Digitalchina Networks DCS-3950 series Manual

Table of Contents

Quick Links

http://networks.digitalchina.com

Table of Contents

Troubleshooting

Need help?

Do you have a question about the DCS-3950 series and is the answer not in the manual?

Questions and answers

Summary of Contents for Digitalchina Networks DCS-3950 series

Page 2: Preface
Ethernet fiber/copper ports. We are providing this manual for your better understanding, using and maintenance of the DCS-3950 series. We strongly recommend you to read through this manual carefully before installation and configuration to avoid possible damage to the switch and malfunction.
Page 3: Table Of Contents
DCS-3950 series Ethernet switch manual Contents Preface________ _______________________________________________________ II Contents____ _________________________________________________________ III Chapter 1 Introduction of Products _______________________________________ 1 1.1 Brief Introduction _____________________________________________________ 1 1.1.1 Overview _______________________________________________________________ 3 1.1.2 Features and Benefits _____________________________________________________ 3 1.1.3 Main Features ___________________________________________________________ 5 ...
Page 4 DCS-3950 series Ethernet switch manual 3.3.5 Configuring SNMP ______________________________________________________ 21 3.3.6 Exiting Setup Configuration Mode _________________________________________ 22 Chapter 4 Switch Management __________________________________________ 23 4.1 Management Options _________________________________________________ 23 4.1.1 Out-of-band Management ________________________________________________ 23 4.1.2 In-band Management ____________________________________________________ 26 ...
Page 5 DCS-3950 series Ethernet switch manual 5.4.1 Introduction to SNMP ___________________________________________________ 63 5.4.2 Introduction to MIB _____________________________________________________ 65 5.4.3 Introduction to RMON __________________________________________________ 66 5.4.4 SNMP Configuration ____________________________________________________ 66 5.4.5 Typical SNMP Configuration Example _____________________________________ 73 ...
Page 6 DCS-3950 series Ethernet switch manual 8.1 Introduction to MAC Table ___________________________________________ 137 8.1.1 Obtaining MAC Table __________________________________________________ 137 8.1.2 Forward or Filter ______________________________________________________ 138 8.2 MAC address table configuration Command List _________________________ 139 8.2.1 mac-address-table aging-time ____________________________________________ 139 ...
Page 7 DCS-3950 series Ethernet switch manual 10.2.1 MSTP Configuration Task List __________________________________________ 172 10.2.2 MSTP Command List _________________________________________________ 175 10.3 MSTP Configuration Example _______________________________________ 185 10.4 MSTP Troubleshooting ______________________________________________ 190 10.4.1 Monitor and Debug Command List ______________________________________ 190 ...
Page 8 DCS-3950 series Ethernet switch manual 14.4 802.1x Troubleshooting______________________________________________ 241 14.4.1 802.1x Monitor and debug Command List ________________________________ 241 14.4.2 802.1x Troubleshooting ________________________________________________ 248 Chapter 15 ACL Configuration _________________________________________ 249 15.1 Introduction to ACL ________________________________________________ 249 15.2 Access-list _________________________________________________________ 249 ...
Page 9 DCS-3950 series Ethernet switch manual 18.2.1 DHCP Sever Configuration Task List _____________________________________ 302 18.2.2 DHCP Server Configuration Command List _______________________________ 304 18.2.3 DHCP Server Configuration Example ____________________________________ 312 18.3 DHCP Troubleshooting _____________________________________________ 313 18.3.1 Monitor and Debug Command List ______________________________________ 313 ...
Page 10 DCS-3950 series Ethernet switch manual Chapter 23 SNTP Configuration ________________________________________ 349 23.1 SNTP Introduction _________________________________________________ 349 23.2 SNTP Configuration ________________________________________________ 350 23.2.1 SNTP Configuration Task List __________________________________________ 350 23.2.2 SNTP Command List __________________________________________________ 350 23.3 SNTP Troubleshooting ______________________________________________ 351 ...
Page 11: Chapter 1 Introduction Of Products
DCS-3950 series Ethernet switch manual Chapter 1 Introduction of Products 1.1 Brief Introduction Fig 1-1 DCS-3950-26C switch Fig 1-2 DCS-3950-28CT switch...
Page 12 DCS-3950 series Ethernet switch manual Fig 1-3 DCS-3950-28C switch Fig 1-4 DCS-3950-52CT switch...
Page 13: Overview
Fig 1-5 DCS-3950-52C switch 1.1.1 Overview The DCS-3950 series Intelligent Stackable Secure Ethernet Access Switch can not only be utilized in large-scale enterprise networks， campus networks and m etropolitan area networks as access equipment, but also can meet the demand for network of medium-scale office environment.
Page 14 DCS-3950 series fully support QoS policy. Users can specify 4 priority queues on each port. WRR/SP/SWRR scheduling is also supported. DCS-3950 series also supports the port security. The traffic can be sorted by port, VLAN, DSCP, IP precedence and ACL table.
Page 15: Main Features
Digital China Limited. The DCS-3950 series also supports SSH protocol to farthest ensure the safety of configuration management. What’s more, the DCS-3950 series provide an unique function to manage and set the IP of workstations, enabling the switch to automatically filter invalid remote network management access and guaranteeing the efficiency, security and coherence of remote network management access.
Page 16: Technical Specifications
DCS-3950 series Ethernet switch manual Can be fixed in a standard 19-inch frame. 1.2 Technical specifications Protocols and Standards IEEE802.3 10BASE-T Ethernet IEEE802.3u 100BASE-TX/FX Fast Ethernet IEEE802.3x Flow control IEEE802.1x access control IEEE802.1d/w/s Spanning Tree IEEE802.1p Class of Service IEEE802.1q VLAN IEEE802.3ad Link Aggregation...
Page 17: Physical Specifications
100～240VAC，50～60Hz Power 30W Max Consumption Mean Time 80,000 Hours Between Failures Table1-1 DCS-3950 series switch physical specification 1.4 Product appearance 1.4.1 Product Front Panel View DCS-3950 series switch front panel view as follows： Fig 1-6 DCS-3950-26C switch front panel view...
Page 18: Product Back Panel View
DCS-3950 series back panel view as follows： Fig 1-11 DCS-3950-26C/28CT/28C back panel view Fig 1-12 DCS-3950-52CT/52C back panel view 1.4.3 Status LEDs The LEDs of DCS-3950 series switch include: PWR, DIAG, Link/Act and 1000M. Please refer to the following graph for meanings of the LED lights:...
Page 19 DCS-3950 series Ethernet switch manual Fig 1-13 DCS-3950-26C/28CT/28C switch LED indicator lamp Description of LEDs Sstate Description Link/ACT Blink The port is successfully linked and is sending /receiving data right now. The state of the port is down. Link succeeds...
Page 20: Chapter 2 Hardware Installation
2.1.1.1 Dust and Particles Dust is harmful to the safe operation of DCS-3950 series. Dust can lead to electrostatic adherence, especially likely under low relative humidity, causing poor contact of metal connectors or contacts. Electrostatic adherence will result in not only reduced product lifespan, but also increased chance of communication failures.
Page 21: Temperature And Humidity
DCS-3950 series Ethernet switch manual threshold value. Average (mg/m³) Max (mg/m³) 0.006 0.03 0.04 0.15 0.05 0.15 0.01 Table 2-2 Environmental Requirements: Particles 2.1.1.2 Temperature and Humidity As the switch is designed to no fan, it’s physical heat-away ,the site should still maintain a desirable temperature and humidity.
Page 22: Preventing Electrostatic Discharge Damage
DCS-3950 series Ethernet switch manual 2.1.1.3 Power Supply DCS-3950 series is designed to use modular switching power supplies. The power input specification is shown below: Nominal Input Voltage: AC: 100 ~ 240 VAC, Frequency: 50-60Hz Total power consumption: ≤30W Before powering on the power supply, please check the power input to ensure proper grounding of the power supply system.
Page 23: Installation Notice
DCS-3950 series Ethernet switch manual The dimensions of the switch designed to be mounted on a standard 19’’ rack, please ensure good ventilation for the rack Every device in the rack will generate heat during operation, therefore vent and fans must be provided for an enclosed rack, and devices should not be stacked closely.
Page 24: Installation Preparation
Antistatic uniform ESD wrist strap Antistatic glove Console cable and commutator Connecting cable Standard Twisted-pair RJ-45 pin Table 2-4 The required tools and utilities 2.3 Hardware Installation 2.3.1 Installing the Switch Please mount DCS-3950 series on the 19’’ rack as below...
Page 25: Connecting Console
DCS-3950 series Ethernet switch manual Fig 2-1 DCS-3950 series Rack-mounting 1. Attach the 2 brackets on the DCS-3950 series with screws provided in the accessory kit. 2. Put the bracket-mounted switch smoothly into a standard 19’’ rack. Fasten the DCS-3950 series to the rack with the screws provided. Leave enough space around the switch for good air circulation.
Page 26: Power Supply Connection
DCS-3950 series Ethernet switch manual DCS-3950 series provides a DB9 interface serial console port. The connection procedure is listed below Fig 2-2 Connecting Console to DCS-3950 series Please attach the console cable which is contained in the accessory kit to the Console port of the switch.
Page 27 2. Check the power status indicator in the front panel of the switch. The corresponding power indicator should light. DCS-3950 series is self-adjustable for the input voltage. As soon as the input voltage is in the range printed on the switch surface, the switch can operate correctly.
Page 28: Chapter 3 Setup Configuration
Setup configuration refers to the initial operation to the switch after the user purchases the switch. For first-time users of the DCS-3950 series, this chapter provides a very practical instruction. When using the CLI (command line interface), the user can type setup under admin mode to enter the Setup configuration interface.
Page 29: Configuring Vlan1 Interface
DCS-3950 series Ethernet switch manual Enter without input, the hostname will default to ‘switch’ 3.3.2 Configuring Vlan1 Interface Select ‘1’ in the Setup main menu and press Enter to start configuring the Vlan1 interface Config Interface-Vlan1 [0]: Config interface-Vlan1 IP address...
Page 30: Configuring Web Server
DCS-3950 series Ethernet switch manual Please input the new telnet user password: Notice: The valid length for the password should be between 1 and 8 characters. After user name and password are configured correctly, system configuration shell will be prompted.
Page 31: Configuring Snmp
DCS-3950 series Ethernet switch manual 3.3.5 Configuring SNMP Select ‘4’ in the Setup main menu and press Enter to start configuring SNMP, the following appears Configure SNMP [0]: Config SNMP-server read-write community string [1]: Config SNMP-server read-only community string [2]: Config traps-host and community string...
Page 32: Exiting Setup Configuration Mode
DCS-3950 series Ethernet switch manual Enable SNMP-server? (y/n) [y]: Type ‘y’ and press Enter, or just press Enter to enable SNMP service, type ‘n’ and press Enter to disable SNMP service. The SNMP configuration menu appears. Select ‘4’ in the SNMP configuration menu and press Enter, the following screen will...
Page 33: Chapter 4 Switch Management
Chapter 4 Switch Management 4.1 Management Options After purchasing the switch, the user needs to configure the switch for network management. DCS-3950 series provides two management options: in-band management and out-of-band management. 4.1.1 Out-of-band Management Out-of-band management is the management through Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
Page 34 DCS-3950 series Ethernet switch manual Step 2 Entering HyperTerminal. Open the HyperTerminal included in Windows after the connection established. 1) Click Start menu - All Programs – Accessories – Communication - HyperTerminal. 2）Type a name for opening HyperTerminal, such as ‘Switch_A’.
Page 35 DCS-3950 series Ethernet switch manual checksum’, ‘1’ for stop bit and ‘none’ for traffic control; or, you can also click ‘Revert to default’ and click ‘OK’. Fig 4-4 Opening HyperTerminal Step 3 Entering switch CLI interface: Power on the switch. The following appears in the HyperTerminal windows, that is the CLI configuration mode for Testing RAM...
Page 36: In-Band Management
3) If not 2), Telnet client can connect to an IP address of the switch via other devices, such as a router. DCS-3950 series are Layer 2 switch that can be configured with several IP addresses. The following example assumes the shipment status of the switch, where only VLAN1 exists in the system.
Page 37 10.1.128.251/24, and then a possible host IP address is 10.1.128.25/24. Run ‘ping 10.1.128.251’ from the host and verify the result, check for reasons if ping fails. The IP address configuration commands for VLAN1 interface DCS-3950 series are listed below. Before in-band management, the switch must be configured with an IP address by out-of-band management (i.e.
Page 38: Management Via Http
DCS-3950 series Ethernet switch manual telnet-user <user> password {0|7} <password> Assume a authorized user in the switch has a username of ‘test’, and password of ‘test’, the configuration procedure should be like the following: Switch >en Switch#config Switch(Config)#telnet-user test password 0 test Enter valid login name and password in the Telnet configuration interface, Telnet user will be able to enter the switch’s CLI configuration interface.
Page 39 DCS-3950 series Ethernet switch manual the relevant chapter. To enable the WEB configuration, users should type the CLI command ip http server in the global mode as below: Switch >en Switch#config Switch(Config)#ip http server Step 2: Run HTTP protocol on the host.
Page 40: Management Interface
Management via LinkManager, the host succeeds to ping an IP address of the switch, then run the switch, LinkManager network management software will be found by DCS-3950 series,and operate it with read-write permission ,For more details on how to configure the switch through LinkManager, please refer to the LinkManager Manual.
Page 41: Configuration Modes
User Mode Admin Mode Global Mode Fig 4-9 Shell Configuration Modes of DCS-3950 series 4.2.1.1.1 User Mode On entering the CLI interface, entering user entry system first. If as common user, it is defaulted to User Mode. The prompt shown is ‘Switch>‘, the symbol ‘>‘ is the prompt for User Mode.
Page 42: Interface Mode
Or, when exit command is run under Global Mode, it will also return to the Admin Mode. DCS-3950 series Switch also provides a shortcut key sequence ‘Ctrl+z’, this allows an easy way to exit to Admin Mode from any configuration mode (except User Mode).
Page 43: Vlan Mode
Global Mode. 4.2.1.2 Configuration Syntax DCS-3950 series Switch provides various configuration commands. Although all the commands are different, they all abide by the syntax for DCS-3950 series Switch configuration commands. The general commands format of DCS-3950 series Switch is...
Page 44: Shortcut Key Support
<string> 4.2.1.3 Shortcut Key Support DCS-3950 series switch provides several shortcut keys to facilitate user configuration, such as up, down, left, right and Blank Space. If the terminal does not recognize Up and Down keys, ctrl +p and ctrl +n can be used instead.
Page 45: Help Function
Perform command of previous list,such as perform show command of admin mode under port config:Switch(Config-Port-Range)#//show clock. 4.2.1.4 Help Function There are two ways in DCS-3950 series Switch for the user to access help information: the ‘help’ command and the ‘?’. Access to Usage and function...
Page 46: Input Verification
Quotation marks are not used in pairs. end of command line! 4.2.1.6 Fuzzy Match Support DCS-3950 series switch shell support fuzzy match in searching command and keyword. Shell will recognize commands or keywords correctly if the entered string causes no conflict.
Page 47: Web Interface
The upper part is a picture of the front panel of a DCS-3950 series switch, which can show the connection state of each port via the LEDs on the panel. If users click the port on the picture of the front panel, the statistic traffic information of each port will be displayed at the bottom right part of the Web configuration interface.
Page 48 DCS-3950 series Ethernet switch manual new stuff from the server every time instead of the system cache. The following steps will show you how to realize this: Choose the Tools(T)->Internet Options from the menu of a Website or right click the IE browser on the desktop and choose Properities to enter the configuration interface.
Page 49: Chapter 5 Basic Switch Configuration
DCS-3950 series Ethernet switch manual Chapter 5 Basic Switch Configuration 5.1 Basic Switch Configuration Command List Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
Page 50: Exec Timeout
DCS-3950 series Ethernet switch manual 5.1.3 exec timeout Command: exec timeout <minutes > Function: Configure the overtime of quitting privileged configuration mode. Parameter: < minute >is time; the unit is minute(The range 0~300) Command mode: Global Mode Default: The default time is 5 minutes.
Page 51: Ip Host
Parameter:<hostname> is the string for the prompt, up to 30 characters are allowed. Command mode: Global Mode Default: The default prompt is related to DCS-3950 series switch type. Usage Guide: Shell prompt can be changed and customized through this command.
Page 52: Reload
DCS-3950 series Ethernet switch manual 5.1.9 reload Command: reload Function: Warm reset the switch. Command mode: Admin Mode Usage Guide: The switch can be rebooted through this command without resetting the power. 5.1.10 set default Command: set default Function: Reset the switch to factory settings.
Page 53: Web-User
DCS-3950 series Ethernet switch manual 5.1.13 web-user Command：web-user <username> password {0|7} <password> no web-user <username> Function：Set a username and its password for a Web client; the ‘no web-user <username>‘ command is used to delete this Web client. Parameters：<username>is an authorized username to do Web access, whose length should be no more than 16 characters;...
Page 54: Show Tech-Support
DCS-3950 series Ethernet switch manual 5.1.16 show tech-support Command：show tech-support Function： Collect tech-support information. Command mode: Admin Mode. Usage Guide: Information can be get through this command for determining the cause of any system failure. Example: Switch#show tech-support 5.1.17 vendorcontact Command：vendorcontact <information>...
Page 55: Monitor And Debug Command List
DCS-3950 series switch provides various debug commands including ping, telnet, show and debug, etc. to help the users to check system configuration, operating status and locate problem causes.
Page 56: Telnet
Telnet employs the Client-Server mode, the local system is the Telnet client and the remote host is the Telnet server. DCS-3950 series switch can be either the Telnet Server or the Telnet client.
Page 57: Authentication Login
DCS-3950 series Ethernet switch manual switch: the ‘no telnet-server enable’ no telnet-server enable command disables the Telnet function. Configure the username and password to telnet-user <user-name> password login to the switch through Telnet: the no {0|7} <password> telnet-user <user-name> command no telnet-user <user-name>...
Page 58 DCS-3950 series Ethernet switch manual Example: Configure the authentication method for remote access to be radius. Switch(Config)#authentication login radius Relative Command：aaa enable，radius-server authentication host 5.2.2.3.2 monitor Command: monitor no monitor Function:Make Telnet clients display debug information, and disable Console clients to display debug information function.
Page 59 DCS-3950 series Ethernet switch manual Then telnet the remote host through the host name. Switch#config Switch（Config）#ip host aa 20.1.1.1 Switch（Config）#exit Switch#telnet aa 23 Trying 20.1.1.1... Service port is 23 Connected to 20.1.1.1 login:123 password:*** router> Relative Command：ip host 5.2.2.3.4 telnet-server enable Command:：telnet-server enable...
Page 60: Ssh
DCS-3950 series Ethernet switch manual 5.2.2.3.6 telnet-user Command：telnet-user <username> password {0|7} <password> no telnet-user <username> Function: Configure user names and passwords of Telnet clients. Use the ‘no telnet-user <username>‘ command to remove the Telnet users. Parameter: <username>is the Telnet client user name. The maximum length may not exceed 16 characters;...
Page 61 DCS-3950 series Ethernet switch manual Enable SSH function on the switch; the ssh-server enable ‘no ssh-server enable’ command no ssh-server enable disables SSH function. Configure the username and password of SSH client software for logging on the ssh-user <user-name> password {0|7} switch;...
Page 62 DCS-3950 series Ethernet switch manual no ssh-user <username> Function: Configure the username and password of SSH client software for logging on the switch; the ‘no ssh-user <user-name>‘ command deletes the username. Parameter: <username> is SSH client username. It can’t exceed 16 characters;...
Page 63: Ssh Server Configuration Example
DCS-3950 series Ethernet switch manual 5.2.3.3.5 ssh-server host-key create rsa Command：ssh-server host-key create rsa [modulus < modulus >] Function: Generate new RSA host key Parameter: modulus is the modulus which is used to compute the host key; valid range is 768 to 2048. The default value is 1024.
Page 64: Traceroute
DCS-3950 series Ethernet switch manual switch. Switch(Config)#interface vlan 1 Switch(Config-Vlan-1)#ip address 100.100.100.200 255.255.255.0 Switch(Config-Vlan-1)#exit Switch(Config)#ssh-user test password 0 test Switch(Config)#ssh-server enable 5.2.3.5 SSH Monitor and Debug Command List 5.2.3.5.1 show ssh-user Command：show ssh-user Function：Display all the configured SSH usernames. Command mode：Admin Mode.
Page 65: Show
DCS-3950 series Ethernet switch manual Command：traceroute {<ip-addr> | host <hostname> }[hops <hops>] [timeout <timeout> ] Function：This command is used to test the gateways passed by packets on their way from sending equipment to destination equipment, in order to check whether the network can be reached and to locate the fault of network.
Page 66: Show Debugging
DCS-3950 series Ethernet switch manual Example: Switch#show clock Current time is TUE AUG 22 11：00：01 2002 Relative Command: clock set 5.2.5.3 show debugging Command：show debugging Function： Display the debugging state Usage Guide: This command is used to show which debug options are enabled.
Page 67: Show Memory
DCS-3950 series Ethernet switch manual interface ethernet 0/0/3 enable show flash show ftp 5.2.5.6 show memory Command：show memory Function：Display the contents in the memory Command mode: Admin Mode Usage Guide: This command is used for debugging purpose. Base memory address and length can be entered through interactive way.
Page 68 DCS-3950 series Ethernet switch manual Command mode: Admin Mode Usage Guide: The ‘show running-config’ is used to verify whether the users had entered the configurations correctly. Example: Switch#show running-config 5.2.5.9 show startup-config Command: show startup-config Function: Display the switch parameter configurations written into the Flash memory at the current operation;...
Page 69: Show Tcp
DCS-3950 series Ethernet switch manual current interface is able to maintain. Mode :Access Vlan mode for the current interface. Port VID :1 The vlan id which the current interface belongs to. Trunk native Vlan :1 The PVID of native VLAN for the trunk.
Page 70: Show Version
DCS-3950 series Ethernet switch manual 5.2.5.13 show telnet login Command: show telnet login Function: Display Telnet user information that links with the switch Command mode: Admin Mode. Usage Guide: This command is used to retrieve information about remote telnet login sessions.
Page 71: Debug
5.3 Configure the IP Address of the Switch In theory, DCS-3950 series switch is a layer 2 （Data Link Layer） device, which should not have an IP address, because IP address is a concept belonged to layer 3（Network Layer）.But, as a device used in network, switch needs a network address to be its unique identifier, so that the network manager can identify and control it.
Page 72: Switch Ip Address Configuration Command List
DCS-3950 series Ethernet switch manual 2. BootP configuration Command Explanation Enable the switch to be a BootP client and ip bootp-client enable obtain IP address and gateway address no ip bootp-client enable through BootP negotiation; the no ip bootp-client enable’ command disables the BootP client function.
Page 73: Snmp Configuration
DCS-3950 series Ethernet switch manual no ip bootp-client enable Function: Configure the switch as a BootP client. The switch is able to get ip addressed for itself and the gateway through the BootP protocol. If no is put in front of the command, the BootP protocol will be disabled on the switch.
Page 74 DCS-3950 series Ethernet switch manual SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of SNMP which is adapted by vast numbers of manufacturers for its simplicity and easy implementation;...
Page 75: Introduction To Mib
DCS-3950 series Ethernet switch manual 5.4.2 Introduction to MIB The network management information accessed by NMS is well defined and organized in a Management Information Base (MIB). MIB is pre-defined information which can be accessed by network management protocols. It is in layered and structured form.
Page 76: Introduction To Rmon
DCS-3950 series Ethernet switch manual as BRIDGE MIB. Besides, the switch supports self-defined private MIB. 5.4.3 Introduction to RMON RMON is the most important expansion of the standard SNMP. RMON is a set of MIB definitions, used to define standard network monitor functions and interfaces, enabling the communication between SNMP management terminals and remote monitors.
Page 77 DCS-3950 series Ethernet switch manual 2. Configure SNMP community string Command Explanation snmp-server community {ro|rw} <string> Configure the community string for the no snmp-server community <string> switch; the ‘no snmp-server community <string>‘command deletes the configured community string. 3. Configure IP address of SNMP management base...
Page 78 DCS-3950 series Ethernet switch manual <oid-string> {include|exclude} command is used for SNMP v3. no snmp-server view <view-string> 8. Configuring TRAP Command Explanation snmp-server enable traps Enable the switch to send Trap message. no snmp-server enable traps This command is used for SNMP v1/v2/v3.
Page 79 DCS-3950 series Ethernet switch manual permission can be set through ro|rw. ro is for read only while rw for read/write. Usage Guide: Up to 4 community strings are supported by the switch. Example: Setup a community string as private with read/write permission.
Page 80 DCS-3950 series Ethernet switch manual 5.4.4.2.5 snmp-server user Command：snmp-server user <user-string> <group-string> [[encrypted] {auth {md5|sha} <password-string>}] no snmp-server user <user-string> <group-string> Function: Add a user to an existing group. the ‘no’ form of this command deletes this user Command mode: Global Mode.
Page 81 DCS-3950 series Ethernet switch manual Delete a group. Switch (Config)#no snmp-server group Group AuthPriv 5.4.4.2.7 snmp-server view Command: snmp-server view <view-string> <oid-string> {include|exclude} no snmp-server view <view-string> Function: View configurations can be updated with this command. If no is put in front of this command, corresponding view configuration will be removed.
Page 82 DCS-3950 series Ethernet switch manual Example: Configure the IP address of SNMP server to receive the Trap messages. Switch(config)#snmp-server host 1.1.1.5 v1 trap Remove the Trap meesage delivery configuration. Switch(config)#no snmp-server host 1.1.1.5 v1 trap 5.4.4.2.9 snmp-server securityip Command：snmp-server securityip <ip-address>...
Page 83: Typical Snmp Configuration Example
DCS-3950 series Ethernet switch manual Disable RMON. Switch(config)#no rmon enable 5.4.5 Typical SNMP Configuration Example The IP address of the NMS is 1.1.1.5; the IP address of the switch (Agent) is 1.1.1.9 Scenario 1: The NMS network administrative software uses SNMP protocol to obtain data from the switch.
Page 84: Show Snmp
DCS-3950 series Ethernet switch manual 5.4.6.1 Monitor and Debug Command List 5.4.6.1.1 show snmp Command: show snmp Function: Display all SNMP counter information. Command mode: Admin Mode Example : Switch#show snmp 0 SNMP packets input 0 Bad SNMP version errors...
Page 85 DCS-3950 series Ethernet switch manual set-request PDUs Number of packets received by ‘set’ requests. snmp packets output Total number of SNMP packet outputs. too big errors Number of ‘Too_ big’ error SNMP packets. maximum packet size Maximum length of SNMP packets.
Page 86: Show Snmp Engineid
DCS-3950 series Ethernet switch manual V3 Trap Host Information Receive V3 Trap Host Information 5.4.6.1.3 show snmp engineid Command: show snmp engineid Function: Display the engine ID commands Command mode: Admin Mode Example: Switch#show snmp engineid SNMP engineID: 18c3159876 Engine Boots is:1...
Page 87: Show Snmp View
DCS-3950 series Ethernet switch manual Write View: <no writeview specified> Notify View: one Displayed Information Explanation Group Name Group name Security level Security level Read View Read view name Write View Write view name Notify View Notify view name <no writeview specified>...
Page 88: Switch Upgrade
‘debug snmp packet’ to enable SNMP debug function and verify debug information. If users still can’t solve the SNMP problems, Please contact our technical and service center. 5.5 Switch Upgrade DCS-3950 series switch provides two ways for switch upgrade: BootROM upgrade and the TFTP/FTP upgrade under Shell 5.5.1 BootROM Upgrade...
Page 89 DCS-3950 series Ethernet switch manual There are two methods for BootROM upgrade: TFTP and FTP, which can be selected at BootROM command settings. The upgrade procedures are listed below: Step 1: A PC is used as the console for the switch. A console cable is used to connect PC to the management port on the switch.
Page 90: Ftp/Tftp Upgrade
DCS-3950 series Ethernet switch manual Host IP Address: 10.1.1.1 192.168.1.189 Server IP Address: 10.1.1.2 192.168.1.101 FTP(1) or TFTP(2): 1 2 Network interface configure OK. [Boot]: Step 4: Enable FTP/TFTP server in the PC. For TFTP, run TFTP server program; for FTP, run FTP server program.
Page 91 FTP in Global Mode to be nos.img, other IMAGE system files will be rejected. Boot file: refers to the file initializes the switch, also referred to as the ROM upgrade file (Large size file can be compressed as IMAGE file). In DCS-3950 series switch, the boot...
Page 92 DCS-3950 series Ethernet switch manual file is allowed to save in ROM only. DCS-3950 series switch mandates the name of the boot file to be boot.rom. Configuration file: including start up configuration file and running configuration file. The distinction between start up configuration file and running configuration file can facilitate the backup and update of the configurations.
Page 93 DCS-3950 series Ethernet switch manual acknowledgement （4） Shut down TFTP server 1. FTP/TFTP configuration （1）FTP client upload/download file Command Explanation Admin Mode copy <source-url> FTP/TFTP client upload/download file <destination-url> [ascii | binary] Global Mode For FTP client, server file list can be checked.
Page 94 DCS-3950 series Ethernet switch manual Command Explanation Global Mode tftp-server transmission-timeout Set maximum retransmission time within <seconds> timeout interval. （3）Modify TFTP server connection retransmission time Command Explanation Global Mode Set maximum retransmission time within tftp-server timeout interval. retransmission-number <number> 5.5.2.2.2 FTP/TFTP Configuration Command List 5.5.2.2.2.1 copy（FTP）...
Page 95 DCS-3950 series Ethernet switch manual Switch,password is Password: Switch#copy nos.img ftp://Switch:Password@10.1.1.1/nos.img （2）Obtain system file nos.img from the FTP server 10.1.1.1, user name is Switch,password is Password: Switch#copy ftp://Switch:Password@10.1.1.1/nos.img nos.img （3）Save the running configuration files Switch#copy running-config startup-config Relative commands: write 5.5.2.2.2.2 dir <ftp-server-url>...
Page 96 DCS-3950 series Ethernet switch manual Default: The system default is 600 seconds. Command mode: Global mode Usage Guide: When FTP data connection idle time exceeds this limit, the FTP management connection will be disconnected. Example: Modify the idle threshold to 100 seconds.
Page 97 DCS-3950 series Ethernet switch manual Usage Guide: This command supports command line hints,namely if the user can enter commands in following forms: copy <filename> tftp:// or copy tftp:// <filename> and press Enter,following hints will be provided by the system： tftp server ip address>...
Page 98 DCS-3950 series Ethernet switch manual Parameters: <seconds> is the timeout value in seconds, which is limited between 5 and 3600 seconds. Default: The default timeout is set to 600s. Command mode: Global Mode. Example: Change the timeout to be 60s.
Page 99 DCS-3950 series Ethernet switch manual Start TFTP server software on the computer and place the ‘nos.img’ file to the appropriate TFTP server directory on the computer. DCS-3950: Switch (Config)#inter vlan 1 Switch (Config-If-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch (Config-If-Vlan1)#no shut Switch (Config-If-Vlan1)#exit Switch (Config)#exit Switch#copy tftp: //10.1.1.1/nos.img nos.img...
Page 100 DCS-3950 series Ethernet switch manual DCS-3950: Switch(Config)#inter vlan 1 Switch(Config-If-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-If-Vlan1)#no shut Switch(Config-If-Vlan1)#exit Switch(Config)#ftp-server enable Switch(Config)# ip ftp-server username Switch password 0 Password PC side: Start the FTP server software on the PC and set the username ‘Switch’, and the password ‘Password’,use the IS or DIR command:...
Page 101 DCS-3950 series Ethernet switch manual PC side: Start the FTP server software on the PC and set the username ‘Switch’, and the password ‘Password’. DCS-3950： Switch(Config)#inter vlan 1 Switch(Config-If-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-If-Vlan1)#no shut Switch(Config-If-Vlan1)#exit Switch(Config)#dir ftp://Switch:Password@10.1.1.1 220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
Page 102 DCS-3950 series Ethernet switch manual timeout Time for the timeout timer. Retry Times Number of times to retries to retransmit data packets. 5.5.2.4.1.2 show tftp Command: show tftp Function: TShow configuration of TFTP server. Default: TFTP debug information is disabled by default.
Page 103: System Log
DCS-3950 series Ethernet switch manual write ok 150 Opening ASCII mode data connection for nos.img (1526037 bytes). 226 Transfer complete. If the switch is upgrading system file or system start up file through FTP, the switch must not be restarted until ‘close ftp client’ or ‘226 Transfer complete.’ is displayed, indicating upgrade is successful, otherwise the switch may be rendered unable to start.
Page 104 DCS-3950 series Ethernet switch manual filter the information because of its ability to do fine-grain classification. Its combination with Debug program provides a powerful support for the network managers and developers to monitor the operation of network and diagnose the problems of network.
Page 105: System Log Configuration
DCS-3950 series Ethernet switch manual Attention：By default the system log is disabled. When it is enabled, because of the classification and output of the information, especially when there is a large amount of information under processing, the system performance will be affected.
Page 106 DCS-3950 series Ethernet switch manual this function. 3. Set the output channel of the user’s terminal Command Description Privileged configuration mode Open the output channel of the user’s logging monitor terminal. Prefixing the command with a ‘no’ no logging monitor will disable this function.
Page 107: Clear Logging
DCS-3950 series Ethernet switch manual 5.6.2.2.1 clear logging Command: clear logging Function: Log in the log buffers can be cleared through this command. Command mode: Admin Mode Usage Guide: This command is used to clear all the information in the log buffer zone.
Page 108 DCS-3950 series Ethernet switch manual no logging <ip-addr> Function: This command is used to enable certern hosts to be output channel for logging information. If no is put in front of the command, logging host configurations will be removed. Parameters: <ip-addr> is the IP address for the host to receive the logs.
Page 109 DCS-3950 series Ethernet switch manual 5.6.2.2.7 logging source Command: logging source {default|m_shell|sys_event} channel {console|logbuff| loghost|monitor} [ level {critical|debugging|notifications|warnings} [state {on|off}]] no logging source {default|m_shell|sys_event} channel {console|logbuff| loghost|monitor } Function: This command is used to add or remove logging source path.
Page 110: System Log Configuration Example
DCS-3950 series Ethernet switch manual 5.6.3 System Log Configuration Example When managing VLAN the IPv4 address of the switch is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5. It is required to send the log information with a severity equal to or higher than warnings to this log server and save in the log record equipment local1, Output the log information of a module shell if its Severity Level is warning or critical.
Page 111: Show Logging Buffered
DCS-3950 series Ethernet switch manual Filter Items: Module State Servirity shell debugging Relative Command：logging on 5.6.4.1.2 show logging buffered Command：show logging buffered [<buffersize>] Function：Display detailed information of the channel of the log buffer Parameters：<buffersize> is the number of the log message to display Command mode：Privileged configuration mode.
Page 112: Classified Configuration
DCS-3950 series Ethernet switch manual Command mode：Privileged configuration mode. Example: Switch# erase logging lastFailureInfo Relative Command：show logging lastFailureInfo 5.6.4.2 System Log troubleshooting Please check the following causes if any problem happens when using the system log： Check if the global log switch is on.
Page 113 DCS-3950 series Ethernet switch manual To set the password for logging to the enable password level {visitor|admin} configuration mode. 5.7.2.2 Classified Configuration Command list 5.7.2.2.1 Enable Command: Enable [level {visitor|admin} [<password>]] Function: Specify the security level for a user to access the switch, guest vistor or administrator.
Page 114: Port Isolation
DCS-3950 series Ethernet switch manual Function: Disable the passwords Command mode: Global Mode. Parameters: <enable_password> is the password to be removed. Default: None Usage Guide: if <enable_password> is not configured, and the password to be deleted is for the admin user, then interactive dialog will be entered. If the password to be deleted belongs to visitor, the <enabled_password>...
Page 115 DCS-3950 series Ethernet switch manual 1. Set the uplink port Command Explanation Enable or disable the port isolation isolate-port allowed ethernet function. A uplink port list is needed to <InterfaceList> enable it. This command can be called no isolate-port allowed [ethernet more than once to set or cancel uplink <InterfaceList>]...
Page 116: Chapter 6 Cluster Configuration
DCS-3950 series Ethernet switch manual Chapter 6 Cluster Configuration 6.1 Introduction to Cluster Network Management Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch).
Page 117 DCS-3950 series Ethernet switch manual Enable or disable cluster function Create cluster 1) Create or delete cluster 2) Configure private IP address pool for member switches of the cluster 3) Add or remove a member switch Configure attributes of the cluster in the commander switch...
Page 118: Clustering Configuration Command List
DCS-3950 series Ethernet switch manual Enable or disable adding newly discovered cluster auto-add enable candidate switch to the cluster no cluster auto-add enable cluster holdtime < second> Set holdtime of heartbeat of the cluster no cluster holdtime Set interval of sending heartbeat packets cluster heartbeat <interval>...
Page 119 DCS-3950 series Ethernet switch manual Switch (Config)#no cluster run 6.2.2.2 cluser register timer Command: cluster register timer <time-value> no cluster register timer Function: Set interval of sending cluster register packet, the ‘no cluster register timer’ command restores the default setting.
Page 120: Cluster Member
DCS-3950 series Ethernet switch manual Default: There is no cluster by default. Command mode: Global Mode Usage Guide: This command sets the switch as a commander switch and creates a cluster. Before executing this command, users must configure a private IP address pool. If users executes this command again, the cluster’s name will be changed and this...
Page 121: Rcommand Member
DCS-3950 series Ethernet switch manual Command mode: Global Mode Usage Guide: When this command is executed in the commander switch and the commander switch receives the cluster register packets sent by the new switch, the commander switch adds the candidate switch to the cluster. If this command is executed in a non-commander switch, an error will be displayed.
Page 122: Cluster Holdtime
DCS-3950 series Ethernet switch manual Parameter: <mem-id> is the cluster ID of the member switch, valid rang is 1 to 23. Users can use ‘-’ or ‘;’ to input many <mem-id>. Default: None. Command mode: Admin Mode. Instructions: In the commander switch, users can use this command to reset a member switch.
Page 123 DCS-3950 series Ethernet switch manual Function: In the commander switch, set holdtime of heartbeat of the cluster; the ‘no cluster holdtime’ command restores the default setting. Parameter: <second> is the holdtime of heartbeat of the cluster, valid range is 20 to 65535.
Page 124: Cluster Configuration Example
DCS-3950 series Ethernet switch manual 6.3 Cluster configuration Example Master 网络工作站网络工作站 Switch n Switch 1 Switch 2 Switch 3 Switch 4 …... 2000E 2000E Switch 5 Switch 6 Switch 7 Switch 8 Personal Personal Personal Personal Personal Personal Computer...
Page 125: Cluster Administration Troubleshooting
DCS-3950 series Ethernet switch manual 6.4 Cluster Administration Troubleshooting 6.4.1 Monitor and Debug Command List 6.4.1.1 show cluster Command: show cluster Function: Display the basic information of the member or command switch Parameter: None Default: None. Command mode: Admin Mode Usage Guide: The system will process this command separately for command switch, member switch and candidate switch.
Page 126: Show Cluster Candidates
DCS-3950 series Ethernet switch manual number of members that are down. Time since last status change Time since last status change. Heartbeat interval Interval for heartbeat. Heartbeat hold-time Hold-time for heartbeat. For the member switch Description Member switch for cluster <clustername>...
Page 127: Show Cluster Members
DCS-3950 series Ethernet switch manual 6.4.1.3 show cluster members Command: show cluster members Function: Display the statistic information of the joined members on the switch. Parameters: None. Default: None. Command mode: Admin Mode. Usage Guide: Executing this command on the switch will display the information of the joined member switches If this command is not executed on the command switch, error will be returned.
Page 128: Cluster Administration Troubleshooting
DCS-3950 series Ethernet switch manual 6.4.1.5 debug cluster packets Command: debug cluster packets {register|build|heartbeat} {in|out} [detail] no debug cluster packets {register|build|heartbeat} {in|out} [detail] Function: Enable the debugging message of cluster admin receiving and sending packets; the ‘no’ form of this command disables the enabled debugging messages.
Page 129: Chapter 7 Port Configuration
7.1 Port Introduction Fig 7-1 Ports on DCS-3950-28CT The ports on DCS-3950 series are showed in the above picture (take DCS-3950-28CT as an example). DCS-3950-28CT provides 24＋2＋2 ports, 24 of which are 10/100Base-TX ethernet interfaces with fixed configuration, 2 of which are 1000Base-TX/1000Base-FX single/multi mode interfaces, the other 2 of which are 1000Base-TX stack interfaces.
Page 130 DCS-3950 series Ethernet switch manual （1） Configure combo mode for combo ports （2） Enable/Disable ports （3） Configure port names （4） Configure port cable types （5） Configure port speed and duplex mode （6） Configure bandwidth control （7） Configure traffic control （8） Enable/Disable port loopback function （9）...
Page 131 DCS-3950 series Ethernet switch manual combo-forced-mode {copper-forced | copper-prefered-auto | sfp-forced | Sets combo port mode sfp-prefered-auto } no combo-forced-mode 3. Set the packet suppression function Command Explanation Port configuration mode Enable the packet suppresntion function of the switch, and set the max data traffic packet-suppression <packets>...
Page 132 DCS-3950 series Ethernet switch manual multicasted flow. brmcdlf is for boradcasted or multicasted or DLF flow. all is for all types of flow. Command mode: Interface Mode Default: Frame is delivered at line speed by default. Usage Guide: With this command, bandwidth can be controlled for specific flow types. All ports in the switch belong to a same broadcast domain if no VLAN has been set.
Page 133 DCS-3950 series Ethernet switch manual sfp-prefered-auto } no combo-forced-mode Function: Set to combo port mode (combo ports only); the ‘no combo-forced-mode’ command restores to default combo mode for combo ports, i.e., fiber ports first. Parameters: copper-forced forces use of copper cable port; copper-preferred-auto for copper cable port first;...
Page 134: Flow Control
DCS-3950 series Ethernet switch manual Example: Set ports 0/1/1,0/2/1 to fiber-forced Switch(Config)#interface ethernet 0/1/1;0/2/1 Switch(Config-Port-Range)#combo-forced-mode sfp-forced 7.2.1.2.5 flow control Command: flow control no flow control Function: Enable the flow control function for the port: the ‘no flow control’ command disables the flow control function for the port.
Page 135 DCS-3950 series Ethernet switch manual normally. Example: Enable loopback test in Ethernet ports 0/0/1 -8. Switch(Config)#interface ethernet 0/0/1-8 Switch(Config-Port-Range)#loopback 7.2.1.2.8 mdi Command: mdi {auto|across|normal} no mdi Function: Set the cable types supported by the Ethernet port; the ‘no mdi’ command sets the cable type to auto-identification.
Page 136 DCS-3950 series Ethernet switch manual Function: Shut down the specified Ethernet port; the ‘no shutdown’ command opens the port. Command mode: Interface Mode . Default: Ethernet port is open by default. Usage Guide: When Ethernet port is shut down, no data frames are sent in the port, and the port status displayed when the user types the ‘show interface’...
Page 137: Vlan Interface Configuration
DCS-3950 series Ethernet switch manual 7.2.2 VLAN Interface Configuration 7.2.2.1 VLAN Interface Configuration Task List Enter VLAN Mode Configure the IP address for VLAN interface and enable VLAN interface. 1. Enter VLAN Mode Command Explanation Global Mode Enters VLAN Interface Mode; the ‘no interface vlan <vlan-id>...
Page 138: Port Mirroring Configuration
DCS-3950 series Ethernet switch manual 7.2.2.2.2 ip address Command: ip address <ip-address> <mask> [secondary] no ip address [<ip-address> <mask>] [secondary] Function: Set the IP address and mask for the switch; the ‘no ip address [<ip-address> <mask>][secondary]’ command deletes the specified IP address setting.
Page 139: Port Mirroring Configuration Task List
RMON monitoring instrument is often attached to the mirror destination port to monitor and manage the network and diagnostic. DCS-3950 series switch support one mirror destination port only. The number of mirror source ports are not limited, one or more may be used. Multiple source ports can be within the same VLAN or across several VLANs.
Page 140 DCS-3950 series Ethernet switch manual source port ;both refers to the flow both into and out from the mirror source Command mode: Global Mode Usage Guide：This command is for configuring the source port of the mirror. There is no limitation on the DCS-3950 to the mirror source port, which can be one port or many ports, and not only can the bilateral flow be sent out from or received into the mirror source port, but also the sent and received flows are available on single mirror source port.
Page 141: Show Monitor
DCS-3950 series Ethernet switch manual 7.2.3.5.1 show monitor Command：show monitor Function：Display the source and destination port information of the image. Command mode：Admin Mode Usage Guide: Information about source and destination port can be displayed by this command. Example: Switch#show monitor...
Page 142: Port Configuration Example
DCS-3950 series Ethernet switch manual only or choose a port with greater throughput as the destination port. 7.3 Port Configuration Example Fig 7-2 Port Configuration Example Use default VLAN1 since VLAN is not configured on all of the switches. Switch...
Page 143: Port Troubleshooting
DCS-3950 series Ethernet switch manual 7.4 Port Troubleshooting 7.4.1 Monitor and Debug Command List 7.4.1.1 clear counters ethernet Command: clear counters [ethernet <interface-list>] Function：Clear counters information on Ethernet interface Parameters：<interface-list>is the port ID of Ethernet Command mode：Admin Mode Default: Do not delete the counters information on Ethernet interface Usage Guide: If interface name is not specified, all the interface statistics will be cleared.
Page 144 DCS-3950 series Ethernet switch manual Interface Link/Protocol Speed Duplex Vlan Type Alias Name 0/0/1 UP/UP f-100M f-full G-TX 0/0/2 UP/UP a-100M a-full trunk G-TX 0/0/3 UP/DOWN auto auto G-TX 0/0/4 A-Down/DOWN auto auto G-TX information meaning showed Interface Detail port number, no Ethernet prefix.
Page 145 DCS-3950 series Ethernet switch manual 0/0/4 information meaning showed Interface detail port number, no Ethernet prefix. IN / OUT direction Unicast Quantity of uicast BroadCast Quantity of broadcast MultiCast Quantity of multicast 7.4.1.5 show interface ethernet counter rate Command：show interface ethernet counter rate Function：Show all Ethernet port rate counter information, for 5 minutes and 5 seconds...
Page 146 DCS-3950 series Ethernet switch manual Command：show interface ethernet counter Function：Show all Ethernet port packet and rate counter information. Parameters：None. Command mode：Admin Mode Usage Guide：first show packet counter information, and then rate counter information. Example：Show Ethernet port counter information. Switch#show interface ethernet counter...
Page 147: Chapter 8 Mac Table Configuration
DCS-3950 series Ethernet switch manual Chapter 8 MAC Table Configuration 8.1 Introduction to MAC Table MAC table is a table identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
Page 148: Forward Or Filter
PC1 and PC2 belongs to a same physical segment (same collision domain), the physical segment connects to port 5 of DCS-3950 series switch; PC3 and PC4 belongs to the same physical segment that connects to port 12 of DCS-3950 series switch.
Page 149: Mac Address Table Configuration Command List
DCS-3950 series Ethernet switch manual If PC1 sends a message to PC3, the switch will forward the data received on port 5 from port 12. 2. Filter data according to the MAC table If PC1 sends a message to PC2, the switch, on checking the MAC table, will find PC2 and PC1 are in the same physical segment and filter the message (i.e.
Page 150: Mac-Address-Table
To be mentioned, the actual aging time for MAC address entries will be 1~1.5 times of the value set by this command for DCS-3950 series switch. If no packets are received from the MAC address in the table, the address will be aged, and its corresponding entry in the address table will be removed.
Page 151: Mac-Address-Table Blackhole
DCS-3950 series Ethernet switch manual ethernet 0/0/5 8.2.3 mac-address-table blackhole Command：mac-address-table blackhole address <mac-addr> vlan <vlan-id > no mac-address-table blackhole [address <mac-addr>] [vlan <vlan-id>] Function：Add or modify filtering address entries,the ‘no mac-address-table blackhole [address <mac-addr>] [vlan <vlan-id>]’ deletes filtering address entries.
Page 152: Troubleshooting
DCS-3950 series Ethernet switch manual Connect port 5 Connect port 11 Connect port 7 Connect port 9 Fig 8-2 MAC address table configuration example Scenario: Four PCs as shown in the above figure connect to port 5, 7, 9, 11 of switch, all the four PCs belong to the default VLAN1.
Page 153: Troubleshooting
DCS-3950 series Ethernet switch manual 8.4.1.1 show mac-address-table Command: show mac-address-table [static|aging-time|blackhole|count] [address <mac-addr>] [vlan <vlan-id>] [interface <interface-name>] Parameter: static entry; aging-time address aging time; blackhole filtering entry; count address counter; <mac-addr> entry’s MAC address; <vlan-id> entry’s VLAN number; <interface-name> entry’s interface name Command mode: Admin Mode Default: MAC address table is not displayed by default.
Page 154 DCS-3950 series Ethernet switch manual the data stream destined for that MAC address can flow in from the binding port, data stream destined for the other MAC addresses that not bound to the port will not be allowed to pass through the port.
Page 155 DCS-3950 series Ethernet switch manual Set the maximum number of secure switchport port-security maximum MAC addresses for a port; the ‘no <value> switchport port-security maximum no switchport port-security maximum <value>‘ command restores the default <value> value. Set the violation mode for the port; the switchport port-security violation ‘...
Page 156 DCS-3950 series Ethernet switch manual no switchport port-security lock Function: Lock down the specified port. If a port is locked, the MAC address learning of the port will be disabled. If no is put in front of this command, MAC address learning will be restored.
Page 157 DCS-3950 series Ethernet switch manual 8.5.1.2.2.6 clear port-security dynamic Command: clear port-security dynamic [address <mac-addr>|interface <interface-id>] Function: Clear the Dynamic MAC addresses of the specified port. Command mode: Admin Mode Parameters: <mac-addr> stands MAC address; <interface-id> for specified port number.
Page 158 DCS-3950 series Ethernet switch manual address binding function is enabled. when the port secure MAC address exceeds the security MAC limit, if the violation mode is protect, the port only disable the dynamic MAC address learning function; while the port will be shut if at shutdown mode. Users can manually open the port with no shutdown command.
Page 159 DCS-3950 series Ethernet switch manual 8.5.1.3.1.2 show port-security interface Command: show port-security interface <interface-id> Function: Display the secure MAC addresses of the port. Command mode: Admin Mode Parameter: <interface-id>stands for the port to be displayed Default: Configuration of Security Port is not be displayed Usage Guide: This command displays the detailed configuration information for the secure port.
Page 160 DCS-3950 series Ethernet switch manual ------------------------------------------------------------------------------------------------------- Total Addresses :1 Items Notes Vlan The VLAN ID for the secure MAC Address Mac Address Secure MAC address Type Secure MAC address type Ports The port that the secure MAC address belongs to Total Addresses Current secure MAC address number in the system.
Page 161: Chapter 9 Vlan Configuration
DCS-3950 series Ethernet switch manual Chapter 9 VLAN Configuration 9.1 Introduction to VLAN VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network to separate network segments basing on functions, applications or management requirements. By this way, virtual workgroups can be formed regardless of the physical location of the devices.
Page 162: Vlan Configuration
DCS-3950 series Ethernet switch manual Enhancing network security VLAN and GVRP (GARP VLAN Registration Protocol) defined by 802.1Q are implemented in DCS-3950 series switch. The chapter will describe the use and configuration of VLAN and GVRP in details. 9.2 VLAN Configuration 9.2.1 VLAN Configuration Task List...
Page 163 DCS-3950 series Ethernet switch manual Command Explanation Interface Mode Set the current port as Trunk or Access switchport mode {trunk|access} port. 5. Set Trunk port Command Explanation Interface Mode Set/delete VLAN allowed to be crossed switchport trunk allowed vlan by Trunk. The ‘no’ command restores {<vlan-list>|all}...
Page 164: Vlan Configuration Command List
DCS-3950 series Ethernet switch manual private-vlan association Set/delete Private VLAN association <secondary-vlan-list> no private-vlan association 9.2.2 VLAN Configuration Command List 9.2.2.1 vlan Command: vlan <vlan-id> no vlan <vlan-id> Function: Create VLAN and enter the VLAN configuration mode. In VLAN mode, VLAN names can be set, and interface belonging to the VLAN can be specified.
Page 165: Switchport Mode
DCS-3950 series Ethernet switch manual front of the command, the specified port will be removed from the VLAN. Parameters: <vlan-id> is for the VLAN ID of the port to be added to the VLAN, which is limited between 1 and 4094.
Page 166: Switchport Trunk Allowed Vlan
DCS-3950 series Ethernet switch manual Switch(Config-ethernet0/0/5)#switchport mode trunk Switch(Config-ethernet0/0/5)#exit Switch(Config)#interface ethernet 0/0/8 Switch(Config-ethernet0/0/8)#switchport mode access Switch(Config-ethernet0/0/8)#exit 9.2.2.6 switchport trunk allowed vlan Command: switchport trunk allowed vlan {<vlan-list>|all} no switchport trunk allowed vlan Function: Configure VLAN lists that can go through the trunk port. If no is put in front of the command, default values will be recovered.
Page 167 DCS-3950 series Ethernet switch manual 9.2.2.8 vlan ingress enable Command: vlan ingress enable no vlan ingress enable Function: Enable the ingress rull for the VLAN, If no is put in front of the command, ingress rull well be disabled. Command mode: Port Mode.
Page 168: Typical Vlan Application
DCS-3950 series Ethernet switch manual Function: Set association of Private VLAN. If no is put in front of the command, Private VLAN association will be removed. Parameters: <secondary-vlan-list> is the list of Secondary VLANs which are associated with the Primary VLAN. There can be two kinds of Secondary VLAN, the Isolated VLAN and the Community VLAN.
Page 169 DCS-3950 series Ethernet switch manual VLAN100 VLAN200 VLAN2 Workstation Workstation IBM PC Desktop PC IBM PC Desktop PC Switch A Trunk Link Switch B VLAN200 Desktop PC VLAN100 Desktop PC VLAN2 Workstation Workstation IBM PC Fig 9-2 Typical VLAN Application Topology The existing LAN is required to be partitioned to 3 VLANs due to security and application requirements.
Page 170: Dot1Q-Tunnel Configuration
DCS-3950 series Ethernet switch manual The configuration steps are listed below: Switch A: Switch(Config)#vlan 2 Switch(Config-Vlan2)#switchport interface ethernet 0/0/2-8 Switch(Config-Vlan2)#exit Switch(Config)#vlan 100 Switch(Config-Vlan100)#switchport interface ethernet 0/0/9-15 Switch(Config-Vlan100)#exit Switch(Config)#vlan 200 Switch(Config-Vlan200)#switchport interface ethernet 0/0/16-22 Switch(Config-Vlan200)#exit Switch(Config)#interface ethernet 0/0/23 Switch(Config-Ethernet0/0/23)#switchport mode trunk...
Page 171: Dot1Q-Tunnel Configuration Task List
DCS-3950 series Ethernet switch manual Figure 9-3Typical VLAN Application Topology As shown in Fig 9-3, after being enabled on the user port, dot1q-tunnel assigns each user a SPVLAN identification (SPVID). Here the identification of user is 3. Same SPVID should be assigned for the same network user on different PEs. When packet reaches PE1 from CE1, it carries the VLAN tag 200-300 of the user internal network.
Page 172: Dot1Q-Tunnel Command List
DCS-3950 series Ethernet switch manual Configure the dot1q-tunnel function on the ports Configure the type of protocol (TPID) on the ports Configure the dot1q-tunnel type of the port. 1. Configure the dot1q-tunnel function on the ports Command Explanation Port mode...
Page 173 DCS-3950 series Ethernet switch manual Function: Configure the type (TPID) of the protocol of switch trunk port. Parameter: None. Command mode: Global Mode. Default: TPID on the port is defaulted at 8100. Usage Guide: This function is to facilitate internetworking with equipments of other manufacturers.
Page 174: Typical Applications Of The Dot1Q-Tunnel
DCS-3950 series Ethernet switch manual 9.3.3.4 show dot1q-tunnel Command: show dot1q-tunnel Function: Display the information of all the ports at dot1q-tunnel state. Parameters: None. Command mode: Admin Mode. Usage Guide: This command is used for displaying the information of the ports at dot1q-tunnel state.
Page 175: Dot1Q-Tunnel Troubleshooting
DCS-3950 series Ethernet switch manual DCS-3950 (Config-Ethernet0/0/10)#exit DCS-3950 (Config)# PE2: DCS-3950 (Config)#vlan 3 DCS-3950 (Config-Vlan3)#switchport interface ethernet 0/0/1 DCS-3950 (Config-Vlan3)#exit DCS-3950 (Config)#dot1q-tunnel enable DCS-3950 (Config)#interface ethernet 0/0/1 DCS-3950 (Config-Ethernet0/0/1)#switchport dot1q-tunnel mode customer DCS-3950 (Config-Ethernet0/0/1)#exit DCS-3950 (Config)#interface ethernet 0/0/10 DCS-3950 (Config-Ethernet0/0/10)#switchport mode trunk...
Page 176: Protocol Vlan Configuration Task List
What’s more, this method does not need additional frame tag to identify VLANs, and thus can decrease the communication traffic of the network. In DCS-3950 series, 1000bps network ports can support Protocol VLAN fucntion unconditionally, while the 100bps Ethernet ports have to be set to trunk ports to use the function.
Page 177 DCS-3950 series Ethernet switch manual Command: protocol-vlan enable no protocol-vlan enable Function: Enable the protocol VLAN. If no is put in front of the command, the command will be disabled. Command mode: Global Mode Default: Protocol VLAN is disabled by default.
Page 178: Protocol Vlan Troubleshooting
DCS-3950 series Ethernet switch manual 9.4.3.3 show protocol-vlan Command: show portocol-vlan Function: Display the configuration of Protocol-based VLAN on the switch Parameter: None Command mode: Admin Mode Usage Guide: Display the configuration of the protocol based VLAN for the switch.
Page 179 DCS-3950 series Ethernet switch manual VLAN Name Type Status Ports ---- ------------ ---------- --------- ---------------------------------------- default Static Active Ethernet0/0/1 Ethernet0/0/2 Ethernet0/0/3 Ethernet0/0/4 Ethernet0/0/5 Ethernet0/0/6 Ethernet0/0/7 Ethernet0/0/8 Ethernet0/0/9 Ethernet0/0/10 Ethernet0/0/11 Ethernet0/0/12 Ethernet0/0/13 Ethernet0/0/14 Ethernet0/0/15 Ethernet0/0/16 Ethernet0/0/17 Ethernet0/0/18 Ethernet0/0/19 Ethernet0/0/20 Ethernet0/0/21 Ethernet0/0/22...
Page 180: Chapter 10 Mstp Configuration
DCS-3950 series Ethernet switch manual Chapter 10 MSTP Configuration 10.1 Introduction to MSTP The MSTP (Multiple STP) is a new spanning-tree protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged-LAN. It calculates a common and internal spanning tree (CIST) for the bridge-LAN which consists of the bridges running the MSTP, the RSTP and the STP.
Page 181: Port Roles
DCS-3950 series Ethernet switch manual Fig 10-1 Understanding the CIST and MST Region In the above network, if the bridges are running the STP other the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a bridge.
Page 182: Mstp Load Balance
DCS-3950 series Ethernet switch manual CIST port roles: root port, designated port, alternate port and backup port On top of those roles, each MSTI port has one new role: master port. The port roles in the CIST (root port, designated port, alternate port and backup port) are defined in the same ways as those in the RSTP.
Page 183 DCS-3950 series Ethernet switch manual no spanning-tree mst <instance-id> priority Interface Mode spanning-tree mst <instance-id> cost <cost> Set port path cost for specified instance no spanning-tree mst <instance-id> cost spanning-tree mst <instance-id> port-priority <port-priority> Set port priority for specified instance no spanning-tree mst <instance-id>...
Page 184 DCS-3950 series Ethernet switch manual spanning-tree maxage <time> Set Aging time for BPDU messages no spanning-tree maxage Set Maximum number of hops of BPDU spanning-tree max-hop <hop-count> messages in the MSTP region no spanning-tree max-hop 5. Configure the fast migrate feature for MSTP...
Page 185: Mstp Command List
DCS-3950 series Ethernet switch manual Enable: the spanning-tree flush once the topology changes. Disable:the spanning tree don’t flush spanning-tree tcflush enable when the topology changes. spanning-tree tcflush disable Protect: the spanning-tree flush every ten spanning-tree tcflush protect seconds no spanning-tree tcflush ‘no spanning-tree tcflush’...
Page 186: Instance Vlan
DCS-3950 series Ethernet switch manual 10.2.2.3 instance vlan Command: instance <instance-id> vlan <vlan-list> no instance <instance-id> [vlan <vlan-list>] Function: In MSTP region mode, create the instance and set the mappings between VLANs and instances; the command ‘no instance <instance-id> [vlan <vlan-list>]’...
Page 187 DCS-3950 series Ethernet switch manual no revision-level Function: In MSTP region mode, this command is to set revision level for MSTP configuration; the command ‘no revision-level’ restores the default setting to 0. Parameter: <level> is revision level. The valid range is from 0 to 65535.
Page 188 DCS-3950 series Ethernet switch manual Switch(Config)#spanning-tree forward-time 20 10.2.2.8 spanning-tree hello-time Command: spanning-tree hello-time <time> no spanning-tree hello-time Function: Set switch Hello time; The command ‘no spanning-tree hello-time’ restores the default setting. Parameter: <time> is Hello time in seconds. The valid range is from 1 to 10.
Page 189 DCS-3950 series Ethernet switch manual Usage Guide: The lifetime of BPDU is called max age time. The max age is co working with hello time and forward delay. The parameters should meet the following conditions. Otherwise, the MSTP may work incorrectly.
Page 190 DCS-3950 series Ethernet switch manual Function: Set the spanning-tree mode in the switch; The command ‘no spanning-tree mode’ restores the default setting. Parameter: mstp sets the switch in IEEE802.1s MSTP mode; stp sets the switch in IEEE802.1D STP mode. Command mode: Global Mode Default: The switch is in the MSTP mode by default.
Page 191 DCS-3950 series Ethernet switch manual Command mode: Interface Mode Default: By default, the port cost is relevant to the port bandwidth. Port Type Default Path Cost Suggested Range 10Mbps 2000000 2000000~20000000 100Mbps 200000 200000~2000000 1Gbps 20000 20000~200000 10Gbps 2000 2000~20000...
Page 192 DCS-3950 series Ethernet switch manual Function: Set the bridge priority for the specified instance; The command ‘no spanning-tree mst <instance-id> priority’ restores the default setting. Parameters: <instance-id> sets instance ID. The valid range is from 0 to 48; <bridge-priority> sets the switch priority. The valid range is from 0 to 61440. The value should be the multiples of 4096, such as 0, 4096, 8192…61440.
Page 193 DCS-3950 series Ethernet switch manual Usage Guide: When a port is set to be a boundary port, the port converts its status from discarding to forwarding without bearing forward delay. Once the boundary port receives the BPDU, the port becomes a non-boundary port.
Page 194 DCS-3950 series Ethernet switch manual 10.2.2.21 spanning-tree digest-snooping Command: spanning-tree digest-snooping no spanning-tree digest-snooping Function: Configure the port to use the authentication string of partner port .the command ‘no spanning-tree digest-snooping’restores to use the port generated authentication string. Default: Don’t use the authentication string of partner port .
Page 195: Mstp Configuration Example
DCS-3950 series Ethernet switch manual Note: For the complicated network, especially need to switch from one spanning tree branch to another rapidly, the disable mode is not recommended. Example: Switch(Config)#spanning-tree tcflush disable Switch(Config)# 10.2.2.23 spanning-tree tcflush (port mode) Command: spanning-tree tcflush {enable| disable| protect} no spanning-tree tcflush Function: Configure the spanning-tree flush mode for port once the topology changes .
Page 196 DCS-3950 series Ethernet switch manual Figure 10-2 Typical MSTP Application Scenario The connections among the switches are shown in the above figure. All the switches run in the MSTP mode by default, their bridge priority, port priority and port route cost are all in the default values (equal).
Page 197 DCS-3950 series Ethernet switch manual By default, the MSTP establishes a tree topology (in blue lines) rooted with SwitchA. The ports marked with ‘x’ are in the discarding status, and the other ports are in the forwarding status. Configurations Steps: Step 1: Configure port to VLAN mapping: Create VLAN 20, 30, 40, 50 in SW2, SW3 and SW4.
Page 198 DCS-3950 series Ethernet switch manual SW3(Config)#vlan 40 SW3(Config-Vlan40)#exit SW3(Config)#vlan 50 SW3(Config-Vlan50)#exit SW3(Config)#spanning-tree mst configuration SW3(Config-Mstp-Region)#name mstp SW3(Config-Mstp-Region)#instance 3 vlan 20;30 SW3(Config-Mstp-Region)#instance 4 vlan 40;50 SW3(Config-Mstp-Region)#exit SW3(Config)#interface e 0/0/1-7 SW3(Config-Port-Range)#switchport mode trunk SW3(Config-Port-Range)#exit SW3(Config)#spanning-tree SW3(Config)#spanning-tree mst 3 priority 0 On SW4:...
Page 199 DCS-3950 series Ethernet switch manual discarding. The other ports are the status of forwarding. Because the instance 3 and the instance 4 are only valid in the MSTP region, the following figure only shows the topology of the MSTP region.
Page 200: Mstp Troubleshooting
DCS-3950 series Ethernet switch manual Figure 10-4 The Topology Of the Instance 3 after the MSTP Calculation Figure 10-5 The Topology Of the Instance 4 after the MSTP Calculation 10.4 MSTP Troubleshooting 10.4.1 Monitor and Debug Command List 10.4.1.1 show spanning-tree Command: show spanning-tree [mst [<instance-id>]] [interface <interface-list>]...
Page 201 DCS-3950 series Ethernet switch manual ########################### Instance 0 ########################### Self Bridge Id : 32768 - 00:03:0f:01:0e:30 Root Id : 16384.00:03:0f:01:0f:52 Ext.RootPathCost : 200000 Region Root Id : this switch Int.RootPathCost : 0 Root Port ID : 128.1 Current port list in Instance 0:...
Page 202 DCS-3950 series Ethernet switch manual Bridge MAC Bridge MAC address Bridge Times Max Age, Hello Time and Forward Delay of the bridge Force Version Version of STP Instance Information Self Bridge Id The priority and the MAC address of the current bridge for the...
Page 203 DCS-3950 series Ethernet switch manual ---------------------------------- 10.4.1.3 show mst-pending Command: show mst-pending Function: In the MSTP region mode, display the configuration of the current MSTP region. Command mode: MSTP region mode Usage Guide: In the MSTP region mode, display the configuration of the current MSTP region such as MSTP name, revision, VLAN and instance mapping.
Page 204: Mstp Troubleshooting
DCS-3950 series Ethernet switch manual 10.4.2 MSTP Troubleshooting In order to run the MSTP on the switch port, the MSTP has to be enabled globally. If the MSTP is not enabled globally, it can’t be enabled on the port. The MSTP parameters co work with each other, so the parameters should meet the following conditions.
Page 205: Chapter 11 Igmp Snooping
DCS-3950 series switch provides IGMP Snooping and is able to send a query from the switch so that the user can use DCS-3950 series switch in IP multicast.
Page 206 DCS-3950 series Ethernet switch manual <vlan-id> ‘command will disalbe IGMP function on the sepcified vlan. Set the max number of the groups IGMP Ip igmp snooping vlan < vlan-id > limit snooping can join and the max number of {group <g_limit> | source <s_limit>} sources each group can have.’...
Page 207: Igmp Snooping Configuration Command List
DCS-3950 series Ethernet switch manual the ‘No ip igmp snooping vlan <vlan-id> tatic-group <multicast-IPAddress> tatic-group <multicast-IPAddress> interface interface {[ethernet|port-channel] {[ethernet|port-channel] <interfaceName> <interfaceName> command will cancel the configuration. No ip igmp snooping vlan <vlan-id> tatic-group <multicast-IPAddress> interface {[ethernet|port-channel] <interfaceName> 11.2.2 IGMP Snooping configuration Command List 11.2.2.1 ip igmp snooping...
Page 208: Ip Igmp Snooping Vlan Limit
DCS-3950 series Ethernet switch manual Command: ip igmp snooping vlan <vlan-id> immediate-leave no ip igmp snooping vlan <vlan-id> immediate-leave Function: Enable the IGMP fast leave function for the specified VLAN: the ‘no ip igmp snooping vlan <vlan-id> immediate-leave’ command disables the IGMP fast leave function.
Page 209: Ip Igmp Snooping Vlan Mrpt
DCS-3950 series Ethernet switch manual Command mode: Global Mode Default: IGMP Snooping is disabled by default. Usage Guide: When number of joined group reaches the limit, new group requesting for joining in will be rejected for preventing hostile attacks. To use this command, IGMP snooping must be enabled on vlan.
Page 210 DCS-3950 series Ethernet switch manual To use this command, IGMP Snooping of this vlan should be enabled previously. Example: Switch(config)#ip igmp snooping vlan 2 mrpt 100 Switch(config)#ip igmp snooping vlan 2 mrpt 100 11.2.2.8 ip igmp snooping vlan query-interval Command: ip igmp snooping vlan <vlan-id> query-interval <value>...
Page 211: Igmp Snooping Example
DCS-3950 series Ethernet switch manual Example: Switch(config)#ip igmp snooping vlan 2 query- robustness 3 11.2.2.11 ip igmp snooping vlan suppression-query-time Command: ip igmp snooping vlan <vlan-id> suppression-query-time <value> no ip igmp snooping vlan <vlan-id> suppression-query-time Function: Configure the suppression query time. The ‘no ip igmp snooping vlan <vlan-id>...
Page 212 DCS-3950 series Ethernet switch manual Fig 11-1 Enabling IGMP Snooping function Example: As shown in the above figure, a VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to port 2, 6, 10, 12 respectively and the multicast router is connected to port 1.
Page 213 DCS-3950 series Ethernet switch manual Scenario 2：IGMP L2-general-querier Fig 11-2 The switches as IGMP Queries The configuration of Switch2 is the same as the switch in scenario 1, SwitchA takes the place of Multicast Router in scenario 1. Let’s assume VLAN 60 is configured in SwitchA, including ports 1, 2, 6, 10 and 12.
Page 214: Igmp Snooping Troubleshooting
DCS-3950 series Ethernet switch manual Multicast Configuration The same as scenario 1. IGMP Snooping listening result: Similar to scenario 1. 11.4 IGMP Snooping Troubleshooting 11.4.1 IGMP Snooping Monitor and Debug Command List 11.4.1.1 debug igmp snooping all/packet/event/timer/mfc Command：debug igmp snooping all/packet/event/timer/mfc no debug igmp snooping all/packet/event/timer/mfc Function：Enable the IGMP Snooping debug switch of the switch;...
Page 215 DCS-3950 series Ethernet switch manual is enabled. Igmp snooping is turned on for Which vlans of the switch enable igmp snooping vlan 1(querier) function, and whether they are l2-general-queriers 2. Display the detailed information of IGMP Snooping of vlan1 Switch#show ip igmp snooping vlan 1...
Page 216: Igmp Snooping Troubleshooting
DCS-3950 series Ethernet switch manual Command: show mac-address-table multicast Function: Show the multicast MAC address table messages Parameter: None Command mode: Admin Mode Default: Not showing the multicast MAC address and port mapping by system default Usage Guide: This command shows multicast MAC address table messages of current...
Page 217: Chapter 12 Multicast Vlan Configuration
DCS-3950 series Ethernet switch manual Chapter 12 Multicast VLAN Configuration 12.1 Multicast VLAN Introduction Based on the current multicast program ordering method, when users in different VLANs order programs, each VLAN will copy a multicast stream within itself. This method will waste lots of bandwidth.
Page 218: Multicast Vlan Configuration Command List
DCS-3950 series Ethernet switch manual <vlan-id>‘ command will disable the IGMP Snooping function of the multicast vlan. Start the IGMP Snooping function. The ‘no ip igmp snooping ip igmp snooping‘ command will disable the no ip igmp snooping IGMP Snooping function globally.
Page 219: Multicast Vlan Example
DCS-3950 series Ethernet switch manual Switch(config)#vlan 2 Switch (Config-Vlan2)#multicast-vlan Switch (Config-Vlan2)# multicast-vlan association 3, 4 12.3 Multicast VLAN Example SWITCHB SWITCHA Work Station Fig 12-1 The function configuration of multicast VLAN As showed in the picture above, multicast server connects to a 3-layer switch switchA via port 0/0/1,and the port 0/0/1 belongs to the vlan10 of the switch.
Page 220 DCS-3950 series Ethernet switch manual SwitchB (config)#vlan 100 SwitchB (config-vlan100)#switchport access ethernet 0/0/15 SwitchB (config-vlan100)exit SwitchB#config SwitchB (config)#vlan 101 SwitchB (config-vlan101)#switchport access ethernet 0/0/20 SwitchB (config-vlan101)exit SwitchB (config)# interface ethernet 0/0/10 SwitchB (Config-Ethernet0/0/10)#switchport mode trunk SwitchB (Config-Ethernet0/0/10)#exit SwitchB (config)#vlan 20...
Page 221: Chapter 13 Dcscm Configuraion
DCS-3950 series Ethernet switch manual Chapter 13 DCSCM Configuraion 13.1 DCSCM Introduction DCSCM（security control multicast）technology includes three respects: multicast source controllabillity, multicast users controllabillity and the service-priority-oriented multicast policy. The DCSCM technology mainly uses the following methods to realize multicast...
Page 222 DCS-3950 series Ethernet switch manual Configuration of source control can be divided into three parts, the first is to enable the source control globally, the following is the command to do this: Command Explantation Global configuration mode Enable the source control globally, the ‘[no] ip multicast source-control’...
Page 223 DCS-3950 series Ethernet switch manual destination control, the switch will not broadcast the multicast data it receives. So, we should avoid connecting two or more other 3-layer switches to a switch with destination control enabled within one VLAN.The following is the command to configure:...
Page 224: Dcscm Command List
DCS-3950 series Ethernet switch manual 3. Configuration of mulicast policy Mulicast policy satisfies the demand of special users by designating priority for specified multicast data. What calls for attention is that multicast data can only be taken special care when it is transmitted on TRUNK . The following is the command to configure...
Page 225 DCS-3950 series Ethernet switch manual ACLs, and use wildcard character to configure address range, and also specify a host address or all address. Remarkable, ‘all address’ is 224.0.0.0/4 according to group IP address, not 0.0.0.0/0 in other access-list. Example: 0.0.0.255 Switch(Config)#access-list 5000 permit ip 10.1.1.0 0.0.0.255 232.0.0.0 0.0.0.255...
Page 226 DCS-3950 series Ethernet switch manual Command: ip multicast source-control no ip multicast source-control Function: Configure to globally enable multicast source control, the ‘no ip multicast source-control’ command restores global multicast source control disabled. Parameter: None Default: Disabled Command mode: Global Mode...
Page 227 DCS-3950 series Ethernet switch manual Command mode: Port Mode Usage Guide: The command is only working under global multicast destination-control enabled, after configuring the command, if IGMP-SPOOPING is enabled, for adding the interface to multicast group, and match configured access-list, such as matching: permit, the interface can be added, otherwise do not be added.
Page 228 DCS-3950 series Ethernet switch manual Default: None Command mode: Global Mode Usage Guide: The command is only working under global multicast destination-control enabled, after configuring the command, if IGMP-SPOOPING or IGMP is enabled, for adding the members to multicast group. If configuring multicast destination-control on specified net segment of transmitted igmp-report, and match configured access-list, such as matching permit, the interface can be added, otherwise do not be added.
Page 229: Dcscm Typical Example
DCS-3950 series Ethernet switch manual Command mode: Global Mode Usage Guide: The command configuration modifies to a specified value through the switch matching priority of specified range multicast data package, and the TOS is specified to the same value simultaneously. Carefully, the packet transmitted in UNTAG mode does not modify its priority.
Page 230: Dcscm Troubleshooting
DCS-3950 series Ethernet switch manual it will be at priority 4(usually it is a high priority, the higher might be protocol data, but if we set higher priority, when there is too much multicast data, may cause abnormal behavior of the switch protocol) 13.4 DCSCM Troubleshooting...
Page 231 DCS-3950 series Ethernet switch manual 13.4.1.3 show ip multicast policy Command: show ip multicast policy Function： Display the configured multicast policy. Parameters： None. Default：None. Command mode：Admin Mode Usage Guide: The command displays multicast policy of configuration Example: Switch#show ip multicast policy ip multicast-policy 10.1.1.0 0.0.0.255 225.0.0.0 0.255.255.255 cos 5...
Page 232: Dcscm Troubleshooting
DCS-3950 series Ethernet switch manual detail option, and access-list information applied in detail. Example: Switch (Config)#show ip multicast destination-control ip multicast destination-control is enabled ip multicast destination-control 11.0.0.0 0.255.255.255 access-group 6003 ip multicast destination-control 1 00-03-05-07-09-11 access-group 6001 multicast destination-control access-group 6000 used on interface Ethernet 0/0/1 13.4.2 DCSCM Troubleshooting...
Page 233: Chapter 14 802.1X Configuration
DCS-3950 series Ethernet switch manual Chapter 14 802.1x Configuration 14.1 Introduction to 802.1x IEEE 802.1x is a port-based network access management method, which authenticates and manages the accessing devices on the physical access level of the LAN device. The physical access level here is the ports of the switch. If the users’ devices connected to such ports can be authenticated, access to resources in the LAN is allowed;...
Page 234: Configuration
In the IEEE 802.1x application environment, DCS-3950 series is used as the access management unit, and the user connection device is the device with 802.1x client software.
Page 235 DCS-3950 series Ethernet switch manual Global Mode Enables the AAA authentication function in aaa enable the switch; the ‘no aaa enable’ command no aaa enable disables the AAA authentication function. Enables the accounting function in the aaa-accounting enable switch; the ‘no aaa-accounting enable’...
Page 236 DCS-3950 series Ethernet switch manual Sets the port access management method; dot1x port-method {macbased | the ‘no dot1x port-method’ command portbased | userbased { standard | restores MAC-based access management. advanced}} no dot1x port-method Sets the maximum number of access users dot1x max-user macbased for the specified port;...
Page 237 DCS-3950 series Ethernet switch manual disable the 802.1x freevlan function. 3. Supplicant related property configuration Command Explanation Global Mode Sets the number of EAP request/MD5 frame to be sent before the switch re-initials dot1x max-req <count> authentication on no supplicant response, the no dot1x max-req ‘no dot1x max-req’...
Page 238: Configuration Command List
DCS-3950 series Ethernet switch manual Specifies the IP address or IPv6 address and radius-server accounting host listening port number for RADIUS accounting <IPaddress> [[port {<portNum>}] server; the ‘no radius-server authentication [primary]] host <IPaddress>‘ command deletes the no radius-server accounting host RADIUS server <IPaddress>...
Page 239 DCS-3950 series Ethernet switch manual Command mode: Global Mode Default: AAA accounting is not enabled by default. Usage Guide: When accounting is enabled in the switch, accounting will be performed according to the traffic or online time for port the authenticated user is using. The switch will send an ‘accounting started’...
Page 240: Dot1X Eapor Enable
DCS-3950 series Ethernet switch manual Only the authentication request initialed by the users in the dot1x address filter table will be accepted, the rest will be rejected. Example: Add MAC address 00-01-34-34-2e-0a to the filter table of Ethernet 0/0/5. Switch(Config)#dot1x accept-mac 00-01-34-34-2e-0a interface ethernet 0/0/5 14.2.2.5 dot1x bpdu-forward enable...
Page 241: Dot1X Macfilter Enable
DCS-3950 series Ethernet switch manual Usage Guide: The 802.1x authentication for the switch must be enabled first to enable 802.1x authentication for the respective ports. If Spanning Tree or MAC binding is enabled on the port, or the port is a Trunk port or member of port aggregation group, 802.1x function cannot be enabled for that port unless such conditions are removed.
Page 242 DCS-3950 series Ethernet switch manual Command: dot1x macfilter enable no dot1x macfilter enable Function: Enables the dot1x address filter function in the switch; the ‘no dot1x macfilter enable’ command disables the dot1x address filter function. Command mode: Global Mode Default: dot1x address filter is disabled by default.
Page 243 DCS-3950 series Ethernet switch manual 14.2.2.12 dot1x max-user userbased Command: dot1x max-user userbased <number> no dot1x max-user userbased Function：Set the upper limit of the number of users allowed to access the specified port when using user-based access control mode; the ‘no dot1x max-user userbased’...
Page 244 14.2.2.15 dot1x privateclient enable Command: dot1x privateclient enable no dot1x privateclient enable Function: Enable private 802.1x messages for 802.1x client for DCS-3950 series switches. If no is put in front of the command, the private messages will be disabled. Command mode: Global Mode.
Page 245 DCS-3950 series Ethernet switch manual Usage Guide: This command is an Admin Mode command. It makes the switch to re-authenticate the client at once without waiting for re-authentication timer timeout. This command is no longer valid after authentication. Example: Enable real-time re-authentication on port 0/0/8.
Page 246 DCS-3950 series Ethernet switch manual Usage Guide: dot1x re-authentication must be enabled first before supplicant re-authentication interval can be modified. If authentication is not enabled for the switch, the supplicant re-authentication interval set will not take effect. Example: Set the re-authentication time to 1200 seconds.
Page 247 DCS-3950 series Ethernet switch manual <mask>is the subnet mask in dotted decimal notation. Command mode: Globle Mode. Default: no free resource set. Usage guide: The command is used only for dot1x port-methods user-based access management. For dot1x port-methods userbased access management, the unauthorized user can access the free-resource set by the command.
Page 248 DCS-3950 series Ethernet switch manual Command: radius-server authentication host <ip-address > [port <port-number>] [primary] no radius-server authentication host ip-address > Function: Specify the IP address and listening port number for the RADIUS server; the ‘no radius-server authentication host <IPaddress>‘ command deletes the RADIUS authentication server Parameters: <ip-address >...
Page 249 DCS-3950 series Ethernet switch manual no radius-server key Function: Specify the key for the RADIUS server (authentication and accounting); the ‘no radius-server key’ command deletes the key for RADIUS server. Parameters: <string> is a key string for RADIUS server, up to 16 characters are allowed.
Page 250: Application Example
DCS-3950 series Ethernet switch manual waiting time, the switch resends the request packet or sets the server as invalid according to the current conditions. Example: Set the RADIUS authentication timeout timer value to 30 seconds. Switch(Config)# radius-server timeout 30 14.2.2.29 radius-server realtime-accounting timer Command：radius-server realtime-accounting timer <minute>...
Page 251: Troubleshooting
DCS-3950 series Ethernet switch manual port 1812 and port 1813. The Digital China IEEE802.1x authentication client software is installed on the computer to implement IEEE802.1x authentication。 The following is the procedure of configuration: Switch(Config)#interface vlan 1↵ Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0↵...
Page 252 DCS-3950 series Ethernet switch manual .Is Server Dead = 0 .Socket No = 0 authentication server[1].Host IP = 192.168.1.218 .Udp Port = 1812 .Is Primary = 0 .Is Server Dead = 0 .Socket No = 0 accounting server sum = 2 accounting server[0].Host IP = 30.1.1.30...
Page 253 DCS-3950 series Ethernet switch manual server. Retransmit Displays the retransmission times for RADIUS server authentication packets. Dead Time Displays the down-restoration time for RADIUS server. Account Time Interval Displays accounting time interval. 14.4.1.2 show aaa authenticated-user Command: show aaa authenticated-user Function: Display the authenticated users online.
Page 254: Show Dot1X
DCS-3950 series Ethernet switch manual Parameters: authencated-user displays the authenticated users online; authencating-user displays the authenticating users. Command mode: Admin Mode Usage Guide: The statistics for RADIUS authentication users can be displayed with the ‘show radius count’ command. Example: 1. Display the statistics for RADIUS authenticated users.
Page 255 DCS-3950 series Ethernet switch manual Notify DCBI is 0 Displayed information Explanation Global 802.1x Parameters Global 802.1x parameter information free-resource Free resource reauth-enabled Whether re-authentication is enabled or not reauth-period Re-authentication interval quiet-period Silent interval tx-period EAP retransmission interval max-req...
Page 256 DCS-3950 series Ethernet switch manual no debug aaa packet {send|receive|all} interface {[ethernet] <InterfaceName>} Function：Enable the information on receiving/sending packets of aaa; the ‘no debug aaa packet {send|receive|all} interface {[ethernet] <InterfaceName>}’ command is used to disable the information on receiving/sending packets of aaa.
Page 257 DCS-3950 series Ethernet switch manual <InterfaceName>} no debug dot1x packet {send|receive|all} interface {[ethernet] <InterfaceName>} Function：Enable the information on receiving/sending packets of dot1x; the ‘ no debug dot1x packet {send|receive|all} interface {[ethernet] <InterfaceName>} ‘ command is to disable the information on receiving/sending packets of dot1x.
Page 258: Troubleshooting
DCS-3950 series Ethernet switch manual authentication state machine information； all represents all the state machine information； <InterfaceName> is the name of interface. Usage Guide: None. Example: Enable debugging for dot1x state machines. Switch#debug dot1x fsm asm interface 0/0/1 14.4.2 802.1x Troubleshooting It is possible that 802.1x be congfigured on ports and 802.1x authentication be setted...
Page 259: Chapter 15 Acl Configuration
DCS-3950 series Ethernet switch manual Chapter 15 ACL Configuration 15.1 Introduction to ACL ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access through the switches, effectively safeguarding the security of networks. The user can lay down a set of rules according to some information specific to packets, each rule describes the action for a packet with certain information matched: ‘permit’...
Page 260: Acl Configuration
DCS-3950 series Ethernet switch manual The following rules apply: An access-list can consist of several rules. Filtering of packets compares packet conditions to the rules, from the first rule to the first matched rule; the rest of the rules will not be processed.
Page 261 DCS-3950 series Ethernet switch manual Exit MAC-IP Configuration Mode 2. Configuring the packet filtering function Enable global packet filtering function Configure default action. 3. Configuring time range function Create the name of the time range Configure periodic time range Configure absolute time range 4.
Page 262 DCS-3950 series Ethernet switch manual access-list <num> {deny | permit} tcp {{<sIpAddr> <sMask>} | any-source | Creates a numbered TCP extended IP {host-source <sIpAddr>}} [s-port access rule; if the numbered extended <sPort>] {{<dIpAddr> <dMask>} | access-list of specified number does not...
Page 263 DCS-3950 series Ethernet switch manual Command Explanation Standard IP ACL Mode Exits name-based standard IP ACL Exit configuration mode （4）Configuring an name-based extended IP access-list Create an extended IP access-list basing on nomenclature Command Explanation Global Mode Creates an extended IP access-list basing on nomenclature;...
Page 264 DCS-3950 series Ethernet switch manual [no] {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source Creates an extended name-based UDP <sIpAddr>}} [sPort <s-port>] IP access rule; the ‘no’ form command {{<dIpAddr> <dMask>} | deletes this name-based extended IP any-destination | {host-destination access rule <dIpAddr>}} [d-port <dPort>]...
Page 265 DCS-3950 series Ethernet switch manual access-list <num> {deny|permit} {any-source-mac| {host-source-mac<host_smac>}|{<sm ac><smac-mask>}}{any-destination-m Creates a numbered MAC extended ac|{host-destination-mac access-list, if the access-list already <host_dmac>}|{<dmac><dmac-mask>} exists, then a rule will add to the current }[{untagged-eth2|tagged-eth2|untagge access-list; the ‘no access-list d-802.3|tagged-802.3} [<offset1> <num>‘ command deletes a numbered <length1>...
Page 266 DCS-3950 series Ethernet switch manual [no]{deny|permit}{any-source-mac|{ho st-source-mac <host_smac>}|{<smac><smac-mask>} Creates an MAC access rule matching 802.3 frame; the ‘no’ form command {any-destination-mac|{host-destinatio deletes this MAC access rule n-mac <host_dmac>}|{<dmac><dmac-mask>} } [untagged-802.3] [no]{deny|permit}{any-source-mac|{ho st-source-mac<host_smac>}|{<smac> <smac-mask>}}{any-destination-mac|{ Creates an MAC access rule matching host-destination-mac<host_dmac>}|{<...
Page 267 DCS-3950 series Ethernet switch manual access-list<num>{deny|permit}{any-s ource-mac| {host-source-mac<host_smac>}|{<sm ac><smac-mask>}} {any-destination-mac|{host-destinatio n-mac Creates a numbered mac-icmp extended <host_dmac>}|{<dmac><dmac-mask>} mac-ip access rule; if the numbered }icmp extended access-list of specified number {{<source><source-wildcard>}|any-so does not exist, then an access-list will be urce| created using this number.
Page 268 DCS-3950 series Ethernet switch manual access-list<num>{deny|permit}{any-s ource-mac| {host-source-mac<host_smac>}|{<sm ac><smac-mask>}}{any-destination-m ac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>} Creates a numbered extended mac-tcp }tcp access rule for other specific mac-tcp {{<source><source-wildcard>}|any-so protocol or all mac-tcp protocols; if the urce| numbered extended access-list of {host-source<source-host-ip>}}[s-port specified number <port1>] {{<destination><destination-wildcard>...
Page 269 DCS-3950 series Ethernet switch manual access-list<num>{deny|permit}{any-s ource-mac| {host-source-mac<host_smac>}|{<sm ac><smac-mask>}} {any-destination-mac|{host-destinatio n-mac Creates a numbered extended mac-ip <host_dmac>}|{<dmac><dmac-mask>} access rule for other specific mac-ip protocol or all mac-ip protocols; if the {eigrp|gre|igrp|ip|ipinip|ospf|{<protoco numbered extended access-list of l-num>}} specified number does not exist, then an {{<source><source-wildcard>}|any-so...
Page 270 DCS-3950 series Ethernet switch manual [no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac><smac-mask>} {any-destination-mac|{host-destinatio n-mac <host_dmac>}|{<dmac><dmac-mask>} Creates an extended name-based }icmp MAC-ICMP access rule; the ‘no’ form {{<source><source-wildcard>}|any-so command deletes this name-based urce| extended MAC-ICMP access rule {host-source<source-host-ip>}} {{<destination><destination-wildcard> }|any-destination| {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos...
Page 271 DCS-3950 series Ethernet switch manual [no]{deny|permit}{any-source-mac|{ho st-source-mac <host_smac>}|{<smac><smac-mask>} {any-destination-mac|{host-destinatio n-mac <host_dmac>}|{<dmac><dmac-mask>} Creates an extended name-based }tcp MAC-TCP access rule; the ‘no’ form {{<source><source-wildcard>}|any-so command deletes this name-based urce| extended MAC-TCP access rule {host-source<source-host-ip>}}[s-port <port1>] {{<destination><destination-wildcard> }|any-destination| {host-destination <destination-host-ip>}} [d-port <port3>] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos...
Page 272 DCS-3950 series Ethernet switch manual [no]{deny|permit}{any-source-mac|{ho st-source-mac <host_smac>}|{<smac><smac-mask>} {any-destination-mac|{host-destinatio n-mac <host_dmac>}|{<dmac><dmac-mask>} Creates an extended name-based mac-ip access rule for the other IP {eigrp|gre|igrp|ip|ipinip|ospf|{<protoco protocol; the ‘no’ form command deletes l-num>}} this name-based mac-ip extended {{<source><source-wildcard>}|any-so access rule urce| {host-source<source-host-ip>}} {{<destination><destination-wildcard>...
Page 273 DCS-3950 series Ethernet switch manual Global Mode Create a time range named time-range <time_range_name> time_range_name Stop the time range function named no time-range <time_range_name> time_range_name （2）Configure periodic time range Command Explanation Time range Mode absolute-periodic{Monday|Tuesday|W ednesday|Thursday|Friday|Saturday|S unday}<start_time>to {Monday|Tuesday|Wednesday|Thursd Configure the time range for the request...
Page 274: Aclcommand List
DCS-3950 series Ethernet switch manual Applies an access-list to the specified {ip|mac|mac-ip} access-group direction on the port; the ‘no <acl-name> {in|out} {ip|mac|mac-ip} access-group no {ip|mac|mac-ip} access-group <acl-name> {in|out}’ command deletes <acl-name> {in|out} the access-list bound to the port. 5. Clear the filtering information of the specificed port...
Page 275 DCS-3950 series Ethernet switch manual such a access-list. Parameters: <num> is the No. of access-list, 100-199; <protocol> is the No. of upper-layer protocol of ip, 0-255; <sIpAddr> is the source IP address, the format is dotted decimal notation; <sMask > is the reverse mask of source IP, the format is dotted decimal notation;...
Page 276: Firewall Default
DCS-3950 series Ethernet switch manual Command: firewall { enable | disable} Functions: Enable or disable firewall Parameters: enable means to enable of firewall; disable means to disable firewall. Default: It is no use if default is firewall Command mode: Global Mode Usage Guide: Whether enabling or disabling firewall, access rules can be configured.
Page 277 DCS-3950 series Ethernet switch manual standard<name>‘command deletes the name-based standard IPv6 access list (including all entries). Parameters: <name> is the name for access list, the character string length is from 1 to 16, And the string should contain at least one non-numeric character..
Page 278 DCS-3950 series Ethernet switch manual Command: [no] {deny | permit} icmp {{<sIpAddr> <sMask>} | any | {host <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>][time-range<time-range-name>] [no] {deny | permit} igmp {{<sIpAddr> <sMask>} | any | {host <sIpAddr>}} {{<dIpAddr>...
Page 279 DCS-3950 series Ethernet switch manual no access-list <num> Functions: Define a standard numeric MAC ACL rule, ‘no access-list <num>’ command deletes a standard numeric MAC ACL access-list rule Parameters: <num> is the access-list No. which is a decimal’s No. from 700-799; deny if rules are matching, deny access;...
Page 280 DCS-3950 series Ethernet switch manual For Offset(x), different types of data frames are with different value ranges: for untagged-eth2 type frame: <12～51> for untagged-802.2 type frame: <12～55> for untagged-eth2 type frame: <12～59> for untagged-eth2 type frame: <12～63> Command mode: Global Mode Default:No access-list configured Usage Guide: When the user assign specific <num>...
Page 281 DCS-3950 series Ethernet switch manual {any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}} [untagged-802-3] [no]{deny|permit} {any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}} [tagged-eth2 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype<protocol> [<protocol-mask>]]] [no]{deny|permit} {any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}} [tagged-802-3 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]]] Functions: Define an expansion name MAC ACL rule, and ‘no’ for this command deletes this expansion name IP access rule.
Page 282 DCS-3950 series Ethernet switch manual {{<destination><destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit} {any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}} igmp{{<source><source-wildcard>}|any| {host<source-host-ip>}} {{<destination><destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}| {<smac><smac-mask>}}{any-destination-mac|{host-destination-mac<host_dmac>}| {<dmac><dmac-mask>}}tcp{{<source><source-wildcard>}|any| {host<source-host-ip>}}[s-port<port1>]{{<destination> <destination-wildcard>}|any-destination| {host-destination <destination-host-ip>}} [d-port <port3>] [ack＋fin＋psh＋rst＋urg＋syn] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac>...
Page 283 DCS-3950 series Ethernet switch manual the IP address of network; source-wildcard: reverse of source IP. Numbers of 32-bit binary system expressed by decimal’s numbers with four-point separated, reverse mask; destination-host-ip, destination No. of destination network or host to which packets are delivered.
Page 284 DCS-3950 series Ethernet switch manual Switch(Config-MacIp-Ext-Nacl-macip_acl)# 15.3.2.15 permit | deny(mac-ip extended) Command:[no] {deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-ma sk>}} {any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}} icmp{{<source><source-wildcard>}|any|{host<source-host-ip>}} {{<destination><destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit} {any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}} igmp{{<source><source-wildcard>}|any| {host<source-host-ip>}} {{<destination><destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}| {<smac><smac-mask>}}{any-destination-mac|{host-destination-mac<host_dmac>}| {<dmac><dmac-mask>}}tcp{{<source><source-wildcard>}|any| {host<source-host-ip>}}[s-port<port1>]{{<destination>...
Page 285 DCS-3950 series Ethernet switch manual any-source-mac: any source MAC address; any-destination-mac: any destination MAC address; host_smac , smac: source MAC address; smac-mask: mask (reverse mask) of source MAC address ; host_dmac , dmas destination MAC address; dmac-mask mask (reverse mask) of destination MAC address; protocol No. of name or IP protocol. It can be a key word: eigrp, gre, icmp, igmp, igrp, ip, ipinip, ospf, tcp, or udp, or an integer from 0-255 of list No.
Page 286 DCS-3950 series Ethernet switch manual cannot exceed 16-character long. Command mode: Global Mode Default: No time-range configuration Usage Guide: None. Example: Create a time-range named dc timer. Switch(Config)#timer-range dc_timer 15.3.2.17 absolute-periodic/periodic Command: [no] absolute-periodic{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday| Sunday}<start_time>to{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday| Sunday} <end_time> [no]periodic{{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday}| daily| weekdays | weekend} <start_time> to <end_time>...
Page 287: Acl Example
DCS-3950 series Ethernet switch manual Wednesday, Friday and Sunday. Switch(Config-Time-Range)#periodic monday wednesday friday sunday 14:30:00 to 16:45:00 15.3.2.18 absolute start Command: [no]absolute start <start_time> <start_data> [end <end_time> <end_data>] Functions: Define an absolute time-range, this time-range operates subject to the clock of this equipment.
Page 288 DCS-3950 series Ethernet switch manual Switch(Config-Ethernet0/0/10)#exit Switch(Config)#exit Configuration result: Switch#show firewall Firewall is enabled. Firewall default rule is to permit any packet. Switch#show access-lists access-list 110(used 1 time(s)) access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21 Switch#show access-group interface ethernet 0/0/10 interface name:Ethernet0/0/10 the ingress acl use in firewall is 110.
Page 289: Acl Troubleshooting
DCS-3950 series Ethernet switch manual Switch #show access-group interface name:Ethernet0/0/10 MAC Ingress access-list used is 1100. Scenario 3: The user has the following configuration requirement: port 1/10 of the switch connects to 00-12-11-23-XX-XX segment, IP is 10.0.0.0/24 segment , ftp is not desired for the user.
Page 290 DCS-3950 series Ethernet switch manual Command: show access-lists [<num>|<acl-name>] Functions: Reveal ACL of configuration Parameters: <acl-name>, specific ACL name character string; <num>, specific ACL No. Default: None Command mode:Admin Mode Usage Guide: When not assigning names of ACL, all ACL will be revealed, used x time （s）indicates the times of ACL to be used.
Page 291 DCS-3950 series Ethernet switch manual Functions: Reveal tying situation of ACL on port Parameters: <name>,Interface name Default: None Command Mode: Admin mode Usage Guide: When not assigning interface names, all ACL tied to port will be revealed Example: Switch#show access-group interface name:Ethernet0/0/2 IP Ingress access-list used is 111.
Page 292: Acl Troubleshooting
DCS-3950 series Ethernet switch manual Switch#show time-range time-range timer1 (inactive) absolute-periodic Saturday 0:0:0 to Sunday 23:59:59 time-range timer2 (active) absolute-periodic Monday 0:0:0 to Friday 23:59:59 15.5.2 ACL Troubleshooting The check of list entris in ACL is a top-down behavior, once one entry is mached, the check will be finished immediately;...
Page 293: Chapter 16 Am Configuration
DCS-3950 series Ethernet switch manual Chapter 16 AM Configuration 16.1 AM Introduction AM（access management） compares the information of the received data message ( source IP address or source IP + source MAC ) with the configured hardware address pool, if founds a match, forwards the message, if not, dumps it.
Page 294: Am Command List
DCS-3950 series Ethernet switch manual Command Explanation Physical interface configuration mode am port Enable or disable the AM function of a physical interface. no am port Configure IP address on a physical am ip-pool <start_ip_address> interface. The ‘no am ip-pool [<num>]...
Page 295 DCS-3950 series Ethernet switch manual 16.3.2.2 am port Command: am port no am port Function: Enable the AM function for the physical ports. Parameters: None. Command mode: Port Mode. Default: The AM function is enabled by default. Usage Guide: Users can disable the AM function for physical ports. This command is usually used on uplink ports.
Page 296: Am Example
DCS-3950 series Ethernet switch manual Default: The MAC-IP pool is empty by default. Usage Guide: This command is used to configure MAC-IP address mapping pool. Only if the packets with source address that comply with the rule can be forwarded.
Page 297: Am Troubleshooting
DCS-3950 series Ethernet switch manual Global AM is enabled Interface Ethernet0/0/1 am is enable Interface Ethernet0/0/1 am ip-pool 10.1.1.1 8 USER_CONFIG Scenario 2 The configuration demand of the user is that the port 10 of the switch connects to the 10.1.1.0/8 segment, the administrator hopes the binding relationships between users and...
Page 298: Am Troubleshooting
DCS-3950 series Ethernet switch manual Switch#show am Global AM is enabled Interface Ethernet0/0/10 am mac-ip-pool 00-00-00-00-00-13 100.1.1.2 USER_CONFIG am mac-ip-pool 00-00-00-00-01-12 100.1.1.1 USER_CONFIG Interface Ethernet0/0/1 am ip-pool 10.1.1.1 8 USER_CONFIG Displayed information Explanation Global AM is enabled AM is enabled Only the users whose source MAC＝...
Page 299: Chapter 17 Port Channel Configuration
This algorithm is carried out by the hardware. DCS-3950 series switch offers 2 methods for configuring port aggregation: manual Port Channel creation and LACP (Link Aggregation Control Protocol) dynamic Port Channel creation.
Page 300: Port Channel Configuration
8 port groups and 8 ports in each port group are supported. Once ports are aggregated, they can be used as a normal port. DCS-3950 series switch have a built-in aggregation interface configuration mode, the user can perform related configuration in this mode just like in the VLAN and physical port configuration mode.
Page 301: Port Channelconfiguration Command List
DCS-3950 series Ethernet switch manual Interface Mode port-group <port-group-number> mode Adds ports to the port group and sets {active|passive|on} their mode. no port-group <port-group-number> 3. Enter port-channel configuration mode. Command Explanation Global Mode Enters port-channel configuration interface port-channel mode. <port-channel-number>...
Page 302: Port Channel Example
DCS-3950 series Ethernet switch manual Parameters: <port-group-number> is the group number of port channel, from 1 to 8; active enables LACP on the port and sets it in Active mode; passive enables LACP on the port and sets it in Passive mode; on forces the port to join a port channel without enabling LACP.
Page 303 DCS-3950 series Ethernet switch manual Fig 17-2 Configuring Port Channel in LACP Example: The switches in the description below are all DCS-3950 series switch and as shown in the figure, ports 1, 2, 3 of Switch1 are access ports that belong to vlan1. Add those three ports to group1 in active mode.
Page 304 DCS-3950 series Ethernet switch manual Fig 17-3 Configuring Port Channel in ON mode Example: As shown in the figure, ports 1, 2, 3 of Switch1 are access ports that belong to vlan1. Add those three port to group1 in ‘on’ mode. Ports 6, 7, 8 of Switch2 are trunk ports that also belong to vlan1, and allow all,and add the these four ports to group2 in ‘on’...
Page 305: Port Channel Troubleshooting
DCS-3950 series Ethernet switch manual to port-group 1 is entered, port 1 and port 2 aggregate to be port-channel 1, when port 3 joins port-group 1, port-channel 1 of port 1 and 2 are ungrouped and re-aggregate with port 3 to form port-channel 1. (It should be noted that whenever a new port joins in an aggregated port group, the group will be ungrouped first and re-aggregated to form a new group.) Now all four ports in both SwitchA and SwitchB are aggregated in ‘on’...
Page 306 DCS-3950 series Ethernet switch manual the general information of the port are as follows: portnumber: 1 actor_port_agg_id:0 partner_oper_sys:0x000000000000 partner_oper_key: 0x0001 actor_oper_port_key: 0x0101 mode of the port: ACTIVE lacp_aware: enable begin: FALSE port_enabled: FALSE lacp_ena: FALSE ready_n: TRUE the attributes of the port are as follows:...
Page 307 DCS-3950 series Ethernet switch manual speed_type Port speed type: 10Mbps, 100Mbps duplex_type Port duplex mode: full-duplex and half-duplex port_type Port VLAN property: access port or trunk port mux_state Status of port binding status machine rcvm_state Status of port receiving status machine...
Page 308 DCS-3950 series Ethernet switch manual LACP timeout Aggregation Synchronization Collecting Distributing Defaulted Expired Selected Unselected Displayed information Explanation portnumber Port number port priority Port Priority system System ID system priority System Priority LACP activety Whether port is added to the group in ‘active’ mode, 1 for yes.
Page 309: Port Channel Channel Troubleshooting
DCS-3950 series Ethernet switch manual Displayed information Explanation Port channels in the If port-channel does not exist, the above information will not group be displayed. Number of port Port number in the port-channel. Standby port Port that is in ‘standby’ status, which means the port is qualified to join the channel but cannot join the channel due to the maximum port limit, thus the port status is ‘standby’...
Page 310 DCS-3950 series Ethernet switch manual be in ACTIVE mode, otherwise LACP packet won’t be initiated. LACP cannot be used on ports with Security and IEEE 802.1x enabled. Once the port-channel created, all the configuration of the ports can only be applied to port-channel ports LACP should be mutually exclusive to Security and 802.1X ports, if a port has been...
Page 311: Chapter 18 Dhcp Configuration
DCS-3950 series Ethernet switch manual Chapter 18 DHCP Configuration 18.1 Introduction to DHCP DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP address dynamically from the address pool as well as other network configuration parameters such as default gateway, DNS server, and default route and host image file position within the network.
Page 312: Dhcp Server Configuration
DHCP packets so that the DHCP packets exchange can be completed between the DHCP client and server. DCS-3950 series switch can act as both a DHCP server and a DHCP relay. DHCP server supports not only dynamic IP address assignment, but also manual IP address binding (i.e.
Page 313 DCS-3950 series Ethernet switch manual network-address <network-number> Configures the address scope that can be [mask | prefix-length] allocated to the address pool no network-address default-router Configures default gateway for DHCP [address1[address2[…address8]]] clients no default-router dns-server Configures DNS server for DHCP clients [address1[address2[…address8]]]...
Page 314: Dhcp Server Configuration Command List
DCS-3950 series Ethernet switch manual Specifies the IP address to be assigned to host <address> [<mask> | the specified client when binding address <prefix-length> ] manually no host Specifies the unique ID of the user when client-identifier <unique-identifier> binding address manually...
Page 315 DCS-3950 series Ethernet switch manual 18.2.2.2 client-identifier Command: client-identifier <unique-identifier> no client-identifier Function: Specify the unique ID of the user when binding an address manually; the ‘no client-identifier’ command deletes the identifier. Parameters: <unique-identifier> is the user identifier, in dotted Hex format.
Page 316 DCS-3950 series Ethernet switch manual 10.1.128.100. Switch(dhcp-1-config)#default-router 10.1.128.2 10.1.128.100 18.2.2.5 dns-server Command: dns-server <address1>[<address2>[…<address8>]] no dns-server Function: Configure DNS servers for DHCP clients; the ‘no dns-server’ command deletes the default gateway. Parameters: address1…address8 are IP addresses, in decimal format. Default: No DNS server is configured for DHCP clients by default.
Page 317 DCS-3950 series Ethernet switch manual DHCP server assigns the IP address defined in ‘host’ command to the client. Example: Specify IP address 10.1.128.160 to be bound to the user with hardware address 00-00-e2-3a-26-04 in manual address binding. Switch(dhcp-1-config)#hardware-address 00-00-e2-3a-26-04 Switch(dhcp-1-config)#host 10.1.128.160 24 Related Command：host...
Page 318: Ip Dhcp Pool
DCS-3950 series Ethernet switch manual Related commands：clear ip dhcp conflict 18.2.2.10 ip dhcp excluded-address Command: ip dhcp excluded-address <low-address>[<high-address>] no ip dhcp excluded-address <low-address> [<high-address>] Function: Specify addresses excluding from dynamic assignment; the ‘no ip dhcp excluded-address <low-address> [<high-address>]’ command cancels the setting.
Page 319 DCS-3950 series Ethernet switch manual Usage Guide: To configure the number of ping packets to be sent. The default is two packets. Example: Configure number of ping packets to be 5. Switch(Config)#ip dhcp ping packets 5 Releated Commands: ip dhcp ping timeout 18.2.2.13 ip dhcp ping timeout...
Page 320 DCS-3950 series Ethernet switch manual Function: Set the lease time for addresses in the address pool; the ‘no lease’ command restores the default setting. Parameters: <days> is number of days from 0 to 365; <hours> is number of hours from 0 to 23;...
Page 321 DCS-3950 series Ethernet switch manual 18.2.2.18 network-address Command: network-address <network-number> [<mask> | <prefix-length>] no network-address Function: Set the scope for assignment for addresses in the pool; the ‘no network-address’ command cancels the setting. Parameters: <network-number> is the network number; <mask> is the subnet mask in the decimal format;...
Page 322: Dhcp Server Configuration Example
To save configuration efforts of network administrators and users, a company is using DCS-3950 series switch as a DHCP server. The Admin VLAN IP address is 10.16.1.2/24. The local area network for the company is divided into network A and B according to the office locations.
Page 323: Dhcp Troubleshooting
DCS-3950 series Ethernet switch manual Switch(Config)#ip dhcp pool A Switch(dhcp-A-config)#network-address 10.16.1.0 24 Switch(dhcp-A-config)#lease 3 Switch(dhcp-A-config)#default-route 10.16.1.200 10.16.1.201 Switch(dhcp-A-config)#dns-server 10.16.1.202 Switch(dhcp-A-config)#netbios-name-server 10.16.1.209 Switch(dhcp-A-config)#netbios-node-type H-node Switch(dhcp-A-config)#exit Switch(Config)#ip dhcp excluded-address 10.16.1.200 10.16.1.210 Switch(Config)#ip dhcp pool B Switch(dhcp-B-config)#network-address 10.16.2.0 24 Switch(dhcp-B-config)#lease 1 Switch(dhcp-B-config)#default-route 10.16.2.200 10.16.2.201 Switch(dhcp-B-config)#dns-server 10.16.2.202...
Page 324 DCS-3950 series Ethernet switch manual Parameters: <address> is the IP address that has a binding record in decimal format. all refers to all IP addresses that have a binding record. Command mode: Admin Mode Usage Guide: ‘show ip dhcp binding’ command can be used to view binding information for IP addresses and corresponding DHCP client hardware addresses.
Page 325 DCS-3950 series Ethernet switch manual 18.3.1.4 show ip dhcp binding Command：show ip dhcp binding Function: Display IP-MAC binding information. Command mode: Admin Mode Example: Switch#sh ip dhcp binding IP address Hardware adress Lease expiration Type 10.1.1.233 00-00-E2-3A-26-04 Infinite Manual 10.1.1.254...
Page 326 DCS-3950 series Ethernet switch manual Automatic bindings Manual bindings Conflict bindings Expiried bindings Malformed message Message Recieved BOOTREQUEST 3814 DHCPDISCOVER 1899 DHCPREQUEST DHCPDECLINE DHCPRELEASE DHCPINFORM Message Send BOOTREPLY 1911 DHCPOFFER DHCPACK DHCPNAK DHCPRELAY 1907 DHCPFORWARD Switch# Displayed information Explanation Memory usage...
Page 327: Dhcp Troubleshooting
In such case, DHCP server should be examined for an address pool that is in the same segment of the switch VLAN, such a pool should be added if not present, and (This does not indicate DCS-3950 series switch cannot assign IP address for different segments, see solution 2 for details.) In DHCP service, pools for dynamic IP allocation and manual binding are conflicting, i.e., if command ‘network-address’...
Page 328: Chapter 19 Dhcp Snooping Configuration
DCS-3950 series Ethernet switch manual Chapter 19 DHCP Snooping Configuration 19.1 DHCP Snooping Introduction DHCP Snooping can effectively block attacks from fake DHCP servers. Defense against Fake DHCP Server：once the switch intercepts the DHCP server reply packets from un-trusted ports（including DHCPOFFER, DHCPACK, and DHCPNAK）, it will alarm the users and respond according to the situation（shutdown the port or send...
Page 329 DCS-3950 series Ethernet switch manual 6. Enable dot1x binding for DHCP snooping. 7. Enable user binding for DHCP snooping. 8. Add static binding entries 9. Configure defense action 10. Enable DHCP Snooping option 82 function 11. Enable debugging. 12. Set log record 1.
Page 330 DCS-3950 series Ethernet switch manual Commands Explanation Port Mode. Enable/Disable the dot1x binding for Ip dhcp snooping binding dot1x DHCP snooping. no Ip dhcp snooping binding dot1x 7. Enable user binding for DHCP snooping. Command Explanation Port Mode Enable/Disable user binding for Ip dhcp snooping binding user-control DHCP snooping.
Page 331: Dhcp Snooping Command List
DCS-3950 series Ethernet switch manual Debug ip dhcp snooping packet Please refer to the system debugging Debug ip dhcp snooping event chapter. Debug ip dhcp snooping update Debug ip dhcp snooping binding 12. Set log record Command Explanation Admin Mode...
Page 332 DCS-3950 series Ethernet switch manual Switch(Config)#ip dhcp snooping binding enable Related Commands: ip dhcp snooping enable 19.2.2.3 ip dhcp snooping binding user Command：ip dhcp snooping binding user <mac> address <ipAddr> <mask> vlan <vid> interface [Ethernet] <ifname> no Ip dhcp snooping binding user <mac> interface [Ethernet] <ifname>...
Page 333 DCS-3950 series Ethernet switch manual prevent these lists entried from being attacked by ARP cheating. At the same time, these static list entries need no reauthenticaiton, which can prenvent the switch from the failing to reauthenticate ARP when it is being attacked by ARP scanning. Only after the DHCP SNOOPING binding function is enabled, the binding ARP function can be set.
Page 334: Ip Dhcp Snooping Trust
DCS-3950 series Ethernet switch manual 19.2.2.7 ip dhcp snooping trust Command：ip dhcp snooping trust no ip dhcp snooping trust Function： Set or delete the DHCP Snooping trust attributes of a port. Parameters：None Command mode：Port Mode Default：By default, all ports are non-trusted ports Usage Guide：Only when DHCP Snooping is globally enabled, can this command be set.
Page 335 DCS-3950 series Ethernet switch manual Parameters： <maxNum>: the number of defense action on each port, the range of which is 1-200, and the value of which is 10 by default default：recover to the default value. Command mode：Globe Mode. Default：The default value is 10.
Page 336: Dhcp Snooping Typical Applications
DCS-3950 series Ethernet switch manual udp_port：the UDP port of HELPER SERVER, the range of which is1－65535, and its default value is 9119. src_addr：the local management IP address of the switch, in dotted-decimal notation sencondary：whether it is a secondary SERVER address.
Page 337: Dhcp Snooping Troubleshooting
DCS-3950 series Ethernet switch manual un-trusted port 0/0/1 of the DCN switch. It acts as DHCP Client, and its IP is 1.1.1.5;DHCP Server and GateWay connect to the trusted ports 0/0/11 and 0/0/12 of the DCN switch; malicious user Mac-BB connects to the un-trusted port 0/0/10, trying to fake a DHCP Server （...
Page 338 DCS-3950 series Ethernet switch manual expired binding: 0, request binding: 0 interface trust action recovery alarm num bind num --------------- --------- --------- ---------- --------- ---------- Ethernet0/0/1 trust none 0second Ethernet0/0/2 untrust none 0second Ethernet0/0/3 untrust none 0second Ethernet0/0/4 untrust none...
Page 339 DCS-3950 series Ethernet switch manual DHCP Snooping alarm count: The number of alarm information. interface Name of the port trust Trust attributes of the port action Automatic defense action of the port recovery The recovery interval of the automatic defense action...
Page 340: Dhcp Snoopingtroubleshooting
DCS-3950 series Ethernet switch manual Command: logging source {default| m_shell|sys_event|anti_attack} channel { console | logbuff | loghost | monitor } [ level { critical | debugging | notifications | warnings } [state { on | off } ] ] Function： The details about this command are covered in the chapter on system log; the...
Page 341: Debug Ip Dhcp Snooping Event
DCS-3950 series Ethernet switch manual 19.3.2.2 debug ip dhcp snooping event Command：debug ip dhcp snooping event no debug ip dhcp snooping event Function： This command is used to enable the DHCP SNOOPING debug switch to debug the state of DHCP SNOOPING tasks.
Page 342: Chapter 20 Arp Guard Configuration
DCS-3950 series Ethernet switch manual Chapter 20 ARP Guard Configuration 20.1 ARP Guard introduction There is serious security vulnerability in the design of ARP protocol, which is any network device, can send ARP messages to advertise the mapping relationship between IP address and MAC address.
Page 343: Arp Guard Configuration
DCS-3950 series Ethernet switch manual 20.2 ARP Guard Configuration 20.2.1 ARP GuardConfiguration Task List 1) Configure the protected IP address Command Notes Port Mode Configure/Remove the ARP Guard arp-guard ip <addr> address. no arp-guard ip <addr> 20.2.2 ARP Guard Command List 20.2.2.1 arp-guard ip...
Page 344: Chapter 21 Arp Scanning Prevention
DCS-3950 series Ethernet switch manual Chapter 21 ARP Scanning Prevention 21.1 Introduction ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source will broadcast lots of ARP messages in the segment, which will take up a large part of the bandwidth of the network.
Page 345 DCS-3950 series Ethernet switch manual Command Notes Global Mode Enable or disable the ARP Scanning anti-arpscan enable Prevention function globally no anti-arpscan enable 2) Configure the threshold of the port-based and IP-based ARP Scanning Prevention Command Notes Global Mode anti-arpscan port-based threshold <t Set the threshold of the hreshold-value>...
Page 346: Arp Scanning Prevention Command List
DCS-3950 series Ethernet switch manual Global Mode Enable or disable the log function of ARP anti-arpscan log enable scanning prevention no anti-arpscan log enable Enable or disable the SNMP Trap anti-arpscan trap enable function of ARP scanning prevention no anti-arpscan trap enable...
Page 347 DCS-3950 series Ethernet switch manual 21.2.2.3 anti-arpscan ip-based threshold <threshold-value> Command：anti-arpscan ip-based threshold <threshold-value> no anti-arpscan ip-based threshold Function：Set the threshold of received messages of the IP-based ARP scanning prevention. If the rate of received ARP messages exceeds the threshold, the IP messages from this IP will be blocked.
Page 348 DCS-3950 series Ethernet switch manual Default：By default all the IP are non-trustful. Default mask is 255.255.255.255 Command mode：Global Mode User Guide：If a port is configured as a trusted port, then the ARP scanning prevention function will not deal with this port, even if the rate of received ARP messages exceeds the set threshold, this port will not be closed.
Page 349: Arp Scanning Prevention Troubleshooting
DCS-3950 series Ethernet switch manual Command mode：Global Mode User Guide: After enabling ARP scanning prevention log function, users can check the detailed information of ports being closed or automatically recovered by ARP scanning prevention or IP being disabled and recovered by ARP scanning prevention. The level of the log is ‘Warning’.
Page 350 DCS-3950 series Ethernet switch manual Function：Display the operation information of ARP scanning prevention function Parameters：None. Default: Display every port to tell whether it is a trusted port and whether it is closed. If the port is closed, then display how long it has been closed. Display all the trusted IP and disabled IP.
Page 351: Arp Scanning Prevention Typical Example
DCS-3950 series Ethernet switch manual 192.168.99.7 255.255.0.0 21.3.1.2 debug anti-arpscan [port|ip] Command：debug anti-arpscan <port | ip> no debug anti-arpscan <port | ip> Function：Enable the debug switch of ARP scanning prevention;’ no debug anti-arpscan <port | ip>‘ command disables the switch.
Page 352 DCS-3950 series Ethernet switch manual 192.168.1.100), and all the other ports of SWITCH A are connected to common PC. The following configuration can prevent ARP scanning effectively without affecting the normal operation of the system. SWITCH A configuration task sequence:...
Page 353: Chapter 22 Port Loopback Detection
DCS-3950 series Ethernet switch manual Chapter 22 Port Loopback Detection 22.1 Introduction to Port Loopback Detection With the development of switches, more and more users begin to access the network through Ethernet switches. In enterprise network, users access the network through layer-2 switches, which means urgent demands for both internet and the internal layer 2 Interworking.
Page 354: Port Loopback Detection Command List
DCS-3950 series Ethernet switch manual 4．Display and debug the relevant information of port loopback detection 1) Configure the time interval of loopback detection Commands Notes Global Mode Configure the time interval of loopback loopback-detection interval-time detection <loopback> <no-loopback> 2) Enable the function of port loopback detection...
Page 355 DCS-3950 series Ethernet switch manual no loopback-detection control Function：Enable the function of loopback detection control on a port, the no operation of this command will disable the function. Parameters：shutdown set the control method as shutdown, which means to close down the port if a port loopback is found.
Page 356: Port Loopback Detection Example
DCS-3950 series Ethernet switch manual Switch(Config-Ethernet0/0/2)#loopback-detection specified-vlan 1;3;5-20 22.2.2.3 loopback-detection interval-time Command：loopback-detection interval-time <loopback> <no-loopback> Function：Set the loopback detection interval. Parameters：<loopback > the detection interval if any loopback is found, ranging from 5 to 300, in seconds. <no-loopback > the detection interval if no loopback is found, ranging from 1 to 30, in seconds.
Page 357: Port Loopback Detection Troubleshooting
DCS-3950 series Ethernet switch manual Switch (config)#interface ethernet 0/0/1 Switch (Config-If-Ethernet0/0/1)#loopback-detection special-vlan 1-3 Switch (Config-If-Ethernet0/0/1)#loopback-detection control block 22.4 Port Loopback Detection Troubleshooting 22.4.1 Port Loopback Debugging Command List 22.4.1.1 show loopback-detection Command：show loopback-detection [interface <interface-list>] Function：Display the state of loopback detection on all ports if no parameter is provided, or the state and result of the specified ports according to the parameters.
Page 358: Port Loopback Dection Troubleshooting
DCS-3950 series Ethernet switch manual 22.4.2 Port Loopback Dection Troubleshooting The function of port loopback detection is disabled by default and should only be enabled if required, or it might affect the performance of the system because that the loopback detection messages are broadcast messages.
Page 359: Chapter 23 Sntp Configuration
SNTP (1 to 50 ms) is usually sufficient for those services. Fig 23-1 NTP/SNTP work environment DCS-3950 series switch implements SNTPv4 and supports SNTP client unicast as described in RFC2030; SNTP client multicast and unicast are not supported, nor is the...
Page 360: Sntp Configuration
DCS-3950 series Ethernet switch manual SNTP server function. 23.2 SNTP Configuration 23.2.1 SNTP Configuration Task List 1. Configuration of the time server address. 2. Configuration of the SNTP poll interval.. 3. Configuration of the time zone. 1. Configuration of the time server address...
Page 361: Sntp Troubleshooting
DCS-3950 series Ethernet switch manual Parameter：<server_address> is the IPv4 unicast address of the SNTP/NTP server, <version_no> is the version No. of the SNTP on current server,ranging between 1-4 and defaulted at 1. Default: No sntp/ntp configured by default. Command mode: Global Mode Example: Configure the address of a SNTP/NTP server.
Page 362: Show Sntp
DCS-3950 series Ethernet switch manual 23.3.1.1 show sntp Command：show sntp Function：Display the current configuration of SNTP client and the server state. Parameters：None Command mode：Admin Mode. Example: Display current SNTP configuration. Switch#show sntp server address version last receive 2.1.0.2 never Displayed Information...
Page 363: Typical Sntp Configuration Example
23.4 Typical SNTP Configuration Example Fig 23-2 Typical SNTP Configuration All DCS-3950 series switch in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured. There should be reachable route between any DCS-3950 series switch and the two SNTP/NTP servers.
Page 364: Chapter 24 Qos Configuration
DCS-3950 series Ethernet switch manual Chapter 24 QoS Configuration 24.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic.
Page 365: Qos Implementation
DCS-3950 series Ethernet switch manual Classification: The entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs. Policing: Ingress action of QoS that lays down the policing policy and manages the classified packets.
Page 366 DCS-3950 series Ethernet switch manual Scheduling, where classification, policing and remark are sequential ingress actions, and Queuing and Scheduling are QoS egress actions. Fig 24-3 Basic QoS Model Classification: Classify traffic according to packet classification information and generate internal DSCP value based on the classification information. For different packet types and switch configurations, classification is performed differently;...
Page 367 DCS-3950 series Ethernet switch manual Fig 24-4 Classification process Policing and remark: Each packet in classified ingress traffic is assigned an internal DSCP value and can be policed and remarked. Policing can be performed based on DSCP value to configure different policies that allocate bandwidth to classified traffic.
Page 368 DCS-3950 series Ethernet switch manual Fig 24-5 Policing and Remarking process Queuing and scheduling: Packets at the egress will re-map the internal DSCP value to CoS value, the queuing operation assigns packets to appropriate queues of priority according to the CoS value; while the scheduling operation performs packet forwarding according to the prioritized queue weight.
Page 369: Qos Configuration
DCS-3950 series Ethernet switch manual Fig 24-6 Queuing and Scheduling process 24.2 QoS Configuration 24.2.1 QoS Configuration Task List 1． Enable QoS QoS can be enabled or disabled in Global Mode. QoS must be enabled first in Global Mode to configure the other QoS commands.
Page 370 DCS-3950 series Ethernet switch manual the data stream. Different classes of data streams will be processed with different policies. 3． Configure a policy map. After data steam classification, a policy map can be created to associate with the class map created earlier and enter class mode. Then different policies (such as bandwidth limit, priority degrading, assigning new DSCP value) can be applied to different data streams.
Page 371 DCS-3950 series Ethernet switch manual <policy-map-name>‘ command deletes the specified policy map. After a policy map is created, it can be class <class-map-name> associated to a class. Different policy or no class <class-map-name> new DSCP value can be applied to different data streams in class mode;...
Page 372: Qos Command List
DCS-3950 series Ethernet switch manual the specified policy map applied to the <policy-map-name> | output port. Egress policy map is not supported <policy-map-name>} yet. Apply DSCP mutation mapping to the port; mls qos dscp-mutation the ‘no mls qos dscp-mutation no mls qos dscp-mutation command restores the DSCP mutation mapping default.
Page 373 DCS-3950 series Ethernet switch manual Command mode: Global Mode Default: QoS is disabled by default. Usage Guide: QoS provides 8 queues to handle traffics of 8 priorities. This function cannot be used with the traffic control function. Example: Enable and then disabling the QoS function.
Page 374 DCS-3950 series Ethernet switch manual Switch(config-ClassMap)#match ip precedence 0 1 Switch(config-ClassMap)#exit 24.2.2.4 policy-map Command: policy-map <policy-map-name> no policy-map <policy-map-name> Function: Create a policy map and enters the policy map mode; the ‘no policy-map <policy-map-name>‘ command deletes the specified policy map.
Page 375 DCS-3950 series Ethernet switch manual Default: Not assigning by default Command mode: Policy Class-map Mode Usage Guide: Only the classified traffic which matches the matching standard will be assigned with the new values. Example: Set the IP Precedence of the packets matching the c1 class rule to 3.
Page 376: Police Aggregate
DCS-3950 series Ethernet switch manual Function: Define a policy set that can be used in one policy map by several classes; the ‘no mls qos aggregate-policer <aggregate-policer-name>‘ command deletes the specified policy set. Parameters: <aggregate-policer-name> is the name of the policy set; <rate-kbps> is the average baud rate (in kb/s) of classified traffic, range from 1 to 10,000,000;...
Page 377 DCS-3950 series Ethernet switch manual trust DSCP value; port priority <cos> assigns a priority to the physical port, cos is the priority to be assigned. Default: No trust. Command mode: Interface Mode Example: Configure Ethernet port 0/0/1 to trust CoS value, i.e., classifying the packets awitch(ccording to CoS value, DSCP value should not be changed.
Page 378 DCS-3950 series Ethernet switch manual Command: mls qos dscp-mutation <dscp-mutation-name> no mls qos dscp-mutation <dscp-mutation-name> Function: Apply DSCP mutation mapping to the port; the ‘no mls qos dscp-mutation <dscp-mutation-name>‘ command restores the DSCP mutation mapping default. Parameters: <dscp-mutation-name> is the name of DSCP mutation mapping.
Page 379 DCS-3950 series Ethernet switch manual Command mode: Global Mode. Usage Guide: When this command is configured, packets will not be forwarded through the WRR algorithm, but be forworded queue by queue. Example: Configure enable the prioritized queue. Switch(config)#priority-queue out 24.2.2.16 wrr-queue cos-map Command: wrr-queue cos-map <queue-id>...
Page 380: Qos Example
DCS-3950 series Ethernet switch manual supported, each DSCP value is delimited with space, ranging from 0 to 63, <out-dscp> is the sole outgoing DSCP value, the 8 values defined in incoming DSCP will be converted to outgoing DSCP values; ip-prec-dscp <dscp1...dscp8> defines the conversion from IP precedence to DSCP value, <dscp1...dscp8>...
Page 381 DCS-3950 series Ethernet switch manual Configuration result: When QoS enabled in Global Mode, the egress queue bandwidth proportion of port ethernet 0/0/1 is 1: 2: 4: 8. When packets have CoS value coming in through port ethernet 0/0/1, it will be map to the queue out according to the CoS value, CoS value 0 to 7 correspond to queue out 1, 1, 2, 2, 3,3,4, 4, respectively.
Page 382 DCS-3950 series Ethernet switch manual Fig 24-7 Typical QoS topology As shown in the figure, inside the block is a QoS domain, SwitchA classifies different traffics and assigns different IP precedences. For example, set IP precedence for packets from segment 192.168.1.0 to 5 on port ethernet 1/1. The port connecting to switch2 is a trunk port.
Page 383: Qos Troubleshooting
DCS-3950 series Ethernet switch manual Switch(config)#interface ethernet 0/0/1 Switch(config-Ethernet0/0/1)#mls qos trust cos 24.4 QoS Troubleshooting 24.4.1 QoS Monitor and Debug Command List 24.4.1.1 show mls-qos Command: show mls-qos Function: Display global configuration information for QoS. Parameters: N/A. Default: N/A Command mode: Admin Mode...
Page 384: Show Mls Qos Maps
DCS-3950 series Ethernet switch manual Command mode: Admin Mode Displayed information Explanation Ethernet1/2 Port name default cos:0 Default CoS value of the port. DSCP Mutation Map: Default DSCP Port DSCP map name Mutation Map Attached policy-map for Ingress: p1 Policy name bound to port.
Page 385: Qos Troubleshooting
DCS-3950 series Ethernet switch manual dscp-mutation for DSCP-DSCP mutation, policed-dscp is DSCP mark down mapping Default: N/A. Command mode: Admin Mode 24.4.1.5 show class-map Command: show class-map [<class-map-name>] Function: Display class map of QoS. Parameter: < class-map-name> is the class map name.
Page 386 DCS-3950 series Ethernet switch manual packets (such as BPDU). Choose an array according to the Cos value when QoS is shut down When QoS is enabled in Global Mode,. QoS is enabled on all ports with 4 traffic queues. The default CoS value of the port is 0; port is in not Trusted state by default;...
Page 387: Chapter 25 Layer 3 Configuration
25.1 Layer 3 Interface 25.1.1 Introduction to Layer 3 Interface Layer3 interface can be created on DCS-3950 series. Layer3 interface is not physical interface but a virtual interface. Layer3 interface is built on VLAN. Layer3 interface can contain one or more layer2 interface of the same VLAN, or no layer2 interfaces. At least one of Layer2 interfaces contained in Layer3 interface should be in UP state for Layer3 interface in the UP state, otherwise, Layer3 interface will be in the DOWN state.
Page 388: Interface Vlan
DCS-3950 series Ethernet switch manual delete the default gateway address. 25.1.2.2 Layer 3 Interface Command List 25.1.2.2.1 interface vlan Command: interface vlan <vlan-id> no interface vlan <vlan-id> Function: Create a VLAN interface (a Layer 3 interface); the ‘no interface vlan <vlan-id>‘...
Page 389: Show Ip Traffic
DCS-3950 series Ethernet switch manual 25.1.2.3.1 show ip traffic Command: show ip traffic Function: Display statistics for IP packets. Command mode: Admin Mode Usage Guide: Display statistics for IP and ICMP packets received/sent. Example: Switch #show ip traffic IP statistics:...
Page 390 DCS-3950 series Ethernet switch manual packets dropped. Frags： 0 reassembled, 0 timeouts Fragmentation statistics: number of packets 0 fragment rcvd, 0 fragment reassembled, timeouts, fragments dropped received, fragments discarded, packets that 0 fragmented, 0 couldn't cannot be fragmented, number of fragment, 0 fragment sent fragments sent, etc.
Page 391: Show Ip Route
DCS-3950 series Ethernet switch manual UdpOutDatagrams unreachable being received, number of UDP packets being sent. 25.1.2.3.2 debug ip packet Command: debug ip packet no debug ip packet Function: Enable the IP packet debug function: the ‘no debug IP packet’ command disables this debug function.
Page 392: Arp
25.2 ARP 25.2.1 Introduction to ARP ARP (Address Resolution Protocol) is mainly used in IP address to Ethernet MAC address resolution. DCS-3950 series supports static configuration. 25.2.2 ARP Configuration 25.2.2.1 ARP Configuration Task List 1. Configure static ARP 1.
Page 393: Arp Forwarding Troubleshooting
DCS-3950 series Ethernet switch manual 25.2.2.2 ARP Forwarding Command List 25.2.2.2.1 arp Command: arp <ip_address> <mac_address> {[ethernet] <portName>} no arp <ip_address> Function: Configure a static ARP entry; the ‘no arp <ip_address>‘ command deletes a static ARP entry. Parameters: <ip_address> is the IP address; <mac_address> is the MAC address;...
Page 394: Debug Arp
DCS-3950 series Ethernet switch manual 00-10-00-00-00-C5 Interface Layer3 interface corresponding to the ARP entry. Port Physical (Layer2) interface corresponding to the ARP entry. Flag Describes whether ARP entry is dynamic or static. 25.2.3.1.2 debug arp Command: debug arp no debug arp Function: Enable the ARP debug function: the ‘no debug arp’...

Digitalchina Networks DCS-3950 series Manual

Chapter 1 Introduction of Products

Chapter 2 Hardware Installation

Chapter 3 Setup Configuration

Chapter 4 Switch Management

Chapter 5 Basic Switch Configuration

Chapter 6 Cluster Configuration

Chapter 7 Port Configuration

Chapter 8 MAC Table Configuration

Chapter 9 VLAN Configuration

Chapter 10 MSTP Configuration

Chapter 11 IGMP Snooping

Chapter 12 Multicast VLAN Configuration

Chapter 13 DCSCM Configuraion

Chapter 14 802.1X Configuration

Chapter 15 ACL Configuration

Chapter 16 AM Configuration

Chapter 17 Port Channel Configuration

Chapter 18 DHCP Configuration

Chapter 19 DHCP Snooping Configuration

Chapter 20 ARP Guard Configuration

Quick Links

Troubleshooting

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Summary of Contents for Digitalchina Networks DCS-3950 series