Edge-Core ES3528-WDM Management Manual

Layer 2 metro access switch

ES3528
ES3528-WDM
Layer 2 Metro Access Switch
Powered by Accton
Management Guide
www.edge-core.com


Summary of Contents for Edge-Core ES3528-WDM

  • Page 1 Powered by Accton ES3528 ES3528-WDM Layer 2 Metro Access Switch Management Guide www.edge-core.com...
  • Page 3 Management Guide ES3528 Fast Ethernet Switch Layer 2 Ethernet Metro Access Switch with 24 Fast Ethernet Ports (RJ-45), 2 Gigabit Combination Ports (RJ-45/SFP), 2 Gigabit Extender Module Slots (RJ-45/SFP), 1 Fast Ethernet Management Port (RJ-45) ES3528-WDM Fast Ethernet Switch Layer 2 WDM Metro Access Switch with 24 100BASE-BX Single-Fiber Ports (SC), 2 Gigabit Combination Ports (RJ-45/SFP), 2 Gigabit Extender Module Slots (RJ-45/SFP),...
  • Page 4 ES3528 ES3528-WDM F1.0.1.7 E122006/ST-R01 149100033100A...
  • Page 5: Table Of Contents

    Contents Section I: Getting Started Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access...
  • Page 6 Contents Manual Configuration Using DHCP/BOOTP 4-10 Managing Firmware 4-11 Downloading System Software from a Server 4-12 Saving or Restoring Configuration Settings 4-14 Downloading Configuration Settings from a Server 4-15 Console Port Settings 4-16 Telnet Settings 4-18 Configuring Event Logging 4-20 System Log Configuration 4-20 Remote Log Configuration...
  • Page 7 Contents Chapter 7: Client Security Configuring Port Security Chapter 8: Access Control Lists Configuring Access Control Lists Setting the ACL Name and Type Configuring a Standard ACL Configuring an Extended ACL Configuring a MAC ACL Configuring ACL Masks Specifying the Mask Type Configuring an IP ACL Mask 8-10 Configuring a MAC ACL Mask...
  • Page 8 Contents Displaying Basic VLAN Information 12-4 Displaying Current VLANs 12-5 Creating VLANs 12-6 Adding Static Members to VLANs (VLAN Index) 12-7 Adding Static Members to VLANs (Port Index) 12-9 Configuring VLAN Behavior for Interfaces 12-10 Configuring IEEE 802.1Q Tunneling 12-12 Adding an Interface to a QinQ Tunnel 12-16 Configuring Private VLANs...
  • Page 9 Contents Assigning Static Multicast Groups to Interfaces 15-15 Chapter 16: Domain Name Service 16-1 Configuring General DNS Service Parameters 16-1 Configuring Static DNS Host to Address Entries 16-3 Displaying the DNS Cache 16-5 Section III: Command Line Interface Chapter 17: Overview of Command Line Interface 17-1 Using the Command Line Interface 17-1...
  • Page 10 Contents show system 19-6 show users 19-7 show version 19-7 System Mode Commands 19-8 system mode 19-8 show system mode 19-9 System MTU Commands 19-9 jumbo frame 19-10 system mtu 19-11 show system mtu 19-11 File Management Commands 19-12 copy 19-13 delete 19-15...
  • Page 11 Contents show logging sendmail 19-37 Time Commands 19-37 sntp client 19-38 sntp server 19-39 sntp poll 19-39 show sntp 19-40 clock timezone 19-40 calendar set 19-41 show calendar 19-42 Chapter 20: SNMP Commands 20-1 snmp-server 20-2 show snmp 20-2 snmp-server community 20-3 snmp-server contact 20-4...
  • Page 12 Contents Web Server Commands 21-11 ip http port 21-11 ip http server 21-12 ip http secure-server 21-12 ip http secure-port 21-13 Telnet Server Commands 21-14 ip telnet server 21-14 Secure Shell Commands 21-15 ip ssh server 21-17 ip ssh timeout 21-18 ip ssh authentication-retries 21-19...
  • Page 13 Contents ip dhcp snooping vlan 22-9 ip dhcp snooping binding 22-10 ip dhcp snooping verify mac-address 22-11 ip dhcp snooping database flash 22-12 ip dhcp snooping trust 22-12 show ip dhcp snooping 22-13 show ip dhcp snooping binding 22-13 Chapter 23: Access Control List Commands 23-1 IP ACLs 23-1...
  • Page 14 Contents show interfaces switchport 24-11 Chapter 25: Link Aggregation Commands 25-1 channel-group 25-2 lacp 25-2 lacp system-priority 25-4 lacp admin-key (Ethernet Interface) 25-4 lacp admin-key (Port Channel) 25-5 lacp port-priority 25-6 show lacp 25-7 Chapter 26: Mirror Port Commands 26-1 port monitor 26-1 show port monitor...
  • Page 15 Contents spanning-tree link-type 29-15 spanning-tree mst cost 29-16 spanning-tree mst port-priority 29-17 spanning-tree protocol-migration 29-18 show spanning-tree 29-18 show spanning-tree mst configuration 29-20 Chapter 30: VLAN Commands 30-1 GVRP and Bridge Extension Commands 30-1 bridge-ext gvrp 30-2 show bridge-ext 30-2 switchport gvrp 30-3 show gvrp configuration...
  • Page 16 Contents queue bandwidth 31-4 queue cos-map 31-4 show queue bandwidth 31-5 show queue cos-map 31-6 vlan priority 31-6 show vlan based priority 31-7 Priority Commands (Layer 3 and 4) 31-8 map ip port (Global Configuration) 31-8 map ip port (Interface Configuration) 31-9 map ip precedence (Global Configuration) 31-9...
  • Page 17 Contents show ip igmp snooping mrouter 33-11 Multicast VLAN Registration Commands 33-11 mvr (Global Configuration) 33-12 mvr (Interface Configuration) 33-13 show mvr 33-14 Chapter 34: Domain Name Service Commands 34-1 ip host 34-1 clear host 34-2 ip domain-name 34-3 ip domain-list 34-3 ip name-server 34-4...
  • Page 19 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Web Page Configuration Buttons Table 3-2 Switch Main Menu Table 4-1 Logging Levels 4-20 Table 5-1 SNMPv3 Security Models and Levels Table 5-2 Supported Notification Messages 5-13 Table 6-1 HTTPS System Support Table 6-2 802.1X Statistics...
  • Page 20 Tables Table 20-4 show snmp group - display description 20-13 Table 20-5 show snmp user - display description 20-15 Table 21-1 Authentication Commands 21-1 Table 21-2 User Access Commands 21-1 Table 21-3 Default Login Settings 21-2 Table 21-4 Authentication Sequence Commands 21-4 Table 21-5 RADIUS Client Commands...
  • Page 21 Tables Table 30-8 IEEE 802.1Q Tunneling Commands 30-20 Table 31-1 Priority Commands 31-1 Table 31-2 Priority Commands (Layer 2) 31-1 Table 31-3 Default CoS Priority Levels 31-5 Table 31-4 Priority Commands (Layer 3 and 4) 31-8 Table 31-5 Mapping IP Precedence to CoS Values 31-10 Table 31-6 Mapping IP DSCP to CoS Values...
  • Page 23 Figures Figure 3-1 Home Page Figure 3-2 Front Panel Indicators Figure 4-1 System Information Figure 4-2 System Mode Figure 4-3 System MTU Figure 4-4 Configuring Support for Jumbo Frames Figure 4-5 Switch Information Figure 4-6 Displaying Bridge Extension Configuration Figure 4-7 IP Interface Configuration - Manual Figure 4-8 IP Interface Configuration - DHCP...
  • Page 24 Figures Figure 7-1 Port Security Figure 8-1 Selecting ACL Type Figure 8-2 ACL Configuration - Standard IPv4 Figure 8-3 ACL Configuration - Extended IPv4 Figure 8-4 ACL Configuration - MAC Figure 8-5 Selecting ACL Mask Types Figure 8-6 ACL Mask Configuration - IP 8-11 Figure 8-7 ACL Mask Configuration - MAC...
  • Page 25 Figures Figure 13-3 Queue Mode 13-5 Figure 13-4 Queue Scheduling 13-6 Figure 13-5 IP Precedence/DSCP Priority Status 13-8 Figure 13-6 IP Precedence Priority 13-9 Figure 13-7 IP DSCP Priority 13-10 Figure 13-8 IP Port Priority Status 13-11 Figure 13-9 IP Port Priority 13-12 Figure 14-1 Configuring Class Maps...
  • Page 27: Section I: Getting Started

    Section I: Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. Introduction ..........1-1 Initial Configuration .
  • Page 29: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 30: Description Of Software Features

    Introduction Table 1-1 Key Features (Continued)
      Feature | Description
      Virtual LANs | Up to 255 using IEEE 802.1Q, port-based, protocol-based VLANs, private VLANs, and QinQ tunneling
      Traffic Prioritization | Default port priority, VLAN priority, traffic class map, queue scheduling, IP Precedence, or Differentiated Services Code Point (DSCP), and TCP/UDP Port
      Quality of Service | Supports Differentiated Services (DiffServ)
      Multicast Filtering | ...
  • Page 31 Description of Software Features Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
  • Page 32 Introduction Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 32 MB for frame buffering.
  • Page 33 Description of Software Features Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data. This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
  • Page 34: System Defaults

    Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 4-15). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
  • Page 35 System Defaults Table 1-2 System Defaults (Continued)
      Function | Parameter | Default
      SNMP | SNMP Agent | Enabled
      SNMP | Community Strings | “public” (read only), “private” (read/write)
      SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
      SNMP | SNMP V3 | View: defaultview; Group: public (read only), private (read/write)
      Port Configuration | Admin Status | Enabled
      Port Configuration | Auto-negotiation | ...
  • Page 36 Introduction Table 1-2 System Defaults (Continued)
      Function | Parameter | Default
      Traffic Prioritization | Ingress Port Priority |
      Traffic Prioritization | Queue Mode | Weighted Round Robin
      Traffic Prioritization | Queue: 0 1 2 3 4 5 6 7 | Weight: 1 2 4 6 8 10 12 14
      Traffic Prioritization | IP Precedence Priority | Disabled
      Traffic Prioritization | IP DSCP Priority | Disabled...
  • Page 37: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 38: Required Connections

    Initial Configuration • Configure up to 12 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 39: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. An IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 40: Setting Passwords

    Initial Configuration Setting Passwords Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. That limit leaves little margin against guessing, so use all eight characters with mixed case and digits rather than a short word.
  • Page 41: Dynamic Configuration

    Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Network mask for this network • Default gateway for the network To assign an IP address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1”...
  • Page 42: Enabling Snmp Management Access

    Initial Configuration Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
      Console(config)#interface vlan 1                (page 24-1)
      Console(config-if)#ip address dhcp...
  • Page 43: Trap Receivers

    Basic Configuration The default strings are:
      • public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
      • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.
    In SNMP version 1 and 2c the community string is the only credential and it crosses the network in cleartext, so anyone who can reach the agent with the well-known default “private” string can read and rewrite the switch configuration. To prevent unauthorized access from SNMP version 1 or 2c clients, change the default community strings before the switch is reachable from the network.
  • Page 44: Configuring Access For Snmp Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 45: Saving Configuration Settings

    Managing System Files Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files.
  • Page 47: Section Ii: Switch Management

    Section II: Switch Management This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and a brief example for the Command Line Interface. Configuring the Switch ......... 3-1 Basic Management Tasks .
  • Page 49: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
  • Page 50: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator are both “admin”; change this password (see “Setting Passwords” in Chapter 2) before the switch is reachable from the production network.
  • Page 51: Configuration Options

    Navigating the Web Browser Interface Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 52: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Switch Main Menu Menu Description Page...
  • Page 53 Navigating the Web Browser Interface Table 3-2 Switch Main Menu (Continued) Menu Description Page SNMPv3 Engine ID Sets the SNMP v3 engine ID Remote Engine ID Sets the SNMP v3 engine ID on a remote device Users Configures SNMP v3 users Remote Users Configures SNMP v3 users on a remote device 5-11...
  • Page 54 Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description Page LACP Configuration Allows ports to dynamically join trunks Aggregation Port Configures parameters for link aggregation group members 9-10 Port Counters Information Displays statistics for LACP protocol messages 9-13 Port Internal Information Displays settings and operational state for the local side 9-14...
  • Page 55 Navigating the Web Browser Interface Table 3-2 Switch Main Menu (Continued) Menu Description Page Trunk Configuration Configures trunk settings for a specified MST instance 11-20 VLAN 12-1 802.1Q VLAN 12-1 GVRP Status Enables GVRP VLAN registration protocol 12-4 Basic Information Displays information on the VLAN type supported by this switch 12-4 Current Table...
  • Page 56 Configuring the Switch Table 3-2 Switch Main Menu (Continued) Menu Description Page 14-1 DiffServ Configure QoS classification criteria and service policies 14-1 Class Map Creates a class map for a type of traffic 14-2 Policy Map Creates a policy map for multiple interfaces 14-5 Service Policy Applies a policy map defined to an ingress port...
  • Page 57: Chapter 4: Basic Management Tasks

    Chapter 4: Basic Management Tasks This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 58: Figure 4-1 System Information

    Basic Management Tasks Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 4-1 System Information CLI –...
  • Page 59: Configuring The Switch For Normal Operation Or Tunneling Mode

    Configuring the Switch for Normal Operation or Tunneling Mode
      POST Result:
      DUMMY Test 1 .............. PASS
      UART Loopback Test ........ PASS
      DRAM Test ................. PASS
      Timer Test ................ PASS
      I2C Bus Initialization .... PASS
      Switch Int Loopback Test .. PASS
      Console#
    * ES3528-WDM System Description: 24 port WDM Metro Access Switch †...
  • Page 60: Configuring The Maximum Frame Size

    Basic Management Tasks Configuring the Maximum Frame Size The maximum transfer unit (or frame size) for traffic crossing the switch should be set to minimize unnecessary fragmentation and maximize the transfer of large sequential data streams. Command Usage • Fast Ethernet ports are only affected by the System MTU setting. •...
  • Page 61: Configuring Support For Jumbo Frames

    Configuring Support for Jumbo Frames CLI – This example sets the MTU for Fast Ethernet ports to 1528 bytes.
      Console(config)#system mtu 1528                 (page 19-11)
      Console(config)#exit
      Console#show system mtu                         (page 19-11)
      System MTU size is 1528 Bytes
      System Jumbo MTU size is 1518 Bytes
      Console#
    Configuring Support for Jumbo Frames The switch provides more efficient throughput for large sequential data transfers by...
  • Page 62: Displaying Switch Hardware/Software Versions

    Basic Management Tasks Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 63: Displaying Bridge Extension Capabilities

    Displaying Bridge Extension Capabilities CLI – Use the following command to display version information.
      Console#show version                            (page 19-7)
      Unit 1
       Serial Number: 0000E8900000
       Hardware Version:
       EPLD Version: 0.01
       Number of Ports:
       Agent (Master)
       Unit ID:
       Loader Version: 1.0.0.1
       Boot ROM Version: 1.0.0.7
       Operation Code Version: 1.0.1.7...
  • Page 64: Setting The Switch's Ip Address

    Basic Management Tasks Web – Click System, Bridge Extension. Figure 4-6 Displaying Bridge Extension Configuration CLI – Enter the following command.
      Console#show bridge-ext                         (page 30-2)
       Max support VLAN numbers:
       Max support VLAN ID: 4094
       Extended multicast filtering services: No
       Static entry individual port:
       VLAN learning:
       Configurable PVID tagging:
       Local VLAN capable:...
  • Page 65: Manual Configuration

    Setting the Switch’s IP Address Command Attributes • Management VLAN – ID of the configured VLAN (1-4093). By default, all ports on the stack are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 66: Using Dhcp/Bootp

    Basic Management Tasks CLI – Specify the management interface, IP address and default gateway.
      Console#config
      Console(config)#interface vlan 1                (page 24-1)
      Console(config-if)#ip address 10.1.0.253 255.255.255.0   (page 35-1)
      Console(config-if)#exit
      Console(config)#ip default-gateway 10.1.0.254   (page 35-2)
      Console(config)#
    Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the stack to be dynamically configured by these services.
  • Page 67: Managing Firmware

    Managing Firmware Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the stack is moved to another network segment, you will lose management access to the stack. In this case, you can reboot the stack or submit a client request to restart DHCP service via the CLI.
  • Page 68: Downloading System Software From A Server

    Basic Management Tasks Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web –...
  • Page 69: Figure 4-11 Deleting Files

    Managing Firmware To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 4-11 Deleting Files CLI –...
  • Page 70: Saving Or Restoring Configuration Settings

    Basic Management Tasks Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes •...
  • Page 71: Downloading Configuration Settings From A Server

    Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it.
  • Page 72: Console Port Settings

    Basic Management Tasks CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. TFTP provides no authentication or integrity protection for the transferred file, so keep the TFTP server on an isolated management network and review the loaded configuration before you rely on it.
      Console#copy tftp startup-config                (page 19-13)
      TFTP server ip address: 192.168.1.19
      Source configuration file name: config-1
      Startup configuration file name [] : startup
      \Write to FLASH Programming.
  • Page 73: Figure 4-14 Configuring The Console Port

    Console Port Settings • Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None) • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal).
  • Page 74: Telnet Settings

    Basic Management Tasks CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
      Console(config)#line console                    (page 19-19)
      Console(config-line)#login local                (page 19-20)
      Console(config-line)#password 0 secret          (page 19-21)...
  • Page 75: Figure 4-15 Configuring The Telnet Interface

    Telnet Settings • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) •...
  • Page 76: Configuring Event Logging

    Basic Management Tasks Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 77: Remote Log Configuration

    Configuring Event Logging Web – Click System, Logs, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 4-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
  • Page 78: Figure 4-17 Remote Logs

    Basic Management Tasks Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 4-17 Remote Logs CLI –...
  • Page 79: Displaying Log Messages

    Configuring Event Logging Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 80: Figure 4-19 Enabling And Configuring Smtp Alerts

    Basic Management Tasks • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list. •...
  • Page 81: Resetting The System

    Resetting the System CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 82: Setting The System Clock

    Basic Management Tasks Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 83: Setting The Time Zone

    Setting the System Clock CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings.
      Console(config)#sntp client                     (page 19-38)
      Console(config)#sntp poll 16                    (page 19-39)
      Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2   (page 19-39)
      Console(config)#exit
      Console#show sntp                               (page 19-40)
      Current time: 6 14:56:05 2004...
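As an added illustration (not part of the manual, and not the switch's own code) of what the sntp client configured above does on the wire, the following Python builds the 48-byte SNTP request, parses a server reply with the sanity checks a client should apply before setting its clock, and constructs a reply locally so it runs offline. Plain SNTP carries no authentication, so an on-path attacker can shift the switch clock and skew every log timestamp; a client should at least refuse unsynchronized (LI=3) and kiss-o'-death (stratum 0) replies. The server argument of query() is a placeholder.

```python
import socket
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_request(version: int = 4) -> bytes:
    """48-byte SNTP client request: LI=0, VN=version, Mode=3, all else zero."""
    return bytes([(0 << 6) | (version << 3) | 3]) + bytes(47)


def parse_response(pkt: bytes):
    """Return (stratum, transmit time as Unix seconds), or raise if the reply
    must not be used to set a clock."""
    if len(pkt) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    header, stratum = pkt[0], pkt[1]
    leap, mode = header >> 6, header & 0x7
    if mode != 4:
        raise ValueError(f"expected server mode 4, got mode {mode}")
    if leap == 3:
        raise ValueError("server clock is unsynchronized (LI=3)")
    if stratum == 0:
        raise ValueError("kiss-o'-death reply (stratum 0)")
    tx_sec, tx_frac = struct.unpack("!II", pkt[40:48])  # Transmit Timestamp field
    return stratum, tx_sec - NTP_UNIX_OFFSET + tx_frac / 2**32


def constructed_reply(unix_time: float, stratum: int = 2, leap: int = 0) -> bytes:
    """Constructed server reply for offline use; only the fields parse_response reads are set."""
    pkt = bytearray(48)
    pkt[0] = (leap << 6) | (4 << 3) | 4  # LI, VN=4, Mode=4 (server)
    pkt[1] = stratum
    whole = int(unix_time)
    struct.pack_into("!II", pkt, 40, whole + NTP_UNIX_OFFSET, int((unix_time - whole) * 2**32))
    return bytes(pkt)


def query(server: str, timeout: float = 2.0):
    """Send one request over UDP/123 and parse the reply (server is a placeholder name)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        reply, _ = s.recvfrom(512)
    return parse_response(reply)


if __name__ == "__main__":
    print(parse_response(constructed_reply(1100000000.5)))
```

Only the transmit timestamp is used here, which is what a switch-class SNTP client does (no round-trip compensation); the point is the validation before the clock is touched.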
  • Page 85: Chapter 5: Simple Network Management Protocol

    Chapter 5: Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 86: Enabling The Snmp Agent

    Simple Network Management Protocol Table 5-1 SNMPv3 Security Models and Levels
      Model | Level        | Group                | Read View    | Write View   | Notify View  | Security
            | noAuthNoPriv | public (read only)   | defaultview  | none         | none         | Community string only
            | noAuthNoPriv | private (read/write) | defaultview  | defaultview  | none         | Community string only
            | noAuthNoPriv | user defined         | user defined | user defined | user defined | Community string only
            | noAuthNoPriv | public               | defaultview  | ...
  • Page 87: Setting Community Access Strings

    Setting Community Access Strings Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
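Both this section and the “Basic Configuration” page in Chapter 2 say to replace the factory community strings, and Chapter 3 notes the web agent's default “admin”/“admin” login. The following added example (not from the manual or from Edge-Core) audits a saved configuration for those defaults and for cleartext management services. The command syntax is an assumption modelled on the command names in the table of contents (snmp-server community, username, ip telnet server, ip http server, ip http secure-server, ip ssh server), and both configuration dumps are constructed.

```python
import re

# Constructed running-config in the style of this switch's factory defaults.
# ASSUMPTION: command syntax is modelled on the command names in the manual's
# table of contents; "password 0" is taken to mean a plaintext password, as in
# the manual's "password 0 secret" console example.
FACTORY_STYLE_CONFIG = """\
!
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15
username admin password 0 admin
username guest access-level 0
username guest password 0 guest
!
ip telnet server
ip http server
no ip http secure-server
no ip ssh server
!
"""

# Constructed hardened counterpart: unique community, new passwords that use
# the full 8-character limit, Telnet and HTTP off, SSH and HTTPS on.
HARDENED_CONFIG = """\
!
snmp-server community mon7Qx-ro ro
!
username admin access-level 15
username admin password 0 Kq8zP2mR
username guest access-level 0
username guest password 0 Wn4yT9hb
!
no ip telnet server
no ip http server
ip http secure-server
ip ssh server
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"admin": "admin", "guest": "guest"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")
PASSWORD_RE = re.compile(r"^username (\S+) password (\d) (\S+)$")
SERVICE_RE = re.compile(
    r"^(no )?(ip (?:telnet server|ssh server|http server|http secure-server))$"
)


def audit_config(text):
    """Return human-readable findings for insecure defaults in a config dump."""
    findings = []
    enabled = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            name, access = m.groups()
            if name in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{name}' with {access} access")
            continue
        m = PASSWORD_RE.match(line)
        if m:
            user, encoding, password = m.groups()
            if encoding == "0" and DEFAULT_PASSWORDS.get(user) == password:
                findings.append(f"user '{user}' still has the factory password")
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(1) is None:
            enabled.add(m.group(2))
    # Management-plane services: Telnet and HTTP carry credentials in cleartext.
    if "ip telnet server" in enabled:
        findings.append("Telnet server enabled; use ip ssh server instead")
    if "ip http server" in enabled and "ip http secure-server" not in enabled:
        findings.append("HTTP web agent enabled without HTTPS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_STYLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or 'no findings'}")
```

Run it against a config saved with copy running-config to a TFTP server; a unit that still has any of the six factory findings should not be left reachable from user VLANs.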
  • Page 88: Specifying Trap Managers And Trap Types

    Simple Network Management Protocol Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 89 Specifying Trap Managers and Trap Types Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. •...
  • Page 90: Figure 5-3 Configuring Snmp Trap Managers

    Simple Network Management Protocol Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add.
  • Page 91: Configuring Snmpv3 Management Access

    Configuring SNMPv3 Management Access Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, do so before configuring other SNMP parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 92: Specifying A Remote Engine Id

    Simple Network Management Protocol Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
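The passage above says the remote engine ID feeds into the security digest. The mechanism is RFC 3414 key localization: the user's password is hashed into a master key Ku, then mixed with the ID of the SNMP engine the packet is addressed to (Kul = H(Ku || snmpEngineID || Ku)), so the same password yields a different key for every engine, and an inform to a user on a remote host cannot be authenticated or encrypted until that host's engine ID is configured. The following added example (mine, not the switch's code) implements the derivation and checks it against the RFC 3414 Appendix A test vectors; the two engine IDs used for the local/remote comparison are made up.

```python
import hashlib

# Made-up engine IDs for illustration (enterprise 259 is Accton's, as in the
# trap OIDs in Table 5-2; the MAC-style suffixes are invented). In practice use
# the values shown on the SNMPv3 Engine ID page of each device.
LOCAL_ENGINE_ID = "8000010303001122334455"
REMOTE_ENGINE_ID = "8000010303aabbccddeeff"


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated end to end to exactly 1 MiB)."""
    if not password:
        raise ValueError("empty password")
    stream_len = 1048576
    reps = stream_len // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:stream_len]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), the key actually used on the wire."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, hash_name: str = "sha1") -> str:
    """Hex key for one (password, engine) pair; hash_name is 'md5' or 'sha1'."""
    ku = password_to_key(password.encode(), hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()


def keys_per_engine(password: str, engine_ids: dict, hash_name: str = "sha1") -> dict:
    """Same password, one localized key per engine: this is why the remote engine
    ID must be entered before informs to a remote SNMPv3 user can be authenticated."""
    return {name: localized_key(password, eid, hash_name) for name, eid in engine_ids.items()}


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: password "maplesyrup", engine ID 00...02, MD5
    print(localized_key("maplesyrup", "000000000000000000000002", "md5"))
    for engine, key in keys_per_engine(
        "maplesyrup", {"local": LOCAL_ENGINE_ID, "remote": REMOTE_ENGINE_ID}
    ).items():
        print(f"{engine}: {key}")
```

MD5 and SHA-1 are the only authentication protocols this generation of firmware offers; prefer SHA with AuthPriv, and note that the 1 MiB hashing step is a deliberate slow-down, not a substitute for a strong password.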
  • Page 93: Configuring Snmpv3 Users

    Configuring SNMPv3 Management Access Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, or notify view. Command Attributes •...
  • Page 94: Figure 5-6 Configuring Snmpv3 Users

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 95: Configuring Remote Snmpv3 Users

    Configuring SNMPv3 Management Access Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read and a write view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 96: Figure 5-7 Configuring Remote SNMPv3 Users

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 97: Configuring SNMPv3 Groups

    Configuring SNMPv3 Management Access Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 98 Simple Network Management Protocol Table 5-2 Supported Notification Messages (Continued) Object Label Object ID Description linkUp 1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state).
  • Page 99: Figure 5-8 Configuring SNMPv3 Groups

    Configuring SNMPv3 Management Access Table 5-2 Supported Notification Messages (Continued) Object Label Object ID Description swThermalFallingNotification 1.3.6.1.4.1.259.8.2.2.2.1.0.59 This trap is sent when the temperature falls below the switchThermalActionFallingThreshold. swModuleInsertionNotification 1.3.6.1.4.1.259.8.2.2.2.1.0.60 This trap is sent when a module is inserted. swModuleRemovalNotification 1.3.6.1.4.1.259.8.2.2.2.1.0.61...
  • Page 100: Setting SNMPv3 Views

    Simple Network Management Protocol CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views. Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview Console(config)#exit Console#show snmp group...
  • Page 101: Figure 5-9 Configuring SNMPv3 Views

    Configuring SNMPv3 Management Access Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
  • Page 102 Simple Network Management Protocol CLI – Use the snmp-server view command to configure a new view. This example view includes the ifIndex column (1.3.6.1.2.1.2.2.1.1) of the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)#exit Console#show snmp view View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
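    The view, group and user pages above describe one access-control decision: a user's group fixes the minimum security level and the read/write/notify views, and a view is a set of included or excluded OID subtrees with an optional wildcard. The following Python model of that decision is an added example, not code from the switch or from Edge-Core. From the page it takes the view name defaultview, the group secure-users (v3, priv) and the view ifEntry.a with subtree 1.3.6.1.2.1.2.2.1.1.*; the class names, the no-usm view and the users admin, monitor, ops1 and weak are invented for the example. The longest-matching-subtree rule is the VACM rule from RFC 3415, which the page does not spell out.

```python
"""SNMPv3 access-policy check, modelled on the views, groups and users
described on the pages above.  Added example, not code from the switch
or from Edge-Core.  From the page: the view "defaultview", the group
"secure-users" (v3, priv) and the view "ifEntry.a" with subtree
1.3.6.1.2.1.2.2.1.1.*.  Everything else (class names, the "no-usm"
view, the users) is invented for this example."""

from dataclasses import dataclass, field
from typing import Optional

LEVELS = {"noauth": 0, "auth": 1, "priv": 2}   # USM security levels, weakest first


def parse_oid(text):
    """'1.3.6.1.2.1.2.2.1.1.*' -> [1, 3, 6, ..., 1, '*'].  '*' is the page's
    wildcard for "any value of this sub-identifier"."""
    return [p if p == "*" else int(p) for p in text.split(".")]


def subtree_matches(pattern, oid):
    """True when oid lies inside the subtree described by pattern."""
    if len(oid) < len(pattern):
        return False
    return all(p == "*" or p == o for p, o in zip(pattern, oid))


@dataclass
class View:
    name: str
    entries: list = field(default_factory=list)      # (pattern, included)

    def add(self, subtree, included=True):
        self.entries.append((parse_oid(subtree), included))
        return self

    def allows(self, oid_text):
        """The longest (most specific) matching subtree decides, as in
        SNMP VACM; an OID under no subtree is not in the view."""
        oid = parse_oid(oid_text)
        best = None
        for pattern, included in self.entries:
            if subtree_matches(pattern, oid) and (best is None or len(pattern) > len(best[0])):
                best = (pattern, included)
        return best is not None and best[1]


@dataclass
class Group:
    name: str
    level: str                      # minimum security level the group requires
    read: Optional[str] = None      # view names; None = no access of that kind
    write: Optional[str] = None
    notify: Optional[str] = None


@dataclass
class User:
    name: str
    group: str
    level: str                      # level the user is configured to use


class Policy:
    def __init__(self):
        self.views, self.groups, self.users = {}, {}, {}

    def check(self, user_name, oid, op):
        """True if user may perform op ('read'/'write'/'notify') on oid.
        Unknown user, unknown group, too weak a level, missing view or
        an OID outside the view all deny."""
        user = self.users.get(user_name)
        group = self.groups.get(user.group) if user else None
        if group is None or LEVELS[user.level] < LEVELS[group.level]:
            return False
        view = self.views.get(getattr(group, op) or "")
        return view is not None and view.allows(oid)


def build_example_policy():
    p = Policy()
    p.views["defaultview"] = View("defaultview").add("1")                     # whole MIB tree
    p.views["ifEntry.a"] = View("ifEntry.a").add("1.3.6.1.2.1.2.2.1.1.*")     # ifIndex column only
    p.views["no-usm"] = View("no-usm").add("1").add("1.3.6.1.6.3.15", False)  # hide the USM MIB
    p.groups["secure-users"] = Group("secure-users", "priv",
                                     read="defaultview", write="defaultview", notify="defaultview")
    p.groups["ifindex-ro"] = Group("ifindex-ro", "auth", read="ifEntry.a")
    p.groups["ops"] = Group("ops", "auth", read="no-usm")
    p.users["admin"] = User("admin", "secure-users", "priv")
    p.users["monitor"] = User("monitor", "ifindex-ro", "auth")
    p.users["ops1"] = User("ops1", "ops", "priv")
    p.users["weak"] = User("weak", "secure-users", "noauth")   # level below what its group demands
    return p


if __name__ == "__main__":
    pol = build_example_policy()
    for who, oid, op in [("admin", "1.3.6.1.2.1.1.5.0", "write"),
                         ("monitor", "1.3.6.1.2.1.2.2.1.2.3", "read"),
                         ("ops1", "1.3.6.1.6.3.15.1.2.2.1.3", "read"),
                         ("weak", "1.3.6.1.2.1.1.5.0", "read")]:
        print(f"{who:8} {op:6} {oid:28} -> {'permit' if pol.check(who, oid, op) else 'deny'}")
```

    The two checks worth copying into a review of a real configuration are the level comparison (a group created with priv silently locks out a user created with auth or noauth) and the exclusion of the USM user table from read-only views, so a monitoring credential cannot enumerate the switch's SNMP accounts.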
  • Page 103: Chapter 6: User Authentication

    Chapter 6: User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 104: Configuring Local/Remote Logon Authentication

    User Authentication Web – Click Security, User Accounts. To configure a new user account, enter the user name, access level, and password, then click Add. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 105 Configuring Local/Remote Logon Authentication the network. An authentication server contains a database of multiple user name/ password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport.
  • Page 106: Figure 6-2 Authentication Server Settings

    User Authentication - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request.
  • Page 107: Configuring HTTPS

    Configuring HTTPS Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: Retransmit times: Request timeout: Server 1: Server IP address: 192.168.1.25 Communication key with RADIUS server: ***** Server port number: 181 Retransmit times: 5 Request timeout: 10 Console#config...
  • Page 108: Replacing The Default Secure-Site Certificate

    User Authentication • The following web browsers and operating systems currently support HTTPS (Table 6-1 HTTPS System Support): Internet Explorer 5.0 or later on Windows 98, Windows NT (with Service Pack 6a), Windows 2000 and Windows XP; Netscape Navigator 6.2 or later on Windows 98, Windows NT (with Service Pack 6a), Windows 2000, Windows XP and Solaris 2.6. •...
  • Page 109: Configuring The Secure Shell

    Configuring the Secure Shell When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one. Note that TFTP provides neither authentication nor encryption, so run this transfer only over a trusted management network. Console#copy tftp https-certificate TFTP server ip address: <server ip-address> Source certificate file name: <certificate file name>...
  • Page 110 User Authentication To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 111: Generating The Host Key Pair

    Configuring the Secure Shell stored on the switch can access it. The following exchanges take place during this process: Authenticating SSH v1.5 Clients a. The client sends its RSA public key to the switch. b. The switch compares the client's public key to those stored in memory. c.
  • Page 112: Figure 6-4 SSH Host-Key Settings

    User Authentication Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. SSH protocol version 1 is obsolete and has known weaknesses, so use SSHv2 clients wherever possible. • Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored in RAM by default.
  • Page 113: Configuring The SSH Server

    Configuring the Secure Shell CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys. Console#ip ssh crypto host-key generate Console#ip ssh save host-key Console#show public-key host...
  • Page 114: Figure 6-5 SSH Server Settings

    User Authentication Web – Click Security, SSH, Settings. Enable SSH and adjust the authentication parameters as required, then click Apply. Note that you must first generate the host key pair on the SSH Host-Key Settings page before you can enable the SSH server. Figure 6-5 SSH Server Settings CLI –...
  • Page 115: Configuring 802.1X Port Authentication

    Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 116: Displaying 802.1X Global Settings

    User Authentication • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) • The RADIUS server and client also have to support the same EAP encryption method for passing authentication messages –...
  • Page 117: Configuring 802.1X Global Settings

    Configuring 802.1X Port Authentication Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 118: Figure 6-8 802.1X Port Configuration

    User Authentication • Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client.
  • Page 119 Configuring 802.1X Port Authentication CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 21-29. Console(config)#interface ethernet 1/2 Console(config-if)#dot1x port-control auto Console(config-if)#dot1x re-authentication Console(config-if)#dot1x max-req 5...
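    The Max Request and Quiet Period attributes above describe a small state machine: a port in the middle of an authentication keeps retransmitting the EAP Request, gives up after Max Request retransmissions, and then holds the port for Quiet Period seconds before talking to a supplicant again. The following Python simulation of that behaviour is an added example, not switch code. It assumes the page's wording literally (one initial request plus at most max_req retransmissions), lets the caller advance time explicitly instead of running timers, and omits the RADIUS leg of the exchange; the class and method names are the example's own.

```python
"""Port-authenticator retry/quiet-period behaviour, following the
"Max Request" and "Quiet Period" descriptions on the pages above.
Added example, not switch code.  Assumptions: the initial EAP Request
is followed by at most max_req retransmissions (the page's wording),
time is advanced explicitly by the caller, and the RADIUS exchange is
reduced to a single accept callback."""


class PortAuthenticator:
    CONNECTING, AUTHENTICATED, HELD = "connecting", "authenticated", "held"

    def __init__(self, max_req=2, quiet_period=60):
        self.max_req = max_req              # page: range 1-10, default 2
        self.quiet_period = quiet_period    # seconds to wait after giving up
        self.state = self.CONNECTING
        self.now = 0
        self.held_until = None
        self.sent = 0                       # EAP Requests sent in this attempt
        self.log = []
        self._send_request()

    def _send_request(self):
        self.sent += 1
        self.log.append((self.now, f"EAP-Request #{self.sent}"))

    def request_timeout(self):
        """The supplicant did not answer the last EAP Request in time."""
        if self.state != self.CONNECTING:
            return self.state
        if self.sent - 1 >= self.max_req:   # retransmissions exhausted
            self.state = self.HELD
            self.held_until = self.now + self.quiet_period
            self.log.append((self.now, "max-req exceeded, port held"))
        else:
            self._send_request()
        return self.state

    def response_ok(self):
        """The authentication server accepted the supplicant's credentials."""
        if self.state == self.CONNECTING:
            self.state = self.AUTHENTICATED
            self.log.append((self.now, "port authorized"))
        return self.state

    def advance(self, seconds):
        """Let wall-clock time pass; a held port returns to connecting
        (and sends a fresh EAP Request) once the quiet period ends."""
        self.now += seconds
        if self.state == self.HELD and self.now >= self.held_until:
            self.state, self.sent = self.CONNECTING, 0
            self.log.append((self.now, "quiet period over, new attempt"))
            self._send_request()
        return self.state


def silent_client(max_req=2, quiet_period=60, tx_period=30):
    """Timeline for a device that never answers: returns the event log
    up to the point where the port would start a second attempt."""
    auth = PortAuthenticator(max_req, quiet_period)
    while auth.state == auth.CONNECTING:
        auth.advance(tx_period)
        auth.request_timeout()
    auth.advance(quiet_period)
    return auth.log


if __name__ == "__main__":
    for t, event in silent_client():
        print(f"t={t:4}s  {event}")
```

    The practical reading: with the default Max Request of 2 a silent device costs the port three EAP Requests per attempt, and a very short Quiet Period turns that into a steady stream of authentication attempts against the RADIUS server, so raising Quiet Period on ports facing untrusted devices is the cheaper fix than lowering Max Request.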
  • Page 120: Displaying 802.1X Statistics

    User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 6-2 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 121: Figure 6-9 802.1X Port Statistics

    Configuring 802.1X Port Authentication Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 6-9 802.1X Port Statistics CLI – This example displays the dot1x statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 Eth 1/4...
  • Page 122: Filtering IP Addresses For Management Access

    User Authentication Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage •...
  • Page 123: Figure 6-10 IP Filter

    Filtering IP Addresses for Management Access Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 6-10 IP Filter CLI – This example restricts management access for Telnet clients. Console(config)#management telnet-client 192.168.1.19 Console(config)#management telnet-client 192.168.1.25 192.168.1.30...
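    The filter described above is a per-service allow list of at most 16 single addresses or ranges. The following Python model of it is an added example, not switch code: the two management telnet-client lines and the 16-entry limit are taken from the page, while the keywords http-client and snmp-client for the other two services, and the treatment of a service with no entries as unrestricted, are assumptions of the example.

```python
"""Management-access IP filter, modelling the address list described on
the pages above.  Added example, not switch code.  From the page: the
"management telnet-client" lines, the 16-entry limit and the services
(web, SNMP, Telnet).  Assumed here: the keywords "http-client" and
"snmp-client" for the other two services, and that a service with no
entries at all is unrestricted."""

import ipaddress

SERVICES = {"telnet-client": "telnet", "http-client": "web", "snmp-client": "snmp"}
MAX_ENTRIES = 16


class ManagementFilter:
    def __init__(self):
        self.entries = []            # (service, first, last) IPv4Address triples

    def add(self, service, first, last=None):
        if service not in SERVICES.values():
            raise ValueError(f"unknown service {service!r}")
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"filter list full ({MAX_ENTRIES} entries)")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last) if last else lo
        if hi < lo:
            raise ValueError("range end precedes range start")
        self.entries.append((service, lo, hi))

    def add_cli_line(self, line):
        """Parse 'management telnet-client 192.168.1.25 192.168.1.30'."""
        words = line.split()
        if len(words) not in (3, 4) or words[0] != "management" or words[1] not in SERVICES:
            raise ValueError(f"not a management filter line: {line!r}")
        self.add(SERVICES[words[1]], words[2], words[3] if len(words) == 4 else None)

    def allowed(self, service, client_ip):
        """Decide whether client_ip may open a session of the given service."""
        ip = ipaddress.IPv4Address(client_ip)
        ranges = [(lo, hi) for svc, lo, hi in self.entries if svc == service]
        if not ranges:
            return True              # assumption: nothing configured -> unrestricted
        return any(lo <= ip <= hi for lo, hi in ranges)


def build_example_filter():
    f = ManagementFilter()
    for line in ("management telnet-client 192.168.1.19",                # from the page
                 "management telnet-client 192.168.1.25 192.168.1.30",   # from the page
                 "management http-client 192.168.1.25 192.168.1.30"):    # assumed keyword
        f.add_cli_line(line)
    return f


if __name__ == "__main__":
    flt = build_example_filter()
    for svc, ip in [("telnet", "192.168.1.19"), ("telnet", "192.168.1.27"),
                    ("telnet", "192.168.1.31"), ("web", "192.168.1.19"), ("snmp", "10.0.0.1")]:
        print(f"{svc:6} from {ip:14} -> {'accept' if flt.allowed(svc, ip) else 'reject'}")
```

    The SNMP line in the demo is the one to notice: a list that only names Telnet clients leaves SNMP reachable from anywhere, so each management service needs its own entries, and the 16-entry budget has to be shared among them.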
  • Page 125: Chapter 7: Client Security

    Chapter 7: Client Security This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 126 Client Security MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage • A secure port has the following restrictions: - It cannot be used as a member of a static or dynamic trunk.
  • Page 127: Figure 7-1 Port Security

    Configuring Port Security Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 7-1 Port Security CLI –...
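    The two pages above define port security by three things: a per-port ceiling on learned MAC addresses, the rule that addresses learned before the ceiling is reached are kept and never aged out, and an action taken when any other source address appears. The following Python simulation of that behaviour is an added example, not switch code. The action names none, trap, shutdown and trap-and-shutdown are assumptions of the example (the page only says an action is selected per port); the address 00-e0-29-94-34-de is the one used on a later page of the manual and the other addresses are constructed.

```python
"""Port-security behaviour from the pages above: a per-port limit on
learned MAC addresses, addresses that are retained once learned, and
an action when an unknown address shows up.  Added example, not switch
code.  The action names are assumptions of this example; the MAC
00-e0-29-94-34-de comes from a later page of the manual, the others
are constructed."""

ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")


def norm_mac(mac):
    """Accept 11-22-33-44-55-66, 11:22:33:44:55:66 or 112233445566."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


class SecurePort:
    def __init__(self, name, max_mac=1, action="trap"):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.name, self.max_mac, self.action = name, max_mac, action
        self.secure_macs = set()         # learned and locked; never aged out
        self.shutdown = False
        self.traps = []

    def ingress(self, mac):
        """Return True if a frame with this source MAC is forwarded."""
        mac = norm_mac(mac)
        if self.shutdown:
            return False                 # port disabled by an earlier violation
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_mac:
            self.secure_macs.add(mac)    # first come, first locked
            return True
        self._violation(mac)
        return False

    def _violation(self, mac):
        if "trap" in self.action:
            self.traps.append(f"port {self.name}: intrusion from {mac}")
        if "shutdown" in self.action:
            self.shutdown = True


def replay(port, macs):
    """Feed a sequence of source MACs to a port; return the forward decisions."""
    return [port.ingress(m) for m in macs]


if __name__ == "__main__":
    p = SecurePort("eth1/5", max_mac=2, action="trap-and-shutdown")
    print(replay(p, ["00-e0-29-94-34-de", "00-e0-29-94-34-df", "00-11-22-33-44-55",
                     "00-e0-29-94-34-de"]))
    print(p.traps, "shutdown:", p.shutdown)
```

    The last decision in the demo is the operational cost of a shutdown action: once the port is disabled, the legitimate device that was learned first is cut off as well, which is why trap-only is the usual choice on ports where a hub or a second device may appear.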
  • Page 129: Chapter 8: Access Control Lists

    Chapter 8: Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 130: Setting The ACL Name And Type

    Access Control Lists • Each ACL can have up to 32 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
  • Page 131: Configuring A Standard ACL

    Configuring Access Control Lists Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 8-1 Selecting ACL Type CLI –...
  • Page 132: Configuring An Extended ACL

    Access Control Lists Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add. Figure 8-2 ACL Configuration - Standard IPv4 CLI –...
  • Page 133 Configuring Access Control Lists • Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535) • Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) • Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header.
  • Page 134: Figure 8-3 ACL Configuration - Extended IPv4

    Access Control Lists Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 135: Configuring A MAC ACL

    Configuring Access Control Lists Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 136: Figure 8-4 ACL Configuration - MAC

    Access Control Lists Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 137: Configuring ACL Masks

    Configuring Access Control Lists Configuring ACL Masks You must specify masks that control the order in which ACL rules are checked. ACL rules matching the first entry in the mask are checked first. Rules matching subsequent entries in the mask are then checked in the specified order. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL.
  • Page 138: Configuring An IP ACL Mask

    Access Control Lists CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet. Console(config)#access-list ip mask-precedence in...
  • Page 139: Figure 8-6 ACL Mask Configuration - IP

    Configuring Access Control Lists Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types.
  • Page 140: Configuring A MAC ACL Mask

    Access Control Lists Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes •...
  • Page 141: Binding A Port To An Access Control List

    Binding a Port to an Access Control List CLI – This example shows how to create an ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask. Console(config)#access-list mac M4 Console(config-mac-acl)#permit any any...
  • Page 142: Figure 8-8 ACL Port Binding

    Access Control Lists Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress traffic, select the required ACL from the drop-down list, then click Apply. Figure 8-8 ACL Port Binding CLI –...
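    The ACL chapter above (rules, masks, port binding) leaves the one thing that decides whether a filter works, the rule evaluation order, to the mask. The following Python model of an ingress IP ACL with mask precedence is an added example, not switch code, and it serves the extended-ACL, mask and binding pages together. The assumptions it makes where the page is silent: a mask entry applies to the rules that test exactly the fields it lists; rules are checked in mask-entry order and, within one entry, in configuration order; a rule covered by no mask entry is never checked; and the action when nothing matches is a constructor parameter. The port and TCP control-code tests use the value-and-bitmask comparison the extended-ACL page describes; the addresses are constructed, and the class and function names are the example's own.

```python
"""Ingress ACL evaluation with mask precedence, following the ACL, mask
and port-binding pages above.  Added example, not switch code.  The
mask semantics (entries select rules by the exact set of fields they
test; entry order is precedence; uncovered rules are never checked) and
the default action are assumptions of this example."""

from dataclasses import dataclass, field
import ipaddress

TCP, UDP = 6, 17
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32     # TCP control-code bits


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0
    flags: int = 0


@dataclass
class Rule:
    action: str                                       # "permit" or "deny"
    cond: dict = field(default_factory=dict)          # field name -> test

    def fields(self):
        return frozenset(self.cond)

    def matches(self, pkt):
        for name, want in self.cond.items():
            if name in ("src", "dst"):                # "addr/mask" or "addr/prefix"
                net = ipaddress.IPv4Network(want, strict=False)
                if ipaddress.IPv4Address(getattr(pkt, name)) not in net:
                    return False
            elif name == "protocol":
                if pkt.protocol != want:
                    return False
            else:                                     # sport/dport/flags: (value, bitmask)
                value, mask = want
                if (getattr(pkt, name) & mask) != (value & mask):
                    return False
        return True


class IngressAcl:
    def __init__(self, name, default="permit"):
        self.name, self.default = name, default
        self.rules, self.mask = [], []                # config order; mask entries in order

    def rule(self, action, **cond):
        self.rules.append(Rule(action, cond))
        return self

    def set_mask(self, *entries):
        """Each entry is a tuple of field names, e.g. ('src',) or
        ('protocol', 'dport', 'flags'); entry order is precedence."""
        self.mask = [frozenset(e) for e in entries]
        return self

    def ordered_rules(self):
        return [r for entry in self.mask for r in self.rules if r.fields() == entry]

    def decide(self, pkt):
        for r in self.ordered_rules():
            if r.matches(pkt):
                return r.action
        return self.default


class Switch:
    """Port binding: one ingress ACL per port; unbound ports forward."""
    def __init__(self):
        self.bindings = {}

    def bind(self, port, acl):
        self.bindings[port] = acl

    def ingress(self, port, pkt):
        acl = self.bindings.get(port)
        return acl.decide(pkt) if acl else "permit"


def build_example():
    """Deny new Telnet sessions (SYN set, ACK clear, dport 23) and all of
    10/8, but permit one admin host.  Whether the admin host may open
    Telnet depends on which mask entry comes first."""
    return (IngressAcl("telnet-guard", default="permit")
            .rule("permit", src="192.168.1.5/255.255.255.255")
            .rule("deny", protocol=TCP, dport=(23, 0xFFFF), flags=(SYN, SYN | ACK))
            .rule("deny", src="10.0.0.0/255.0.0.0")
            .set_mask(("src",), ("protocol", "dport", "flags")))


if __name__ == "__main__":
    acl = build_example()
    admin_syn = Packet("192.168.1.5", "192.168.1.1", TCP, 40000, 23, SYN)
    print("src entry first:", acl.decide(admin_syn))
    acl.set_mask(("protocol", "dport", "flags"), ("src",))
    print("tcp entry first:", acl.decide(admin_syn))
```

    The control-code pair (SYN, SYN|ACK) is the idiom for "new connection": it requires SYN set and ACK clear, so replies to sessions the switch's own side opened pass. The second point the demo makes is the one the page states only abstractly: swapping the two mask entries flips the verdict for the admin host without touching a single rule, so the mask order has to be reviewed with the same care as the rules.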
  • Page 143: Chapter 9: Port Configuration

    Chapter 9: Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
  • Page 144 Port Configuration Field Attributes (CLI) Basic information: • Port type – Indicates port type. (100BASE-TX, 100BASE-BX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 4-8.) Configuration: •...
  • Page 145: Configuring Interface Connections

    Configuring Interface Connections CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-30-F1-D4-73-A5 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Broadcast storm: Enabled Broadcast storm limit:...
  • Page 146 Port Configuration - 100full - Supports 100 Mbps full-duplex operation - 1000full - Supports 1 Gbps full-duplex operation - Sym (Gigabit only) - Check this item to transmit and receive pause frames, or clear it to auto-negotiate the sender and receiver for asymmetric pause frames. (The current switch chip only supports symmetric pause frames.) - FC - Supports flow control Flow control can eliminate frame loss by “blocking”...
  • Page 147: Figure 9-2 Port - Port Configuration

    Configuring Interface Connections Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 9-2 Port - Port Configuration CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 Console(config-if)#description RD SW#13...
  • Page 148: Creating Trunk Groups

    Port Configuration Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 149: Statically Configuring A Trunk

    Creating Trunk Groups Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 150: Enabling LACP On Selected Ports

    Port Configuration CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/9 Console(config-if)#channel-group 1 Console(config-if)#exit Console(config)#interface ethernet 1/10...
  • Page 151: Figure 9-4 LACP Trunk Configuration

    Creating Trunk Groups Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
  • Page 152: Configuring LACP Parameters

    Port Configuration Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. •...
  • Page 153: Figure 9-5 LACP - Aggregation Port

    Creating Trunk Groups Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 154 Port Configuration CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode. Console(config)#interface ethernet 1/1 Console(config-if)#lacp actor system-priority 3 Console(config-if)#lacp actor admin-key 120...
  • Page 155: Displaying LACP Port Counters

    Creating Trunk Groups Displaying LACP Port Counters You can display statistics for LACP protocol messages. Table 9-1 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received by this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group.
  • Page 156: Displaying LACP Settings And Status For The Local Side

    Port Configuration Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 9-2 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
  • Page 157: Figure 9-7 LACP - Port Internal Information

    Creating Trunk Groups Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 9-7 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal Port channel: 1...
  • Page 158: Displaying LACP Settings And Status For The Remote Side

    Port Configuration Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 9-3 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
  • Page 159: Setting Broadcast Storm Thresholds

    Setting Broadcast Storm Thresholds CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/2 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-01-F4-78-AE-C0...
  • Page 160: Figure 9-9 Port Broadcast Control

    Port Configuration • Threshold – Broadcast threshold in packets per second. (Range: 500-262143 pps; Default: 500 pps) • Trunk – Shows if port is a trunk member. Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply.
  • Page 161: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 162: Configuring Rate Limits

    Port Configuration Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 163: Showing Port Statistics

    Showing Port Statistics CLI – This example sets the rate limit for input and output traffic passing through port 1 to 60 Mbps. Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 60 Console(config-if)#rate-limit output 60 Console(config-if)# Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 164 Port Configuration Table 9-4 Port Statistics (Continued) Parameter Description Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. Transmit Broadcast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this...
  • Page 165 Showing Port Statistics Table 9-4 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
  • Page 166: Figure 9-12 Port Statistics

    Port Configuration Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 9-12 Port Statistics
  • Page 167 Showing Port Statistics CLI – This example shows statistics for port 12. Console#show interfaces counters ethernet 1/12 Ethernet 1/12 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 169: Chapter 10: Address Table Settings

    Chapter 10: Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 170: Displaying The Address Table

    Address Table Settings CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset. Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 171: Figure 10-2 Dynamic Addresses

    Displaying the Address Table Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 10-2 Dynamic Addresses CLI –...
  • Page 172: Changing The Aging Time

    Address Table Settings Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the aging function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-1000000 seconds;...
  • Page 173: Chapter 11: Spanning Tree Algorithm

    Chapter 11: Spanning Tree Algorithm The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 174 Spanning Tree Algorithm MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
  • Page 175: Displaying Global Settings

    Displaying Global Settings Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
  • Page 176: Figure 11-1 STA Information

    Spanning Tree Algorithm • Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.) • VLANs configuration – VLANs assigned to the CIST. • Priority – Bridge priority is used in selecting the root device, root port, and designated port.
  • Page 177 Displaying Global Settings CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4093 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 178: Configuring Global Settings

    Spanning Tree Algorithm Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 179 Configuring Global Settings address will then become the root device. (Note that lower numeric values indicate higher priority.) • Default: 32768 • Range: 0-61440, in steps of 4096 • Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 Root Device Configuration •...
  • Page 180 Spanning Tree Algorithm Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65) • Configuration Digest – An MD5 digest computed over the VLAN-ID-to-MST-ID mapping table; bridges belong to the same MST region only if their region name, revision level and this digest all agree.
  • Page 181: Figure 11-2 Sta Global Configuration

    Configuring Global Settings Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 11-2 STA Global Configuration 11-9...
  • Page 182: Displaying Interface Settings

    Spanning Tree Algorithm CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. (Note that the priority value 40000 in this example is not one of the multiples of 4096 listed under Configuring Global Settings; enter one of those values, such as 40960.)
    Console(config)#spanning-tree
    Console(config)#spanning-tree mode mstp
    Console(config)#spanning-tree priority 40000
    Console(config)#spanning-tree hello-time 5
    Console(config)#spanning-tree max-age 38
    Console(config)#spanning-tree forward-time 20
    ...
  • Page 183 Displaying Interface Settings • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
  • Page 184: Figure 11-3 Sta Port Information

    Spanning Tree Algorithm These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 185: Configuring Interface Settings

    Configuring Interface Settings CLI – This example shows the STA attributes for port 5.
    Console#show spanning-tree ethernet 1/5
    1/ 5 information
    --------------------------------------------------------------
    Admin status: enabled
    Role: disable
    State: discarding
    External admin path cost: 10000
    Internal admin cost: 10000
    External oper path cost: 10000
    Internal oper path cost: 10000
    ...
  • Page 186: Table 11-2 Recommended Sta Path Costs

    Spanning Tree Algorithm The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 187: Figure 11-4 Sta Port Configuration

    Configuring Interface Settings • Admin Link Type – The link type attached to this interface. • Point-to-Point – A connection to exactly one other bridge. • Shared – A connection to two or more bridges. • Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 188: Configuring Multiple Spanning Trees

    Spanning Tree Algorithm Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 189: Figure 11-5 Mstp Vlan Configuration

    Configuring Multiple Spanning Trees Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
  • Page 190 Spanning Tree Algorithm
    ---------------------------------------------------------------
    1/ 7 information
    ---------------------------------------------------------------
    Admin status: enabled
    Role: master
    State: forwarding
    External admin path cost: 10000
    Internal admin path cost: 10000
    External oper path cost: 10000
    Internal oper path cost: 10000
    Priority:
    Designated cost:
    Designated port: 128.1
    Designated root: 32768.1.0030F1D473A0
    ...
  • Page 191: Displaying Interface Settings For Mstp

    Displaying Interface Settings for MSTP Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes MST Instance ID – Instance identifier to configure. (Range: 0-4094; Default: 0) The other attributes are described under “Displaying Interface Settings,”...
  • Page 192: Configuring Interface Settings For Mstp

    Spanning Tree Algorithm
    ---------------------------------------------------------------
    1/ 1 information
    ---------------------------------------------------------------
    Admin status: enabled
    Role: root
    State: forwarding
    External admin path cost: 10000
    Internal admin path cost: 10000
    External oper path cost: 10000
    Internal oper path cost: 10000
    Priority:
    Designated cost:
    Designated port: 128.4
    Designated root: 32768.0.0000E8AAAA00
    ...
  • Page 193: Figure 11-7 Mstp Port Configuration

    Configuring Interface Settings for MSTP Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices.
  • Page 195: Chapter 12: Vlan Configuration

    Chapter 12: VLAN Configuration IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
  • Page 196 VLAN Configuration Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging. [Figure: tagged and untagged frame flow through VLAN-aware (VA) and VLAN-unaware (VU) devices]
  • Page 197 IEEE 802.1Q VLANs these hosts, and core switches in the network, enable GVRP on the links between these devices. You should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
  • Page 198: Enabling Or Disabling Gvrp (Global Setting)

    VLAN Configuration Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network.
  • Page 199: Displaying Current Vlans

    IEEE 802.1Q VLANs CLI – Enter the following command.
    Console#show bridge-ext
    Max support VLAN numbers:
    Max support VLAN ID: 4093
    Extended multicast filtering services: No
    Static entry individual port:
    VLAN learning:
    Configurable PVID tagging:
    Local VLAN capable:
    Traffic classes: Enabled
    Global GVRP status: Disabled
    ...
  • Page 200: Creating Vlans

    VLAN Configuration Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4093, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. •...
  • Page 201: Adding Static Members To Vlans (Vlan Index)

    IEEE 802.1Q VLANs Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 12-4 VLAN Static List - Creating VLANs CLI –...
  • Page 202: Figure 12-5 Vlan Static Table - Adding Static Members

    VLAN Configuration Command Attributes • VLAN – ID of configured VLAN (1-4093). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. •...
  • Page 203: Adding Static Members To Vlans (Port Index)

    IEEE 802.1Q VLANs CLI – The following example adds tagged and untagged ports to VLAN 2.
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport allowed vlan add 2 tagged
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2
    Console(config-if)#switchport allowed vlan add 2 untagged
    Console(config-if)#exit
    Console(config)#interface ethernet 1/13
    Console(config-if)#switchport allowed vlan add 2 tagged
    Console(config-if)#
    Adding Static Members to VLANs (Port Index)
  • Page 204: Configuring Vlan Behavior For Interfaces

    VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 205: Figure 12-7 Vlan Port Configuration

    IEEE 802.1Q VLANs Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
  • Page 206: Configuring Ieee 802.1Q Tunneling

    VLAN Configuration CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport acceptable-frame-types tagged
    Console(config-if)#switchport ingress-filtering
    ...
  • Page 207 Configuring IEEE 802.1Q Tunneling processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
  • Page 208 VLAN Configuration 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into an Uplink Port An uplink port receives one of the following packets: •...
  • Page 209 Configuring IEEE 802.1Q Tunneling Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
  • Page 210: Adding An Interface To A Qinq Tunnel

    VLAN Configuration Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the ingress port on the edge switch to dot1Q tunnel mode. Also set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 211: Configuring Private Vlans

    Configuring Private VLANs CLI – This example sets port 2 to tunnel mode, indicates that the TPID used for 802.1Q tagged frames will be 9100 hexadecimal, and enables address monitor mode to pass traffic between the management VLANs and the tunnel port.
    Console(config)#interface ethernet 1/2
    Console(config-if)#switchport mode dot1q-tunnel
    ...
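    The tag handling described in the QinQ pages above, and the per-port ingress rules from Configuring VLAN Behavior for Interfaces (PVID, acceptable frame types, ingress filtering), can be made concrete with a small frame model. The following Python is an added example, not code from the Edge-Core manual or its firmware: it decodes a stack of 802.1Q tags including the nonstandard TPID 0x9100 used in the tunnel-port example, pushes the service-provider VLAN (SPVLAN) tag on tunnel ingress, pops it on an uplink that is an untagged member of the SPVLAN, and classifies frames arriving on an ordinary port. The frames, VLAN IDs and port settings are constructed sample data. Two checks a practitioner wants are built in: a core switch that only recognises 0x8100 sees the 0x9100-tagged frame as untagged, and a port with ingress filtering disabled admits a frame tagged for any VLAN, whether or not the port is a member.

```python
"""Decode and rewrite 802.1Q / QinQ tag stacks and apply the ingress rules
the VLAN chapter describes (PVID, acceptable frame types, ingress filtering).

Added example, not code from the Edge-Core manual. It models the behaviour
the text describes, including the nonstandard TPID 0x9100 of the tunnel-port
example; the frames, VLAN IDs and port settings are constructed sample data.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100    # standard customer tag
TPID_8021AD = 0x88A8   # standard 802.1ad service tag
TPID_LEGACY = 0x9100   # nonstandard service tag, as in the manual's tunnel example
KNOWN_TPIDS = (TPID_8021Q, TPID_8021AD, TPID_LEGACY)

@dataclass(frozen=True)
class Tag:
    tpid: int
    pcp: int   # 802.1p priority, 3 bits
    vid: int   # 12 bits

    def pack(self) -> bytes:
        if not (0 <= self.pcp <= 7 and 0 <= self.vid <= 4095):
            raise ValueError("tag field out of range")
        return struct.pack("!HH", self.tpid, (self.pcp << 13) | self.vid)

@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    tags: tuple        # outermost first; empty for an untagged frame
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes, tpids=KNOWN_TPIDS) -> Frame:
    """Peel every leading tag whose TPID the receiver recognises.  A device
    that does not list 0x9100 sees such a frame as untagged with an unknown
    EtherType, which is why the tunnel port's TPID must match the client."""
    if len(raw) < 14:
        raise ValueError("short frame")
    off, tags = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", raw, off)[0]
        if etype not in tpids:
            break
        if off + 4 > len(raw):
            raise ValueError("truncated tag")
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append(Tag(etype, tci >> 13, tci & 0x0FFF))
        off += 4
    return Frame(raw[:6], raw[6:12], tuple(tags), etype, raw[off + 2:])

def build_frame(f: Frame) -> bytes:
    return (f.dst + f.src + b"".join(t.pack() for t in f.tags)
            + struct.pack("!H", f.ethertype) + f.payload)

def ingress_vlan(raw: bytes, pvid: int, members: set, acceptable="all",
                 ingress_filtering=True):
    """Classify a frame arriving on an access/hybrid port: returns the VLAN
    it is admitted to, or None if the port's rules drop it."""
    f = parse_frame(raw, tpids=(TPID_8021Q,))
    if not f.tags:                       # untagged: PVID, unless only tagged is accepted
        return None if acceptable == "tagged" else pvid
    if acceptable == "untagged":
        return None
    vid = f.tags[0].vid
    # With ingress filtering off, a host can inject into any VLAN just by tagging.
    if ingress_filtering and vid not in members:
        return None
    return vid

def tunnel_ingress(raw: bytes, spvlan: int, tpid=TPID_LEGACY, pcp=0) -> bytes:
    """dot1q-tunnel port: push the SPVLAN tag in front of whatever the customer sent."""
    f = parse_frame(raw)
    return build_frame(Frame(f.dst, f.src, (Tag(tpid, pcp, spvlan),) + f.tags,
                             f.ethertype, f.payload))

def uplink_egress(raw: bytes, tagged_member: bool) -> bytes:
    """A tagged member of the SPVLAN forwards both tags; an untagged member
    strips the outer one, leaving the customer tag exposed to the next hop."""
    f = parse_frame(raw)
    if tagged_member or not f.tags:
        return raw
    return build_frame(Frame(f.dst, f.src, f.tags[1:], f.ethertype, f.payload))

def vids(raw: bytes, tpids=KNOWN_TPIDS) -> list:
    return [t.vid for t in parse_frame(raw, tpids).tags]

# Constructed sample: a customer frame tagged VLAN 100 with 802.1p priority 5.
CUSTOMER = build_frame(Frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("0200c0ffee01"),
                             (Tag(TPID_8021Q, 5, 100),), 0x0800, bytes(20)))
```

    Running tunnel_ingress(CUSTOMER, spvlan=500) and then uplink_egress(..., tagged_member=False) reproduces the case the configuration limitations warn about: once the outer tag is gone, the next switch reads the customer's VID 100 as one of its own VLANs.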
  • Page 212: Configuring Uplink And Downlink Ports

    VLAN Configuration Configuring Uplink and Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
  • Page 213: Configuring Protocol Groups

    Configuring Protocol-Based VLANs Command Usage To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 6). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2.
  • Page 214: Mapping Protocols To Vlans

    VLAN Configuration Mapping Protocols to VLANs Map a protocol group to a VLAN for each interface that will participate in the group. Command Usage • When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table (page 7) or VLAN Static Membership by Port menu (page 9), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 215 Configuring Protocol-Based VLANs CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3.
    Console(config)#interface ethernet 1/1
    Console(config-if)#protocol-vlan protocol-group 1 vlan 3
    Console(config-if)#
  • Page 217: Chapter 13: Class Of Service

    Chapter 13: Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 218: Figure 13-1 Default Port Priority

    Class of Service Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 13-1 Default Port Priority CLI – This example assigns a default priority of 5 to port 3.
    Console(config)#interface ethernet 1/3
    ...
  • Page 219: Mapping Cos Values To Egress Queues

    Layer 2 Queue Settings Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 220: Figure 13-2 Traffic Classes

    Class of Service Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 13-2 Traffic Classes CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
    Console(config)#interface ethernet 1/1
    ...
  • Page 221: Selecting The Queue Mode

    Layer 2 Queue Settings Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 222: Setting The Service Weight For Traffic Classes

    Class of Service Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3, the traffic classes are mapped to one of the eight egress queues provided for each port.
  • Page 223: Layer 3/4 Priority Settings

    Layer 3/4 Priority Settings CLI – The following example shows how to assign WRR weights to each of the priority queues.
    Console(config)#queue bandwidth 1 3 5 7 9 11 13 15
    Console(config)#exit
    Console#show queue bandwidth
    Information of Eth 1/1
    Queue ID Weight
    --------
    ...
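    To see what the two queue modes and the weights above mean for actual traffic, here is a small scheduler model. It is an added example, not code from the Edge-Core manual or its firmware, and the backlog counts are constructed input. It serves eight queues either strictly by priority or by WRR with the weights from the example. The strict case shows the failure mode a practitioner should keep in mind: traffic that arrives marked with CoS 7 on a port whose tags are trusted occupies every transmit slot while lower queues starve, whereas under WRR queue 0 still gets at least 1 slot in 64 with the weights shown.

```python
"""Model the two egress queue service modes the manual describes: strict
priority and Weighted Round Robin (WRR).

Added example, not from the Edge-Core manual or its firmware; a plain model
of the behaviour the text describes. Backlog counts are constructed input.
"""

# Weights from the manual's "queue bandwidth 1 3 5 7 9 11 13 15" example,
# queue 0 first. Higher queue numbers carry higher CoS values.
DEFAULT_WEIGHTS = (1, 3, 5, 7, 9, 11, 13, 15)

def schedule_strict(backlog, slots=None):
    """Serve the highest non-empty queue first, exhausting it before any
    lower queue gets a transmit slot.  `backlog` is packets waiting per
    queue; `slots` is how many packets the link can send (default: all).
    Returns packets sent per queue."""
    remaining = list(backlog)
    sent = [0] * len(remaining)
    budget = sum(remaining) if slots is None else slots
    for q in range(len(remaining) - 1, -1, -1):
        n = min(remaining[q], budget)
        sent[q] += n
        remaining[q] -= n
        budget -= n
        if budget == 0:
            break
    return sent

def schedule_wrr(backlog, weights=DEFAULT_WEIGHTS, slots=None):
    """Visit queues round-robin; in each round queue i may send up to
    weights[i] packets.  Empty queues are skipped, so their share is not
    wasted.  Returns packets sent per queue."""
    if len(backlog) != len(weights):
        raise ValueError("one weight per queue")
    if any(w < 1 for w in weights):
        raise ValueError("weights must be at least 1 or a queue can never drain")
    remaining = list(backlog)
    sent = [0] * len(remaining)
    budget = sum(remaining) if slots is None else slots
    while budget > 0 and any(remaining):
        for q, w in enumerate(weights):
            n = min(w, remaining[q], budget)
            sent[q] += n
            remaining[q] -= n
            budget -= n
            if budget == 0:
                break
    return sent

def wrr_share(weights=DEFAULT_WEIGHTS):
    """Long-run fraction of the link each queue gets when every queue is saturated."""
    total = sum(weights)
    return [w / total for w in weights]

if __name__ == "__main__":
    saturated = [100] * 8          # every queue has traffic waiting
    print("strict, 64 slots:", schedule_strict(saturated, slots=64))
    print("WRR,    64 slots:", schedule_wrr(saturated, slots=64))
    print("WRR shares:", [round(s, 3) for s in wrr_share()])
```

    With all eight queues saturated and 64 transmit slots, strict mode sends 64 packets from queue 7 and nothing else, while WRR sends exactly one packet per unit of weight (1, 3, 5, ... 15), which is why the weights in the example sum to 64.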
  • Page 224: Mapping Ip Precedence

    Class of Service Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the drop-down menu, then click Apply. Figure 13-5 IP Precedence/DSCP Priority Status CLI – The following example enables IP Precedence service on the switch.
    Console(config)#map ip precedence
    Console(config)#
    ...
  • Page 225: Figure 13-6 Ip Precedence Priority

    Layer 3/4 Priority Settings Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply. Figure 13-6 IP Precedence Priority CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
  • Page 226: Mapping Dscp Priority

    Class of Service Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices, will not conflict with the DSCP mapping.
  • Page 227: Mapping Ip Port Priority

    Layer 3/4 Priority Settings CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 1 to CoS value 0 (on port 1), and then displays the DSCP Priority settings.
    Console(config)#map ip dscp
    Console(config)#interface ethernet 1/1
    Console(config-if)#map ip dscp 1 cos 0
    ...
  • Page 228: Figure 13-9 Ip Port Priority

    Class of Service Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply. Figure 13-9 IP Port Priority CLI –...
  • Page 229: Chapter 14: Quality Of Service

    Chapter 14: Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
  • Page 230: Configuring A Class Map

    Quality of Service 6. Use the “Service Policy” to assign a policy map to a specific interface. Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class.
  • Page 231 Configuring Quality of Service Parameters Match Class Settings • Class Name – List of class maps. • ACL List – Name of an access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters) •...
  • Page 232: Figure 14-1 Configuring Class Maps

    Quality of Service Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 14-1 Configuring Class Maps CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
  • Page 233: Creating Qos Policies

    Configuring Quality of Service Parameters Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 14-2. - Open the Policy Map page, and click Add Policy.
  • Page 234 Quality of Service Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 14-2).
  • Page 235: Figure 14-2 Configuring Policy Maps

    Configuring Quality of Service Parameters Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 14-2 Configuring Policy Maps 14-7...
  • Page 236: Attaching A Policy Map To Ingress Queues

    Quality of Service CLI – This example creates a policy map called “rd_policy#3,” attaches the class “rd_class#3,” sets the average rate to 1 Mbps with a burst size of 1522 bytes, and sets the exceed action to rewrite the DSCP value of violating packets to 0.
    Console(config)#policy-map rd_policy#3
    Console(config-pmap)#class rd_class#3
    ...
  • Page 237: Chapter 15: Multicast Filtering

    Chapter 15: Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router. [Figure: unicast flow compared with multicast flow]
  • Page 238: Layer 2 Igmp (Snooping And Query)

    Multicast Filtering Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and IGMP Query (page 15-3) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
  • Page 239: Configuring Igmp Snooping And Query Parameters

    Layer 2 IGMP (Snooping and Query) Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 15-8). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently.
  • Page 240: Figure 15-1 Igmp Configuration

    Multicast Filtering • IGMP Query Timeout — The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired. (Range: 300-500 seconds, Default: 300) •...
  • Page 241: Displaying Interfaces Attached To A Multicast Router

    Layer 2 IGMP (Snooping and Query) Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet.
  • Page 242: Specifying Static Interfaces For A Multicast Router

    Multicast Filtering Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 243: Displaying Port Members Of Multicast Services

    Layer 2 IGMP (Snooping and Query) Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attribute • VLAN ID – Selects the VLAN for which to display port members. •...
  • Page 244: Assigning Ports To Multicast Services

    Multicast Filtering Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 15-3. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
  • Page 245: Multicast Vlan Registration

    Multicast VLAN Registration Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
  • Page 246: Configuring Global Mvr Settings

    Multicast Filtering Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
  • Page 247: Displaying Mvr Interface Status

    Multicast VLAN Registration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
    Console(config)#ip igmp snooping
    Console(config)#mvr
    Console(config)#mvr group 228.1.23.1 10
    Console(config)#
    Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes •...
  • Page 248: Configuring Mvr Interface Status

    Multicast Filtering Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
  • Page 249: Figure 15-8 Mvr Port Configuration

    Multicast VLAN Registration Web – Click MVR, Port Configuration or Trunk Configuration. Figure 15-8 MVR Port Configuration CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
    Console(config)#interface ethernet 1/1
    Console(config-if)#mvr type source
    Console(config-if)#exit
    ...
  • Page 250: Displaying Port Members Of Multicast Groups

    Multicast Filtering Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. • Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
  • Page 251: Assigning Static Multicast Groups To Interfaces

    Multicast VLAN Registration Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
  • Page 253: Chapter 16: Domain Name Service

    Chapter 16: Domain Name Service The Domain Name System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 254: Figure 16-1 Dns General Configuration

    Domain Name Service Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use to use for address resolution, enable domain lookup status, and click Apply. Figure 16-1 DNS General Configuration CLI - This example sets a default domain name and a domain list.
  • Page 255: Configuring Static Dns Host To Address Entries

    Configuring Static DNS Host to Address Entries Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
  • Page 256: Figure 16-2 Dns Static Host Table

    Domain Name Service Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 16-2 DNS Static Host Table CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
  • Page 257: Displaying The Dns Cache

    Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4,” indicating a cache entry learned from a name server rather than a static host-table entry; such entries can expire or change and therefore should not be relied on in the way a static entry can. •...
  • Page 258 Domain Name Service CLI - This example displays all the resource records learned from the designated name servers.
    Console#show dns cache
    FLAG TYPE  IP              DOMAIN
         CNAME 207.46.134.222  www.microsoft.akadns.net
         CNAME 207.46.134.190  www.microsoft.akadns.net
         CNAME 207.46.134.155  www.microsoft.akadns.net
         CNAME 207.46.249.222  www.microsoft.akadns.net
         CNAME 207.46.249.27   www.microsoft.akadns.net
         ALIAS POINTER TO:4    www.microsoft.com
    ...
  • Page 259: Section Iii:command Line Interface

    Section III:Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. Overview of Command Line Interface ......17-1 General Commands .
  • Page 261: Chapter 17: Overview Of Command Line Interface

    Chapter 17: Overview of Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 262 Overview of Command Line Interface Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet.
  • Page 263: Entering Commands

    Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 264: Showing Commands

    Overview of Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
  • Page 265: Partial Keyword Lookup

    Entering Commands The command “show interfaces ?” will display the following information:
    Console#show interfaces ?
      counters       Information of interfaces counters
      protocol-vlan  Protocol-vlan information
      status         Information of interfaces status
      switchport     Information of interfaces switchport
    Console#
    Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 266: Understanding Command Modes

    Overview of Command Line Interface Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions.
  • Page 267: Configuration Commands

    Entering Commands Username: guest Password: [guest login password] CLI session with the Layer 2 Ethernet Metro Access Switch is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings.
  • Page 268: Table 17-2 Configuration Command Modes

    Overview of Command Line Interface To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 17-2 Configuration Command Modes Mode Command Prompt Page Line...
  • Page 269: Command Line Processing

    Entering Commands Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 270: Command Groups

    Overview of Command Line Interface Command Groups The system commands can be broken down into the functional groups shown below. Table 17-4 Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the 18-1 system, or quitting the CLI System Management Display and setting of system information, basic modes of operation,...
  • Page 271 Command Groups The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) LC (Line Configuration) CM (Class Map Configuration) MST (Multiple Spanning Tree) NE (Normal Exec) PE (Privileged Exec) GC (Global Configuration) PM (Policy Map Configuration) IC (Interface Configuration) VC (VLAN Database Configuration)
  • Page 273: Chapter 18: General Commands

    Chapter 18: General Commands These commands are used to control the command access mode, configuration mode, and other basic functions. Table 18-1 General Commands Command Function Mode Page enable Activates privileged mode 18-1 disable Returns to normal mode from privileged mode 18-2 configure Activates global configuration mode...
  • Page 274: Disable

    General Commands • The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (18-2) enable password (21-3) disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics.
  • Page 275: Show History

    show history Example Console#configure Console(config)# Related Commands end (18-4) show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
  • Page 276: Reload

    General Commands reload This command restarts the system. Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command. Default Setting None Command Mode Privileged Exec...
  • Page 277: Exit

    exit Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: Console(config-if)#end Console# exit This command returns to the previous configuration mode or exits the configuration program.
  • Page 278 General Commands Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification Username: 18-6...
  • Page 279: Chapter 19: System Management Commands

    Chapter 19: System Management Commands These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 19-1 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 19-1 System Status Displays system configuration, active managers, and version information...
  • Page 280: System Status Commands

    System Management Commands Example Console(config)#hostname RD#1 Console(config)# System Status Commands This section describes commands used to display system information. Table 19-3 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash 19-2 memory) that is used to start up the system show running-config...
  • Page 281: Related Commands

    System Status Commands - IP address - Layer 4 precedence settings - Spanning tree settings - Any configured settings for the console port and Telnet Example Console#show startup-config building startup-config, please wait..!<stackingDB>00</stackingDB> !<stackingMac>01_00-12-cf-21-dc-e0_01</stackingMac> phymap 00-12-cf-21-dc-e0 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 snmp-server community public ro snmp-server community private rw! username admin access-level 15...
  • Page 282: Show Running-Config

    System Management Commands show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 283 System Status Commands Example Console#show running-config building running-config, please wait..!<stackingDB>00</stackingDB> !<stackingMac>01_00-12-cf-21-dc-e0_01</stackingMac> phymap 00-12-cf-21-dc-e0 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 snmp-server community private rw snmp-server community public ro username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database...
  • Page 284: Show System

    System Management Commands show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 4-1. •...
  • Page 285: Show Users

    System Status Commands show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 286: System Mode Commands

    System Management Commands Example Console#show version Unit 1 Serial Number: 0000E8900000 Hardware Version: EPLD Version: 0.01 Number of Ports: Agent (Master) Unit ID: Loader Version: 1.0.0.1 Boot ROM Version: 1.0.0.7 Operation Code Version: 1.0.1.7 Console# System Mode Commands This section describes the commands used to configure the switch to operate in normal mode or QinQ mode.
  • Page 287: Show System Mode

    System MTU Commands Example Console(config)#system mode qinq Console(config)# Related Commands show system mode (19-9) show system mode This command displays the switch system mode. Command Mode Privileged Exec Command Usage The system mode displays as QinQ or Normal mode. Example Console(config)#system mode qinq Console(config)#end Console#show system mode...
  • Page 288: Jumbo Frame

    System Management Commands jumbo frame This command enables support for extended frame sizes on Fast Ethernet and Gigabit Ethernet ports. Use the no form to disable it. Syntax [no] jumbo frame Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 289: System Mtu

    System MTU Commands system mtu This command sets the maximum transfer unit for traffic crossing the switch. Use the no form to restore the default settings. Syntax system mtu {FE-size | jumbo GE-size} no system mtu • FE-size - Specifies the MTU size for Fast Ethernet ports. (Range: 1500-1546 bytes) •...
  • Page 290: File Management Commands

    System Management Commands Example Console#show system mtu System MTU size is 1500 bytes System Jumbo MTU size is 1500 bytes Console# File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 291: Copy

    File Management Commands copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 292 System Management Commands • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate”...
  • Page 293: Delete

    File Management Commands The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 294: Dir

    System Management Commands Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands...
  • Page 295: Whichboot

    File Management Commands Example The following example shows how to display all file information: Console#dir File name File type Startup Size (byte) ------------------------------------- -------------- ------- ----------- Unit1: D1.0.0.7.bix Boot-Rom Image 1159752 V1.0.1.7.bix Operation Code 3542608 Factory_Default_Config.cfg Config File startup1.cfg Config File 3256 --------------------------------------------------------------------------- Total free space:...
  • Page 296 System Management Commands Default Setting None Command Mode Global Configuration Command Usage • If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (19-16) whichboot (19-17) 19-18...
  • Page 297: Line Commands

    Line Commands Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 19-8 Line Commands Command Function...
  • Page 298: Login

    System Management Commands Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections. Example To enter console line mode, enter the following command: Console(config)#line console Console(config-line)# Related Commands...
  • Page 299: Password

    Line Commands Example Console(config-line)#login local Console(config-line)# Related Commands username (21-2) password (19-21) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 300: Timeout Login Response

    System Management Commands timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
  • Page 301: Password-Thresh

    Line Commands Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. • The timeout for Telnet cannot be disabled. •...
  • Page 302: Silent-Time

    System Management Commands silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 303: Parity

    Line Commands Example To specify 7 data bits, enter this command: Console(config-line)#databits 7 Console(config-line)# Related Commands parity (19-25) parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity •...
  • Page 304: Stopbits

    System Management Commands Default Setting auto Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
  • Page 305: Show Line

    Line Commands Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (21-22) show users (19-7) show line This command displays the terminal line’s parameters.
  • Page 306: Event Logging Commands

    System Management Commands Event Logging Commands This section describes commands used to configure event logging on the switch. Table 19-9 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 19-28 logging history Limits syslog messages saved to switch memory based on 19-29 severity logging host...
  • Page 307: Logging History

    Event Logging Commands logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 308: Logging Host

    System Management Commands logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 309: Logging Trap

    Event Logging Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 310: Show Logging

    System Management Commands Related Commands show log (19-33) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
  • Page 311: Show Log

    Event Logging Commands The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
  • Page 312: Smtp Alert Commands

    System Management Commands Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...
  • Page 313: Logging Sendmail Level

    SMTP Alert Commands • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection. • To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command.
  • Page 314: Logging Sendmail Destination-Email

    System Management Commands Default Setting None Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages.
  • Page 315: Show Logging Sendmail

    Time Commands Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP minimum severity level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com...
  • Page 316 System Management Commands sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests. Syntax [no] sntp client Default Setting Disabled Command Mode Global Configuration...
  • Page 317: Time Commands

    Time Commands sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
  • Page 318: Show Sntp

    System Management Commands Example Console(config)#sntp poll 60 Console# Related Commands sntp client (19-38) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 319: Calendar Set

    Time Commands Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 320: Show Calendar

    System Management Commands show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show calendar 15:12:34 February 1 2002 Console# 19-42...
  • Page 321: Chapter 20: Snmp Commands

    Chapter 20: SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 322: Snmp-Server

    SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications.
  • Page 323: Snmp-Server Community

    snmp-server community Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables...
  • Page 324: Snmp-Server Contact

    SNMP Commands • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information.
  • Page 325: Snmp-Server Host

    snmp-server host Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (20-4) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}...
  • Page 326 SNMP Commands • SNMP Version: 1 • UDP Port: 162 Command Mode Global Configuration Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
  • Page 327: Snmp-Server Enable Traps

    snmp-server enable traps supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications. • If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.
  • Page 328: Snmp-Server Engine-Id

    SNMP Commands conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 20-11). Example Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands snmp-server host (20-5) snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
  • Page 329: Show Snmp Engine-Id

    show snmp engine-id • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 20-14).
  • Page 330: Snmp-Server View

    SNMP Commands snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
  • Page 331: Show Snmp View

    show snmp view show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile...
  • Page 332: Show Snmp Group

    SNMP Commands Default Setting • Default groups: public (read only), private (read/write) • readview - Every object belonging to the Internet OID space (1.3.6.1). • writeview - Nothing is defined. • notifyview - Nothing is defined. Command Mode Global Configuration Command Usage •...
  • Page 333: Table 20-4 Show Snmp Group - Display Description

    show snmp group Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v2c...
  • Page 334: Snmp-Server User

    SNMP Commands snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]] no snmp-server user username {v1 | v2c | v3 | remote} •...
  • Page 335: Show Snmp User

    show snmp user need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)# show snmp user...
  • Page 337: Chapter 21: User Authentication Commands

    Chapter 21: User Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 338: Username

    User Authentication Commands username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
  • Page 339: Enable Password

    User Account Commands enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 340: Authentication Sequence

    User Authentication Commands Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 21-4 Authentication Sequence Commands Command Function Mode...
  • Page 341: Authentication Enable

    Authentication Sequence Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (21-2) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 18-1).
  • Page 342: Radius Client

    User Authentication Commands RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 343: Radius-Server Port

    RADIUS Client Example Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green Console(config)# radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages.
  • Page 344: Radius-Server Retransmit

    User Authentication Commands radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1 - 30) Default Setting Command Mode Global Configuration...
  • Page 345: Tacacs+ Client

    TACACS+ Client Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: 1812 Retransmit times: Request timeout: Server 1: Server IP address: 192.168.1.1 Communication key with RADIUS server: ***** Server port number: 1812 Retransmit times: 2 Request timeout: 5 Console#...
  • Page 346: Tacacs-Server Port

    User Authentication Commands Command Mode Global Configuration Example Console(config)#tacacs-server host 192.168.1.25 Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages.
  • Page 347: Show Tacacs-Server

    Web Server Commands show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS server configuration: Server IP address: 10.11.12.13 Communication key with TACACS server: ***** Server port number: Console# Web Server Commands This section describes commands used to configure web browser management...
  • Page 348: Ip Http Server

    User Authentication Commands Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (21-12) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled...
  • Page 349: Ip Http Secure-Port

    Web Server Commands • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
  • Page 350: Telnet Server Commands

    User Authentication Commands • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000 Console(config)# Related Commands ip http secure-server (21-12) Telnet Server Commands This section describes commands used to configure Telnet management access to the switch.
  • Page 351: Secure Shell Commands

    Secure Shell Commands This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0 clients.
  • Page 352 User Authentication Commands To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 353: Ip Ssh Server

    Secure Shell Commands stored on the switch can access it. The following exchanges take place during this process: Authenticating SSH v1.5 Clients a. The client sends its RSA public key to the switch. b. The switch compares the client's public key to those stored in memory. c.
  • Page 354: Ip Ssh Timeout

    User Authentication Commands Example Console#ip ssh crypto host-key generate dsa Console#configure Console(config)#ip ssh server Console(config)# Related Commands ip ssh crypto host-key generate (21-20) show ssh (21-22) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting.
  • Page 355: Ip Ssh Authentication-Retries

    Secure Shell Commands ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
  • Page 356: Delete Public-Key

    User Authentication Commands delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
  • Page 357: Ip Ssh Crypto Zeroize

    Secure Shell Commands Related Commands ip ssh crypto zeroize (21-21) ip ssh save host-key (21-21) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
  • Page 358: Show Ip Ssh

    User Authentication Commands Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (21-20) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 2.0...
  • Page 359: Show Public-Key

    Secure Shell Commands Table 21-11 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
  • Page 360: 802.1X Port Authentication

    User Authentication Commands Example Console#show public-key host Host: RSA: 1024 65537 13236940658254764031382795526536375927835525327972629521130241 0719421061655759424590939236096954050362775257556251003866130989393834523 1033280214988866192159556859887989191950588394018138744046890877916030583 7768185490002831341625008348718449522087429212255691665655296328163516964 0408315547660664151657116381 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjw bvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 Console# 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication.
  • Page 361: Dot1X System-Auth-Control

    802.1X Port Authentication dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
  • Page 362: Dot1X Port-Control

    User Authentication Commands dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control • auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 363: Dot1X Re-Authenticate

    802.1X Port Authentication Command Usage • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-105). • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
  • Page 364: Dot1X Timeout Quiet-Period

    User Authentication Commands Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked. •...
  • Page 365: Dot1X Timeout Tx-Period

    802.1X Port Authentication Default 3600 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
  • Page 366 User Authentication Commands Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: - Status –...
  • Page 367 802.1X Port Authentication • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initialize). - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 368 User Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 1/47 disabled Single-Host ForceAuthorized 1/48 enabled Single-Host Auto 802.1X Port Details 802.1X is enabled on port 1/1 802.1X is enabled on port 26 reauth-enabled: Enable...
  • Page 369: Management Ip Filter Commands

    Management IP Filter Commands Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 21-13 Management IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access 21-33 show management Displays the client IP addresses that are allowed management access to the switch 21-34...
  • Page 370: Show Management

    User Authentication Commands Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
  • Page 371: Chapter 22: Client Security Commands

    Chapter 22: Client Security Commands This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 372: Port Security

    Client Security Commands port security This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses.
  • Page 373: Ip Source Guard Commands

    IP Source Guard Commands Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands shutdown (24-6) mac-address-table static (28-1) IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and...
  • Page 374 Client Security Commands Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecured port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. •...
  • Page 375: Ip Source-Guard Binding

    IP Source Guard Commands Example This example enables IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# Related Commands ip source-guard binding (22-5) ip dhcp snooping (22-7) ip dhcp snooping vlan (22-9) ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
  • Page 376: Show Ip Source-Guard

    Client Security Commands - If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. - If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
  • Page 377: Dhcp Snooping Commands

    DHCP Snooping Commands DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
  • Page 378 Client Security Commands • When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping, and static entries configured in the DHCP snooping table. • Table entries are only learned for untrusted interfaces. Each entry includes a MAC address, IP address, lease time, entry type (Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 379: Ip Dhcp Snooping Vlan

    DHCP Snooping Commands Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (22-9) ip dhcp snooping trust (22-12) ip dhcp snooping binding (22-10) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
  • Page 380: Ip Dhcp Snooping Binding

    Client Security Commands Related Commands ip dhcp snooping (22-7) ip dhcp snooping trust (22-12) ip dhcp snooping binding (22-10) ip dhcp snooping binding This command adds a static address to the DHCP snooping binding table. Use the no form to remove an entry from the binding table. Syntax ip dhcp snooping binding mac-address vlan vlan-id ip-address interface ethernet unit/port lease-time...
  • Page 381: Ip Dhcp Snooping Verify Mac-Address

    DHCP Snooping Commands - If there is a binding with same VLAN ID and MAC address, and the entry type is static IP source guard binding, static DHCP snooping binding, or dynamic DHCP snooping binding, the new entry will replace the old one. •...
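The binding-table replacement rules given for ip source-guard binding and ip dhcp snooping binding above, together with the ip source-guard sip filter and the ip dhcp snooping verify mac-address check, as an added Python model. This is not code from the Edge-Core manual or the switch firmware; the CLI itself cannot be run here. Assumptions, marked in the code: a dynamically learned entry never overwrites a static one, a static source-guard binding does not displace an existing static DHCP binding (the page does not show that case), the optional MAC check stands in for the stricter sip-mac mode that this page does not show, and the sample DHCP events are constructed.

```python
"""Model of the ES3528 DHCP snooping / IP source guard binding table.
Added example, not from the Edge-Core manual; assumptions are marked."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

STATIC_ISG = "Static-IP-Source-Guard-Binding"
STATIC_DHCP = "Static-DHCP-Binding"
DYNAMIC_DHCP = "Dynamic-DHCP-Binding"


@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str                          # e.g. "eth 1/5"
    entry_type: str
    lease_time: Optional[int] = None   # DHCP entries carry a lease, per the manual


class BindingTable:
    """Table shared by DHCP snooping and IP source guard, keyed by (VLAN, MAC),
    which is the key the manual's replacement rules use."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[int, str], Binding] = {}
        self.trusted_ports: Set[str] = set()   # 'ip dhcp snooping trust' ports

    @staticmethod
    def _key(vlan: int, mac: str) -> Tuple[int, str]:
        return (vlan, mac.lower())

    def lookup(self, vlan: int, mac: str) -> Optional[Binding]:
        return self._entries.get(self._key(vlan, mac))

    def learn_dhcp(self, mac: str, vlan: int, ip: str, port: str, lease_time: int) -> bool:
        """Dynamic entry learned from a snooped DHCP ACK. Manual: entries are only
        learned on untrusted interfaces. Assumption: a dynamic entry never
        overwrites a static one (so a client cannot talk its way past a static binding)."""
        if port in self.trusted_ports:
            return False
        old = self.lookup(vlan, mac)
        if old is not None and old.entry_type != DYNAMIC_DHCP:
            return False
        self._entries[self._key(vlan, mac)] = Binding(mac.lower(), vlan, ip, port, DYNAMIC_DHCP, lease_time)
        return True

    def add_source_guard_static(self, mac: str, vlan: int, ip: str, port: str) -> bool:
        """'ip source-guard binding': replaces an existing static source-guard entry,
        or a dynamic DHCP snooping entry, whose type then becomes static source guard.
        Assumption: an existing static DHCP binding is left alone (case not shown on the page)."""
        old = self.lookup(vlan, mac)
        if old is not None and old.entry_type == STATIC_DHCP:
            return False
        self._entries[self._key(vlan, mac)] = Binding(mac.lower(), vlan, ip, port, STATIC_ISG)
        return True

    def add_dhcp_snooping_static(self, mac: str, vlan: int, ip: str, port: str, lease_time: int) -> bool:
        """'ip dhcp snooping binding': replaces an entry of any of the three types
        that has the same VLAN ID and MAC address."""
        self._entries[self._key(vlan, mac)] = Binding(mac.lower(), vlan, ip, port, STATIC_DHCP, lease_time)
        return True

    def source_guard_permits(self, port: str, vlan: int, src_ip: str, src_mac: Optional[str] = None) -> bool:
        """'ip source-guard sip' on an untrusted port: forward only if a binding on this
        port and VLAN carries the packet's source IP. Passing src_mac also requires the
        MAC to match (assumed behaviour of the stricter sip-mac mode, not shown here)."""
        for b in self._entries.values():
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                if src_mac is None or b.mac == src_mac.lower():
                    return True
        return False


def dhcp_chaddr_matches(frame_src_mac: str, dhcp_chaddr: str) -> bool:
    """'ip dhcp snooping verify mac-address': the client hardware address inside the
    DHCP payload must equal the Ethernet source MAC, else the request is dropped."""
    return frame_src_mac.lower() == dhcp_chaddr.lower()


def demo() -> Tuple[str, str, bool, bool]:
    """Constructed sample events: a client leases an address, the operator then pins
    it with a static source-guard binding, and a spoofed source IP is filtered."""
    t = BindingTable()
    t.trusted_ports.add("eth 1/25")   # uplink towards the legitimate DHCP server
    t.learn_dhcp("00-11-22-33-44-55", 1, "192.168.1.50", "eth 1/5", 86400)
    before = t.lookup(1, "00-11-22-33-44-55").entry_type
    t.add_source_guard_static("00-11-22-33-44-55", 1, "192.168.1.50", "eth 1/5")
    after = t.lookup(1, "00-11-22-33-44-55").entry_type
    spoof_blocked = not t.source_guard_permits("eth 1/5", 1, "192.168.1.1")
    legit_passes = t.source_guard_permits("eth 1/5", 1, "192.168.1.50")
    return before, after, spoof_blocked, legit_passes


if __name__ == "__main__":
    print(demo())   # ('Dynamic-DHCP-Binding', 'Static-IP-Source-Guard-Binding', True, True)
```

The type flip from dynamic to static in demo() is the point the manual makes: once an operator pins a (VLAN, MAC) pair with ip source-guard binding, a later DHCP exchange on that port can no longer move the address, so the filter on the untrusted port stays anchored to the configured IP.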
  • Page 382: Ip Dhcp Snooping Database Flash

    Client Security Commands ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
  • Page 383: Show Ip Dhcp Snooping

    DHCP Snooping Commands Example This example sets port 5 to untrusted. Console(config)#interface ethernet 1/5 Console(config-if)#no ip dhcp snooping trust Console(config-if)# Related Commands ip dhcp snooping (22-7) ip dhcp snooping vlan (22-9) ip dhcp snooping binding (22-10) show ip dhcp snooping This command shows the DHCP snooping configuration settings.
  • Page 385: Chapter 23: Access Control List Commands

    Chapter 23: Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 386: Access-List Ip

    Access Control List Commands access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name •...
  • Page 387: Permit, Deny (Extended Acl)

    IP ACLs Default Setting None Command Mode Standard IP ACL Command Usage • New rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 388 Access Control List Commands • precedence – IP precedence level. (Range: 0-7) • tos – Type of Service level. (Range: 0-15) • dscp – DSCP priority level. (Range: 0-63) • sport – Protocol source port number. (Range: 0-65535) • dport – Protocol destination port number.
  • Page 389: Show Ip Access-List

    IP ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.0 to any destination...
  • Page 390: Access-List Ip Mask-Precedence

    Access Control List Commands access-list ip mask-precedence This command changes to the IP Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list ip mask-precedence {in | out} • in – Ingress mask for ingress ACLs. •...
  • Page 391 IP ACLs • destination-bitmask – Destination address of rule must match this bitmask. • precedence – Check the IP precedence field. • tos – Check the TOS field. • dscp – Check the DSCP field. • source-port – Check the protocol source port field. •...
  • Page 392 Access Control List Commands This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any”...
  • Page 393 IP ACLs This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23. Console(config)#access-list ip extended A3 Console(config-ext-acl)#deny host 171.69.198.5 any Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port 23 Console(config-ext-acl)#end Console#show access-list IP extended access-list A3:...
  • Page 394: Show Access-List Ip Mask-Precedence

    Access Control List Commands This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
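The address-bitmask and mask-precedence behaviour described in the IP ACL entries above, as an added Python model. It is not code from the Edge-Core manual or the switch firmware; the CLI cannot be run here, so the model reproduces the two points the text makes: a 1 bit in an address bitmask means "this bit must match" (the reverse of a Cisco wildcard mask, where 1 means ignore), and when an ingress mask table exists the rules are checked in mask order rather than entry order. The companion rule `permit 10.1.1.0 255.255.255.0 any`, the test for whether a mask "claims" a rule, and the placement of rules no mask claims are assumptions, not taken from the page.

```python
"""Model of ES3528 IP ACL bitmask matching and mask-precedence ordering.
Added example, not from the Edge-Core manual; assumptions are marked."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MASK = "0.0.0.0"            # 'any'  -> no address bits are checked
HOST_MASK = "255.255.255.255"   # 'host' -> all 32 bits are checked


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def masked_match(pkt_addr: str, rule_addr: str, bitmask: str) -> bool:
    """A 1 bit in the bitmask means that bit must match. This is the opposite of
    a Cisco wildcard mask, a common source of inverted ACLs when migrating."""
    m = _ip(bitmask)
    return (_ip(pkt_addr) & m) == (_ip(rule_addr) & m)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str
    src_mask: str
    dst: str = "0.0.0.0"
    dst_mask: str = ANY_MASK    # default destination is 'any'

    def matches(self, src: str, dst: str) -> bool:
        return (masked_match(src, self.src, self.src_mask)
                and masked_match(dst, self.dst, self.dst_mask))


@dataclass(frozen=True)
class Mask:
    """One entry of the ingress mask table, e.g. 'mask host any'."""
    src_mask: str
    dst_mask: str

    def claims(self, rule: Rule) -> bool:
        # Assumption: a mask claims a rule when the rule specifies at least the
        # address bits the mask checks (a /32 'host' rule fits 'host any'; a /24
        # rule does not). Note the parentheses: '&' binds looser than '==' in Python.
        return ((_ip(rule.src_mask) & _ip(self.src_mask)) == _ip(self.src_mask)
                and (_ip(rule.dst_mask) & _ip(self.dst_mask)) == _ip(self.dst_mask))


def precedence_order(rules: List[Rule], masks: List[Mask]) -> List[Rule]:
    """Rules are checked in mask-table order, not entry order: the first mask that
    claims a rule sets its rank, ties keep entry order. Assumption: rules that no
    mask claims sort last, still in entry order."""
    def rank(item: Tuple[int, Rule]) -> Tuple[int, int]:
        idx, rule = item
        for mi, mask in enumerate(masks):
            if mask.claims(rule):
                return (mi, idx)
        return (len(masks), idx)
    return [r for _, r in sorted(enumerate(rules), key=rank)]


def evaluate(rules: List[Rule], masks: List[Mask], src: str, dst: str) -> Optional[str]:
    """Action of the first rule, in precedence order, that matches the packet;
    None if nothing matched (the switch's default for an unmatched packet is
    not modelled here)."""
    for rule in precedence_order(rules, masks):
        if rule.matches(src, dst):
            return rule.action
    return None


# Reconstruction of the manual's precedence example. The permit is entered first,
# but 'mask host any' ranks the host-specific deny ahead of it. The /24 permit
# rule is an assumption; the page only shows the deny.
ACL = [
    Rule("permit", "10.1.1.0", "255.255.255.0"),
    Rule("deny", "10.1.1.1", HOST_MASK),
]
MASK_HOST_ANY = [Mask(HOST_MASK, ANY_MASK)]


if __name__ == "__main__":
    print(masked_match("10.7.1.2", "10.7.1.1", "255.255.255.0"))   # True
    print(evaluate(ACL, [], "10.1.1.1", "192.0.2.9"))             # permit
    print(evaluate(ACL, MASK_HOST_ANY, "10.1.1.1", "192.0.2.9"))  # deny
```

The first call reproduces the 10.7.1.x example from the permit, deny (Extended ACL) entry: the rule address 10.7.1.1 and the packet address 10.7.1.2 agree on every bit the mask marks, so the rule fires. The second and third calls show why the manual tells you to read the active rule order from show access-list after binding: with an empty mask table the permit entered first wins, with mask host any the same ACL drops 10.1.1.1.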
  • Page 395: Ip Access-Group

    IP ACLs Related Commands mask (IP ACL) (23-6) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) •...
  • Page 396: Mac Acls

    Access Control List Commands MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, set a precedence mask to control the filter sequence, and then bind the access list to one or more ports. Table 23-3 MAC ACL Commands Command...
  • Page 397: Permit, Deny (Mac Acl)

    MAC ACLs Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (23-13) mac access-group (23-18) show mac access-list (23-14) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 398: Show Mac Access-List

    Access Control List Commands • address-bitmask – Bitmask for MAC address (in hexadecimal format). • vid – VLAN ID. (Range: 1-4093) • vid-bitmask – VLAN bitmask. (Range: 1-4093) • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask –...
  • Page 399: Access-List Mac Mask-Precedence

    MAC ACLs Related Commands permit, deny (23-13) mac access-group (23-18) access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list mac mask-precedence {in | out} •...
  • Page 400: Default Setting

    Access Control List Commands • host – The address must be for a single node. • source-bitmask – Source address of rule must match this bitmask. • destination-bitmask – Destination address of rule must match this bitmask. • vid – Check the VLAN ID field. •...
  • Page 401: Show Access-List Mac Mask-Precedence

    MAC ACLs This example creates an Egress MAC ACL. Console(config)#access-list mac M5 Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806 Console(config-mac-acl)#end Console#show access-list MAC access-list M5: deny tagged-802.3 host 00-11-11-11-11-11 any deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 ethertype 0806 Console(config)#access-list mac mask-precedence out Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid Console(config-mac-mask-acl)#exit...
  • Page 402: Mac Access-Group

    Access Control List Commands mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
  • Page 403: Acl Information

    ACL Information ACL Information This section describes commands used to display ACL information. Table 23-4 ACL Information Commands Command Function Mode Page show access-list Show all IP ACLs and associated rules 23-19 show access-group Shows the IP ACLs assigned to each port 23-19 show access-list This command shows all IP ACLs and associated rules.
  • Page 405 Chapter 24: Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 24-1 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 24-1 mode description Adds a description to an interface configuration...
  • Page 406: Chapter 24: Interface Commands

    Interface Commands Command Mode Global Configuration Example To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 407: Negotiation

    negotiation Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is: - Fast Ethernet ports – 100full (100 Mbps full-duplex) - Gigabit Ethernet ports – 1000full (1 Gbps full-duplex) Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 408: Capabilities

    Interface Commands Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. •...
  • Page 409: Flowcontrol

    flowcontrol Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to 100half and 100full.
  • Page 410: Media-Type

    Interface Commands Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (24-3) capabilities (flowcontrol, symmetric) (24-4) media-type This command forces the port type selected for combination ports 27-28. Use the no form to restore the default mode.
  • Page 411: Switchport Packet-Rate

    switchport packet-rate Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also want to disable a port for security reasons. Example The following example disables port 5.
  • Page 412: Switchport Block

    Interface Commands switchport block This command prevents flooding of unknown unicast or multicast packets to an interface. Use the no form to restore the default setting. Syntax [no] switchport block {unicast | multicast} • unicast - Specifies unknown unicast packets. •...
  • Page 413: Show Interfaces Status

    show interfaces status Command Usage Statistics are only reinitialized by a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 414: Show Interfaces Counters

    Interface Commands Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: 1000T Mac address: 00-30-F1-D4-73-A5 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, 1000full Broadcast storm: Enabled Broadcast storm limit: 500 packets/second Flow control: Disabled LACP:...
  • Page 415: Show Interfaces Switchport

    show interfaces switchport Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1...
  • Page 416: Table 24-2 Show Interfaces Switchport - Display Description

    Interface Commands Example This example shows the configuration setting for port 4. Console#show interfaces switchport ethernet 1/4 Broadcast Threshold: Enabled, 500 packets/second Multicast Threshold: Disabled LACP Status: Disabled Ingress Rate Limit: Disable, 1000M bits per second Egress Rate Limit: Disable, 1000M bits per second VLAN Membership Mode: Hybrid Ingress Rule:...
  • Page 417 Chapter 25: Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 418: Chapter 25: Link Aggregation Commands

    Link Aggregation Commands Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. • Ports must have the same port admin key (Ethernet Interface). •...
  • Page 419 lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
  • Page 420: Lacp System-Priority

    Link Aggregation Commands lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. •...
  • Page 421: Lacp Admin-Key (Port Channel)

    lacp admin-key (Port Channel) Default Setting Command Mode Interface Configuration (Ethernet) Command Usage • Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 422: Lacp Port-Priority

    Link Aggregation Commands • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
  • Page 423: Show Lacp

    show lacp show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channel - Local identifier for a link aggregation group. (Range: 1-32) • counters - Statistics for LACP protocol messages. •...
  • Page 424: Table 25-3 Show Lacp Internal - Display Description

    Link Aggregation Commands Console#show lacp 1 internal Port channel: 1 ------------------------------------------------------------------------- Oper Key: Admin Key: 0 Eth 1/ 2 ------------------------------------------------------------------------- LACPDUs Internal: 30 sec LACP System Priority: 32768 LACP Port Priority: 32768 Admin Key: Oper Key: Admin State: defaulted, aggregation, long timeout, LACP-activity Oper State: distributing, collecting, synchronization, aggregation, long timeout, LACP-activity...
  • Page 425: Table 25-4 Show Lacp Neighbors - Display Description

    show lacp Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-01-F4-78-AE-C0 Partner Admin Port Number: 2 Partner Oper Port Number: Port Admin Priority: 32768 Port Oper Priority: 32768 Admin Key: Oper Key:...
  • Page 426: Table 25-5 Show Lacp Sysid - Display Description

    Link Aggregation Commands Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 Table 25-5 show lacp sysid - display description Field Description Channel group...
  • Page 427: Chapter 26: Mirror Port Commands

    Chapter 26: Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 26-1 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 26-1 show port monitor Shows the configuration for a mirror port 26-2 port monitor This command configures a mirror session.
  • Page 428: Show Port Monitor

    Mirror Port Commands Example The following example configures the switch to mirror all packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 both Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
  • Page 429: Chapter 27: Rate Limit Commands

    Chapter 27: Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. The maximum data rate may also be set for specific Class of Service (CoS) priorities for traffic transmitted out of an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 430: Rate-Limit Cos

    Rate Limit Commands Related Command show interfaces switchport (24-11) rate-limit cos This command defines the output rate limit for an interface based on specified CoS priorities. Use the no form to restore the default status of disabled. Syntax rate-limit cos cos_value rate no rate-limit cos •...
  • Page 431: Show Rate-Limit Cos

    show rate-limit cos Example This example sets the maximum output rate for CoS traffic of priority level 0 to 50 Mbps on Port 1. Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit cos 0 50 Console(config-if)# show rate-limit cos This command displays the output rate limit for CoS priorities. Command Mode Privileged Exec Command Usage...
  • Page 433: Chapter 28: Address Table Commands

    Chapter 28: Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 28-1 Address Table Commands Command Function Mode Page mac-address-table static Maps a static address to a port in a VLAN 28-1 clear mac-address-table...
  • Page 434: Clear Mac-Address-Table Dynamic

    Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: •...
  • Page 435: Show Mac-Address-Table

    show mac-address-table show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
  • Page 436: Mac-Address-Table Aging-Time

    Address Table Commands mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-1000000 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode...
  • Page 437: Chapter 29: Spanning Tree Commands

    Chapter 29: Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 29-1 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 29-2 spanning-tree mode Configures STP, RSTP or MSTP mode...
  • Page 438: Spanning-Tree

    Spanning Tree Commands Table 29-1 Spanning Tree Commands (Continued) Command Function Mode Page show spanning-tree Shows spanning tree configuration for the common 29-18 spanning tree (i.e., overall bridge), a selected interface, or an instance within the multiple spanning tree show spanning-tree mst Shows the multiple spanning tree configuration 29-20 configuration...
  • Page 439 spanning-tree mode Default Setting rstp Command Mode Global Configuration Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 440: Spanning-Tree Forward-Time

    Spanning Tree Commands spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 441: Spanning-Tree Max-Age

    spanning-tree max-age Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (29-4) spanning-tree max-age (29-5) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds.
  • Page 442: Spanning-Tree Priority

    Spanning Tree Commands spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
  • Page 443: Spanning-Tree Transmission-Limit

    spanning-tree transmission-limit Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 29-12) takes precedence over port priority (page 29-13).
  • Page 444: Mst Vlan

    Spanning Tree Commands Related Commands mst vlan (29-8) mst priority (29-9) name (29-9) revision (29-10) max-hops (29-11) mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
  • Page 445: Mst Priority

    mst priority mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) •...
  • Page 446: Revision

    Spanning Tree Commands Command Usage The MST region name and revision number (page 29-10) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
  • Page 447: Max-Hops

    max-hops max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting Command Mode MST Configuration...
  • Page 448: Spanning-Tree Cost

    Spanning Tree Commands spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method 1-200,000,000 for long path cost method) Table 29-2 Recommended STA Path Cost Range...
  • Page 449: Spanning-Tree Port-Priority

    spanning-tree port-priority Command Usage • This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 450: Spanning-Tree Edge-Port

    Spanning Tree Commands spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
  • Page 451: Spanning-Tree Link-Type

    spanning-tree link-type Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
  • Page 452: Spanning-Tree Mst Cost

    Spanning Tree Commands • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple...
  • Page 453: Spanning-Tree Mst Port-Priority

    spanning-tree mst port-priority Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands spanning-tree mst port-priority (29-17) spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority...
  • Page 454: Spanning-Tree Protocol-Migration

    Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
  • Page 455 show spanning-tree Command Mode Privileged Exec Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 456: Show Spanning-Tree Mst Configuration

    Spanning Tree Commands --------------------------------------------------------------- 1/ 1 information --------------------------------------------------------------- Admin status: enable Role: root State: forwarding External admin path cost: 10000 Internal admin cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000 Priority: Designated cost: 200000 Designated port: 128.24 Designated root: 32768.0.0000ABCD0000...
  • Page 457: Chapter 30: Vlan Commands

    Chapter 30: VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 458: Bridge-Ext Gvrp

    VLAN Commands bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
  • Page 459: Switchport Gvrp

    GVRP and Bridge Extension Commands switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
  • Page 460: Garp Timer

    VLAN Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 461: Show Garp Timer

    GVRP and Bridge Extension Commands show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
  • Page 462: Editing Vlan Groups

    VLAN Commands Editing VLAN Groups Table 30-3 Commands for Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and delete 30-6 VLANs vlan Configures a VLAN, including VID, name and state 30-7 vlan database This command enters VLAN database mode.
  • Page 463: Vlan

    Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4093, no leading zeroes) •...
  • Page 464: Configuring Vlan Interfaces

    VLAN Commands Configuring VLAN Interfaces Table 30-4 Commands for Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN 30-8 switchport mode Configures VLAN membership mode for an interface 30-9 switchport Configures frame types to be accepted by an interface 30-9 acceptable-frame-types switchport ingress-filtering...
  • Page 465: Switchport Mode

    Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {hybrid | trunk | dot1q-tunnel} no switchport mode • hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
  • Page 466: Switchport Ingress-Filtering

    VLAN Commands Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged Console(config-if)#...
  • Page 467: Switchport Native Vlan

    Configuring VLAN Interfaces switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes) Default Setting VLAN 1 Command Mode...
  • Page 468: Switchport Forbidden Vlan

    VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A port, or a trunk with switchport mode set to hybrid, must be assigned to at least one VLAN as untagged. • If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member.
  • Page 469: Displaying Vlan Information

    Displaying VLAN Information Command Usage • This command prevents a VLAN from being automatically added to the specified interface via GVRP. • If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface. Example The following example shows how to prevent port 1 from being added to VLAN 3: Console(config)#interface ethernet 1/1...
  • Page 470: Configuring Private Vlans

    VLAN Commands Example The following example shows how to display information for VLAN 1: Console#show vlan id 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S)
  • Page 471: Show Pvlan

    Configuring Private VLANs • Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN. Example This example enables the private VLAN, and then sets port 12 as the uplink and ports 5-8 as the downlinks. Console(config)#pvlan Console(config)#pvlan up-link ethernet 1/12 down-link ethernet 1/5-8 Console(config)#...
  • Page 472: Configuring Protocol-Based Vlans

    VLAN Commands Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 473: Protocol-Vlan Protocol-Group (Configuring Groups)

    Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to an existing group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] no protocol-vlan protocol-group group-id •...
  • Page 474: Show Protocol-Vlan Protocol-Group

    VLAN Commands Command Usage • When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as vlan on page 30-7), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 475: Show Interfaces Protocol-Vlan Protocol-Group

    Configuring Protocol-based VLANs show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
  • Page 476: Configuring Ieee 802.1Q Tunneling

    VLAN Commands Configuring IEEE 802.1Q Tunneling QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 477: Switchport Mode Dot1Q-Tunnel

    Configuring IEEE 802.1Q Tunneling switchport mode dot1q-tunnel This command configures an interface as a QinQ tunnel port. Use the no form to restore the default setting. Syntax switchport mode dot1q-tunnel no switchport mode dot1q-tunnel – Sets the port as an 802.1Q tunnel port. Default Setting All ports are in hybrid mode.
  • Page 478: Switchport Dot1Q-Ethertype

    VLAN Commands Related Commands switchport mode dot1q-tunnel (page 30-21) switchport dot1q-ethertype This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-ethertype tpid no switchport dot1q-ethertype tpid –...
  • Page 479: Chapter 31: Class Of Service Commands

    Chapter 31: Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 480: Queue Mode

    Class of Service Commands queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
  • Page 481: Switchport Priority Default

    Priority Commands (Layer 2) Example Console#sh queue mode Wrr status: Enabled Console# switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic.
  • Page 482: Queue Bandwidth

    Class of Service Commands Related Commands show interfaces switchport (24-11) queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler.
  • Page 483: Show Queue Bandwidth

    Priority Commands (Layer 2) Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
  • Page 484: Show Queue Cos-Map

    Class of Service Commands Example Console#show queue bandwidth Information of Eth 1/1 Queue ID Weight -------- ------ show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 485: Show Vlan Based Priority

    Priority Commands (Layer 2) Default Setting The original priority value in the VLAN tag of a tagged packet, or a VLAN priority tag inserted by another device for an untagged packet. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 486: Priority Commands (Layer 3 And 4)

    Class of Service Commands Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 31-4 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip port Enables TCP/UDP class of service mapping 31-8 map ip port...
  • Page 487: Map Ip Port (Interface Configuration)

    Priority Commands (Layer 3 and 4) map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number •...
  • Page 488: Map Ip Precedence (Interface Configuration)

    Class of Service Commands Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
  • Page 489: Map Ip Dscp (Global Configuration)

    Priority Commands (Layer 3 and 4) map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage...
  • Page 490: Show Map Ip Port

    Class of Service Commands Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 31-6 Mapping IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16...
  • Page 491: Show Map Ip Precedence

    Priority Commands (Layer 3 and 4) Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port Port no. COS --------- -------- --- Eth 1/ 5 Console#...
  • Page 492: Show Map Ip Dscp

    Class of Service Commands Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --- Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Console# Related Commands...
  • Page 493 Priority Commands (Layer 3 and 4) Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands...
  • Page 495: Chapter 32: Quality Of Service Commands

    Chapter 32: Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 496: Class-Map

    Quality of Service Commands Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. You should create a Class Map (page 32-2) before creating a Policy Map (page 32-4). Otherwise, you will not be able to specify a Class Map with the class command (page 32-5) after entering Policy-Map Configuration mode.
  • Page 497: Match

    match match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 498: Policy-Map

    Quality of Service Commands This example creates a class map called “rd_class#3,” and sets it to match packets marked for VLAN 1: Console(config)#class-map rd_class#3 match-any Console(config-cmap)#match vlan 1 Console(config-cmap)#exit Console(config)#access-list mac mask-precedence in Console(config-ip-mask-acl)#mask any any vid 1 Console(config-ip-mask-acl)# policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode.
  • Page 499: Class

    class class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode. Syntax [no] class class-map-name class-map-name - Name of the class map.
  • Page 500: Set

    Quality of Service Commands This command services IP traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified by the match command on page 32-3). Use the no form to remove the traffic classification. Syntax [no] set {cos new-cos | ip dscp new-dscp | ip precedence new-precedence} •...
  • Page 501: Service-Policy

    service-policy Command Usage • You can configure up to 63 policers (i.e., class maps) for Fast Ethernet and Gigabit Ethernet ingress ports. • Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the burst-byte field, and the average rate at which tokens are removed from the bucket is specified by the rate-bps option.
  • Page 502: Show Class-Map

    Quality of Service Commands show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting Displays all class maps. Command Mode Privileged Exec Example...
  • Page 503: Show Policy-Map Interface

    show policy-map interface Example Console#show policy-map Policy Map rd_policy class rd_class set ip dscp 3 Console#show policy-map rd_policy class rd_class Policy Map rd_policy class rd_class set ip dscp 3 Console# show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface...
  • Page 505: Chapter 33: Multicast Filtering Commands

    Chapter 33: Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 506: Ip Igmp Snooping Vlan Static

    Multicast Filtering Commands ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static...
  • Page 507: Ip Igmp Snooping Version

    IGMP Snooping Commands ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
  • Page 508: Ip Igmp Snooping Immediate-Leave

    Multicast Filtering Commands Command Usage • This command setting is only effective if IGMP snooping is enabled. • Any port can be designated as a multicast router port through dynamic or static configuration, including ports on Layer 2 or 3 switches. If there is more than one multicast router on a LAN segment performing IP multicasting, one of these devices is elected “querier”...
  • Page 509: Show Ip Igmp Snooping

    IGMP Snooping Commands Command Mode Interface Configuration (VLAN) Command Usage • If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
  • Page 510: Show Mac-Address-Table Multicast

    Multicast Filtering Commands show mac-address-table multicast This command shows known multicast addresses. Syntax show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] • vlan-id - VLAN ID (1 to 4093) • user - Display only the user-configured multicast entries. • igmp-snooping - Display only entries learned through IGMP snooping. Default Setting None Command Mode...
  • Page 511: Ip Igmp Snooping Querier

    IGMP Query Commands ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 33-3).
  • Page 512: Ip Igmp Snooping Query-Interval

    Multicast Filtering Commands Example The following shows how to configure the query count to 10: Console(config)#ip igmp snooping query-count 10 Console(config)# Related Commands ip igmp snooping query-max-response-time (33-8) ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval...
  • Page 513: Ip Igmp Snooping Router-Port-Expire-Time

    IGMP Query Commands • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
  • Page 514: Static Multicast Routing Commands

    Multicast Filtering Commands Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch. Table 33-4 Static Multicast Routing Commands Command Function Mode Page ip igmp snooping vlan Adds a multicast router port 33-10 mrouter show ip igmp snooping Shows multicast router ports...
  • Page 515: Show Ip Igmp Snooping Mrouter

    Multicast VLAN Registration Commands show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4093) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
  • Page 516: Mvr (Global Configuration)

    Multicast Filtering Commands mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 517: Mvr (Interface Configuration)

    Multicast VLAN Registration Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
  • Page 518: Show Mvr

    Multicast Filtering Commands response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list. • Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
  • Page 519: Table 33-6 Show Mvr - Display Description

    Multicast VLAN Registration Commands Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
  • Page 520: Table 33-8 Show Mvr Members - Display Description

    Multicast Filtering Commands The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
    Console#show mvr members
    MVR Group IP     Status   Members
    ---------------- -------- -------
    225.0.0.1        ACTIVE   eth1/1(d), eth1/2(s)
    225.0.0.2        INACTIVE None
    225.0.0.3        INACTIVE None
    225.0.0.4        INACTIVE None...
  • Page 521: Chapter 34: Domain Name Service Commands

    Chapter 34: Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation.
  • Page 522: Clear Host

    Domain Name Service Commands Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
  • Page 523: Ip Domain-Name

    ip domain-name ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
  • Page 524: Ip Name-Server

    Domain Name Service Commands Command Usage • Domain names are added to the end of the list one at a time. • When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 525: Ip Domain-Lookup

    ip domain-lookup Example This example adds two domain-name servers to the list and then displays the list.
    Console(config)#ip domain-server 192.168.1.55 10.1.0.55
    Console(config)#end
    Console#show dns
    Domain Lookup Status: DNS disabled
    Default Domain Name: .sample.com
    Domain Name List: .sample.com.jp .sample.com.uk
    Name Server List: 192.168.1.55 10.1.0.55
    Console#...
  • Page 526: Show Hosts

    Domain Name Service Commands Example This example enables DNS and then displays the configuration.
    Console(config)#ip domain-lookup
    Console(config)#end
    Console#show dns
    Domain Lookup Status: DNS enabled
    Default Domain Name: .sample.com
    Domain Name List: .sample.com.jp .sample.com.uk
    Name Server List: 192.168.1.55 10.1.0.55
    Related Commands ip domain-name (34-3) ip name-server (34-4) show hosts...
  • Page 527: Show Dns

    show dns show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example
    Console#show dns
    Domain Lookup Status: DNS enabled
    Default Domain Name: sample.com
    Domain Name List: sample.com.jp sample.com.uk
    Name Server List: 192.168.1.55 10.1.0.55
    Console#
    show dns cache This command displays entries in the DNS cache.
  • Page 528: Clear Dns Cache

    Domain Name Service Commands clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example
    Console#clear dns cache
    Console#show dns cache
    FLAG TYPE DOMAIN
    Console#
  • Page 529: Chapter 35: Ip Interface Commands

    Chapter 35: IP Interface Commands An IP address may be used for management access to the switch over your network. An IP address is obtained via DHCP by default for VLAN 1. You can manually configure a specific IP address, or direct the switch to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 530: Ip Default-Gateway

    IP Interface Commands Command Usage • You must assign an IP address to this device to gain management access over the network or to connect the switch to existing IP subnets. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server.
  • Page 531: Ip Dhcp Restart

    Basic IP Configuration Command Usage • A gateway must be defined if the management station is located in a different IP segment. • A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254...
  • Page 532: Show Ip Interface

    IP Interface Commands show ip interface This command displays the settings of an IP interface. Command Mode Normal Exec, Privileged Exec Example Console#show ip interface Console# Related Commands show ip redirects (35-4) show ip redirects This command shows the IP default gateway configured for this device. Default Setting None Command Mode...
  • Page 533: Ping

    Basic IP Configuration Example This example displays all entries in the ARP cache.
    Console#show arp
    IP Address      MAC Address       Type      Interface
    --------------- ----------------- --------- -----------
    192.168.0.1     00-0f-3d-12-40-e1 dynamic
    192.168.0.110   00-10-b5-62-03-74 dynamic
    192.168.0.162   00-12-cf-0c-9a-a0 other
    Total entry : 3
    Console#
    ping This command sends ICMP echo request packets to another node on the network.
  • Page 534 IP Interface Commands Example
    Console#ping 10.1.0.9
    Type ESC to abort.
    PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 0 ms
    Ping statistics for 10.1.0.9:
    5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
    Approximate round trip times:...
  • Page 535 Section IV: Appendices This section provides additional information on the following topics. Software Specifications A-1 Troubleshooting...
  • Page 536 Appendices...
  • Page 537: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS+, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists IP, MAC Fast Ethernet ports - 157 rules, 4 masks shared by 8-port groups Gigabit Ethernet ports - 29 rules, 4 masks DHCP Client DNS Proxy Port Configuration...
  • Page 538: Management Features

    Software Specifications Quality of Service DiffServ supports class maps, policy maps, and service policies Multicast Filtering IGMP Snooping Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts Management Features In-Band Management Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell...
  • Page 539: Management Information Bases

    Management Information Bases IPv4 IGMP (RFC 3228) RADIUS+ (RFC 2618) RMON (RFC 2819 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2c (RFC 2571) SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415) SNTP (RFC 2030) SSH (Version 2.0) TELNET (RFC 854, 855, 856) TFTP (RFC 1350) Management Information Bases Bridge MIB (RFC 1493)
  • Page 540 Software Specifications UDP MIB (RFC 2013)
  • Page 541: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface
    Table B-1 Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software
    Action: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
  • Page 542: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 543: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 544 Glossary Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification.
  • Page 545 Glossary IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. IEEE 802.3ac Defines frame extensions for VLAN tagging. IEEE 802.3x Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.
  • Page 546 Glossary Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device. Management Information Base (MIB) An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.
  • Page 547 Glossary Port Authentication See IEEE 802.1X. Port Mirroring A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively. Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical...
  • Page 548 Glossary Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services. Simple Network Time Protocol (SNTP) SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server.
  • Page 549 Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
  • Page 551: Index

    Index Numerics 802.1Q tunnel 12-12, 30-20 default gateway, configuration 4-9, description 12-12 35-2 interface configuration 12-16, default priority, ingress port 13-1, 31-3 30-21–30-22 default settings, system 1-6 mode selection 12-16 DHCP 4-10, 35-1 TPID 12-11, 12-16, 30-22 client 4-9, 34-1 802.1X, port authentication 6-13, dynamic configuration 2-5 21-24...
  • Page 552 Index firmware jumbo frame 19-10 displaying version 4-6, 19-7 upgrading 4-12, 19-13 LACP configuration 25-1 GARP VLAN Registration Protocol See local parameters 9-14, 25-7 GVRP partner parameters 9-16, 25-7 gateway, default 4-9, 35-2 protocol message statistics 25-7 GVRP protocol parameters 9-10, 25-1 global setting 12-4, 30-2 Link Aggregation Control Protocol See interface configuration 12-10, 30-3...
  • Page 553 Index setting multicast groups 15-10, rate limits, setting 9-20 33-12 remote logging 19-31 specifying a VLAN 15-10, 33-12 restarting the system 4-25, 18-4 using immediate leave 15-12, 33-13 RSTP 11-1, 29-2 global configuration 11-3, 29-2 password, line 19-21 passwords 2-4 Secure Shell 6-7, 21-15 administrator setting 6-1, 21-2 configuration 6-7, 21-18, 21-19...
  • Page 554 Index STP Also see STA upgrading software 4-12, 19-13 switch settings, saving or user account 6-1 restoring 19-12 user password 6-1, 21-2, 21-3 switchport dot1q-ethertype 30-22 switchport mode dot1q-tunnel 30-21 VLANs 12-1–12-18, 30-1–30-15 system clock, setting 4-26, 19-37 802.1Q tunnel mode 12-16 system mode, normal or QinQ 4-3, adding static members 12-7, 12-9, 19-8...