Supermicro SSE-G2252 User Manual

52-port layer 2 gigabit ethernet switch / with 48 poe-capable ports

SSE-G2252 Switches
52-Port Layer 2 Gigabit Ethernet Switch
SSE-G2252
SSE-G2252P Switches
52-Port Layer 2 Gigabit Ethernet Switch with
48 PoE-Capable Ports
SSE-G2252P
USER'S MANUAL
Revision 1.0b

Summary of Contents for Supermicro SSE-G2252

  • Page 1 SSE-G2252 Switches 52-Port Layer 2 Gigabit Ethernet Switch SSE-G2252 SSE-G2252P Switches 52-Port Layer 2 Gigabit Ethernet Switch with 48 PoE-Capable Ports SSE-G2252P USER’S MANUAL Revision 1.0b...
  • Page 2 Please Note: For the most up-to-date version of this manual, please see our web site at www.supermicro.com. Super Micro Computer, Inc. (“Supermicro”) reserves the right to make changes to the product described in this manual at any time and without notice. This product, including software, if any, and documentation may not, in whole or in part, be copied, photocopied, reproduced, translated or reduced to any medium or machine without prior written consent.
  • Page 3: About This Manual

    LANs (Local Area Networks). It provides information for the installation and use of Supermicro's SSE-G2252 and SSE-G2252P switches. Installation and maintenance should be performed by experienced professionals only.
  • Page 4 Glossary. DiffServ: Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
  • Page 5 Glossary. IEEE 802.1Q: VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks. An IEEE standard for providing quality of service (QoS) in Ethernet networks.
  • Page 6 Glossary. Link Aggregation: See Port Trunk. LLDP: Link Layer Discovery Protocol is used to discover basic information about neighboring devices in the local broadcast domain by using periodic broadcasts to advertise information such as device identification, capabilities and configuration settings.
  • Page 7 Glossary. QinQ: QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. Quality of Service.
  • Page 8 Glossary. Universal Time Coordinate. UTC is a time scale that couples Greenwich Mean Time (based solely on the Earth’s rotation rate) with highly accurate atomic time. The UTC does not have daylight saving time.
  • Page 9: Table Of Contents

    Chapter 1 Introduction; 1-1 Key Features; 1-2 Description of Software Features; Configuration Backup and Restore; Authentication; Access Control Lists; Port Configuration; Port Mirroring; Port Trunking...
  • Page 10 Table of Contents: Restricted Area; Battery Handling; Redundant Power Supplies; Backplane Voltage; Comply with Local and National Electrical Codes; Product Disposal; Hot Swap Fan Warning; Power Cable and AC Adapter; Chapter 3 Initial Configuration...
  • Page 11 Table of Contents: 5-3 Configuring Support for Jumbo Frames; 5-4 Displaying Bridge Extension Capabilities; 5-5 Managing System Files; Copying Files via FTP/TFTP or HTTP; Saving the Running Configuration to a Local File; Setting The Start-Up File...
  • Page 12 Table of Contents: Configuring Uplink and Downlink Ports; 6-5 VLAN Trunking; Chapter 7 VLAN Configuration; 7-1 IEEE 802.1Q VLANs; Assigning Ports to VLANs; VLAN Classification; Port Overlapping; Untagged VLANs...
  • Page 13 Table of Contents: 9-4 Configuring Interface Settings for STA; 9-5 Displaying Interface Settings for STA; 9-6 Configuring Multiple Spanning Trees; 9-7 Configuring Interface Settings for MSTP; Chapter 10 Congestion Control; 10-1 Rate Limiting...
  • Page 14 Table of Contents: Configuring AAA Authorization; 14-2 Configuring User Accounts; 14-3 Web Authentication; Configuring Global Settings for Web Authentication; Configuring Interface Settings for Web Authentication; 14-4 Network Access (MAC Address Authentication)...
  • Page 15 Table of Contents: Configuring Port Authenticator Settings for 802.1X; Configuring Port Supplicant Settings for 802.1X; Displaying 802.1X Statistics; 14-12 IP Source Guard; Configuring Ports for IP Source Guard; Configuring Static Bindings for IP Source Guard; Displaying Information for Dynamic IP Source Guard Bindings...
  • Page 16 Table of Contents: Configuring RMON Events; Configuring RMON History Samples; Configuring RMON Statistical Samples; 15-6 Switch Clustering; Configuring General Settings for Clusters; Cluster Member Configuration; 15-7 Setting A Time Range...
  • Page 17 Table of Contents: Configuring IGMP Filter Profiles; Configuring IGMP Filtering and Throttling for Interfaces; 18-4 Multicast VLAN Registration; Configuring Global MVR Settings; Configuring MVR Interface Status; Assigning Static Multicast Groups to Interfaces; Showing Multicast Group Members...
  • Page 18 Table of Contents: exit; Chapter 21 System Management Commands; 21-1 Device Designation; hostname; 21-2 System Status; show access-list tcam-utilization; show memory; show process cpu; show running-config; show startup-config...
  • Page 19 Table of Contents: 21-6 Event Logging; logging facility; logging history; logging host; logging on; logging trap; clear log; show log; show logging; 21-7 SMTP Alerts...
  • Page 20 Table of Contents: show cluster candidates; Chapter 22 SNMP Commands; snmp-server; snmp-server community; snmp-server contact; snmp-server location; show snmp; snmp-server enable traps; snmp-server host; snmp-server engine-id; snmp-server group...
  • Page 21 Table of Contents: radius-server acct-port; radius-server auth-port; radius-server host; radius-server key; radius-server retransmit; radius-server timeout; show radius-server; 24-4 TACACS+ Client; tacacs-server host; tacacs-server key; tacacs-server port...
  • Page 22 Table of Contents: delete public-key; ip ssh crypto host-key generate; ip ssh crypto zeroize; ip ssh save host-key; show ip ssh; show public-key; show ssh; 24-9 802.1X Port Authentication...
  • Page 23 Table of Contents: network-access dynamic-vlan; network-access guest-vlan; network-access link-detection; network-access link-detection link-down; network-access link-detection link-up; network-access link-detection link-up-down; network-access max-mac-count; network-access mode mac-authentication; network-access port-mac-filter; mac-authentication intrusion-action; mac-authentication max-mac-count...
  • Page 24 Table of Contents: ip source-guard max-binding; show ip source-guard; show ip source-guard binding; 25-6 ARP Inspection; ip arp inspection; ip arp inspection filter; ip arp inspection log-buffer logs; ip arp inspection validate...
  • Page 25 Table of Contents: permit, deny (ARP ACL); show arp access-list; 26-5 ACL Information; show access-group; show access-list; Chapter 27 Interface Commands; interface; alias; capabilities; description; flowcontrol...
  • Page 26 Table of Contents: power inline priority; power inline time-range; show power inline status; show power inline time-range; show power poe; Chapter 30 Port Mirroring Commands; 30-1 Local Port Mirroring Commands...
  • Page 27 Table of Contents: mac-address-table static; clear mac-address-table dynamic; show mac-address-table; show mac-address-table aging-time; show mac-address-table count; Chapter 34 Spanning Tree Commands; spanning-tree; spanning-tree cisco-prestandard; spanning-tree forward-time; spanning-tree hello-time...
  • Page 28 Table of Contents: Chapter 35 VLAN Commands; 35-1 GVRP and Bridge Extension Commands; bridge-ext gvrp; garp timer; switchport forbidden vlan; switchport gvrp; show bridge-ext; show garp timer; show gvrp configuration...
  • Page 29 Table of Contents: 35-9 Configuring MAC Based VLANs; mac-vlan; show mac-vlan; 35-10 Configuring Voice VLANs; voice vlan; voice vlan aging; voice vlan mac-address; switchport voice vlan; switchport voice vlan priority...
  • Page 30 Table of Contents: set cos; set ip dscp; set phb; service-policy; show class-map; show policy-map; show policy-map interface; Chapter 38 Multicast Filtering Commands; 38-1 IGMP Snooping...
  • Page 31 Table of Contents: ip igmp filter (Interface Configuration); ip igmp max-groups; ip igmp max-groups action; show ip igmp filter; show ip igmp profile; show ip igmp throttle interface; 38-4 Multicast VLAN Registration...
  • Page 32 Table of Contents: lldp med-tlv med-cap; lldp med-tlv network-policy; lldp notification; show lldp config; show lldp info local-device; show lldp info remote-device; show lldp info statistics; Chapter 40 Domain Name Service Commands...
  • Page 33 Table of Contents: clear arp-cache; show arp; 42-2 IPv6 Interface; ipv6 default-gateway; ipv6 address; ipv6 address autoconfig; ipv6 address eui-64; ipv6 address link-local; ipv6 enable; show ipv6 default-gateway; show ipv6 interface...
  • Page 35: Chapter 1 Introduction

    This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. These switches provide a broad range of features for Layer 2 switching. Each switch includes a management agent that allows you to configure the features listed in this manual.
  • Page 36: Description Of Software Features

    Table 1-1. Key Features (Continued)
    IP Version 4: Supports IPv4 addressing, and management
    IEEE 802.1D Bridge: Supports dynamic data switching and addresses learning
    Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames...
  • Page 37: Authentication

    This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol.
  • Page 38: Rate Limiting

    This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 39: Spanning Tree Algorithm

    The switch supports these spanning tree protocols:
    • Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network.
  • Page 40: Traffic Prioritization

    This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority, scheduling, or a combination of strict and weighted queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application.
  • Page 41 Table 1-2. System Defaults (Continued)
    Function: Authentication
      Privileged Exec Level: Username “ADMIN”, Password “ADMIN”
      Normal Exec Level: Username “guest”, Password “guest”
      Enable Privileged Exec from Normal Exec Level: Password “super”
      RADIUS Authentication: Disabled
      TACACS+ Authentication: Disabled
      802.1X Port Authentication: Disabled...
  • Page 42 Table 1-2. System Defaults (Continued)
    Function: LLDP
      Status: Enabled
    Function: Virtual LANs
      Default VLAN
      PVID
      Acceptable Frame Type
      Ingress Filtering: Disabled
      Switchport Mode (Egress Mode): Access
      GVRP (global): Disabled
      GVRP (port interface): Disabled
    Function: Traffic Prioritization...
  • Page 43: Description Of Hardware

    Each port also supports IEEE 802.3x auto-negotiation of flow control, so the switch can automatically prevent port buffers from becoming saturated. SFP Transceiver Slots The SFP transceiver slots on the SSE-G2252 and SSE-G2252P are not shared. These are additional ports independent of the RJ-45 ports. The following...
  • Page 44: Port And System Status Leds

    Port and System Status LEDs The switch includes a display panel for key system and port indications that simplify installation and network troubleshooting. The LEDs, which are located on the front panel for easy viewing, are shown below in Figure 1-1 and described in the following Table 1-4 Table...
  • Page 45: Mode Button

    Table 1-5. System Status LEDs Condition Status On Green The unit’s internal power supply is operating normally. Power The unit has no power connected. On Green The system diagnostic test has completed successfully. Diag/PoE Flashing Green The system boot up is in progress. (Mode button not On Amber The system diagnostic test is in progress.
  • Page 46: Reset Button

    . The console device can be a PC or workstation running a VT-100 terminal emulator, or a VT-100 terminal. A crossover RJ-45 to DB-9 cable is supplied with the unit for connecting to the console port. Figure 1-4. Console Port SSE-G2252 Console Port...
  • Page 47: Chapter 2 Standardized Warning Statements

    The following statements are industry standard warnings, provided to warn the user of situations which have the potential for bodily injury. Should you have questions or experience difficulty, contact Supermicro's Technical Support department for assistance. Only certified technicians should attempt to install or configure components.
  • Page 48 Warning: IMPORTANT SAFETY INSTRUCTIONS. This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, familiarize yourself with the hazards of electrical circuits and with the standard practices for preventing accidents.
  • Page 49 IMPORTANT SAFETY INSTRUCTIONS. This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with an electrical installation and be familiar with the standard procedures for preventing accidents.
  • Page 50: Installation Instructions

    Warning! Read the installation instructions before connecting the system to the power source.
  • Page 51: Circuit Breaker

    Warning! This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than: 250 V, 20 A.
  • Page 52: Power Disconnection Warning

    Warning: This product relies on the short-circuit protection (overvoltage) of your electrical installation. Check that the protective device is rated not greater than 220V, 20A. Power Disconnection Warning Warning! The system must be disconnected from all sources of power and the power cord removed from the power supply module(s) before accessing the chassis interior to install or remove system components.
  • Page 53 Warning: The system must be disconnected from all power sources, and its mains power cord removed, before accessing the chassis interior to install or remove system components. Power Disconnection Warning Warning!...
  • Page 54: Equipment Installation

    Warning! Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
  • Page 55: Restricted Area

    Warning! This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. (This warning does not apply to workstations).
  • Page 56: Battery Handling

    Warning: This unit is intended for installation in areas with restricted access. Access to such areas can be obtained only by using a special tool, lock and key, or other security measures. Battery Handling Warning! There is the danger of explosion if the battery is replaced incorrectly.
  • Page 57 Warning! There is a danger of explosion if the battery is replaced incorrectly. Replace the battery only with the same type or the equivalent recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions. Warning!...
  • Page 58: Redundant Power Supplies

    Warning! This unit might have more than one power supply connection. All connections must be removed to de-energize the unit.
  • Page 59: Backplane Voltage

    Warning: This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Backplane Voltage Warning! Hazardous voltage or energy is present on the backplane when the system is operating.
  • Page 60 Warning: Hazardous voltage or energy is present on the backplane when the system is in use. Use caution when servicing.
  • Page 61: Comply With Local And National Electrical Codes

    Warning! Installation of the equipment must comply with local and national electrical codes.
  • Page 62: Product Disposal

    Warning! Ultimate disposal of this product should be handled according to all national laws and regulations.
  • Page 63: Hot Swap Fan Warning

    Warning! The fans might still be turning when you remove the fan assembly from the chassis. Keep fingers, screwdrivers, and other objects away from the openings in the fan assembly's housing.
  • Page 64: Power Cable And Ac Adapter

    a malfunction or a fire can result. The Electrical Appliance and Material Safety Law prohibits the use of UL- or CSA-certified cables that have UL or CSA shown on the code for any electrical devices other than products designated by Supermicro only.
  • Page 65 The Electrical Appliance and Material Safety Law prohibits the use of UL- or CSA-certified cables that have UL or CSA shown on the code for any electrical devices other than products designated by Supermicro only...
  • Page 66 Using any other cables and adapters could cause a malfunction or a fire. The Electrical Appliance and Material Safety Law prohibits the use of UL- or CSA-certified cables that have UL or CSA shown on the code for any electrical devices other than products designated by Supermicro only.
  • Page 67: Chapter 3 Initial Configuration

    This chapter includes information on connecting to the switch and basic configuration procedures.
    3-1 Connecting to the Switch
    The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 68: Required Connections

    • Filter packets using Access Control Lists (ACLs)
    • Configure up to 256 IEEE 802.1Q VLANs
    • Enable GVRP automatic VLAN registration
    • Configure IGMP multicast filtering
    • Upload and download system firmware or configuration files via HTTP (using the web interface) or FTP/TFTP (using the command line or web interface)
    •...
  • Page 69: Remote Connections

    NOTE: Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see Chapter 19: "Using the Command Line Interface" on page 19-1. For a list of all the CLI commands and detailed information on using the CLI, refer to Section 19-3: "CLI Command Groups"...
  • Page 70: Basic Configuration

    3. At the Password prompt, also enter “admin.” (The password characters are not displayed on the console screen.)
    4. The session is opened and the CLI displays the “SSE-G2252#” prompt indicating you have access at the Privileged Exec level.
    Setting Passwords
    If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command...
  • Page 71: Setting An Ip Address

    NOTE: This manual covers the SSE-G2252 and SSE-G2252P Gigabit Ethernet switches. Other than the support for PoE on the SSE-G2252P, there are no other significant differences. Therefore nearly all of the screen display examples are based on the SSE-G2252.
  • Page 72 To assign an IPv4 address to the switch, complete the following steps:
    1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
    2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask”...
  • Page 73 4. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press <Enter>.
    SSE-G2252(config)#interface vlan 1
    SSE-G2252(config-if)#ipv6 address 2001:DB8:2222:7272::/64
    SSE-G2252(config-if)#exit...
  • Page 74: Dynamic Configuration

    FF02::1:FF00:0
    FF02::1:FF11:6700
    FF02::1
    IPv6 link MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 3.
    ND retransmit interval is 1000 milliseconds
    SSE-G2252#show ipv6 default-gateway
    ipv6 default gateway: 2001:DB8:2222:7272::254
    SSE-G2252#
    Dynamic Configuration
    Obtaining an IPv4 Address
    If you select the “bootp”...
  • Page 75
    Index: 1001, MTU: 1500, Bandwidth: 1g
    Address Mode is DHCP
    IP Address: 192.168.0.5 Mask: 255.255.255.0
    SSE-G2252#copy running-config startup-config
    Startup configuration file name []: startup
    \Write to FLASH Programming.
    \Write to FLASH finish.
    Success.
    Obtaining an IPv6 Address
    Link Local Address —...
  • Page 76: Downloading A Configuration File Referenced By A Dhcp Server

    SSE-G2252(config)#interface vlan 1
    SSE-G2252(config-if)#ipv6 address autoconfig
    Console(config-if)#ipv6 enable
    SSE-G2252(config-if)#end
    SSE-G2252#show ipv6 interface
    VLAN 1 is up
    IPv6 is enabled.
    Link-local address:
    FE80::212:CFFF:FE0B:4600/64
    Global unicast address(es):
    2005::212:CFFF:FE0B:4600, subnet is 2005:0:0:0::/64
    3FFE:501:FFFF:100:212:CFFF:FE0B:4600, subnet is 3FFE:501:FFFF:100::/
    Joined group address(es):...
  • Page 77 To successfully transmit a bootup configuration file to the switch, the DHCP daemon (using a Linux based system for this example) must be configured with the following information:
    • Options 60, 66 and 67 statements can be added to the daemon’s configuration file. Table 3-1.
  • Page 78: Enabling Snmp Management Access

    range 192.168.255.160 192.168.255.200;
    option routers 192.168.255.101;
    option tftp-server-name "192.168.255.100";#Default Option 66
    option bootfile-name "bootfile"; #Default Option 67
    class "Option66,67_1" { #DHCP Option 60 Vendor class one
    match if option vendor-class-identifier = "SM_SSE-G2252_Op.bix"; #option 43
    option vendor-class-information code 43 = encapsulate dynamicProvision;...
  • Page 79: Trap Receivers

    Then press <Enter>. For a more detailed description of these parameters, see "snmp-server host" on page 22-8. The following example creates a trap host for each type of SNMP client.
    SSE-G2252(config)#snmp-server host 10.1.19.23 batman
    SSE-G2252(config)#snmp-server host 10.1.19.98 robin version 2c
    SSE-G2252(config)#snmp-server host 10.1.19.34 barbie version 3 auth
    SSE-G2252(config)#
  • Page 80: Configuring Access For Snmp Version 3 Clients

    SSE-G2252(config)#snmp-server view mib-2 1.3.6.1.2.1 included
    SSE-G2252(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
    SSE-G2252(config)#snmp-server group r&d v3 auth mib-2 802.1d
    SSE-G2252(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
    SSE-G2252(config)#
    For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to the specific CLI commands for SNMP in Chapter 22: "SNMP...
  • Page 81: Saving Or Restoring Configuration Settings

    1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. 2. Enter the name of the start-up file. Press <Enter>. SSE-G2252#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming. \Write to FLASH finish.
  • Page 82
    SSE-G2252#copy file startup-config
    SSE-G2252#copy tftp startup-config
    TFTP server IP address: 192.168.0.4
    Source configuration file name: startup-rd.cfg
    Startup configuration file name [startup1.cfg]:
    Success.
    SSE-G2252#
  • Page 83: Chapter 4 Using The Web Interface

    Chapter 4: Using the Web Interface Chapter 4 Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 84: Navigating The Web Browser Interface

    SSE-G2252/SSE-G2252P Switches User’s Manual NOTE: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds. NOTE: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
  • Page 85: Configuration Options

    Other than the support for PoE on the SSE-G2252P, there are no other significant differences. Therefore nearly all of the screen display examples are based on the SSE-G2252. The panel graphics for both switches are shown on the following page.
  • Page 86: Panel Display

    SSE-G2252/SSE-G2252P Switches User’s Manual Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
  • Page 87: Main Menu

    Chapter 4: Using the Web Interface Figure 4-4. Displaying Configuration Settings or Status Information 2 Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
  • Page 88 SSE-G2252/SSE-G2252P Switches User’s Manual Table 4-2. Switch Main Menu (Continued) Menu Description File Copy Allows the transfer and copying files Set Startup Sets the startup file Show Shows the files stored in flash memory; allows deletion of files Automatically upgrades operation code if a newer version is...
  • Page 89 Chapter 4: Using the Web Interface Table 4-2. Switch Main Menu (Continued) Menu Description Configure General Configure Configures trunk connection settings Show Displays trunk connection settings Information Dynamic Configure Configures administration key for specific LACP groups Aggregator Configure Aggregation Port Configure General Allows ports to dynamically join trunks...
  • Page 90 SSE-G2252/SSE-G2252P Switches User’s Manual Table 4-2. Switch Main Menu (Continued) Menu Description VLAN Trunking Allows unknown VLAN groups to pass through the specified interface VLAN Virtual LAN Static Configure VLAN Configures VLAN groups, administrative status, and remote type Modify VLAN and...
  • Page 91 Chapter 4: Using the Web Interface Table 4-2. Switch Main Menu (Continued) Menu Description MAC-Based Maps traffic with specified source MAC address to a VLAN Show Shows source MAC address to VLAN mapping Mirror Mirrors traffic from one or more source VLANs to a target port Show Shows mirror list MAC Address...
  • Page 92 SSE-G2252/SSE-G2252P Switches User’s Manual Table 4-2. Switch Main Menu (Continued) Menu Description Show Information Shows global settings for an MST instance Configure Interface Configure Configures interface settings for an MST instance Show Information Displays interface settings for an MST instance...
  • Page 93 Chapter 4: Using the Web Interface Table 4-2. Switch Main Menu (Continued) Menu Description Show Rule Shows the traffic classification rules for a class map Configure Policy Creates a policy map to apply to multiple interfaces Show Shows configured policy maps Modify Modifies the name of a policy map Sets the boundary parameters used for monitoring inbound traffic,...
  • Page 94 SSE-G2252/SSE-G2252P Switches User’s Manual Table 4-2. Switch Main Menu (Continued) Menu Description Show Information Shows the configured accounting methods, and the methods applied Summary to specific interfaces Statistics Shows basic accounting information recorded for user sessions Authorization Enables authorization of requested services...
  • Page 95 Chapter 4: Using the Web Interface Table 4-2. Switch Main Menu (Continued) Menu Description Configure Global Configures SSH server settings Configure Host Key Generate Generates the host key pair (public and private) Show Displays RSA and DSA host keys; deletes host keys Configure User Key Copy Imports user public keys from TFTP server...
  • Page 96 SSE-G2252/SSE-G2252P Switches User’s Manual Table 4-2. Switch Main Menu (Continued) Menu Description Authenticator Displays protocol statistics for port authenticator Supplicant Displays protocol statistics for port supplicant Filters IP traffic based on static entries in the IP Source Guard table, IP Source Guard...
  • Page 97 Chapter 4: Using the Web Interface Table 4-2. Switch Main Menu (Continued) Menu Description Displays detailed information about a remote device connected to Port/Trunk Details this switch Show Device Statistics General Displays statistics for all connected remote devices Port/Trunk Displays statistics for remote devices on a selected port or trunk Power over Ethernet Configure Global Displays the power budget for the switch...
  • Page 98 SSE-G2252/SSE-G2252P Switches User’s Manual Table 4-2. Switch Main Menu (Continued) Menu Description Configure Notification Configures notification managers to receive messages on key events that occur this switch Show Shows configured notification managers RMON Remote Monitoring Configure Global Alarm Sets threshold bounds for a monitored variable...
  • Page 99 Chapter 4: Using the Web Interface Table 4-2. Switch Main Menu (Continued) Menu Description Show Rule Shows the time specified by a rule General Ping Sends ICMP echo request packets to another node on the network Address Resolution Protocol Configure General Sets the aging time for dynamic entries in the ARP cache Show Information Shows entries in the Address Resolution Protocol (ARP) cache...
  • Page 100 SSE-G2252/SSE-G2252P Switches User’s Manual Table 4-2. Switch Main Menu (Continued) Menu Description DHCP Dynamic Host Configuration Protocol Snooping Enables DHCP snooping globally, MAC-address verification, Configure Global information option; and sets the information policy Configure VLAN Enables DHCP snooping on a VLAN...
  • Page 101 Chapter 4: Using the Web Interface Table 4-2. Switch Main Menu (Continued) Menu Description Assigns IGMP filter profiles to port interfaces and sets throttling Configure Interface action Multicast VLAN Registration Globally enables MVR, sets the MVR VLAN, adds multicast Configure General stream addresses Configures MVR interface type and immediate leave mode;...
  • Page 103: Chapter 5 Basic Management Tasks

    System Description – Brief description of device type. • System Object ID – MIB II object ID for switch’s network management subsystem. (SSE-G2252: 1.3.6.1.4.1.10876.101.202, SSE-G2252P: 1.3.6.1.4.1.10876.101.203) • System Up Time – Length of time the management agent has been up.
  • Page 104: Displaying Switch Hardware/Software Versions

    System Contact – Administrator responsible for the system. • System Fan – Shows the current status of all system fans. The number of fans provided: SSE-G2252 - 0, SSE-G2252P - 2 Web Interface To configure general system information: 1. Click S >...
  • Page 105: Configuring Support For Jumbo Frames

    Chapter 5: Basic Management Tasks Main Board Information • Serial Number – The serial number of the switch. • Number of Ports – Number of built-in ports. • Hardware Version – Hardware version of the main board. • Internal Power Status – Displays the status of the internal power supply. Management Software Information •...
  • Page 106: Displaying Bridge Extension Capabilities

    SSE-G2252/SSE-G2252P Switches User’s Manual Usage Guidelines To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size.
  • Page 107 Chapter 5: Basic Management Tasks • Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to Chapter 11: "Class of Service" on page 11-1.) • Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses.
  • Page 108: Managing System Files

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 5-4. Displaying Bridge Extension Configuration 5-5 Managing System Files This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. CLI References "copy" on page 21-15 for CLI reference information.
  • Page 109 Chapter 5: Basic Management Tasks • FTP Upgrade – Copies a file from an FTP server to the switch. • FTP Download – Copies a file from the switch to an FTP server. • HTTP Upgrade – Copies a file from a management station to the switch. •...
  • Page 110: Saving The Running Configuration To A Local File

    SSE-G2252/SSE-G2252P Switches User’s Manual 6. Set the file type to O > C or L PERATION OADER 7. Enter the name of the file to download. 8. Select a file on the switch to overwrite or specify a new file name.
  • Page 111: Setting The Start-Up File

    Chapter 5: Basic Management Tasks Web Interface To save the running configuration file: 1. Click S , then F YSTEM 2. Select C from the Action list. 3. Select R from the C list. UNNING ONFIG 4. Select the current startup file on the switch to overwrite or specify a new file name. 5.
  • Page 112: Showing System Files

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 5-7. Setting Start-Up Files To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Showing System Files Use the System > File (Show) page to show the files in the system directory, or to delete a file.
  • Page 113: Automatic Operation Code Upgrade

    Chapter 5: Basic Management Tasks Figure 5-8. Displaying System Files Automatic Operation Code Upgrade Use the S > F ) page to automatically YSTEM UTOMATIC PERATION PGRADE download an operation code file when a file newer than the currently installed one is discovered on the file server.
  • Page 114
    • The FTP connection is made with PASV mode enabled. PASV mode is needed to traverse some firewalls, even if FTP traffic is not blocked. PASV mode cannot be disabled.
    • The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept SSE-G2252_OP.BIX from the...
  • Page 115
    The following syntax must be observed: tftp://host[/filedir]/
    • tftp:// – Defines TFTP protocol for the server connection.
    • host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
    •...
  • Page 116: Web Interface

    • ftp://192.168.0.1/
      The user name and password are empty, so “anonymous” will be the user name and the password will be blank. The image file is in the FTP root directory.
    • ftp://switches:upgrade@192.168.0.1/
      The user name is “switches” and the password is “upgrade”. The image file is in the FTP root.
  • Page 117: Setting The System Clock

    Chapter 5: Basic Management Tasks 5-6 Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 118: Setting The SNTP Polling Interval

    SSE-G2252/SSE-G2252P Switches User’s Manual 5. Click A PPLY Figure 5-10. Manually Setting the System Clock Setting the SNTP Polling Interval Use the S > T - SNTP) page to set the polling interval at YSTEM ONFIGURE ENERAL which the switch will query the specified time servers.
  • Page 119: Specifying SNTP Time Servers

    Chapter 5: Basic Management Tasks Figure 5-11. Setting the Polling Interval for SNTP Specifying SNTP Time Servers Use the S > T ) page to specify the IP address for up YSTEM ONFIGURE ERVER to three SNTP time servers. CLI References "sntp server"...
  • Page 120: Setting The Time Zone

    SSE-G2252/SSE-G2252P Switches User’s Manual Setting the Time Zone Use the S > T ) page to set the time zone. SNTP YSTEM ONFIGURE ERVER uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 121: Configuring The Console Port

    Figure 5-13. Setting the Time Zone
    5-7 Configuring the Console Port
    Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 122 SSE-G2252/SSE-G2252P Switches User’s Manual • Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits) •...
  • Page 123: Configuring Telnet Settings

    Figure 5-14. Console Port Settings
    5-8 Configuring Telnet Settings
    Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal).
  • Page 124: Displaying Cpu Utilization

    SSE-G2252/SSE-G2252P Switches User’s Manual • Silent Time – Sets the amount of time the management interface is inaccessible after the number of unsuccessful logon attempts has been exceeded. (Range: 0-65535 seconds; Default: 30 seconds) • Max Sessions – Sets the maximum number of Telnet sessions that can simultaneously connect to this system.
  • Page 125: Displaying Memory Utilization

    • CPU Utilization – CPU utilization over specified interval.
    Web Interface
    To display CPU utilization:
    1. Click System, then CPU Utilization.
    2. Change the update interval if required. Note that the interval is changed as soon as a new setting is selected.
  • Page 126: Resetting The System

    Figure 5-17. Displaying Memory Utilization
    5-11 Resetting the System
    Use the System > Reload menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
    CLI References
    See the following for CLI reference information: •...
  • Page 127 Chapter 5: Basic Management Tasks • minutes – The number of minutes, combined with the hours, before the switch resets. (Range: 0-59) • At – Specifies a periodic interval at which to reload the switch. • DD - The day of the month at which to reload. (Range: 1-31) •...
  • Page 128 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 5-18. Restarting the Switch (Immediately) Figure 5-19. Restarting the Switch (In) 5-26...
  • Page 129 Chapter 5: Basic Management Tasks Figure 5-20. Restarting the Switch (At) Figure 5-21. Restarting the Switch (Regularly) 5-27...
  • Page 131: Chapter 6 Interface Configuration

    Chapter 6: Interface Configuration Chapter 6 Interface Configuration This chapter describes the following topics: • Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. • Configuring Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
  • Page 132 You may also disable an interface for security reasons. • Media Type – Configures the forced/preferred port type to use for the combination ports (49-52 on the SSE-G2252/P). • Copper-Forced - Always uses the built-in RJ-45 port.
  • Page 133 (i.e., with auto-negotiation disabled) • Giga PHY Mode – Forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports 49-52 on the SSE-G2252/ SSE-G2252P. The following options are supported: • Master - Sets the selected port as master.
  • Page 134: Configuring By Port Range

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 6-1. Configuring Connections by Port List Configuring by Port Range Use the I > P > G ) page to enable/ NTERFACE ENERAL ONFIGURE BY ANGE disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 135 Chapter 6: Interface Configuration Figure 6-2. Configuring Connections by Port Range...
  • Page 136: Displaying Connection Status

    SSE-G2252/SSE-G2252P Switches User’s Manual Displaying Connection Status Use the Interface > P > G ) page to display the current ENERAL NFORMATION connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI References "show interfaces status" on page 27-15 for CLI reference information.
  • Page 137: Configuring Local Port Mirroring

    Figure 6-3. Displaying Port Information
    Configuring Local Port Mirroring
    Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 138 SSE-G2252/SSE-G2252P Switches User’s Manual • When mirroring port traffic, the target port must be included in the same VLAN as the source port when using MSTP (see Chapter 9: "Spanning Tree Algorithm" on page 9-1). • When mirroring VLAN traffic (see Section 7-6: "Configuring VLAN Mirroring"...
  • Page 139: Configuring Remote Port Mirroring

    Chapter 6: Interface Configuration To display the configured mirror sessions: 1. Click I > P > M NTERFACE IRROR 2. Select S from the Action List. Figure 6-6. Displaying Local Port Mirror Sessions Configuring Remote Port Mirroring Use the I >...
  • Page 140 SSE-G2252/SSE-G2252P Switches User’s Manual CLI References Section 30-2: "RSPAN Mirroring Commands" on page 30-5 for CLI reference information. Command Usage Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in "Configuring Local Port Mirroring"...
  • Page 141 Chapter 6: Interface Configuration • MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports.
  • Page 142 SSE-G2252/SSE-G2252P Switches User’s Manual • Type – Specifies the traffic type to be mirrored remotely. (Options: Rx, Tx, Both) • Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
  • Page 143: Showing Port Or Trunk Statistics

    Chapter 6: Interface Configuration Figure 6-9. Configuring Remote Port Mirroring (Intermediate) Figure 6-10. Configuring Remote Port Mirroring (Destination) Showing Port or Trunk Statistics Use the I > P > S or C page to display standard NTERFACE RUNK TATISTICS HART statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 144 SSE-G2252/SSE-G2252P Switches User’s Manual NOTE: RMON groups 2, 3 and 9 can only be accessed using SNMP management software. CLI References "show interfaces counters" on page 27-14 for CLI reference information. Parameters These parameters are displayed in the web interface: Table 6-1.
  • Page 145 Chapter 6: Interface Configuration Table 6-1. Port Statistics (Continued) Parameter Description The total number of packets that higher-level protocols requested be Transmitted Broadcast Packets transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent. The number of packets received via the interface which were Received Unknown Packets discarded because of an unknown or unsupported protocol.
  • Page 146 SSE-G2252/SSE-G2252P Switches User’s Manual Table 6-1. Port Statistics (Continued) Parameter Description Total number of octets of data received on the network. This statistic Received Octets can be used as a reasonable indication of Ethernet utilization. Received Packets The total number of packets (bad, broadcast and multicast) received.
  • Page 147 Chapter 6: Interface Configuration Figure 6-11. Showing Port Statistics (Table) To show a chart of port statistics: 1. Click I > P > C NTERFACE HART 2. Select the statistics mode to display (Interface, Etherlike, RMON or All). 3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list.
  • Page 148: Performing Cable Diagnostics

    Ports are linked down while running cable diagnostics. Parameters These parameters are displayed in the web interface: • Port – Switch port identifier. (SSE-G2252/P: 1-52) • Type – Displays media type. (FE – Fast Ethernet, GE – Gigabit Ethernet) •...
  • Page 149: Trunk Configuration

    Chapter 6: Interface Configuration For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters. For link-up ports, the accuracy is +/- 10 meters. • Last Updated – Shows the last time this port was tested. Web Interface To test the cable attached to a port: 1.
  • Page 150: Configuring A Static Trunk

    SSE-G2252/SSE-G2252P Switches User’s Manual The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP). Static trunks have to be manually configured at both ends of the link, and the switches must comply with the Cisco EtherChannel standard. On the other hand, LACP configured ports can automatically negotiate a trunked link with LACP-configured ports on another device.
  • Page 151 Chapter 6: Interface Configuration Figure 6-14. Configuring Static Trunks statically configured active links CLI References Chapter 28: "Link Aggregation Commands" on page 28-1 Chapter 27: "Interface Commands" on page 27-1 for CLI reference information. Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation.
  • Page 152 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 6-15. Creating Static Trunks To configure connection parameters for a static trunk: 1. Click I > T > S NTERFACE RUNK TATIC 2. Select C from the Step list. ONFIGURE ENERAL 3. Select C from the Action list.
  • Page 153: Configuring A Dynamic Trunk

    Chapter 6: Interface Configuration Figure 6-17. Showing Information for Static Trunks Configuring a Dynamic Trunk Use the I > T > D ) page to set the NTERFACE RUNK YNAMIC ONFIGURE GGREGATOR administrative key for an aggregation group, enable LACP on a port, and configure protocol parameters for local and partner ports.
  • Page 154 Admin Key – LACP administration key is used to identify a specific link aggregation group (LAG) during local LACP setup on the switch. (Range: 0-65535) Configure Aggregation Port - General • Port – Port identifier. (SSE-G2252/P: 1-52) • LACP Status – Enables or disables LACP on a port. Configure Aggregation Port - Actor/Partner •...
  • Page 155 Chapter 6: Interface Configuration NOTE: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor. Web Interface To configure the admin key for a dynamic trunk: 1.
  • Page 156 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 6-20. Enabling LACP on a Port To configure LACP parameters for group members: 1. Click I > T > D NTERFACE RUNK YNAMIC 2. Select C from the Step list. ONFIGURE GGREGATION 3. Select C from the Action list.
  • Page 157
    4. Modify the required interface settings. (Refer to "Configuring by Port List" on page 6-1 for a description of the parameters.)
    5. Click Apply.
    Figure 6-22. Configuring Connection Parameters for a Dynamic Trunk
    To show the connection parameters for a dynamic trunk: 1....
  • Page 158: Displaying LACP Port Counters

    SSE-G2252/SSE-G2252P Switches User’s Manual Displaying LACP Port Counters Use the I > T > D NTERFACE RUNK YNAMIC ONFIGURE GGREGATION ) page to display statistics for LACP protocol messages. NFORMATION OUNTERS CLI References "show lacp" on page 28-9 for CLI reference information.
  • Page 159: Displaying LACP Settings And Status For The Local Side

    Chapter 6: Interface Configuration Figure 6-25. Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Use the I > T > D NTERFACE RUNK YNAMIC ONFIGURE GGREGATION ) page to display the configuration settings and operational state NFORMATION NTERNAL for the local side of a link aggregation.
  • Page 160 SSE-G2252/SSE-G2252P Switches User’s Manual Table 6-3. LACP Internal Configuration Information (Continued) Parameter Description LACPDUs Interval Number of seconds before invalidating received LACPDU information. Administrative or operational values of the actor’s state parameters: Expired – The actor’s receive machine is in the expired state;...
  • Page 161: Displaying Lacp Settings And Status For The Remote Side

    Chapter 6: Interface Configuration Figure 6-26. Displaying LACP Port Internal Information Displaying LACP Settings and Status for the Remote Side Use the I > T > D NTERFACE RUNK YNAMIC ONFIGURE GGREGATION ) page to display the configuration settings and operational NFORMATION EIGHBORS state for the remote side of a link aggregation.
  • Page 162: Configuring Trunk Mirroring

    SSE-G2252/SSE-G2252P Switches User’s Manual Table 6-4. LACP Internal Configuration Information (Continued) Parameter Description Administrative values of the partner’s state parameters. (See preceding Admin State table.) Operational values of the partner’s state parameters. (See preceding Oper State table.) Web Interface To display LACP settings and status for the remote side: 1.
  • Page 163 (Range: 1-12) • Target Port – The port that will mirror the traffic on the source trunk. (SSE-G2252/P: 1-52) • Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both. (Default: Both)
  • Page 164: Saving Power

    SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure a local mirror session: 1. Click I > T > M NTERFACE RUNK IRROR 2. Select A from the Action List. 3. Specify the source trunk. 4. Specify the monitor port. 5. Specify the traffic type to be mirrored.
  • Page 165 Chapter 6: Interface Configuration Command Usage • IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
  • Page 166: Traffic Segmentation

    3. Click Apply.
    Figure 6-31. Enabling Power Savings
    6-4 Traffic Segmentation
    If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports.
  • Page 167: Configuring Uplink And Downlink Ports

    These parameters are displayed in the web interface: • Interface – Displays a list of ports or trunks. • Port – Port Identifier. (SSE-G2252/P: 1-52) • Trunk – Trunk Identifier. (Range: 1-12) • Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink.
  • Page 168: VLAN Trunking

    3. Click Port or Trunk to specify the interface type.
    4. Select Uplink or Downlink in the Direction list to add a group member.
    5. Click Apply.
    Figure 6-33. Configuring Members for Traffic Segmentation...
  • Page 169 These parameters are displayed in the web interface: • Interface – Displays a list of ports or trunks. • Port – Port Identifier. (SSE-G2252/P: 1-52) • Trunk – Trunk Identifier. (Range: 1-12) • VLAN Trunking Status – Enables VLAN trunking on the selected interface.
  • Page 170 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 6-35. Configuring VLAN Trunking 6-40...
  • Page 171: Chapter 7 VLAN Configuration

    Chapter 7: VLAN Configuration Chapter 7 VLAN Configuration This chapter includes the following topics: • IEEE 802.1Q VLANs – Configures static and dynamic VLANs. • IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 172: Assigning Ports To VLANs

    SSE-G2252/SSE-G2252P Switches User’s Manual • Port overlapping, allowing a port to participate in multiple VLANs • End stations can belong to multiple VLANs • Passing traffic between VLAN-aware and VLAN-unaware devices • Priority tagging Assigning Ports to VLANs Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate.
  • Page 173: Port Overlapping

    Port Overlapping
    Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.
  • Page 174: Forwarding Tagged/Untagged Frames

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 7-2. Using GVRP Port-based VLAN 10 11 15 16 Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 175 Chapter 7: VLAN Configuration Parameters These parameters are displayed in the web interface: • VLAN ID – ID of VLAN or range of VLANs (1-4093). Up to 256 VLAN groups can be defined. VLAN 1 is the default untagged VLAN. VLAN 4093 is dedicated for Switch Clustering.
  • Page 176: Adding Static Members To VLANs

    Groups" on page 7-4. • Interface – Displays a list of ports or trunks. • Port – Port Identifier. (SSE-G2252/P: 1-52) • Trunk – Trunk Identifier. (Range: 1-12) • Mode – Indicates VLAN membership mode for an interface. (Default: Access) •...
  • Page 177 Chapter 7: VLAN Configuration • PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN. When using Hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.
  • Page 178 All parameters are the same as those described under the earlier section for Modify VLAN and Member Ports, except for the items shown below. • Port Range – Displays a list of ports. (SSE-G2252/P: 1-52) • Trunk Range – Displays a list of ports. (Range: 1-12)
  • Page 179 3. Select a port or trunk to configure. 4. Modify the settings for any interface as required. 5. Click Apply. Figure 7-5. Configuring Static VLAN Members by Interface To configure static members by interface range: 1. Click VLAN > Static. 2.
  • Page 180: Configuring Dynamic Vlan Registration

    (Default: Disabled) Configure Interface • Interface – Displays a list of ports or trunks. • Port – Port Identifier. (SSE-G2252/P: 1-52) • Trunk – Trunk Identifier. (Range: 1-12) • GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect (using the Configure General page).
  • Page 181 Chapter 7: VLAN Configuration • LeaveAll – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
  • Page 182 Figure 7-8. Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch: 1. Click VLAN > Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN from the Action list.
  • Page 183: Ieee 802.1Q Tunneling

    Chapter 7: VLAN Configuration Figure 7-10. Showing the Members of a Dynamic VLAN 7-2 IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 184 SSE-G2252/SSE-G2252P Switches User’s Manual When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet.
  • Page 185 Chapter 7: VLAN Configuration 3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag). 4. The switch sends the packet to the proper egress port. 5.
  • Page 186 SSE-G2252/SSE-G2252P Switches User’s Manual 8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags. Configuration Limitations for QinQ •...
  • Page 187: Enabling Qinq Tunneling On The Switch

    Enabling QinQ Tunneling on the Switch Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network.
  • Page 188: Adding An Interface To A Qinq Tunnel

    These parameters are displayed in the web interface: • Interface – Displays a list of ports or trunks. • Port – Port Identifier. (SSE-G2252/P: 1-52) • Trunk – Trunk Identifier. (Range: 1-12) • Mode – Sets the VLAN membership mode of the port.
  • Page 189: Protocol Vlans

    • Uplink – Configures QinQ tunneling for an uplink port to another device within the service provider network. Web Interface To add an interface to a QinQ tunnel: 1. Click VLAN > Tunnel. 2. Select C from the Step list.
  • Page 190: Configuring Protocol Vlan Groups

    SSE-G2252/SSE-G2252P Switches User’s Manual VLAN for each major protocol running on your network. Do not add port members at this time. 2. Create a protocol group for each of the protocols you want to assign to a VLAN using the C ) page.
  • Page 191: Mapping Protocol Groups To Interfaces

    4. Select an entry from the Frame Type list. 5. Select an entry from the Protocol Type list. 6. Enter an identifier for the protocol group. 7. Click Apply. Figure 7-14. Configuring Protocol VLANs To configure a protocol group: 1.
  • Page 192 These parameters are displayed in the web interface: • Interface – Displays a list of ports or trunks. • Port – Port Identifier. (SSE-G2252/P: 1-52) • Trunk – Trunk Identifier. (Range: 1-12) • Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group.
  • Page 193: Configuring Ip Subnet Vlans

    Figure 7-16. Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: 1. Click VLAN > Protocol. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list.
  • Page 194 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a mask. • When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame.
  • Page 195: Configuring Mac-Based Vlans

    Figure 7-18. Configuring IP Subnet VLANs To show the configured IP subnet VLANs: 1. Click VLAN > IP Subnet. 2. Select Show from the Action list. Figure 7-19. Showing IP Subnet VLANs 7-5 Configuring MAC-based VLANs Use the VLAN >...
  • Page 196 SSE-G2252/SSE-G2252P Switches User’s Manual • Configured MAC addresses cannot be broadcast or multicast addresses. • When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. Parameters These parameters are displayed in the web interface: •...
  • Page 197: Configuring Vlan Mirroring

    Figure 7-21. Showing MAC-Based VLANs 7-6 Configuring VLAN Mirroring Use the VLAN > Mirror page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 198 SSE-G2252/SSE-G2252P Switches User’s Manual Parameters These parameters are displayed in the web interface: • Source VLAN – A VLAN whose traffic will be monitored. (Range: 1-4093) • Target Port – The destination port that receives the mirrored traffic from the source VLAN.
  • Page 199: Chapter 8 Address Table Settings

    Chapter 8 Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 200 SSE-G2252/SSE-G2252P Switches User’s Manual Parameters These parameters are displayed in the web interface: • VLAN – ID of configured VLAN. (Range: 1-4093) • Interface – Port or trunk associated with the device assigned a static address. • MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 201: Changing The Aging Time

    • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (SSE-G2252/P: 10-844 seconds; Default: 300 seconds) Web Interface To set the aging time for entries in the dynamic address table: 1.
  • Page 202: Displaying The Dynamic Address Table

    Figure 8-3. Setting the Address Aging Time 8-3 Displaying the Dynamic Address Table Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 203: Clearing The Dynamic Address Table

    Figure 8-4. Displaying the Dynamic MAC Address Table 8-4 Clearing the Dynamic Address Table Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. CLI References "clear mac-address-table dynamic"...
  • Page 204: Configuring Mac Address Mirroring

    Figure 8-5. Clearing Entries in the Dynamic MAC Address Table 8-5 Configuring MAC Address Mirroring Use the MAC Address > Mirror page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 205 • Target Port – The port that will mirror the traffic from the source port. (SSE-G2252/P: 1-52) Web Interface To mirror packets based on a MAC address: 1. Click MAC Address > Mirror. 2.
  • Page 207: Chapter 9 Spanning Tree Algorithm

    Chapter 9: Spanning Tree Algorithm Chapter 9 Spanning Tree Algorithm This chapter describes the following basic topics: • Configuring Loopback Detection – Describes the configuration for detection and response to loopback BPDUs. • Configuring Global Settings for STA – Describes the configuration for global bridge settings for STP, RSTP and MSTP.
  • Page 208: Stp

    SSE-G2252/SSE-G2252P Switches User’s Manual STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device.
  • Page 209 Figure 9-2. MSTP Region, Internal Spanning Tree, Multiple Spanning Tree An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 210: Configuring Loopback Detection

    SSE-G2252/SSE-G2252P Switches User’s Manual Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI), the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs. MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree (CST).
  • Page 211: Configuring Global Settings For Sta

    Chapter 9: Spanning Tree Algorithm • Release – Allows an interface to be manually released from discard mode. This is only available if the interface is configured for manual release mode. Web Interface To configure loopback detection: 1. Click S >...
  • Page 212 SSE-G2252/SSE-G2252P Switches User’s Manual Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 213 Chapter 9: Spanning Tree Algorithm • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 214 SSE-G2252/SSE-G2252P Switches User’s Manual • Maximum: The lower of 40 or [2 x (Forward Delay - 1)] • Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 215 Chapter 9: Spanning Tree Algorithm Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table.
  • Page 216 Figure 9-5. Configuring Global Settings for STA (STP) Figure 9-6. Configuring Global Settings for STA (RSTP)
  • Page 217: Displaying Global Settings For Sta

    Figure 9-7. Configuring Global Settings for STA (MSTP) Displaying Global Settings for STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 218: Configuring Interface Settings For Sta

    SSE-G2252/SSE-G2252P Switches User’s Manual • Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 219 Parameters These parameters are displayed in the web interface: • Interface – Displays a list of ports or trunks. • Admin Edge Status for all ports – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration...
  • Page 220 SSE-G2252/SSE-G2252P Switches User’s Manual • Range: 0-240, in steps of 16 • Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 221 Chapter 9: Spanning Tree Algorithm • Admin Edge Port – Refer to “Admin Edge Status for all ports” at the beginning of this section. • BPDU Guard – This feature protects edge ports from receiving BPDUs. It prevents loops by shutting down an edge port when a BPDU is received instead of putting it into the spanning tree discarding state.
  • Page 222: Displaying Interface Settings For Sta

    Figure 9-9. Configuring Interface Settings for STA 9-5 Displaying Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.
  • Page 223 Chapter 9: Spanning Tree Algorithm • If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding. •...
  • Page 224 Figure 9-10. STA Port Roles (R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port) Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. Backup port receives more...
  • Page 225: Configuring Multiple Spanning Trees

    Figure 9-11. Displaying Interface Settings for STA 9-6 Configuring Multiple Spanning Trees Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References Chapter 34: "Spanning Tree Commands"...
  • Page 226 SSE-G2252/SSE-G2252P Switches User’s Manual 3. Add the VLANs that will share this MSTI on the Spanning Tree > MSTP (Configure Global - Add Member) page. NOTE: All VLANs are automatically added to the IST (Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.
  • Page 227 3. Select Show Information from the Action list. 4. Select an MST ID. The attributes displayed on this page are described under "Displaying Global Settings for STA" on page 9-11. Figure 9-13. Displaying Global Settings for an MST Instance To add additional VLAN groups to an MSTP instance: 1.
  • Page 228: Configuring Interface Settings For Mstp

    Figure 9-15. Displaying Members of an MST Instance 9-7 Configuring Interface Settings for MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
  • Page 229 • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 230 To display MSTP parameters for a port or trunk: 1. Click Spanning Tree > MSTP. 2. Select Configure Interface from the Step list. 3. Select Show Information from the Action list. Figure 9-17. Displaying MSTP Interface Settings...
  • Page 231: Chapter 10 Congestion Control

    Chapter 10: Congestion Control Chapter 10 Congestion Control The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 232 Therefore, when the rate limit is set at 64 kbit/s, each scale has a shared bandwidth of 80 bytes. When the packet size = 64 bytes, and the gap = 20 bytes, each packet = 84 bytes > 80 bytes. Only one packet can pass through in each scale.
  • Page 233 Chapter 10: Congestion Control Parameters These parameters are displayed in the web interface: • Port – Displays the port number. • Type – Indicates the port type. (100Base-TX, 1000Base-T, or SFP) • Status – Enables or disables the rate limit. (Default: Disabled) •...
  • Page 234: Storm Control

    10-2 Storm Control Use the Traffic > Congestion Control > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
  • Page 235 Chapter 10: Congestion Control Parameters These parameters are displayed in the web interface: • Interface – Displays a list of ports or trunks. • Type – Indicates interface type. (100Base-TX, 1000Base-T, or SFP) • Unknown Unicast – Specifies storm control for unknown unicast traffic. •...
  • Page 236: Automatic Traffic Control

    10-3 Automatic Traffic Control Use the Traffic > Congestion Control > Automatic Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.
  • Page 237: Setting The Atc Timers

    Chapter 10: Congestion Control • The traffic control response of rate limiting can be released automatically or manually. The control response of shutting down a port can only be released manually. Figure 10-4. Storm Control by Shutting Down a Port The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided.
  • Page 238 Command Usage • After the apply timer expires, the settings in the Traffic > Automatic Traffic Control (Configure Interface) page are used to determine if a control action will be triggered (as configured under the A...
  • Page 239: Configuring Atc Thresholds And Responses

    Configuring ATC Thresholds and Responses Use the Traffic > Congestion Control > Automatic Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
  • Page 240 SSE-G2252/SSE-G2252P Switches User’s Manual • Alarm Fire Threshold – The upper threshold for ingress traffic beyond which a storm control response is triggered after the Apply Timer expires. (Range: 1-255 kilo-packets per second; Default: 128 Kpps) Once the traffic rate exceeds the upper threshold and the Apply Timer expires, a trap message will be sent if configured by the Trap Storm Fire attribute.
  • Page 241 Figure 10-6. Configuring ATC Interface Attributes
  • Page 243: Chapter 11 Class Of Service

    Chapter 11 Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 244: Selecting The Queue Mode

    SSE-G2252/SSE-G2252P Switches User’s Manual • If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters These parameters are displayed in the web interface: • Interface – Displays a list of ports or trunks.
  • Page 245 Chapter 11: Class of Service CLI References "queue mode" on page 36-2 "show queue mode" on page 36-6 for CLI reference information. Command Usage • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. •...
  • Page 246 SSE-G2252/SSE-G2252P Switches User’s Manual • Strict Mode – If “Strict and WRR” mode is selected, then a combination of strict and weighted service is used as specified for each queue. Use this parameter to specify the queues assigned to use strict priority when using the strict-weighted queuing mode.
  • Page 247: Mapping Cos Values To Egress Queues

    Figure 11-4. Setting the Queue Mode (Strict and WRR) Mapping CoS Values to Egress Queues Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see "Mapping CoS Priorities to Internal DSCP Values"...
  • Page 248 SSE-G2252/SSE-G2252P Switches User’s Manual Table 11-2. CoS Priority Levels (Continued) Priority Level Traffic Type Excellent Effort Controlled Load Video, less than 100 milliseconds latency and jitter Voice, less than 10 milliseconds latency and jitter Network Control CLI References "qos map phb-queue" on page 36-10 for CLI reference information.
  • Page 249: Layer 3/4 Priority Settings

    Figure 11-5. Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map: 1. Click Traffic > Priority > PHB to Queue. 2. Select Show from the Action list. Figure 11-6. Showing CoS Values to Egress Queue Mapping 11-2 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet...
  • Page 250: Setting Priority Processing To Dscp Or Cos

    SSE-G2252/SSE-G2252P Switches User’s Manual Because different priority information may be contained in the traffic, this switch maps priority values to the output queues in the following manner – The precedence for priority mapping is DSCP Priority and then Default Port Priority.
  • Page 251: Mapping Ingress Dscp Values To Internal Dscp Values

    Web Interface To configure the trust mode: 1. Click Priority > Trust. 2. Select the interface type to display (Port or Trunk). 3. Set the trust mode. 4. Click Apply. Figure 11-7. Setting the Trust Mode Mapping Ingress DSCP Values to Internal DSCP Values Use the T...
  • Page 252 SSE-G2252/SSE-G2252P Switches User’s Manual • This map is only used when the priority mapping mode is set to DSCP (see page 11-8), and the ingress packet type is IPv4. • Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain.
  • Page 253: Mapping Cos Priorities To Internal Dscp Values

    Web Interface To map DSCP values to internal PHB/drop precedence: 1. Click Traffic > Priority > DSCP to DSCP. 2. Select A from the Action list. 3. Set the PHB and drop precedence for any DSCP value. 4.
  • Page 254 SSE-G2252/SSE-G2252P Switches User’s Manual CLI References "qos map cos-dscp" on page 36-7 for CLI reference information. Command Usage • The default mapping of CoS to PHB values is shown in Table 11-5: "Default Mapping of CoS/CFI to Internal PHB/Drop Precedence" on page 11-12.
  • Page 255 Table 11-5. Default Mapping of CoS/CFI to Internal PHB/Drop Precedence CFI CoS (6,0) (6,0) (7,0) (7,0) Web Interface To map CoS/CFI values to internal PHB/drop precedence: 1. Click Traffic > Priority > CoS to DSCP. 2.
  • Page 256 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 11-11. Showing CoS to DSCP Internal Mapping 11-14...
  • Page 257: Chapter 12 Quality Of Service

    Chapter 12: Quality of Service Chapter 12 Quality of Service This chapter describes the following tasks required to apply QoS policies: "Configuring a Class Map" – Creates a map which identifies a specific class of traffic. "Creating QoS Policies"– Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
  • Page 258: Configuring A Class Map

    Command Usage To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic. 2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 259 Chapter 12: Quality of Service Add Rule • Class Name – Name of the class map. • Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command. •...
  • Page 260 Figure 12-2. Showing Class Maps To edit the rules for a class map: 1. Click Traffic > DiffServ. 2. Select Configure Class from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a class map.
  • Page 261: Creating Qos Policies

    Figure 12-4. Showing the Rules for a Class Map 12-3 Creating QoS Policies Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 12-2), modify service tagging, and enforce bandwidth policing.
  • Page 262 SSE-G2252/SSE-G2252P Switches User’s Manual • The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. In addition to the actions defined by this command to transmit, remark the DSCP service value, or drop a packet, the switch will also mark the two color bits used to set the drop precedence of a packet for Random Early Detection.
  • Page 263 Chapter 12: Quality of Service The metering policy guarantees a deterministic behavior where the volume of green packets is never smaller than what has been determined by the CIR and BC, that is, tokens of a given color are always spent on packets of that color. Refer to RFC 2697 for more information on other aspects of srTCM.
  • Page 264 SSE-G2252/SSE-G2252P Switches User’s Manual • if the packet has been precolored as yellow or if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else • the packet is green and both Tp and Tc are decremented by B.
  • Page 265 Chapter 12: Quality of Service Table 11-5: "Default Mapping of CoS/CFI to Internal PHB/Drop Precedence" on page 11-12). • Set PHB – Configures the service provided to ingress traffic by setting the internal per-hop behavior for a matching packet (as specified in rule settings for a class map).
  • Page 266 SSE-G2252/SSE-G2252P Switches User’s Manual • srTCM (Police Meter) – Defines the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate) and excess burst size (BE), and the action to take for traffic conforming to the maximum throughput, exceeding the maximum throughput but within the excess burst size, or exceeding the excess burst size.
  • Page 267 Chapter 12: Quality of Service • trTCM (Police Meter) – Defines the committed information rate (CIR, or maximum throughput), peak information rate (PIR), and their associated burst sizes – committed burst size (BC, or burst rate) and peak burst size (BP), and the action to take for traffic conforming to the maximum throughput, exceeding the maximum throughput but within the peak information rate, or exceeding the peak information rate.
  • Page 268 • Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63). • Drop – Drops out of conformance traffic. Web Interface To configure a policy map: 1. Click Traffic > DiffServ. 2.
  • Page 269 To edit the rules for a policy map: 1. Click Traffic > DiffServ. 2. Select Configure Policy from the Step list. 3. Select A from the Action list. 4. Select the name of a policy map. 5.
  • Page 270: Attaching A Policy Map To A Port

    Figure 12-8. Showing the Rules for a Policy Map 12-4 Attaching a Policy Map to a Port Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port.
  • Page 271 Chapter 12: Quality of Service Figure 12-9. Attaching a Policy Map to a Port 12-15...
  • Page 273: Chapter 13 Voip Traffic Configuration

    Chapter 13: VoIP Traffic Configuration Chapter 13 VoIP Traffic Configuration This chapter covers the following topics: • "Configuring VoIP Traffic" – Configures VOIP globally, sets the Voice VLAN, and the aging time for attached ports. • "Configuring Telephony OUI"– Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 274 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage All ports are set to VLAN access mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first set the VLAN membership mode to hybrid (see "Adding Static Members to VLANs"...
  • Page 275: Configuring Telephony Oui

    Chapter 13: VoIP Traffic Configuration 13-3 Configuring Telephony OUI VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 276: Configuring Voip Traffic Ports

    Figure 13-2. Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: 1. Click Traffic > VoIP. 2. Select Configure OUI from the Step list. 3. Select Show from the Action list.
  • Page 277 Chapter 13: VoIP Traffic Configuration • Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None) • None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
  • Page 278 SSE-G2252/SSE-G2252P Switches User’s Manual 3. Configure any required changes to the VoIP settings for each port. 4. Click Apply. Figure 13-4. Configuring Port Settings for a Voice VLAN 13-6...
  • Page 279: Chapter 14 Security Measures

    Chapter 14: Security Measures Chapter 14 Security Measures You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 280: Aaa Authorization And Accounting

    SSE-G2252/SSE-G2252P Switches User’s Manual 14-1 AAA Authorization and Accounting The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network.
  • Page 281: Configuring Local/Remote Logon Authentication

    Chapter 14: Security Measures Configuring Local/Remote Logon Authentication Use the Security > AAA > System Authentication page to specify local or remote authentication. Local authentication restricts management access based on user names and passwords manually configured on the switch. Remote authentication uses a remote access authentication server based on RADIUS or TACACS+ protocols to verify management access.
  • Page 282: Configuring Remote Logon Authentication Servers

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-1. Configuring the Authentication Sequence Configuring Remote Logon Authentication Servers Use the Security > AAA > Server page to configure the message exchange parameters for RADIUS or TACACS+ remote access authentication servers. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller...
  • Page 283 Chapter 14: Security Measures CLI References Section 24-3: "RADIUS Client" on page 24-7, Section 24-4: "TACACS+ Client" on page 24-13 Section 24-5: "AAA" on page 24-16 for CLI reference information. Command Usage • If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol.
  • Page 284 SSE-G2252/SSE-G2252P Switches User’s Manual • Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) • Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made.
  • Page 285 Chapter 14: Security Measures 4. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server. 5. To set or modify the authentication key, mark the S box, enter the key, and then confirm it 6.
  • Page 286 SSE-G2252/SSE-G2252P Switches User’s Manual 5. Enter the group name, followed by the index of the server to use for each priority level. 6. Click Apply. Figure 14-5. Configuring AAA Server Groups To show the RADIUS or TACACS+ server groups used for accounting and authorization: 1.
  • Page 287: Configuring Aaa Accounting

    Chapter 14: Security Measures Configuring AAA Accounting Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.
  • Page 288 SSE-G2252/SSE-G2252P Switches User’s Manual Configure Service • Accounting Type – Specifies the service as 802.1X, Command or Exec as described in the preceding section. • 802.1X • Method Name – Specifies a user defined accounting method to apply to an interface.
  • Page 289 Chapter 14: Security Measures Figure 14-7. Configuring Global Settings for AAA Accounting To configure the accounting method applied to various service types and the assigned server group: 1. Click Security > AAA > Accounting. 2. Select Configure Method from the Step list. 3.
  • Page 290 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-9. Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: 1. Click S > AAA > A...
  • Page 291 Chapter 14: Security Measures Figure 14-11. Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: 1. Click Security > AAA > Accounting. 2. Select S from the Step list.
  • Page 292: Configuring Aaa Authorization

    SSE-G2252/SSE-G2252P Switches User’s Manual Configuring AAA Authorization Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI References Section 24-5: "AAA"...
  • Page 293 Chapter 14: Security Measures • Interface - Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group has not been assigned to an interface.) Web Interface To configure the authorization method applied to the Exec service type and the assigned server group: 1.
  • Page 294 SSE-G2252/SSE-G2252P Switches User’s Manual To configure the authorization method applied to local console, Telnet, or SSH connections: 1. Click Security > AAA > Authorization. 2. Select Configure Service from the Step list. 3. Enter the required authorization method.
  • Page 295: Configuring User Accounts

    Chapter 14: Security Measures 14-2 Configuring User Accounts Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References Section 24-1: "User Accounts" on page 24-2 for CLI reference information.
  • Page 296 SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure user accounts: 1. Click Security > User Accounts. 2. Select A from the Action list. 3. Specify a user name, select the user's access level, then enter a password if required and confirm it.
  • Page 297: Configuring Global Settings For Web Authentication

    Chapter 14: Security Measures 14-3 Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.
  • Page 298 SSE-G2252/SSE-G2252P Switches User’s Manual • Login Attempts – Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period. (Range: 1-3 attempts; Default: 3 attempts) Web Interface To configure global parameters for web authentication: 1.
  • Page 299: Configuring Interface Settings For Web Authentication

    Chapter 14: Security Measures Configuring Interface Settings for Web Authentication Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References Section 25-3: "Web Authentication" on page 25-20 for CLI reference information.
  • Page 300: Network Access (Mac Address Authentication)

    SSE-G2252/SSE-G2252P Switches User’s Manual 14-4 Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points. The switch enables network access from these devices to be controlled by authenticating device MAC addresses with a central RADIUS server.
  • Page 301 Chapter 14: Security Measures • When port status changes to down, all MAC addresses mapped to that port are cleared from the secure MAC address table. Static VLAN assignments are not restored. • The RADIUS server may optionally return a VLAN identifier list to be applied to the switch port.
  • Page 302: Configuring Global Settings For Network Access

    SSE-G2252/SSE-G2252P Switches User’s Manual • The Filter-ID attribute is empty. • The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (cannot recognize the whole Filter-ID attribute). • Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur: •...
  • Page 303: Configuring Network Access For Ports

    Chapter 14: Security Measures • Reauthentication Time – Sets the time period after which a connected host must be reauthenticated. When the reauthentication time expires for a secure MAC address, it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.
  • Page 304 SSE-G2252/SSE-G2252P Switches User’s Manual • Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication; that is, the Network Access process described in this section. (Range: 1-1024; Default: 1024) •...
  • Page 305: Configuring Port Link Detection

    Chapter 14: Security Measures 3. Click the General button. 4. Make any configuration changes required to enable address authentication on a port, set the maximum number of secure addresses supported, the guest VLAN to use when MAC Authentication or 802.1X Authentication fails, and the dynamic VLAN and QoS assignments.
  • Page 306: Configuring A Mac Address Filter

    SSE-G2252/SSE-G2252P Switches User’s Manual • Trap and shutdown – An SNMP trap is sent and the port is shut down. • Shutdown – The port is shut down. Web Interface To configure link detection on switch ports: 1. Click S >...
  • Page 307 Chapter 14: Security Measures Command Usage • Specified MAC addresses are exempt from authentication. • Up to 65 filter tables can be defined. • There is no limitation on the number of entries used in a filter table. Parameters These parameters are displayed in the web interface: •...
  • Page 308: Displaying Secure Mac Address Information

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-26. Showing the MAC Address Filter Table for Network Access Displaying Secure MAC Address Information Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
  • Page 309: Configuring Https

    Chapter 14: Security Measures Web Interface To display the authenticated MAC addresses stored in the secure MAC address table: 1. Click Security > Network Access. 2. Select Show Information from the Step list. 3. Use the sort key to display addresses based on MAC Address, Interface, or...
  • Page 310 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • HTTP and HTTPS are implemented as mutually exclusive services on the switch. (HTTP can only be configured through the CLI using the ip http server command described on page 24-28.) • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] •...
  • Page 311: Replacing The Default Secure-Site Certificate

    (unrecognized) certificate with an authorized one. NOTE: The switch must be reset for the new certificate to be activated. To reset the switch, see Section 5-11: "Resetting the System" on page 5-24 or type “reload” at the command prompt: SSE-G2252#reload 14-33...
  • Page 312: Configuring The Secure Shell

    SSE-G2252/SSE-G2252P Switches User’s Manual CLI References Section 24-6: "Web Server" on page 24-27 for CLI reference information. Parameters These parameters are displayed in the web interface: • TFTP Server IP Address – IP address of TFTP server which contains the certificate file.
  • Page 313 Chapter 14: Security Measures The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication.
  • Page 314 SSE-G2252/SSE-G2252P Switches User’s Manual Accounts page as described on Section 14-2: "Configuring User Accounts" on page 14-17.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key:...
  • Page 315: Configuring The Ssh Server

    Chapter 14: Security Measures Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
  • Page 316: Generating The Host Key Pair

    SSE-G2252/SSE-G2252P Switches User’s Manual • The server key is a private key that is never shared outside the switch. • The host key is shared with the SSH client, and is fixed at 1024 bits. Web Interface To configure the SSH server: 1.
  • Page 317 Chapter 14: Security Measures • Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both; Default: Both) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 318: Importing User Public Keys

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-32. Showing the SSH Host Key Pair Importing User Public Keys Use the S > SSH (C ) page to upload a user’s public ECURITY ONFIGURE key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism.
  • Page 319 Chapter 14: Security Measures • Source File Name – The public key file to upload. Web Interface To copy the SSH user’s public key: 1. Click S > SSH. ECURITY 2. Select C from the Step list. ONFIGURE 3. Select C from the Action list.
  • Page 320: Access Control Lists

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-34. Showing the SSH User’s Public Key 14-7 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
  • Page 321: Showing Tcam Utilization

    Chapter 14: Security Measures Showing TCAM Utilization Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
  • Page 322: Setting The Acl Name And Type

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-35. Showing TCAM Utilization Setting the ACL Name and Type Use the Security > ACL (Configure ACL - A) page to create an ACL. CLI References "access-list ip" on page 26-2, "show ip access-list" on page 26-9, "access-list ipv6"...
  • Page 323: Configuring A Standard Ipv4 Acl

    Chapter 14: Security Measures Web Interface To configure the name and type of an ACL: 1. Click Security > ACL. 2. Select Configure ACL from the Step list. 3. Select A from the Action list. 4. Fill in the ACL Name field, and select the ACL type.
  • Page 324 SSE-G2252/SSE-G2252P Switches User’s Manual Parameters These parameters are displayed in the web interface: • Type – Selects the type of ACLs to show in the Name list. • Name – Shows the names of ACLs matching the selected type. •...
  • Page 325: Configuring An Extended Ipv4 Acl

    Chapter 14: Security Measures Figure 14-38. Configuring a Standard IPv4 ACL Configuring an Extended IPv4 ACL Use the Security > ACL (Configure ACL - A - IP Extended) page to configure an Extended IPv4 ACL. CLI References "permit, deny, redirect-to (Extended IPv4 ACL)"...
  • Page 326 SSE-G2252/SSE-G2252P Switches User’s Manual • Type – Selects the type of ACLs to show in the Name list. • Name – Shows the names of ACLs matching the selected type. • Action – An ACL can contain any combination of rules which permit or deny a packet, or re-direct a packet to another port.
  • Page 327 Chapter 14: Security Measures • 32 (urg) – Urgent pointer For example, use the code value and mask below to catch packets with the following flags set: • SYN flag valid, use control-code 2, control bit mask 2 • Both SYN and ACK valid, use control-code 18, control bit mask 18 •...
  • Page 328: Configuring A Standard Ipv6 Acl

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-39. Configuring an Extended IPv4 ACL Configuring a Standard IPv6 ACL Use the Security > ACL (Configure ACL - A - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References "permit, deny, redirect-to (Standard IPv6 ACL)" on page 26-12, "show ipv6...
  • Page 329 Chapter 14: Security Measures • Source IPv6 Address – An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 330: Configuring An Extended Ipv6 Acl

    SSE-G2252/SSE-G2252P Switches User’s Manual Configuring an Extended IPv6 ACL Use the Security > ACL (Configure ACL - A - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI References "permit, deny, redirect-to (Extended IPv6 ACL)" on page 26-13, "show ipv6...
  • Page 331 Chapter 14: Security Measures UDP Upper-layer Header (RFC 1700) Routing (RFC 2460) Fragment (RFC 2460) Encapsulating Security Payload (RFC 2406) Authentication (RFC 2402) Destination Options (RFC 2460) • Time Range – Name of a time range. Web Interface To add rules to an Extended IPv6 ACL: 1.
  • Page 332: Configuring A Mac Acl

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-41. Configuring an Extended IPv6 ACL Configuring a MAC ACL Use the Security > ACL (Configure ACL - A - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
  • Page 333 Chapter 14: Security Measures • Source/Destination Bit Mask – Hexadecimal mask for source or destination MAC address. • Packet Format – This attribute includes the following packet types: • Any – Any Ethernet packet type. • Untagged-eth2 – Untagged Ethernet II packets. •...
  • Page 334: Configuring An Arp Acl

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-42. Configuring a MAC ACL Configuring an ARP ACL Use the Security > ACL (Configure ACL - A - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 335 Chapter 14: Security Measures • Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 14-45.) • Source/Destination MAC Address Type – Use “A ” to include all possible addresses, “H ”...
  • Page 336: Binding A Port To An Access Control List

    These parameters are displayed in the web interface: • Type – Selects the type of ACLs to bind to a port. • Port – Fixed port or SFP module. (SSE-G2252/P: 1-52) • ACL – ACL used for ingress packets. •...
  • Page 337 Chapter 14: Security Measures Web Interface To bind an ACL to a port: 1. Click Security > ACL. 2. Select Configure Interface from the Step list. 3. Select IP or MAC from the Type list. 4. Select a port. 5.
  • Page 338: Arp Inspection

    SSE-G2252/SSE-G2252P Switches User’s Manual • By default, ARP Inspection is disabled both globally and on all VLANs. • If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled. • When ARP Inspection is enabled globally, all ARP request and reply packets on inspection-enabled VLANs are redirected to the CPU and their switching behavior handled by the ARP Inspection engine.
  • Page 339 Chapter 14: Security Measures • IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses. •...
  • Page 340: Configuring Vlan Settings For Arp Inspection

    SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure global settings for ARP Inspection: 1. Click Security > ARP Inspection. 2. Select Configure General from the Step list. 3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required.
  • Page 341: Configuring Interface Settings For Arp Inspection

    Chapter 14: Security Measures • If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. Parameters These parameters are displayed in the web interface: •...
  • Page 342 SSE-G2252/SSE-G2252P Switches User’s Manual CLI References Section 25-6: "ARP Inspection" on page 25-43 for CLI reference information. Parameters These parameters are displayed in the web interface: • Port – Port identifier. • Trust Status – Configures the port as trusted or untrusted. (Default: Untrusted) By default, all untrusted ports are subject to ARP packet rate limiting, and all trusted ports are exempt from ARP packet rate limiting.
  • Page 343: Displaying Arp Inspection Statistics

    Chapter 14: Security Measures Figure 14-47. Configuring Interface Settings for ARP Inspection Displaying ARP Inspection Statistics Use the S > ARP I ) page to ECURITY NSPECTION NFORMATION TATISTICS display statistics about the number of ARP packets processed, or dropped for various reasons.
  • Page 344: Displaying The Arp Inspection Log

    SSE-G2252/SSE-G2252P Switches User’s Manual Table 14-4. ARP Inspection Statistics (Continued) Parameter Description Total ARP packets processed by ARP Count of all ARP packets processed by the ARP Inspection inspection engine. ARP packets dropped by additional Count of packets that failed the source MAC address test.
  • Page 345: Filtering Ip Addresses For Management Access

    Chapter 14: Security Measures Table 14-5. ARP Inspection Log Parameter Description VLAN ID The VLAN where this packet was seen. Port The port where this packet was seen. Src. IP Address The source IP address in the packet. Dst. IP Address The destination IP address in the packet.
  • Page 346 SSE-G2252/SSE-G2252P Switches User’s Manual • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 347: Configuring Port Security

    Chapter 14: Security Measures Figure 14-50. Creating an IP Address Filter for Management Access To show a list of IP addresses authorized for management access: 1. Click Security > IP Filter. 2. Select Show from the Action list. Figure 14-51.
  • Page 348 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • The default maximum number of MAC addresses allowed on a secure port is zero (that is, disabled). To use port security, you must configure the maximum number of addresses allowed on a port.
  • Page 349 Chapter 14: Security Measures Web Interface To set the maximum number of addresses which can be learned on a port: 1. Click S > P ECURITY ECURITY 2. If port security is enabled on the selected port, first clear the check box in S ECURITY column to disable security.
  • Page 350: Configuring 802.1X Port Authentication

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-53. Configuring the Status and Response for Port Security 14-11 Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 351 Chapter 14: Security Measures This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request.
  • Page 352: Configuring 802.1X Global Settings

    SSE-G2252/SSE-G2252P Switches User’s Manual • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) • The RADIUS server and client also have to support the same EAP authentication type –...
  • Page 353: Configuring Port Authenticator Settings For 802.1X

    Chapter 14: Security Measures • Identity Profile Password – The dot1x supplicant password used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator. (Range: 1-8 characters) • Confirm Profile Password – This field is used to confirm the dot1x supplicant password.
  • Page 354 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • When the switch functions as a local authenticator between supplicant devices attached to the switch and the authentication server, configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page.
  • Page 355 Chapter 14: Security Measures In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
  • Page 356 SSE-G2252/SSE-G2252P Switches User’s Manual • Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (See "Configuring VLAN Groups" on page 7-4) and mapped on each port (See "Configuring Network Access for Ports"...
  • Page 357: Configuring Port Supplicant Settings For 802.1X

    Chapter 14: Security Measures Figure 14-56. Configuring Interface Settings for 802.1X Port Authenticator Configuring Port Supplicant Settings for 802.1X Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
  • Page 358 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 14-74) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate clients through the remote authenticator on this configuration page.
  • Page 359: Displaying 802.1X Statistics

    Chapter 14: Security Measures 3. Click Supplicant. 4. Modify the supplicant settings for each port as required. 5. Click Apply. Figure 14-57. Configuring Interface Settings for 802.1X Port Supplicant Displaying 802.1X Statistics Use the Security > Port Authentication (Show Statistics) page to display statistics...
  • Page 360 SSE-G2252/SSE-G2252P Switches User’s Manual Table 14-6. 802.1X Statistics (Continued) Parameter Description The source MAC address carried in the most recent EAPOL frame Rx Last EAPOLSrc received by this Authenticator. The number of EAP Resp/Id frames that have been received by this Rx EAP Resp/Id Authenticator.
  • Page 361 Chapter 14: Security Measures Web Interface To display port authenticator statistics for 802.1X: 1. Click Security > Port Authentication. 2. Select Show Statistics from the Step list. 3. Click Authenticator. Figure 14-58. Showing Statistics for 802.1X Port Authenticator To display port supplicant statistics for 802.1X: 1.
  • Page 362: Ip Source Guard

    SSE-G2252/SSE-G2252P Switches User’s Manual 14-12 IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 363 Chapter 14: Security Measures • If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
  • Page 364: Configuring Static Bindings For Ip Source Guard

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 14-60. Setting the Filter Type for IP Source Guard Configuring Static Bindings for IP Source Guard Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier.
  • Page 365 Chapter 14: Security Measures • MAC Address – A valid unicast MAC address. • IP Address – A valid unicast IP address, including classful types A, B or C. Web Interface To configure static bindings for IP Source Guard: 1. Click S >...
  • Page 366: Displaying Information For Dynamic Ip Source Guard Bindings

    SSE-G2252/SSE-G2252P Switches User’s Manual Displaying Information for Dynamic IP Source Guard Bindings Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI References "show ip dhcp snooping binding" on page 25-37 for CLI reference information.
  • Page 367: Dhcp Snooping

    Chapter 14: Security Measures Figure 14-63. Showing the IP Source Guard Binding Table 14-13 DHCP Snooping The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).
  • Page 368 SSE-G2252/SSE-G2252P Switches User’s Manual • If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
  • Page 369: Dhcp Snooping Configuration

    Chapter 14: Security Measures • When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
  • Page 370: Dhcp Snooping Vlan Configuration

    SSE-G2252/SSE-G2252P Switches User’s Manual • Replace – Replaces the Option 82 information circuit-id and remote-id fields in the client’s request with information about the relay agent itself, inserts the relay agent’s address (when DHCP snooping is enabled), and forwards the packets to trusted ports.
  • Page 371 Chapter 14: Security Measures • When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled. • When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
  • Page 372 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
  • Page 373: Displaying Dhcp Snooping Binding Information

    Chapter 14: Security Measures Figure 14-66. Configuring the Port Mode for DHCP Snooping Displaying DHCP Snooping Binding Information Use the IP S > DHCP > S ) page to display entries in ERVICE NOOPING NFORMATION the binding table. CLI References "show ip dhcp snooping binding"...
  • Page 374 SSE-G2252/SSE-G2252P Switches User’s Manual • Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
  • Page 375: Chapter 15 Basic Administration Protocols

    Chapter 15: Basic Administration Protocols Chapter 15 Basic Administration Protocols This chapter describes basic administration tasks including: • Configuring Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 376 SSE-G2252/SSE-G2252P Switches User’s Manual CLI References Section 21-6: "Event Logging" on page 21-37 for CLI reference information. Parameters These parameters are displayed in the web interface: • System Log Status – Enables/disables the logging of debug or error messages to the logging process.
  • Page 377 Chapter 15: Basic Administration Protocols NOTE: All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source). Web Interface To configure the logging of error messages to system memory: 1.
  • Page 378: Remote Log Configuration

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-2. Showing Error Messages Logged to System Memory Remote Log Configuration Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
  • Page 379: Sending Simple Mail Transfer Protocol Alerts

    Chapter 15: Basic Administration Protocols • Server IP Address – Specifies the IP address of a remote server which will be sent syslog messages. Web Interface To configure the logging of error messages to remote servers: 1. Click A > L >...
  • Page 380 SSE-G2252/SSE-G2252P Switches User’s Manual • Severity – Sets the syslog severity threshold level (see Table 15-1: "Logging Levels" on page 15-2) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0.
  • Page 381 Chapter 15: Basic Administration Protocols Figure 15-4. Configuring General Settings for SMTP Alert Messages To specify SMTP servers: 1. Click Administration > Log > SMTP. 2. Select Configure Server from the Step list. 3. Select Add from the Action list.
  • Page 382: Link Layer Discovery Protocol

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-6. Showing Configured SMTP Servers 15-2 Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 383 Chapter 15: Basic Administration Protocols • Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below. (Range: 2-10; Default: 4) The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
  • Page 384: Configuring Lldp Interface Attributes

    SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure LLDP timing attributes: 1. Click Administration > LLDP. 2. Select Configure Global from the Step list. 3. Enable LLDP, and modify any of the timing parameters as required. 4. Click Apply. Figure 15-7.
  • Page 385 Chapter 15: Basic Administration Protocols This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA-1057), or vendor-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
  • Page 386 SSE-G2252/SSE-G2252P Switches User’s Manual • System Description – The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. •...
  • Page 387 Chapter 15: Basic Administration Protocols • Extended Power – This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
  • Page 388: Configuring Lldp Interface Civic-Address

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-8. Configuring LLDP Interface Attributes Configuring LLDP Interface Civic-Address Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
  • Page 389 Chapter 15: Basic Administration Protocols Table 15-2. LLDP MED Location CA Types (Continued) CA Type Description CA Value Example Group of streets below the neighborhood level Exchange Street suffix or type Avenue House number House number suffix Landmark or vanity address Tech Center Unit (apartment, suite) Apt 519...
  • Page 390: Displaying Lldp Local Device Information

    SSE-G2252/SSE-G2252P Switches User’s Manual To show the physical location of the attached device: 1. Click Administration > LLDP. 2. Select Configure Interface from the Step list. 3. Select Show CA-Type from the Action list. 4. Select an interface from the Port or Trunk list.
  • Page 391 Chapter 15: Basic Administration Protocols Table 15-3. Chassis ID Subtype ID Basis Reference Interface name ifName (IETF RFC 2863) Locally assigned locally assigned • Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. •...
  • Page 392 SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To display LLDP information for the local device: 1. Click Administration > LLDP. 2. Select Show Local Device Information from the Step list. 3. Select General, Port, or Trunk. Figure 15-11. Displaying Local Device Information for LLDP (General) Figure 15-12.
  • Page 393: Displaying Lldp Remote Port Information

    Chapter 15: Basic Administration Protocols Displaying LLDP Remote Port Information Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
  • Page 394 SSE-G2252/SSE-G2252P Switches User’s Manual Table 15-5. Port ID Subtype (Continued) ID Basis Reference EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ Port component (IETF RFC 2737) MAC address MAC address (IEEE Std 802-2001) Network address networkAddress Interface name ifName (IETF RFC 2863)
  • Page 395 Chapter 15: Basic Administration Protocols • Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636) which is associated with a port on the remote system. Table 15-6. Remote Port Auto-Negotiation Advertised Capability Capability other or unknown 10BASE-T half duplex mode...
  • Page 396 SSE-G2252/SSE-G2252P Switches User’s Manual • Remote Power Pair Controlable – Indicates whether the pair selection can be controlled for sourcing power on the given port associated with the remote system. • Remote Power Classification – This classification is used to tag different terminals on the Power over LAN network according to their power consumption.
  • Page 397: Displaying Device Statistics

    Chapter 15: Basic Administration Protocols Figure 15-14. Displaying Remote Device Information for LLDP (Port Details) Displaying Device Statistics Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 398 SSE-G2252/SSE-G2252P Switches User’s Manual Port/Trunk • Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV. • Frames Invalid – A count of all LLDPDUs received with one or more detectable errors.
  • Page 399: Power Over Ethernet

    Chapter 15: Basic Administration Protocols Figure 15-16. Displaying LLDP Device Statistics (Port) 15-3 Power Over Ethernet Power over Ethernet (PoE) is a system for safely providing electrical power, along with data, over Ethernet cabling. IEEE standards 802.3af and 802.3at define the interfaces needed for providing up to 15.4 W (802.3af) or 25.5 W (802.3at) of DC power to compliant devices.
  • Page 400: Displaying The Switch's Overall Poe Power Budget

    SSE-G2252/SSE-G2252P Switches User’s Manual NOTE: For more information on using the PoE provided by this switch refer to the Installation Guide. Displaying the Switch’s Overall PoE Power Budget Use the A > P E (C ) page to display the maximum PoE...
  • Page 401: Setting The Port Poe Power Budget

    Chapter 15: Basic Administration Protocols Figure 15-17. Showing the Switch’s PoE Budget Setting The Port PoE Power Budget Use the Administration > PoE (Configure Interface) page to set the maximum power provided to a port. CLI References Chapter 29: "Power Over Ethernet Commands"...
  • Page 402 SSE-G2252/SSE-G2252P Switches User’s Manual • If a device is connected to a critical or high-priority port and would cause the switch to exceed its power budget as determined during bootup, power is provided to the port only if the switch can drop power to one or more lower-priority ports and thereby remain within its overall budget.
  • Page 403: Simple Network Management Protocol

    Chapter 15: Basic Administration Protocols Figure 15-18. Setting a Port’s PoE Budget 15-4 Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 404 SSE-G2252/SSE-G2252P Switches User’s Manual The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels.
  • Page 405 Chapter 15: Basic Administration Protocols Command Usage Configuring SNMPv1/2c Management Access To configure SNMPv1 or v2c management access to the switch, follow these steps: 1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
  • Page 406: Configuring Global Settings For Snmp

    SSE-G2252/SSE-G2252P Switches User’s Manual Configuring Global Settings for SNMP Use the Administration > SNMP (Configure Global) page to enable SNMPv3 service for all management clients (i.e., versions 1, 2c, 3), and to enable trap messages. CLI References "snmp-server"...
  • Page 407: Setting The Local Engine Id

    Chapter 15: Basic Administration Protocols Setting the Local Engine ID Use the A > SNMP (C ID) page to change DMINISTRATION ONFIGURE NGINE NGINE the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
  • Page 408: Specifying A Remote Engine Id

    SSE-G2252/SSE-G2252P Switches User’s Manual Specifying a Remote Engine ID Use the A > SNMP (C ) page to DMINISTRATION ONFIGURE NGINE EMOTE NGINE configure a engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 409: Setting Snmpv3 Views

    Chapter 15: Basic Administration Protocols Figure 15-21. Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs: 1. Click A > SNMP. DMINISTRATION 2. Select C from the S list. ONFIGURE NGINE 3. Select S from the A list.
  • Page 410 SSE-G2252/SSE-G2252P Switches User’s Manual Add OID Subtree • View Name – Lists the SNMP views configured in the Add View page. • OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string.
  • Page 411 Chapter 15: Basic Administration Protocols Figure 15-24. Showing SNMP Views To add an object identifier to an existing SNMP view of the switch’s MIB database: 1. Click A > SNMP. DMINISTRATION 2. Select C from the S list. ONFIGURE 3. Select A OID S from the A list.
  • Page 412: Configuring Snmpv3 Groups

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-26. Showing the OID Subtree Configured for SNMP Views Configuring SNMPv3 Groups Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views.
  • Page 413 Chapter 15: Basic Administration Protocols Table 15-8. Supported Notification Messages Model Level Group RFC 1493 Traps The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the newRoot 1.3.6.1.2.1.17.0.1 new root, e.g., upon expiration of the Topology...
  • Page 414 SSE-G2252/SSE-G2252P Switches User’s Manual Table 15-8. Supported Notification Messages (Continued) Model Level Group Private Traps swPowerStatusChangeTra 1.3.6.1.4.1.10876.101 This trap is sent when the power state changes. .202.2.1.0.1 1.3.6.1.4.1.10876.101 swFanFailureTrap This trap is sent when the fan fails. .202..2.1.0.17 1.3.6.1.4.1.10876.101 swFanRecoverTrap This trap is sent when fan failure has recovered.
  • Page 415 Chapter 15: Basic Administration Protocols Table 15-8. Supported Notification Messages (Continued) Model Level Group 1.3.6.1.4.1.10876.101 autoUpgradeTrap This trap is sent when auto upgrade is executed. .202.2.1.0.104 This notification indicates that the CPU utilization 1.3.6.1.4.1.10876.101 swCpuUtiRisingNotification has risen from cpuUtiFallingThreshold to .202.2.1.0.107 cpuUtiRisingThreshold.
  • Page 416 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-27. Creating an SNMP Group To show SNMP groups: 1. Click Administration > SNMP. 2. Select Configure Group from the Step list. 3. Select Show from the Action list. Figure 15-28. Showing SNMP Groups...
  • Page 417: Setting Community Access Strings

    Chapter 15: Basic Administration Protocols Setting Community Access Strings Use the Administration, SNMP (C ) page to configure ONFIGURE OMMUNITY up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings. CLI References "snmp-server community"...
  • Page 418: Configuring Local Snmpv3 Users

    SSE-G2252/SSE-G2252P Switches User’s Manual To show the community access strings: 1. Click A > SNMP. DMINISTRATION 2. Select C from the S list. ONFIGURE 3. Select S from the A list. OMMUNITY CTION Figure 15-30. Showing Community Access Strings Configuring Local SNMPv3 Users Use the A >...
  • Page 419 Chapter 15: Basic Administration Protocols • AuthPriv – SNMP communications use both authentication and encryption. • Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) • Authentication Password – A minimum of eight plain text characters is required. •...
  • Page 420: Configuring Remote Snmpv3 Users

    SSE-G2252/SSE-G2252P Switches User’s Manual 3. Select S SNMP from the A list. OCAL CTION Figure 15-32. Showing Local SNMPv3 Users Configuring Remote SNMPv3 Users Use the A > SNMP (C SNMP DMINISTRATION ONFIGURE EMOTE page to identify the source of SNMPv3 inform messages sent from the local switch.
  • Page 421 Chapter 15: Basic Administration Protocols Parameters These parameters are displayed in the web interface: • User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters) • Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) •...
  • Page 422 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-33. Configuring Remote SNMPv3 Users To show remote SNMPv3 users: 1. Click A > SNMP. DMINISTRATION 2. Select C from the S list. ONFIGURE 3. Select S SNMP from the A list. EMOTE CTION Figure 15-34. Showing Remote SNMPv3 Users...
  • Page 423: Specifying Notification Managers

    Chapter 15: Basic Administration Protocols Specifying Notification Managers Use the Administration > SNMP (Configure Notification) page to specify the host devices to be sent notifications and the types of notifications to send. Notifications indicating status changes are issued by the switch to the specified notification managers.
  • Page 424 SSE-G2252/SSE-G2252P Switches User’s Manual 4. Create a group that includes the required notify view (see "Configuring SNMPv3 Groups" on page 15-38). 5. Enable informs as described in the following pages. Parameters These parameters are displayed in the web interface: SNMP Version 1 •...
  • Page 425 Chapter 15: Basic Administration Protocols SNMP Version 3 • IP Address – IP address of a new management station to receive notification message (i.e., the targeted recipient). • Version – Specifies whether to send notifications using SNMP v1, v2c, or v3. •...
  • Page 426 SSE-G2252/SSE-G2252P Switches User’s Manual 4. Fill in the required parameters based on the selected SNMP version. 5. Click Apply. Figure 15-35. Configuring Notification Managers (SNMPv1) Figure 15-36. Configuring Notification Managers (SNMPv2c) Figure 15-37. Configuring Notification Managers (SNMPv3)...
  • Page 427: Remote Monitoring

    Chapter 15: Basic Administration Protocols To show configured notification managers: 1. Click Administration > SNMP. 2. Select Configure Notification from the Step list. 3. Select Show from the Action list. Figure 15-38. Showing Notification Managers 15-5 Remote Monitoring Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 428 SSE-G2252/SSE-G2252P Switches User’s Manual CLI References Chapter 23: "Remote Monitoring Commands" on page 23-1 for CLI reference information. Command Usage • If an alarm is already defined for an index, the entry must be deleted before any changes can be made.
  • Page 429 Chapter 15: Basic Administration Protocols • Falling Event Index – The index of the event to use if an alarm is triggered by monitored variables reaching or crossing below the falling threshold. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 0-65535) •...
  • Page 430 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-40. Showing Configured RMON Alarms...
  • Page 431: Configuring Rmon Events

    Chapter 15: Basic Administration Protocols Configuring RMON Events Use the A > RMON (C ) page to set the DMINISTRATION ONFIGURE LOBAL VENT action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
  • Page 432 SSE-G2252/SSE-G2252P Switches User’s Manual • Owner – Name of the person who created this entry. (Range: 1-127 characters) Web Interface To configure an RMON event: 1. Click Administration > RMON. 2. Select Configure Global from the Step list. 3.
  • Page 433 Chapter 15: Basic Administration Protocols Figure 15-42. Showing Configured RMON Events
  • Page 434: Configuring Rmon History Samples

    SSE-G2252/SSE-G2252P Switches User’s Manual Configuring RMON History Samples Use the A > RMON (C ) page to DMINISTRATION ONFIGURE NTERFACE ISTORY collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.
  • Page 435 Chapter 15: Basic Administration Protocols 3. Select Add from the Action list. 4. Click History. 5. Select a port from the list as the data source. 6. Enter an index number, the sampling interval, the number of buckets to use, and the name of the owner for this entry.
  • Page 436 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-44. Showing Configured RMON History Samples To show collected RMON history samples: 1. Click Administration > RMON. 2. Select Configure Interface from the Step list. 3. Select Show Details from the Action list. 4.
  • Page 437: Configuring Rmon Statistical Samples

    Chapter 15: Basic Administration Protocols Figure 15-45. Showing Collected RMON History Samples Configuring RMON Statistical Samples Use the A > RMON (C ) page to DMINISTRATION ONFIGURE NTERFACE TATISTICS collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
  • Page 438 SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To enable regular sampling of statistics on a port: 1. Click Administration > RMON. 2. Select Configure Interface from the Step list. 3. Select Add from the Action list. 4. Click Statistics. 5.
  • Page 439 Chapter 15: Basic Administration Protocols Figure 15-47. Showing Configured RMON Statistical Samples To show collected RMON statistical samples: 1. Click Administration > RMON. 2. Select Configure Interface from the Step list. 3. Select Show Details from the Action list. 4.
  • Page 440: Switch Clustering

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-48. Showing Collected RMON Statistical Samples 15-6 Switch Clustering Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 441: Configuring General Settings For Clusters

    Chapter 15: Basic Administration Protocols • The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN: 1. Create VLAN 4093 (see "Configuring VLAN Groups" on page 7-4). 2. Add the participating ports to this VLAN (see "Adding Static Members to VLANs"...
  • Page 442: Cluster Member Configuration

    SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure a switch cluster: 1. Click Administration > Cluster. 2. Select Configure Global from the Step list. 3. Set the required attributes for a Commander or a managed candidate. 4. Click Apply. Figure 15-49.
  • Page 443 Chapter 15: Basic Administration Protocols 3. Select Add from the Action list. 4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate. 5. Click Apply. Figure 15-50. Configuring a Cluster Members To show the cluster members: 1.
  • Page 444 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 15-52. Showing Cluster Candidates Managing Cluster Members Use the A > C ) page to manage another switch in DMINISTRATION LUSTER EMBER the cluster. CLI References Section 21-10: "Switch Clustering" on page 21-64 for CLI reference information.
  • Page 445: Setting A Time Range

    Chapter 15: Basic Administration Protocols Figure 15-53. Managing a Cluster Member 15-7 Setting A Time Range Use the Administration > Time Range page to set a time range during which various functions are applied, including applied ACLs or PoE. CLI References Section 21-9: "Time Range"...
  • Page 446 SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure a time range: 1. Click Administration > Time Range. 2. Select Add from the Action list. 3. Enter the name of a time range. 4. Click Apply. Figure 15-54. Setting the Name of a Time Range To show a list of time ranges: 1.
  • Page 447 Chapter 15: Basic Administration Protocols Figure 15-56. Add a Rule to a Time Range To show the rules configured for a time range: 1. Click A > T DMINISTRATION ANGE 2. Select S from the A list. CTION Figure 15-57. Showing the Rules Configured for a Time Range 15-73...
  • Page 448 SSE-G2252/SSE-G2252P Switches User’s Manual Notes 15-74...
  • Page 449: Chapter 16 Ip Configuration

    Chapter 16: IP Configuration Chapter 16 IP Configuration This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 450 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage Use the ping command to see if another site on the network can be reached. The following are some results of the ping command: • Normal response – The normal response occurs in one to ten seconds, depending on network traffic.
  • Page 451: Address Resolution Protocol

    Chapter 16: IP Configuration 16-2 Address Resolution Protocol Address Resolution Protocol (ARP) is used to map an IP address to a physical layer (i.e., MAC) address. When a device sends or receives a packet with an IP header, it must first resolve the destination IP address into a MAC address. When an IP frame is received by this switch, it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
  • Page 452: Displaying Arp Entries

    SSE-G2252/SSE-G2252P Switches User’s Manual The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the switch may tie up resources by repeating ARP requests for addresses recently flushed from the table. When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
  • Page 453: Setting The Switch's Ip Address (Ip Version 4)

    Chapter 16: IP Configuration Figure 16-3. Displaying ARP Entries 16-3 Setting the Switch’s IP Address (IP Version 4) Use the System > IP page to configure an IPv4 address for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
  • Page 454 SSE-G2252/SSE-G2252P Switches User’s Manual • IP Address – Address of the VLAN to which the management station is attached. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 192.168.100.102) • Subnet Mask – This mask identifies the host address bits used for routing to specific subnets.
  • Page 455: Setting The Switch's Ip Address (Ip Version 6)

    Chapter 16: IP Configuration Figure 16-5. Configuring a Dynamic IPv4 Address NOTE: The switch will also broadcast a request for IP configuration settings on each power reset. NOTE: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address. NOTE: Renewing DHCP –...
  • Page 456: Configuring The Ipv6 Default Gateway

    SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage IPv6 includes two distinct address types – link-local unicast and global unicast. A link-local address makes the switch accessible over IPv6 for all devices attached to the same local subnet. Management traffic using this kind of address cannot be passed by any router outside of the subnet.
  • Page 457: Configuring Ipv6 Interface Settings

    Chapter 16: IP Configuration Figure 16-6. Configuring the IPv6 Default Gateway Configuring IPv6 Interface Settings Use the IP > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including auto-configuration of a global unicast interface address, and explicit configuration of a link local interface address.
  • Page 458: Configuring An Ipv6 Address

    SSE-G2252/SSE-G2252P Switches User’s Manual • If auto-configuration is not selected, then an address must be manually configured using the Add Interface page described below. • Enable IPv6 Explicitly – Enables IPv6 on an interface. Note that when an explicit address is assigned to an interface, IPv6 is automatically enabled, and cannot be disabled until all assigned addresses have been removed.
  • Page 459 Chapter 16: IP Configuration Command Usage • All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 460 SSE-G2252/SSE-G2252P Switches User’s Manual • Global – Configures an IPv6 global unicast address with a full IPv6 address including the network prefix and host address bits, followed by a forward slash, and a decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
  • Page 461: Showing Ipv6 Addresses

    Chapter 16: IP Configuration 3. Specify the VLAN to configure, select the address type, and then enter an IPv6 address and prefix length. 4. Click A PPLY Figure 16-8. Configuring an IPv6 Address Showing IPv6 Addresses Use the IP > IP ) page to display the IPv6 ONFIGURATION DDRESS...
  • Page 462: Showing The Ipv6 Neighbor Cache

    SSE-G2252/SSE-G2252P Switches User’s Manual A node is also required to compute and join the associated solicited-node multicast addresses for every unicast and anycast address it is assigned. IPv6 addresses that differ only in the high-order bits, e.g. due to multiple high-order prefixes associated with different aggregations, will map to the same solicited-node address, thereby reducing the number of multicast addresses a node must join.
  • Page 463 Chapter 16: IP Configuration Table 16-2. Show IPv6 Neighbors - display description Field Description IPv6 Address IPv6 address of neighbor The time since the address was verified as reachable (in seconds). A static entry is indicated by the value “Permanent.” Link-layer Addr Physical layer MAC address.
  • Page 464: Showing Ipv6 Statistics

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 16-10. Showing IPv6 Neighbors Showing IPv6 Statistics Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI References "show ipv6 traffic" on page 42-23 for CLI reference information.
  • Page 465 Chapter 16: IP Configuration • UDP – User Datagram Protocol provides a datagram mode of packet switched communications. It uses IP as the underlying transport mechanism, providing access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
  • Page 466 SSE-G2252/SSE-G2252P Switches User’s Manual Table 16-3. Show IPv6 Statistics - Display Description (Continued) Field: Reassembly Request Datagrams. Description: The number of IPv6 fragments received which needed to be reassembled at this interface. Note that this counter is incremented at the interface to which these fragments were addressed which might not be necessarily the input interface for some of the fragments.
  • Page 467 Chapter 16: IP Configuration Table 16-3. Show IPv6 Statistics - Display Description (Continued) ICMPv6 Statistics, ICMPv6 received. Field: Input. Description: The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.
  • Page 468 SSE-G2252/SSE-G2252P Switches User’s Manual Table 16-3. Show IPv6 Statistics - Display Description (Continued) ICMPv6 Transmitted. Field: Output. Description: The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.
  • Page 469 Chapter 16: IP Configuration Figure 16-11. Showing IPv6 Statistics (IPv6) Figure 16-12. Showing IPv6 Statistics (ICMPv6)
  • Page 470 SSE-G2252/SSE-G2252P Switches User’s Manual Figure 16-13. Showing IPv6 Statistics (UDP)
  • Page 471: Chapter 17 Ip Services

    Chapter 17: IP Services Chapter 17 IP Services This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see Section 14-13: "DHCP Snooping" on page 14-89. DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
  • Page 472: Configuring A List Of Domain Names

    SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure general settings for DNS: 1. Click IP Service > DNS. 2. Select Configure Global from the Action list. 3. Enable domain lookup, and set the default domain name. 4. Click Apply. Figure 17-1.
  • Page 473 Chapter 17: IP Services Parameters These parameters are displayed in the web interface: • Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters) Web Interface To create a list of domain names: 1.
  • Page 474: Configuring A List Of Name Servers

    SSE-G2252/SSE-G2252P Switches User’s Manual 17-3 Configuring a List of Name Servers Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI References "ip name-server" on page 40-6 "show dns"...
  • Page 475: Configuring Static Dns Host To Address Entries

    Chapter 17: IP Services To show the list of name servers: 1. Click IP Service, DNS. 2. Select Show Name Servers from the Action list. Figure 17-5. Showing the List of Name Servers for DNS 17-4 Configuring Static DNS Host to Address Entries Use the IP Service >...
  • Page 476: Displaying The Dns Cache

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 17-6. Configuring Static Entries in the DNS Table To show static entries in the DNS table: 1. Click IP Service > DNS - Static Host Table. 2. Select Show from the Action list. Figure 17-7.
  • Page 477 Chapter 17: IP Services • Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias. • IP – The IP address associated with this record. • TTL – The time to live reported by the name server. •...
  • Page 479: Chapter 18 Multicast Filtering

    Chapter 18: Multicast Filtering Chapter 18 Multicast Filtering This chapter describes how to configure the following multicast services: • Layer 2 IGMP (Snooping and Query) – Configuring snooping and query parameters. • Filtering and Throttling IGMP Groups – Filtering specified multicast service, or throttling the maximum of multicast groups allowed on an interface.
  • Page 480: Layer 2 Igmp (Snooping And Query)

    SSE-G2252/SSE-G2252P Switches User’s Manual This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router.
  • Page 481 Chapter 18: Multicast Filtering NOTE: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN. NOTE: IGMP snooping will not function unless a multicast router port is enabled on the switch.
  • Page 482: Configuring Igmp Snooping And Query Parameters

    SSE-G2252/SSE-G2252P Switches User’s Manual Configuring IGMP Snooping and Query Parameters Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
  • Page 483 Chapter 18: Multicast Filtering When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. • Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting”...
  • Page 484 SSE-G2252/SSE-G2252P Switches User’s Manual • TCN Query Solicit – Sends out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. (Default: Disabled) When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation).
  • Page 485 Chapter 18: Multicast Filtering This attribute configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
  • Page 486: Specifying Static Interfaces For A Multicast Router

    SSE-G2252/SSE-G2252P Switches User’s Manual Specifying Static Interfaces for a Multicast Router Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 487 Chapter 18: Multicast Filtering Figure 18-3. Configuring a Static Interface for a Multicast Router To show the static interfaces attached to a multicast router: 1. Click Multicast > IGMP Snooping > Multicast Router. 2. Select Show Static Multicast Router from the Action list.
  • Page 488: Assigning Interfaces To Multicast Services

    SSE-G2252/SSE-G2252P Switches User’s Manual Assigning Interfaces to Multicast Services Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 489 Chapter 18: Multicast Filtering Figure 18-6. Assigning an Interface to a Multicast Service To show the static interfaces assigned to a multicast service: 1. Click Multicast > IGMP Snooping > IGMP Member. 2. Select Show Static Member from the Action list.
  • Page 490: Setting Igmp Snooping Status Per Interface

    SSE-G2252/SSE-G2252P Switches User’s Manual Setting IGMP Snooping Status per Interface Use the Multicast > IGMP Snooping > Interface (Configure) page to configure IGMP snooping attributes for a VLAN interface. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters" on page 18-4.
  • Page 491 Chapter 18: Multicast Filtering • Multicast Router Solicitation – Devices send Solicitation messages in order to solicit Advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link. Solicitation messages are also sent whenever a multicast forwarding interface is initialized or re-initialized. Upon receiving a solicitation on an interface with IP multicast forwarding and MRD enabled, a router will respond with an Advertisement.
  • Page 492 SSE-G2252/SSE-G2252P Switches User’s Manual If version exclusive is disabled on a VLAN, then this setting is based on the global setting configured on the Multicast > IGMP Snooping > General page. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
  • Page 493 Chapter 18: Multicast Filtering • Query Interval – The interval between sending IGMP general queries. (Range: 2-31744 seconds; Default: 125 seconds) An IGMP general query message is sent by the switch at the interval specified by this attribute. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
  • Page 494 SSE-G2252/SSE-G2252P Switches User’s Manual To resolve this problem, the source address in proxied IGMP query messages can be replaced with any valid unicast address (other than the router’s own address). Web Interface To configure IGMP snooping on a VLAN: 1. Click Multicast >...
  • Page 495: Displaying Multicast Groups Discovered By Igmp Snooping

    Chapter 18: Multicast Filtering Figure 18-10. Showing Interface Settings for IGMP Snooping Displaying Multicast Groups Discovered by IGMP Snooping Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. CLI References "show ip igmp snooping group"...
  • Page 496: Filtering And Throttling Igmp Groups

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 18-11. Showing Multicast Groups Learned by IGMP Snooping 18-3 Filtering and Throttling IGMP Groups In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
  • Page 497: Configuring Igmp Filter Profiles

    Chapter 18: Multicast Filtering Web Interface To enable IGMP filtering and throttling on the switch: 1. Click Multicast > IGMP Snooping > Filter. 2. Select Configure General from the Step list. 3. Enable IGMP Filter Status. 4.
  • Page 498 SSE-G2252/SSE-G2252P Switches User’s Manual When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when the multicast group is not in the controlled range.
  • Page 499 Chapter 18: Multicast Filtering Figure 18-14. Showing the IGMP Filtering Profiles Created To add a range of multicast groups to an IGMP filter profile: 1. Click Multicast > IGMP Snooping > Filter. 2. Select Configure Profile from the Step list.
  • Page 500: Configuring Igmp Filtering And Throttling For Interfaces

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 18-16. Showing the Groups Assigned to an IGMP Filtering Profile Configuring IGMP Filtering and Throttling for Interfaces Use the Multicast > IGMP Snooping > Filter (Configure Interface) page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time.
  • Page 501: Multicast Vlan Registration

    Chapter 18: Multicast Filtering • Deny - The new multicast group join report is dropped. • Replace - The new multicast group replaces an existing group. • Throttling Status – Indicates if the throttling action has been implemented on the interface.
  • Page 502 SSE-G2252/SSE-G2252P Switches User’s Manual MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any...
  • Page 503: Configuring Global Mvr Settings

    Chapter 18: Multicast Filtering Configuring Global MVR Settings Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assign the multicast group address for each of these services to the MVR VLAN.
  • Page 504: Configuring Mvr Interface Status

    SSE-G2252/SSE-G2252P Switches User’s Manual Web Interface To configure global settings for MVR: 1. Click Multicast > MVR. 2. Select Configure General from the Step list. 3. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to participating hosts.
  • Page 505 Chapter 18: Multicast Filtering Receiver ports should not be configured as a member of the MVR VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see "Adding Static Members to VLANs" on page 7-6).
  • Page 506: Assigning Static Multicast Groups To Interfaces

    SSE-G2252/SSE-G2252P Switches User’s Manual • MVR Status – Shows the MVR status. MVR status for source ports is “Active” if MVR is globally enabled on the switch. MVR status for receiver ports is “Active” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 507 Chapter 18: Multicast Filtering CLI References "mvr vlan group" on page 38-39 for CLI reference information. Parameters These parameters are displayed in the web interface: • Port – Port identifier. • VLAN – VLAN identifier. • Group IP Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR group range configured on the Configure General page.
  • Page 508: Showing Multicast Group Members

    SSE-G2252/SSE-G2252P Switches User’s Manual Figure 18-22. Showing the Static MVR Groups Assigned to a Port Showing Multicast Group Members Use the Multicast > MVR (Show Member) page to show the interfaces associated with multicast groups assigned to the MVR VLAN.
  • Page 509: Chapter 19 Using The Command Line Interface

    “ADMIN” and “guest” with corresponding passwords of “ADMIN” and “guest.”) When the administrator user name and password is entered, the CLI displays the “SSE-G2252#” prompt and enters privileged access mode (i.e., Privileged Exec). But when the guest user name and password is entered, the CLI displays the “SSE-G2252>”...
  • Page 510: Telnet Connection

    4. When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: ADMIN Password: CLI session with the SSE-G2252 is opened. To end the CLI session, enter [Exit]. Vty-0# 19-2...
  • Page 511: Entering Commands

    To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter: SSE-G2252(config)#username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command.
  • Page 512: Showing Commands

    SSE-G2252/SSE-G2252P Switches User’s Manual Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command. For example, the command “system ?” displays a list of possible...
  • Page 513 Shows virtual LAN settings voice Shows the voice VLAN information web-auth Shows web authentication configuration SSE-G2252#show The command “show interfaces ?” will display the following information: SSE-G2252#show interfaces ? counters Interface counters information protocol-vlan Protocol-VLAN information status Shows interface status...
  • Page 514: Partial Keyword Lookup

    SSE-G2252/SSE-G2252P Switches User’s Manual Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”...
  • Page 515: Exec Commands

    When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “SSE-G2252>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode).
  • Page 516: Configuration Commands

    VLAN Configuration - Includes the command to create VLAN groups. To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “SSE-G2252(config)#” which gives you access privilege to all Global Configuration commands.
  • Page 517: Command Line Processing

    SSE-G2252(config-vlan) page 35-9 For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#exit SSE-G2252(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 518: Showing Status Information

    For example, if a static router port is configured, the corresponding show command will not display any information unless IGMP snooping is enabled, and the link for the static router port is up. SSE-G2252#configure SSE-G2252(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11 SSE-G2252(config)#end SSE-G2252#show ip igmp snooping mrouter VLAN M'cast Router Ports Type...
  • Page 519: Output Modifiers

    The output modifiers include options which indicate a string that occurs at the beginning of a line, in lines that are to be excluded, or in lines that are to be included. SSE-G2252#show running-config | ? begin Begin with line that matches...
  • Page 520 SSE-G2252/SSE-G2252P Switches User’s Manual Table 19-4. Command Group Index (Continued) Command Group Description Page Configures the connection parameters for all Ethernet ports, Interface page 27-1 aggregated links, and VLANs Statically groups multiple ports into a single logical trunk; Link Aggregation...
  • Page 521 Chapter 19: Using the Command Line Interface The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) CM (Class Map Configuration) GC (Global Configuration) IC (Interface Configuration) IPC (IGMP Profile Configuration) LC (Line Configuration) MST (Multiple Spanning Tree) NE (Normal Exec) PE (Privileged Exec)
  • Page 523: Chapter 20 General Commands

    Chapter 20: General Commands Chapter 20 General Commands These commands are used to control the command access mode, configuration mode, and other basic functions. Table 20-1. General Commands Command Function Mode prompt Customizes the CLI prompt reload (Global Restarts the system at a specified time, after a specified delay, or at Configuration) a periodic interval enable...
  • Page 524: Reload (Global Configuration)

    SSE-G2252/SSE-G2252P Switches User’s Manual Default Setting Console Command Mode Global Configuration Example SSE-G2252(config)#prompt RD2 RD2(config)# reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time.
  • Page 525: Enable

    "copy" on page 21-15). Example This example shows how to reset the switch after 30 minutes: SSE-G2252(config)#reload in minute 30 *** --- Rebooting at January 1 02:10:43 2007 --- Are you sure to reboot the system at the specified time? <y/n>...
  • Page 526: Quit

    SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command.) • The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
  • Page 527: Configure

    The history buffer size is fixed at 10 Execution commands and 10 Configuration commands. Example In this example, the show history command lists the contents of the command history buffer: SSE-G2252#show history Execution command history: 2 config 1 show history Configuration command history:...
  • Page 528: Disable

    SSE-G2252/SSE-G2252P Switches User’s Manual Command Mode Privileged Exec Example SSE-G2252#configure SSE-G2252(config)# Related Commands "end" on page 20-7 disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics.
  • Page 529: Show Reload

    This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode Privileged Exec Example SSE-G2252#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 530: Exit

    SSE-G2252/SSE-G2252P Switches User’s Manual Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: SSE-G2252(config-if)#end SSE-G2252# exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None...
  • Page 531: Chapter 21 System Management Commands

    Chapter 21: System Management Commands Chapter 21 System Management Commands These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 21-1. System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch System Status...
  • Page 532: Device Designation

    SSE-G2252/SSE-G2252P Switches User’s Manual 21-1 Device Designation This section describes commands used to configure information that uniquely identifies the switch. Table 21-2. Device Designation Commands Command Function Mode hostname Specifies the host name for the switch snmp-server contact Sets the system contact string...
  • Page 533: System Status

    Chapter 21: System Management Commands 21-2 System Status This section describes commands used to display system information. Table 21-3. System Status Commands Command Function Mode show access-list Shows utilization parameters for TCAM tcam-utilization show memory Shows memory utilization parameters NE, PE show process cpu Shows CPU utilization parameters NE, PE...
  • Page 534: Show Memory

    SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252#show access-list tcam-utilization Total Policy Control Entries : 512 Free Policy Control Entries : 352 Entries Used by System : 160 Entries Used by User TCAM Utilization : 31.25% SSE-G2252# show memory This command shows memory utilization parameters.
  • Page 535: Command Mode

    • Spanning tree settings • Interface settings • Any configured settings for the console port and Telnet Example SSE-G2252#show running-config Building startup configuration. Please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac> snmp-server community public ro snmp-server community private rw snmp-server enable traps authentication username admin access-level 15...
  • Page 536: Related Commands

    SSE-G2252/SSE-G2252P Switches User’s Manual interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 qos map dscp-mutation 6 0 from 46 interface vlan 1 ip address 192.168.100.102 255.255.255.0 queue mode strict-wrr 0 0 0 1 line console...
  • Page 537: Show Startup-Config

    Chapter 21: System Management Commands show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 538: Show System

    Section 5-1: "Displaying System Information" on page 5-1. • The number of fans provided: SSE-G2252 - 1, SSE-G2252P - 3 • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example...
  • Page 539: Show Tech-Support

    It is therefore advisable to direct the output to a file using any suitable output capture function provided with your terminal emulation program. Example Console#show tech-support Show System: System Description : SSE-G2252 Managed FE Switch System OID String : 1.3.6.1.4.1.572.17389.202 System Information System Up Time : 0 days, 1 hours, 28 minutes, and 51.70 seconds...
  • Page 540: Show Users

    SSE-G2252/SSE-G2252P Switches User’s Manual show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 541: Show Version

    Command Mode Normal Exec, Privileged Exec Command Usage See Section 5-2: "Displaying Switch Hardware/Software Versions" on page 5-2 for detailed information on the items displayed by this command. Example SSE-G2252#show version Unit 1 Serial Number : S123456 Hardware Version : R0A EPLD Version : 0.00...
  • Page 542: Frame Size

    SSE-G2252/SSE-G2252P Switches User’s Manual 21-3 Frame Size This section describes commands used to configure the Ethernet frame size on the switch. Table 21-4. Frame Size Commands Command Function Mode jumbo frame Enables support for jumbo frames jumbo frame This command enables support for jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
  • Page 543: File Management

    Chapter 21: System Management Commands 21-4 File Management Managing Firmware Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 544: Boot System

    SSE-G2252/SSE-G2252P Switches User’s Manual boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom | config | opcode}: filename boot-rom - Boot ROM. config - Configuration file. opcode - Run-time operation code.
  • Page 545: Copy

    Chapter 21: System Management Commands copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 546 SSE-G2252/SSE-G2252P Switches User’s Manual • The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • When logging into an FTP server, the interface prompts for a user name and password configured on the remote server.
  • Page 547 This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch. SSE-G2252#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1.
  • Page 548: Delete

    SSE-G2252/SSE-G2252P Switches User’s Manual delete This command deletes a file or image. Syntax delete filename filename - Name of configuration file or code image. Default Setting None Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted.
  • Page 549: Default Setting

    Create Time The date and time the file was created. Size The length of the file in bytes. Example The following example shows how to display all file information: SSE-G2252#dir File Name Type Startup Modify Time Size(bytes) -------------------------- -------------- ------- ------------- Unit 1: SSE-G2252_Op_V0.0.1.0.bix...
  • Page 550: Whichboot

    SSE-G2252/SSE-G2252P Switches User’s Manual whichboot This command displays which files were booted when the system powered up. Syntax whichboot Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
  • Page 551 "show startup-config" on page 21-7 commands. Example SSE-G2252(config)#upgrade opcode auto SSE-G2252(config)#upgrade opcode path tftp://192.168.0.1/sm24/ SSE-G2252(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup. Automatic Upgrade is looking for a new image New image detected: current version 0.0.1.0;...
  • Page 552: Upgrade Opcode Path

    SSE-G2252/SSE-G2252P Switches User’s Manual upgrade opcode path This command specifies a TFTP server and directory in which the new opcode is stored. Use the no form of this command to clear the current setting. Syntax upgrade opcode path opcode-dir-url no upgrade opcode path opcode-dir-url - The location of the new code.
  • Page 553: Line

    Chapter 21: System Management Commands 21-5 Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 21-7.
  • Page 554: Line

    SSE-G2252/SSE-G2252P Switches User’s Manual line This command identifies a specific line for configuration, and processes subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet).
  • Page 555: Databits

    7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character. Example To specify 7 data bits, enter this command: SSE-G2252(config-line)#databits 7 SSE-G2252(config-line)# Related Commands "parity" on page 21-28...
  • Page 556: Exec-Timeout

    SSE-G2252/SSE-G2252P Switches User’s Manual exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval. (Range: 0 - 65535 seconds; 0:...
  • Page 557: Login

    This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers. Example SSE-G2252(config-line)#login local SSE-G2252(config-line)# Related Commands "username" on page 24-3 "password"...
  • Page 558: Parity

    SSE-G2252/SSE-G2252P Switches User’s Manual parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity...
  • Page 559: Password

    (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example SSE-G2252(config-line)#password 0 secret SSE-G2252(config-line)# Related Commands "login" on page 21-27 "password-thresh"...
  • Page 560: Password-Thresh

    SSE-G2252/SSE-G2252P Switches User’s Manual password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120; 0: no...
  • Page 561: Silent-Time

    - The number of seconds to disable console response. (Range: 0-65535; 0: 30 seconds) Default Setting The default value is no silent-time. Command Mode Line Configuration Example To set the silent time to 60 seconds, enter this command: SSE-G2252(config-line)#silent-time 60 SSE-G2252(config-line)# Related Commands "password-thresh" on page 21-30 21-31...
  • Page 562: Speed

    SSE-G2252/SSE-G2252P Switches User’s Manual speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
  • Page 563: Stopbits

    Syntax stopbits {1 | 2} no stopbits 1 - One stop bit 2 - Two stop bits Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: SSE-G2252(config-line)#stopbits 2 SSE-G2252(config-line)# 21-33...
  • Page 564: Timeout Login Response

    SSE-G2252/SSE-G2252P Switches User’s Manual timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
  • Page 565: Disconnect

    Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example SSE-G2252#disconnect 1 SSE-G2252# Related Commands "show ssh" on page 24-44 "show users" on page 21-10...
  • Page 566: Show Line

    SSE-G2252/SSE-G2252P Switches User’s Manual show line This command displays the terminal line’s parameters. Syntax show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting Shows all lines Command Mode...
  • Page 567: Event Logging

    Chapter 21: System Management Commands 21-6 Event Logging This section describes commands used to configure event logging on the switch. Table 21-8. Event Logging Commands Command Function Mode logging facility Sets the facility type for remote logging of syslog messages logging history Limits syslog messages saved to switch memory based on severity Adds a syslog server host IP address that will receive logging...
  • Page 568: Logging History

    SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252(config)#logging facility 19 SSE-G2252(config)# logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 569: Logging Host

    Chapter 21: System Management Commands Example SSE-G2252(config)#logging history ram 0 SSE-G2252(config)# logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host-ip-address host-ip-address - The IP address of a syslog server.
  • Page 570: Logging On

    SSE-G2252/SSE-G2252P Switches User’s Manual logging on This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process. Syntax [no] logging on Default Setting None Command Mode Global Configuration...
  • Page 571: Logging Trap

    Using this command with a specified level enables remote logging and sets the minimum severity level to be saved. • Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default. Example SSE-G2252(config)#logging trap 4 SSE-G2252(config)# 21-41...
  • Page 572: Clear Log

    SSE-G2252/SSE-G2252P Switches User’s Manual clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 573: Show Log

    (i.e., power is turned off and then on through the power source). Example The following example shows the event message stored in RAM. SSE-G2252#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port...
  • Page 574: Show Logging

    SSE-G2252/SSE-G2252P Switches User’s Manual show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 575 Chapter 21: System Management Commands The following example displays settings for the trap function. SSE-G2252#show logging trap Syslog logging: Enable REMOTELOG Status: disable REMOTELOG Facility Type: Local use 7 REMOTELOG Level Type: Debugging messages REMOTELOG server IP Address: 1.2.3.4 REMOTELOG server IP Address: 0.0.0.0 REMOTELOG server IP Address: 0.0.0.0...
  • Page 576: Smtp Alerts

    SSE-G2252/SSE-G2252P Switches User’s Manual 21-7 SMTP Alerts These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 21-12. Event Logging Commands Command Function Mode logging sendmail Enables SMTP event handling...
  • Page 577: Logging Sendmail Host

    If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.) Example SSE-G2252(config)#logging sendmail host 192.168.1.19 SSE-G2252(config)# 21-47...
  • Page 578: Logging Sendmail Level

    SSE-G2252/SSE-G2252P Switches User’s Manual logging sendmail level This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. Syntax logging sendmail level level no logging sendmail level level - One of the system message levels ("logging history"...
  • Page 579: Logging Sendmail Destination-Email

    (Range: 1-41 characters) Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example SSE-G2252(config)#logging sendmail destination-email ted@this-company.com SSE-G2252(config)# 21-49...
  • Page 580: Logging Sendmail Source-Email

    SSE-G2252/SSE-G2252P Switches User’s Manual logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to restore the default value. Syntax logging sendmail source-email email-address no logging sendmail source-email email-address - The source email address used in alert messages.
  • Page 581: Time

    Chapter 21: System Management Commands Example SSE-G2252#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com SMTP Source Email Address: bill@this-company.com SMTP Status: Enabled SSE-G2252# 21-8 Time The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 582: Sntp Client

    SSE-G2252/SSE-G2252P Switches User’s Manual sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests. Syntax [no] sntp client...
  • Page 583: Sntp Poll

    SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode Global Configuration Example SSE-G2252(config)#sntp poll 60 SSE-G2252# Related Commands "sntp client" on page 21-52 21-53...
  • Page 584: Sntp Server

    SSE-G2252/SSE-G2252P Switches User’s Manual sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 585: Show Sntp

    Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast). Example SSE-G2252#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval...
  • Page 586: Clock Timezone

    To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC. Example SSE-G2252(config)#clock timezone Japan hours 8 minute 0 after-UTC SSE-G2252(config)# Related Commands "show sntp" on page 21-55...
  • Page 587: Clock Timezone-Predefined

    To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC. Example SSE-G2252(config)#clock timezone-predefined GMT-0930-Taiohae SSE-G2252(config)# Related Commands "show sntp" on page 21-55...
  • Page 588: Calendar Set

    Privileged Exec Command Usage Note that when SNTP is enabled, the system clock cannot be manually configured. Example This example shows how to set the system clock to 15:12:34, February 1st, 2002. SSE-G2252#calendar set 15:12:34 1 February 2002 SSE-G2252# 21-58...
  • Page 589: Show Calendar

    Default Setting None Command Mode Normal Exec, Privileged Exec Example SSE-G2252#show calendar 15:12:34 February 1 2002 SSE-G2252# 21-9 Time Range This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
  • Page 590: Time-Range

    SSE-G2252/SSE-G2252P Switches User’s Manual time-range This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. Syntax [no] time-range name name - Name of the time range. (Range: 1-16 characters)
  • Page 591: Absolute

    Example This example configures the time for the single occurrence of an event. SSE-G2252(config)#time-range r&d SSE-G2252(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009 SSE-G2252(config-time-range)# 21-61...
  • Page 592: Periodic

    SSE-G2252/SSE-G2252P Switches User’s Manual periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. Syntax [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday |...
  • Page 593: Show Time-Range

    Chapter 21: System Management Commands Example This example configures a time range for the periodic occurrence of an event. SSE-G2252(config)#time-range sales SSE-G2252(config-time-range)#periodic daily 1 1 to 2 1 SSE-G2252(config-time-range)# show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
  • Page 594: Switch Clustering

    SSE-G2252/SSE-G2252P Switches User’s Manual 21-10 Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 595: Cluster

    There can be up to 100 candidates and 36 member switches in one cluster. • A switch can only be a Member of one cluster. • Configured switch clusters are maintained across power resets and network changes. Example SSE-G2252(config)#cluster SSE-G2252(config)# 21-65...
  • Page 596: Cluster Commander

    SSE-G2252/SSE-G2252P Switches User’s Manual cluster commander This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. Syntax [no] cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 597: Cluster Member

    You cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled. Example SSE-G2252(config)#cluster ip-pool 10.2.3.4 SSE-G2252(config)# cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
  • Page 598: Rcommand

    SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252(config)#cluster member mac-address 00-12-34-56-78-9a id 5 SSE-G2252(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch. (Range: 1-36) Command Mode...
  • Page 599: Show Cluster

    Number of Candidates : 2 SSE-G2252# show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example SSE-G2252#show cluster members Cluster Members: Role : Active member IP Address : 10.254.254.2 MAC Address : 00-E0-0C-00-00-FE Description : SSE-G2252P Managed GE POE Switch...
  • Page 600: Show Cluster Candidates

    SSE-G2252/SSE-G2252P Switches User’s Manual show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example SSE-G2252#show cluster candidates Cluster Candidates: Role MAC Address Description --------------- ----------------- ---------------------------------------- Active member 00-E0-0C-00-00-FE SSE-G2252P Managed GE POE Switch...
  • Page 601: Chapter 22 Snmp Commands

    Chapter 22: SNMP Commands Chapter 22 SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 602: Snmp-Server

    SSE-G2252/SSE-G2252P Switches User’s Manual Table 22-1. SNMP Commands (Continued) Command Function Mode show snmp notify-filter Displays the configured notification logs ATC Trap Commands Sends a trap when broadcast traffic falls beneath the snmp-server enable port-traps lower threshold after a storm control response has been...
  • Page 603: Snmp-Server Community

    Public - Read-only access. Authorized management stations are only able to retrieve MIB objects. • Private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example SSE-G2252(config)#snmp-server community alpha rw SSE-G2252(config)# 22-3...
  • Page 604: Snmp-Server Contact

    SSE-G2252/SSE-G2252P Switches User’s Manual snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255...
  • Page 605: Snmp-Server Location

    Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Example SSE-G2252(config)#snmp-server location WC-19 SSE-G2252(config)# Related Commands "snmp-server contact" on page 22-4 22-5...
  • Page 606: Show Snmp

    SSE-G2252/SSE-G2252P Switches User’s Manual show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 607: Snmp-Server Enable Traps

    SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command. Example SSE-G2252(config)#snmp-server enable traps link-up-down SSE-G2252(config)# Related Commands "snmp-server host" on page 22-8 22-7...
  • Page 608: Snmp-Server Host

    SSE-G2252/SSE-G2252P Switches User’s Manual snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr community-string [inform [retry retries | timeout seconds | version {1 | 2c | 3 {auth | noauth | priv}]]...
  • Page 609 Chapter 22: SNMP Commands Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
  • Page 610: Snmp-Server Engine-Id

    SSE-G2252/SSE-G2252P Switches User’s Manual 6. Specify the target host that will receive inform messages with the snmp-server host command as described in this section. • The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station supports.
  • Page 611 ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users ("snmp-server user" on page 22-13). Example SSE-G2252(config)#snmp-server engine-id local 1234567890 SSE-G2252(config)#snmp-server engineID remote 9876543210 192.168.1.19 SSE-G2252(config)# Related Commands "snmp-server host" on page 22-8 22-11...
  • Page 612: Snmp-Server Group

    SSE-G2252/SSE-G2252P Switches User’s Manual snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}}...
  • Page 613: Snmp-Server User

    Example SSE-G2252(config)#snmp-server group r&d v3 auth write daily SSE-G2252(config)# snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
  • Page 614 SNMP engine ID before you can send proxy requests or informs to it. Example SSE-G2252(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien SSE-G2252(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien...
  • Page 615: Snmp-Server View

    The predefined view “defaultview” includes access to the entire MIB tree. Examples This view includes MIB-2. SSE-G2252(config)#snmp-server view mib-2 1.3.6.1.2.1 included SSE-G2252(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
  • Page 616: Show Snmp Engine-Id

    SSE-G2252/SSE-G2252P Switches User’s Manual show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. SSE-G2252#show snmp engine-id Local SNMP EngineID: 8000002a8000000000e8666672 Local SNMP EngineBoots: 1 Remote SNMP EngineID...
  • Page 617: Show Snmp User

    The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example SSE-G2252#show snmp user 22-17...
  • Page 618: Show Snmp View

    SSE-G2252/SSE-G2252P Switches User’s Manual EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SSE-G2252# Table 22-4.
  • Page 619: Nlm

    Disabling logging with this command does not delete the entries stored in the notification log. Example This example enables the notification logs A1 and A2. SSE-G2252(config)#nlm A1 SSE-G2252(config)#nlm A2 SSE-G2252(config)# snmp-server notify-filter This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 620 SSE-G2252/SSE-G2252P Switches User’s Manual Syntax [no] snmp-server notify-filter profile-name remote ip-address profile-name - Notification log profile name. (Range: 1-32 characters) ip-address - The Internet address of a remote device. The specified target host must already have been configured using the snmp-server host command.
  • Page 621: Show Nlm Oper-Status

    This example first creates an entry for a remote host, and then instructs the switch to record this device as the remote host for the specified notification log. SSE-G2252(config)#snmp-server host 10.1.19.23 batman SSE-G2252(config)#snmp-server notify-filter A1 remote 10.1.19.23 SSE-G2252# show nlm oper-status This command shows the operational status of configured notification logs.
  • Page 622: Show Snmp Notify-Filter

    SSE-G2252/SSE-G2252P Switches User’s Manual show snmp notify-filter This command displays the configured notification logs. Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts. Note that the last entry is a default filter created when a trap host is initially created.
  • Page 623: Chapter 23 Remote Monitoring Commands

    Chapter 23: Remote Monitoring Commands Chapter 23 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 624: Rmon Alarm

    SSE-G2252/SSE-G2252P Switches User’s Manual rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...
  • Page 625: Rmon Event

    Example SSE-G2252(config)#rmon alarm 1 1 1.3.6.1.2.1.16.1.1.1.6.1 15 delta rising-threshold 100 1 falling-threshold 30 1 owner mike SSE-G2252(config)# rmon event This command creates a response event for an alarm.
  • Page 626: Rmon Collection History

    The response to an alarm can include logging the alarm or sending a message to a trap manager. Example SSE-G2252(config)#rmon event 2 log description urgent owner mike SSE-G2252(config)# rmon collection history This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
  • Page 627: Rmon Collection Rmon1

    CRC alignment errors, collisions, drop events, and network utilization. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike SSE-G2252(config-if)# rmon collection rmon1 This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection.
  • Page 628: Show Rmon Alarms

    SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252(config)#interface ethernet 1/1 Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike SSE-G2252(config-if)# show rmon alarms This command shows the settings for all configured alarms. Command Mode Privileged Exec Example SSE-G2252#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds...
  • Page 629 Chapter 23: Remote Monitoring Commands Example SSE-G2252#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01...
  • Page 630: Show Rmon Statistics

    SSE-G2252/SSE-G2252P Switches User’s Manual show rmon statistics This command shows the information collected for all configured entries in the statistics group. Command Mode Privileged Exec Example SSE-G2252#show rmon statistics Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 which has...
  • Page 631: Chapter 24 Authentication Commands

    Chapter 24: Authentication Commands Chapter 24 Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 632: User Accounts

    SSE-G2252/SSE-G2252P Switches User’s Manual 24-1 User Accounts The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 21-24), user authentication via a remote authentication server (Section 24-2: "Authentication Sequence"...
  • Page 633: Username

    Chapter 24: Authentication Commands Example SSE-G2252(config)#enable password level 15 0 admin SSE-G2252(config)# Related Commands "enable" on page 20-3 "authentication enable" on page 24-4 username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level.
  • Page 634: Authentication Sequence

    Example This example shows how to set the access level and password for a user. SSE-G2252(config)#username bob access-level 15 SSE-G2252(config)#username bob password 0 smith SSE-G2252(config)# 24-2 Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access.
  • Page 635 RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked. Example SSE-G2252(config)#authentication enable radius SSE-G2252(config)# Related Commands "enable password" on page 24-2...
  • Page 636: Authentication Login

    SSE-G2252/SSE-G2252P Switches User’s Manual authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login local - Use local password. radius - Use RADIUS server password.
  • Page 637: Radius Client

    This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default. Syntax radius-server acct-port port-number no radius-server acct-port port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535) Default Setting 1813 Command Mode Global Configuration Example SSE-G2252(config)#radius-server acct-port 181 SSE-G2252(config)# 24-7...
  • Page 638: Radius-Server Auth-Port

    SSE-G2252/SSE-G2252P Switches User’s Manual radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
  • Page 639: Radius-Server Host

    - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting auth-port - 1812 acct-port - 1813 timeout - 5 seconds retransmit - 2 Command Mode Global Configuration Example SSE-G2252(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green SSE-G2252(config)# 24-9...
  • Page 640: Radius-Server Key

    SSE-G2252/SSE-G2252P Switches User’s Manual radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key-string no radius-server key key-string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
  • Page 641: Radius-Server Timeout

    RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting Command Mode Global Configuration Example SSE-G2252(config)#radius-server timeout 10 SSE-G2252(config)# 24-11...
  • Page 642: Show Radius-Server

    SSE-G2252/SSE-G2252P Switches User’s Manual show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example SSE-G2252#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number...
  • Page 643: Tacacs+ Client

    Chapter 24: Authentication Commands 24-4 TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 644: Tacacs-Server Key

    SSE-G2252/SSE-G2252P Switches User’s Manual Command Mode Global Configuration Example SSE-G2252(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green SSE-G2252(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax...
  • Page 645: Tacacs-Server Port

    - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting Command Mode Global Configuration Example SSE-G2252(config)#tacacs-server port 181 SSE-G2252(config)# show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode...
  • Page 646: Aaa

    SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252#show tacacs-server Remote TACACS+ server configuration: Global settings: Server Port Number : 49 Server 1: Server IP Address : 192.168.1.25 Server Port Number : 181 Server Time Out : 4 SSE-G2252# 24-5 AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch.
  • Page 647: Aaa Accounting Commands

    Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use. Example SSE-G2252(config)#aaa accounting commands 15 default start-stop group tacacs+ SSE-G2252(config)# 24-17...
  • Page 648: Aaa Accounting Dot1X

    Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use. Example SSE-G2252(config)#aaa accounting dot1x default start-stop group radius SSE-G2252(config)# 24-18...
  • Page 649: Aaa Accounting Exec

    Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use. Example SSE-G2252(config)#aaa accounting exec default start-stop group tacacs+ SSE-G2252(config)# 24-19...
  • Page 650: Aaa Accounting Update

    When accounting updates are enabled, the switch issues periodic interim accounting records for all users on the system. • Using the command without specifying an interim interval enables updates, but does not change the current interval setting. Example SSE-G2252(config)#aaa accounting update periodic 30 SSE-G2252(config)# 24-20...
  • Page 651: Aaa Authorization Exec

    If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined. Example SSE-G2252(config)#aaa authorization exec default group tacacs+ SSE-G2252(config)# 24-21...
  • Page 652: Aaa Group Server

    Default Setting None Command Mode Global Configuration Example SSE-G2252(config)#aaa group server radius tps SSE-G2252(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} index - Specifies the server index.
  • Page 653: Accounting Dot1X

    When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command. Example SSE-G2252(config)#aaa group server radius tps SSE-G2252(config-sg-radius)#server 10.2.68.120 SSE-G2252(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface.
  • Page 654: Accounting Exec

    SSE-G2252/SSE-G2252P Switches User’s Manual accounting exec This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec default - Specifies the default method list created with the aaa accounting exec command.
  • Page 655: Authorization Exec

    - Specifies the default method list created with the aaa authorization exec command. list-name - Specifies a method list created with the aaa authorization exec command. Default Setting None Command Mode Line Configuration Example SSE-G2252(config)#line console SSE-G2252(config-line)#authorization exec tps SSE-G2252(config-line)#exit SSE-G2252(config)#line vty SSE-G2252(config-line)#authorization exec default SSE-G2252(config-line)# 24-25...
  • Page 656: Show Accounting

    SSE-G2252/SSE-G2252P Switches User’s Manual show accounting This command displays the current accounting settings per function and per port. Syntax show accounting [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics] level - Displays command accounting information for a specifiable command level.
  • Page 657: Web Server

    - The TCP port to be used by the browser interface. (Range: 1-65535) Default Setting Command Mode Global Configuration Example SSE-G2252(config)#ip http port 769 SSE-G2252(config)# Related Commands "ip http server" on page 24-28 "show system" on page 21-8 24-27...
  • Page 658: Ip Http Server

    SSE-G2252/SSE-G2252P Switches User’s Manual ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled Command Mode Global Configuration...
  • Page 659 • Connection to the web interface is not supported for HTTPS using an IPv6 link local address. Example SSE-G2252(config)#ip http secure-server SSE-G2252(config)# Related Commands "ip http secure-port" on page 24-30 copy tftp https-certificate on page 21-15 "show system" on page 21-8...
  • Page 660: Ip Http Secure-Port

    SSE-G2252/SSE-G2252P Switches User’s Manual ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
  • Page 661: Telnet Server

    4 sessions Command Mode Global Configuration Command Usage A maximum of four sessions can be concurrently opened for Telnet and Secure Shell (i.e., both Telnet and SSH share a maximum number of four sessions). Example SSE-G2252(config)#ip telnet max-sessions 1 SSE-G2252(config)# 24-31...
  • Page 662: Ip Telnet Port

    SSE-G2252/SSE-G2252P Switches User’s Manual ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface.
  • Page 663: Ip Telnet Server

    Syntax [no] ip telnet server Default Setting Enabled Command Mode Global Configuration Example SSE-G2252(config)#ip telnet server SSE-G2252(config)# show ip telnet This command displays the configuration settings for the Telnet server. Command Mode Normal Exec, Privileged Exec Example SSE-G2252#show ip telnet...
  • Page 664: Secure Shell

    SSE-G2252/SSE-G2252P Switches User’s Manual 24-8 Secure Shell This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
  • Page 665 Chapter 24: Authentication Commands To use the SSH server, complete these steps: 1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 666 SSE-G2252/SSE-G2252P Switches User’s Manual Authenticating SSH v1.5 Clients a. The client sends its RSA public key to the switch. b. The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it...
  • Page 667: Ip Ssh Authentication-Retries

    – The number of authentication attempts permitted after which the interface is reset. (Range: 1-5) Default Setting Command Mode Global Configuration Example SSE-G2252(config)#ip ssh authentication-retries 2 SSE-G2252(config)# Related Commands "show ip ssh" on page 24-43 24-37...
  • Page 668: Ip Ssh Server

    DES (56-bit) or 3DES (168-bit) for data encryption. • You must generate DSA and RSA host keys before enabling the SSH server. Example SSE-G2252#ip ssh crypto host-key generate dsa SSE-G2252#configure SSE-G2252(config)#ip ssh server SSE-G2252(config)# Related Commands "ip ssh crypto host-key generate"...
  • Page 669: Ip Ssh Server-Key Size

    Global Configuration Command Usage The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits. Example SSE-G2252(config)#ip ssh server-key size 512 SSE-G2252(config)# 24-39...
  • Page 670: Ip Ssh Timeout

    SSE-G2252/SSE-G2252P Switches User’s Manual ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
  • Page 671: Ip Ssh Crypto Host-Key Generate

    • The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it. Example SSE-G2252#ip ssh crypto host-key generate dsa SSE-G2252# 24-41...
  • Page 672: Ip Ssh Crypto Zeroize

    • The SSH server must be disabled before you can execute this command. Example SSE-G2252#ip ssh crypto zeroize dsa SSE-G2252# Related Commands "ip ssh crypto host-key generate" on page 24-41 "ip ssh save host-key" on page 24-43 "ip ssh server"...
  • Page 673: Ip Ssh Save Host-Key

    Default Setting Saves both the DSA and RSA key. Command Mode Privileged Exec Example SSE-G2252#ip ssh save host-key dsa SSE-G2252# Related Commands "ip ssh crypto host-key generate" on page 24-41 show ip ssh This command displays the connection settings used when authenticating client access to the SSH server.
  • Page 674: Show Public-Key

    SSE-G2252/SSE-G2252P Switches User’s Manual show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys.
  • Page 675 Chapter 24: Authentication Commands Command Mode Privileged Exec Example SSE-G2252#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 SSE-G2252# Table 24-12. show ssh - Display Description Field Description Session The session number. (Range: 0-3) Version The Secure Shell version number.
  • Page 676: Port Authentication

    SSE-G2252/SSE-G2252P Switches User’s Manual 24-9 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 677: Dot1X Default

    This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example SSE-G2252(config)#dot1x default SSE-G2252(config)# dot1x eapol-pass-through This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
  • Page 678: Dot1X System-Auth-Control

    SSE-G2252/SSE-G2252P Switches User’s Manual Example This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state. SSE-G2252(config)#dot1x eapol-pass-through SSE-G2252(config)# dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
  • Page 679: Dot1X Max-Req

    VLAN for the port (see the network-access guest-vlan command). Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x intrusion-action guest-vlan SSE-G2252(config-if)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 680: Dot1X Operation-Mode

    The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses). Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x operation-mode multi-host max-count 10 SSE-G2252(config-if)# 24-50...
  • Page 681: Dot1X Port-Control

    – Configures the port to grant access to all clients, either dot1x-aware or otherwise. force-unauthorized – Configures the port to deny access to all clients, either dot1x-aware or otherwise. Default force-authorized Command Mode Interface Configuration Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x port-control auto SSE-G2252(config-if)# 24-51...
  • Page 682: Dot1X Re-Authentication

    SSE-G2252/SSE-G2252P Switches User’s Manual dot1x re-authentication This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
  • Page 683: Dot1X Timeout Quiet-Period

    Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of seconds. (Range: 1-65535) Default 60 seconds Command Mode Interface Configuration Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x timeout quiet-period 350 SSE-G2252(config-if)# 24-53...
  • Page 684: Dot1X Timeout Re-Authperiod

    SSE-G2252/SSE-G2252P Switches User’s Manual dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds.
  • Page 685: Dot1X Timeout Supp-Timeout

    It may also send other EAP-request frames to the client during an active connection as required for reauthentication. Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x timeout supp-timeout 300 SSE-G2252(config-if)# 24-55...
  • Page 686: Dot1X Timeout Tx-Period

    SSE-G2252/SSE-G2252P Switches User’s Manual dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
  • Page 687: Dot1X Re-Authenticate

    The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked. Example SSE-G2252#dot1x re-authenticate SSE-G2252# 24-57...
  • Page 688: Dot1X Identity Profile

    MD5 challenge from the authenticator. These parameters must be set when this switch passes client authentication requests to another authenticator on the network (see "dot1x pae supplicant" on page 24-60). Example SSE-G2252(config)#dot1x identity profile username steve SSE-G2252(config)#dot1x identity profile password excess SSE-G2252(config)# 24-58...
  • Page 689: Dot1X Max-Start

    Syntax dot1x max-start count no dot1x max-start count - Specifies the maximum number of EAP start frames. (Range: 1-65535) Default Command Mode Interface Configuration Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x max-start 10 SSE-G2252(config-if)# 24-59...
  • Page 690: Dot1X Pae Supplicant

    SSE-G2252/SSE-G2252P Switches User’s Manual dot1x pae supplicant This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port. Syntax [no] dot1x pae supplicant Default Disabled Command Mode Interface Configuration Command Usage •...
  • Page 691: Dot1X Timeout Auth-Period

    - The number of seconds. (Range: 1-65535) Default 30 seconds Command Mode Interface Configuration Command Usage This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL-Start. Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x timeout auth-period 60 SSE-G2252(config-if)# 24-61...
  • Page 692: Dot1X Timeout Held-Period

    SSE-G2252/SSE-G2252P Switches User’s Manual dot1x timeout held-period This command sets the time that a supplicant port waits before resending its credentials to find a new authenticator. Use the no form to reset the default. Syntax dot1x timeout held-period seconds no dot1x timeout held-period seconds - The number of seconds.
  • Page 693: Dot1X Timeout Start-Period

    Use the no form to restore the default setting. Syntax dot1x timeout start-period seconds no dot1x timeout start-period seconds - The number of seconds. (Range: 1-65535) Default 30 seconds Command Mode Interface Configuration Example SSE-G2252(config)#interface eth 1/2 SSE-G2252(config-if)#dot1x timeout start-period 60 SSE-G2252(config-if)# 24-63...
  • Page 694: Show Dot1X

    SSE-G2252/SSE-G2252P Switches User’s Manual show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] statistics - Displays dot1x status for each port. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 695 Chapter 24: Authentication Commands • Reauth Period – Time after which a connected client must be re-authenticated ("dot1x timeout re-authperiod" on page 24-54). • Quiet Period – Time a port waits after Max Request Count is exceeded before attempting to acquire a new client ("Related Commands"...
  • Page 696 SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252#show dot1x Global 802.1X Parameters System Auth Control : Enabled Authenticator Parameters: EAPOL Pass Through : Disabled Supplicant Parameters: Identity Profile Username : steve 802.1X Port Summary Port Type Operation Mode Control Mode Authorized -------- ------------- -------------- ------------------ ----------...
  • Page 697: Management

    Chapter 24: Authentication Commands State : Initialize SSE-G2252# 24-10 Management IP Filter This section describes commands used to configure IP management access to the switch. Table 24-14. Management IP Filter Commands Command Function Mode management Configures IP addresses that are allowed management access...
  • Page 698 SSE-G2252/SSE-G2252P Switches User’s Manual • IP address can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. • When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges.
  • Page 699: Show Management

    - Displays IP addresses for the web group. snmp-client - Displays IP addresses for the SNMP group. telnet-client - Displays IP addresses for the Telnet group. Command Mode Privileged Exec Example SSE-G2252#show management all-client Management Ip Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- 1.
  • Page 700 SSE-G2252/SSE-G2252P Switches User’s Manual Notes 24-70...
  • Page 701: Chapter 25 General Security Measures

    Chapter 25: General Security Measures Chapter 25 General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
  • Page 702: Port Security

    SSE-G2252/SSE-G2252P Switches User’s Manual 25-1 Port Security These commands can be used to configure the maximum number of device MAC addresses that can be learned by a switch port, and to enable port security on a port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 703 Cannot be a trunk port. Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#port security action trap Related Commands "show interfaces status" on page 27-15 25-3...
  • Page 704: Network Access (Mac Address Authentication)

    SSE-G2252/SSE-G2252P Switches User’s Manual "shutdown" on page 27-10 "mac-address-table static" on page 33-2 25-2 Network Access (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 705: Network-Access Aging

    MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 24-50). • The maximum number of secure MAC addresses supported for the switch system is 1024. Example SSE-G2252(config-if)#network-access aging SSE-G2252(config-if)# 25-5...
  • Page 706: Network-Access Mac-Filter

    SSE-G2252/SSE-G2252P Switches User’s Manual network-access mac-filter Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address. Syntax [no] network-access mac-filter filter-id mac-address mac-address [mask mask-address] filter-id - Specifies a MAC address filter table.
  • Page 707: Mac-Authentication Reauth-Time

    The reauthentication time is a global setting and applies to all ports. • When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected. Example SSE-G2252(config)#mac-authentication reauth-time 300 SSE-G2252(config)# 25-7...
  • Page 708: Network-Access Dynamic-Qos

    SSE-G2252/SSE-G2252P Switches User’s Manual network-access dynamic-qos Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. Syntax [no] network-access dynamic-qos Default Setting Disabled Command Mode Interface Configuration Command Usage •...
  • Page 709: Network-Access Dynamic-Vlan

    Chapter 25: General Security Measures Example The following example enables the dynamic QoS feature on port 1. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#network-access dynamic-qos SSE-G2252(config-if)# network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
  • Page 710: Network-Access Guest-Vlan

    SSE-G2252/SSE-G2252P Switches User’s Manual network-access guest-vlan Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment. Syntax network-access guest-vlan vlan-id...
  • Page 711: Network-Access Link-Detection Link-Down

    - Disable port only. trap - Issue SNMP trap message only. trap-and-shutdown - Issue SNMP trap message and disable the port. Default Setting Disabled Command Mode Interface Configuration Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#network-access link-detection link-down action trap SSE-G2252(config-if)# 25-11...
  • Page 712: Network-Access Link-Detection Link-Up

    Command Mode Interface Configuration Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#network-access link-detection link-up action trap SSE-G2252(config-if)# network-access link-detection link-up-down Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 713: Network-Access Max-Mac-Count

    Disabled Command Mode Interface Configuration Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#network-access link-detection link-up-down action trap SSE-G2252(config-if)# network-access max-mac-count Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
  • Page 714: Network-Access Mode Mac-Authentication

    SSE-G2252/SSE-G2252P Switches User’s Manual network-access mode mac-authentication Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication. Syntax [no] network-access mode mac-authentication Default Setting Disabled Command Mode...
  • Page 715: Network-Access Port-Mac-Filter

    • Only one filter table can be assigned to a port. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#network-access port-mac-filter 1 SSE-G2252(config-if)# mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
  • Page 716: Mac-Authentication Max-Mac-Count

    SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252(config-if)#mac-authentication intrusion-action block-traffic SSE-G2252(config-if)# mac-authentication max-mac-count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.
  • Page 717: Clear Network-Access

    Chapter 25: General Security Measures clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] static - Specifies static address entries. dynamic - Specifies dynamic address entries. mac-address - Specifies a MAC address entry.
  • Page 718: Show Network-Access

    - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) Default Setting Displays the settings for all interfaces. Command Mode Privileged Exec Example SSE-G2252#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- -------------------------------------------------- Port : 1/1...
  • Page 719: Show Network-Access Mac-Address-Table

    “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out. Example SSE-G2252#show network-access mac-address-table ---- ----------------- --------------- --------- Port MAC-Address RADIUS-Server...
  • Page 720: Show Network-Access Mac-Filter

    SSE-G2252/SSE-G2252P Switches User’s Manual show network-access mac-filter Use this command to display information for entries in the MAC filter tables. Syntax show network-access mac-filter [filter-id] filter-id - Specifies a MAC address filter table. (Range: 1-64) Default Setting Displays all filters.
  • Page 721: Web-Auth Login-Attempts

    Use the no form to restore the default. Syntax web-auth login-attempts count no web-auth login-attempts count - The limit of allowed failed login attempts. (Range: 1-3) Default Setting 3 login attempts Command Mode Global Configuration Example SSE-G2252(config)#web-auth login-attempts 2 SSE-G2252(config)# 25-21...
  • Page 722: Web-Auth Quiet-Period

    SSE-G2252/SSE-G2252P Switches User’s Manual web-auth quiet-period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
  • Page 723: Web-Auth System-Auth-Control

    Chapter 25: General Security Measures Example SSE-G2252(config)#web-auth session-timeout 1800 SSE-G2252(config)# web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration...
  • Page 724: Web-Auth

    SSE-G2252/SSE-G2252P Switches User’s Manual web-auth This command enables web authentication for an interface. Use the no form to restore the default. Syntax [no] web-auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
  • Page 725: Web-Auth Re-Authenticate (Ip)

    - This is unit 1. port - Port number. (Range: 1-52) ip - IPv4 formatted IP address Default Setting None Command Mode Privileged Exec Example SSE-G2252#web-auth re-authenticate interface ethernet 1/2 192.168.1.5 Failed to reauth port. SSE-G2252# 25-25...
  • Page 726: Show Web-Auth

    - Specifies a port interface. ethernet unit/port unit - This is unit 1. port - Port number. (Range: 1-52) Command Mode Privileged Exec Example SSE-G2252#show web-auth interface ethernet 1/2 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ---------------------- 1.1.1.1...
  • Page 727: Show Web-Auth Summary

    Chapter 25: General Security Measures show web-auth summary This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example SSE-G2252#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count...
  • Page 728: Dhcp Snooping

    SSE-G2252/SSE-G2252P Switches User’s Manual 25-4 DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
  • Page 729 Chapter 25: General Security Measures Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by ip dhcp snooping vlan command, DHCP messages received on an untrusted...
  • Page 730: Ip Dhcp Snooping Database Flash

    These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid. Example SSE-G2252(config)#ip dhcp snooping database flash SSE-G2252(config)# 25-30...
  • Page 731: Ip Dhcp Snooping Information Option

    • Use the ip dhcp snooping information option command to specify how to handle DHCP client request packets which already contain Option 82 information. Example This example enables the DHCP Snooping Information Option. SSE-G2252(config)#ip dhcp snooping information option SSE-G2252(config)# 25-31...
  • Page 732: Ip Dhcp Snooping Information Policy

    82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information. Example SSE-G2252(config)#ip dhcp snooping information policy drop SSE-G2252(config)# 25-32...
  • Page 733: Ip Dhcp Snooping Verify Mac-Address

    DHCP packet, the packet is dropped. Example This example enables MAC address verification. SSE-G2252(config)#ip dhcp snooping verify mac-address SSE-G2252(config)# Related Commands "ip dhcp snooping" on page 25-28 "ip dhcp snooping vlan"...
  • Page 734: Ip Dhcp Snooping Vlan

    If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table. Example This example enables DHCP snooping for VLAN 1. SSE-G2252(config)#ip dhcp snooping vlan 1 SSE-G2252(config)# Related Commands "ip dhcp snooping" on page 25-28 "ip dhcp snooping trust"...
  • Page 735: Ip Dhcp Snooping Trust

    DHCP server must be configured as trusted. Example This example sets port 5 to untrusted. SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#no ip dhcp snooping trust SSE-G2252(config-if)# Related Commands "ip dhcp snooping" on page 25-28 "ip dhcp snooping vlan" on page 25-34...
  • Page 736: Clear Ip Dhcp Snooping Database Flash

    This command removes all dynamically learned snooping entries from flash memory. Command Mode Privileged Exec Example SSE-G2252#clear ip dhcp snooping database flash SSE-G2252# show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode...
  • Page 737: Show Ip Dhcp Snooping Binding

    Chapter 25: General Security Measures show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example SSE-G2252#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- ------ 11-22-33-44-55-66 192.168.0.99...
  • Page 738: Ip Source-Guard Binding

    SSE-G2252/SSE-G2252P Switches User’s Manual ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id mac-address - A valid unicast MAC address.
  • Page 739: Ip Source-Guard

    Chapter 25: General Security Measures Example This example configures a static source-guard binding on port 5. SSE-G2252(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 SSE-G2252(config-if)# Related Commands "ip source-guard" on page 25-39 "ip dhcp snooping" on page 25-28 "ip dhcp snooping vlan"...
  • Page 740 SSE-G2252/SSE-G2252P Switches User’s Manual • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 741: Ip Source-Guard Max-Binding

    DHCP snooping and static entries set by the ip source-guard command. Example This example sets the maximum number of allowed entries in the binding table for port 5 to one entry. SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#ip source-guard max-binding 1 SSE-G2252(config-if)# 25-41...
  • Page 742: Show Ip Source-Guard

    SSE-G2252/SSE-G2252P Switches User’s Manual show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example SSE-G2252#show ip source-guard Interface Filter-type Max-binding --------- ----------- ----------- Eth 1/1 DISABLED Eth 1/2 DISABLED...
  • Page 743: Arp Inspection

    Chapter 25: General Security Measures 25-6 ARP Inspection ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.
  • Page 744: Ip Arp Inspection

    SSE-G2252/SSE-G2252P Switches User’s Manual ip arp inspection This command enables ARP Inspection globally on the switch. Use the no form to disable this function. Syntax [no] ip arp inspection Default Setting Disabled Command Mode Global Configuration Command Usage • When ARP Inspection is enabled globally with this command, it becomes active only...
  • Page 745: Ip Arp Inspection Filter

    If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database. Example SSE-G2252(config)#ip arp inspection filter sales vlan 1 SSE-G2252(config)# 25-45...
  • Page 746: Ip Arp Inspection Log-Buffer Logs

    The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer. Example SSE-G2252(config)#ip arp inspection log-buffer logs 1 interval 10 SSE-G2252(config)# 25-46...
  • Page 747: Ip Arp Inspection Validate

    No additional validation is performed Command Mode Global Configuration Command Usage By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database. Example SSE-G2252(config)#ip arp inspection validate dst-mac SSE-G2252(config)# 25-47...
  • Page 748: Ip Arp Inspection Vlan

    • When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again. Example SSE-G2252(config)#ip arp inspection vlan 1,2 SSE-G2252(config)# 25-48...
  • Page 749: Ip Arp Inspection Limit

    This command only applies to untrusted ports. • When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#ip arp inspection limit 150 SSE-G2252(config-if)# 25-49...
  • Page 750: Ip Arp Inspection Trust

    This command displays the global configuration settings for ARP Inspection. Command Mode Privileged Exec Example SSE-G2252#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval : 10 s...
  • Page 751: Show Ip Arp Inspection Interface

    [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) Command Mode Privileged Exec Example SSE-G2252#show ip arp inspection interface ethernet 1/1 Port Number Trust Status Limit Rate (pps) ------------- -------------------- ------------------------------ Eth 1/1...
  • Page 752: Privileged Exec

    SSE-G2252/SSE-G2252P Switches User’s Manual Command Mode Privileged Exec Example SSE-G2252#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address Dst MAC Address --- ---- ---- -------------- --------------...
  • Page 753: Show Ip Arp Inspection Vlan

    - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma. Command Mode Privileged Exec Example SSE-G2252#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status...
  • Page 754 SSE-G2252/SSE-G2252P Switches User’s Manual Notes 25-54...
  • Page 755: Chapter 26 Access Control Lists

    Chapter 26: Access Control Lists Chapter 26 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type), or any frames (based on MAC address or Ethernet type).
  • Page 756: Access-List Ip

    SSE-G2252/SSE-G2252P Switches User’s Manual access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard –...
  • Page 757: Permit, Deny, Redirect-To (Standard Ip Acl)

    Chapter 26: Access Control Lists permit, deny, redirect-to (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax {permit | deny | redirect-to interface} {any | source bitmask | host source}...
  • Page 758: Permit, Deny, Redirect-To (Extended Ipv4 Acl)

    SSE-G2252/SSE-G2252P Switches User’s Manual Example This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. SSE-G2252(config-std-acl)#permit host 10.1.1.21 SSE-G2252(config-std-acl)#permit 168.92.16.0 255.255.240.0 SSE-G2252(config-std-acl)# Related Commands "access-list ip" on page 26-2 "time-range"...
  • Page 759 Chapter 26: Access Control Lists no {permit | deny | redirect-to interface} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [tos tos] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] [control-flag control-flags flag-bitmask] interface ethernet unit/port unit - Unit identifier.
  • Page 760 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • All new rules are appended to the end of the list. • Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 761 SSE-G2252(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80 SSE-G2252(config-ext-acl)# This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” SSE-G2252(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 SSE-G2252(config-ext-acl)# Related Commands "access-list ip" on page 26-2 "time-range"...
  • Page 762: Ip Access-Group

    SSE-G2252/SSE-G2252P Switches User’s Manual ip access-group This command binds an IPv4 ACL to a port. Use the no form to remove the port. Syntax ip access-group acl-name in [time-range time-range-name] no ip access-group acl-name in acl-name – Name of the ACL. (Maximum length: 16 characters) in –...
  • Page 763: Show Ip Access-List

    – Specifies a standard IP ACL. extended – Specifies an extended IP ACL. acl-name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example SSE-G2252#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 SSE-G2252# Related Commands "permit, deny, redirect-to (Standard IP ACL)"...
  • Page 764: Ipv6 Acls

    SSE-G2252/SSE-G2252P Switches User’s Manual 26-2 IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, and next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 765: Access-List Ipv6

    Chapter 26: Access Control Lists access-list ipv6 This command adds an IP access list and enters configuration mode for standard or extended IPv6 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ipv6 {standard | extended} acl-name standard –...
  • Page 766: Permit, Deny, Redirect-To (Standard Ipv6 Acl)

    SSE-G2252/SSE-G2252P Switches User’s Manual permit, deny, redirect-to (Standard IPv6 ACL) This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
  • Page 767: Permit, Deny, Redirect-To (Extended Ipv6 Acl)

    Chapter 26: Access Control Lists Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64. Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79 Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64 Console(config-std-ipv6-acl)# Related Commands "access-list ipv6" on page 26-11 "time-range"...
  • Page 768 SSE-G2252/SSE-G2252P Switches User’s Manual destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 769: Show Ipv6 Access-List

    Chapter 26: Access Control Lists Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8 Console(config-ext-ipv6-acl)# This allows packets to any destination address when the DSCP value is 5. Console(config-ext-ipv6-acl)#permit any dscp 5 Console(config-ext-ipv6-acl)# This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# Related Commands...
  • Page 770: Ipv6 Access-Group

    SSE-G2252/SSE-G2252P Switches User’s Manual ipv6 access-group This command binds a port to an IPv6 ACL. Use the no form to remove the port. Syntax ipv6 access-group acl-name in [time-range time-range-name] no ipv6 access-group acl-name in acl-name – Name of the ACL. (Maximum length: 16 characters) in –...
  • Page 771: Show Ipv6 Access-Group

    Chapter 26: Access Control Lists show ipv6 access-group This command shows the ports assigned to IPv6 ACLs. Command Mode Privileged Exec Example Console#show ipv6 access-group Interface ethernet 1/2 IPv6 standard access-list david in Console# Related Commands "ipv6 access-group" on page 26-16 26-3 MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
  • Page 772: Access-List Mac

    SSE-G2252/SSE-G2252P Switches User’s Manual access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl-name acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other...
  • Page 773: Permit, Deny, Redirect-To (Mac Acl)

    Chapter 26: Access Control Lists permit, deny, redirect-to (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax {permit | deny | redirect-to interface} {any | host source | source address-bitmask}...
  • Page 774 SSE-G2252/SSE-G2252P Switches User’s Manual no {permit | deny | redirect-to interface} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny | redirect-to interface} untagged-802.3 {any | host source | source address-bitmask}...
  • Page 775 8137 - IPX Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. SSE-G2252(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 SSE-G2252(config-mac-acl)# Related Commands "access-list mac" on page 26-18 "time-range" on page 21-60...
  • Page 776: Mac Access-Group

    SSE-G2252/SSE-G2252P Switches User’s Manual mac access-group This command binds a MAC ACL to a port. Use the no form to remove the port. Syntax mac access-group acl-name in [time-range time-range-name] acl-name – Name of the ACL. (Maximum length: 16 characters) in –...
  • Page 777: Show Mac Access-Group

    Chapter 26: Access Control Lists show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example SSE-G2252#show mac access-group Interface ethernet 1/5 MAC access-list M5 in SSE-G2252# Related Commands mac access-group show mac access-list This command displays the rules for configured MAC ACLs.
  • Page 778: Access-List Arp

    SSE-G2252/SSE-G2252P Switches User’s Manual Table 26-6. ARP ACL Commands Command Function Mode access-list arp Creates an ARP ACL and enters configuration mode permit, deny (ARP ACL) Filters packets matching a specified source or destination address in ARP messages ARP-ACL show arp access-list...
  • Page 779: Permit, Deny (Arp Acl)

    Chapter 26: Access Control Lists permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. Syntax [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 780: Show Arp Access-List

    SSE-G2252/SSE-G2252P Switches User’s Manual Example This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. SSE-G2252(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any SSE-G2252(config-mac-acl)# Related Commands "access-list arp" on page 26-24 show arp access-list This command displays the rules for configured ARP ACLs.
  • Page 781: Acl Information

    Shows the ACLs assigned to each port show access-list Show all ACLs and associated rules show access-group This command shows the port assignments of ACLs. Command Mode Privileged Executive Example SSE-G2252#show access-group Interface ethernet 1/2 IP access-list david MAC access-list jerry SSE-G2252# 26-27...
  • Page 782: Show Access-List

    SSE-G2252/SSE-G2252P Switches User’s Manual show access-list This command shows all ACLs and associated rules. Syntax show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization]] arp – Shows ingress or egress rules for ARP ACLs.
  • Page 783: Chapter 27 Interface Commands

    Chapter 27: Interface Commands Chapter 27 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 27-1. Interface Commands Command Function Mode Interface Configuration Configures an interface type and enters interface...
  • Page 784: Interface

    SSE-G2252/SSE-G2252P Switches User’s Manual Table 27-1. Interface Commands (Continued) Command Function Mode Power Savings power-save Enables power savings mode on the specified port show power-save Shows the configuration settings for power savings Enabling hardware-level storm control with this command on a port will disable...
  • Page 785: Alias

    Chapter 27: Interface Commands Example To specify port 4, enter the following command: SSE-G2252(config)#interface ethernet 1/4 SSE-G2252(config-if)# alias This command configures an alias name for the interface. Use the no form to remove the alias name. Syntax alias string no alias string - A mnemonic name to help you remember what is attached to this interface.
  • Page 786: Capabilities

    SSE-G2252/SSE-G2252P Switches User’s Manual capabilities This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values. Syntax...
  • Page 787: Description

    An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name. Example The following example adds a description to port 4. SSE-G2252(config)#interface ethernet 1/4 SSE-G2252(config-if)#description RD-SW#3 SSE-G2252(config-if)# 27-5...
  • Page 788: Flowcontrol

    SSE-G2252/SSE-G2252P Switches User’s Manual flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 789: Giga-Phy-Mode

    Chapter 27: Interface Commands giga-phy-mode This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports. Use the no form to restore the default mode. Syntax giga-phy-mode mode no giga-phy-mode mode master - Sets the selected port as master. slave - Sets the selected port as slave.
  • Page 790: Media-Type

    SFP port has a valid link. Default Setting RJ-45: copper-forced Combination: sfp-preferred-auto Command Mode Interface Configuration (Ethernet - Ports 49-52 on the SSE-G2252/P) Example This forces the switch to use the built-in RJ-45 port for the combination port 50. SSE-G2252(config)#interface ethernet 1/50 SSE-G2252(config-if)#media-type copper-forced...
  • Page 791: Negotiation

    • If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example The following example configures port 11 to use auto-negotiation. SSE-G2252(config)#interface ethernet 1/11 SSE-G2252(config-if)#negotiation SSE-G2252(config-if)# Related Commands "capabilities" on page 27-4 "speed-duplex" on page 27-10...
  • Page 792: Shutdown

    SSE-G2252/SSE-G2252P Switches User’s Manual shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved.
  • Page 793 To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. Example The following example configures port 5 to 100 Mbps, half-duplex operation. SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#speed-duplex 100half SSE-G2252(config-if)#no negotiation SSE-G2252(config-if)# Related Commands "negotiation"...
  • Page 794: Switchport Packet-Rate

    SSE-G2252/SSE-G2252P Switches User’s Manual switchport packet-rate This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting. Syntax switchport {broadcast | multicast | unicast} packet-rate rate no switchport {broadcast | multicast | unicast} broadcast - Specifies storm control for broadcast traffic.
  • Page 795: Clear Counters

    Example The following shows how to configure broadcast storm control at 600 kilobits per second: SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#switchport broadcast packet-rate 600 SSE-G2252(config-if)# clear counters This command clears statistics on an interface. Syntax clear counters interface...
  • Page 796: Show Interfaces Counters

    If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" on page 6-13. Example SSE-G2252#show interfaces counters ethernet 1/17 Ethernet 1/ 17 ===== IF table Stats ===== 2166458 Octets Input 14734059 Octets Output 14707 Unicast Input...
  • Page 797: Show Interfaces Status

    0 Packets input per second 0.00 % Input utilization 0 Octets output per second 0 Packets output per second 0.00 % Output utilization SSE-G2252# show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface]...
  • Page 798: Show Interfaces Switchport

    If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Displaying Connection Status" on page 6-6. Example SSE-G2252#show interfaces status ethernet 1/21 Information of Eth 1/21 Basic Information: Port Type : 100TX...
  • Page 799 Chapter 27: Interface Commands Syntax show interfaces switchport [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-12) Default Setting Shows all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
  • Page 800 SSE-G2252/SSE-G2252P Switches User’s Manual Example This example shows the configuration setting for port 21. SSE-G2252#show interfaces switchport ethernet 1/21 Information of Eth 1/21 Broadcast Threshold : Enabled, 500 packets/second Multicast Threshold : Disabled Unknown Unicast Threshold : Disabled LACP Status...
  • Page 801: Show Interfaces Transceiver

    Chapter 27: Interface Commands Table 27-2. show interfaces switchport - Display Description (Continued) Field Description Forbidden VLAN Shows the VLANs this interface cannot dynamically join via GVRP (page 35-4). 802.1Q-tunnel Status Shows if 802.1Q tunnel is enabled on this interface (page 35-21).
  • Page 802: Test Cable-Diagnostics

    SSE-G2252/SSE-G2252P Switches User’s Manual Example Console#show interfaces transceiver ethernet 1/25 SFP Information of Ethernet 1/25 Identifier : Unknown or unspecified Connector : LC Transceiver: Gigabit Ethernet Compliance Codes: 1000BASE-SX Fibre Channel link length: intermediate distance(I) Fibre Channel transmitter technology: Shortwave laser w/o OFC(SN)
  • Page 803 To ensure more accurate measurement of the length to a fault, first disable power-saving mode (using the no power-save command) on the link partner before running cable diagnostics. Example SSE-G2252#test cable-diagnostics interface ethernet 1/23 SSE-G2252#show cable-diagnostics interface ethernet 1/23 Port Type Link Status Pair A (meters) Pair B (meters) Last Update...
  • Page 804: Show Cable-Diagnostics

    For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters. For link-up ports, the accuracy is +/- 10 meters. Example SSE-G2252#show cable-diagnostics interface ethernet 1/23 SSE-G2252#show cable-diagnostics interface e 1/23 Port Type Link Status Pair A (meters)
  • Page 805 NOTE: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#power-save SSE-G2252(config-if)# 27-23...
  • Page 806: Show Power-Save

    This command shows the configuration settings for power savings. Syntax show power-save [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) Command Mode Privileged Exec Example SSE-G2252#show power-save interface ethernet 1/4 Power Saving Status : Enabled SSE-G2252# 27-24...
  • Page 807: Chapter 28 Link Aggregation Commands

    Chapter 28: Link Aggregation Commands Chapter 28 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 808: Channel-Group

    SSE-G2252/SSE-G2252P Switches User’s Manual • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. • All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
  • Page 809: Lacp

    Chapter 28: Link Aggregation Commands Example The following example creates trunk 1 and then adds port 11: SSE-G2252(config)#interface port-channel 1 SSE-G2252(config-if)#exit SSE-G2252(config)#interface ethernet 1/11 SSE-G2252(config-if)#channel-group 1 SSE-G2252(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
  • Page 810 Trunk1 has been established. SSE-G2252(config)#interface ethernet 1/10 SSE-G2252(config-if)#lacp SSE-G2252(config-if)#interface ethernet 1/11 SSE-G2252(config-if)#lacp SSE-G2252(config-if)#interface ethernet 1/12 SSE-G2252(config-if)#lacp SSE-G2252(config-if)#end SSE-G2252#show interfaces status port-channel 1 Information of Trunk 1 Basic Information: Port Type : 100TX MAC Address : 12-34-12-34-12-3F Configuration:...
  • Page 811: Lacp Admin-Key (Ethernet Interface)

    Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state. Example SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#lacp actor admin-key 120 SSE-G2252(config-if)# 28-5...
  • Page 812: Lacp Port-Priority

    SSE-G2252/SSE-G2252P Switches User’s Manual lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link.
  • Page 813: Lacp System-Priority

    Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner. Example SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#lacp actor system-priority 3 SSE-G2252(config-if)# 28-7...
  • Page 814: Lacp Admin-Key (Port Channel)

    SSE-G2252/SSE-G2252P Switches User’s Manual lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
  • Page 815: Show Lacp

    - Configuration settings and operational state for remote side. sys-id - Summary of system priority and MAC address for all channel groups. Default Setting Port Channel: all Command Mode Privileged Exec Example SSE-G2252#show lacp 1 counters Port Channel: 1 --------------------------------------------------------------- Eth 1/ 2 --------------------------------------------------------------- LACPDUs Sent : 12...
  • Page 816 SSE-G2252/SSE-G2252P Switches User’s Manual Table 28-2. show lacp counters - Display Description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received on this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group.
  • Page 817 Chapter 28: Link Aggregation Commands Table 28-3. show lacp internal - Display Description Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information.
  • Page 818 SSE-G2252/SSE-G2252P Switches User’s Manual SSE-G2252#show lacp 1 neighbors Port Channel 1 neighbors ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-12-CF-61-24-2F Partner Admin Port Number : 1 Partner Oper Port Number...
  • Page 819 Chapter 28: Link Aggregation Commands SSE-G2252#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 Table 28-5.
  • Page 821: Chapter 29 Power Over Ethernet Commands

    Chapter 29 Power Over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-48 on the SSE-G2252P. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
  • Page 822 Command Usage • The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Fast Ethernet or Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device.
  • Page 823: Power Inline

    Chapter 29: Power Over Ethernet Commands power inline This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port, or the no form with the time-range keyword to remove the time range settings.
  • Page 824: Power Inline Maximum Allocation

    SSE-G2252/SSE-G2252P Switches User’s Manual power inline maximum allocation This command limits the power allocated to specific ports. Use the no form to restore the default setting. Syntax power inline maximum allocation milliwatts no power inline maximum allocation milliwatts - The maximum power budget for the port. (Range: 3000 - 34200...
  • Page 825 Chapter 29: Power Over Ethernet Commands Default Setting 3 (low) Command Mode Interface Configuration Command Usage • If the power demand from devices connected to the switch exceeds the power budget setting as determined during bootup, the switch uses port power priority settings to control the supplied power.
  • Page 826: Power Inline Time-Range

    SSE-G2252/SSE-G2252P Switches User’s Manual power inline time-range This command binds a time-range to a port during which PoE is supplied to the attached device. Use the no form to remove this binding. Syntax power inline time-range time-range-name no power inline time-range time-range-name - Name of the time range.
  • Page 827 Chapter 29: Power Over Ethernet Commands Unit: 1 Compatible mode : Enabled Time Used Interface Admin Range Oper Power Power Priority --------- -------- -------- ---- -------- -------- -------- Eth 1/ 1 Enabled Off 34200 mW 0 mW Eth 1/ 2 Enabled Off 34200 mW 0 mW...
  • Page 828: Show Power Inline Time-Range

    SSE-G2252/SSE-G2252P Switches User’s Manual show power inline time-range This command displays the time-range and current status for specific ports or for all ports. Syntax show power inline time-range time-range-name [interface] time-range-name - Name of the time range. (Range: 1-30 characters)
  • Page 829: Show Power Poe

    Chapter 29: Power Over Ethernet Commands show power poe Use this command to display the current power status for the switch. Command Mode Privileged Exec Example SSE-G2252P#show power poe Unit 1 PoE Status PoE Maximum Available Power : 400 Watts System Operation Status : Off PoE Power Consumption...
  • Page 831: Chapter 30 Port Mirroring Commands

    Chapter 30 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe.
  • Page 832: Port Monitor

    SSE-G2252/SSE-G2252P Switches User’s Manual port monitor This command configures a mirror session. Use the no form to clear a mirror session. Syntax port monitor [interface [rx | tx | both] | vlan vlan-id | mac-address mac-address] no port monitor interface...
  • Page 833 You can create multiple mirror sessions, but all sessions must share the same destination port. Example The following example configures the switch to mirror all packets from port 6 to 11: SSE-G2252(config)#interface ethernet 1/11 SSE-G2252(config-if)#port monitor ethernet 1/6 both SSE-G2252(config-if)# 30-3...
  • Page 834: Show Port Monitor

    SSE-G2252/SSE-G2252P Switches User’s Manual show port monitor This command displays mirror information. Syntax show port monitor [interface | vlan vlan-id | mac-address mac-address] interface - ethernet unit/port (source port) unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) vlan-id - VLAN ID (Range: 1-4093) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 835: Rspan Mirroring Commands

    Chapter 30: Port Mirroring Commands 30-2 RSPAN Mirroring Commands Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port. Table 30-3. RSPAN Commands Command Function Mode vlan rspan Creates a VLAN dedicated to carrying RSPAN traffic rspan source Specifies the source port and traffic type to be mirrored rspan destination...
  • Page 836: Rspan Source

    SSE-G2252/SSE-G2252P Switches User’s Manual • Spanning Tree – If the spanning tree is disabled, BPDUs will not be flooded onto the RSPAN VLAN. MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports.
  • Page 837: Rspan Destination

    The source port and destination port cannot be configured on the same switch. Example The following example configures the switch to mirror received packets from port 2 and SSE-G2252(config)#rspan session 1 source interface ethernet 1/2 SSE-G2252(config)#rspan session 1 source interface ethernet 1/3 SSE-G2252(config)# rspan destination Use this command to specify the destination port to monitor the mirrored traffic.
  • Page 838: Rspan Remote Vlan

    Layer 2 protocols to which it has been assigned. Example The following example configures port 4 to receive mirrored RSPAN traffic: SSE-G2252(config)#rspan session 1 destination interface ethernet 1/2 SSE-G2252(config)# rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
  • Page 839 RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. Example The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3: SSE-G2252(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3 SSE-G2252(config)# 30-9...
  • Page 840: No Rspan Session

    SSE-G2252/SSE-G2252P Switches User’s Manual no rspan session Use this command to delete a configured RSPAN session. Syntax no rspan session session-id session-id – A number identifying this RSPAN session (Range: 1-2). Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is...
  • Page 841: Show Rspan

    RSPAN. Command Mode Privileged Exec Example SSE-G2252#show rspan session RSPAN Session ID Source Ports (mirrored ports) : None RX Only : None TX Only : None...
  • Page 843: Chapter 31 Rate Limit Commands

    Chapter 31 Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 844 Command Usage • Using both rate limiting and storm control on the same interface may lead to unexpected results. For example, suppose broadcast storm control is set to 500 Kbps by the command “switchport broadcast packet-rate 500,” and the rate limit is set to 20000 Kbps by the command “rate-limit input 20000” ...
  • Page 845: Chapter 32 Automatic Traffic Control Commands

    Chapter 32 Automatic Traffic Control Commands Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port. Table 32-1. ATC Commands Command Function Mode...
  • Page 846: Auto-Traffic-Control Apply-Timer

    SSE-G2252/SSE-G2252P Switches User’s Manual Table 32-1. ATC Commands (Continued) Command Function Mode Sends a trap when multicast traffic exceeds the upper snmp-server enable port-traps threshold for automatic storm control and the apply timer IC (Port) atc multicast-control-apply expires Sends a trap when multicast traffic falls beneath the...
  • Page 847: Auto-Traffic-Control Release-Timer

    Chapter 32: Automatic Traffic Control Commands Example This example sets the apply timer to 200 seconds for all ports. SSE-G2252(config)#auto-traffic-control broadcast apply-timer 200 SSE-G2252(config)# auto-traffic-control release-timer This command sets the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
  • Page 848: Auto-Traffic-Control Action

    SSE-G2252/SSE-G2252P Switches User’s Manual Syntax [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic. Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • Automatic storm control can be enabled for either broadcast or multicast traffic. It cannot be enabled for both of these traffic types at the same time.
  • Page 849 If a port has been shut down by a control response, it will not be re-enabled by automatic traffic control. It can only be manually re-enabled using the auto-traffic-control control-release command. Example This example sets the control response for broadcast traffic on port 1. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#auto-traffic-control broadcast action shutdown SSE-G2252(config-if)# 32-5...
  • Page 850: Auto-Traffic-Control Alarm-Clear-Threshold

    SSE-G2252/SSE-G2252P Switches User’s Manual auto-traffic-control alarm-clear-threshold This command sets the lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer expires, if so configured by the auto-traffic-control auto-control-release command. Use the no form to restore the default setting.
  • Page 851: Auto-Traffic-Control Alarm-Fire-Threshold

    Example This example sets the trigger threshold for automatic storm control for broadcast traffic on port 1. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#auto-traffic-control broadcast alarm-fire-threshold SSE-G2252(config-if)# 32-7...
  • Page 852: Auto-Traffic-Control Auto-Control-Release

    SSE-G2252/SSE-G2252P Switches User’s Manual auto-traffic-control auto-control-release This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired. Syntax auto-traffic-control {broadcast | multicast} auto-control-release broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 853: Auto-Traffic-Control Control-Release

    Interface Configuration (Ethernet) Command Usage This command can be used to manually stop a control response of rate-limiting or port shutdown any time after the specified action has been triggered. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#auto-traffic-control broadcast control-release interface ethernet 1/1 SSE-G2252(config-if)# 32-9...
  • Page 854: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Clear

    SSE-G2252/SSE-G2252P Switches User’s Manual snmp-server enable port-traps atc broadcast-alarm-clear This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc broadcast-alarm-clear...
  • Page 855: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Fire

    Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc broadcast-alarm-fire Default Setting Disabled Command Mode Interface Configuration (Ethernet) Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#snmp-server enable port-traps atc broadcast-alarm-fire SSE-G2252(config-if)# Related Commands "auto-traffic-control alarm-fire-threshold" on page 32-7 32-11...
  • Page 856: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Apply

    SSE-G2252/SSE-G2252P Switches User’s Manual snmp-server enable port-traps atc broadcast-control-apply This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc broadcast-control-apply...
  • Page 857: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Release

    [no] snmp-server enable port-traps atc broadcast-control-release Default Setting Disabled Command Mode Interface Configuration (Ethernet) Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#snmp-server enable port-traps atc broadcast-control-release SSE-G2252(config-if)# Related Commands "auto-traffic-control alarm-clear-threshold" on page 32-6 "auto-traffic-control action" on page 32-4 "auto-traffic-control release-timer" on page 32-3 32-13...
  • Page 858: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Clear

    SSE-G2252/SSE-G2252P Switches User’s Manual snmp-server enable port-traps atc multicast-alarm-clear This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-alarm-clear...
  • Page 859: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Fire

    Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-alarm-fire Default Setting Disabled Command Mode Interface Configuration (Ethernet) Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#snmp-server enable port-traps atc multicast-alarm-fire SSE-G2252(config-if)# Related Commands "auto-traffic-control alarm-fire-threshold" on page 32-7 32-15...
  • Page 860: Snmp-Server Enable Port-Traps Atc Multicast-Control-Apply

    SSE-G2252/SSE-G2252P Switches User’s Manual snmp-server enable port-traps atc multicast-control-apply This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-control-apply...
  • Page 861: Snmp-Server Enable Port-Traps Atc Multicast-Control-Release

    [no] snmp-server enable port-traps atc multicast-control-release Default Setting Disabled Command Mode Interface Configuration (Ethernet) Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#snmp-server enable port-traps atc multicast-control-release SSE-G2252(config-if)# Related Commands "auto-traffic-control alarm-clear-threshold" on page 32-6 "auto-traffic-control action" on page 32-4 "auto-traffic-control release-timer" on page 32-3 32-17...
  • Page 862: Show Auto-Traffic-Control

    SSE-G2252/SSE-G2252P Switches User’s Manual show auto-traffic-control This command shows global configuration settings for automatic storm control. Command Mode Privileged Exec Example SSE-G2252#show auto-traffic-control Storm-control: Broadcast Apply-timer (sec) : 300 release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300 release-timer(sec) : 900...
  • Page 863 Chapter 32: Automatic Traffic Control Commands Example SSE-G2252#show auto-traffic-control interface ethernet 1/1 Eth 1/1 Information ------------------------------------------------------------------------ Storm Control: Broadcast Multicast State: Disabled Disabled Action: rate-control rate-control Auto Release Control: Disabled Disabled Alarm Fire Threshold(Kpps): 128 Alarm Clear Threshold(Kpps):128 Trap Storm Fire:...
  • Page 865: Chapter 33 Address Table Commands

    Chapter 33 Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 33-1. Address Table Commands Command Function Mode mac-address-table aging-time...
  • Page 866: Mac-Address-Table Aging-Time

    SSE-G2252/SSE-G2252P Switches User’s Manual mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (10-672 seconds; 0 to disable aging)
  • Page 867 • A static address cannot be learned on another port until the address is removed with the no form of this command. Example SSE-G2252(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset SSE-G2252(config)# 33-3...
  • Page 868: Clear Mac-Address-Table Dynamic

    SSE-G2252/SSE-G2252P Switches User’s Manual clear mac-address-table dynamic This command removes any learned entries from the forwarding database. Default Setting None Command Mode Privileged Exec Example SSE-G2252#clear mac-address-table dynamic SSE-G2252# show mac-address-table This command shows classes of entries in the bridge-forwarding database.
  • Page 869: Show Mac-Address-Table Aging-Time

    Delete on Timeout SSE-G2252# show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example SSE-G2252#show mac-address-table aging-time Aging Status : Enabled Aging Time: 300 sec. SSE-G2252# 33-5...
  • Page 870: Show Mac-Address-Table Count

    - Port number. (Range: 1-52) port-channel channel-id (Range: 1-12) Default Setting None Command Mode Privileged Exec Example SSE-G2252#show mac-address-table count interface ethernet 1/1 MAC Entries for Port ID Dynamic Address Count Total MAC Addresses Total MAC Address Space Available : 8192 SSE-G2252# 33-6...
  • Page 871: Chapter 34 Spanning Tree Commands

    Chapter 34 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 34-1. Spanning Tree Commands Command Function Mode spanning-tree...
  • Page 872: Spanning-Tree

    SSE-G2252/SSE-G2252P Switches User’s Manual Table 34-1. Spanning Tree Commands (Continued) Command Function Mode spanning-tree root-guard Prevents a designated port from passing superior BPDUs IC spanning-tree spanning-disabled Disables spanning tree for an interface spanning-tree loopback-detection Manually releases a port placed in discarding state by...
  • Page 873: Spanning-Tree Cisco-Prestandard

    IEEE standard, causing some state machine procedures to function incorrectly. The command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions. Example SSE-G2252(config)#spanning-tree cisco-prestandard SSE-G2252(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch.
  • Page 874: Spanning-Tree Hello-Time

    SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 875: Spanning-Tree Max-Age

    STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. Example SSE-G2252(config)#spanning-tree max-age 40 SSE-G2252(config)# Related Commands "spanning-tree forward-time" on page 34-3 "spanning-tree hello-time"...
  • Page 876: Spanning-Tree Mode

    spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode stp - Spanning Tree Protocol (IEEE 802.1D) rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
  • Page 877: Spanning-Tree Pathcost Method

    The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP. Example SSE-G2252(config)#spanning-tree pathcost method long SSE-G2252(config)# 34-7...
  • Page 878: Spanning-Tree Priority

    SSE-G2252/SSE-G2252P Switches User’s Manual spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range – 0-61440, in steps of 4096; Options: 0, 4096,...
  • Page 879: Spanning-Tree Mst Configuration

    No VLANs are mapped to any MST instance. The region name is set to the switch’s MAC address. Command Mode Global Configuration Example SSE-G2252(config)#spanning-tree mst configuration SSE-G2252(config-mstp)# Related Commands "mst vlan" on page 34-13 "mst priority" on page 34-12 "name" on page 34-14 "revision"...
  • Page 880: Spanning-Tree Transmission-Limit

    SSE-G2252/SSE-G2252P Switches User’s Manual spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10)
  • Page 881: Max-Hops

    BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example SSE-G2252(config-mstp)#max-hops 30 SSE-G2252(config-mstp)# 34-11...
  • Page 882: Mst Priority

    SSE-G2252/SSE-G2252P Switches User’s Manual mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance-id priority priority no mst instance-id priority instance-id - Instance identifier of the spanning tree.
  • Page 883: Mst Vlan

    34-14) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example SSE-G2252(config-mstp)#mst 1 vlan 2-5 SSE-G2252(config-mstp)# 34-13...
  • Page 884: Name

    SSE-G2252/SSE-G2252P Switches User’s Manual name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree.
  • Page 885: Revision

    MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances. Example SSE-G2252(config-mstp)#revision 1 SSE-G2252(config-mstp)# Related Commands "name" on page 34-14...
  • Page 886: Spanning-Tree Bpdu-Filter

    SSE-G2252/SSE-G2252P Switches User’s Manual spanning-tree bpdu-filter This command filters all BPDUs received on an edge port. Use the no form to disable this feature. Syntax [no] spanning-tree bpdu-filter Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 887: Spanning-Tree Bpdu-Guard

    Before enabling BPDU Guard, the interface must be configured as an edge port with the spanning-tree edge-port command. Also note that if the edge port attribute is disabled on an interface, BPDU Guard will also be disabled on that interface. Example SSE-G2252(config)#interface Ethernet 1/5 SSE-G2252(config-if)#spanning-tree edge-port SSE-G2252(config-if)#spanning-tree bpdu-guard SSE-G2252(config-if)# Related Commands "spanning-tree edge-port"...
  • Page 888: Spanning-Tree Cost

    SSE-G2252/SSE-G2252P Switches User’s Manual spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short...
  • Page 889: Spanning-Tree Edge-Port

    ("spanning-tree pathcost method" on page 34-7) is set to short, the maximum value for path cost is 65,535. Example SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#spanning-tree cost 50 SSE-G2252(config-if)# spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default.
  • Page 890: Spanning-Tree Link-Type

    SSE-G2252/SSE-G2252P Switches User’s Manual SSE-G2252(config-if)#spanning-tree edge-port SSE-G2252(config-if)# spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting.
  • Page 891 If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). • Port Loopback Detection will not be active if Spanning Tree is disabled on the switch. Example SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#spanning-tree loopback-detection 34-21...
  • Page 892: Spanning-Tree Loopback-Detection Release-Mode

    SSE-G2252/SSE-G2252P Switches User’s Manual spanning-tree loopback-detection release-mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default. Syntax spanning-tree loopback-detection release-mode...
  • Page 893: Spanning-Tree Loopback-Detection Trap

    Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example SSE-G2252(config)#interface Ethernet 1/5 SSE-G2252(config-if)#spanning-tree loopback-detection trap spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
  • Page 894 • Use the no spanning-tree mst cost command to specify auto-configuration mode. • Path cost takes precedence over interface priority. Example SSE-G2252(config)#interface Ethernet 1/5 SSE-G2252(config-if)#spanning-tree mst 1 cost 50 SSE-G2252(config-if)# Related Commands "spanning-tree mst port-priority" on page 34-25 34-24...
  • Page 895: Spanning-Tree Mst Port-Priority

    • Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enabled. Example SSE-G2252(config)#interface Ethernet 1/5 SSE-G2252(config-if)#spanning-tree mst 1 port-priority 0 SSE-G2252(config-if)# Related Commands "spanning-tree mst cost" on page 34-23 34-25...
  • Page 896: Spanning-Tree Port-Priority

    SSE-G2252/SSE-G2252P Switches User’s Manual spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16)
  • Page 897: Spanning-Tree Root-Guard

    When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard. Example SSE-G2252(config)#interface Ethernet 1/5 SSE-G2252(config-if)#spanning-tree edge-port SSE-G2252(config-if)#spanning-tree root-guard SSE-G2252(config-if)# See Port Role under Section 9-5: "Displaying Interface Settings for STA"...
  • Page 898: Spanning-Tree Spanning-Disabled

    SSE-G2252/SSE-G2252P Switches User’s Manual spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface. Syntax [no] spanning-tree spanning-disabled Default Setting Enabled Command Mode...
  • Page 899: Spanning-Tree Protocol-Migration

    Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible). Example SSE-G2252#spanning-tree protocol-migration eth 1/5 SSE-G2252# 34-29...
  • Page 900: Show Spanning-Tree

    SSE-G2252/SSE-G2252P Switches User’s Manual show spanning-tree This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst [instance-id]]...
  • Page 901 Chapter 34: Spanning Tree Commands Example SSE-G2252#show spanning-tree Spanning Tree Information --------------------------------------------------------------- Spanning Tree Mode : MSTP Spanning Tree Enabled/Disabled : Enabled Instance VLANs Configured : 1-4093 Priority : 32768 Bridge Hello Time (sec.) Bridge Max. Age (sec.) : 20 Bridge Forward Delay (sec.)
  • Page 902: Show Spanning-Tree Mst Configuration

    SSE-G2252/SSE-G2252P Switches User’s Manual show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example SSE-G2252#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration Name : R&D Revision Level Instance VLANs --------------------------------------------------------------...
  • Page 903: Chapter 35 Vlan Commands

    Chapter 35 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 904: Gvrp And Bridge Extension Commands

    SSE-G2252/SSE-G2252P Switches User’s Manual 35-1 GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 905: Garp Timer

    >= (2 x join) • leaveall > leave NOTE: Set GVRP timers on all Layer 2 devices connected in the same network to the same values. Otherwise, GVRP may not operate successfully. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#garp timer join 100 SSE-G2252(config-if)# 35-3...
  • Page 906: Switchport Forbidden Vlan

    If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface. Example The following example shows how to prevent port 1 from being added to VLAN 3: SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport forbidden vlan add 3 SSE-G2252(config-if)# 35-4...
  • Page 907: Switchport Gvrp

    This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport gvrp SSE-G2252(config-if)# 35-5...
  • Page 908: Show Bridge-Ext

    SSE-G2252/SSE-G2252P Switches User’s Manual show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage Section 5-4: "Displaying Bridge Extension Capabilities" on page 5-4 for a description of the displayed items.
  • Page 909: Show Gvrp Configuration

    Chapter 35: VLAN Commands Command Mode Normal Exec, Privileged Exec Example SSE-G2252#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status: Join Timer: 20 centiseconds Leave Timer: 60 centiseconds Leaveall Timer: 1000 centiseconds SSE-G2252# Related Commands "garp timer" on page 35-3 show gvrp configuration This command shows if GVRP is enabled.
  • Page 910: Editing Vlan Groups

    SSE-G2252/SSE-G2252P Switches User’s Manual 35-2 Editing VLAN Groups Table 35-3. Commands for Editing VLAN Groups Command Function Mode Enters VLAN database mode to add, change, and delete vlan database VLANs vlan Configures a VLAN, including VID, name and state vlan database This command enters VLAN database mode.
  • Page 911: Vlan

    Chapter 35: VLAN Commands vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
  • Page 912: Configuring Vlan Interfaces

    Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. SSE-G2252(config)#vlan database SSE-G2252(config-vlan)#vlan 105 name RD5 media ethernet SSE-G2252(config-vlan)# Related Commands "show vlan" on page 35-18 35-3 Configuring VLAN Interfaces Table 35-4.
  • Page 913: Interface Vlan

    Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: SSE-G2252(config)#interface vlan 1 SSE-G2252(config-if)#ip address 192.168.1.254 255.255.255.0 SSE-G2252(config-if)# Related Commands "shutdown" on page 27-10 "interface" on page 27-2 "vlan"...
  • Page 914: Switchport Acceptable-Frame-Types

    SSE-G2252/SSE-G2252P Switches User’s Manual switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged.
  • Page 915: Switchport Allowed Vlan

    Chapter 35: VLAN Commands switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan add vlan-list - List of VLAN identifiers to add.
  • Page 916: Switchport Ingress-Filtering

    The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport allowed vlan add 1,2,5,6 tagged SSE-G2252(config-if)# switchport ingress-filtering This command enables ingress filtering for an interface. Use the no form to restore the default.
  • Page 917 Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport mode hybrid SSE-G2252(config-if)# Related Commands "switchport acceptable-frame-types" on page 35-12...
  • Page 918: Switchport Native Vlan

    SSE-G2252/SSE-G2252P Switches User’s Manual switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes)
  • Page 919: Vlan-Trunking

    Chapter 35: VLAN Commands vlan-trunking This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature. Syntax [no] vlan-trunking Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 920: Displaying Vlan Information

    SSE-G2252/SSE-G2252P Switches User’s Manual • If both VLAN trunking and ingress filtering are disabled on an interface, packets with unknown VLAN tags will still be allowed to enter this interface and will be flooded to all other ports where VLAN trunking is enabled. (In other words, VLAN trunking will still be effectively enabled for the unknown VLAN).
  • Page 921 Chapter 35: VLAN Commands Example The following example shows how to display information for VLAN 1: SSE-G2252#show vlan id 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/...
  • Page 922: Configuring Ieee 802.1Q Tunneling

    SSE-G2252/SSE-G2252P Switches User’s Manual 35-5 Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 923: Dot1Q-Tunnel System-Tunnel-Control

    Command Mode Global Configuration Command Usage QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional. Example SSE-G2252(config)#dot1q-tunnel system-tunnel-control SSE-G2252(config)# Related Commands "show dot1q-tunnel" on page 35-24 "show interfaces switchport" on page 27-16 35-21...
  • Page 924: Switchport Dot1Q-Tunnel Mode

    SSE-G2252/SSE-G2252P Switches User’s Manual switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode access – Sets the port as an 802.1Q tunnel access port.
  • Page 925: Switchport Dot1Q-Tunnel Tpid

    VLAN of that port. • All ports on the switch will be set to the same ethertype. Example SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport dot1q-tunnel tpid 9100 SSE-G2252(config-if)# Related Commands "show interfaces switchport" on page 27-16 35-23...
  • Page 926: Show Dot1Q-Tunnel

    SSE-G2252/SSE-G2252P Switches User’s Manual show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example SSE-G2252(config)#dot1q-tunnel system-tunnel-control SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport dot1q-tunnel mode access SSE-G2252(config-if)#interface ethernet 1/2 SSE-G2252(config-if)#switchport dot1q-tunnel mode uplink SSE-G2252(config-if)#end SSE-G2252#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
  • Page 927: Show Traffic-Segmentation

    Example This example enables traffic segmentation, and then sets port 12 as the uplink and ports 5-8 as downlinks. SSE-G2252(config)#traffic-segmentation SSE-G2252(config)#traffic-segmentation uplink ethernet 1/12 downlink ethernet 1/5-8 SSE-G2252(config)# show traffic-segmentation This command displays the configured traffic segments.
  • Page 928: Configuring Protocol-Based Vlans

    SSE-G2252/SSE-G2252P Switches User’s Manual Example SSE-G2252#show traffic-segmentation Private VLAN status: Disabled Up-link Port: Ethernet 1/12 Down-link Port: Ethernet 1/5 Ethernet 1/6 Ethernet 1/7 Ethernet 1/8 SSE-G2252# 35-7 Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
  • Page 929: Protocol-Vlan Protocol-Group (Configuring Groups)

    Command Mode Global Configuration Example The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types: SSE-G2252(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip SSE-G2252(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp SSE-G2252(config)# SNAP frame types are not supported by this switch due to hardware limitations.
  • Page 930: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    VLAN for this interface. Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#protocol-vlan protocol-group 1 vlan 2 SSE-G2252(config-if)# 35-28...
  • Page 931: Show Protocol-Vlan Protocol-Group

    - Group identifier for a protocol group. (Range: 1-2147483647) Default Setting All protocol groups are displayed. Command Mode Privileged Exec Example This shows protocol group 1 configured for IP over Ethernet: SSE-G2252#show protocol-vlan protocol-group Protocol Group ID Frame Type Protocol Type ------------------ ------------- --------------- ethernet 08 00...
  • Page 932: Show Interfaces Protocol-Vlan Protocol-Group

    SSE-G2252/SSE-G2252P Switches User’s Manual show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52)
  • Page 933: Configuring Ip Subnet Vlans

    Chapter 35: VLAN Commands 35-8 Configuring IP Subnet VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
  • Page 934: Show Subnet-Vlan

    VLANs last. Example The following example assigns traffic for the subnet 192.168.12.192, mask 255.255.255.224, to VLAN 4. SSE-G2252(config)#subnet-vlan subnet 192.168.12.192 255.255.255.224 vlan 4 SSE-G2252(config)# show subnet-vlan This command displays IP Subnet VLAN assignments.
  • Page 935: Configuring Mac Based Vlans

    Chapter 35: VLAN Commands 35-9 Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table.
  • Page 936: Show Mac-Vlan

    VLANs last. Example The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10. SSE-G2252(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10 SSE-G2252(config)# show mac-vlan This command displays MAC address-to-VLAN assignments.
  • Page 937: Configuring Voice Vlans

    Chapter 35: VLAN Commands 35-10 Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
  • Page 938: Voice Vlan

    SSE-G2252/SSE-G2252P Switches User’s Manual voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN. Syntax voice vlan voice-vlan-id no voice vlan voice-vlan-id - Specifies the voice VLAN ID. (Range: 1-4093)
  • Page 939: Voice Vlan Aging

    Alternatively, if you clear the MAC address table manually, then the switch will also start counting down the voice VLAN aging time. Example The following example configures the Voice VLAN aging time as 3000 minutes. SSE-G2252(config)#voice vlan aging 3000 SSE-G2252(config)# 35-37...
  • Page 940: Voice Vlan Mac-Address

    (the first three octets). Other masks restrict the MAC address range. Selecting FF-FF-FF-FF-FF-FF specifies a single MAC address. Example The following example adds a MAC OUI to the OUI Telephony list. SSE-G2252(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone SSE-G2252(config)# 35-38...
  • Page 941: Switchport Voice Vlan

    (by setting the VoIP mode to Auto or Manual as described below), first set the VLAN membership mode to hybrid using the switchport mode command. Example The following example sets port 1 to Voice VLAN auto mode. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport voice vlan auto SSE-G2252(config-if)# 35-39...
  • Page 942: Switchport Voice Vlan Priority

    VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port. Example The following example sets the CoS priority to 5 on port 1. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport voice vlan priority 5 SSE-G2252(config-if)# 35-40...
  • Page 943: Switchport Voice Vlan Rule

    LLDP checks that the “telephone bit” in the system capability TLV is turned on. See Chapter 39: "LLDP Commands" on page 39-1 for more information on LLDP. Example The following example enables the OUI method on port 1 for detecting VoIP traffic. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#switchport voice vlan rule oui SSE-G2252(config-if)# 35-41...
  • Page 944: Switchport Voice Vlan Security

    SSE-G2252/SSE-G2252P Switches User’s Manual switchport voice vlan security This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port. Syntax [no] switchport voice vlan security Default Setting Disabled Command Mode...
  • Page 945: Show Voice Vlan

    - Displays the global and port Voice VLAN settings. Default Setting None Command Mode Privileged Exec Example SSE-G2252#show voice vlan status Global Voice VLAN Status Voice VLAN Status : Enabled Voice VLAN ID : 1234 Voice VLAN aging time : 1440 minutes...
  • Page 947: Chapter 36 Class Of Service Commands

    Chapter 36: Class of Service Commands Chapter 36 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 948: Queue Mode

    SSE-G2252/SSE-G2252P Switches User’s Manual queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
  • Page 949 • The specified queue mode applies to all interfaces. Example The following example sets the queue mode to strict priority service mode: SSE-G2252(config)#queue mode strict SSE-G2252(config)# Related Commands "queue weight" on page 36-4 "show queue mode" on page 36-6...
  • Page 950: Queue Weight

    Example The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3. SSE-G2252(config)#queue weight 1 2 3 4 SSE-G2252(config)# Related Commands "queue mode" on page 36-2 "show queue weight"...
  • Page 951: Switchport Priority Default

    VLAN, these frames are stripped of all VLAN tags prior to transmission.) Example The following example shows how to set a default priority on port 3 to 5: SSE-G2252(config)#interface ethernet 1/3 SSE-G2252(config-if)#switchport priority default 5 SSE-G2252(config-if)# Related Commands "show interfaces switchport" on page 27-16 36-5...
  • Page 952: Show Queue Mode

    SSE-G2252/SSE-G2252P Switches User’s Manual show queue mode This command shows the current queue mode. Command Mode Privileged Exec Example SSE-G2252#show queue mode Queue Mode : Weighted Round Robin Mode SSE-G2252# show queue weight This command displays the weights used for the weighted queues.
  • Page 953: Priority Commands (Layer 3 And 4)

    Chapter 36: Class of Service Commands 36-2 Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 36-3. Priority Commands (Layer 3 and 4) Command Function Mode Maps CoS/CFI values in incoming packets to per-hop qos map cos-dscp...
  • Page 954 58 packets on ports 1-48 and 80 packets on ports 49-50/52. • The specified mapping applies to all interfaces. Example SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#qos map cos-dscp 0 0 from 0 1 36-8...
  • Page 955: Qos Map Dscp-Mutation

    Chapter 36: Class of Service Commands SSE-G2252(config-if)# qos map dscp-mutation This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings. Syntax qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7 no qos map dscp-mutation dscp0 ...
  • Page 956: Qos Map Phb-Queue

    36-9, note that the DSCP value for these packets is now set to 25 (3 x 2^3 + 1) and passed on to the egress interface. SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#qos map dscp-mutation 3 1 from 1 SSE-G2252(config-if)# qos map phb-queue This command determines the hardware output queues to use based on the internal per-hop behavior value.
  • Page 957 • Egress packets are placed into the hardware queues according to the mapping defined by this command. • The specified mapping applies to all interfaces. Example SSE-G2252(config)#interface ethernet 1/5 SSE-G2252(config-if)#qos map phb-queue 0 from 1 2 3 SSE-G2252(config-if)# 36-11...
  • Page 958: Qos Map Trust-Mode

    SSE-G2252/SSE-G2252P Switches User’s Manual qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting. Syntax qos map trust-mode {dscp | cos} no qos map trust-mode dscp - Sets the QoS mapping mode to DSCP.
  • Page 959: Show Qos Map Dscp-Mutation

    (least significant digit in the top row (in other words, ingress DSCP = d1 * 10 + d2); and the corresponding Internal DSCP and drop precedence is shown at the intersecting cell in the table. SSE-G2252#show qos map dscp-mutation interface ethernet 1/5 dscp mutation map.(x,y),x: phb,y: drop precedence: d1: d2 0...
  • Page 960: Show Qos Map Phb-Queue

    - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-12) Command Mode Privileged Exec Example SSE-G2252#show qos map phb-queue interface ethernet 1/5 Information of Eth 1/5 phb-queue map: phb: ------------------------------------------------------- queue: SSE-G2252#...
  • Page 961: Show Qos Map Cos-Dscp

    - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-12) Command Mode Privileged Exec Example SSE-G2252#show qos map cos-dscp interface ethernet 1/5 cos-dscp map.(x,y),x: phb,y: drop precedence: : cfi --------------------------------- (0,0) (0,0) (1,0)
  • Page 962: Show Qos Map Trust-Mode

    - Port number. (Range: 1-52) port-channel channel-id (Range: 1-12) Command Mode Privileged Exec Example The following shows that the trust mode is set to CoS: SSE-G2252#show qos map trust-mode interface ethernet 1/5 Information of Eth 1/5 COS Map mode: cos mode SSE-G2252# 36-16...
  • Page 963: Chapter 37 Quality Of Service Commands

    Chapter 37: Quality of Service Commands Chapter 37 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 964 SSE-G2252/SSE-G2252P Switches User’s Manual Creating a Service Policy for a Specific Category of Ingress Traffic 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. 2. Use the...
  • Page 965 This command specifies the description of a class map or policy map. Syntax description string string - Description of the class map or policy map. (Range: 1-64 characters) Command Mode Class Map Configuration Policy Map Configuration Example SSE-G2252(config)#class-map rd-class#1 SSE-G2252(config-cmap)#description matches packets marked for DSCP service value 3 SSE-G2252(config-cmap)# 37-3...
  • Page 966: Match

    SSE-G2252/SSE-G2252P Switches User’s Manual match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 967: Rename

    Chapter 37: Quality of Service Commands SSE-G2252(config)#class-map rd-class#2 match-any SSE-G2252(config-cmap)#match ip precedence 5 SSE-G2252(config-cmap)# This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1. SSE-G2252(config)#class-map rd-class#3 match-any SSE-G2252(config-cmap)#match vlan 1 SSE-G2252(config-cmap)# rename This command redefines the name of a class map or policy map.
  • Page 968: Policy-Map

    100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets. SSE-G2252(config)#policy-map rd-policy SSE-G2252(config-pmap)#class rd-class SSE-G2252(config-pmap-c)#set ip dscp 3 SSE-G2252(config-pmap-c)#police flow 10000 4000 conform-action transmit violate-action drop SSE-G2252(config-pmap-c)# 37-6...
  • Page 969: Class

    100,000 Kbps, the burst rate to 4,000 bytes, and configure the response to drop any violating packets. SSE-G2252(config)#policy-map rd-policy SSE-G2252(config-pmap)#class rd-class SSE-G2252(config-pmap-c)#set phb 3 SSE-G2252(config-pmap-c)#police flow 10000 4000 conform-action transmit violate-action drop SSE-G2252(config-pmap-c)# 37-7...
  • Page 970: Police Flow

    SSE-G2252/SSE-G2252P Switches User’s Manual police flow This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer. Syntax [no] police flow committed-rate committed-burst conform-action transmit violate-action {drop| new-dscp} committed-rate - Committed information rate (CIR) in kilobits per second.
  • Page 971: Police Srtcm-Color

    100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets. SSE-G2252(config)#policy-map rd-policy SSE-G2252(config-pmap)#class rd-class SSE-G2252(config-pmap-c)#set phb 3 SSE-G2252(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop SSE-G2252(config-pmap-c)# police srtcm-color This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM).
  • Page 972 SSE-G2252/SSE-G2252P Switches User’s Manual conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, packet is set green). exceed-action - Action to take when rate exceeds the CIR and BC but is within the BE.
  • Page 973 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the excess burst size. SSE-G2252(config)#policy-map rd-policy SSE-G2252(config-pmap)#class rd-class SSE-G2252(config-pmap-c)#set phb 3 SSE-G2252(config-pmap-c)#police srtcm-color-blind 100000 4000 6000 conform-action transmit exceed-action 0 violate-action drop SSE-G2252(config-pmap-c)# 37-11...
  • Page 974: Police Trtcm-Color

    SSE-G2252/SSE-G2252P Switches User’s Manual police trtcm-color This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer. Syntax [no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst...
  • Page 975 Chapter 37: Quality of Service Commands Command Usage • You can configure up to 16 policers (i.e., class maps) for ingress ports. • The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes. •...
  • Page 976: Set Cos

    SSE-G2252(config)#policy-map rd-policy SSE-G2252(config-pmap)#class rd-class SSE-G2252(config-pmap-c)#set phb 3 SSE-G2252(config-pmap-c)#police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop SSE-G2252(config-pmap-c)# set cos This command modifies the class of service (CoS) value for a matching packet (as...
  • Page 977: Set Ip Dscp

    SSE-G2252(config)#policy-map rd-policy SSE-G2252(config-pmap)#class rd-class SSE-G2252(config-pmap-c)#set cos 3 SSE-G2252(config-pmap-c)#police flow 10000 4000 conform-action transmit violate-action drop SSE-G2252(config-pmap-c)# set ip dscp This command modifies the IP DSCP value in a matching packet (as specified by the match command).
  • Page 978 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets. SSE-G2252(config)#policy-map rd-policy SSE-G2252(config-pmap)#class rd-class SSE-G2252(config-pmap-c)#set phb 3 SSE-G2252(config-pmap-c)#police flow 10000 4000 conform-action transmit violate-action drop SSE-G2252(config-pmap-c)# 37-16...
  • Page 979: Service-Policy

    • The switch does not allow a policy map to be bound to an interface for egress traffic. Example This example applies a service policy to an ingress interface. SSE-G2252(config)#interface ethernet 1/1 SSE-G2252(config-if)#service-policy input rd-policy SSE-G2252(config-if)# 37-17...
  • Page 980: Show Class-Map

    SSE-G2252/SSE-G2252P Switches User’s Manual show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting Displays all class maps.
  • Page 981: Show Policy-Map

    Default Setting Displays all policy maps and all classes. Command Mode Privileged Exec Example SSE-G2252#show policy-map Policy Map rd-policy Description: class rd-class set phb 3 SSE-G2252#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set phb 3 SSE-G2252# 37-19...
  • Page 982: Show Policy-Map Interface

    This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-12) Command Mode Privileged Exec Example SSE-G2252#show policy-map interface 1/5 input Service-policy rd-policy SSE-G2252# 37-20...
  • Page 983: Chapter 38 Multicast Filtering Commands

    Chapter 38: Multicast Filtering Commands Chapter 38 Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 984 SSE-G2252/SSE-G2252P Switches User’s Manual Table 38-2. IGMP Snooping Commands (Continued) Command Function Mode Specifies how often the upstream interface should ip igmp snooping transmit unsolicited IGMP reports (when proxy reporting unsolicited-report-interval is enabled) ip igmp snooping version Configures the IGMP version for snooping...
  • Page 985: Ip Igmp Snooping

    When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. Example The following example enables IGMP snooping globally. SSE-G2252(config)#ip igmp snooping SSE-G2252(config)# 38-3...
  • Page 986: Ip Igmp Snooping Proxy-Reporting

    SSE-G2252/SSE-G2252P Switches User’s Manual ip igmp snooping proxy-reporting This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting. Syntax [no] ip igmp snooping proxy-reporting ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}...
  • Page 987: Ip Igmp Snooping Querier

    IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version). • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example SSE-G2252(config)#ip igmp snooping querier SSE-G2252(config)# 38-5...
  • Page 988: Ip Igmp Snooping Router-Alert-Option-Check

    SSE-G2252/SSE-G2252P Switches User’s Manual ip igmp snooping router-alert-option-check This command discards any IGMPv2/v3 packets that do not include the Router Alert option. Use the no form to ignore the Router Alert Option when receiving IGMP messages. Syntax [no] ip igmp snooping router-alert-option-check...
  • Page 989: Ip Igmp Snooping Router-Port-Expire-Time

    Command Mode Global Configuration Example The following shows how to configure the time out to 400 seconds: SSE-G2252(config)#ip igmp snooping router-port-expire-time 400 SSE-G2252(config)# ip igmp snooping tcn-flood This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs.
  • Page 990 SSE-G2252/SSE-G2252P Switches User’s Manual Command Usage • When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change.
  • Page 991: Ip Igmp Snooping Tcn-Query-Solicit

    Example The following example instructs the switch to issue an IGMP general query whenever it receives a spanning tree topology change notification. SSE-G2252(config)#ip igmp snooping tcn query-solicit SSE-G2252(config)# 38-9...
  • Page 992: Ip Igmp Snooping Unregistered-Data-Flood

    SSE-G2252/SSE-G2252P Switches User’s Manual ip igmp snooping unregistered-data-flood This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic. Syntax [no] ip igmp snooping unregistered-data-flood Default Setting Disabled Command Mode Global Configuration...
  • Page 993: Ip Igmp Snooping Unsolicited-Report-Interval

    • This command only applies when proxy reporting is enabled (see "ip igmp snooping proxy-reporting" on page 38-4).
    Example
    SSE-G2252(config)#ip igmp snooping unsolicited-report-interval 5
    SSE-G2252(config)#
    ...
  • Page 994: Ip Igmp Snooping Version

    • If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
    Example
    The following configures the global setting for IGMP snooping to version 1.
    SSE-G2252(config)#ip igmp snooping version 1
    SSE-G2252(config)#
    ...
  • Page 995: Ip Igmp Snooping Version-Exclusive

    If it is enabled on a VLAN, then this setting takes precedence over the global setting.
    • When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command).
    Example
    SSE-G2252(config)#ip igmp snooping version-exclusive
    SSE-G2252(config)#
    ...
  • Page 996: Ip Igmp Snooping Vlan General-Query-Suppression

    By default, general query messages are flooded to all ports, except for the multicast router through which they are received.
    • If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
    Example
    SSE-G2252(config)#ip igmp snooping vlan 1 general-query-suppression
    SSE-G2252(config)#
    ...
  • Page 997: Ip Igmp Snooping Vlan Immediate-Leave

    IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
    • This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used.
    Example
    The following shows how to enable immediate leave.
    SSE-G2252(config)#ip igmp snooping vlan 1 immediate-leave
    SSE-G2252(config)#
    ...
  • Page 998: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    Default Setting
    Command Mode
    Global Configuration
    Command Usage
    This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled (see "ip igmp snooping proxy-reporting" on page 38-4).
    Example
    SSE-G2252(config)#ip igmp snooping vlan 1 last-memb-query-count 7
    SSE-G2252(config)#
    ...
  • Page 999: Ip Igmp Snooping Vlan Last-Memb-Query-Intvl

    • This command will take effect only if IGMP snooping proxy reporting is enabled (see "ip igmp snooping proxy-reporting" on page 38-4).
    Example
    SSE-G2252(config)#ip igmp snooping vlan 1 last-memb-query-intvl 700
    SSE-G2252(config)#
    ...
  • Page 1000: Ip Igmp Snooping Vlan Mrd

    MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
    Example
    This example disables sending of multicast router solicitation messages on VLAN 1.
    SSE-G2252(config)#no ip igmp snooping vlan 1 mrd
    SSE-G2252(config)#
    ...

This manual is also suitable for:

SSE-G2252P
