LevelOne FGL-2870 User Manual

LevelOne
FGL-2870
24FE + 4GE Combo SFP
L2 SNMP Switch

User Manual

Installation Guide
Installationsanleitung
Version 1.0

Summary of Contents for LevelOne FGL-2870

  • Page 1: User Manual

    LevelOne FGL-2870 Installation Guide Installationsanleitung 24FE + 4GE Combo SFP L2 SNMP Switch User Manual Version 1.0...
  • Page 3 Management Guide Fast Ethernet Switch Combo Layer 2 SNMP Switch with 24 10/100BASE-T (RJ-45) Ports, and 4 Combination Gigabit (RJ-45/SFP) Ports...
  • Page 4 FGL-2870 E122009-WM-R01 149100000059A...
  • Page 5: About This Guide

    About This Guide Purpose This guide gives specific information on how to operate and use the management functions of the switch. Audience The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 7: Table Of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 8 Contents Downloading System Software from a Server 3-26 Saving or Restoring Configuration Settings 3-28 Downloading Configuration Settings from a Server 3-29 Uploading and Downloading Files Using HTTP 3-30 Console Port Settings 3-32 Telnet Settings 3-34 Configuring Event Logging 3-36 System Log Configuration 3-36 Remote Log Configuration 3-37...
  • Page 9 Contents Authorization Settings 3-85 Authorization EXEC Settings 3-86 Authorization Summary 3-87 Configuring HTTPS 3-88 Replacing the Default Secure-site Certificate 3-89 Configuring the Secure Shell 3-90 Generating the Host Key Pair 3-93 Importing User Public Keys 3-95 Configuring the SSH Server 3-97 Configuring 802.1X Port Authentication 3-99...
  • Page 10 Contents Displaying DHCP Snooping Binding Information 3-149 IP Source Guard 3-150 Configuring Ports for IP Source Guard 3-150 Configuring Static Binding for IP Source Guard 3-152 Displaying Information for Dynamic IP Source Guard Bindings 3-154 Port Configuration 3-155 Displaying Connection Status 3-155 Configuring Interface Connections 3-157...
  • Page 11 Contents Enabling QinQ Tunneling on the Switch 3-223 Adding an Interface to a QinQ Tunnel 3-224 Traffic Segmentation 3-226 Configuring Global Settings for Traffic Segmentation 3-226 Configuring Traffic Segmentation Sessions 3-227 Private VLANs 3-228 Displaying Current Private VLANs 3-228 Configuring Private VLANs 3-229 Associating VLANs 3-230...
  • Page 12 Contents Layer 2 IGMP (Snooping and Query) 3-275 Configuring IGMP Snooping and Query Parameters 3-276 Enabling IGMP Immediate Leave 3-278 Displaying Interfaces Attached to a Multicast Router 3-280 Specifying Static Interfaces for a Multicast Router 3-281 Displaying Port Members of Multicast Services 3-282 Assigning Ports to Multicast Services 3-283...
  • Page 13 Contents Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups 4-10 General Commands 4-11 enable 4-12 disable 4-12 configure 4-13 show history 4-13 reload (Privileged Exec) 4-14 reload (Global Configuration) 4-14 show reload 4-16...
  • Page 14 Contents delete 4-40 4-40 whichboot 4-41 boot system 4-42 upgrade opcode auto 4-42 upgrade opcode path 4-43 Line Commands 4-44 line 4-45 login 4-46 password 4-47 timeout login response 4-48 exec-timeout 4-48 password-thresh 4-49 silent-time 4-50 databits 4-50 parity 4-51 speed 4-52 stopbits...
  • Page 15 Contents show sntp 4-70 ntp client 4-70 ntp server 4-71 ntp authenticate 4-72 ntp authentication-key 4-73 show ntp 4-74 clock timezone-predefined 4-74 clock timezone 4-75 clock summer-time (date) 4-76 clock summer-time (predefined) 4-77 clock summer-time (recurring) 4-78 calendar set 4-79 show calendar 4-80 Switch Cluster Commands...
  • Page 16 Contents sflow source 4-103 sflow sample 4-104 sflow polling-interval 4-104 sflow owner 4-105 sflow timeout 4-105 sflow destination 4-106 sflow max-header-size 4-106 sflow max-datagram-size 4-107 show sflow 4-107 Authentication Commands 4-108 User Account and Privilege Level Commands 4-109 username 4-109 enable password 4-110 privilege...
  • Page 17 Contents authorization exec 4-131 show accounting 4-131 Web Server Commands 4-132 ip http port 4-132 ip http server 4-133 ip http secure-server 4-133 ip http secure-port 4-134 Telnet Server Commands 4-135 ip telnet server 4-135 Secure Shell Commands 4-136 ip ssh server 4-138 ip ssh timeout 4-139...
  • Page 18 Contents network-access max-mac-count 4-162 network-access mode 4-163 mac-authentication reauth-time 4-164 mac-authentication intrusion-action 4-165 mac-authentication max-mac-count 4-165 network-access dynamic-vlan 4-166 network-access guest-vlan 4-166 network-access dynamic-qos 4-167 network-access link-detection 4-168 network-access link-detection link-down 4-168 network-access link-detection link-up 4-169 network-access link-detection link-up-down 4-169 clear network-access 4-170 show network-access...
  • Page 19 Contents ip arp inspection vlan 4-191 ip arp inspection filter 4-192 ip arp inspection validate 4-193 ip arp inspection log-buffer logs 4-194 ip arp inspection trust 4-195 ip arp inspection limit 4-195 show ip arp inspection configuration 4-196 show ip arp inspection interface 4-196 show ip arp inspection vlan 4-197...
  • Page 20 Contents capabilities 4-223 flowcontrol 4-224 media-type 4-225 giga-phy-mode 4-225 shutdown 4-226 switchport packet-rate 4-227 clear counters 4-228 show interfaces brief 4-228 show interfaces status 4-229 show interfaces counters 4-230 show interfaces switchport 4-231 Automatic Traffic Control Commands 4-233 auto-traffic-control apply-timer 4-236 auto-traffic-control release-timer 4-237...
  • Page 21 Contents mac-address-table static 4-264 clear mac-address-table dynamic 4-265 show mac-address-table 4-266 mac-address-table aging-time 4-267 show mac-address-table aging-time 4-267 Spanning Tree Commands 4-268 spanning-tree 4-269 spanning-tree mode 4-270 spanning-tree forward-time 4-271 spanning-tree hello-time 4-271 spanning-tree max-age 4-272 spanning-tree priority 4-273 spanning-tree system-bpdu-flooding 4-273 spanning-tree pathcost method 4-274...
  • Page 22 Contents garp timer 4-296 show garp timer 4-297 Editing VLAN Groups 4-298 vlan database 4-298 vlan 4-299 Configuring VLAN Interfaces 4-300 interface vlan 4-300 switchport mode 4-301 switchport acceptable-frame-types 4-302 switchport ingress-filtering 4-302 switchport native vlan 4-303 switchport allowed vlan 4-304 switchport forbidden vlan 4-305...
  • Page 23 Contents Configuring Voice VLANs 4-328 voice vlan 4-328 voice vlan aging 4-329 voice vlan mac-address 4-330 switchport voice vlan 4-331 switchport voice vlan rule 4-331 switchport voice vlan security 4-332 switchport voice vlan priority 4-333 show voice vlan 4-333 LLDP Commands 4-335 lldp 4-337...
  • Page 24 Contents switchport priority default 4-358 queue cos-map 4-359 show queue mode 4-360 show queue bandwidth 4-360 show queue cos-map 4-361 Priority Commands (Layer 3 and 4) 4-362 map ip dscp (Global Configuration) 4-362 map ip dscp (Interface Configuration) 4-362 show map ip dscp 4-364 Quality of Service Commands 4-365...
  • Page 25 Contents ip igmp filter (Interface Configuration) 4-387 ip igmp max-groups 4-388 ip igmp max-groups action 4-389 show ip igmp filter 4-389 show ip igmp profile 4-390 show ip igmp throttle interface 4-390 Multicast VLAN Registration Commands 4-391 mvr (Global Configuration) 4-392 mvr (Interface Configuration) 4-394...
  • Page 27 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-36 Table 3-4 Supported Notification Messages 3-61 Table 3-5 HTTPS System Support 3-88 Table 3-6 802.1X Statistics 3-105 Table 3-7 Dynamic QoS Profiles 3-116 Table 3-8...
  • Page 28 Tables Table 4-21 SNMP Commands 4-87 Table 4-22 show snmp engine-id - display description 4-96 Table 4-23 show snmp view - display description 4-97 Table 4-24 show snmp group - display description 4-100 Table 4-26 sFlow Commands 4-102 Table 4-25 show snmp user - display description 4-102 Table 4-27...
  • Page 29 Tables Table 4-70 VLAN Command Groups 4-293 Table 4-71 GVRP and Bridge Extension Commands 4-294 Table 4-72 Editing VLAN Groups 4-298 Table 4-73 Configuring VLAN Interfaces 4-300 Table 4-74 Show VLAN Commands 4-307 Table 4-75 IEEE 802.1Q Tunneling Commands 4-308 Table 4-76 Traffic Segmentation Commands 4-312...
  • Page 31 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-14 Figure 3-4 Switch Information 3-15 Figure 3-5 Bridge Extension Configuration 3-17 Figure 3-6 Manual IP Configuration 3-19 Figure 3-7 DHCP IP Configuration 3-20 Figure 3-8 Jumbo Frames Configuration 3-21 Figure 3-9 Configuring Automatic Code Upgrade...
  • Page 32 Figures Figure 3-43 AAA Radius Group Settings 3-77 Figure 3-44 AAA TACACS+ Group Settings 3-78 Figure 3-45 AAA Accounting Settings 3-79 Figure 3-46 AAA Accounting Update 3-80 Figure 3-47 AAA Accounting 802.1X Port Settings 3-81 Figure 3-48 AAA Accounting Exec Command Privileges 3-82 Figure 3-49 AAA Accounting Exec Settings...
  • Page 33 Figures Figure 3-88 DHCP Snooping Binding Information 3-149 Figure 3-89 IP Source Guard Port Configuration 3-151 Figure 3-90 Static IP Source Guard Binding Configuration 3-153 Figure 3-91 Dynamic IP Source Guard Binding Information 3-154 Figure 3-92 Displaying Port/Trunk Information 3-155 Figure 3-93 Port/Trunk Configuration 3-159...
  • Page 34 Figures Figure 3-133 Protocol VLAN Configuration 3-234 Figure 3-134 Protocol VLAN System Configuration 3-235 Figure 3-135 VLAN Mirror Configuration 3-236 Figure 3-136 IP Subnet VLAN Configuration 3-238 Figure 3-137 MAC-based VLAN Configuration 3-239 Figure 3-138 LLDP Configuration 3-241 Figure 3-139 LLDP Port Configuration 3-243 Figure 3-140...
  • Page 35 Figures Figure 3-178 Cluster Configuration 3-306 Figure 3-179 Cluster Member Configuration 3-307 Figure 3-180 Cluster Member Information 3-308 Figure 3-181 Cluster Candidate Information 3-309 Figure 3-182 UPnP Configuration 3-311 xxxv...
  • Page 37: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 38: Description Of Software Features

    Introduction Table 1-1 Key Features (Continued) Feature Description Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, and private VLANs Traffic Prioritization Default port priority, traffic class map, queue scheduling, or Differentiated Services Code Point (DSCP) Quality of Service Supports Differentiated Services (DiffServ) Link Layer Discovery Protocol Used to discover basic information about neighboring devices Multicast Filtering...
  • Page 39 Description of Software Features Access Control Lists – ACLs provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type).
  • Page 40 Introduction forwarding traffic based on this information. The address table supports up to 8K addresses. Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC).
  • Page 41 Description of Software Features • Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured. •...
  • Page 42: System Defaults

    Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-28). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
  • Page 43 System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview Group: public (read only); private (read/write) Port Configuration Admin Status Enabled Auto-negotiation...
  • Page 44 Introduction Table 1-2 System Defaults (Continued) Function Parameter Default IP Settings IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Enabled Client/Proxy service: Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Enabled Multicast VLAN Registration Disabled System Log Status...
  • Page 45: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9), and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 46: Required Connections

    Initial Configuration • Configure up to 8 static or LACP trunks • Enable port mirroring • Set broadcast, multicast or unknown unicast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 47: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see "Setting an IP Address"...
  • Page 48: Setting Passwords

    Press <Enter>. Note: ‘0’ specifies a password in plain text, ‘7’ specifies a password in encrypted form. Username: admin Password: CLI session with the FGL-2870 is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password]...
  • Page 49: Dynamic Configuration

    Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1”...
  • Page 50: Enabling Snmp Management Access

    Initial Configuration If network connections are normally slow, type “ip dhcp restart” to re-start broadcasting service requests. Press <Enter>. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.”...
  • Page 51: Trap Receivers

    Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read/write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 52: Configuring Access For Snmp Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 53: Saving Configuration Settings

    Managing System Files • Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test). Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.
  • Page 54 Initial Configuration Enter the name of the start-up file. Press <Enter>. Console#copy running-config startup-config 4-37 Startup configuration file name []: startup \Write to FLASH Programming. \Write to FLASH finish. Success. Console# 2-10...
  • Page 55: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 56: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
  • Page 57: Configuration Options

    Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 58: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 59: Table 3-2 Main Menu

    Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Time Zone Sets the local time zone for the system clock 3-46 Summer Time Configures summer time settings 3-47 SNMP Simple Network Management Protocol 3-49 Configuration Configures community strings and related trap functions 3-51 Agent Status Enables or disables SNMP Agent Status...
  • Page 60 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Authorization 3-85 Settings Configures authorization of requested services 3-85 EXEC Settings Specifies console or Telnet authorization method 3-86 Summary Displays authorization information 3-87 HTTPS Settings Configures secure HTTP settings 3-88 Secure Shell 3-90...
  • Page 61 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page ARP Inspection Validates the MAC-to-IP address bindings in ARP packets 3-136 Configuration Enables inspection globally and per VLAN, specifies ACL filter 3-124 containing address bindings, configures validation of additional address components, sets trust mode for ports, and sets rate limit for packet inspection Information Displays information on results of inspection process...
  • Page 62 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Output Trunk Configuration Sets the output rate limit for trunks 3-179 Port Statistics Lists Ethernet and RMON port statistics 3-180 Address Table 3-185 Static Addresses Displays entries for interface, address or VLAN 3-185 Dynamic Addresses Displays or edits static entries in the Address Table...
  • Page 63 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Tunnel Port Configuration Sets the tunnel mode for an interface 3-224 Tunnel Trunk Configuration Sets the tunnel mode for an interface 3-224 Traffic Segmentation Configures traffic segmentation for different client sessions 3-226 based on specified downlink and uplink ports Status...
  • Page 64 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Remote Trunk Information Displays LLDP information about a remote device connected to 3-247 a trunk on this switch Remote Information Details Displays detailed LLDP information about a remote device 3-248 connected to this switch Device Statistics...
  • Page 65 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page IP Multicast Registration Displays all multicast groups active on this switch, including 3-282 Table multicast IP addresses and VLAN ID IGMP Member Port Table Indicates multicast addresses associated with the selected 3-283 VLAN IGMP Filter Profile...
  • Page 66 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Port Configuration Selects the DHCP Snooping Information Option policy 3-147 Binding Information Displays the DHCP Snooping binding information 3-149 IP Source Guard 3-150 Port Configuration Enables IP source guard and selects filter type per port 3-150 Static Configuration Adds a static address to the source-guard binding table...
  • Page 67: Basic Configuration

    Basic Configuration Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 68: Figure 3-3 System Information

    Console(config)#snmp-server location WC 9 4-91 Console(config)#snmp-server contact Ted 4-90 Console(config)#exit Console#show system 4-33 System Description: FGL-2870 System OID String: 1.3.6.1.4.1.22426.1.4.6 System Information System Up Time: 0 days, 1 hours, 21 minutes, and 58.30 seconds System Name: Level One System Location:...
  • Page 69: Displaying Switch Hardware/Software Versions

    Basic Configuration Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 70 Configuring the Switch CLI – Use the following command to display version information. Console#show version 4-34 Serial Number: A842024475 Hardware Version: Chip Device ID: Marvell 98DX106-B0, 88E6095[F] EPLD Version: 0.07 Number of Ports: Main Power Status: Redundant Power Status: Not present Agent (Master) Unit ID: Loader Version:...
  • Page 71: Displaying Bridge Extension Capabilities

    Basic Configuration Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 72: Setting The Switch's Ip Address

    Configuring the Switch CLI – Enter the following command. Console#show bridge-ext 4-295 Max support VLAN numbers: Max support VLAN ID: 4092 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled...
  • Page 73: Manual Configuration

    Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 74: Using Dhcp/Bootp

    Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 75: Enabling Jumbo Frames

    Basic Configuration Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
  • Page 76: Managing Firmware

    Configuring the Switch Managing Firmware You can upload/download firmware to or from an FTP or TFTP server. Just specify the method of file transfer, along with the file type and file names as required. By saving run-time code to a file on an FTP or TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 77 • The file name must not be included in the upgrade file location URL. The file name of the code stored on the remote server must be FGL-2870-OP-V1.3.4.0.bix (using upper case and lower case letters exactly as indicated here).
  • Page 78 • Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The FGL-2870-OP-V1.3.4.0.bix filename must not be included since it is automatically appended by the switch. (Options: ftp, tftp)
  • Page 79: Figure 3-9 Configuring Automatic Code Upgrade

    Basic Configuration - tftp://192.168.0.1/switches/opcode/ The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root. • The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented: - ftp://192.168.0.1/ The user name and password are empty, so “anonymous”...
  • Page 80: Downloading System Software From A Server

    Configuring the Switch If a new image is found at the specified location, the following type of messages will be displayed during bootup. Automatic Upgrade is looking for a new image New image detected: current version 1..1.0; new version 1.3.4.0 Image upgrade in progress The switch will restart after upgrade succeeds Downloading new image...
  • Page 81: Figure 3-11 Setting The Startup Code

    4-37 TFTP server ip address: 192.168.1.23 Choose file type: 1. config: 2. opcode: 4. diag: 5. loader: <1,2,4,5>: 2 Source file name: FGL-2870-OP-V1.3.4.1.bix Destination file name: V1341.F \Write to FLASH Programming. -Write to FLASH finish. Success. Console#config Console(config)#boot system opcode:V1341.F...
  • Page 82: Saving Or Restoring Configuration Settings

    Configuring the Switch Saving or Restoring Configuration Settings You can upload/download configuration settings to/from an FTP/TFTP server. The configuration files can be later downloaded to restore the switch’s settings. Command Attributes • File Transfer Method – The configuration copy operation includes these options: - file to file –...
  • Page 83: Downloading Configuration Settings From A Server

    Basic Configuration Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
  • Page 84: Uploading And Downloading Files Using Http

    Configuring the Switch CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-37 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.
  • Page 85: Figure 3-15 Uploading Files Using Http

    Basic Configuration Web – To upload files using HTTP: Click System, File Management, HTTP Upgrade. Select “opcode” or “config” as the file type and then use the Browse button to locate the file on the local web management station. Specify the name of a file on the switch to overwrite or specify a new file name, then click Apply.
  • Page 86: Console Port Settings

    Configuring the Switch Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings.
  • Page 87: Figure 3-17 Console Port Settings

    Basic Configuration Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply. Figure 3-17 Console Port Settings CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
  • Page 88: Telnet Settings

    Configuring the Switch Telnet Settings You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password.
  • Page 89: Figure 3-18 Enabling Telnet

    Basic Configuration Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 3-18 Enabling Telnet CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
  • Page 90: Configuring Event Logging

    Configuring the Switch Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 91: Remote Log Configuration

    Basic Configuration Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-19 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
  • Page 92: Figure 3-20 Remote Logs

    Configuring the Switch Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-20 Remote Logs CLI –...
  • Page 93: Displaying Log Messages

    Basic Configuration Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 94: Figure 3-22 Enabling And Configuring Smtp

    Configuring the Switch • Severity – Sets the syslog severity threshold level (see table on page 3-36) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0.
  • Page 95: Resetting The System

    Basic Configuration CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 96: Setting The System Clock

    Configuring the Switch Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset. If prompted, confirm that you want to reset the switch or cancel a configured reset.
  • Page 97: Setting The Time Manually

    Basic Configuration Setting the Time Manually You can set the system time on the switch manually without using SNTP. Command Attributes • Hours – Sets the hour. (Range: 0-23; Default: 0) • Minutes – Sets the minute value. (Range: 0-59; Default: 0) •...
  • Page 98: Configuring Ntp

    Configuring the Switch Web – Select SNTP, Configuration. Modify any of the required SNTP parameters, and click Apply. Figure 3-25 SNTP Configuration CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-69 Console(config)#sntp poll 60...
  • Page 99: Figure 3-26 Ntp Client Configuration

    Basic Configuration • Version – Specifies the NTP version supported by the server. (Range: 1-3; Default: 3) • Authenticate Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. The authentication key must match the key configured on the NTP server.
  • Page 100: Setting The Time Zone

    Configuring the Switch CLI – This example configures the switch to operate as an NTP client and then displays the current settings. Console(config)#ntp authentication-key 19 md5 thisiskey19 4-73 Console(config)#ntp authentication-key 30 md5 ntpkey30 Console(config)#ntp server 192.168.3.20 4-71 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)#ntp client...
  • Page 101: Configuring Summer Time

    Basic Configuration Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC using either a predefined or custom definition, and click Apply. Figure 3-27 Setting the System Clock CLI - This example shows how to set the time zone for the system clock using one of the predefined time zone configurations.
  • Page 102 Configuring the Switch Date Mode – Sets the start, end, and offset times of summer time for the switch on a one-time basis. This mode sets the summer-time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time zone deviates from your regular time zone.
  • Page 103: Simple Network Management Protocol

    Simple Network Management Protocol Web – Select SNTP, Summer Time. Select one of the configuration modes, configure the relevant attributes, enable summer time status, and click Apply. Figure 3-28 Summer Time CLI - This example configures summer time to take effect for a predefined zone. Console(config)#clock summer-time MESZ predefined usa 4-77 Console#...
  • Page 104 Configuring the Switch the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports.
  • Page 105: Enabling The Snmp Agent

    Simple Network Management Protocol Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply.
  • Page 106: Specifying Trap Managers And Trap Types

    Configuring the Switch Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add. Figure 3-30 Configuring SNMP Community Strings CLI – The following example adds the string “spiderman” with read/write access. Console(config)#snmp-server community spiderman rw 4-90 Console(config)#...
  • Page 107 Simple Network Management Protocol To send an inform to an SNMPv2c host, complete these steps: 1. Enable the SNMP agent (page 3-51). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 3-64). 4.
  • Page 108: Figure 3-31 Configuring Ip Trap Managers

    Configuring the Switch • Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled) • Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken.
  • Page 109: Configuring Snmpv3 Management Access

    Simple Network Management Protocol Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first, before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 110: Specifying A Remote Engine Id

    Configuring the Switch Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 111: Configuring Snmpv3 Users

    Simple Network Management Protocol Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. Command Attributes •...
  • Page 112: Figure 3-34 Configuring Snmpv3 Users

    Configuring the Switch Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 113: Configuring Remote Snmpv3 Users

    Simple Network Management Protocol Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 114: Figure 3-35 Configuring Remote Snmpv3 Users

    Configuring the Switch Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 115: Configuring Snmpv3 Groups

    Simple Network Management Protocol Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 116 Configuring the Switch Table 3-4 Supported Notification Messages (Continued) Object Label: linkDown. Object ID: 1.3.6.1.6.3.1.1.5.3. Description: A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 117: Figure 3-36 Configuring Snmpv3 Groups

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list.
  • Page 118: Setting Snmpv3 Views

    Configuring the Switch Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
  • Page 119: Sampling Traffic Flows

    Sampling Traffic Flows CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-96 Console(config)#exit Console#show snmp view 4-97 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
  • Page 120: Configuring Sflow Global Parameters

    Table 3-5 sFlow Groups and Port Members Port Members Group FGL-2870 1, 2, 3, 4, 5, 6, 7, 8 9, 10, 11, 12, 13, 14, 15, 16 17, 18, 19, 20, 21, 22, 23, 24 • Status – Enables sFlow on the ports in the indicated group.
  • Page 121: Figure 3-38 Sflow Global Configuration

    Sampling Traffic Flows Web – Click sFlow, Configuration. Set the global status for flow sampling, the ports or port groups to be sampled, the sampling rate, and then click Apply. Figure 3-38 sFlow Global Configuration CLI – This example enables sFlow globally, and then enables sampling and sets the sampling rate for Port 1 (which effectively configures the same sFlow settings for all port members in Group 1).
  • Page 122: Configuring Sflow Port Parameters

    Configuring the Switch Configuring sFlow Port Parameters Use the sFlow Port Configuration page to set the destination parameters for the sampled data, payload parameters, and sampling interval. Command Usage • Port – Choose the port to configure. (Range: 1-28/52; Default: 1) •...
  • Page 123: Figure 3-39 Sflow Port Configuration

    Sampling Traffic Flows Web – Click sFlow, Port Configuration. Set the parameters for flow Collector, the reset timeout, the payload, and flow interval. Then click Apply. Figure 3-39 sFlow Port Configuration CLI – This example enables sFlow globally, and then enables sampling and sets the sampling rate for Port 1 (which effectively configures the same sFlow settings for all port members in Group 1).
  • Page 124: User Authentication

    Configuring the Switch User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: •...
  • Page 125: Figure 3-40 Access Levels

    User Authentication • Add/Remove – Adds or removes an account from the list. Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List.
  • Page 126: Configuring Local/Remote Logon Authentication

    Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 127 User Authentication Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
  • Page 128: Figure 3-41 Authentication Settings

    Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-41 Authentication Settings CLI –...
  • Page 129: Configuring Encryption Keys

    User Authentication Console#configure Console(config)#authentication login tacacs 4-113 Console(config)#tacacs-server 1 host 10.20.30.40 4-120 Console(config)#tacacs-server port 200 4-120 Console(config)#tacacs-server retransmit 5 4-121 Console(config)#tacacs-server timeout 10 4-122 Console(config)#tacacs-server key green 4-121 Console#show tacacs-server 4-122 Remote TACACS+ server configuration: Global Settings: Server Port Number: Retransmit Times Request Times Server 1:...
  • Page 130: Aaa Authorization And Accounting

    Configuring the Switch - Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. - Change – Clicking this button adds or modifies the selected encryption key. Web –...
  • Page 131: Configuring Aaa Radius Group Settings

    User Authentication • Accounting for users that access management interfaces on the switch through the console and Telnet. • Accounting for commands that users enter at specific CLI privilege levels. • Authorization of users that access management interfaces on the switch through the console and Telnet.
  • Page 132: Configuring Aaa Tacacs+ Group Settings

    Configuring the Switch CLI – Specify the group name for a list of RADIUS servers, and then specify the index number of a RADIUS server to add it to the group. Console(config)#aaa group server radius tps-radius 4-123 Console(config-sg-radius)#server 1 4-124 Console(config-sg-radius)#server 2 4-124 Console(config-sg-radius)#...
  • Page 133: Figure 3-45 Aaa Accounting Settings

    User Authentication The method name is only used to describe the accounting method(s) configured on the specified accounting servers, and does not actually send any information to the servers about the methods to use. • Service Request – Specifies the service as either 802.1X (user accounting) or Exec (administrative accounting for local console, Telnet, or SSH connections).
  • Page 134: Aaa Accounting Update

    Configuring the Switch CLI – Specify the accounting method required, followed by the chosen parameters. Console(config)#aaa accounting dot1x tps start-stop group radius 4-125 Console(config)# AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers.
  • Page 135: Aaa Accounting 802.1X Port Settings

    User Authentication AAA Accounting 802.1X Port Settings This feature applies the specified accounting method to an interface. Command Attributes • Port/Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-77).
  • Page 136: Aaa Accounting Exec Command Privileges

    Configuring the Switch AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels. Command Attributes • Commands Privilege Level - The CLI privilege levels (0-15). • Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
  • Page 137: Aaa Accounting Exec Settings

    User Authentication AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 138: Figure 3-50 Aaa Accounting Summary

    Configuring the Switch Web – Click Security, AAA, Summary. Figure 3-50 AAA Accounting Summary...
  • Page 139: Authorization Settings

    User Authentication CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-131 Accounting Type : dot1x Method List : default Group List : radius Interface Method List : tps-method Group List : tps-radius Interface Accounting Type : Exec...
  • Page 140: Authorization Exec Settings

    Configuring the Switch Web – Click Security, AAA, Authorization, Settings. To configure a new authorization method, specify a method name and a group name, select the service, then click Add. Figure 3-51 AAA Authorization Settings CLI – Specify the authorization method required and the server group. Console(config)#aaa authorization exec default group tacacs+ 4-130 Console(config)#...
  • Page 141: Authorization Summary

    User Authentication CLI – Specify the authorization method to use for Console and Telnet interfaces. Console(config)#line console 4-45 Console(config-line)#authorization exec tps-auth 4-131 Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec tps-auth Console(config-line)# Authorization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
  • Page 142: Configuring Https

    Configuring the Switch Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
  • Page 143: Replacing The Default Secure-Site Certificate

    User Authentication Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-54 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server 4-133 Console(config)#ip http secure-port 443 4-134 Console(config)#...
  • Page 144: Configuring The Secure Shell

    Configuring the Switch • Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch. Web – Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private file name details, then click Copy Certificate.
  • Page 145 User Authentication Notes: 1. You need to install an SSH client on the management station to access the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients. Command Usage The SSH server on this switch supports both password and public key authentication.
  • Page 146 Configuring the Switch 5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch. 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b.
  • Page 147: Generating The Host Key Pair

    User Authentication Generating the Host Key Pair A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public Keys"...
  • Page 148: Figure 3-56 Ssh Host-Key Settings

    Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-56 SSH Host-Key Settings CLI –...
  • Page 149: Importing User Public Keys

    User Authentication Importing User Public Keys A user’s Public Key must be uploaded to the switch in order for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
  • Page 150: Figure 3-57 Ssh User Public-Key Settings

    Configuring the Switch Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key. Figure 3-57 SSH User Public-Key Settings...
  • Page 151: Configuring The Ssh Server

    User Authentication CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. 4-37 Console#copy tftp public-key TFTP server IP address: 192.168.1.254 Choose public key type: 1. RSA: 2. DSA: <1-2>: 2 Source file name: admin-ssh2-dsa-pub.key Username: admin TFTP Download...
  • Page 152: Figure 3-58 Ssh Server Settings

    Configuring the Switch • SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;...
  • Page 153: Configuring 802.1X Port Authentication

    User Authentication Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 154: Displaying 802.1X Global Settings

    Configuring the Switch • Each switch port that will be used must be set to dot1X “Auto” mode. • Each client that needs to be authenticated must have dot1X client software installed and properly configured. • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) •...
  • Page 155: Configuring 802.1X Global Settings

    User Authentication Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 156 Configuring the Switch • Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) • Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
  • Page 157: Figure 3-61 802.1X Port Configuration

    User Authentication Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply. Figure 3-61 802.1X Port Configuration...
  • Page 158 Configuring the Switch CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see "show dot1x" on page 4-152. Console(config)#interface ethernet 1/2 4-220 Console(config-if)#dot1x port-control auto 4-146 Console(config-if)#dot1x re-authentication 4-149 Console(config-if)#dot1x max-req 5 4-146...
  • Page 159: Displaying 802.1X Statistics

    User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-6 802.1X Statistics (Parameter – Description) • Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator. • Rx EAPOL Logoff – The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 160: Figure 3-62 Displaying 802.1X Port Statistics

    Configuring the Switch Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-62 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-152 Eth 1/4...
  • Page 161: Filtering Ip Addresses For Management Access

    User Authentication Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage •...
  • Page 162: Figure 3-63 Creating An Ip Filter List

    Configuring the Switch Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-63 Creating an IP Filter List CLI –...
  • Page 163: General Security Measures

    General Security Measures General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 164: Configuring Port Security

    Configuring the Switch Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 165: Web Authentication

    General Security Measures Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-64 Configuring Port Security CLI –...
  • Page 166: Configuring Web Authentication

    Configuring the Switch Configuring Web Authentication Web authentication is configured on a per-port basis; however, there are four configurable parameters that apply globally to all ports on the switch. Command Attributes • System Authentication Control – Enables Web Authentication for the switch. (Default: Disabled) •...
  • Page 167: Configuring Web Authentication For Ports

    General Security Measures Configuring Web Authentication for Ports Web authentication is configured on a per-port basis. The following parameters are associated with each port. Command Attributes • Port – Indicates the port being configured • Status – Configures the web authentication status for the port. •...
  • Page 168: Displaying Web Authentication Port Information

    Configuring the Switch Displaying Web Authentication Port Information This switch can display web authentication information for all ports and connected hosts. Command Attributes • Interface – Indicates the ethernet port to query. • IP Address – Indicates the IP address of each connected host. •...
  • Page 169: Network Access (Mac Address Authentication)

    General Security Measures Web – Click Security, Web Authentication, Re-authentication. Figure 3-68 Web Authentication Port Re-authentication CLI – This example forces the re-authentication of all hosts connected to port 1/5. Console#web-auth re-authenticate interface ethernet 1/5 4-176 Failed to reauth. Console# Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X...
  • Page 170: Table 3-7 Dynamic Qos Profiles

    Configuring the Switch • Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024. •...
  • Page 171: Configuring The Mac Authentication Reauthentication Time

    General Security Measures - The Filter-ID attribute is empty. - The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (cannot recognize the whole Filter-ID attribute). • Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur: - Illegal characters found in a profile value (for example, a non-digital character in an 802.1p profile value).
  • Page 172: Configuring Mac Authentication For Ports

    Configuring the Switch Web – Click Security, Network Access, Configuration. Figure 3-69 Network Access Configuration CLI – This example sets and displays the reauthentication time. Console(config)#mac-authentication reauth-time 3000 4-164 Console(config)#exit Console#show network-access interface ethernet 1/1 4-170 Global secure port information Reauthentication Time : 1800 --------------------------------------------------...
  • Page 173: Figure 3-70 Network Access Port Configuration

    General Security Measures • Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server are applied to the port, providing the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled) The VLAN settings specified by the first authenticated MAC address are implemented for a port.
  • Page 174: Configuring Port Link Detection

    Configuring the Switch CLI – This example configures MAC authentication for port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access mode mac-authentication 4-163 Console(config-if)#network-access max-mac-count 10 4-162 Console(config-if)#mac-authentication max-mac-count 24 4-165 Console(config-if)#network-access dynamic-vlan 4-166 Console(config-if)#network-access dynamic-qos 4-167 Console(config-if)#network-access guest-vlan 4-166 Console(config-if)#network-access link-detection 4-168 Console(config-if)#network-access link-detection link-up action trap 4-169 Console(config-if)#end Console#show network-access interface ethernet 1/1...
  • Page 175: Displaying Secure Mac Address Information

    General Security Measures Web – Click Security, Network Access, Port Link Detection Configuration. Modify the Status, Condition and Action. Click Apply. Figure 3-71 Network Access Port Link Detection Configuration CLI – This example configures Port Link Detection to send an SNMP trap for all link events on port 1.
  • Page 176: Mac Filter Configuration

    Configuring the Switch • Attribute – Indicates a static or dynamic address. • Remove – Click the Remove button to remove selected MAC addresses from the secure MAC address table. Web – Click Security, Network Access, MAC Address Information. Restrict the displayed addresses by port, MAC Address, or attribute, then select the method of sorting the displayed addresses.
  • Page 177: Figure 3-73 Network Access Mac Filter Configuration

    General Security Measures Command Attributes • Filter ID (1-64) - top - ALL – Displays all configured MAC filter tables. - Filter ID – Displays all entries associated with the specified MAC Filter ID. - Query – Displays all entries in the specified table(s). •...
  • Page 178: Access Control Lists

    Configuring the Switch CLI – This example adds Filter ID 22 and configures it to block traffic from MAC address 11-22-33-44-55-66. Console(config)#network-access mac-filter 22 mac-address 11-22-33-44-55-66 4-161 Console(config)#exit Console#show network-access mac-filter 22 Filter ID MAC Address MAC Mask --------- ----------------- ----------------- 22 11-22-33-44-55-66 FF-FF-FF-FF-FF-FF Console# Access Control Lists...
  • Page 179: Setting The Acl Name And Type

    General Security Measures Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 15 characters) • Type – The following filter modes are supported: - IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
  • Page 180: Configuring A Standard Ipv4 Acl

    Configuring the Switch Configuring a Standard IPv4 ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 181: Configuring An Extended Ipv4 Acl

    General Security Measures Configuring an Extended IPv4 ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
  • Page 182: Figure 3-76 Acl Configuration - Extended Ipv4

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 183: Configuring A Standard Ipv6 Acl

    General Security Measures Configuring a Standard IPv6 ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-prefix”...
  • Page 184: Configuring An Extended Ipv6 Acl

    Configuring the Switch Configuring an Extended IPv6 ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Source IPv6 Address field, or “IPv6-prefix”...
  • Page 185: Configuring A Mac Acl

    General Security Measures CLI – This example adds three rules: (1) Accepts any incoming packets for the destination 2009:DB9:2229::79/8. (2) Allows packets to any destination address when the DSCP value is 5. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8 4-208 Console(config-ext-ipv6-acl)#permit any dscp 5 Console(config-ext-ipv6-acl)# Configuring a MAC ACL Use this page to configure ACLs based on hardware addresses, packet format, and Ethernet type.
  • Page 186: Figure 3-79 Acl Configuration - Mac

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 187: Configuring An Arp Acl

    General Security Measures Configuring an ARP ACL Use this page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring ARP Inspection" on page 3-136). Command Attributes • Action – An ACL can contain any combination of permit or deny rules. •...
  • Page 188: Figure 3-80 Acl Configuration - Arp

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the packet type, the address type (Any, Host, or MAC), the source and/or destination addresses. If you select “Host,” enter a specific address. If you select “IP” or “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 189: Binding A Port To An Access Control List

    General Security Measures Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP/IPv6 access list and one MAC access list to any port.
  • Page 190: Arp Inspection

    Configuring the Switch CLI – This example assigns an IP access list to port 1, and an IP access list to port 3. Console(config)#interface ethernet 1/1 4-220 Console(config-if)#ip access-group david in 4-204 Console(config-if)#exit Console(config)#interface ethernet 1/3 Console(config-if)#ip access-group david in Console(config-if)# ARP Inspection ARP Inspection is a security feature that validates the MAC Address bindings for...
  • Page 191 General Security Measures - When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. - Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
  • Page 192 Configuring the Switch ARP Inspection Logging • By default, logging is active for ARP Inspection, and cannot be disabled. • The administrator can configure the log facility rate. • When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis.
  • Page 193 General Security Measures • ARP Inspection Validation – Enables extended ARP Inspection Validation if any of the following options are enabled. (Default: Disabled) - Dst-MAC – Validates the destination MAC address in the Ethernet header against the target MAC address in the body of ARP responses. - IP –...
  • Page 194: Figure 3-82 Configuring Arp Inspection

    Configuring the Switch Web – Click Security, ARP Inspection, Configuration. Enable inspection both globally and for the required VLANs, select an ARP ACL filter to check for statically configured addresses, select any required additional validation, adjust the logging parameters if required, specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate.
  • Page 195: Displaying Arp Inspection Port Information

    General Security Measures Displaying ARP Inspection Port Information Use the ARP Inspection Port Information page to display a list of trusted ports and statistics about the number of ARP packets processed, or dropped for various reasons. Command Attributes • Trusted Port List – Displays all ports configured as trusted. •...
  • Page 196: Figure 3-83 Displaying Statistics For Arp Inspection

    Configuring the Switch Web – Click Security, ARP Inspection, Information. Figure 3-83 Displaying Statistics for ARP Inspection CLI – This example displays statistics for ARP Inspection. Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address Dst MAC Address...
  • Page 197: Dhcp Snooping

    General Security Measures DHCP Snooping The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 198: Dhcp Snooping Configuration

    Configuring the Switch - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. - If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
  • Page 199: Dhcp Snooping Vlan Configuration

    General Security Measures DHCP Snooping VLAN Configuration Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs. Command Usage • When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 200: Dhcp Snooping Information Option Configuration

    Configuring the Switch DHCP Snooping Information Option Configuration DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 201: Configuring Ports For Dhcp Snooping

    General Security Measures Web – Click DHCP Snooping, Information Option Configuration. Figure 3-86 DHCP Snooping Information Option Configuration CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace Console(config)#ip dhcp snooping information option 4-183 Console(config)#ip dhcp snooping information policy replace 4-184 Console(config)#exit Console#show ip dhcp snooping...
  • Page 202: Figure 3-87 Dhcp Snooping Port Configuration

    Configuring the Switch Command Attributes • Trust Status – Enables or disables a port as trusted. Web – Click DHCP Snooping, Port Configuration. Set any ports within the local network or firewall to trusted, and click Apply. Figure 3-87 DHCP Snooping Port Configuration CLI –...
  • Page 203: Displaying Dhcp Snooping Binding Information

    General Security Measures Displaying DHCP Snooping Binding Information Binding table entries can be displayed on the Binding Information page. Command Attributes • Store DHCP snooping binding entries to flash. – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 204: Ip Source Guard

    Configuring the Switch IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping" on page 3-143).
  • Page 205: Figure 3-89 Ip Source Guard Port Configuration

    General Security Measures Command Attributes • Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. (Default: None) • None – Disables IP source guard filtering on the port. •...
  • Page 206: Configuring Static Binding For Ip Source Guard

    Configuring the Switch Configuring Static Binding for IP Source Guard Use the IP Source Guard Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
  • Page 207: Figure 3-90 Static Ip Source Guard Binding Configuration

    General Security Measures Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the MAC address and associated IP address, then click Add. Figure 3-90 Static IP Source Guard Binding Configuration CLI –...
  • Page 208: Displaying Information For Dynamic Ip Source Guard Bindings

    Configuring the Switch Displaying Information for Dynamic IP Source Guard Bindings Use the Dynamic Information page to display the source-guard binding table for a selected interface. Command Attributes • Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address) •...
  • Page 209: Port Configuration

    Port Configuration Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
  • Page 210 Configuring the Switch Field Attributes (CLI) Basic Information: • Port Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC Address – The physical layer address for this port. (To access this item on the web, see "Setting the Switch’s IP Address" on page 3-18.) Configuration: •...
  • Page 211: Configuring Interface Connections

    Port Configuration Current Status: • Link Status – Indicates if the link is up or down. • Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.) • Operation Speed-duplex – Shows the current speed and duplex mode. •...
  • Page 212 Configuring the Switch trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. However, this switch does provide a means of safely forcing a link to operate at 1000 Mbps, full-duplex using the Giga Phy Mode attribute described below.
  • Page 213: Figure 3-93 Port/Trunk Configuration

    Port Configuration Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub. (Default: Autonegotiation enabled; Advertised capabilities for 100BASE-TX – 10half, 10full, 100half, 100full;...
  • Page 214: Creating Trunk Groups

    Configuring the Switch Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 215: Statically Configuring A Trunk

    Port Configuration Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 216: Enabling Lacp On Selected Ports

    Configuring the Switch CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-220 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-220 Console(config-if)#channel-group 2 4-249 Console(config-if)#exit...
  • Page 217: Figure 3-95 Lacp Trunk Configuration

    Port Configuration • Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu (see page 3-161). Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port –...
  • Page 218: Configuring Parameters For Lacp Group Members

    Configuring the Switch Console#show interfaces status port-channel 1 4-229 Information of Trunk 1 Basic Information: Port Type: 100TX MAC Address: 00-12-CF-BE-21-DE Configuration: Name: Port Admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Flow Control: Disabled VLAN Trunking: Disabled Port Security: Disabled Max MAC Count: Giga PHY Mode:...
  • Page 219: Figure 3-96 Lacp Port Configuration

    Port Configuration • Port Priority – If a link goes down, LACP port priority is used to select a backup link. (Range: 0-65535; Default: 32768) Set Port Partner – This menu sets the remote side of an aggregate link; i.e., the ports on the attached device.
  • Page 220: Configuring Parameters For Lacp Groups

    Configuring the Switch Console#show lacp sysid 4-255 Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-12-CF-BE-21-DE 32768 00-12-CF-BE-21-DE 32768 00-12-CF-BE-21-DE 32768 00-12-CF-BE-21-DE Console#show lacp 1 internal 4-255 Port Channel: 1 ------------------------------------------------------------------------- Oper Key: 120 Admin Key: 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal: 30 sec...
  • Page 221: Displaying Lacp Port Counters

    Port Configuration Web – Click Port, LACP, Aggregator. Set the Admin Key for the required LACP group, and click Apply. Figure 3-97 LACP Aggregation Group Configuration CLI – The following example sets the LACP admin key for port channel 1. Console(config)#interface port-channel 1 4-220 Console(config-if)#lacp actor admin-key 3...
  • Page 222: Displaying Lacp Settings And Status For The Local Side

    Configuring the Switch Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-98 LACP - Port Counters Information CLI – The following example displays LACP counters. Console#show lacp counters 4-255 Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 -------------------------------------------------------------------------...
  • Page 223: Figure 3-99 Lacp - Port Internal Information

    Port Configuration Table 3-9 LACP Internal Configuration Information (Continued) Field Description Admin State, Administrative or operational values of the actor’s state parameters: Oper State • Expired – The actor’s receive machine is in the expired state; • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 224: Displaying Lacp Settings And Status For The Remote Side

    Configuring the Switch CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-255 Port channel : 1 ------------------------------------------------------------------------- Oper Key : 120 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal:...
  • Page 225: Figure 3-100 Lacp - Port Neighbors Information

    Port Configuration Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-100 LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-255 Port channel 1 neighbors...
  • Page 226: Setting Broadcast Storm Thresholds

    Configuring the Switch Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 227: Figure 3-101 Port Broadcast Control

    Port Configuration Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-101 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
  • Page 228: Setting Multicast Storm Thresholds

    Configuring the Switch Setting Multicast Storm Thresholds You can protect your network from excess multicast traffic by setting thresholds for each port. Any multicast packets exceeding the specified threshold will then be dropped. Command Usage • Multicast Storm Control is disabled by default. •...
  • Page 229: Setting Unknown Unicast Storm Thresholds

    Port Configuration Web – Click Configuration, Port, Port Multicast Control or Trunk Multicast Control. Check the Enabled box for any interface, set the threshold, and click Apply. Figure 3-102 Port Multicast Control CLI – Specify any interface, and then enter the threshold. The following example sets the multicast threshold at 600 packets per second for port 1.
  • Page 230: Figure 3-103 Port Unknown Unicast Control

    Configuring the Switch automatic storm control which triggers various control responses. This control type is only supported by the Command Line Interface as described under "Automatic Traffic Control Commands" on page 4-233. However, note that only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
  • Page 231: Configuring Port Mirroring

    Port Configuration Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 232: Configuring Mac Address Mirroring

    Configuring the Switch Configuring MAC Address Mirroring You can mirror traffic matching a specified source address from any port on the switch, except for the target port, to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 233: Configuring Rate Limits

    Port Configuration Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 234: Showing Port Statistics

    Configuring the Switch Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
  • Page 235 Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 236 Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed to this multicast address.
  • Page 237: Figure 3-107 Port Statistics

    Port Configuration Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-107 Port Statistics...
  • Page 238 Configuring the Switch CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 4-230 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 239: Address Table Settings

    Address Table Settings Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 240: Displaying The Address Table

    Configuring the Switch CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset. Console(config)#mac-address-table static 00-12-cf-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset 4-264 Console(config)# Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 241: Changing The Aging Time

    Address Table Settings CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 4-266 Interface MAC Address VLAN Type --------- ----------------- ---- ----------------- Eth 1/ 1 00-23-54-EF-1D-AF 1 Delete-on-reset Eth 1/ 1 00-12-CF-94-34-DE 2 Learned Console# Changing the Aging Time...
  • Page 242: Spanning Tree Algorithm Configuration

    Configuring the Switch Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 243 Spanning Tree Algorithm Configuration MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
  • Page 244: Configuring Port And Trunk Loopback Detection

    Configuring the Switch Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI), the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs. MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree (CST).
  • Page 245: Displaying Global Settings For Sta

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, Port Loopback Detection or Trunk Loopback Detection. Modify the required attributes, then click Apply. Figure 3-111 Configuring Port Loopback Detection CLI – This command enables loopback detection for port 1/5, configures automatic release-mode, and enables SNMP trap notification for detected loopback BPDUs.
  • Page 246 Configuring the Switch • Forward Delay – The maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 247: Figure 3-112 Displaying Spanning Tree Information

    Spanning Tree Algorithm Configuration • Remaining Hops – The remaining number of hop counts for the MST instance. • Transmission Limit – The minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. • Path Cost Method – The path cost is used to determine the best path between devices.
  • Page 248: Configuring Global Settings For Sta

    Configuring the Switch Configuring Global Settings for STA Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 249 Spanning Tree Algorithm Configuration • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 250 Configuring the Switch Configuration Settings for RSTP The following attributes apply to both RSTP and MSTP: • Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
  • Page 251: Figure 3-113 Configuring Spanning Tree

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-113 Configuring Spanning Tree...
  • Page 252: Displaying Interface Settings For Sta

    Configuring the Switch CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-269 Console(config)#spanning-tree mode mstp 4-270 Console(config)#spanning-tree priority 45056 4-273 Console(config)#spanning-tree hello-time 5 4-271 Console(config)#spanning-tree max-age 38 4-272 Console(config)#spanning-tree forward-time 20 4-271...
  • Page 253 Spanning Tree Algorithm Configuration • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
  • Page 254: Figure 3-114 Displaying Spanning Tree Port Information

    Configuring the Switch • Admin Status – Shows if this interface is enabled. • External Admin Path Cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 255: Configuring Interface Settings For Sta

    Spanning Tree Algorithm Configuration CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-291 1/ 5 information -------------------------------------------------------------- Admin Status: Enabled Role: Disabled State: Discarding Admin Path Cost: Oper Path Cost: 100000 Priority: Designated Cost: 100000 Designated Port: 128.5...
  • Page 256: Table 3-12 Recommended Sta Path Cost Range

    Configuring the Switch The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 3-194) or when spanning tree is disabled on specific port.
  • Page 257: Table 3-14 Default Sta Path Costs

    Spanning Tree Algorithm Configuration Table 3-13 Recommended STA Path Costs Port Type Link Type IEEE 802.1D-1998 IEEE 802.1w-2001 Fast Ethernet Half Duplex 200,000 Full Duplex 100,000 Trunk 50,000 Gigabit Ethernet Full Duplex 10,000 Trunk 5,000 Table 3-14 Default STA Path Costs Port Type Link Type IEEE 802.1w-2001...
  • Page 258: Spanning Tree Edge Port Configuration

    Configuring the Switch Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-115 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-220 Console(config-if)#no spanning-tree port-bpdu-flooding 4-284...
  • Page 259: Figure 3-116 Configuring Edge Port Parameters

    Spanning Tree Algorithm Configuration link type is point-to-point; otherwise it equals the spanning-tree’s maximum age (see "Configuring Global Settings for STA" on page 3-194). An interface cannot function as an edge port under the following conditions: - If spanning tree mode is set to STP (page 3-194), edge-port mode can be manually enabled or set to auto, but will have no effect.
  • Page 260: Vlan Configuration

    Configuring the Switch CLI – This example sets edge port attributes for port 5.
    Console(config)#interface ethernet 1/5 4-220
    Console(config-if)#spanning-tree edge-port 4-281
    Console(config-if)#spanning-tree bpdu-guard 4-284
    Console(config-if)#spanning-tree bpdu-filter 4-283
    Console(config-if)#
    VLAN Configuration
    IEEE 802.1Q VLANs
    In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains.
  • Page 261 VLAN Configuration more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs. Then assign ports on the other VLAN-aware network devices along the path that will carry this traffic to the same VLAN(s), either manually or dynamically using GVRP.
  • Page 262 Configuring the Switch receiving port in the specified VLANs, and pass the message on to all other ports. VLAN requirements are propagated in this way throughout the network. This allows GVRP-compliant devices to be automatically configured for VLAN groups based solely on endstation requests.
  • Page 263: Enabling Or Disabling Gvrp (Global Setting)

    VLAN Configuration Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 264: Displaying Basic Vlan Information

    Configuring the Switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
  • Page 265: Displaying Current Vlans

    VLAN Configuration Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
  • Page 266: Creating Vlans

    Configuring the Switch • Name – Name of the VLAN (1-100 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Port channel – Shows the VLAN interface members. CLI –...
  • Page 267: Figure 3-120 Configuring A Vlan Static List

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-120 Configuring a VLAN Static List CLI –...
  • Page 268: Adding Static Members To Vlans (Vlan Index)

    Configuring the Switch Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 269: Figure 3-121 Configuring A Vlan Static Table

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 270: Adding Static Members To Vlans (Port Index)

    Configuring the Switch Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 271: Configuring Vlan Behavior For Interfaces

    VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 272: Figure 3-123 Configuring Vlans Per Port

    Configuring the Switch • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
  • Page 273: Configuring Ieee 802.1Q Tunneling

    VLAN Configuration CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. Console(config)#interface ethernet 1/3 4-220 Console(config-if)#switchport acceptable-frame-types tagged 4-302 Console(config-if)#switchport ingress-filtering...
  • Page 274 Configuring the Switch processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
  • Page 275 VLAN Configuration 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: •...
  • Page 276 Configuring the Switch Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
  • Page 277: Enabling Qinq Tunneling On The Switch

    VLAN Configuration Enabling QinQ Tunneling on the Switch The switch can be configured to operate in normal VLAN mode or IEEE 802.1Q (QinQ) tunneling mode which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 278: Adding An Interface To A Qinq Tunnel

    Configuring the Switch CLI – This example sets the switch to operate in QinQ mode.
    Console(config)#dot1q-tunnel system-tunnel-control 4-309
    Console(config-if)#switchport dot1q-tunnel tpid 9100 4-310
    Console(config)#exit
    Console#show dot1q-tunnel 4-311
    Current double-tagged status of the system is Enabled
    The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x9100.
    The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x9100.
  • Page 279: Figure 3-125 Tunnel Port Configuration

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply. Figure 3-125 Tunnel Port Configuration CLI –...
  • Page 280: Traffic Segmentation

    Configuring the Switch Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions. Traffic belonging to each client is isolated to the allocated downlink ports.
  • Page 281: Configuring Traffic Segmentation Sessions

    VLAN Configuration Configuring Traffic Segmentation Sessions Use the Traffic Segmentation Session Configuration page to create a client session, and assign the downlink and uplink ports to service the traffic associated with each session. Command Attributes • Session ID – Traffic segmentation session. (Range: 1-15) •...
  • Page 282: Private Vlans

    Configuring the Switch Private VLANs Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other hosts within the community VLAN and with any of the promiscuous ports in the associated primary VLAN.
  • Page 283: Configuring Private Vlans

    VLAN Configuration Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu. Figure 3-128 Private VLAN Information CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 284: Associating Vlans

    Configuring the Switch Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
  • Page 285: Displaying Private Vlan Interface Information

    VLAN Configuration CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.
    Console(config)#vlan database 4-298
    Console(config-vlan)#private-vlan 5 association 6 4-318
    Console(config-vlan)#private-vlan 5 association 7 4-318
    Console(config)#
    Displaying Private VLAN Interface Information
    Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
  • Page 286: Configuring Private Vlan Interfaces

    Configuring the Switch CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 287: Protocol Vlans

    VLAN Configuration Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
  • Page 288: Configuring Protocol Vlan Groups

    Configuring the Switch Command Usage • To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 3-212). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2.
  • Page 289: Mapping Protocols To Vlans

    VLAN Configuration CLI – This example creates protocol group 1 for Ethernet frames using the IP protocol, and group 2 for Ethernet frames using the ARP protocol.
    Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip 4-322
    Console(config)#protocol-vlan protocol-group 2 add frame-type ethernet protocol-type arp
    Console(config)#
    Mapping Protocols to VLANs
    Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group...
  • Page 290: Configuring Vlan Mirroring

    Configuring the Switch CLI – This example shows the switch configured with Protocol Group 2 mapped to VLAN 2.
    Console(config)#protocol-vlan protocol-group 2 vlan 2 4-322
    Console(config)#
    Configuring VLAN Mirroring
    You can mirror traffic from one or more source VLANs to a target port for real-time analysis.
  • Page 291: Configuring Ip Subnet Vlans

    VLAN Configuration CLI – This example mirrors all traffic entering VLAN 1 to port 28.
    Console(config)#interface ethernet 1/1 4-220
    Console(config-if)#port monitor vlan 1 4-260
    Console(config-if)#
    Configuring IP Subnet VLANs
    When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 292: Configuring Mac-Based Vlans

    Configuring the Switch Web – Click VLAN, IP Subnet VLAN, Configuration. Enter the IP address, subnet mask, and the VLAN to which matching frames will be forwarded. Then click Apply. Figure 3-136 IP Subnet VLAN Configuration
    CLI – This example maps all traffic from the IP subnet of 192.168.2.0 to VLAN 2.
    Console(config)#subnet-vlan subnet 192.168.1.0 255.255.255.0 vlan 2 4-325
    Console(config)#
  • Page 293: Link Layer Discovery Protocol

    Link Layer Discovery Protocol Web – Click VLAN, MAC-based VLAN, Configuration. Enter the MAC address, the VLAN to which matching frames will be forwarded, and then click Apply. Figure 3-137 MAC-based VLAN Configuration
    CLI – This example maps all traffic matching the specified address to VLAN 2.
    Console(config)#mac-vlan mac-address 00-ab-cd-11-22-33 vlan 2 4-326
    Console(config)#
  • Page 294 Configuring the Switch Command Attributes • LLDP – Enables LLDP globally on the switch. (Default: Enabled) • Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds) This attribute must comply with the following rule: (Transmission Interval * Hold Time Multiplier) ≤...
  • Page 295: Configuring Lldp Interface Attributes

    Link Layer Discovery Protocol The MED Fast Start Count parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port. LLDP-MED Fast Start is critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service.
  • Page 296 Configuring the Switch Command Attributes • Admin Status – Enables LLDP message transmit and receive modes for LLDP Protocol Data Units. (Options: Tx only, Rx only, TxRx, Disabled; Default: TxRx) • SNMP Notification – Enables the transmission of SNMP trap notifications about LLDP and LLDP-MED changes.
  • Page 297: Figure 3-139 Lldp Port Configuration

    Link Layer Discovery Protocol configure the system name, see "Displaying System Information" on page 3-13. - System Capabilities – The system capabilities identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB. •...
  • Page 298: Displaying Lldp Local Device Information

    Configuring the Switch CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise. Console(config)#interface ethernet 1/1 4-220 Console(config-if)#lldp admin-status tx-rx 4-341 Console(config-if)#lldp notification 4-341...
  • Page 299 Link Layer Discovery Protocol • Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. • System Name – A string that indicates the system’s administratively assigned name (see "Displaying System Information" on page 3-13). •...
  • Page 300: Table 3-16 System Capabilities

    4-354 LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : FGL-2870 System Capabilities Support : Bridge System Capabilities Enable : Bridge Management Address : 192.168.0.101 (IPv4) LLDP Port Information Interface |PortID Type...
  • Page 301: Displaying Lldp Remote Port Information

    Link Layer Discovery Protocol This example displays detailed information for a specific port on the local switch. Console#show lldp info local-device ethernet 1/1 4-354 LLDP Port Information Detail Port : Eth 1/1 Port Type : MAC Address Port ID : 00-01-02-03-04-06 Port Desc : Ethernet Port on unit 1, port 1 Console# Displaying LLDP Remote Port Information...
  • Page 302: Displaying Lldp Remote Information Details

    Configuring the Switch Displaying LLDP Remote Information Details Use the LLDP Remote Information Details screen to display detailed information about an LLDP-enabled device connected to a specific port on the local switch. Field Attributes • Local Port – The local port to which a remote LLDP-capable device is attached. •...
  • Page 303: Figure 3-142 Lldp Remote Information Details

    : MAC Address Chassis Id : 00-01-02-03-04-05 PortID Type : MAC Address PortID : 00-01-02-03-04-06 SysName SysDescr : FGL-2870 PortDescr : Ethernet Port on unit 1, port 1 SystemCapSupported : Bridge SystemCapEnabled : Bridge Remote Management Address : 00-01-02-03-04-05 (MAC Address) Console#...
  • Page 304: Displaying Device Statistics

    Configuring the Switch Displaying Device Statistics Use the LLDP Device Statistics screen to display general statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces. Field Attributes General Statistics on Remote Devices •...
  • Page 305: Displaying Detailed Device Statistics

    Link Layer Discovery Protocol CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch. switch#show lldp info statistics 4-356 LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count Neighbor Entries Deleted Count Neighbor Entries Dropped Count Neighbor Entries Ageout Count...
  • Page 306: Figure 3-144 Lldp Device Statistics Details

    Configuring the Switch Web – Click LLDP, Device Statistics Details. Figure 3-144 LLDP Device Statistics Details CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch. switch#show lldp info statistics detail ethernet 1/1 4-356 LLDP Port Statistics Detail PortName...
  • Page 307: Class Of Service Configuration

    Class of Service Configuration Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 308: Figure 3-145 Port Priority Configuration

    Configuring the Switch Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-145 Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 4-220 Console(config-if)#switchport priority default 5...
  • Page 309: Mapping Cos Values To Egress Queues

    Class of Service Configuration Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 310: Selecting The Queue Mode

    Configuring the Switch Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-146 Traffic Classes CLI – The following example shows how to change the CoS assignments. Console(config)#interface ethernet 1/1 4-220 Console(config-if)#queue cos-map 0 0 4-359...
  • Page 311: Displaying The Service Weight For Traffic Classes

    Class of Service Configuration Command Attributes • WRR - Weighted Round-Robin shares bandwidth at the egress ports by using scheduling weights with default values of 1, 2, 4, 8 for queues 0 through 3, respectively. (This is the default selection.) •...
  • Page 312: Figure 3-148 Displaying Queue Scheduling

    Configuring the Switch Web – Click Priority, Queue Scheduling. Figure 3-148 Displaying Queue Scheduling CLI – The following example shows how to display the WRR weights assigned to each of the priority queues. Console#show queue bandwidth 4-360 Queue ID Weight -------- ------ Console...
  • Page 313: Layer 3/4 Priority Settings

    Class of Service Configuration Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports one method of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP/UDP port.
  • Page 314: Mapping Dscp Priority

    Configuring the Switch CLI – The following example globally enables DSCP Priority service on the switch. Console(config)#map ip dscp 4-362 Console(config)#end Console#show map ip dscp 4-364 dscp Mapping Status: Enabled DSCP COS ---- --- Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors.
  • Page 315: Figure 3-150 Mapping Ip Dscp Priority Values

    Class of Service Configuration Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply. Figure 3-150 Mapping IP DSCP Priority Values CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
  • Page 316: Quality Of Service

    Configuring the Switch Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
  • Page 317: Configuring A Class Map

    Quality of Service Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class. - When the Class Configuration page opens, fill in the “Class Name”...
  • Page 318: Figure 3-151 Configuring Class Maps

    Configuring the Switch • VLAN – A VLAN. (Range:1-4094) • Add – Adds specified criteria to the class. Up to 16 items are permitted per class. • Remove – Deletes the selected criteria from the class. Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
  • Page 319: Creating Qos Policies

    Quality of Service CLI – This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
    Console(config)#class-map rd_class match-any 4-366
    Console(config-cmap)#match ip dscp 3 4-367
    Console(config-cmap)#
    Creating QoS Policies
    This function creates a policy map that can be attached to multiple interfaces. Command Usage •...
  • Page 320 Configuring the Switch Policy Configuration • Policy Name – Name of policy map. (Range: 1-16 characters) • Description – A brief description of a policy map. (Range: 1-64 characters) • Add – Adds the specified policy. • Back – Returns to previous page without making any changes. Policy Rule Settings - Class Settings - •...
  • Page 321: Figure 3-152 Configuring Policy Maps

    Quality of Service Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-152 Configuring Policy Maps 3-267...
  • Page 322: Attaching A Policy Map To Ingress Queues

    Configuring the Switch CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
    Console(config)#policy-map rd_policy#3 4-369
    Console(config-pmap)#class rd_class#3 4-369...
  • Page 323: Voip Traffic Configuration

    Quality of Service VoIP Traffic Configuration When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation can provide higher voice quality by preventing excessive packet delays, packet loss, and jitter.
  • Page 324: Configuring Voip Traffic Ports

    Configuring the Switch Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply. Figure 3-154 Configuring VoIP Traffic CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
  • Page 325: Figure 3-155 Voip Traffic Port Configuration

    Quality of Service address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
  • Page 326: Configuring Telephony Oui

    Configuring the Switch CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status. Console(config)#interface ethernet 1/2 4-331 Console(config-if)#switchport voice vlan auto 4-332 Console(config-if)#switchport voice vlan security 4-331 Console(config-if)#switchport voice vlan rule oui 4-333 Console(config-if)#switchport voice vlan priority 5 Console(config-if)#exit...
  • Page 327: Figure 3-156 Telephony Oui List

    Quality of Service Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
  • Page 328: Multicast Filtering

    Configuring the Switch Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
  • Page 329: Layer 2 Igmp (Snooping And Query)

    Multicast Filtering Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-276) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
  • Page 330: Configuring Igmp Snooping And Query Parameters

    Configuring the Switch Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-283). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
  • Page 331: Figure 3-157 Igmp Configuration

    Multicast Filtering Command Attributes • IGMP Status — When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is also referred to as IGMP Snooping. (Default: Enabled) • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
  • Page 332: Enabling Igmp Immediate Leave

    Configuring the Switch CLI – This example modifies the settings for multicast filtering, and then displays the current status.
    Console(config)#ip igmp snooping 4-375
    Console(config)#ip igmp snooping querier 4-380
    Console(config)#ip igmp snooping leave-proxy 4-377
    Console(config)#ip igmp snooping query-count 10 4-380
    Console(config)#ip igmp snooping query-interval 100 4-381
    Console(config)#ip igmp snooping query-max-response-time 20 4-381...
  • Page 333: Figure 3-158 Igmp Immediate Leave

    Multicast Filtering Command Attributes • VLAN ID – VLAN Identifier. (Range: 1-4094). • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled) Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
  • Page 334: Displaying Interfaces Attached To A Multicast Router

    Configuring the Switch Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 335: Specifying Static Interfaces For A Multicast Router

    Multicast Filtering Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 336: Displaying Port Members Of Multicast Services

    Configuring the Switch Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attributes • VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094) •...
  • Page 337: Assigning Ports To Multicast Services

    Multicast Filtering Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP snooping and Query Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
  • Page 338: Igmp Filtering And Throttling

    Configuring the Switch CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1. Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12 4-375 Console(config)#exit Console#show mac-address-table multicast vlan 1 4-379 VLAN M'cast IP addr.
  • Page 339: Configuring Igmp Filter Profiles

    Multicast Filtering Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile group by entering a number in the text box and clicking Add. Enable the IGMP filter status, then click Apply. Figure 3-163 Enabling IGMP Filtering and Throttling CLI –...
  • Page 340: Figure 3-164 Igmp Profile Configuration

    Configuring the Switch • New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering a start and end IP address. Specify a single multicast group by entering the same IP address for the start and end of the range.
  • Page 341: Configuring Igmp Filtering And Throttling For Interfaces

    Multicast Filtering Configuring IGMP Filtering and Throttling for Interfaces Once you have configured IGMP profiles, you can assign them to interfaces on the switch. Also you can set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time. Command Usage •...
  • Page 342: Figure 3-165 Igmp Filter And Throttling Port Configuration

    Configuring the Switch Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-165 IGMP Filter and Throttling Port Configuration CLI –...
  • Page 343: Multicast Vlan Registration

    Multicast VLAN Registration Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
  • Page 344: Configuring Global Mvr Settings

    Configuring the Switch Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
  • Page 345: Figure 3-166 Mvr Global Configuration

    Multicast VLAN Registration Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 3-166 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
  • Page 346: Displaying Mvr Interface Status

    Configuring the Switch Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes • Type – Shows the MVR port type. • Oper Status – Shows the link status. • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
  • Page 347: Displaying Port Members Of Multicast Groups

    Multicast VLAN Registration Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. •...
  • Page 348: Configuring Mvr Interface Status

    Configuring the Switch Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
  • Page 349: Figure 3-169 Mvr Port Configuration

    Multicast VLAN Registration - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.) •...
  • Page 350: Assigning Static Multicast Groups To Interfaces

    Configuring the Switch Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
  • Page 351: Configuring Mvr Receiver Vlan And Group Addresses

    Multicast VLAN Registration Configuring MVR Receiver VLAN and Group Addresses Multicast traffic forwarded to subscribers is normally stripped of frame tags to prevent hosts from discovering the identity of the MVR VLAN. An MVR Receiver VLAN and the multicast services supported by this VLAN can be configured to hide the MVR VLAN, while allowing multicast traffic with frame tags to be forwarded to subscribers.
  • Page 352: Displaying Mvr Receiver Groups

    Configuring the Switch Displaying MVR Receiver Groups Interfaces assigned to the MVR receiver groups can be displayed using the Receiver Group IP Information page. Field Attributes • Group IP Address – Multicast groups assigned to the MVR Receiver VLAN. • Group Port List – Interfaces with subscribers for multicast services provided through the MVR Receiver VLAN.
  • Page 353: Configuring Static Mvr Receiver Group Members

    Multicast VLAN Registration Configuring Static MVR Receiver Group Members You can statically assign a multicast receiver group to the selected interface using the Receiver Group Member Configuration page. Field Attributes • Interface – Indicates a port or trunk. • Group Address List – Multicast receiver groups assigned to the selected interface.
  • Page 354: Domain Name Service

    Configuring the Switch Domain Name Service The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 355: Figure 3-174 Dns General Configuration

    Domain Name Service Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-174 DNS General Configuration CLI - This example sets a default domain name and a domain list.
  • Page 356: Configuring Static Dns Host To Address Entries

    Configuring the Switch Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
  • Page 357: Figure 3-175 Dns Static Host Table

    Domain Name Service Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-175 DNS Static Host Table CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
  • Page 358: Displaying The Dns Cache

    Configuring the Switch Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
  • Page 359: Switch Clustering

    Switch Clustering Switch Clustering IP Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 360 Configuring the Switch • Role – Indicates the current role of the switch in the cluster; either Commander, Member, or Candidate. (Default: Candidate) • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster.
  • Page 361: Cluster Member Configuration

    CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-83 Console(config)#end Console#show cluster candidates 4-84 Cluster Candidates: Role Description --------------- ----------------- ------------------------------------ ACTIVE MEMBER 00-12-cf-23-49-c0 FGL-2870 CANDIDATE 00-12-cf-0b-47-a0 FGL-2870 Console# 3-307...
  • Page 362: Displaying Information On Cluster Members

    Web – Click Cluster, Member Information. FGL-2870 Figure 3-180 Cluster Member Information CLI – This example shows information about cluster Member switches. Vty-0#show cluster members 4-84 Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: FGL-2870 Vty-0# 3-308...
  • Page 363: Cluster Candidate Information

    Web – Click Cluster, Candidate Information. FGL-2870 FGL-2870 Figure 3-181 Cluster Candidate Information CLI – This example shows information about cluster Candidate switches. 4-84 Vty-0#show cluster candidates Cluster Candidates: Role Description --------------- ----------------- ----------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 FGL-2870 CANDIDATE 00-12-cf-0b-47-a0 FGL-2870 Vty-0# 3-309...
  • Page 364: Upnp

    UPnP under Windows XP, open My Network Places in the Explore file manager. An entry for “FGL-2870” will appear in the list of discovered devices. Double-click on this entry to access the switch’s web management interface. Or right-click on the entry and select “Properties”...
  • Page 365: Upnp Configuration

    UPnP UPnP Configuration Use the UPnP Configuration page to enable or disable UPnP, and to set advertisement and time out values. Command Attributes • UPNP Status – Enables/disables UPnP on the device. (Default: Disabled) • Advertising Duration – This sets the duration for which a device will advertise its status to the control point.
  • Page 367: Chapter 4: Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the FGL-2870 is opened. To end the CLI session, enter [Exit]. Console#...
  • Page 368: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the FGL-2870 is opened. To end the CLI session, enter [Exit]. Vty-0# Note: You can open up to four sessions to the device via Telnet.
  • Page 369: Entering Commands

    Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 370: Showing Commands

    Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 371: Partial Keyword Lookup

    Entering Commands startup-config Startup system configuration subnet-vlan IP subnet-based VLAN information system System information tacacs-server TACACS server settings tech-support Technical information upnp UPnP settings users Information about terminal lines version System hardware and software versions vlan Virtual LAN settings voice Shows the voice VLAN information web-auth Shows web authentication configuration...
  • Page 372: Understanding Command Modes

    “super” (page 4-110). To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the FGL-2870 is opened. To end the CLI session, enter [Exit]. Console#...
  • Page 373: Configuration Commands

    Entering Commands Username: guest Password: [guest login password] CLI session with the FGL-2870 is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings.
  • Page 374: Table 4-2 Configuration Modes

    Command Line Interface To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 4-2 Configuration Modes Mode Command Prompt Page Line line {console | vty} Console(config-line) 4-44...
  • Page 375: Command Line Processing

    Entering Commands Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 376: Command Groups

    Command Line Interface Command Groups The system commands can be broken down into the functional groups shown below. Table 4-4 Command Groups Command Group Description Page General Basic commands for entering privileged access mode, restarting the 4-11 system, or quitting the CLI System Management Display and setting of system information, basic modes of operation, 4-18...
  • Page 377: General Commands

    General Commands Table 4-4 Command Groups (Continued) Command Group Description Page Quality of Service Configures Differentiated Services classification criteria and service 4-365 policies Multicast Filtering Configures IGMP multicast filtering, query parameters, specifies ports 4-374 attached to a multicast router, and enables multicast VLAN registration Domain Name Service Configures DNS services 4-399...
  • Page 378: Enable

    Command Line Interface enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-6. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 379: Configure

    General Commands Example Console#disable Console> Related Commands enable (4-12) configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 380: Reload (Privileged Exec)

    Command Line Interface The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
  • Page 381 General Commands • reload in - An interval after which to reload the switch. - hours - The number of hours, combined with the minutes, before the switch resets. (Range: 0-576) - minutes - The number of minutes, combined with the hours, before the switch resets.
  • Page 382: Show Reload

    Command Line Interface show reload This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 383: Exit

    General Commands exit This command returns to the previous configuration mode or exits the configuration program. Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 384: System Management Commands

    Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-6 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4-18 Banner Information...
  • Page 385: Banner Information Commands

    System Management Commands Example Console(config)#hostname RD#1 Console(config)# Banner Information Commands These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager.
  • Page 386: Banner Configure

    Command Line Interface banner configure This command is used to interactively specify administrative information for this device. Syntax banner configure Default Setting None Command Mode Global Configuration Command Usage The administrator can batch-input all details for the switch with one command. When the administrator finishes typing the company name and presses the enter key, the script prompts for the next piece of information, and so on, until all information has been entered.
  • Page 387: Banner Configure Company

    System Management Commands Example Console(config)#banner configure Company: LevelOne Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Jr. Network Admin phone number: 123-555-1213 Manager3 name: Night-shift Net Admin / Janitor phone number: 123-555-1214 The physical location of the equipment.
  • Page 388: Banner Configure Dc-Power-Info

    Command Line Interface Example Console(config)#banner configure company LevelOne Console(config)# banner configure dc-power-info This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure dc-power-info floor floor-id row row-id rack rack-id...
  • Page 389: Banner Configure Equipment-Info

    System Management Commands Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 390: Banner Configure Equipment-Location

    Command Line Interface Example Console(config)#banner configure equipment-info manufacturer-id FGL-2870 floor 3 row 10 rack 15 shelf-rack 12 manufacturer LevelOne Console(config)# banner configure equipment-location This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 391: Banner Configure Lp-Number

    System Management Commands Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 392: Banner Configure Manager-Info

    Command Line Interface banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] no banner configure manager-info [name1 | name2 | name3] •...
  • Page 393: Banner Configure Note

    System Management Commands Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 394: Show Banner

    Steve - 123-555-9876 Lamar - 123-555-3322 Station's information: 710_Network_Path,Indianapolis LevelOne - FGL-2870 Floor / Row / Rack / Sub-Rack 7 / 10 / 15 / 6 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3 / 15 / 24 / 48V-id_3.15.24.2...
  • Page 395: System Status Commands

    System Management Commands System Status Commands This section describes commands used to display system information. Table 4-9 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash 4-29 memory) that is used to start up the system show running-config Displays the configuration data currently in use 4-30...
  • Page 396: Show Running-Config

    Command Line Interface Example
    Console#show startup-config
    !<stackingDB>00</stackingDB>
    !<stackingMac>01_00-12-cf-12-34-56_01</stackingMac>
    phymap 00-12-cf-12-34-56
    sntp server 0.0.0.0 0.0.0.0 0.0.0.0
    snmp-server community public ro
    snmp-server community private rw
    username admin access-level 15
    username admin password 7 21232f297a57a5a743894a0e4a801fc3
    username guest access-level 0
    username guest password 7 084e0343a0486ff05530df6c705c8bb4
    enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
    vlan database
    vlan 1 name DefaultVlan media ethernet state active...
  • Page 397 System Management Commands • This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - Switch’s MAC address - SNTP server settings - SNMP community strings - Users (names and access levels) - VLAN database (VLAN ID, name and state)
  • Page 398 Command Line Interface Example
    Console#show running-config
    !<stackingDB>00</stackingDB>
    !<stackingMac>01_00-12-cf-12-34-56_01</stackingMac>
    phymap 00-12-cf-12-34-56
    sntp server 0.0.0.0 0.0.0.0 0.0.0.0
    snmp-server community public ro
    snmp-server community private rw
    username admin access-level 15
    username admin password 7 21232f297a57a5a743894a0e4a801fc3
    username guest access-level 0
    username guest password 7 084e0343a0486ff05530df6c705c8bb4
    enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
    vlan database
    vlan 1 name DefaultVlan media ethernet state active...
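The startup-config and running-config listings above expose two things a configuration review should catch: the `public`/`private` SNMP community strings, and type-7 password values that are plain MD5 digests of guessable strings (the value printed for `admin` is the MD5 digest of the string `admin`). The following script is an added example, not part of the manual or of LevelOne's software; the function name `audit_config`, the finding labels and the embedded sample are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample: the credential-bearing lines of the manual's
# show startup-config example, embedded so the script runs offline.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")
USER_PW_RE = re.compile(r"^username (\S+) password ([07]) (\S+)$")
ENABLE_PW_RE = re.compile(r"^enable password level (\d+) ([07]) (\S+)$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text):
    """Unsalted MD5 hex digest of a string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def check_password(subject, pw_type, value, digests):
    """Return (kind, subject, detail) for a weak password entry, else None.

    digests maps MD5 hex digest -> the candidate string that produced it.
    """
    if pw_type == "0":
        return ("plaintext-password", subject,
                "password is stored in clear text (type 0)")
    if HEX32_RE.match(value.lower()) and value.lower() in digests:
        return ("guessable-password", subject,
                "type-7 value is the unsalted MD5 of %r"
                % digests[value.lower()])
    return None


def audit_config(config_text, extra_candidates=()):
    """Scan switch configuration text and return a list of findings.

    Each finding is (line_number, kind, subject, detail). Candidate
    passwords are the usernames found in the config plus any strings
    the reviewer supplies in extra_candidates (hypothetical parameter).
    """
    lines = [line.strip() for line in config_text.splitlines()]
    usernames = set()
    for line in lines:
        match = USER_PW_RE.match(line)
        if match:
            usernames.add(match.group(1))
    digests = {md5_hex(c): c for c in usernames | set(extra_candidates)}

    findings = []
    for number, line in enumerate(lines, 1):
        match = COMMUNITY_RE.match(line)
        if match and match.group(1) in WELL_KNOWN_COMMUNITIES:
            access = "read-write" if match.group(2) == "rw" else "read-only"
            findings.append((number, "default-community", match.group(1),
                             "well-known community string with %s access"
                             % access))
            continue
        match = USER_PW_RE.match(line)
        if match:
            result = check_password(match.group(1), match.group(2),
                                    match.group(3), digests)
        else:
            match = ENABLE_PW_RE.match(line)
            if not match:
                continue
            result = check_password("enable level " + match.group(1),
                                    match.group(2), match.group(3), digests)
        if result:
            findings.append((number,) + result)
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("line %d: [%s] %s: %s" % finding)
```

Pass site-specific strings (hostnames, vendor names, previous passwords) through `extra_candidates` to widen the check beyond passwords that equal an account name.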
  • Page 399: Show System

    • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example Console#show system System Description: FGL-2870 System OID String: 1.3.6.1.4.1.22426.1.4.6 System Information System Up Time: 0 days, 2 hours, 52 minutes, and 32.16 seconds...
  • Page 400: Show Version

    Command Line Interface Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console admin 0:14:14 VTY 0 admin 0:00:00 192.168.1.19 SSH 1 steve...
  • Page 401: Frame Size Commands

    System Management Commands Frame Size Commands This section describes commands used to configure the Ethernet frame size on the switch. Table 4-10 Frame Size Commands Command Function Mode Page jumbo frame Enables support for jumbo frames 4-35 jumbo frame This command enables support for jumbo frames. Use the no form to disable it. Syntax [no] jumbo frame Default Setting...
  • Page 402: File Management Commands

    Command Line Interface File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving run-time code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 403: Copy

    System Management Commands copy This command moves (uploads/downloads) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. It can also download a diagnostics file or loader file from an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 404 Command Line Interface • The maximum number of user-defined configuration files depends on available memory. • You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination. • To replace the startup configuration, you must use startup-config as the destination.
  • Page 405 System Management Commands The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 406: Delete

    Command Line Interface delete This command deletes a file or image. Syntax delete filename filename - Name of the configuration file or image name. Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted. •...
  • Page 407: Whichboot

    File name File type Startup Size (byte) ------------------------------------- -------------- ------- ----------- Unit1: FGL-2870_diag_V1.0.0.8.bix Boot-Rom Image 1383604 FGL-2870_diag_V1.2.0.1.bix Boot-Rom Image 1406420 FGL-2870-OP-V1.3.4.0.bix Operation Code 4417488 Factory_Default_Config.cfg Config File startup1.cfg Config File 3993 --------------------------------------------------------------------------- Total free space: 7995392 Console# whichboot This command displays which files were booted when the system powered up.
  • Page 408: Boot System

    Command Line Interface boot system This command specifies the image used to start up the system. Syntax boot system {boot-rom| config | opcode}: filename The type of file or image to set as a default includes: • boot-rom* - Boot ROM. •...
  • Page 409: Upgrade Opcode Path

    1. It will search for a new version of the image at the location specified by upgrade opcode path command (page 4-43). The name for the new image stored on the FTP/TFTP server must be FGL-2870.bix. If the switch detects a code version newer than the one currently in use, it will download the new image.
  • Page 410: Line Commands

    • The name for the new image stored on the FTP/TFTP server must be FGL-2870.bix. However, note that the file name is not to be included in this command. • When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/...
  • Page 411: Line

    System Management Commands Table 4-13 Line Commands (Continued) Command Function Mode Page exec-timeout Sets the interval that the command interpreter waits until user 4-48 input is detected password-thresh Sets the password intrusion threshold, which limits the number 4-49 of failed logon attempts silent-time* Sets the amount of time the management console is 4-50...
  • Page 412: Login

    Command Line Interface Example To enter console line mode, enter the following command: Console(config)#line console Console(config-line)# Related Commands show line (4-56) show users (4-33) login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login...
  • Page 413: Password

    System Management Commands Related Commands username (4-109) password (4-47) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 414: Timeout Login Response

    Command Line Interface timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
  • Page 415: Password-Thresh

    System Management Commands Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. •...
  • Page 416: Silent-Time

    Command Line Interface Related Commands silent-time (4-50) timeout login response (4-13) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 417: Parity

    System Management Commands Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 418: Speed

    Command Line Interface speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400 bps) Default Setting 9600...
  • Page 419: Terminal Length

    System Management Commands terminal length This command sets the number of lines displayed on a terminal. Use the no form to restore the default setting. Syntax terminal length screen-length no terminal length screen-length – The number of lines displayed on a terminal. (Range: 0-512, where 0 means no pause for output displays) Default Setting Command Mode...
  • Page 420: Terminal Escape-Character

    Command Line Interface terminal escape-character This command sets the escape character used to break display output. Use the no form to restore the default setting. Syntax terminal escape-character {character | ASCII-number ASCII-number} no terminal escape-character • characters – The escape character. •...
  • Page 421: Terminal History

    System Management Commands Example Console#terminal terminal-type vt-102 Console# terminal history This command configures parameters for storing previously entered commands. Use the no form to restore the default setting. Syntax terminal history [size number-of-lines] no terminal history [size] Default Setting Enabled 10 lines Command Mode Privileged Exec...
  • Page 422: Show Line

    Command Line Interface Example Console#disconnect 1 Console# Related Commands show ssh (4-143) show users (4-33) show line This command displays the terminal line’s parameters. Syntax show line [console | vty] • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting Shows all lines Command Mode...
  • Page 423: Event Logging Commands

    System Management Commands Event Logging Commands Table 4-14 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-57 logging history Limits syslog messages saved to switch memory based on 4-58 severity logging host Adds a syslog server host IP address that will receive logging 4-59 messages logging facility...
  • Page 424: Logging History

    Command Line Interface logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 425: Logging Host

    System Management Commands logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host-ip-address host-ip-address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 426: Logging Trap

    Command Line Interface logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 427: Show Logging

    System Management Commands Related Commands show log (4-62) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail} •...
  • Page 428: Show Log

    Command Line Interface show log This command displays the system and event messages stored in memory. Syntax show log {flash | ram} [login] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 429: Smtp Alert Commands

    System Management Commands SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 4-17 SMTP Alert Commands Command Function Mode Page logging sendmail host SMTP servers to receive alert messages 4-63 logging sendmail level Severity threshold used to trigger alert messages...
  • Page 430: Logging Sendmail Level

    Command Line Interface logging sendmail level This command sets the severity threshold used to trigger alert messages. Syntax logging sendmail level level level - One of the system message levels (page 4-58). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7) Default Setting Level 7 Command Mode...
  • Page 431: Logging Sendmail Destination-Email

    System Management Commands logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The source email address used in alert messages. (Range: 1-41 characters) Default Setting None Command Mode...
  • Page 432 Command Line Interface Example Console#show logging sendmail SMTP servers ----------------------------------------------- 1. 192.168.1.200 SMTP Minimum Severity Level: 4 SMTP destination email addresses ----------------------------------------------- 1. geoff@acme.com SMTP Source Email Address: john@acme.com SMTP status: Enabled Console#...
  • Page 433: Time Commands

    System Management Commands Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 434: Sntp Client

    Command Line Interface sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests. Syntax [no] sntp client Default Setting Disabled Command Mode Global Configuration...
  • Page 435: Sntp Server

    System Management Commands sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
  • Page 436: Show Sntp

    Command Line Interface Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-68) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 437: Ntp Server

    System Management Commands • This command enables client time requests to time servers specified via the ntp servers command. It issues time synchronization requests based on the interval set via the ntp poll command. Example Console(config)#ntp client Console(config)# Related Commands sntp client (4-68) ntp poll (4-72) ntp server (4-71)
  • Page 438: Ntp Authenticate

    Command Line Interface Example Console(config)#ntp server 192.168.3.20 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)# Related Commands ntp client (4-70) ntp poll (4-72) show ntp (4-74) ntp authenticate This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
  • Page 439: Ntp Authentication-Key

    System Management Commands ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list. Syntax ntp authentication-key number md5 key no ntp authentication-key [number]...
  • Page 440: Show Ntp

    Command Line Interface show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
  • Page 441: Clock Timezone

    System Management Commands Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 442: Clock Summer-Time (Date)

    Command Line Interface clock summer-time (date) This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time. Syntax clock summer-time name date b-month b-day b-year b-hour b-minute e-month e-day e-year e-hour e-minute offset no clock summer-time •...
  • Page 443: Clock Summer-Time (Predefined)

    System Management Commands Example Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console(config)# Related Commands show sntp (4-70) clock summer-time (predefined) This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions of the world.
  • Page 444: Clock Summer-Time (Recurring)

    Command Line Interface Table 4-19 Predefined Summer-Time Parameters Region Start Time, Day, Week, & Month End Time, Day, Week, & Month Rel. Offset New Zealand 00:00:00, Sunday, Week 1 of October 23:59:59, Sunday, Week 3 of March 60 min 02:00:00, Sunday, Week 2 of March 02:00:00, Sunday, Week 1 of November 60 min Example...
  • Page 445: Calendar Set

    System Management Commands Command Mode Global Configuration Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
  • Page 446: Show Calendar

    Command Line Interface Example Console#calendar set 15 12 34 1 April 2004 Console# show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show calendar 15:12:43 April 1 2004 Console# Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit.
  • Page 447: Cluster

    System Management Commands switches only become cluster Members when manually selected by the administrator through the management station. Note: Cluster Member switches can be managed either through a Telnet connection to the Commander, or through a web management connection to the Commander. When using a console connection, from the Commander CLI prompt, use the rcommand (see page 4-83) to connect to the Member switch.
  • Page 448: Cluster Ip-Pool

    Command Line Interface Command Mode Global Configuration Command Usage • Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
  • Page 449: Cluster Member

    Commander is not supported. • There is no need to enter the username and password for access to the Member switch CLI. Example Vty-0#rcommand id 1 CLI session with the FGL-2870 is opened. To end the CLI session, enter [Exit]. Vty-0#...
  • Page 450: Show Cluster

    Console#show cluster candidates Cluster Candidates: Role Description --------------- ----------------- --------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 FGL-2870 CANDIDATE 00-12-cf-0b-47-a0 FGL-2870 Console# UPnP Commands Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
  • Page 451: Upnp Device

    System Management Commands The commands described in this section allow the switch to advertise itself as a UPnP compliant device. When discovered by a host device, basic information about this switch can be displayed, and the web management interface accessed. Table 4-1.
  • Page 452: Upnp Device Advertise Duration

    Command Line Interface discarded. (Range:1-255) Default Setting Command Mode Global Configuration Command Usage UPnP devices and control points must be within the local network, that is within the TTL value for multicast messages. Example In the following example, the TTL is set to 6. Console(config)#upnp device ttl 6 Console(config)# upnp device advertise duration...
  • Page 453: Snmp Commands

    SNMP Commands Example Console#show upnp UPnP global settings: Status: Enabled Advertise duration: TTL: Console# SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 454: Snmp-Server

    Command Line Interface Table 4-21 SNMP Commands (Continued) Command Function Mode Page ATC Trap Commands snmp-server Sends a trap when broadcast traffic exceeds the upper IC (Port) 4-242 enable port-traps atc threshold for automatic storm control broadcast-alarm-fire snmp-server Sends a trap when multicast traffic exceeds the upper IC (Port) 4-243 enable port-traps atc...
  • Page 455: Show Snmp

    SNMP Commands show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 456: Snmp-Server Community

    Command Line Interface snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 457: Snmp-Server Location

    SNMP Commands Related Commands snmp-server location (4-91) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None...
  • Page 458: Snmp-Server Host

    Command Line Interface snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr •...
  • Page 459 SNMP Commands • The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
  • Page 460: Snmp-Server Enable Traps

    Command Line Interface Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands snmp-server enable traps (4-94) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
  • Page 461: Snmp-Server Engine-Id

    SNMP Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} • local - Specifies the SNMP engine on this switch. •...
  • Page 462: Show Snmp Engine-Id

    Command Line Interface Related Commands snmp-server host (4-92) show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Remote SNMP engineID IP address 80000000030004e2b316c54321...
  • Page 463: Show Snmp View

    SNMP Commands Command Usage • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. • The predefined view “defaultview” includes access to the entire MIB tree. Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr.
  • Page 464: Snmp-Server Group

    Command Line Interface snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
  • Page 465: Show Snmp Group

    SNMP Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
  • Page 466: Snmp-Server User

    Command Line Interface Table 4-24 show snmp group - display description Field Description Group Name Name of an SNMP group. Security Model The SNMP version. Read View The associated read view. Write View The associated write view. Notify View The associated notify view. Storage Type The storage type for this entry.
  • Page 467: Show Snmp User

    SNMP Commands Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-95) to specify the engine ID for the remote device where the user resides.
  • Page 468: Flow Sampling Commands

    Command Line Interface Table 4-25 show snmp user - display description Field Description EngineId String identifying the engine ID. User Name Name of user connecting to the SNMP agent. Authentication Protocol The authentication protocol used with SNMPv3. Privacy Protocol The privacy protocol used with SNMPv3. Storage Type The storage type for this entry.
  • Page 469: Sflow

    Flow Sampling Commands sflow This command enables sFlow globally for the switch. Use the no form to disable this feature. Syntax [no] sflow Default Setting Disabled Command Mode Global Configuration Command Usage Flow sampling must be enabled globally on the switch, as well as for those ports where it is required (see the sflow source command on page 4-103).
  • Page 470: Sflow Sample

    Command Line Interface sflow sample This command configures the packet sampling rate. Use the no form to restore the default rate. Syntax sflow sample rate no sflow sample rate - The packet sampling rate, or the number of packets out of which one sample will be taken.
  • Page 471: Sflow Owner

    Flow Sampling Commands sflow owner This command configures the name of the receiver (i.e., sFlow Collector). Use the no form to remove this name. Syntax sflow owner name no sflow owner name - The name of the receiver. (Range: 1-256 characters) Default Setting None Command Mode...
  • Page 472: Sflow Destination

    Command Line Interface Example This example sets the time out to 10000 seconds. Console(config)#interface ethernet 1/9 Console(config-if)#sflow timeout 10000 Console(config-if)# sflow destination This command configures the IP address and UDP port used by the Collector. Use the no form to restore the default settings. Syntax sflow destination ipv4 ip-address [destination-udp-port] no sflow destination...
  • Page 473: Sflow Max-Datagram-Size

    Flow Sampling Commands Example Console(config)#interface ethernet 1/9 Console(config-if)#sflow max-header-size 256 Console(config-if)# sflow max-datagram-size This command configures the maximum size of the sFlow datagram payload. Use the no form to restore the default setting. Syntax sflow max-datagram-size max-datagram-size no max-datagram-size max-datagram-size - The maximum size of the sFlow datagram payload. (Range: 200-1500 bytes) Default Setting 1400 bytes...
  • Page 474: Authentication Commands

    Command Line Interface Example Console#show sflow sFlow global status : Enabled Console#sh sf int e 1/9 Interface of Ethernet Interface status : Enabled Owner name : Lamar Owner destination : 192.168.0.4 Owner socket port : 6343 Time out : 10000 Maximum header size : 256 Maximum datagram size : 1500...
  • Page 475: User Account And Privilege Level Commands

    Authentication Commands User Account and Privilege Level Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-44), user authentication via a remote authentication server (page 4-108), and host access authentication for specific ports (page 4-145).
  • Page 476: Enable Password

    Command Line Interface Command Mode Global Configuration Command Usage • Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Level 8 provides access to all display status and configuration commands, except for those controlling various authentication and security features.
  • Page 477: Privilege

    Authentication Commands settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config)#enable password level 15 0 admin Console(config)# Related Commands enable (4-12)
  • Page 478: Privilege Rerun

    Command Line Interface privilege rerun This command updates all privilege commands entered during the current session to the running configuration. Command Mode Privileged Exec Command Usage Due to system limitations in the current software, privilege commands (page 4-111) entered during the current switch session will not be stored properly in the running-config file (see show running-config on page 4-30).
  • Page 479: Authentication Sequence

    Authentication Commands Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 4-30 Authentication Sequence Command Function Mode Page...
  • Page 480: Authentication Enable

    Command Line Interface Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-109) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-12).
  • Page 481: Radius Client

    Authentication Commands RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 482: Radius-Server Acct-Port

    Command Line Interface Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server acct-port This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default. Syntax radius-server acct-port port-number no radius-server acct-port...
  • Page 483: Radius-Server Key

    Authentication Commands radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key-string no radius-server key key-string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) Default Setting None Command Mode...
  • Page 484: Radius-Server Timeout

    Command Line Interface radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 485: Show Radius-Server

    Authentication Commands show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port : 1812 Accounting Port : 1813 Retransmit Times Request Timeout : 5 seconds Attributes:...
  • Page 486: Tacacs-Server Host

    Command Line Interface tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host {host-ip-address} [port port-number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
  • Page 487: Tacacs-Server Key

    Authentication Commands Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key-string no tacacs-server key key-string - Encryption key used to authenticate logon access for the client.
  • Page 488: Tacacs-Server Timeout

    Command Line Interface tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 489: Aaa Commands

    Authentication Commands AAA Commands The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-33 AAA Commands Command Function Mode...
  • Page 490: Server

    Command Line Interface Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} •...
  • Page 491: Aaa Accounting Dot1X

    Authentication Commands aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting dot1x {default | method-name} •...
  • Page 492: Aaa Accounting Exec

    Command Line Interface aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} •...
  • Page 493: Aaa Accounting Commands

    Authentication Commands aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ |server-group} no aaa accounting commands level {default | method-name} •...
  • Page 494: Aaa Accounting Update

    Command Line Interface aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes) Default Setting 1 minute...
  • Page 495: Accounting Exec

    Authentication Commands Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec •...
  • Page 496: Aaa Authorization Exec

    Command Line Interface Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} •...
  • Page 497: Authorization Exec

    Authentication Commands authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec • default - Specifies the default method list created with the aaa authorization exec command (page 4-130).
  • Page 498: Web Server Commands

    Command Line Interface Command Mode Privileged Exec Example Console#show accounting Accounting type: dot1x Method list: default Group list: radius Interface: Method list: tps Group list: radius Interface: eth 1/2 Accounting type: Exec Method list: default Group list: radius Interface: vty Console# Web Server Commands This section describes commands used to configure web browser management...
  • Page 499: Ip Http Server

    Authentication Commands Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-133) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled Command Mode...
  • Page 500: Ip Http Secure-Port

    Command Line Interface • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
  • Page 501: Telnet Server Commands

    Authentication Commands Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port-number Example Console(config)#ip http secure-port 1000...
  • Page 502: Secure Shell Commands

    Command Line Interface Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0.
  • Page 503 Authentication Commands Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example: 10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206...
  • Page 504: Ip Ssh Server

    Command Line Interface d) The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. e) The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
  • Page 505: Ip Ssh Timeout

    Authentication Commands Related Commands ip ssh crypto host-key generate (4-141) show ssh (4-143) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds –...
  • Page 506: Ip Ssh Server-Key Size

    Command Line Interface Command Mode Global Configuration Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (4-142) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size...
  • Page 507: Ip Ssh Crypto Host-Key Generate

    Authentication Commands Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. •...
  • Page 508: Ip Ssh Save Host-Key

    Command Line Interface Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. •...
  • Page 509: Show Ssh

    Authentication Commands Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username Encryption...
  • Page 510: Show Public-Key

    Command Line Interface show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 511: 802.1X Port Authentication

    Authentication Commands 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 4-39 802.1X Port Authentication Command Function...
  • Page 512: Dot1X Default

    Command Line Interface dot1x default This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 513: Dot1X Operation-Mode

    Authentication Commands Default force-authorized Command Mode Interface Configuration Command Usage • 802.1X port authentication and port security cannot be configured together on the same port. Only one of these security mechanisms can be applied. • 802.1X port authentication cannot be configured on trunk ports. In other words, a static trunk or dynamically configured trunk cannot be set to auto or force-unauthorized mode.
  • Page 514: Dot1X Re-Authenticate

    Command Line Interface Command Mode Interface Configuration Command Usage • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-146). • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
  • Page 515: Dot1X Re-Authentication

    Authentication Commands dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
  • Page 516: Dot1X Timeout Re-Authperiod

    Command Line Interface Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod...
  • Page 517: Dot1X Timeout Supp-Timeout

    Authentication Commands dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout supp-timeout seconds no dot1x timeout supp-timeout...
  • Page 518: Show Dot1X

    Command Line Interface For guest VLAN assignment to be successful, the VLAN must be configured and set as active ("vlan database" on page 4-298) and assigned as the guest VLAN for the port ("network-access guest-vlan" on page 4-166). Example Console(config)#interface eth 1/2 Console(config-if)#dot1x intrusion-action guest-vlan Console(config-if)# show dot1x...
  • Page 519 Authentication Commands - server-timeout – Server timeout. - reauth-max – Maximum number of reauthentication attempts. - max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-146).
  • Page 520 Command Line Interface Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/28 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period:...
  • Page 521: Management Ip Filter Commands

    Authentication Commands Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 4-40 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-155 show management Displays the switch to be monitored or configured from a browser 4-156...
  • Page 522: Show Management

    Command Line Interface Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
  • Page 523: General Security Measures

    General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 524: Port Security Commands

    Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 525 General Security Measures Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 526: Network Access (Mac Address Authentication)

    Command Line Interface Network Access (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 527: Network-Access Aging

    General Security Measures network-access aging Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. Syntax [no] network-access aging Default Setting Disabled Command Mode Global Configuration Command Usage...
  • Page 528: Network-Access Port-Mac-Filter

    Command Line Interface • This command is different from configuring static addresses with the mac-address-table static command (page 4-264) in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command (page 4-162).
  • Page 529: Network-Access Mode

    General Security Measures Default Setting 2048 Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 530: Mac-Authentication Reauth-Time

    Command Line Interface • When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. • The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,”...
  • Page 531: Mac-Authentication Intrusion-Action

    General Security Measures mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action [block traffic | pass traffic] no mac-authentication intrusion-action Default Setting Block Traffic Command Mode...
  • Page 532: Network-Access Dynamic-Vlan

    Command Line Interface network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. Syntax [no] network-access dynamic-vlan Default Setting Enabled Command Mode Interface Configuration Command Usage • When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, providing the VLANs have already been created on the switch.
  • Page 533: Network-Access Dynamic-Qos

    General Security Measures Command Mode Interface Configuration Command Usage • The VLAN to be used as the guest VLAN must be defined and set as active ("vlan database" on page 4-298). • When used with 802.1X authentication, the intrusion-action must be set for ‘guest-vlan’...
  • Page 534: Network-Access Link-Detection

    Command Line Interface Note: Any configuration changes for dynamic QoS are not saved to the switch configuration file. Example The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# network-access link-detection Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
  • Page 535: Network-Access Link-Detection Link-Up

    General Security Measures Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-down action trap Console(config-if)# network-access link-detection link-up Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 536: Clear Network-Access

    Command Line Interface clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] • static - Specifies static address entries. • dynamic - Specifies dynamic address entries. •...
  • Page 537: Show Network-Access Mac-Address-Table

    General Security Measures Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts : 2048 Dynamic VLAN Assignment...
  • Page 538: Show Network-Access Mac-Filter

    Command Line Interface Example Console#show network-access mac-address-table ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 2001y01m00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 2001y01m00d06h33m20s 00-00-01-02-03-06 172.155.120.17 Static 2001y01m00d06h35m10s 00-00-01-02-03-07 172.155.120.17 Dynamic 2001y01m00d06h34m20s Console# show network-access mac-filter Use this command to display information for entries in the MAC filter tables.
  • Page 539: Web Authentication

    General Security Measures Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
  • Page 540: Web-Auth Quiet-Period

    Command Line Interface Default Setting 3 login attempts Command Mode Global Configuration Example Console(config)#web-auth login-attempts 2 Console(config)# web-auth quiet-period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
  • Page 541: Web-Auth System-Auth-Control

    General Security Measures Command Mode Global Configuration Example Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for an...
  • Page 542: Web-Auth Re-Authenticate (Port)

    Command Line Interface web-auth re-authenticate (Port) This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. Syntax web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port • unit - This is unit 1. •...
  • Page 543: Show Web-Auth

    General Security Measures show web-auth This command displays global web authentication parameters. Command Mode Privileged Exec Example Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period : 60 Max Login Attempts Console# show web-auth interface This command displays interface-specific web authentication parameters and statistics.
  • Page 544: Show Web-Auth Summary

    Command Line Interface show web-auth summary This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------ 1/ 1...
  • Page 545: Ip Dhcp Snooping

    General Security Measures ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source.
  • Page 546: Ip Dhcp Snooping Vlan

    Command Line Interface MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header. * If the DHCP packet is not a recognizable type, it is dropped. - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
  • Page 547: Ip Dhcp Snooping Trust

    General Security Measures packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command (page 4-181). • When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
  • Page 548: Ip Dhcp Snooping Verify Mac-Address

    Command Line Interface • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted. Console(config)#interface ethernet 1/5 Console(config-if)#no ip dhcp snooping trust Console(config-if)#...
  • Page 549: Ip Dhcp Snooping Information Option

    General Security Measures ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function. Syntax [no] ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 550: Ip Dhcp Snooping Information Policy

    Command Line Interface ip dhcp snooping information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy {drop | keep | replace} • drop - Drops the client’s request packet instead of relaying it. •...
  • Page 551: Clear Ip Dhcp Snooping Database Flash

    General Security Measures clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory. Command Mode Privileged Exec Example Console#clear ip dhcp snooping database flash Console# show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example...
  • Page 552: Ip Source Guard Commands

    Command Line Interface IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping Commands"...
  • Page 553 General Security Measures • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 554: Ip Source-Guard Binding

    Command Line Interface ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id •...
  • Page 555: Show Ip Source-Guard

    General Security Measures Related Commands ip source-guard (4-186) ip dhcp snooping (4-179) ip dhcp snooping vlan (4-180) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type ---------...
  • Page 556: Arp Inspection Commands

    Command Line Interface ARP Inspection Commands ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.
  • Page 557: Ip Arp Inspection Vlan

    General Security Measures Command Mode Global Configuration Command Usage • When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command (page 4-191). •...
  • Page 558: Ip Arp Inspection Filter

    Command Line Interface • When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine. • When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
  • Page 559: Ip Arp Inspection Validate

    General Security Measures • If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database. Example Console(config)#ip arp inspection filter sales vlan 1 Console(config)#...
  • Page 560: Ip Arp Inspection Log-Buffer Logs

    Command Line Interface ip arp inspection log-buffer logs This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings. Syntax ip arp inspection log-buffer logs message-number interval seconds no ip arp inspection log-buffer logs •...
  • Page 561: Ip Arp Inspection Trust

    General Security Measures ip arp inspection trust This command sets a port as trusted, and thus exempted from ARP Inspection. Use the no form to restore the default setting. Syntax [no] ip arp inspection trust Default Setting Untrusted Command Mode Interface Configuration (Port) Command Usage Packets arriving on untrusted ports are subject to any configured ARP...
  • Page 562: Show Ip Arp Inspection Configuration

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection limit 150 Console(config-if)# show ip arp inspection configuration This command displays the global configuration settings for ARP Inspection. Command Mode Privileged Exec Example Console#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval : 10 s...
  • Page 563: Show Ip Arp Inspection Vlan

    General Security Measures show ip arp inspection vlan This command shows the configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed. Syntax show ip arp inspection vlan [vlan-id | vlan-range] •...
  • Page 564: Show Ip Arp Inspection Statistics

    Command Line Interface show ip arp inspection statistics This command shows statistics about the number of ARP packets processed, or dropped for various reasons. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 565: Ipv4 Acls

    Access Control List Commands IPv4 ACLs The commands in this section configure ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code. To configure IP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 566: Access-List Ip

    Command Line Interface • When using mixed rule mode, either standard or extended rules can be used. However, the rules used in the same ACL must either be all standard or all extended rules. If standard rules are used for all ACLs, the maximum number of rules permitted by the system can be used.
  • Page 567: Permit, Deny (Standard Ipv4 Acl)

    Access Control List Commands Related Commands permit, deny 4-201 ip access-group (4-204) show ip access-list (4-204) permit, deny (Standard IPv4 ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 568: Permit, Deny (Extended Ipv4 Acl)

    Command Line Interface permit, deny (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 569 Access Control List Commands Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 570: Show Ip Access-List

    Command Line Interface Related Commands access-list ip (4-200) show ip access-list This command displays the rules for configured IPv4 ACLs. Syntax show ip access-list {standard | extended} [acl-name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. •...
  • Page 571: Show Ip Access-Group

    Access Control List Commands Example Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (4-204) show ip access-group This command shows the ports assigned to IPv4 ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Related Commands...
  • Page 572: Access-List Ipv6

    Command Line Interface access-list ipv6 This command adds an IP access list and enters configuration mode for standard or extended IPv6 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ipv6 {standard | extended} acl-name • standard – Specifies an ACL that filters packets based on the source IP address.
  • Page 573: Permit, Deny (Standard Ipv6 Acl)

    Access Control List Commands permit, deny (Standard IPv6 ACL) This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source-ipv6-address | source-ipv6-address[/prefix-length]}...
  • Page 574: Permit, Deny (Extended Ipv6 Acl)

    Command Line Interface permit, deny (Extended IPv6 ACL) This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific destination IP addresses, next header type, or flow label. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source-ipv6-address | source-ipv6-address[/prefix-length]}...
  • Page 575: Show Ipv6 Access-List

    Access Control List Commands Related Commands access-list ipv6 (4-206) show ipv6 access-list This command displays the rules for configured IPv6 ACLs. Syntax show ipv6 access-list {standard | extended} [acl-name] • standard – Specifies a standard IPv6 ACL. • extended – Specifies an extended IPv6 ACL. •...
  • Page 576: Show Ipv6 Access-Group

    Command Line Interface Example Console(config)#int eth 1/2 Console(config-if)#ipv6 access-group standard david in Console(config-if)# Related Commands show ipv6 access-list (4-209) show ipv6 access-group This command shows the ports assigned to IPv6 ACLs. Command Mode Privileged Exec Example Console#show ipv6 access-group Interface ethernet 1/2 IPv6 standard access-list david in Console# Related Commands...
  • Page 577: Access-List Arp

    Access Control List Commands access-list arp This command adds an ARP access list and enters ARP ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list arp acl-name acl-name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
  • Page 578: Permit, Deny (Arp Acl)

    Command Line Interface permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. Syntax [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-ip | source-ip ip-address-bitmask} [log] Note:...
  • Page 579: Show Arp Access-List

    Access Control List Commands Related Commands access-list arp (4-211) show arp access-list This command displays the rules for configured ARP ACLs. Syntax show arp access-list [acl-name] acl-name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example Console#show arp access-list ARP access-list factory:...
  • Page 580: Mac Acls

    Command Line Interface MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 581: Permit, Deny (Mac Acl)

    Access Control List Commands permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 582: Show Mac Access-List

    Command Line Interface • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.) Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. •...
  • Page 583: Mac Access-Group

    Access Control List Commands mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl-name in • acl-name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
  • Page 584: Acl Information

    Command Line Interface ACL Information Table 4-54 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-218 show access-group Shows the ACLs assigned to each port 4-218 show access-list This command shows all ACLs and associated rules. Command Mode Privileged Exec Example...
  • Page 585: Interface Commands

    Interface Commands Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-55 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 4-220 mode description Adds a description to an interface configuration...
  • Page 586: Interface

    Command Line Interface interface This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax interface interface no interface port-channel channel-id interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 587: Speed-Duplex

    Interface Commands Command Usage The description is displayed by the show interfaces status command (page 4-229) and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 588: Negotiation

    Command Line Interface speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. Example The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-222) capabilities (4-223)
  • Page 589: Capabilities

    Interface Commands capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values. Syntax [no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric} •...
  • Page 590: Flowcontrol

    Command Line Interface Related Commands negotiation (4-222) speed-duplex (4-221) flowcontrol (4-224) flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 591: Media-Type

    Console(config)#interface ethernet 1/25 Console(config-if)#media-type copper-forced Console(config-if)# giga-phy-mode This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports 25-28 (FGL-2870). Use the no form to restore the default mode. Syntax giga-phy-mode mode no giga-phy-mode mode •...
  • Page 592: Shutdown

    Command Line Interface Command Usage • The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
  • Page 593: Switchport Packet-Rate

    Interface Commands switchport packet-rate This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting. Syntax switchport {broadcast | multicast | unicast} packet-rate rate no switchport {broadcast | multicast | unicast} • broadcast - Specifies storm control for broadcast traffic. •...
  • Page 594: Clear Counters

    Command Line Interface Example The following shows how to configure broadcast storm control at 500 kilobits per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 500 Console(config-if)# clear counters This command clears statistics on an interface. Syntax clear counters interface interface •...
  • Page 595: Show Interfaces Status

    Interface Commands Example Console#show interfaces brief Console#sh interfaces brief Interface Name Status PVID Pri Speed/Duplex Type Trunk --------- ------------------ -------- ---- --- ------------- ------------ ----- Eth 1/ 1 0 Auto-100full 100TX None Eth 1/ 2 Down 0 Auto 100TX None Eth 1/ 3 Down 0 Auto...
  • Page 596: Show Interfaces Counters

    Command Line Interface Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic Information: Port Type: 100TX Mac Address: 00-12-CF-12-34-57 Configuration: Name: Port Admin: Speed-duplex: 100full Capabilities: 100full Broadcast Storm: Enabled Broadcast Storm Limit: 64 Kbits/second Multicast Storm: Disabled Multicast Storm Limit: 64 Kbits/second UnknownUnicast Storm:...
  • Page 597: Show Interfaces Switchport

    Interface Commands Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port Statistics" on page 3-180. Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable Stats: Octets Input: 335955, Octets Output: 359180 Unicast Input: 0, Unicast Output: 0...
  • Page 598: Command Mode

    Command Line Interface Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast Threshold: Enabled, 64 Kbits/second Multicast Threshold: Disabled Unknown-unicast Threshold:...
  • Page 599: Automatic Traffic Control Commands

    Automatic Traffic Control Commands Table 4-56 Interfaces Switchport Statistics (Continued) Field Description Priority for untagged traffic Indicates the default priority for untagged frames (page 4-357). GVRP Status Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-295). Allowed VLAN Shows the VLANs this interface has joined, where “(u)”...
  • Page 600 Command Line Interface Table 4-57 ATC Commands (Continued) Command Function Mode Page SNMP Trap Commands snmp-server Sends a trap when broadcast traffic exceeds the upper IC (Port) 4-242 enable port-traps atc threshold for automatic storm control broadcast-alarm-fire snmp-server Sends a trap when multicast traffic exceeds the upper IC (Port) 4-243 enable port-traps atc...
  • Page 601 Automatic Traffic Control Commands Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams. Storm control by limiting the traffic rate: Traffic without storm control Traffic without storm control TrafficControl...
  • Page 602: Auto-Traffic-Control Apply-Timer

    Command Line Interface Storm control by shutting down a port: The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port. Functional Limitations Automatic storm control is a software level control function.
  • Page 603: Auto-Traffic-Control Release-Timer

    Automatic Traffic Control Commands Command Usage After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command (page 4-240) and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command (page 4-244) or snmp-server enable port-traps atc multicast-control-apply command (page 4-245).
  • Page 604: Auto-Traffic-Control

    Command Line Interface auto-traffic-control This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. Syntax [no] auto-traffic-control {broadcast | multicast} • broadcast - Specifies automatic storm control for broadcast traffic. • multicast - Specifies automatic storm control for multicast traffic. Default Setting Disabled Command Mode...
  • Page 605: Auto-Traffic-Control Alarm-Clear-Threshold

    Automatic Traffic Control Commands Default Setting 128 kilo-packets per second Command Mode Interface Configuration (Ethernet) Command Usage • Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command (page 4-242) or snmp-server enable port-traps atc multicast-alarm-fire command (page 4-243).
  • Page 606: Auto-Traffic-Control Action

    Command Line Interface broadcast-alarm-clear command (page 4-243) or snmp-server enable port-traps atc multicast-alarm-clear command (page 4-244). • If rate limiting has been configured as a control response, it will be discontinued after the traffic rate has fallen beneath the lower threshold, and the release timer has expired.
  • Page 607: Auto-Traffic-Control Control-Release

    Automatic Traffic Control Commands Command Usage • When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command. • When the control response is set to rate limiting by this command, the rate limits are determined by the auto-traffic-control alarm-clear-threshold command (page 4-239).
  • Page 608: Auto-Traffic-Control Auto-Control-Release

    Command Line Interface auto-traffic-control auto-control-release This command automatically releases a control response after the time specified in the auto-traffic-control release-timer command (page 4-237) has expired. Syntax auto-traffic-control {broadcast | multicast} auto-control-release • broadcast - Specifies automatic storm control for broadcast traffic. •...
  • Page 609: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Fire

    Automatic Traffic Control Commands snmp-server enable port-traps atc multicast-alarm-fire This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-alarm-fire Default Setting Disabled Command Mode...
  • Page 610: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Clear

    Command Line Interface snmp-server enable port-traps atc multicast-alarm-clear This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-alarm-clear Default Setting Disabled Command Mode...
  • Page 611: Snmp-Server Enable Port-Traps Atc Multicast-Control-Apply

    Automatic Traffic Control Commands snmp-server enable port-traps atc multicast-control-apply This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-control-apply Default Setting Disabled Command Mode...
  • Page 612: Snmp-Server Enable Port-Traps Atc Multicast-Control-Release

    Command Line Interface Related Commands auto-traffic-control alarm-clear-threshold (4-239) auto-traffic-control action (4-240) auto-traffic-control release-timer (4-237) snmp-server enable port-traps atc multicast-control-release This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.
  • Page 613: Show Auto-Traffic-Control Interface

    Automatic Traffic Control Commands show auto-traffic-control interface This command shows interface configuration settings and storm control status for the specified port. Syntax show auto-traffic-control interface [interface] interface ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Example...
  • Page 614: Link Aggregation Commands

    Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 615: Channel-Group

    Link Aggregation Commands • STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. •...
  • Page 616: Lacp

    Command Line Interface lacp This command enables Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
  • Page 617: Lacp System-Priority

    Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 618: Lacp Admin-Key (Ethernet Interface)

    Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 619: Lacp Admin-Key (Port Channel)

    Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 620: Lacp Port-Priority

    Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 621: Lacp Active/Passive

    Link Aggregation Commands lacp active/passive This command configures active or passive LACP initiation mode. Use the no form to restore the default setting. Syntax lacp {actor | partner} {active | passive} no lacp {actor | partner} • actor - The local side of an aggregate link. •...
  • Page 622: Table 4-59 Show Lacp Counters - Display Description

    Command Line Interface Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-59 show lacp counters - display description...
  • Page 623 Link Aggregation Commands Console#show lacp 1 internal Port channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP-activity Oper State : distributing, collecting, synchronization, aggregation,...
  • Page 624: Table 4-61 Show Lacp Neighbors - Display Description

    Command Line Interface Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
  • Page 625 Link Aggregation Commands Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 Console# Table 4-62 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group.
  • Page 626: Mirror Port Commands

    Command Line Interface Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-63 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 4-260 show port monitor Shows the configuration for a mirror port 4-261 port monitor...
  • Page 627: Show Port Monitor

    Mirror Port Commands • When mirroring traffic from a port, the mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port. When mirroring traffic from a VLAN, traffic may also be dropped under heavy loads. •...
  • Page 628 Command Line Interface Example The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------- Destination port(listen port):Eth1/11 Source port(monitored port) :Eth1/6 Mode Console# 4-262...
  • Page 629: Rate Limit Commands

    Rate Limit Commands Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 630: Address Table Commands

    Command Line Interface Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 4-65 Address Table Commands Command Function Mode Page mac-address-table static Maps a static address to a port in a VLAN 4-264 clear mac-address-table...
  • Page 631: Clear Mac-Address-Table Dynamic

    Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: •...
  • Page 632: Show Mac-Address-Table

    Command Line Interface show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
  • Page 633: Mac-Address-Table Aging-Time

    Address Table Commands mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-30000 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode...
  • Page 634: Spanning Tree Commands

    Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-66 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-269 spanning-tree mode...
  • Page 635: Spanning-Tree

    Spanning Tree Commands Table 4-66 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree Configures loopback release mode for a port 4-287 loopback-detection release-mode spanning-tree Enables BPDU loopback SNMP trap notification for a port IC 4-288 loopback-detection trap spanning-tree mst cost Configures the path cost of an instance in the MST 4-288 spanning-tree mst...
  • Page 636: Spanning-Tree Mode

    Command Line Interface spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode • stp - Spanning Tree Protocol (IEEE 802.1D) •...
  • Page 637: Spanning-Tree Forward-Time

    Spanning Tree Commands Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
  • Page 638: Spanning-Tree Max-Age

    Command Line Interface Command Mode Global Configuration Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-271) spanning-tree max-age (4-272) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch.
  • Page 639: Spanning-Tree Priority

    Spanning Tree Commands spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range – 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440) Default Setting...
  • Page 640: Spanning-Tree Pathcost Method

    Command Line Interface Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command, page 4-284). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree.
  • Page 641: Spanning-Tree Mst-Configuration

    Spanning Tree Commands Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# spanning-tree mst-configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. •...
  • Page 642: Mst Priority

    Command Line Interface Command Usage • Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 643: Name

    Spanning Tree Commands Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address Command Mode...
  • Page 644: Max-Hops

    Command Line Interface Command Usage The MST region name (page 4-277) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 645: Spanning-Tree Cost

    Spanning Tree Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
  • Page 646: Spanning-Tree Port-Priority

    Command Line Interface Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 647: Spanning-Tree Edge-Port

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 648: Spanning-Tree Portfast

    Command Line Interface edge delay time expires without receiving any RSTP or MSTP BPDUs. Note that edge delay time (802.1D-2004 17.20.4) equals the protocol migration time if a port's link type is point-to-point; otherwise it equals the spanning-tree’s maximum age (page 4-272). An interface cannot function as an edge port under the following conditions: - If spanning tree mode is set to STP (page 4-270), edge-port mode can be manually enabled or set to auto, but will have no effect.
  • Page 649: Spanning-Tree Bpdu-Filter

    Spanning Tree Commands • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time. Fast forwarding can achieve quicker convergence for end-node workstations and servers, and also overcome other STA related timeout problems.
  • Page 650: Spanning-Tree Bpdu-Guard

    Command Line Interface Related Commands spanning-tree edge-port (4-281) spanning-tree portfast (4-282) spanning-tree bpdu-guard This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form to disable this feature. Syntax [no] spanning-tree bpdu-guard Default Setting...
  • Page 651: Spanning-Tree Root-Guard

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the spanning-tree system-bpdu-flooding command (page 4-273).
  • Page 652: Spanning-Tree Link-Type

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree root-guard Console(config-if)# spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type •...
  • Page 653: Spanning-Tree Loopback-Detection Release-Mode

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). •...
  • Page 654: Spanning-Tree Loopback-Detection Trap

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection release-mode manual spanning-tree loopback-detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default. Syntax spanning-tree loopback-detection trap no spanning-tree loopback-detection trap Default Setting Disabled Command Mode...
  • Page 655: Spanning-Tree Mst Port-Priority

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
  • Page 656: Spanning-Tree Protocol-Migration

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 port-priority 0 Console(config-if)# Related Commands spanning-tree mst cost (4-288) spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface •...
  • Page 657: Show Spanning-Tree

    Spanning Tree Commands show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance-id] • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 658: Command Line Interface

    Command Line Interface Example Console#show spanning-tree Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: VLANs Configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.): Root Forward Delay (sec.): Max Hops: Remaining Hops:...
  • Page 659: Show Spanning-Tree Mst Configuration

    VLAN Commands show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- 1,3-4094 Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
  • Page 660: Gvrp And Bridge Extension Commands

    Command Line Interface GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 661: Show Bridge-Ext

    VLAN Commands show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See "Displaying Basic VLAN Information" on page 3-210 and "Displaying Bridge Extension Capabilities" on page 3-17 for a description of the displayed items.
  • Page 662: Show Gvrp Configuration

    Command Line Interface show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) • port-channel channel-id (Range: 1-8) Default Setting Shows both global and interface-specific configuration.
  • Page 663: Show Garp Timer

    VLAN Commands Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
  • Page 664: Editing Vlan Groups

    Command Line Interface Related Commands garp timer (4-296) Editing VLAN Groups Table 4-72 Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and delete 4-298 VLANs vlan Configures a VLAN, including VID, name and state 4-299 vlan database This command enters VLAN database mode.
  • Page 665: Vlan

    VLAN Commands vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) •...
  • Page 666: Configuring Vlan Interfaces

    Command Line Interface Configuring VLAN Interfaces Table 4-73 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN 4-300 switchport mode Configures VLAN membership mode for an interface 4-301 switchport Configures frame types to be accepted by an interface 4-302 acceptable-frame-types switchport ingress-filtering...
  • Page 667: Switchport Mode

    VLAN Commands switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk | private-vlan} no switchport mode • access - Specifies an access VLAN interface. The port transmits and receives untagged frames only.
  • Page 668: Switchport Acceptable-Frame-Types

    Command Line Interface switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
  • Page 669: Switchport Native Vlan

    VLAN Commands • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port). •...
  • Page 670: Switchport Allowed Vlan

    Command Line Interface switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 671: Switchport Forbidden Vlan

    VLAN Commands switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 672 Command Line Interface Command Usage • Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong. The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
  • Page 673: Displaying Vlan Information

    VLAN Commands Displaying VLAN Information Table 4-74 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-307 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-229 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-231 interface...
  • Page 674: Configuring Ieee 802.1Q Tunneling

    Command Line Interface Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 675: Dot1Q-Tunnel System-Tunnel-Control

    VLAN Commands reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode. Syntax [no] dot1q-tunnel system-tunnel-control Default Setting...
  • Page 676: Switchport Dot1Q-Tunnel Tpid

    Command Line Interface • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag. •...
  • Page 677: Show Dot1Q-Tunnel

    VLAN Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel tpid 9100 Console(config-if)# Related Commands show interfaces switchport (4-231) show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end...
  • Page 678: Configuring Port-Based Traffic Segmentation

    Command Line Interface Configuring Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions.
  • Page 679: Pvlan Uplink/Downlink

    VLAN Commands Command Usage • When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below. Table 4-77 Traffic Segmentation Forwarding Destination Session #1 Session #1 Session #2 Session #2 Normal Downlinks Uplinks...
  • Page 680: Pvlan Session

    Command Line Interface Command Usage • A port cannot be configured in both an uplink and downlink list. • A port can only be assigned to one traffic-segmentation session. • A downlink port can only communicate with an uplink port in the same session.
  • Page 681: Pvlan Up-To-Up

    VLAN Commands pvlan up-to-up This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default. Syntax [no] pvlan up-to-up {blocking | forwarding} • blocking – Blocks traffic between uplink ports assigned to different sessions.
  • Page 682: Configuring Private Vlans

    Command Line Interface Configuring Private VLANs Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other hosts within the community VLAN and with any of the...
  • Page 683: Private-Vlan

    VLAN Commands Use the show vlan private-vlan command to verify your configuration settings. private-vlan Use this command to create a primary or community private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | primary} no private-vlan vlan-id •...
  • Page 684: Private Vlan Association

    Command Line Interface private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
  • Page 685: Switchport Private-Vlan Host-Association

    VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the private-vlan host association command. Example Console(config)#interface ethernet 1/2 Console(config-if)#switchport mode private-vlan promiscuous...
  • Page 686: Switchport Private-Vlan Mapping

    Command Line Interface switchport private-vlan mapping Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. Syntax switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes). Default Setting None Command Mode...
  • Page 687: Configuring Protocol-Based Vlans

    VLAN Commands Example Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 Console# Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 688: Protocol-Vlan Protocol-Group (Configuring Groups)

    Command Line Interface protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Only one frame type and protocol type can be added to a protocol group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]...
  • Page 689: Show Protocol-Vlan Protocol-Group

    VLAN Commands Command Usage • When creating a protocol-based VLAN, do not assign interfaces to the protocol VLAN via any of the standard VLAN commands. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-299), the switch will admit traffic of any protocol type into the associated VLAN.
  • Page 690: Show Protocol-Vlan Protocol-Group-Vid

    Command Line Interface show protocol-vlan protocol-group-vid This command shows the mapping from protocol groups to VLANs. Syntax show protocol-vlan protocol-group-vid Default Setting The mapping for all protocol groups is displayed. Command Mode Privileged Exec Example This shows that traffic matching the specifications for protocol group 2 will be mapped to VLAN 2: Console#show protocol-vlan protocol-group-vid ProtocolGroup ID...
  • Page 691: Subnet-Vlan

    VLAN Commands subnet-vlan This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment. Syntax subnet-vlan subnet ip-address mask vlan vlan-id no subnet-vlan subnet {ip-address mask | all} • ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
  • Page 692: Configuring Mac Based Vlans

    Command Line Interface Example The following example displays all configured IP subnet-based VLANs. Console#show subnet-vlan IP address Mask VLAN ID ----------------- ----------------- --------- 192.168.12.0 255.255.255.128 192.168.12.128 255.255.255.192 192.168.12.192 255.255.255.224 192.168.12.224 255.255.255.240 192.168.12.240 255.255.255.248 192.168.12.248 255.255.255.252 192.168.12.252 255.255.255.254 192.168.12.254 255.255.255.255 192.168.12.255 255.255.255.255 Console# Configuring MAC Based VLANs...
  • Page 693: Show Mac-Vlan

    VLAN Commands Command Mode Global Configuration Command Usage • The MAC-to-VLAN mapping applies to all ports on the switch. • Source MAC addresses can be mapped to only one VLAN ID. • Configured MAC addresses cannot be broadcast or multicast addresses. •...
  • Page 694: Configuring Voice Vlans

    Command Line Interface Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
  • Page 695: Voice Vlan Aging

    VLAN Commands devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN. • Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
  • Page 696: Voice Vlan Mac-Address

    Command Line Interface voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list. Syntax voice vlan mac-address mac-address mask mask-address [description description] no voice vlan mac-address mac-address mask mask-address •...
  • Page 697: Switchport Voice Vlan

    VLAN Commands switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan • manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 698: Switchport Voice Vlan Security

    Command Line Interface Command Mode Interface Configuration Command Usage • When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command on page 4-330). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
  • Page 699: Switchport Voice Vlan Priority

    VLAN Commands switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority •...
  • Page 700 Command Line Interface Example Console#show voice vlan status Global Voice VLAN Status Voice VLAN Status : Enabled Voice VLAN ID : 1234 Voice VLAN aging time : 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority -------- -------- -------- --------- -------- Eth 1/ 1 Auto Enabled Eth 1/ 2 Disabled Disabled OUI...
  • Page 701: Lldp Commands

    LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 702 Command Line Interface Table 4-83 LLDP Commands (Continued) Command Function Mode Page lldp basic-tlv Configures an LLDP-enabled port to advertise its system 4-345 system-name name lldp dot1-tlv Configures an LLDP-enabled port to advertise the supported 4-345 proto-ident* protocols lldp dot1-tlv Configures an LLDP-enabled port to advertise port related 4-346 proto-vid*...
  • Page 703: Lldp

    LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
  • Page 704: Lldp Medfaststartcount

    Command Line Interface lldp medFastStartCount This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Syntax lldp medfaststartcount packets packets - Number of packets. (Range: 1-10 packets; Default: 4 packets) Default Setting 4 packets Command Mode...
  • Page 705: Lldp Refresh-Interval

    LLDP Commands notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#lldp notification-interval 30 Console(config)# lldp refresh-interval This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
  • Page 706: Lldp Tx-Delay

    Command Line Interface Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 707: Lldp Admin-Status

    LLDP Commands lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status • rx-only - Only receive LLDP PDUs. •...
  • Page 708: Lldp Mednotification

    Command Line Interface therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# lldp mednotification This command enables the transmission of SNMP trap notifications about LLDP-MED changes.
  • Page 709: Lldp Basic-Tlv Management-Ip-Address

    LLDP Commands lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 710: Lldp Basic-Tlv System-Capabilities

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv port-description...
  • Page 711: Lldp Basic-Tlv System-Name

    LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-description...
  • Page 712: Lldp Dot1-Tlv Proto-Vid

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-related VLAN information.
  • Page 713: Lldp Dot1-Tlv Vlan-Name

    LLDP Commands Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "switchport native vlan" on page 4-303). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)# lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name.
  • Page 714: Lldp Dot3-Tlv Mac-Phy

    Command Line Interface Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the IEEE 802.3 aggregated port identifier if this interface is currently a link aggregation member. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv link-agg Console(config-if)# lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical...
  • Page 715: Lldp Dot3-Tlv Poe

    LLDP Commands Command Usage Refer to "Frame Size Commands" on page 4-35 for information on configuring the maximum frame size for this switch. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities.
  • Page 716: Lldp Medtlv Inventory

    Command Line Interface Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
  • Page 717: Lldp Medtlv Med-Cap

    LLDP Commands Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv location Console(config-if)# lldp medtlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature. Syntax [no] lldp medtlv med-cap...
  • Page 718: Show Lldp Config

    Command Line Interface Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv network-policy Console(config-if)#...
  • Page 719 LLDP Commands Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |AdminStatus NotificationEnabled --------- + ----------- -------------------...
  • Page 720: Show Lldp Info Local-Device

    Console#show lldp info local-device LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : LevelOne FGL-2870 System Capabilities Support : Bridge System Capabilities Enable : Bridge Management Address : 192.168.0.101 (IPv4) LLDP Port Information...
  • Page 721: Show Lldp Info Remote-Device

    : MAC Address Chassis Id : 00-01-02-03-04-05 PortID Type : MAC Address PortID : 00-01-02-03-04-06 SysName SysDescr : FGL-2870 PortDescr : Ethernet Port on unit 1, port 1 SystemCapSupported : Bridge SystemCapEnabled : Bridge Remote Management Address : 00-01-02-03-04-05 (MAC Address) Console#...
  • Page 722: Show Lldp Info Statistics

    Command Line Interface show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 723: Class Of Service Commands

    Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 724: Switchport Priority Default

    Command Line Interface Default Setting Weighted Round Robin Command Mode Global Configuration Command Usage • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. • WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
  • Page 725: Queue Cos-Map

    Class of Service Commands frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin by default, which can be viewed with the show queue bandwidth command.
  • Page 726: Show Queue Mode

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to change the CoS assignments: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0 Console(config-if)#queue cos-map 1 1...
  • Page 727: Show Queue Cos-Map

    Class of Service Commands Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 728: Priority Commands (Layer 3 And 4)

    Command Line Interface Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 4-87 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip dscp Enables IP DSCP class of service mapping 4-362 map ip dscp...
  • Page 729: Table 4-88 Ip Dscp To Cos Values

    Class of Service Commands Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-88 IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16 18, 20, 22, 24...
  • Page 730: Show Map Ip Dscp

    Command Line Interface show map ip dscp This command shows the IP DSCP priority map. Syntax show map ip dscp [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode...
  • Page 731: Quality Of Service Commands

    Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 732: Class-Map

    Command Line Interface any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate. Use the service-policy command to assign a policy map to a specific interface. Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
  • Page 733: Match

    Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 734: Rename

    Command Line Interface This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1: Console(config)#class-map rd-class#3 match-any Console(config-cmap)#match vlan 1 Console(config-cmap)# rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map.
  • Page 735: Policy-Map

    Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map. (Range: 1-16 characters) Default Setting None Command Mode...
  • Page 736: Set

    Command Line Interface Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the: - set command classifies the service that an IP packet will receive.
  • Page 737: Police

    Quality of Service Commands average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets. Console(config)#policy-map rd-policy Console(config-pmap)#class rd-class Console(config-pmap-c)#set ip dscp 3 Console(config-pmap-c)#police 100000 1522 exceed-action drop Console(config-pmap-c)# police This command defines a policer for classified traffic based on the metered flow rate.
  • Page 738: Service-Policy

    Command Line Interface service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name •...
  • Page 739: Show Policy-Map

    Quality of Service Commands Example Console#show class-map Class Map match-any rd-class#1 Match ip dscp 3 Class Map match-any rd-class#2 Match ip precedence 5 Class Map match-any rd-class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
  • Page 740: Multicast Filtering Commands

    Command Line Interface Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd-policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
  • Page 741: Ip Igmp Snooping

    Multicast Filtering Commands Table 4-91 IGMP Snooping Commands (Continued) Command Function Mode Page show ip igmp snooping Shows the IGMP snooping and query configuration 4-377 show mac-address-table Shows the IGMP snooping MAC multicast list 4-379 multicast ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting...
  • Page 742: Ip Igmp Snooping Version

    Command Line Interface • When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# ip igmp snooping version...
  • Page 743: Ip Igmp Snooping Leave-Proxy

    Multicast Filtering Commands ip igmp snooping leave-proxy This command enables IGMP leave proxy on the switch. Use the no form to disable the feature. Syntax [no] ip igmp snooping leave-proxy Default Setting Disabled Command Mode Global Configuration Command Usage • This function is only effective if IGMP snooping is enabled. •...
  • Page 744: Show Ip Igmp Snooping

    Command Line Interface Command Usage • If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
  • Page 745: Show Mac-Address-Table Multicast

    Multicast Filtering Commands show mac-address-table multicast This command shows known multicast addresses. Syntax show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] • vlan-id - VLAN ID (1 to 4092) • user - Display only the user-configured multicast entries. • igmp-snooping - Display only entries learned through IGMP snooping. Default Setting None Command Mode...
  • Page 746: Ip Igmp Snooping Querier

    Command Line Interface ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-376).
  • Page 747: Ip Igmp Snooping Query-Interval

    Multicast Filtering Commands Example The following shows how to configure the query count to 10: Console(config)#ip igmp snooping query-count 10 Console(config)# Related Commands ip igmp snooping query-max-response-time (4-381) ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval...
  • Page 748: Ip Igmp Snooping Router-Port-Expire-Time

    Command Line Interface Command Usage • The switch must be using IGMPv2/v3 snooping for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
  • Page 749: Static Multicast Routing Commands

    Multicast Filtering Commands Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch. Table 4-93 Static Multicast Routing Commands Command Function Mode Page ip igmp snooping vlan mrouter Adds a multicast router port 4-383 show ip igmp snooping mrouter Shows multicast router ports 4-384...
  • Page 750: Show Ip Igmp Snooping Mrouter

    Command Line Interface show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
  • Page 751: Igmp Filtering And Throttling Commands

    Multicast Filtering Commands IGMP Filtering and Throttling Commands In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 752: Ip Igmp Profile

    Command Line Interface • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example Console(config)#ip igmp filter Console(config)# ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode.
  • Page 753: Range

    Multicast Filtering Commands mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)# range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
  • Page 754: Ip Igmp Max-Groups

    Command Line Interface Command Usage • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface. • A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
  • Page 755: Ip Igmp Max-Groups Action

    Multicast Filtering Commands ip igmp max-groups action This command sets the IGMP throttling action for an interface on the switch. Syntax ip igmp max-groups action {replace | deny} • replace - The new multicast group replaces an existing group. • deny - The new multicast group join report is dropped. Default Setting Deny Command Mode...
  • Page 756: Show Ip Igmp Profile

    Command Line Interface Example Console#show ip igmp filter IGMP filter enabled Console#show ip igmp filter interface ethernet 1/1 Ethernet 1/1 information --------------------------------- IGMP Profile 19 Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number.
  • Page 757: Multicast Vlan Registration Commands

    Multicast Filtering Commands Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console# Multicast VLAN Registration Commands...
  • Page 758: Mvr (Global Configuration)

    Command Line Interface mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, specifies the MVR VLAN identifier using the vlan keyword, or permits the use of tagged multicast traffic using the receiver-group and receiver-vlan attributes.
  • Page 759 Multicast Filtering Commands vlan command (page 4-303), but MVR receiver ports should not be statically configured as members of this VLAN. • IGMP snooping must be enabled to allow a subscriber to dynamically join or leave an MVR group (see ip igmp snooping on page 4-375). Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
  • Page 760: Mvr (Interface Configuration)

    Command Line Interface mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, configures an interface as a static member of the MVR VLAN using the group keyword, or as a static member of the MVR Receiver VLAN using the static-receiver-group keyword.
  • Page 761: Mvr Immediate

    Multicast Filtering Commands • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. • IGMP snooping must be enabled to allow a subscriber to dynamically join or leave an MVR group (see ip igmp snooping on page 4-375).
  • Page 762: Show Mvr

    Command Line Interface • Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface. • Immediate leave does not apply to multicast groups which have been statically assigned to a port.
  • Page 763: Table 4-96 Show Mvr - Display Description

    Multicast Filtering Commands Example The following shows the global MVR settings: Console#show mvr MVR Status:enable MVR running status:TRUE MVR multicast vlan:1 MVR Max Multicast Groups:255 MVR Current multicast groups:10 MVR Receiver VLAN:3 MVR Supported Receiver Multicast Groups:5 MVR Used Receiver Multicast Groups:1 Console# Table 4-96 show mvr - display description...
  • Page 764: Table 4-98 Show Mvr Members - Display Description

    Command Line Interface Table 4-97 show mvr interface - display description (Continued) Field Description Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE”...
  • Page 765: Domain Name Service Commands

    Domain Name Service Commands Table 4-99 show mvr receiver members - display description Field Description MVR Group IP Multicast groups assigned to the MVR Receiver VLAN. Status Shows whether or not there are active subscribers for this multicast group. Note that this field will also display “ACTIVE”...
  • Page 766: Clear Host

    Command Line Interface Default Setting No static entries Command Mode Global Configuration Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
  • Page 767: Ip Domain-Name

    Domain Name Service Commands ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
  • Page 768: Ip Name-Server

    Command Line Interface Command Usage • Domain names are added to the end of the list one at a time. • When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 769: Ip Domain-Lookup

    Domain Name Service Commands Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip domain-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55...
  • Page 770: Show Hosts

    Command Line Interface Related Commands ip domain-name (4-401) ip name-server (4-402) show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
  • Page 771: Show Dns Cache

    Domain Name Service Commands show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example Console#show dns cache FLAG TYPE DOMAIN Address www.times.com 199.239.136.200 Address a1116.x.akamai.net 61.213.189.120 Address a1116.x.akamai.net 61.213.189.104 CNAME graphics8.nytimes.com POINTER TO:2 CNAME graphics478.nytimes.com.edgesui 19 POINTER TO:2 Console#...
  • Page 772: Ip Interface Commands

    Command Line Interface IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 773: Ip Default-Gateway

    IP Interface Commands • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
  • Page 774: Ip Dhcp Restart

    Command Line Interface Related Commands show ip redirects (4-409) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
  • Page 775: Show Ip Redirects

    IP Interface Commands Related Commands show ip redirects (4-409) show ip redirects This command shows the default gateway configured for this device. Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-407) show arp This command displays the Address Resolution Protocol cache.
  • Page 776 Command Line Interface • count - Number of packets to send. (Range: 1-16) • size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the router adds header information. Default Setting count: 5 size: 32...
  • Page 777: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Authentication and General Security Measures Local, RADIUS, TACACS, Port (802.1X, MAC Authentication, Web Authentication), AAA, HTTPS, SSH, Port Security, IP Filter, ARP Inspection, DHCP Snooping, IP Source Guard Access Control Lists IP, MAC; 1000 rules per system DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps at half/full duplex...
  • Page 778: Management Features

    Software Specifications Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts DHCP Snooping IP Source Guard...
  • Page 779: Management Information Bases

    Management Information Bases IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP) Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.3ac VLAN tagging DHCP Client (RFC 2131) DHCP Options (RFC 2132) FTP (RFC 959) HTTPS IGMP (RFC 1112) IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support RADIUS+ (RFC 2618) RMON (RFC 2819 groups 1,2,3,9)
  • Page 780 Software Specifications SNMPv2 IP MIB (RFC 2011) SNMP Community MIB (RFC 3584) SNMP Framework MIB (RFC 3411) SNMP-MPD MIB (RFC 3412) SNMP Target MIB, SNMP Notification MIB (RFC 3413) SNMP User-Based SM MIB (RFC 3414) SNMP View Based ACM MIB (RFC 3415) TACACS+ Authentication Client MIB TCP MIB (RFC 2012) Trap (RFC 1215)
  • Page 781: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom: Cannot connect using Telnet, web browser, or SNMP software. Action: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
  • Page 782: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 783: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 784 Glossary DHCP Option 82 A relay option for sending information about the requesting client (or an intermediate relay agent) in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server. This information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients.
  • Page 785 Glossary IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 786 Glossary Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 787 Glossary one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest. Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
  • Page 788 Glossary Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. QinQ Tunneling QinQ is designed for service providers carrying traffic for multiple customers across their networks.
  • Page 789 Glossary Simple Network Time Protocol (SNTP) SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers. Spanning Tree Algorithm (STA) A technology that checks your network for any loops.
  • Page 790 Glossary XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected. Glossary-8...
  • Page 800 149100000059A E122009-MW-R01 149100000059A...
