip dhcp snooping binding (22-10) show ip dhcp snooping This command shows the DHCP snooping configuration settings.
Chapter 23: Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
Access Control List Commands access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name •...
IP ACLs Default Setting None Command Mode Standard IP ACL Command Usage • New rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
Access Control List Commands • precedence – IP precedence level. (Range: 0-7) • tos – Type of Service level. (Range: 0-15) • dscp – DSCP priority level. (Range: 0-63) • sport – Protocol source port number. (Range: 0-65535) • dport – Protocol destination port number.
IP ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.0 to any destination...
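The address and bitmask comparison described above can be checked offline before a list is bound to a port. The following is an added example, not code from the manual: it evaluates the source-address part of permit/deny rules using the stated test (rule address & bitmask equals packet address & bitmask) and also reports rules that an earlier rule makes unreachable. It assumes rules are checked in the order entered, with no mask-precedence table applied; the sample list is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample list in the page's rule syntax:
#   {permit | deny} {any | host address | address bitmask}
SAMPLE_ACL = [
    "deny host 171.69.198.5",
    "permit 10.7.1.1 255.255.255.0",
    "deny host 10.7.1.2",
    "permit 171.69.198.0 255.255.255.0",
]

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_rule(line):
    """Parse one rule into (action, address, bitmask) with integer fields."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    action, spec = tokens[0], tokens[1:]
    if spec == ["any"]:
        return action, 0, 0                       # all 0 bits: ignore every bit
    if len(spec) == 2 and spec[0] == "host":
        return action, to_int(spec[1]), ALL_ONES  # all 1 bits: match every bit
    if len(spec) == 2:
        return action, to_int(spec[0]), to_int(spec[1])
    raise ValueError(f"unsupported address form: {line!r}")


def rule_matches(rule, source):
    """Apply the manual's test: (rule address & bitmask) == (source & bitmask)."""
    _, address, bitmask = rule
    return (address & bitmask) == (to_int(source) & bitmask)


def evaluate(lines, source):
    """Return (action, index) of the first rule matching source, or None.

    Assumption: rules are checked in entry order. None means no rule matched;
    what the switch does in that case is not modelled here.
    """
    for index, line in enumerate(lines):
        rule = parse_rule(line)
        if rule_matches(rule, source):
            return rule[0], index
    return None


def ignored_address_bits(line):
    """True when the rule address sets bits that the bitmask never compares."""
    _, address, bitmask = parse_rule(line)
    return (address & ~bitmask & ALL_ONES) != 0


def shadowed(lines):
    """Return (later, earlier) index pairs where the later rule is unreachable.

    A later rule is covered when the earlier bitmask compares a subset of the
    later rule's bits and both addresses agree on those bits.
    """
    rules = [parse_rule(line) for line in lines]
    pairs = []
    for later, (_, addr2, mask2) in enumerate(rules):
        for earlier in range(later):
            _, addr1, mask1 = rules[earlier]
            if (mask1 & mask2) == mask1 and (addr1 & mask1) == (addr2 & mask1):
                pairs.append((later, earlier))
                break
    return pairs


if __name__ == "__main__":
    for address in ("10.7.1.2", "171.69.198.5", "171.69.198.9", "192.168.1.1"):
        print(address, evaluate(SAMPLE_ACL, address))
    for later, earlier in shadowed(SAMPLE_ACL):
        print(f"rule {later} ({SAMPLE_ACL[later]}) is covered by rule {earlier}")
```

In the sample, "permit 10.7.1.1 255.255.255.0" admits all of 10.7.1.x because the last octet is never compared, so the later "deny host 10.7.1.2" never takes effect in entry order.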
Access Control List Commands access-list ip mask-precedence This command changes to the IP Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list ip mask-precedence {in | out} • in – Ingress mask for ingress ACLs. •...
IP ACLs • destination-bitmask – Destination address of rule must match this bitmask. • precedence – Check the IP precedence field. • tos – Check the TOS field. • dscp – Check the DSCP field. • source-port – Check the protocol source port field. •...
Access Control List Commands This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any”...
IP ACLs This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23. Console(config)#access-list ip extended A3 Console(config-ext-acl)#deny host 171.69.198.5 any Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port 23 Console(config-ext-acl)#end Console#show access-list IP extended access-list A3:...
Access Control List Commands This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
IP ACLs Related Commands mask (IP ACL) (23-6) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) •...
Access Control List Commands MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, set a precedence mask to control the filter sequence, and then bind the access list to one or more ports. Table 23-3 MAC ACL Commands Command...
MAC ACLs Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (23-13) mac access-group (23-18) show mac access-list (23-14) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
MAC ACLs Related Commands permit, deny (23-13) mac access-group (23-18) access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list mac mask-precedence {in | out} •...
Access Control List Commands • host – The address must be for a single node. • source-bitmask – Source address of rule must match this bitmask. • destination-bitmask – Destination address of rule must match this bitmask. • vid – Check the VLAN ID field. •...
MAC ACLs This example creates an Egress MAC ACL. Console(config)#access-list mac M5 Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806 Console(config-mac-acl)#end Console#show access-list MAC access-list M5: deny tagged-802.3 host 00-11-11-11-11-11 any deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 ethertype 0806 Console(config)#access-list mac mask-precedence out Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid Console(config-mac-mask-acl)#exit...
Access Control List Commands mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
ACL Information ACL Information This section describes commands used to display ACL information. Table 23-4 ACL Information Commands Command Function Mode Page show access-list Show all IP ACLs and associated rules 23-19 show access-group Shows the IP ACLs assigned to each port 23-19 show access-list This command shows all IP ACLs and associated rules.
Chapter 24: Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 24-1 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 24-1 mode description Adds a description to an interface configuration...
Interface Commands Command Mode Global Configuration Example To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
Interface Commands Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. •...
flowcontrol Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to 100half and 100full.
Interface Commands Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (24-3) capabilities (flowcontrol, symmetric) (24-4) media-type This command forces the port type selected for combination ports 27-28. Use the no form to restore the default mode.
switchport packet-rate Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also want to disable a port for security reasons. Example The following example disables port 5.
Interface Commands switchport block This command prevents flooding of unknown unicast or multicast packets to an interface. Use the no form to restore the default setting. Syntax [no] switchport block {unicast | multicast} • unicast - Specifies unknown unicast packets. •...
show interfaces status Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Interface Commands Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 1000T Mac address: 00-30-F1-D4-73-A5 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, 1000full Broadcast storm: Enabled Broadcast storm limit: 500 packets/second Flow control: Disabled LACP:...
Interface Commands Example This example shows the configuration setting for port 4. Console#show interfaces switchport ethernet 1/4 Broadcast Threshold: Enabled, 500 packets/second Muilticast Threshold: Disabled LACP Status: Disabled Ingress Rate Limit: Disable, 1000M bits per second Egress Rate Limit: Disable, 1000M bits per second VLAN Membership Mode: Hybrid Ingress Rule:...
Chapter 25: Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
Link Aggregation Commands Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface). •...
lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
Link Aggregation Commands lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. •...
lacp admin-key (Port Channel) Default Setting Command Mode Interface Configuration (Ethernet) Command Usage • Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
Link Aggregation Commands • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
show lacp show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channel - Local identifier for a link aggregation group. (Range: 1-32) • counters - Statistics for LACP protocol messages. •...
Chapter 26: Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 26-1 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 26-1 show port monitor Shows the configuration for a mirror port 26-2 port monitor This command configures a mirror session.
Mirror Port Commands Example The following example configures the switch to mirror all packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 both Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
Chapter 27: Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. The maximum data rate may also be set for specific Class of Service (CoS) priorities for traffic transmitted out of an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
Rate Limit Commands Related Command show interfaces switchport (24-11) rate-limit cos This command defines the output rate limit for an interface based on specified CoS priorities. Use the no form to restore the default status of disabled. Syntax rate-limit cos cos_value rate no rate-limit cos •...
show rate-limit cos Example This example sets the maximum output rate for CoS traffic of priority level 0 to 50 Mbps on Port 1. Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit cos 0 50 Console(config-if)# show rate-limit cos This command displays the output rate limit for CoS priorities. Command Mode Privileged Exec Command Usage...
Chapter 28: Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 28-1 Address Table Commands Command Function Mode Page mac-address-table static Maps a static address to a port in a VLAN 28-1 clear mac-address-table...
Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: •...
show mac-address-table show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
Address Table Commands mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-1000000 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode...
Chapter 29: Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 29-1 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 29-2 spanning-tree mode Configures STP, RSTP or MSTP mode...
Spanning Tree Commands Table 29-1 Spanning Tree Commands (Continued) Command Function Mode Page show spanning-tree Shows spanning tree configuration for the common 29-18 spanning tree (i.e., overall bridge), a selected interface, or an instance within the multiple spanning tree show spanning-tree mst Shows the multiple spanning tree configuration 29-20 configuration...
spanning-tree mode Default Setting rstp Command Mode Global Configuration Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Spanning Tree Commands spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
spanning-tree max-age Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (29-4) spanning-tree max-age (29-5) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds.
Spanning Tree Commands spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
spanning-tree transmission-limit Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 29-12) takes precedence over port priority (page 29-13).
Spanning Tree Commands Related Commands mst vlan (29-8) mst priority (29-9) name (29-9) revision (29-10) max-hops (29-11) mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
mst priority mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) •...
Spanning Tree Commands Command Usage The MST region name and revision number (page 29-10) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
max-hops max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting Command Mode MST Configuration...
Spanning Tree Commands spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method) Table 29-2 Recommended STA Path Cost Range...
spanning-tree port-priority Command Usage • This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
Spanning Tree Commands spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
spanning-tree link-type Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
Spanning Tree Commands • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple...
spanning-tree mst port-priority Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands spanning-tree mst port-priority (29-17) spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority...
Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
show spanning-tree Command Mode Privileged Exec Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
Chapter 30: VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
VLAN Commands bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
GVRP and Bridge Extension Commands switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
VLAN Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
GVRP and Bridge Extension Commands show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
VLAN Commands Editing VLAN Groups Table 30-3 Commands for Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and delete 30-6 VLANs vlan Configures a VLAN, including VID, name and state 30-7 vlan database This command enters VLAN database mode.
Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4093, no leading zeroes) •...
Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {hybrid | trunk | dot1q-tunnel} no switchport mode • hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
VLAN Commands Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged Console(config-if)#...
Configuring VLAN Interfaces switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes) Default Setting VLAN 1 Command Mode...
VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A port, or a trunk with switchport mode set to hybrid, must be assigned to at least one VLAN as untagged. • If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member.
Displaying VLAN Information Command Usage • This command prevents a VLAN from being automatically added to the specified interface via GVRP. • If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface. Example The following example shows how to prevent port 1 from being added to VLAN 3: Console(config)#interface ethernet 1/1...
Configuring Private VLANs • Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN. Example This example enables the private VLAN, and then sets port 12 as the uplink and ports 5-8 as the downlinks. Console(config)#pvlan Console(config)#pvlan up-link ethernet 1/12 down-link ethernet 1/5-8 Console(config)#...
VLAN Commands Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] no protocol-vlan protocol-group group-id •...
VLAN Commands Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 30-7), these interfaces will admit traffic of any protocol type into the associated VLAN.
Configuring Protocol-based VLANs show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
VLAN Commands Configuring IEEE 802.1Q Tunneling QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Configuring IEEE 802.1Q Tunneling switchport mode dot1q-tunnel This command configures an interface as a QinQ tunnel port. Use the no form to restore the default setting. Syntax switchport mode dot1q-tunnel no switchport mode dot1q-tunnel – Sets the port as an 802.1Q tunnel port. Default Setting All ports are in hybrid mode.
VLAN Commands Related Commands switchport mode dot1q-tunnel (page 30-21) switchport dot1q-ethertype This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-ethertype tpid no switchport dot1q-ethertype tpid –...
Chapter 31: Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Class of Service Commands queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
Priority Commands (Layer 2) Example Console#sh queue mode Wrr status: Enabled Console# switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic.
Class of Service Commands Related Commands show interfaces switchport (24-11) queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler.
Priority Commands (Layer 2) Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
Class of Service Commands Example Console#show queue bandwidth Information of Eth 1/1 Queue ID Weight -------- ------ show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Priority Commands (Layer 2) Default Setting The original priority value in the VLAN tag of a tagged packet, or a VLAN priority tag inserted by another device for an untagged packet. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Class of Service Commands Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 31-4 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip port Enables TCP/UDP class of service mapping 31-8 map ip port...
Priority Commands (Layer 3 and 4) map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number •...
Class of Service Commands Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
Priority Commands (Layer 3 and 4) map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage...
Class of Service Commands Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 31-6 Mapping IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16...
Priority Commands (Layer 3 and 4) Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port Port no. COS --------- -------- --- Eth 1/ 5 Console#...
Class of Service Commands Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --- Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Console# Related Commands...
Priority Commands (Layer 3 and 4) Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands...
Chapter 32: Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Quality of Service Commands Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. You should create a Class Map (page 32-2) before creating a Policy Map (page 32-4). Otherwise, you will not be able to specify a Class Map with the class command (page 32-5) after entering Policy-Map Configuration mode.
match match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
Quality of Service Commands This example creates a class map called “rd_class#3,” and sets it to match packets marked for VLAN 1: Console(config)#class-map rd_class#3 match-any Console(config-cmap)#match vlan 1 Console(config-cmap)#exit Console(config)#access-list mac mask-precedence in Console(config-ip-mask-acl)#mask any any vid 1 Console(config-ip-mask-acl)# policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode.
class class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode. Syntax [no] class class-map-name class-map-name - Name of the class map.
Quality of Service Commands This command services IP traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified by the match command on page 32-3). Use the no form to remove the traffic classification. Syntax [no] set {cos new-cos | ip dscp new-dscp | ip precedence new-precedence} •...
service-policy Command Usage • You can configure up to 63 policers (i.e., class maps) for Fast Ethernet and Gigabit Ethernet ingress ports. • Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the burst-byte field, and the average rate tokens are removed from the bucket is specified by the rate-bps option.
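The bucket model described above can be simulated in a few lines. This Python sketch is an added example, not the switch's implementation: the bucket fills with the bits of each accepted packet, drains at rate-bps, and a packet is out of profile when it would push the level past the burst-byte depth. Treating rate-bps as bits per second, the millisecond clock and the sample arrival times are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    rate_bps: int        # drain rate in bits per second (assumed unit of rate-bps)
    burst_bytes: int     # bucket depth in bytes (burst-byte)
    level_bits: int = 0  # current bucket fill
    last_ms: int = 0     # time of the previous arrival, in milliseconds

    def offer(self, now_ms: int, size_bytes: int) -> bool:
        """Return True if the packet conforms, False if it would overflow the bucket."""
        # Drain the bucket for the time elapsed since the previous arrival.
        elapsed_ms = max(0, now_ms - self.last_ms)
        drained = self.rate_bps * elapsed_ms // 1000
        self.level_bits = max(0, self.level_bits - drained)
        self.last_ms = max(self.last_ms, now_ms)

        need = size_bytes * 8
        if self.level_bits + need > self.burst_bytes * 8:
            return False  # out of profile: the bucket level is left unchanged
        self.level_bits += need
        return True


def classify(policer: Policer, arrivals):
    """Run (time_ms, size_bytes) arrivals through the policer, in order."""
    return [policer.offer(t, size) for t, size in arrivals]


# Constructed traffic: 1500-byte packets against a 1 Mbit/s rate and a 4000-byte burst.
BURST_THEN_TRICKLE = [(0, 1500), (0, 1500), (0, 1500), (10, 1500), (12, 1500), (40, 1500)]
AT_RATE = [(t, 1500) for t in range(0, 96, 12)]     # exactly 1 Mbit/s
DOUBLE_RATE = [(t, 1500) for t in range(0, 48, 6)]  # 2 Mbit/s offered load

if __name__ == "__main__":
    for name, arrivals in (("burst", BURST_THEN_TRICKLE),
                           ("at rate", AT_RATE),
                           ("double rate", DOUBLE_RATE)):
        print(name, classify(Policer(1_000_000, 4000), arrivals))
```

At twice the configured rate the first four packets ride on the burst allowance, after which every second packet is out of profile, so the accepted throughput settles at the configured rate.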
Quality of Service Commands show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting Displays all class maps. Command Mode Privileged Exec Example...
show policy-map interface Example Console#show policy-map Policy Map rd_policy class rd_class set ip dscp 3 Console#show policy-map rd_policy class rd_class Policy Map rd_policy class rd_class set ip dscp 3 Console# show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface...
Chapter 33: Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Multicast Filtering Commands ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static...
IGMP Snooping Commands ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
Multicast Filtering Commands Command Usage • This command setting is only effective if IGMP snooping is enabled. • Any port can be designated as a multicast router port through dynamic or static configuration, including ports on Layer 2 or 3 switches. If there is more than one multicast router on a LAN segment performing IP multicasting, one of these devices is elected “querier”...
IGMP Snooping Commands Command Mode Interface Configuration (VLAN) Command Usage • If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
show mac-address-table multicast

This command shows known multicast addresses.

Syntax
show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping]

• vlan-id - VLAN ID (1 to 4093)
• user - Display only the user-configured multicast entries.
• igmp-snooping - Display only entries learned through IGMP snooping.

Default Setting
None

Command Mode...
IGMP Query Commands

ip igmp snooping querier

This command enables the switch as an IGMP querier. Use the no form to disable it.

Syntax
[no] ip igmp snooping querier

Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
• IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 33-3).
Example
The following shows how to configure the query count to 10:

Console(config)#ip igmp snooping query-count 10
Console(config)#

Related Commands
ip igmp snooping query-max-response-time (33-8)

ip igmp snooping query-interval

This command configures the query interval. Use the no form to restore the default.

Syntax
ip igmp snooping query-interval seconds
no ip igmp snooping query-interval...
• This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
Static Multicast Routing Commands

This section describes commands used to configure static multicast routing on the switch.

Table 33-4 Static Multicast Routing Commands

Command                         Function                        Mode   Page
ip igmp snooping vlan mrouter   Adds a multicast router port           33-10
show ip igmp snooping           Shows multicast router ports...
Multicast VLAN Registration Commands

show ip igmp snooping mrouter

This command displays information on statically configured and dynamically learned multicast router ports.

Syntax
show ip igmp snooping mrouter [vlan vlan-id]

vlan-id - VLAN ID (Range: 1-4093)

Default Setting
Displays multicast router ports for all configured VLANs.

Command Mode
Privileged Exec

Command Usage...
mvr (Global Configuration)

This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
mvr (Interface Configuration)

This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
• Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
Command Usage
Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:

Console#show mvr members
MVR Group IP     Status   Members
---------------- -------- -------
225.0.0.1        ACTIVE   eth1/1(d), eth1/2(s)
225.0.0.2        INACTIVE None
225.0.0.3        INACTIVE None
225.0.0.4        INACTIVE None...
Chapter 34: Domain Name Service Commands

These commands are used to configure Domain Name System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation.
Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
ip domain-name

This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.

Syntax
ip domain-name name
no ip domain-name...
Command Usage
• Domain names are added to the end of the list one at a time.
• When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
ip domain-lookup

Example
This example adds two domain-name servers to the list and then displays the list.

Console(config)#ip domain-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
    DNS disabled
Default Domain Name:
    .sample.com
Domain Name List:
    .sample.com.jp
    .sample.com.uk
Name Server List:
    192.168.1.55
    10.1.0.55
Console#...
Example
This example enables DNS and then displays the configuration.

Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
    DNS enabled
Default Domain Name:
    .sample.com
Domain Name List:
    .sample.com.jp
    .sample.com.uk
Name Server List:
    192.168.1.55
    10.1.0.55

Related Commands
ip domain-name (34-3)
ip name-server (34-4)

show hosts...
show dns

This command displays the configuration of the DNS service.

Command Mode
Privileged Exec

Example

Console#show dns
Domain Lookup Status:
    DNS enabled
Default Domain Name:
    sample.com
Domain Name List:
    sample.com.jp
    sample.com.uk
Name Server List:
    192.168.1.55
    10.1.0.55
Console#

show dns cache

This command displays entries in the DNS cache.
clear dns cache

This command clears all entries in the DNS cache.

Command Mode
Privileged Exec

Example

Console#clear dns cache
Console#show dns cache
FLAG TYPE DOMAIN
Console#
Chapter 35: IP Interface Commands

An IP address may be used for management access to the switch over your network. An IP address is obtained via DHCP by default for VLAN 1. You can manually configure a specific IP address, or direct the switch to obtain an address from a BOOTP or DHCP server when it is powered on.
Command Usage
• You must assign an IP address to this device to gain management access over the network or to connect the switch to existing IP subnets. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server.
Basic IP Configuration

Command Usage
• A gateway must be defined if the management station is located in a different IP segment.
• A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.

Example
The following example defines a default gateway for this device:

Console(config)#ip default-gateway 10.1.1.254...
show ip interface

This command displays the settings of an IP interface.

Command Mode
Normal Exec, Privileged Exec

Example

Console#show ip interface
Console#

Related Commands
show ip redirects (35-4)

show ip redirects

This command shows the IP default gateway configured for this device.

Default Setting
None

Command Mode...
Example
This example displays all entries in the ARP cache.

Console#show arp
IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- -----------
192.168.0.1     00-0f-3d-12-40-e1 dynamic
192.168.0.110   00-10-b5-62-03-74 dynamic
192.168.0.162   00-12-cf-0c-9a-a0 other
Total entry : 3
Console#

ping

This command sends ICMP echo request packets to another node on the network.
Example

Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 0 ms
Ping statistics for 10.1.0.9:
5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:...
Section IV: Appendices

This section provides additional information on the following topics.

Software Specifications
Troubleshooting
Appendix A: Software Specifications

Software Features

Authentication
Local, RADIUS, TACACS+, Port (802.1X), HTTPS, SSH, Port Security

Access Control Lists
IP, MAC
Fast Ethernet ports - 157 rules, 4 masks shared by 8-port groups
Gigabit Ethernet ports - 29 rules, 4 masks

DHCP Client

DNS Proxy

Port Configuration...
Quality of Service
DiffServ supports class maps, policy maps, and service policies

Multicast Filtering
IGMP Snooping

Additional Features
BOOTP client
SNTP (Simple Network Time Protocol)
SNMP (Simple Network Management Protocol)
RMON (Remote Monitoring, groups 1,2,3,9)
SMTP Email Alerts

Management Features

In-Band Management
Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell...
Appendix B: Troubleshooting

Problems Accessing the Management Interface

Table B-1 Troubleshooting Chart

Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
•...
Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:

Enable logging.
Glossary

Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
Extensible Authentication Protocol over LAN (EAPOL)
EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification.
IEEE 802.1X
Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.

IEEE 802.3ac
Defines frame extensions for VLAN tagging.

IEEE 802.3x
Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.
Link Aggregation
See Port Trunk.

Link Aggregation Control Protocol (LACP)
Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.

Management Information Base (MIB)
An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.
Port Authentication
See IEEE 802.1X.

Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.

Port Trunk
Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical...
Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols which offers network management services.

Simple Network Time Protocol (SNTP)
SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server.
Virtual LAN (VLAN)
A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.