Korenix JetNet 5228G Series User Manual

Rackmount managed ethernet switch
Korenix JetNet 5228G Series
Rackmount Managed Ethernet Switch

User Manual

Version 1.1, Apr., 2009
www.korenix.com

Summary of Contents for Korenix JetNet 5228G Series

  • Page 1: User Manual

    Korenix JetNet 5228G Series Rackmount Managed Ethernet Switch User Manual Version 1.1, Apr., 2009 www.korenix.com...
  • Page 2 Korenix JetNet 5228G Series Rackmount Managed Ethernet Switch User’s Manual Copyright Notice Copyright © 2006-2009 Korenix Technology Co., Ltd. All rights reserved. Reproduction in any form or by any means without permission is prohibited.
  • Page 3 24FE+4G Layer 2/4 Ethernet Switch Management Guide V1.1 www.edge-core.com...
  • Page 4 Management Guide 24FE+4G Fast Ethernet Switch Standalone Layer 2 Switch with 24 100BASE-TX (RJ-45) Ports, and 4 Gigabit Combination Ports (RJ-45/SFP)
  • Page 5: Table Of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 6 Contents Saving or Restoring Configuration Settings 3-24 Downloading Configuration Settings from a Server 3-25 Console Port Settings 3-26 Telnet Settings 3-28 Configuring Event Logging 3-30 System Log Configuration 3-30 Remote Log Configuration 3-31 Displaying Log Messages 3-33 Sending Simple Mail Transfer Protocol Alerts 3-33 Resetting the System 3-35...
  • Page 7 Contents Configuring 802.1X Port Authentication 3-80 Displaying 802.1X Global Settings 3-81 Configuring 802.1X Global Settings 3-82 Configuring Port Settings for 802.1X 3-83 Displaying 802.1X Statistics 3-86 Filtering IP Addresses for Management Access 3-88 Client Security 3-90 Configuring Port Security 3-91 Web Authentication 3-93 Configuring Web Authentication...
  • Page 8 Contents Rate Limit Configuration 3-138 Showing Port Statistics 3-139 Address Table Settings 3-143 Setting Static Addresses 3-143 Displaying the Address Table 3-144 Changing the Aging Time 3-146 Spanning Tree Algorithm Configuration 3-147 Displaying Global Settings 3-149 Configuring Global Settings 3-152 Displaying Interface Settings 3-156 Configuring Interface Settings...
  • Page 9 Contents Displaying LLDP Device Statistics 3-212 Displaying Detailed LLDP Device Statistics 3-214 Class of Service Configuration 3-215 Layer 2 Queue Settings 3-215 Setting the Default Priority for Interfaces 3-215 Mapping CoS Values to Egress Queues 3-217 Selecting the Queue Mode 3-219 Setting the Service Weight for Traffic Classes 3-220...
  • Page 10 Contents Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
  • Page 11 Contents show banner 4-25 System Status Commands 4-25 show startup-config 4-26 show running-config 4-28 show system 4-30 show users 4-30 show version 4-31 Frame Size Commands 4-32 jumbo frame 4-32 File Management Commands 4-33 copy 4-34 delete 4-36 4-37 whichboot 4-38 boot system 4-38...
  • Page 12 Contents Time Commands 4-58 sntp client 4-59 sntp server 4-60 sntp poll 4-60 show sntp 4-61 clock timezone 4-61 calendar set 4-62 show calendar 4-62 Switch Cluster Commands 4-63 cluster 4-64 cluster commander 4-64 cluster ip-pool 4-65 cluster member 4-66 rcommand 4-66 show cluster...
  • Page 13 Contents radius-server retransmit 4-90 radius-server timeout 4-91 show radius-server 4-92 TACACS+ Client 4-92 tacacs-server host 4-93 tacacs-server port 4-93 tacacs-server key 4-94 tacacs-server retransmit 4-94 tacacs-server timeout 4-95 show tacacs-server 4-96 AAA Commands 4-96 aaa group server 4-97 server 4-97 aaa accounting dot1x 4-98 aaa accounting exec...
  • Page 14 Contents dot1x max-req 4-119 dot1x port-control 4-120 dot1x operation-mode 4-120 dot1x re-authenticate 4-121 dot1x re-authentication 4-122 dot1x timeout quiet-period 4-122 dot1x timeout re-authperiod 4-123 dot1x timeout tx-period 4-123 dot1x intrusion-action 4-124 show dot1x 4-124 Management IP Filter Commands 4-128 management 4-128 show management 4-129...
  • Page 15 Contents show ip dhcp snooping 4-152 show ip dhcp snooping binding 4-153 IP Source Guard Commands 4-153 ip source-guard 4-153 ip source-guard binding 4-155 show ip source-guard 4-156 show ip source-guard binding 4-156 Access Control List Commands 4-157 IP ACLs 4-157 access-list ip 4-158...
  • Page 16 Contents lacp system-priority 4-187 lacp admin-key (Ethernet Interface) 4-188 lacp admin-key (Port Channel) 4-189 lacp port-priority 4-190 show lacp 4-191 Mirror Port Commands 4-194 port monitor 4-194 show port monitor 4-195 Rate Limit Commands 4-196 rate-limit 4-196 Address Table Commands 4-197 mac-address-table static 4-197...
  • Page 17 Contents show bridge-ext 4-222 switchport gvrp 4-222 show gvrp configuration 4-223 garp timer 4-223 show garp timer 4-224 Editing VLAN Groups 4-225 vlan database 4-225 vlan 4-226 Configuring VLAN Interfaces 4-227 interface vlan 4-227 switchport mode 4-228 switchport acceptable-frame-types 4-228 switchport ingress-filtering 4-229 switchport native vlan...
  • Page 18 Contents LLDP Commands 4-254 lldp 4-256 lldp holdtime-multiplier 4-256 lldp medFastStartCount 4-257 lldp notification-interval 4-257 lldp refresh-interval 4-258 lldp reinit-delay 4-258 lldp tx-delay 4-259 lldp admin-status 4-260 lldp notification 4-260 lldp mednotification 4-261 lldp basic-tlv management-ip-address 4-262 lldp basic-tlv port-description 4-263 lldp basic-tlv system-capabilities 4-263...
  • Page 19 Contents map ip precedence 4-284 map ip tos 4-285 map access-list ip 4-286 map access-list mac 4-286 show map ip dscp 4-287 show map ip port 4-287 show map ip precedence 4-288 show map ip tos 4-288 show map access-list 4-289 Quality of Service Commands 4-290...
  • Page 20 Contents ip igmp max-groups action 4-312 show ip igmp filter 4-313 show ip igmp profile 4-314 show ip igmp throttle interface 4-314 Multicast VLAN Registration Commands 4-315 mvr (Global Configuration) 4-315 mvr (Interface Configuration) 4-317 show mvr 4-318 IP Interface Commands 4-321 ip address 4-321...
  • Page 21 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-30 Table 3-4 SNMPv3 Security Models and Levels 3-40 Table 3-5 Supported Notification Messages 3-51 Table 3-6 HTTPS System Support 3-73 Table 3-7 802.1X Statistics...
  • Page 22 Tables Table 4-19 Time Commands 4-58 Table 4-20 Switch Cluster Commands 4-63 Table 4-21 SNMP Commands 4-68 Table 4-22 show snmp engine-id - display description 4-77 Table 4-23 show snmp view - display description 4-78 Table 4-24 show snmp group - display description 4-81 Table 4-26 Authentication Commands...
  • Page 23 Tables Table 4-65 Default STA Path Costs 4-212 Table 4-64 Recommended STA Path Cost 4-212 Table 4-66 VLAN Command Groups 4-220 Table 4-67 GVRP and Bridge Extension Commands 4-221 Table 4-68 Editing VLAN Groups 4-225 Table 4-69 Configuring VLAN Interfaces 4-227 Table 4-70 Show VLAN Commands...
  • Page 24 Tables...
  • Page 25 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-13 Figure 3-4 Switch Information 3-14 Figure 3-5 Bridge Extension Configuration 3-16 Figure 3-6 Manual IP Configuration 3-18 Figure 3-7 DHCP IP Configuration 3-19 Figure 3-8 Jumbo Frames Configuration 3-20 Figure 3-9 Copy Firmware...
  • Page 26 Figures Figure 3-42 AAA Authorization Settings 3-71 Figure 3-43 AAA Authorization Exec Settings 3-72 Figure 3-44 AAA Authorization Summary 3-73 Figure 3-45 HTTPS Settings 3-74 Figure 3-46 SSH Host-Key Settings 3-78 Figure 3-47 SSH Server Settings 3-79 Figure 3-48 802.1X Global Information 3-81 Figure 3-49 802.1X Global Configuration...
  • Page 27 Figures Figure 3-87 Setting the Address Aging Time 3-146 Figure 3-88 Displaying Spanning Tree Information 3-150 Figure 3-89 Configuring Spanning Tree 3-155 Figure 3-90 Displaying Spanning Tree Port Information 3-158 Figure 3-91 Configuring Spanning Tree per Port 3-162 Figure 3-92 Configuring Multiple Spanning Trees 3-163 Figure 3-93...
  • Page 28 Figures Figure 3-132 Globally Enabling the IP TOS Priority Status 3-227 Figure 3-133 Mapping IP TOS to Class of Service Queues 3-228 Figure 3-134 Mapping CoS Values to ACLs 3-229 Figure 3-135 Configuring Class Maps 3-232 Figure 3-136 Configuring Policy Maps 3-235 Figure 3-137 Service Policy Settings 3-236...
  • Page 29: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 30: Description Of Software Features

    Introduction Table 1-1 Key Features (Continued) Feature Description Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, private VLANs, voice VLANs, and QinQ tunnel Traffic Prioritization Default port priority, traffic class map, queue scheduling, or Differentiated Services Code Point (DSCP), IP Precedence, IP TOS, and TCP/UDP Port Quality of Service Supports Differentiated Services (DiffServ) Link Layer Discovery Protocol Used to discover basic information about neighboring devices...
  • Page 31 Description of Software Features Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access. Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, or TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type).
  • Page 32 Introduction Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 2 Mbits for frame buffering.
  • Page 33 Description of Software Features Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093) is reserved for switch clustering. Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority, Weighted Round Robin, or hybrid queuing.
  • Page 34: System Defaults

    Introduction that advertises information about the sending device and collects information gathered from neighboring network nodes it discovers. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 35 System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default Web Management HTTP Server Enabled HTTP Port Number HTTP Secure Server Enabled HTTP Secure Port Number SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview...
  • Page 36 Introduction Table 1-2 System Defaults (Continued) Function Parameter Default Traffic Prioritization Ingress Port Priority Queue Mode Weighted Round Robin Queue: 0 1 2 3 Weight: 1 2 4 8 IP DSCP Priority Disabled IP Precedence Priority Disabled IP TOS Priority Disabled IP Port Priority Disabled...
  • Page 37: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 38: Required Connections

    Initial Configuration • Configure up to 12 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 39: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 40: Setting Passwords

    Initial Configuration Setting Passwords Note: If this is the first time you log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
  • Page 41: Dynamic Configuration

    Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
  • Page 42: Enabling SNMP Management Access

    Initial Configuration Type “end” to return to the Privileged Exec mode. Press <Enter>. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.”...
  • Page 43: Trap Receivers

    Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 44: Configuring Access For SNMP Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 45: Saving Configuration Settings

    Managing System Files Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
  • Page 46: Rack Mounting Installation

    Rack Mounting Installation The Rack Mount Kit is attached inside the package. 2.1.1 Attach the brackets to the device using the screws provided in the Rack Mount kit. 2.2.2 Mount the device in the 19" rack, using four rack-mounting screws provided by the rack manufacturer.
  • Page 47: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 48: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
  • Page 49: Configuration Options

    Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 50: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 51: Table 3-2 Main Menu

    Main Menu Table 3-2 Main Menu (Continued) Menu Description Page SNMPv3 Simple Network Management Protocol (Version 3) 3-45 Engine ID Sets the SNMP v3 engine ID on this switch 3-45 Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-46 Users Configures SNMP v3 users on this switch...
  • Page 52 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page 802.1X 3-80 Information Displays global configuration settings 3-81 Configuration Configures the global configuration settings 3-82 Port Configuration Sets parameters for individual ports 3-83 Statistics Displays protocol statistics for the selected port 3-86 Web Authentication 3-93...
  • Page 53 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Mirror Port Configuration Sets the source and target ports for mirroring 3-137 Rate Limit 3-138 Input Port Configuration Sets the input rate limit for each port 3-138 Output Port Configuration Sets the output rate limit for ports 3-138 Port Statistics...
  • Page 54 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Static Membership by Port Configures membership type for interfaces, including tagged, 3-178 untagged or forbidden Port Configuration Specifies default PVID and VLAN attributes 3-179 Trunk Configuration Specifies default trunk VID and VLAN attributes 3-179 Tunnel Port Configuration Adds an interface to a QinQ Tunnel...
  • Page 55 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Priority 3-215 Default Port Priority Sets the default priority for each port 3-215 Default Trunk Priority Sets the default priority for each trunk 3-215 Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-217 Queue Mode Sets queue mode to strict, Weighted Round-Robin, or hybrid...
  • Page 56 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Multicast Router Displays the ports that are attached to a neighboring multicast 3-242 Port Information router for each VLAN ID Static Multicast Router Port Assigns ports that are attached to a neighboring multicast router 3-243 Configuration IP Multicast Registration...
  • Page 57 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Cluster 3-259 Configuration Globally enables clustering for the switch 3-260 Member Configuration Adds switch Members to the cluster 3-261 Member Information Displays cluster Member switch information 3-262 Candidate Information Displays network Candidate switch information 3-263 3-11...
  • Page 58: Basic Configuration

    Configuring the Switch Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 59: Figure 3-3 System Information

    Basic Configuration Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3 System Information CLI –
  • Page 60: Displaying Switch Hardware/Software Versions

    Configuring the Switch Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 61 Basic Configuration CLI – Use the following command to display version information. Console#show version 4-31 Serial Number: 0012CF422DC0 Service Tag: Hardware Version: EPLD Version: 0.00 Number of Ports: Main Power Status: Loader Version: 1.0.0.2 Boot ROM Version: 0.0.1.1 Operation Code Version: 0.0.3.5 Console# 3-15...
  • Page 62: Displaying Bridge Extension Capabilities

    Configuring the Switch Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 63: Setting The Switch's IP Address

    Basic Configuration CLI – Enter the following command. Console#show bridge-ext 4-222 Max Support VLAN Numbers: Max Support VLAN ID: 4094 Extended Multicast Filtering Services: No Static Entry Individual Port: VLAN Learning: Configurable PVID Tagging: Local VLAN Capable: Traffic Classes: Enabled Global GVRP Status: Disabled GMRP:...
  • Page 64: Manual Configuration

    Configuring the Switch Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 65: Using DHCP/BOOTP

    Basic Configuration Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 66: Enabling Jumbo Frames

    Configuring the Switch Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
  • Page 67: Managing Firmware

    Basic Configuration Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version.
  • Page 68: Downloading System Software From A Server

    Configuring the Switch Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web – Click System, File Management, Copy Operation.
  • Page 69: Figure 3-11 Deleting Files

    Basic Configuration To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files CLI –
  • Page 70: Saving Or Restoring Configuration Settings

    Configuring the Switch Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server. The configuration files can be later downloaded to restore the switch’s settings. Command Attributes • File Transfer Method – The configuration copy operation includes these options: - file to file –...
  • Page 71: Downloading Configuration Settings From A Server

    Basic Configuration Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
  • Page 72: Console Port Settings

    Configuring the Switch CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-34 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup Write to FLASH Programming.
  • Page 73: Figure 3-14 Console Port Settings

    Basic Configuration • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 bps) •
  • Page 74: Telnet Settings

    Configuring the Switch CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-40 Console(config-line)#login local 4-40 Console(config-line)#password 0 secret 4-41...
  • Page 75: Figure 3-15 Enabling Telnet

    Basic Configuration • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) •
  • Page 76: Configuring Event Logging

    Configuring the Switch Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and it displays a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 77: Remote Log Configuration

    Basic Configuration Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
  • Page 78: Figure 3-17 Remote Logs

    Configuring the Switch Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-17 Remote Logs CLI –...
  • Page 79: Displaying Log Messages

    Basic Configuration Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 80: Figure 3-19 Enabling And Configuring SMTP

    Configuring the Switch • Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list. Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type the new IP address in the Server IP Address box, and then click Add.
  • Page 81: Resetting The System

    Basic Configuration CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging sendmail host 192.168.1.4 4-55 Console(config)#logging sendmail level 3 4-56...
  • Page 82: Setting The System Clock

    Configuring the Switch Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 83: Setting The Time Zone

    Basic Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-60 Console(config)#sntp poll 60 4-60 Console(config)#sntp client 4-59 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 60...
  • Page 84: Setting The Time Manually

    Configuring the Switch Setting the Time Manually You can set the system time on the switch manually without using SNTP. Web – Select System, Calendar. Set the current date and time using the fields provided. Click Apply to start using the configured time. Figure 3-23 Setting the Current Date and Time CLI –...
  • Page 85: Simple Network Management Protocol

    Simple Network Management Protocol Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 86: Enabling The SNMP Agent

    Configuring the Switch Table 3-4 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security noAuthNoPriv public defaultview none none Community string only (read only) noAuthNoPriv private defaultview defaultview none Community string only (read/write) noAuthNoPriv user defined user defined user defined user defined Community string only noAuthNoPriv public defaultview none...
  • Page 87: Setting Community Access Strings

    Simple Network Management Protocol Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
  • Page 88: Specifying Trap Managers And Trap Types

    Configuring the Switch Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 89 Simple Network Management Protocol Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162) •...
  • Page 90: Figure 3-25 Configuring Ip Trap Managers

    Configuring the Switch Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add.
  • Page 91: Configuring Snmpv3 Management Access

    Simple Network Management Protocol Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 92: Specifying A Remote Engine Id

    Configuring the Switch Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
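    The following is an added worked example, not code from the Korenix/Edge-core manual, that makes concrete why the engine ID has to be settled before SNMPv3 users are configured and why informs to a remote user need the remote engine ID: under the User-based Security Model (RFC 3414) the authentication and privacy key for a user is derived from the password and the authoritative engine ID together, so a changed engine ID silently produces a different key on every manager. The password and engine ID used in the usage section are the RFC 3414 Appendix A.3 test vector.

```python
"""SNMPv3 USM key derivation (RFC 3414, section 2.6 and appendix A.2).

Added example; not code from the switch manual. The key a manager uses
for a user is H(Ku || snmpEngineID || Ku), where Ku is derived from the
password alone, so the engine ID is part of every user's effective key.
"""
import hashlib

ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash of the password repeated (and truncated) to exactly 1 MiB."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku); this is the key actually used on the wire."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets (RFC 3411)")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, algo: str = "md5") -> dict:
    """Return the intermediate key Ku and the localized key Kul as hex strings."""
    ku = password_to_key(password.encode("utf-8"), algo)
    return {"ku": ku.hex(), "kul": localize_key(ku, engine_id, algo).hex()}


def key_changes_with_engine_id(password: str, engine_a: bytes, engine_b: bytes,
                               algo: str = "md5") -> bool:
    """True when two engine IDs localize the same password to different keys."""
    return usm_keys(password, engine_a, algo)["kul"] != usm_keys(password, engine_b, algo)["kul"]


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00..02 (12 octets).
    rfc_engine = bytes.fromhex("000000000000000000000002")
    for name in ("md5", "sha1"):
        print(name, usm_keys("maplesyrup", rfc_engine, name))
```

    Run stand-alone, the script prints the RFC 3414 vectors; compare them against what your management station derives for the switch's engine ID before blaming a "wrong password" on the user entry.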
  • Page 93: Configuring Snmpv3 Users

    Simple Network Management Protocol Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. Command Attributes •...
  • Page 94: Figure 3-28 Configuring Snmpv3 Users

    Configuring the Switch Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 95: Configuring Remote Snmpv3 Users

    Simple Network Management Protocol Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 96: Figure 3-29 Configuring Remote Snmpv3 Users

    Configuring the Switch Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 97: Configuring Snmpv3 Groups

    Simple Network Management Protocol Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 98 Configuring the Switch Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, linkDown acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 99: Figure 3-30 Configuring Snmpv3 Groups

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
  • Page 100: Setting Snmpv3 Views

    Configuring the Switch Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
  • Page 101 Simple Network Management Protocol CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-77 Console(config)#exit Console#show snmp view 4-78 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
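    As an added example (not code from the manual), the following models how a view such as ifEntry.a above is evaluated: each `snmp-server view` entry is a subtree with optional wildcard positions (the `*` in the CLI) and an included or excluded flag, and a request is decided by the most specific matching entry, following the RFC 3415 VACM rules. One assumption is made and marked in the code: ties between equally long subtrees are broken by the lexicographically greatest subtree with wildcards counted as 0.

```python
"""SNMPv3 view-family matching with wildcard sub-identifiers (RFC 3415 VACM).

Added example; not code from the switch manual. A view is a list of
(subtree, included) entries; an OID is permitted when the most specific
entry whose subtree covers it is marked included.
"""
from typing import List, Optional, Sequence, Tuple

Family = Tuple[Optional[int], ...]


def parse_oid(text: str) -> Family:
    """'1.3.6.1.2.1.2.2.1.1.*' -> (1, 3, ..., None); None marks a wildcard position."""
    parts = text.strip(".").split(".")
    if parts == [""]:
        raise ValueError("empty OID")
    return tuple(None if p == "*" else int(p) for p in parts)


def in_family(oid: Sequence[int], family: Family) -> bool:
    """The OID is in the family when the family is a (wildcard-aware) prefix of it."""
    if len(oid) < len(family):
        return False
    return all(f is None or f == o for f, o in zip(family, oid))


class View:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[Family, bool]] = []

    def add(self, subtree: str, included: bool = True) -> "View":
        self.entries.append((parse_oid(subtree), included))
        return self

    def permits(self, oid_text: str) -> bool:
        oid = parse_oid(oid_text)
        if any(o is None for o in oid):
            raise ValueError("a requested OID cannot contain wildcards")
        matches = [e for e in self.entries if in_family(oid, e[0])]
        if not matches:
            return False  # not covered by any subtree: access denied

        def specificity(entry):
            # Longest subtree wins; assumption: ties go to the lexicographically
            # greatest subtree with wildcard positions counted as 0.
            fam = entry[0]
            return (len(fam), tuple(0 if s is None else s for s in fam))

        return max(matches, key=specificity)[1]


if __name__ == "__main__":
    # Mirrors the manual's example view: ifIndex for every interface row.
    if_entry_a = View("ifEntry.a").add("1.3.6.1.2.1.2.2.1.1.*")
    print(if_entry_a.permits("1.3.6.1.2.1.2.2.1.1.3"))   # ifIndex.3 -> True
    print(if_entry_a.permits("1.3.6.1.2.1.2.2.1.2.3"))   # ifDescr.3 -> False
```

    Note that an excluded entry nested inside an included one (for example include mib-2, exclude the ip group) is how a read-only monitoring user is kept away from routing tables without enumerating every permitted subtree.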
  • Page 102: Authentication

    Configuring the Switch Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: •...
  • Page 103: Figure 3-32 Access Levels

    Authentication Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 104: Configuring Local/Remote Logon Authentication

    Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 105 Authentication Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
  • Page 106: Figure 3-33 Authentication Settings

    Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Settings 3-60...
  • Page 107 Authentication CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius 4-86 Console(config)#radius-server auth-port 181 4-89 Console(config)#radius-server key green 4-90 Console(config)#radius-server retransmit 5 4-90 Console(config)#radius-server timeout 10 4-91 Console(config)#radius-server 1 host 192.168.1.25 4-88 Console(config)#end Console#show radius-server 4-92 Global Settings: Communication Key with RADIUS Server:...
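    The following is an added example, not code from the manual, showing what the shared secret configured with `radius-server key` actually protects when the switch authenticates a login against RADIUS. In an Access-Request (RFC 2865) only the User-Password attribute is hidden, by XOR with an MD5 stream derived from the secret and the per-request authenticator; the user name and everything else travel in clear, and a short dictionary word such as "green" in the example above can be recovered offline by anyone who captures one request and guesses the secret. The user name, password and NAS address below are constructed sample values.

```python
"""RADIUS Access-Request with a PAP User-Password (RFC 2865, sections 4.1 and 5.2).

Added example; not code from the switch manual. Builds a minimal
Access-Request, hides the password with the shared secret, and recovers
it again so the hiding scheme can be inspected.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, then c_i = p_i XOR MD5(secret + c_{i-1})."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator  # c_0 is the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is removed."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(code: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header octets."""
    return bytes([code, len(value) + 2]) + value


def build_access_request(user: bytes, password: bytes, secret: bytes, nas_ip: str,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        code, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[code] = packet[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    # Constructed sample: secret "green" as in the manual's CLI example.
    pkt = build_access_request(b"admin", b"s3cret!", b"green", "192.168.1.1")
    attrs = parse_attributes(pkt)
    print(attrs[ATTR_USER_NAME], attrs[ATTR_USER_PASSWORD].hex())
    print(reveal_password(attrs[ATTR_USER_PASSWORD], b"green", pkt[4:20]))
```

    The practical consequence for the settings on this page: use a long random shared secret, keep the RADIUS server on a management network the user ports cannot reach, and prefer a RADIUS transport with real encryption where the server supports it.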
  • Page 108: Aaa Authorization And Accounting

    Configuring the Switch AAA Authorization and Accounting Authentication, authorization, and accounting (AAA) provides a framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network. •...
  • Page 109: Aaa Radius Group Settings

    Authentication AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the RADIUS server group. (1-255 characters) • Server Index - Specifies a RADIUS server and the sequence to use for the group. (Range: 1-5) When specifying the index for a RADIUS server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication”...
  • Page 110: Aaa Tacacs+ Group Settings

    Configuring the Switch AAA TACACS+ Group Settings The AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the TACACS+ server group. (1-255 characters) •...
  • Page 111: Figure 3-36 Aaa Accounting Settings

    Authentication • Group Name - Specifies the accounting server group. (Range: 1-255 characters) The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see “Configuring Local/Remote Logon Authentication” on page 3-58). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages.
  • Page 112: Aaa Accounting Update

    Configuring the Switch AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled) Web –...
  • Page 113: Aaa Accounting Exec Command Privileges

    Authentication Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply. Figure 3-38 AAA Accounting 802.1X Port Settings CLI – Specify the accounting method to apply to the selected interface. Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps-method 4-101 Console(config-if)#...
  • Page 114: Figure 3-39 Aaa Accounting Exec Command Privileges

    Configuring the Switch Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply. Figure 3-39 AAA Accounting Exec Command Privileges CLI – Specify the accounting method to use for console and Telnet privilege levels. Console(config)#line console 4-40 Console(config-line)#accounting commands 15 tps-method...
  • Page 115: Aaa Accounting Exec Settings

    Authentication AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 116: Figure 3-41 Aaa Accounting Summary

    Configuring the Switch Web – Click Security, AAA, Accounting, Summary. Figure 3-41 AAA Accounting Summary CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-104 Accounting Type : dot1x Method List : default Group List : radius...
  • Page 117: Authorization Settings

    Authentication Console#show accounting statistics Total entries: 3 Accounting type : dot1x Username : testpc Interface : eth 1/1 Time elapsed since connected: 00:24:44 Accounting type : exec Username : admin Interface : vty 0 Time elapsed since connected: 00:25:09 Console# Authorization Settings AAA authorization is used to verify that a user has access to specific services.
  • Page 118: Authorization Exec Settings

    Configuring the Switch Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 119: Configuring Https

    Authentication Web – Click Security, AAA, Authorization, Summary. Figure 3-44 AAA Authorization Summary Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage •...
  • Page 120: Replacing The Default Secure-Site Certificate

    Configuring the Switch Command Attributes • HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) • Change HTTPS Port Number – Specifies the TCP port number used for HTTPS/SSL connection to the switch’s web interface. (Default: Port 443) Web –...
  • Page 121: Configuring Secure Shell

    Authentication Note: The switch must be reset for the new certificate to be activated. To reset the switch, type: Console#reload Configuring Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments.
  • Page 122 Configuring the Switch 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-34) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-56.) The clients are subsequently authenticated using these keys.
  • Page 123: Generating The Host Key Pair

    Authentication Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
  • Page 124: Figure 3-46 Ssh Host-Key Settings

    Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-46 SSH Host-Key Settings CLI –...
  • Page 125: Configuring The Ssh Server

    Authentication Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. The version 1 protocol has known design weaknesses (its CRC-32 integrity check is vulnerable to insertion attacks), so management clients should be configured to use version 2.0 only.
  • Page 126: Configuring 802.1X Port Authentication

    Configuring the Switch CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server 4-111 Console(config)#ip ssh timeout 100 4-112 Console(config)#ip ssh authentication-retries 5 4-113...
  • Page 127: Displaying 802.1X Global Settings

    Authentication TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet.
  • Page 128: Configuring 802.1X Global Settings

    Configuring the Switch CLI – This example shows the default global setting for 802.1X. Console#show dot1x 4-124 Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is disabled on port 1/28 Console#...
  • Page 129: Configuring Port Settings For 802.1X

    Authentication Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
  • Page 130: Figure 3-50 802.1X Port Configuration

    Configuring the Switch • Supplicant – Indicates the MAC address of a connected client. • Trunk – Indicates if the port is configured as a trunk port. Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply. Figure 3-50 802.1X Port Configuration 3-84...
  • Page 131 Authentication CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-124. Console(config)#interface ethernet 1/2 4-172 Console(config-if)#dot1x port-control auto 4-120 Console(config-if)#dot1x re-authentication 4-122 Console(config-if)#dot1x max-req 5 4-119 Console(config-if)#dot1x timeout quiet-period 30...
  • Page 132: Displaying 802.1X Statistics

    Configuring the Switch Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 133: Figure 3-51 Displaying 802.1X Port Statistics

    Authentication Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-51 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-124 Eth 1/4 Rx: EAPOL...
  • Page 134: Filtering Ip Addresses For Management Access

    Configuring the Switch Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage •...
  • Page 135: Figure 3-52 Creating An Ip Filter List

    Authentication Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-52 Creating an IP Filter List CLI –...
  • Page 136: Client Security

    Configuring the Switch Client Security This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 137: Configuring Port Security

    Client Security Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 138: Figure 3-53 Configuring Port Security

    Configuring the Switch Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-53 Configuring Port Security CLI –...
  • Page 139: Web Authentication

    Client Security Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
  • Page 140: Configuring Web Authentication For Ports

    Configuring the Switch CLI – This example globally enables system authentication control, configures the session timeout, quiet period and login attempts, and then displays the configured global parameters. Console(config)#mac-authentication reauth-time 3000 4-137 Console(config)#web-auth system-auth-control 4-142 Console(config)#web-auth session-timeout 1800 4-142 Console(config)#web-auth quiet-period 20 4-141 Console(config)#web-auth login-attempts 2 4-141...
  • Page 141: Displaying Web Authentication Port Information

    Client Security CLI – This example enables web authentication for ethernet port 1/5 and displays a summary of web authentication parameters. Console(config)#interface ethernet 1/5 4-172 Console(config-if)#web-auth 4-143 Console(config-if)#end Console#show web-auth summary 4-145 Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count...
  • Page 142: Re-Authenticating Web Authenticated Ports

    Configuring the Switch CLI – This example displays web authentication parameters for port 1/5. Console#show web-auth interface ethernet 1/5 4-145 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ---------------------- 1.1.1.1 Authenticated 1.1.1.2 Authenticated Console# Re-authenticating Web Authenticated Ports The switch allows an administrator to manually force re-authentication of any web-authenticated host connected to any port.
  • Page 143: Network Access (Mac Address Authentication)

    Client Security Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points. This switch enables network access from these devices to be controlled by authenticating device MAC addresses with a central RADIUS server.
  • Page 144: Configuring The Mac Authentication Reauthentication Time

    Configuring the Switch Configuring the MAC Authentication Reauthentication Time MAC address authentication is configured on a per-port basis, however there are two configurable parameters that apply globally to all ports on the switch. Command Attributes • Authenticated Age – The secure MAC address table aging time. This parameter setting is the same as switch MAC address table aging time and is only configurable from the Address Table, Aging Time web page (see page 3-146).
  • Page 145: Configuring Mac Authentication For Ports

    Client Security Configuring MAC Authentication for Ports Configures MAC authentication on switch ports, including setting the maximum MAC count, applying a MAC address filter, and enabling dynamic VLAN assignment. Command Attributes • Mode – Enables MAC authentication on a port. (Default: None) •...
  • Page 146: Figure 3-59 Network Access Port Configuration

    Configuring the Switch Web – Click Security, Network Access, Port Configuration. Figure 3-59 Network Access Port Configuration CLI – This example configures MAC authentication for port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access mode mac-authentication 4-133 Console(config-if)#network-access max-mac-count 10 4-134 Console(config-if)#mac-authentication max-mac-count 24 4-135 Console(config-if)#network-access dynamic-vlan 4-136...
  • Page 147: Displaying Secure Mac Address Information

    Client Security Displaying Secure MAC Address Information Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries removed from the table. Command Attributes • Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
  • Page 148: Access Control Lists

    Configuring the Switch CLI – This example displays all entries currently in the secure MAC address table. Console#show network-access mac-address-table 4-139 ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s...
  • Page 149: Setting The Acl Name And Type

    Client Security Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 15 characters) • Type – There are three filtering modes: - Standard –...
  • Page 150: Configuring A Standard Ip Acl

    Configuring the Switch Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 151: Configuring An Extended Ip Acl

    Client Security Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. (Default: Permit rules) • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
  • Page 152: Figure 3-63 Configuring Extended Ip Acls

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
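    The following is an added example, not code from the manual, that models how the rule fields on the Standard and Extended IP ACL pages (action, source and destination as Any / Host / IP plus mask, protocol, destination port) are evaluated, and why the order of permit and deny rules matters. Two details are assumptions rather than statements from the page and are marked as such in the code: a 1 bit in the mask means the address bit must match and a 0 bit means it is ignored, and a packet that matches no rule is denied. The addresses and rules are constructed sample data.

```python
"""First-match evaluation of standard/extended IP ACLs.

Added example; not code from the switch manual. Rules are evaluated in
order and the first match decides; standard ACLs are the special case
where destination, protocol and port are left at "any".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]  # (address, mask)

ANY: AddrSpec = ("0.0.0.0", "0.0.0.0")   # mask 0: every bit ignored
TCP, UDP = 6, 17


def host(address: str) -> AddrSpec:
    return (address, "255.255.255.255")   # every bit must match


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def addr_matches(spec: AddrSpec, address: str) -> bool:
    """Assumption: mask bit 1 = compare, 0 = ignore (a bitmask, not a prefix length)."""
    base, mask = spec
    return (_int(address) & _int(mask)) == (_int(base) & _int(mask))


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: AddrSpec = ANY
    dst: AddrSpec = ANY               # standard ACLs leave dst/protocol/port at "any"
    protocol: Optional[int] = None    # IP protocol number, None = any
    dst_port: Optional[int] = None    # TCP/UDP destination port, None = any

    def matches(self, src: str, dst: str, protocol: int, dst_port: Optional[int]) -> bool:
        return (addr_matches(self.src, src) and addr_matches(self.dst, dst)
                and (self.protocol is None or self.protocol == protocol)
                and (self.dst_port is None or self.dst_port == dst_port))


class IpAcl:
    def __init__(self, name: str, rules: List[Rule]) -> None:
        if len(name) > 15:
            raise ValueError("ACL name is limited to 15 characters")
        for rule in rules:
            if rule.action not in ("permit", "deny"):
                raise ValueError("action must be permit or deny")
        self.name, self.rules = name, rules

    def evaluate(self, src: str, dst: str, protocol: int, dst_port: Optional[int] = None) -> str:
        """Action of the first matching rule; assumption: no match means deny."""
        for rule in self.rules:
            if rule.matches(src, dst, protocol, dst_port):
                return rule.action
        return "deny"


def build_sample_acls() -> Tuple[IpAcl, IpAcl]:
    """Two ACLs with the same rules in different order (constructed sample)."""
    mgmt_net = ("192.168.1.0", "255.255.255.0")
    deny_telnet = Rule("deny", protocol=TCP, dst_port=23)
    permit_mgmt_ssh = Rule("permit", src=mgmt_net, dst=host("10.0.0.1"), protocol=TCP, dst_port=22)
    permit_mgmt_tcp = Rule("permit", src=mgmt_net, dst=host("10.0.0.1"), protocol=TCP)
    permit_snmp_station = Rule("permit", src=host("192.168.1.10"), protocol=UDP, dst_port=161)
    strict = IpAcl("mgmt-strict", [deny_telnet, permit_mgmt_ssh, permit_snmp_station])
    loose = IpAcl("mgmt-loose", [permit_mgmt_tcp, deny_telnet, permit_snmp_station])
    return strict, loose


if __name__ == "__main__":
    strict, loose = build_sample_acls()
    # Telnet from the management subnet: denied by the strict ACL, permitted by the loose one.
    print(strict.evaluate("192.168.1.5", "10.0.0.1", TCP, 23), loose.evaluate("192.168.1.5", "10.0.0.1", TCP, 23))
```

    The "loose" ACL shows the classic mistake: a broad permit placed before a specific deny makes the deny unreachable for the very hosts it was meant to restrict. Always check the rule order on the switch, not just the set of rules.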
  • Page 153: Configuring A Mac Acl

    Client Security Configuring a MAC ACL Command Usage Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets. Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host”...
  • Page 154: Binding A Port To An Access Control List

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 155: Dhcp Snooping

    Client Security Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. Figure 3-65 Configuring ACL Port Binding CLI –...
  • Page 156 Configuring the Switch • The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. • When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
  • Page 157: Configuring Dhcp Snooping

    Client Security Configuring DHCP Snooping Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. Command Attributes • DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled) • DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.
  • Page 158: Configuring The Dhcp Snooping Information Option

    Configuring the Switch Command Attributes • VLAN ID – ID of a configured VLAN. (Range: 1-4094) • DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. Web – Click DHCP Snooping, VLAN Configuration. Enable DHCP Snooping on the required VLAN and click Apply.
  • Page 159 Client Security • DHCP reply packets received by the relay agent (that is, this switch) are handled in the following way: 1. When the relay agent receives a DHCP reply packet with Option 82 information, it first ensures that the packet is destined for it, and then removes the Option 82 field from the packet.
  • Page 160: Configuring Ports For Dhcp Snooping

    Configuring the Switch Web – Click DHCP Snooping, Information Option Configuration. Enable Option 82, and set the policy for handling request packets, then click Apply. Figure 3-68 DHCP Snooping Information Option Configuration CLI – This example enables the DHCP Snooping Information Option and sets the policy to replace. Console(config)#ip dhcp snooping information option 4-150...
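    The following is an added example, not code from the manual, that implements the Option 82 handling described on the last two pages: a client request arriving on an untrusted port that already carries relay agent information is dropped, kept or replaced according to the configured policy, a clean request gets the switch's own circuit-id and remote-id inserted, and a server reply has Option 82 removed before it is forwarded to the client. The DHCP frames are constructed sample data, and the circuit-id and remote-id contents are illustrative only; the real sub-option formats are switch-specific.

```python
"""DHCP snooping relay-agent information (Option 82) handling.

Added example; not code from the switch manual. Parses the option list
of a DHCP packet, applies the drop/keep/replace policy for untrusted
ports, and strips Option 82 from replies.
"""
import struct
from typing import List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT, OPT_END = 0, 53, 54, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
Option = Tuple[int, bytes]


def split_dhcp(pkt: bytes) -> Tuple[bytes, List[Option]]:
    """Fixed 236-byte BOOTP header + 4-byte magic cookie, then TLV options up to END."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return pkt[:240], parse_options(pkt[240:])


def parse_options(data: bytes) -> List[Option]:
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        opts.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_options(opts: List[Option]) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def relay_agent_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 value: sub-option 1 (circuit-id) and sub-option 2 (remote-id); illustrative contents."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def get_option(pkt: bytes, code: int) -> Optional[bytes]:
    for c, v in split_dhcp(pkt)[1]:
        if c == code:
            return v
    return None


def handle_untrusted_request(pkt: bytes, policy: str, circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Client request from an untrusted port; returns the packet to forward, or None if dropped."""
    fixed, opts = split_dhcp(pkt)
    if any(c == OPT_RELAY_AGENT for c, _ in opts):
        if policy == "drop":
            return None
        if policy == "keep":
            return pkt
        if policy != "replace":
            raise ValueError("policy must be drop, keep or replace")
        opts = [o for o in opts if o[0] != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, relay_agent_info(circuit_id, remote_id)))
    return fixed + build_options(opts)


def strip_relay_agent_info(reply: bytes) -> bytes:
    """Server reply bound for the client: remove Option 82, keep everything else."""
    fixed, opts = split_dhcp(reply)
    return fixed + build_options([o for o in opts if o[0] != OPT_RELAY_AGENT])


def make_dhcp(op: int, mac: bytes, msg_type: int, extra: List[Option] = ()) -> bytes:
    """Constructed minimal DHCP frame: op, htype=1, hlen=6, hops, xid, secs, flags, 4 addrs, chaddr, sname, file."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + build_options([(OPT_MSG_TYPE, bytes([msg_type]))] + list(extra))
```

    The "drop" policy is the safe default on access ports: a client that sends its own Option 82 is either misconfigured or trying to impersonate a relay agent and influence address assignment.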
  • Page 161: Ip Source Guard

    Client Security Command Attributes • Trust Status – Enables or disables port as trusted. Web – Click DHCP Snooping, Port Configuration. Figure 3-69 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust 4-149...
  • Page 162 Configuring the Switch Command Usage • Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, plus the source MAC address.
  • Page 163: Configuring Static Binding For Ip Source Guard

    Client Security Web – Click IP Source Guard, Port Configuration. Set the required filtering type for each port and click Apply. Figure 3-70 IP Source Guard Port Configuration CLI – This example shows how to enable IP source guard on port 5 Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip 4-153...
  • Page 164: Figure 3-71 Static Ip Source Guard Binding Configuration

    Configuring the Switch - If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding. Command Attributes •...
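    The following is an added example, not code from the manual, that implements the two IP Source Guard checks described on the Port Configuration page (SIP compares VLAN, source IP and ingress port against the binding table; SIP-MAC additionally compares the source MAC) together with the static-binding rule stated just above: a static entry with the same VLAN and MAC replaces a dynamic DHCP snooping entry and the entry type becomes static. One assumption, marked in the code: adding a static binding whose VLAN and MAC already belong to another static entry is rejected. Port names, MACs and addresses are constructed sample data.

```python
"""IP Source Guard filtering against a DHCP-snooping binding table.

Added example; not code from the switch manual. Dynamic entries come
from DHCP snooping, static entries from the administrator; a packet is
forwarded only when a binding matches the port it arrived on.
"""
from dataclasses import dataclass
from typing import List


def norm_mac(mac: str) -> str:
    """Accept 00-12-CF-12-34-61 or 00:12:cf:12:34:61 and compare in one form."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str
    ip: str
    port: str
    kind: str  # "dynamic" (learned by DHCP snooping) or "static"


class BindingTable:
    def __init__(self) -> None:
        self.entries: List[Binding] = []

    def learn_dhcp(self, vlan: int, mac: str, ip: str, port: str) -> None:
        """DHCP snooping saw a lease for this client: record or refresh a dynamic binding."""
        mac = norm_mac(mac)
        self.entries = [e for e in self.entries
                        if not (e.vlan == vlan and e.mac == mac and e.kind == "dynamic")]
        self.entries.append(Binding(vlan, mac, ip, port, "dynamic"))

    def add_static(self, vlan: int, mac: str, ip: str, port: str) -> None:
        """Static binding: replaces a dynamic entry with the same VLAN and MAC."""
        mac = norm_mac(mac)
        for e in self.entries:
            if e.vlan == vlan and e.mac == mac and e.kind == "static":
                # Assumption: an existing static entry must be removed explicitly first.
                raise ValueError("static binding already exists for this VLAN and MAC")
        self.entries = [e for e in self.entries if not (e.vlan == vlan and e.mac == mac)]
        self.entries.append(Binding(vlan, mac, ip, port, "static"))

    def permits(self, mode: str, port: str, vlan: int, sip: str, smac: str) -> bool:
        """Decide whether an IP packet arriving on `port` may be forwarded."""
        if mode == "disabled":
            return True
        if mode not in ("sip", "sip-mac"):
            raise ValueError("mode must be disabled, sip or sip-mac")
        smac = norm_mac(smac)
        for e in self.entries:
            if e.port == port and e.vlan == vlan and e.ip == sip:
                if mode == "sip" or e.mac == smac:
                    return True
        return False


if __name__ == "__main__":
    table = BindingTable()
    table.learn_dhcp(10, "00-00-01-02-03-04", "10.0.0.5", "eth1/5")
    # Same IP, different MAC: SIP mode lets it through, SIP-MAC does not.
    print(table.permits("sip", "eth1/5", 10, "10.0.0.5", "de:ad:be:ef:00:01"))
    print(table.permits("sip-mac", "eth1/5", 10, "10.0.0.5", "de:ad:be:ef:00:01"))
```

    The difference between the two modes is the point of the example: SIP alone stops a host from using an address it was not leased, but only SIP-MAC stops a second host on the same port from borrowing a neighbour's leased address by spoofing its source IP.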
  • Page 165: Displaying Information For Dynamic Ip Source Guard Bindings

    Client Security Displaying Information for Dynamic IP Source Guard Bindings Use the Dynamic Information page to display the source-guard binding table for a selected interface. Command Attributes • Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address) •...
  • Page 166: Port Configuration

    Configuring the Switch Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
  • Page 167 Port Configuration Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100T or 1000T) • MAC Address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-17.) Configuration: •...
  • Page 168: Configuring Interface Connections

    Configuring the Switch CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 4-180 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-61 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Broadcast storm: Enabled Broadcast Storm Limit:...
  • Page 169: Figure 3-74 Port/Trunk Configuration

    Port Configuration pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation. Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
  • Page 170: Creating Trunk Groups

    Configuring the Switch CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/3 4-172 Console(config-if)#description RD SW#13 4-173 Console(config-if)#shutdown 4-177 Console(config-if)#no shutdown Console(config-if)#no negotiation 4-174 Console(config-if)#speed-duplex 100half 4-173 Console(config-if)#flowcontrol 4-176 Console(config-if)#negotiation Console(config-if)#capabilities 100half 4-175 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate...
  • Page 171: Statically Configuring A Trunk

    Port Configuration • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
  • Page 172: Enabling LACP On Selected Ports

    Configuring the Switch CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-172 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-172 Console(config-if)#channel-group 2 4-185 Console(config-if)#exit...
  • Page 173: Figure 3-76 LACP Trunk Configuration

    Port Configuration Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
  • Page 174: Configuring LACP Parameters

    Configuring the Switch Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. •...
  • Page 175: Figure 3-77 LACP Port Configuration

    Port Configuration Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 176: Displaying LACP Port Counters

    Configuring the Switch CLI – The following example configures LACP parameters for ports 1-8. Ports 1-8 are used as active members of the LAG; ports 9-10 are set to backup mode. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#lacp actor system-priority 3 4-187 Console(config-if)#lacp actor admin-key 120 4-188 Console(config-if)#lacp actor port-priority 128...
  • Page 177: Figure 3-78 LACP - Port Counters Information

    Port Configuration Table 3-8 LACP Port Counters (Continued) Field Description Marker Unknown Pkts Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 178: Displaying LACP Settings And Status For The Local Side

    Configuring the Switch Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
  • Page 179: Figure 3-79 LACP - Port Internal Information

    Port Configuration Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-79 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-191 Port channel : 1...
  • Page 180: Displaying LACP Settings And Status For The Remote Side

    Configuring the Switch Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
  • Page 181: Setting Broadcast Storm Thresholds

    Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-191 Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 3, 00-12-CF-CE-2A-20...
  • Page 182: Figure 3-81 Port Broadcast Control

    Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-81 Port Broadcast Control CLI – Set the threshold, then enable broadcast control on any interface. The following sets broadcast control threshold at 500 kbytes per second, and then enables broadcast storm control for port 1.
  • Page 183: Configuring Port Mirroring

    Port Configuration Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 184: Configuring Rate Limits

    Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 185: Showing Port Statistics

    Port Configuration CLI - This example sets the rate limit level for input traffic passing through port 3. Console(config)#interface ethernet 1/3 4-172 Console(config-if)#rate-limit input scale 100k level 5 4-196 Console(config-if)# Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 186 Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. Transmit Broadcast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this...
  • Page 187 Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
  • Page 188: Figure 3-84 Port Statistics

    Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-84 Port Statistics 3-142...
  • Page 189: Address Table Settings

    Address Table Settings CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 4-181 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 190: Displaying The Address Table

    Configuring the Switch Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-85 Configuring a Static Address Table CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 191: Figure 3-86 Configuring A Dynamic Address Table

    Address Table Settings Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-86 Configuring a Dynamic Address Table CLI –...
  • Page 192: Changing The Aging Time

    Configuring the Switch Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-98301 seconds;...
  • Page 193: Spanning Tree Algorithm Configuration

    Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 194 Configuring the Switch convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing. One or more VLANs can be grouped into a Multiple Spanning Tree Instance (MSTI). MSTP builds a separate Multiple Spanning Tree (MST) for each instance to maintain connectivity among each of the assigned VLAN groups.
  • Page 195: Displaying Global Settings

    Spanning Tree Algorithm Configuration Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
  • Page 196: Figure 3-88 Displaying Spanning Tree Information

    Configuring the Switch • Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.) • VLANs configuration – VLANs assigned to the CIST. • Priority – Bridge priority is used in selecting the root device, root port, and designated port.
  • Page 197 Spanning Tree Algorithm Configuration CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-218 Spanning Tree Information --------------------------------------------------------------- Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: VLANs Configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 198: Configuring Global Settings

    Configuring the Switch Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 199 Spanning Tree Algorithm Configuration address will then become the root device. (Note that lower numeric values indicate higher priority.) - Default: 32768 - Range: 0-61440, in steps of 4096 - Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 Root Device Configuration •...
  • Page 200 Configuring the Switch Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table.
  • Page 201: Figure 3-89 Configuring Spanning Tree

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-89 Configuring Spanning Tree 3-155...
  • Page 202: Displaying Interface Settings

    Configuring the Switch CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-202 Console(config)#spanning-tree mode mstp 4-202 Console(config)#spanning-tree priority 40960 4-205 Console(config)#spanning-tree hello-time 5 4-204 Console(config)#spanning-tree max-age 28 4-205 Console(config)#spanning-tree forward-time 20 4-203...
  • Page 203 Spanning Tree Algorithm Configuration • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
  • Page 204: Figure 3-90 Displaying Spanning Tree Port Information

    Configuring the Switch These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 205: Configuring Interface Settings

    Spanning Tree Algorithm Configuration CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-218 1/ 5 information -------------------------------------------------------------- Admin Status: Enabled Role: Disabled State: Discarding External Admin Path Cost: 0 Internal Admin Path Cost: 0 External Oper Path Cost: 2000000 Internal Oper Path Cost:...
  • Page 206: Table 3-12 Recommended STA Path Cost Range

    Configuring the Switch The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 207: Table 3-14 Default STA Path Costs

    Spanning Tree Algorithm Configuration Table 3-14 Default STA Path Costs
      Port Type          Link Type     IEEE 802.1w-2001
      Ethernet           Half Duplex   2,000,000
                         Full Duplex   1,000,000
                         Trunk           500,000
      Fast Ethernet      Half Duplex     200,000
                         Full Duplex     100,000
                         Trunk            50,000
      Gigabit Ethernet   Full Duplex      10,000
                         Trunk             5,000
    ...
  • Page 208: Configuring Multiple Spanning Trees

    Configuring the Switch Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-91 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-172 Console(config-if)#spanning-tree port-priority 0 4-213...
  • Page 209: Figure 3-92 Configuring Multiple Spanning Trees

    Spanning Tree Algorithm Configuration To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings. Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) •...
  • Page 210 Configuring the Switch CLI – This example sets the priority for MSTI 1, and adds VLAN 1 to this MSTI. It then displays the STA settings for instance 1, followed by settings for each port. Console(config)#spanning-tree mst configuration 4-207 Console(config-mst)#mst 1 priority 4096 4-208 Console(config-mstp)#mst 1 vlan 1 4-208...
  • Page 211: Displaying Interface Settings For MSTP

    Spanning Tree Algorithm Configuration Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes MST Instance ID – Instance identifier to configure. (Default: 0) Note: The other attributes are described under “Displaying Interface Settings”...
  • Page 212 Configuring the Switch CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-218 Spanning Tree Information...
  • Page 213: Configuring Interface Settings For MSTP

    Spanning Tree Algorithm Configuration Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
  • Page 214: VLAN Configuration

    Configuring the Switch Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-94 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50...
  • Page 215 VLAN Configuration This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
  • Page 216 Configuring the Switch printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabled routing on this switch. Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security.
  • Page 217: Enabling GVRP (Global Setting)

    VLAN Configuration Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 218: Displaying Basic VLAN Information

    Configuring the Switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
  • Page 219: Displaying Current VLANs

    VLAN Configuration Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
  • Page 220: Creating VLANs

    Configuring the Switch Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. •...
  • Page 221: Figure 3-98 Configuring A VLAN Static List

    VLAN Configuration • Remove – Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged. Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
  • Page 222: Adding Static Members To VLANs (VLAN Index)

    Configuring the Switch Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 223: Figure 3-99 Configuring A VLAN Static Table

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 224: Adding Static Members To VLANs (Port Index)

    Configuring the Switch Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 225: Configuring VLAN Behavior For Interfaces

    VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 226: Figure 3-101 Configuring VLANs Per Port

    Configuring the Switch • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
  • Page 227: IEEE 802.1Q Tunneling

    VLAN Configuration CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. Console(config)#interface ethernet 1/3 4-172 Console(config-if)#switchport acceptable-frame-types tagged 4-228 Console(config-if)#switchport ingress-filtering...
  • Page 228 Configuring the Switch processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
  • Page 229 VLAN Configuration 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: •...
  • Page 230 Configuring the Switch Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
  • Page 231: Enabling QinQ Tunneling On The Switch

    VLAN Configuration Enabling QinQ Tunneling on the Switch The switch can be configured to operate in normal VLAN mode or IEEE 802.1Q (QinQ) tunneling mode which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. Command Attributes 802.1Q Tunnel Status –...
  • Page 232: Figure 3-103 Tunnel Port Configuration

    Configuring the Switch the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port. •...
  • Page 233: Private VLANs

    VLAN Configuration CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#switchport dot1q-tunnel mode access 4-235 Console(config-if)#switchport dot1q-tunnel tpid 9100 4-236...
  • Page 234: Displaying Current Private VLANs

    Configuring the Switch channeling all other traffic through promiscuous ports). Then assign any promiscuous ports to a primary VLAN and any host ports to a community VLAN. To configure an isolated VLAN, follow these steps: Use the Private VLAN Configuration menu (page 3-189) to designate an isolated VLAN that will channel all traffic through a single promiscuous port.
  • Page 235: Configuring Private VLANs

    VLAN Configuration CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 236: Associating VLANs

    Configuring the Switch Associating VLANs Each community VLAN must be associated with a primary VLAN. Command Attributes • Primary VLAN ID – ID of primary VLAN (2-4094). • Association – Community VLANs associated with the selected primary VLAN. • Non-Association – Community VLANs not associated with the selected VLAN. Web –...
  • Page 237: Figure 3-107 Private VLAN Port Information

    VLAN Configuration • Primary VLAN – Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the associated secondary VLANs. • Community VLAN – Conveys traffic between community ports, and from community ports to their designated promiscuous ports. •...
  • Page 238: Configuring Private VLAN Interfaces

    Configuring the Switch Configuring Private VLAN Interfaces Use the Private VLAN Port Configuration page to set the private VLAN interface type, and assign the interfaces to a private VLAN. Command Attributes • Port – The switch interface. • PVLAN Port Type – Sets the private VLAN port types. - Normal –...
  • Page 239: Protocol VLANs

    VLAN Configuration CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 240: Configuring Protocol VLAN Groups

    Configuring the Switch • Up to 5 Protocol VLAN groups can be concurrently mapped per port. One Protocol VLAN group for each of the predefined protocols can be mapped to a port, while a maximum of two groups based on user defined frame and protocol settings can be mapped per port.
  • Page 241: Figure 3-109 Protocol VLAN Configuration

    VLAN Configuration Web – Click VLAN, Protocol VLAN, Configuration. For predefined protocol types, enter a protocol group ID and protocol type. For user defined protocol types, enter the protocol group ID, frame type, and a hexadecimal value for the protocol type. Click Apply.
  • Page 242: Configuring Protocol VLAN Interfaces

    Configuring the Switch Configuring Protocol VLAN Interfaces Use the Protocol VLAN Port Configuration menu to map a Protocol VLAN Group to a VLAN for the currently selected port or trunk. Command Usage • Before assigning a protocol group and associated VLAN to a port or trunk, first select the required interface from the scroll-down list and click Query.
  • Page 243: Voice VLANs

    VLAN Configuration CLI - This example shows Port 1 configured with Protocol VLAN Group 1 mapped to VLAN 5 and Protocol VLAN Group 2 mapped to VLAN 6. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#protocol-vlan protocol-group 1 vlan 5 4-245 Console(config-if)#protocol-vlan protocol-group 2 vlan 6 Voice VLANs When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic.
  • Page 244: Configuring VoIP Traffic Ports

    Configuring the Switch Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply. Figure 3-111 Configuring VoIP Traffic CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, and then sets the VLAN aging time to 3000 seconds.
  • Page 245: Figure 3-112 VoIP Traffic Port Configuration

    VLAN Configuration address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
  • Page 246: Configuring Telephony OUI

    Configuring the Switch CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status. Console(config)#interface ethernet 1/2 Console(config-if)#switchport voice vlan auto 4-250 Console(config-if)#switchport voice vlan security 4-251 Console(config-if)#switchport voice vlan rule oui 4-251 Console(config-if)#switchport voice vlan priority 5 4-252 Console(config-if)#exit...
  • Page 247: Link Layer Discovery Protocol

    Link Layer Discovery Protocol Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
  • Page 248: Setting LLDP Timing Attributes

    Configuring the Switch Setting LLDP Timing Attributes Use the LLDP Configuration screen to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.
  • Page 249: Figure 3-114 LLDP Configuration

    Link Layer Discovery Protocol lldpRemTablesChange notification-events missed due to throttling or transmission loss. • MED Fast Start Count – Configures the number of LLDP-MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. (Range: 1-10 packets; Default: 4 packets) The MED Fast Start Count parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port.
  • Page 250: Configuring LLDP Interface Attributes

    Configuring the Switch Configuring LLDP Interface Attributes Use the LLDP Port/Trunk Configuration to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 251 Link Layer Discovery Protocol Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
  • Page 252: Figure 3-115 Lldp Port Configuration

    Configuring the Switch Web – Click LLDP, Port/Trunk Configuration. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, select the information to advertise in LLDP messages, select the information to advertise in MED-TLV messages and specify whether or not to send MED notifications. Then click Apply. Figure 3-115 LLDP Port Configuration CLI –...
  • Page 253: Displaying Lldp Local Device Information

    Link Layer Discovery Protocol Displaying LLDP Local Device Information Use the LLDP Local Device Information screen to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information. Field Attributes Global Settings • Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent.
  • Page 254: Figure 3-116 Lldp Local Device Information

    Configuring the Switch • System Capabilities Enabled – The primary function(s) of the system which are currently enabled. Refer to the preceding table. • Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  • Page 255: Displaying Lldp Remote Port Information

    Link Layer Discovery Protocol CLI – This example displays LLDP information for the local switch. Console#show lldp info local-device 4-273 LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : Layer2+ Fast Ethernet Standalone Switch 24FE+4G System Capabilities Support : Bridge System Capabilities Enable : Bridge...
  • Page 256: Displaying Lldp Remote Information Details

    Configuring the Switch Web – Click LLDP, Remote Port/Trunk Information. Figure 3-117 LLDP Remote Port Information CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP. Console#show lldp info remote-device 4-274 LLDP Remote Devices Information Interface | ChassisId...
  • Page 257: Figure 3-118 Lldp Remote Information Details

    Link Layer Discovery Protocol Table 3-17 Port ID Subtype (Continued) ID Basis Reference Agent circuit ID agent circuit ID (IETF RFC 3046) Locally assigned locally assigned • System Name – A string that indicates the system’s administratively assigned name. • System Description – A textual description of the network entity. •...
  • Page 258: Displaying Lldp Device Statistics

    Configuring the Switch CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch. Console#show lldp info remote-device detail ethernet 1/1 4-274 LLDP Remote Devices Information Detail --------------------------------------------------------------- Local PortName : Eth 1/1 Chassis Type : MAC Address Chassis Id...
  • Page 259: Figure 3-119 Lldp Device Statistics

    Link Layer Discovery Protocol Web – Click LLDP, Device Statistics. Figure 3-119 LLDP Device Statistics CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch. switch#show lldp info statistics 4-275 LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count Neighbor Entries Deleted Count...
  • Page 260: Displaying Detailed Lldp Device Statistics

    Configuring the Switch Displaying Detailed LLDP Device Statistics Use the LLDP Device Statistics Details screen to display detailed statistics for LLDP-capable devices attached to specific interfaces on the switch. Field Attributes • Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV.
  • Page 261: Class Of Service Configuration

    Class of Service Configuration CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch. switch#show lldp info statistics detail ethernet 1/1 4-275 LLDP Port Statistics Detail PortName : Eth 1/1 Frames Discarded Frames Invalid Frames Received...
  • Page 262: Figure 3-121 Port Priority Configuration

    Configuring the Switch Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port.
  • Page 263: Mapping Cos Values To Egress Queues

    Class of Service Configuration Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on Strict, Weighted Round Robin (WRR), or Hybrid. Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 264: Figure 3-122 Traffic Classes

    Configuring the Switch Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-122 Traffic Classes CLI – The following example shows how to change the CoS assignments. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#queue cos-map 0 0...
  • Page 265: Selecting The Queue Mode

    Class of Service Configuration Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue, or a combination of strict service for the high priority queues and weighted queueing for the remaining queues.
  • Page 266: Setting The Service Weight For Traffic Classes

    Configuring the Switch Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-217, the traffic classes are mapped to one of the eight egress queues provided for each port.
  • Page 267: Layer 3/4 Priority Settings

    Class of Service Configuration CLI – The following example shows how to configure the WRR weights for each priority queue, then how to display the WRR weights assigned to each of the priority queues. Console(config)#queue bandwidth 1 2 4 8 4-279 Console(config)#end Console#show queue bandwidth...
  • Page 268: Table 3-20 Ip Dscp To Cos Queue Mapping

    Configuring the Switch The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS queue 0. Table 3-20 IP DSCP to CoS Queue Mapping IP DSCP Value CoS Queue 0, 8 10, 12, 14, 16, 18, 20, 22, 24...
  • Page 269: Mapping Ip Port Priority

    Class of Service Configuration CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS queue 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp 4-282 Console(config)#map ip dscp 0 cos 1 Console(config)#end Console#show map ip dscp 4-287...
  • Page 270: Figure 3-128 Ip Port Priority

    Configuring the Switch Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS queue in the Class of Queue Service box, and then click Apply. Figure 3-128 IP Port Priority CLI –...
  • Page 271: Mapping Ip Precedence Priority

    Class of Service Configuration Mapping IP Precedence Priority The Type of Service (TOS) octet in the IPv4 header includes three precedence bits (see page 3-227) defining eight different priority levels ranging from highest priority (7) for network control packets to lowest priority (0) for routine traffic. Bits 6 and 7 are used for network control, and the other bits for various application types.
  • Page 272: Figure 3-130 Mapping Ip Precedence To Class Of Service Queues

    Configuring the Switch Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply. Figure 3-130 Mapping IP Precedence to Class of Service Queues CLI –...
  • Page 273: Mapping Ip Tos Priority

    Class of Service Configuration Mapping IP TOS Priority The Type of Service (TOS) octet in the IPv4 header is divided into three parts: Precedence (3 bits), TOS (4 bits), and MBZ (1 bit). The Precedence bits indicate the importance of a packet, whereas the TOS bits indicate how the network should make tradeoffs between throughput, delay, reliability, and cost (as defined in RFC 1394).
  • Page 274: Figure 3-133 Mapping Ip Tos To Class Of Service Queues

    Configuring the Switch Click Priority, IP TOS Priority. Select an IP TOS value in the IP TOS Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply. Figure 3-133 Mapping IP TOS to Class of Service Queues CLI –...
  • Page 275: Mapping Cos Values To Acls

    Class of Service Configuration Mapping CoS Values to ACLs Use the ACL CoS Priority page to set the output queue for packets matching a configured ACL rule. For information on configuring ACLs, see “Access Control Lists” on page 3-102. Command Usage You must configure an ACL before you can map a CoS queue to the rule.
  • Page 276: Quality Of Service

    Configuring the Switch Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
  • Page 277: Configuring A Class Map

    Quality of Service Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class. - When the Class Configuration page opens, fill in the “Class Name”...
  • Page 278: Figure 3-135 Configuring Class Maps

    Configuring the Switch Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-135 Configuring Class Maps CLI – This example creates a class map called “rd_class,” and sets it to match packets matching the access list “rd.”...
  • Page 279: Creating Qos Policies

    Quality of Service Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-231. - Open the Policy Map page, and click Add Policy.
  • Page 280 Configuring the Switch • Back – Returns to the previous page without making any changes. Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS or DSCP value in a matching packet (as specified in Match Class Settings on page 3-231).
  • Page 281: Figure 3-136 Configuring Policy Maps

    Quality of Service Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-136 Configuring Policy Maps 3-235...
  • Page 282: Attaching A Policy Map To Ingress Queues

    Configuring the Switch CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to drop the violating packets. Console(config)#policy-map rd_policy#3 4-292 Console(config-pmap)#class rd_class#3 4-293 Console(config-pmap-c)#set ip dscp 4 4-294 Console(config-pmap-c)#police 100000 1522 exceed-action drop...
  • Page 283: Multicast Filtering

    Multicast Filtering Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
  • Page 284: Layer 2 Igmp (Snooping And Query)

    Configuring the Switch Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-239) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
  • Page 285: Configuring Igmp Snooping And Query Parameters

    Multicast Filtering Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-245). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
  • Page 286: Figure 3-138 Igmp Configuration

    Configuring the Switch • IGMP Report Delay — Sets the time the switch waits after receiving an IGMP Report for an IP multicast address on a port before it sends an IGMP Query out of that port and removes the entry from its list. (Range: 5-25 seconds; Default: 10) •...
  • Page 287: Enabling Igmp Immediate Leave

    Multicast Filtering CLI – This example modifies the settings for multicast filtering, and then displays the current status. Console(config)#ip igmp snooping 4-299 Console(config)#ip igmp snooping querier 4-303 Console(config)#ip igmp snooping query-count 10 4-304 Console(config)#ip igmp snooping query-interval 100 4-305 Console(config)#ip igmp snooping query-max-response-time 20 4-305 Console(config)#ip igmp snooping router-port-expire-time 300 4-306...
  • Page 288: Displaying Interfaces Attached To A Multicast Router

    Configuring the Switch Command Attributes • VLAN ID – VLAN Identifier. (Range: 1-4094). • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled) Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
  • Page 289: Specifying Static Interfaces For A Multicast Router

    Multicast Filtering Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers. Figure 3-140 Displaying Multicast Router Port Information CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
  • Page 290: Displaying Port Members Of Multicast Services

    Configuring the Switch Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.
  • Page 291: Assigning Ports To Multicast Services

    Multicast Filtering Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-142 IP Multicast Registration Table CLI –...
  • Page 292: Igmp Filtering And Throttling

    Configuring the Switch • Multicast IP – The IP address for a specific multicast service • Port or Trunk – Specifies the interface attached to a multicast router/switch. Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add.
  • Page 293: Enabling Igmp Filtering And Throttling

    Multicast Filtering IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 294: Configuring Igmp Filter Profiles

    Configuring the Switch Configuring IGMP Filter Profiles When you have created an IGMP profile number, you can then configure the multicast groups to filter and set the access mode. Command Usage • Each profile has only one access mode; either permit or deny. •...
  • Page 295: Configuring Igmp Filtering And Throttling For Interfaces

    Multicast Filtering Web – Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile number you want to configure; then click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list.
  • Page 296: Figure 3-146 Igmp Filter And Throttling Port Configuration

    Configuring the Switch • IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 297: Multicast Vlan Registration

    Multicast VLAN Registration CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#ip igmp filter 19 4-311 Console(config-if)#ip igmp max-groups 64...
  • Page 298: Configuring Global Mvr Settings

    Configuring the Switch [Figure: MVR topology showing a Multicast Router, Satellite Services, the Service Network, a Multicast Server, the Source Port of a Layer 2 Switch, Receiver Ports, and two Set-top Boxes] General Configuration Guidelines for MVR 1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings”...
  • Page 299: Figure 3-147 Mvr Global Configuration

    Multicast VLAN Registration Command Attributes • MVR Status – When MVR is enabled on the switch, any multicast data associated with an MVR group is sent from all designated source ports, and to all receiver ports that have registered to receive data from that multicast group. (Default: Disabled) •...
  • Page 300: Displaying Mvr Interface Status

    Configuring the Switch CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses. Console(config)#ip igmp snooping 4-299 Console(config)#mvr 4-315 Console(config)#mvr group 228.1.23.1 10 4-315 Console(config)# Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes •...
  • Page 301: Displaying Port Members Of Multicast Groups

    Multicast VLAN Registration Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. •...
  • Page 302: Configuring Mvr Interface Status

    Configuring the Switch Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
  • Page 303: Assigning Static Multicast Groups To Interfaces

    Multicast VLAN Registration - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.) •...
  • Page 304: Figure 3-151 Mvr Group Member Configuration

    Configuring the Switch • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. Command Attributes • Interface – Indicates a port or trunk. •...
  • Page 305: Switch Clustering

    Switch Clustering Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 306: Configuring General Settings For Clusters

    Configuring the Switch Configuring General Settings for Clusters To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with the network IP subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
  • Page 307: Configuring Cluster Members

    Switch Clustering CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool. Console(config)#cluster 4-64 Console(config)#cluster commander 4-64 Console(config)#cluster ip-pool 10.2.3.4 4-65 Console(config)#end Console#show cluster 4-67 Role: commander Interval heartbeat: Heartbeat loss count: 3...
  • Page 308: Displaying Information On Cluster Members

    Configuring the Switch CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-66 Console(config)#end Console#show cluster candidates 4-67 Cluster Candidates: Role Description --------------- ----------------- ---------------------------------------- MEMBER TOBE 00-12-34-56-78-9a...
  • Page 309: Displaying Information On Cluster Candidates

    Switch Clustering Displaying Information on Cluster Candidates Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members. Command Attributes • Role – Indicates the current status of Candidate switches in the network. •...
  • Page 311: Chapter 4: Command Line Interface

    Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 312: Telnet Connection

    Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 313: Entering Commands

    Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 314: Showing Commands

    Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 315: Partial Keyword Lookup

    Entering Commands The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Interface counters information protocol-group Protocol group status Interface status information switchport Interface switchport information Console#show interfaces Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 316: Understanding Command Modes

    Command Line Interface Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
  • Page 317: Configuration Commands

    Entering Commands Username: guest Password: [guest login password] CLI session with the 24FE+4G is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings.
  • Page 318: Command Line Processing

    Command Line Interface Table 4-2 Configuration Modes (Continued) Mode Command Prompt Page MSTP spanning-tree mst-configuration Console(config-mstp)# 4-207 Policy Map policy map Console(config-pmap) 4-292 Server Group aaa group server radius Console(config-sg-radius) 4-97 4-97 aaa group server tacacs+ Console(config-sg-tacacs+) VLAN vlan database Console(config-vlan) 4-225 For example, you can use the following commands to enter interface configuration...
  • Page 319: Command Groups

    Command Groups Command Groups The system commands can be broken down into the functional groups shown below. Table 4-4 Command Groups Command Group Description Page General Basic commands for entering privileged access mode, restarting the 4-10 system, or quitting the CLI System Management Display and setting of system information, basic modes of operation, 4-15...
  • Page 320: General Commands

    Command Line Interface The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) NE (Normal Exec) CM (Class Map Configuration) PE (Privileged Exec) GC (Global Configuration) PM (Policy Map Configuration) IC (Interface Configuration) SG (Server Group) LC (Line Configuration) VC (VLAN Database Configuration)
  • Page 321: Disable

    General Commands Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-85.) • The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
  • Page 322: Configure

    Command Line Interface configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 323: Reload

    General Commands The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
  • Page 324: End

    Command Line Interface Example Console(config)#prompt RD2 RD2(config)# This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, and VLAN Database Configuration. Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: Console(config-if)#end Console#...
  • Page 325: System Management Commands

    System Management Commands Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program. Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification Username: System Management Commands These commands are used to control system logs, passwords, user names, browser...
  • Page 326: Device Designation Commands

    Command Line Interface Device Designation Commands Table 4-7 Device Designation Commands Command Function Mode Page hostname Specifies the host name for the switch 4-16 snmp-server contact Sets the system contact string 4-71 snmp-server location Sets the system location string 4-72 hostname This command specifies or modifies the host name for this device.
  • Page 327: Banner Configure

    System Management Commands Table 4-8 Banner Commands (Continued) Command Function Mode Page banner configure Configures Equipment information displayed by the banner 4-20 equipment-info banner configure Configures Equipment Location information displayed by the 4-21 equipment-location banner banner configure Configures IP and LAN information displayed by the banner 4-21 ip-lan banner configure...
  • Page 328: Banner Configure Company

    Command Line Interface Example Console(config)#banner configure Company: Edge-corE Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Jr. Network Admin phone number: 123-555-1213 Manager3 name: Night-shift Net Admin / Janitor phone number: 123-555-1214 The physical location of the equipment.
  • Page 329: Banner Configure Dc-Power-Info

    System Management Commands Example Console(config)#banner configure company Edge-corE Console(config)# banner configure dc-power-info This command is used to configure the DC power information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id no banner configure dc-power-info [floor | row | rack | electrical-circuit] floor-id - The floor number.
  • Page 330: Banner Configure Equipment-Info

    Command Line Interface Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
  • Page 331: Banner Configure Equipment-Location

    System Management Commands Example Console(config)#banner configure equipment-info manufacturer-id switch35 floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-corE Console(config)# banner configure equipment-location This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure equipment-location location no banner configure equipment-location...
  • Page 332: Banner Configure Lp-Number

    Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
  • Page 333: Banner Configure Manager-Info

    banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] no banner configure manager-info [name1 | name2 | name3] mgr1-name - The name of the first manager.
  • Page 334: Banner Configure Note

    Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
  • Page 335: Show Banner

    show banner This command displays all banner information. Command Mode Normal Exec, Privileged Exec Example Console#show banner Edge-corE WARNING - MONITORED ACTIONS AND ACCESSES R&D_Dept Albert_Einstein - 123-555-1212 Steve - 123-555-9876 Lamar - 123-555-3322 Station's information: 710_Network_Path,Indianapolis Edge-corE - switch35 Floor / Row / Rack / Sub-Rack 7 / 10 / 15 / 6...
  • Page 336: Show Startup-Config

    show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 337: Related Commands

    Example Console#show startup-config building startup-config, please wait..!<stackingDB>00</stackingDB> !<stackingMac>01_00-12-cf-7d-25-bc_01</stackingMac> phymap 00-12-cf-7d-25-bc SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 broadcast byte-rate 1000 level 5 snmp-server community public ro snmp-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca...
  • Page 338: Show Running-Config

    show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 339

    Example Console#show running-config building startup-config, please wait..!<stackingDB>00</stackingDB> !<stackingMac>01_00-12-cf-7d-25-bc_01</stackingMac> phymap 00-12-cf-7d-25-bc SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 broadcast byte-rate 1000 level 5 no dot1q-tunnel system-tunnel-control SNMP-server community public ro SNMP-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca...
  • Page 340: Show System

    show system This command displays system information. Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12. • The POST results should all display “PASS.” If any POST test indicates “FAIL,”...
  • Page 341: Show Version

    Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console admin 0:14:14 VTY 0 admin 0:00:00 192.168.1.19 SSH 1 steve...
  • Page 342: Frame Size Commands

    Frame Size Commands This section describes commands used to configure the Ethernet frame size on the switch. Table 4-10 Frame Size Commands Command Function Mode Page jumbo frame Enables support for jumbo frames 4-32 jumbo frame This command enables support for jumbo frames. Use the no form to disable it. Syntax [no] jumbo frame Default Setting...
  • Page 343: File Management Commands

    File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 344: Copy

    copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 345

    • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate”...
  • Page 346: Delete

    The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 347: Dir

    Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory for unit 1.
  • Page 348: Whichboot

    Example The following example shows how to display all file information: Console#dir File name File type Startup Size (byte) ------------------------------------- -------------- ------- ----------- Unit1: 24FE+4G_DIAG_V0011.bix Boot-Rom Image 305424 24FE+4G_RUNTIME_V0035_m.bix Operation Code 3018936 Factory_Default_Config.cfg Config File startup1.cfg Config File 4648 --------------------------------------------------------------------------- Total free space:...
  • Page 349: Line Commands

    Line Commands Command Mode Global Configuration Command Usage • A colon (:) is required after the specified unit number and file type. • If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-37)
  • Page 350: Line

    line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 351: Password

    Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authentication via the user name and password specified by the username command (i.e., default setting).
  • Page 352: Timeout Login Response

    Command Usage • When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
  • Page 353: Exec-Timeout

    Example To set the timeout to two minutes, enter this command: Console(config-line)#timeout login response 120 Console(config-line)# Related Commands silent-time (4-44) exec-timeout (4-43) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout...
  • Page 354: Password-Thresh

    password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120;...
  • Page 355: Databits

    Command Mode Line Configuration Example To set the silent time to 60 seconds, enter this command: Console(config-line)#silent-time 60 Console(config-line)# Related Commands password-thresh (4-44) databits This command sets the number of data bits per character that are interpreted and generated by the console port.
  • Page 356: Parity

    parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity • none - No parity • even - Even parity •...
  • Page 357: Stopbits

    Example To specify 57600 bps, enter this command: Console(config-line)#speed 19200 Console(config-line)# stopbits This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax stopbits {1 | 2} •...
  • Page 358: Show Line

    Related Commands show ssh (4-116) show users (4-30) show line This command displays the terminal line’s parameters. Syntax show line [console | vty] • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting Shows all lines Command Mode...
  • Page 359: Event Logging Commands

    Event Logging Commands This section describes commands used to configure event logging on the switch. Table 4-14 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-49 logging history Limits syslog messages saved to switch memory based on 4-50 severity logging host...
  • Page 360: Logging History

    logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 361: Logging Host

    logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 362: Logging Trap

    logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 363: Show Logging

    Related Commands show logging (4-53) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
  • Page 364: Show Log

    The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
  • Page 365: Smtp Alert Commands

    Example The following example shows sample messages stored in RAM. Console#show log ram [1] 00:00:38 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:00:37 2001-01-01 "System coldStart notification." level: 6, module: 5, function: 1, and event no.: 1 Console# SMTP Alert Commands...
  • Page 366: Logging Sendmail Level

    • To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again.
  • Page 367: Logging Sendmail Destination-Email

    Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example This example will set the source email john@acme.com. Console(config)#logging sendmail source-email john@acme.com Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages.
  • Page 368: Show Logging Sendmail

    Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------- 1. 192.168.1.200 SMTP minimum severity level: 4 SMTP destination email addresses ----------------------------------------------- 1.
  • Page 369: Sntp Client

    sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests. Syntax [no] sntp client Default Setting Disabled Command Mode Global Configuration...
  • Page 370: Sntp Server

    sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
  • Page 371: Show Sntp

    Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-59) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending...
  • Page 372: Calendar Set

    Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 373: Table 4-20 Switch Cluster Commands

    Command Mode Normal Exec, Privileged Exec Example Console#show calendar 15:12:43 April 1 2004 Console# Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 374: Cluster

    cluster This command enables clustering on the switch. Use the no form to disable clustering. Syntax [no] cluster Default Setting Enabled Command Mode Global Configuration Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander.
  • Page 375: Cluster Ip-Pool

    • Cluster Member switches can be managed using a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch. Example Console(config)#cluster commander Console(config)# cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address.
  • Page 376: Cluster Member

    cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. Syntax cluster member mac-address mac-address id member-id no cluster member id member-id • mac-address - The MAC address of the Candidate switch. •...
  • Page 377: Show Cluster

    show cluster This command shows the switch clustering configuration. Command Mode Privileged Exec Example Console#show cluster Role: commander Interval heartbeat: Heartbeat loss count: 3 Number of Members: Number of Candidates: 2 Console# show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example...
  • Page 378: Snmp Commands

    SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 379: Show Snmp

    SNMP Commands Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 380: Snmp-Server Community

    Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors...
  • Page 381: Snmp-Server Contact

    Default Setting • public - Read-only access. Authorized management stations are only able to retrieve MIB objects. • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)#...
  • Page 382: Snmp-Server Location

    snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 383

    • version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) - auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol”...
  • Page 384: Snmp-Server Enable Traps

    To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 4-68). 2. Allow the switch to send SNMP traps; i.e., notifications (page 4-74). 3. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
  • Page 385: Snmp-Server Engine-Id

    Command Usage • If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
  • Page 386: Show Snmp Engine-Id

    Command Usage • An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
  • Page 387: Snmp-Server View

    Table 4-22 show snmp engine-id - display description Field Description Local SNMP engineID String identifying the engine ID. Local SNMP engineBoots The number of times that the engine has (re-)initialized since the snmp EngineID was last configured. Remote SNMP engineID String identifying an engine ID on a remote device.
  • Page 388: Show Snmp View

    This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included...
  • Page 389: Snmp-Server Group

    snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
  • Page 390: Show Snmp Group

    show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
  • Page 391: Snmp-Server User

    Table 4-24 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry.
  • Page 392: Show Snmp User

    Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-75) to specify the engine ID for the remote device where the user resides.
  • Page 393: Authentication Commands

    Authentication Commands Table 4-25 show snmp user - display description Field Description EngineId String identifying the engine ID. User Name Name of user connecting to the SNMP agent. Authentication Protocol The authentication protocol used with SNMPv3. Privacy Protocol The privacy protocol used with SNMPv3. Storage Type The storage type for this entry.
  • Page 394: User Account Commands

    User Account Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-39), user authentication via a remote authentication server (page 4-83), and host access authentication for specific ports (page 4-118).
  • Page 395: Enable Password

    Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how to set the access level and password for a user.
  • Page 396: Authentication Sequence

    Related Commands enable (4-10) authentication enable (4-87) Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 4-29 Authentication Sequence Command Function...
  • Page 397: Authentication Enable

    Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-84) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-10).
  • Page 398: Radius Client

    RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 399: Radius-Server Auth-Port

    Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server auth-port This command sets the RADIUS server port used for authentication messages. Use the no form to restore the default. Syntax radius-server auth-port port_number no radius-server auth-port...
  • Page 400: Radius-Server Key

    Example Console(config)#radius-server acct-port 8181 Console(config)# radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
  • Page 401: Radius-Server Timeout

    radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 402: Show Radius-Server

    show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Global Settings: Communication Key with RADIUS Server: Auth-Port: 1812 Acct-port: 1813 Retransmit Times: Request Timeout: Server 1: Server IP Address: 10.1.2.3...
  • Page 403: Tacacs-Server Host

    tacacs-server host This command specifies TACACS+ servers and parameters. Use the no form to restore the default. Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
  • Page 404: Tacacs-Server Key

    Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
  • Page 405: Tacacs-Server Timeout

    tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 406: Show Tacacs-Server

    show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS+ server configuration: Global Settings: Communication Key with TACACS+ Server: Server Port Number: Retransmit Times Request Times Server 1: Server IP address:...
  • Page 407: Aaa Group Server

    Table 4-32 AAA Commands (Continued) Command Function Mode Page accounting exec Applies an accounting method to local console, Telnet or Line 4-102 SSH connections accounting commands Applies an accounting method to CLI commands entered Line 4-102 by a user aaa authorization exec Enables authorization of Exec sessions 4-103...
  • Page 408: Aaa Accounting Dot1X

    Command Mode Server Group Configuration Command Usage • When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command (see page 4-88). • When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command (see page 4-93).
  • Page 409: Aaa Accounting Exec

    Command Usage Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use. Example Console(config)#aaa accounting dot1x default start-stop group radius Console(config)#...
  • Page 410: Aaa Accounting Commands

    Example Console(config)#aaa accounting exec default start-stop group tacacs+ Console(config)# aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group} no aaa accounting commands level {default | method-name} •...
  • Page 411: Aaa Accounting Update

    aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes) Default Setting 1 minute...
  • Page 412: Accounting Exec

    Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec •...
  • Page 413: Aaa Authorization Exec

    Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} •...
  • Page 414: Authorization Exec

    Command Line Interface authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec • default - Specifies the default method list created with the aaa authorization exec command (page 4-103).
  • Page 415: Web Server Commands

    Authentication Commands Command Mode Privileged Exec Example Console#show accounting Accounting type: dot1x Method list: default Group list: radius Interface: Method list: tps Group list: radius Interface: eth 1/2 Accounting type: Exec Method list: default Group list: radius Interface: vty Console# Web Server Commands This section describes commands used to configure web browser management access to the switch.
  • Page 416: Ip Http Server

    Command Line Interface Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-106) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled...
  • Page 417: Ip Http Secure-Port

    Authentication Commands • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
  • Page 418: Telnet Server Commands

    Command Line Interface Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000...
  • Page 419: Secure Shell Commands

    Authentication Commands Example Console(config)#ip telnet server Console(config)#ip telnet port 123 Console(config)# Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
  • Page 420 Command Line Interface To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 421: Ip Ssh Server

    Authentication Commands Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
  • Page 422: Ip Ssh Timeout

    Command Line Interface • The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. •...
  • Page 423: Ip Ssh Authentication-Retries

    Authentication Commands ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
  • Page 424: Delete Public-Key

    Command Line Interface delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
  • Page 425: Ip Ssh Crypto Zeroize

    Authentication Commands Related Commands ip ssh crypto zeroize (4-115) ip ssh save host-key (4-115) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
  • Page 426: Show Ip Ssh

    Command Line Interface Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (4-114) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99...
  • Page 427: Show Public-Key

    Authentication Commands Table 4-37 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
  • Page 428: 802.1X Port Authentication

    Command Line Interface Example Console#show public-key host Host: RSA: ... DSA: ssh-dss ... Console# 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication.
  • Page 429: Dot1X System-Auth-Control

    Authentication Commands dot1x system-auth-control This command enables 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
  • Page 430: Dot1X Port-Control

    Command Line Interface Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control •...
  • Page 431: Dot1X Re-Authenticate

    Authentication Commands Default Single-host Command Mode Interface Configuration Command Usage • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-120). • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
  • Page 432: Dot1X Re-Authentication

    Command Line Interface dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
  • Page 433: Dot1X Timeout Re-Authperiod

    Authentication Commands Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds. (Range: 1-65535) Default 3600 seconds Command Mode...
  • Page 434: Dot1X Intrusion-Action

    Command Line Interface dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default. Syntax dot1x intrusion-action {block-traffic | guest-vlan} no dot1x intrusion-action...
  • Page 435 Authentication Commands Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface, including the following items: - Status –...
  • Page 436 Command Line Interface - Reauth Count – Number of times connecting state is re-entered. • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initialize). - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
  • Page 437 Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/28 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800...
  • Page 438: Management Ip Filter Commands

    Command Line Interface Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 4-39 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access 4-128 show management Displays the IP addresses that are allowed management access PE 4-129 management...
  • Page 439: Show Management

    Authentication Commands Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
  • Page 440: Client Security Commands

    Command Line Interface Client Security Commands This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 441: Port Security Commands

    Client Security Commands Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 442: Network Access ( Mac Address Authentication)

    Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 443: Network-Access Mode

    Client Security Commands Table 4-42 Network Access (Continued) Command Function Mode Page mac-authentication Sets a maximum for mac-authentication authenticated 4-135 max-mac-count MAC addresses on an interface network-access Enables dynamic VLAN assignment from a RADIUS 4-136 dynamic-vlan server network-access guest-vlan Specifies the guest VLAN 4-136 mac-authentication Sets the time period after which a connected MAC...
  • Page 444: Network-Access Max-Mac-Count

    Command Line Interface • MAC authentication cannot be configured on trunk ports. • When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. • The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 445: Mac-Authentication Intrusion-Action

    Client Security Commands mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action [block traffic | pass traffic] no mac-authentication intrusion-action Default Setting Block Traffic Command Mode...
  • Page 446: Network-Access Dynamic-Vlan

    Command Line Interface network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. Syntax [no] network-access dynamic-vlan Default Setting Enabled Command Mode Interface Configuration Command Usage • When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, providing the VLANs have already been created on the switch.
  • Page 447: Mac-Authentication Reauth-Time

    Client Security Commands Command Mode Interface Configuration Command Usage • The VLAN to be used as the guest VLAN must be defined and set as active (see “vlan database” on page 4-225). • When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan”...
  • Page 448: Clear Network-Access

    Command Line Interface clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] • static - Specifies static address entries. • dynamic - Specifies dynamic address entries. •...
  • Page 449: Show Network-Access Mac-Address-Table

    Client Security Commands Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts : 2048 Dynamic VLAN Assignment...
  • Page 450: Web Authentication

    Command Line Interface Example Console#show network-access mac-address-table ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s 00-00-01-02-03-06 172.155.120.17 Static 00d06h35m10s 00-00-01-02-03-07 172.155.120.17 Dynamic 00d06h34m20s Console# Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication methods are infeasible or impractical.
  • Page 451: Web-Auth Login-Attempts

    Client Security Commands web-auth login-attempts This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default. Syntax web-auth login-attempts count no web-auth login-attempts...
  • Page 452: Web-Auth Session-Timeout

    Command Line Interface web-auth session-timeout This command defines the amount of time a web-authentication session remains valid. When the session-timeout has been reached, the host is logged off and must be re-authenticated the next time data is transmitted. Use the no form to restore the default.
  • Page 453: Web-Auth

    Client Security Commands web-auth This command enables web authentication for a port. Use the no form to restore the default. Syntax [no] web-auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for web authentication to be active.
  • Page 454: Web-Auth Re-Authenticate (Ip)

    Command Line Interface web-auth re-authenticate (IP) This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate. Syntax web-auth re-authenticate interface interface ip • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1.
  • Page 455: Show Web-Auth Interface

    Client Security Commands show web-auth interface This command displays interface-specific web authentication parameters and statistics. Syntax show web-auth interface interface • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-20) Default Setting None Command Mode...
  • Page 456: Dhcp Snooping Commands

    Command Line Interface Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------ 1/ 1 Disabled 1/ 2 Enabled 1/ 3 Disabled 1/ 4 Disabled 1/ 5 Disabled DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 457 Client Security Commands Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command (page 4-148), DHCP messages received on an untrusted interface (as specified by the no ip dhcp snooping trust command, page 4-149) from a...
  • Page 458: Ip Dhcp Snooping Vlan

    Command Line Interface • Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (ip dhcp snooping trust, page 4-149). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
  • Page 459: Ip Dhcp Snooping Trust

    Client Security Commands Example This example enables DHCP snooping for VLAN 1. Console(config)#ip dhcp snooping vlan 1 Console(config)# Related Commands ip dhcp snooping (4-146) ip dhcp snooping trust (4-149) ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting.
  • Page 460: Ip Dhcp Snooping Verify Mac-Address

    Command Line Interface Related Commands ip dhcp snooping (4-146) ip dhcp snooping vlan (4-148) ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
  • Page 461: Ip Dhcp Snooping Information Policy

    Client Security Commands Command Usage • DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 462: Show Ip Dhcp Snooping

    Command Line Interface Default Setting replace Command Mode Global Configuration Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. Either the switch can drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
  • Page 463: Show Ip Dhcp Snooping Binding

    Client Security Commands show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example Console#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- --------- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console#...
  • Page 464 Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. •...
  • Page 465: Ip Source-Guard Binding

    Client Security Commands Example This example enables IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# Related Commands ip source-guard binding (4-155) ip dhcp snooping (4-146) ip dhcp snooping vlan (4-148) ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
  • Page 466: Show Ip Source-Guard

    Command Line Interface - If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
  • Page 467: Access Control List Commands

    Access Control List Commands Example Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- --------- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console# Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type).
  • Page 468: Access-List Ip

    Command Line Interface access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address.
  • Page 469: Permit, Deny (Standard Acl)

    Access Control List Commands permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 470: Permit, Deny (Extended Acl)

    Command Line Interface permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source}...
  • Page 471: Show Ip Access-List

    Access Control List Commands specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. • The following control codes may be specified: - 1 (fin) – Finish - 2 (syn) –...
  • Page 472: Ip Access-Group

    Command Line Interface Command Mode Privileged Exec Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.255.0 Console# Related Commands permit, deny (4-159) ip access-group (4-162) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name {in | out} •...
  • Page 473: Show Ip Access-Group

    Access Control List Commands show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Related Commands ip access-group (4-162) map access-list ip This command sets the output queue for packets matching an ACL rule.
  • Page 474: Show Map Access-List Ip

    Command Line Interface Related Commands queue cos-map (4-279) show map access-list ip (4-164) show map access-list ip This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list ip [interface] interface...
  • Page 475: Access-List Mac

    Access Control List Commands access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
  • Page 476: Permit, Deny (Mac Acl)

    Command Line Interface permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 477: Show Mac Access-List

    Access Control List Commands Command Usage • New rules are added to the end of the list. • The ethertype option can only be used to filter Ethernet II formatted packets. • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: - 0800 - IP - 0806 - ARP...
  • Page 478: Mac Access-Group

    Command Line Interface mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) •...
  • Page 479: Map Access-List Mac

    Access Control List Commands map access-list mac This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping. Syntax [no] map access-list mac acl_name cos cos-queue •...
  • Page 480: Show Map Access-List Mac

    Command Line Interface show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list mac [interface] interface •...
  • Page 481: Acl Information

    Access Control List Commands ACL Information Table 4-51 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-171 show access-group Shows the ACLs assigned to each port 4-171 show access-list This command shows all ACLs and associated rules. Command Mode Privileged Exec Example...
  • Page 482: Interface Commands

    Command Line Interface Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-52 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 4-172 mode description...
  • Page 483: Description

    Interface Commands Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 484: Negotiation

    Command Line Interface Note: 1000full operation cannot be forced. The Gigabit Combo ports can only operate at 1000full when auto-negotiation is enabled. Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full.
  • Page 485: Capabilities

    Interface Commands Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. •...
  • Page 486: Flowcontrol

    Command Line Interface Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
  • Page 487: Shutdown

    Interface Commands • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub. Example The following example enables flow control on port 5.
  • Page 488: Broadcast Byte-Rate

    Command Line Interface broadcast byte-rate This command configures broadcast storm control threshold. Syntax broadcast byte-rate scale level level • scale – The threshold scale. (Options: 1, 10, 100, 1000 Kbytes per second) • level – The threshold level. (Range: 1-127) Default Setting Threshold Scale: 1000 Kbytes per second Threshold Level: 5...
  • Page 489: Clear Counters

    Interface Commands Command Usage This command enables or disables broadcast storm control for the selected interface. However, the threshold value, specified using the broadcast byte-rate command, applies to all ports on the switch. Example The following shows how to enable broadcast storm control for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast Console(config-if)#...
  • Page 490: Show Interfaces Status

    Command Line Interface show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-12) •...
  • Page 491: Show Interfaces Counters

    Interface Commands show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-12) Default Setting Shows the counters for all interfaces.
  • Page 492: Show Interfaces Switchport

    Command Line Interface Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1...
  • Page 493: Table 4-53 Interfaces Switchport Statistics

    Interface Commands Example This example shows the configuration setting for port 2. Console#show interfaces switchport ethernet 1/2 Information of Eth 1/2 Broadcast Threshold: Enabled, scale:1000K level:5 octets/second LACP Status: Disabled Ingress Rate Limit: Disabled, scale:10M level:1 Egress Rate Limit: Disabled, scale:10M level:1 VLAN Membership Mode: Hybrid Ingress Rule:...
  • Page 494: Link Aggregation Commands

    Command Line Interface Table 4-53 Interfaces Switchport Statistics (Continued) Field Description 802.1Q-tunnel Status Shows if 802.1Q tunnel is enabled on this interface (page 4-235). 802.1Q-tunnel Mode Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 4-235). 802.1Q-tunnel TPID Shows the Tag Protocol Identifier used for learning and switching packets (page 4-236).
  • Page 495: Channel-Group

    Link Aggregation Commands • All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the SFP transceivers can be trunked together, including those of different media types.
  • Page 496: Lacp

    Command Line Interface Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting...
  • Page 497: Lacp System-Priority

    Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 498: Lacp Admin-Key (Ethernet Interface)

    Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 499: Lacp Admin-Key (Port Channel)

    Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 500: Lacp Port-Priority

    Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 501: Show Lacp

    Link Aggregation Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} • port-channel - Local identifier for a link aggregation group. (Range: 1-12) • counters - Statistics for LACP protocol messages. •...
  • Page 502: Table 4-56 Show Lacp Internal - Display Description

    Command Line Interface Console#show lacp 1 internal Port channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP-activity Oper State : distributing, collecting, synchronization, aggregation,...
  • Page 503 Link Aggregation Commands Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-01-F4-78-AE-C0 Partner Admin Port Number: 2 Partner Oper Port Number: Port Admin Priority: 32768 Port Oper Priority: 32768 Admin Key:...
  • Page 504: Mirror Port Commands

    Command Line Interface Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 Console# Table 4-58 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group.
  • Page 505: Show Port Monitor

    Mirror Port Commands Command Mode Interface Configuration (Ethernet, destination port) Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 506: Rate Limit Commands

    Command Line Interface Example The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------- Destination port(listen port):Eth1/11 Source port(monitored port) :Eth1/6 Mode Console# Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface.
  • Page 507: Address Table Commands

    Address Table Commands Command Mode Interface Configuration (Ethernet) Command Usage The scale and level are multiplied by one another to set the rate limit. For example, to limit port traffic to 500K bytes per second, select the scale as 100K and set the level to 5. Example Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input scale 100k level 5...
  • Page 508: Clear Mac-Address-Table Dynamic

    Command Line Interface • action - - delete-on-reset - Assignment lasts until the switch is reset. - permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent. Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN.
  • Page 509: Show Mac-Address-Table

    Address Table Commands show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
  • Page 510: Mac-Address-Table Aging-Time

    Command Line Interface mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-98301 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode...
  • Page 511: Spanning Tree Commands

    Spanning Tree Commands Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-62 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-202 spanning-tree mode...
  • Page 512: Spanning-Tree

    Command Line Interface spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
  • Page 513: Spanning-Tree Forward-Time

    Spanning Tree Commands Command Usage • Spanning Tree Protocol uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 514: Spanning-Tree Hello-Time

    Command Line Interface Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 515: Spanning-Tree Max-Age

    Spanning Tree Commands spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 516: Spanning-Tree Pathcost Method

    Command Line Interface Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 517: Spanning-Tree Transmission-Limit

    Spanning Tree Commands spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting Command Mode Global Configuration...
  • Page 518: Mst Vlan

    Command Line Interface mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range •...
  • Page 519: Name

    Spanning Tree Commands Default Setting 32768 Command Mode MST Configuration Command Usage • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 520: Revision

    Command Line Interface revision This command configures the revision number for the multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting Command Mode MST Configuration...
  • Page 521: Spanning-Tree Spanning-Disabled

    Spanning Tree Commands specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example Console(config-mstp)#max-hops 30 Console(config-mstp)# spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface.
  • Page 522 Command Line Interface Table 4-64 Recommended STA Path Cost Port Type Link Type IEEE 802.1D-1998 IEEE 802.1w-2001 Ethernet Half Duplex 2,000,000 Full Duplex 1,999,999 Trunk 1,000,000 Fast Ethernet Half Duplex 200,000 Full Duplex 100,000 Trunk 50,000 Gigabit Ethernet Full Duplex 10,000 Trunk 5,000...
  • Page 523: Spanning-Tree Port-Priority

    Spanning Tree Commands spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 524: Spanning-Tree Portfast

    Command Line Interface devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
  • Page 525: Spanning-Tree Link-Type

    Spanning Tree Commands Related Commands spanning-tree edge-port (4-213) spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type •...
  • Page 526: Spanning-Tree Mst Cost

    Command Line Interface spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost •...
  • Page 527: Spanning-Tree Mst Port-Priority

    Spanning Tree Commands spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority •...
  • Page 528: Show Spanning-Tree

    Command Line Interface Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
  • Page 529 Spanning Tree Commands items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-156. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.):...
  • Page 530: Table 4-66 Vlan Command Groups

    Command Line Interface show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- 1,3-4094 Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
  • Page 531: Bridge-Ext Gvrp

    VLAN Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 532: Show Bridge-Ext

    Command Line Interface show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-172 and “Displaying Bridge Extension Capabilities” on page 3-16 for a description of the displayed items.
  • Page 533: Show Gvrp Configuration

    VLAN Commands show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-12) Default Setting Shows both global and interface-specific configuration.
  • Page 534: Show Garp Timer

    Command Line Interface Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
  • Page 535: Editing Vlan Groups

    VLAN Commands Example Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status: Join timer: 100 centiseconds Leave timer: 60 centiseconds Leaveall timer: 1000 centiseconds Console# Related Commands garp timer (4-223) Editing VLAN Groups Table 4-68 Editing VLAN Groups Command Function Mode...
  • Page 536: Vlan

    Command Line Interface vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) •...
  • Page 537: Configuring Vlan Interfaces

    VLAN Commands Configuring VLAN Interfaces Table 4-69 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN 4-227 switchport mode Configures VLAN membership mode for an interface 4-228 switchport Configures frame types to be accepted by an interface 4-228 acceptable-frame-types switchport ingress-filtering...
  • Page 538: Switchport Mode

    Command Line Interface switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {trunk | hybrid | private-vlan} no switchport mode • hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
  • Page 539: Switchport Ingress-Filtering

    VLAN Commands Default Setting All frame types Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged...
  • Page 540: Switchport Native Vlan

    Command Line Interface Example The following example shows how to select port 1 and then enable ingress filtering: Console(config)#interface ethernet 1/1 Console(config-if)#switchport ingress-filtering Console(config-if)# switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
  • Page 541: Switchport Allowed Vlan

    VLAN Commands switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 542: Switchport Forbidden Vlan

    Command Line Interface switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 543: Displaying Vlan Information

    VLAN Commands Displaying VLAN Information Table 4-70 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-233 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-180 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-182 interface...
  • Page 544: Configuring Ieee 802.1Q Tunneling

    Command Line Interface Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 545: Dot1Q-Tunnel System-Tunnel-Control

    VLAN Commands reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode. Syntax [no] dot1q-tunnel system-tunnel-control Default Setting...
  • Page 546: Switchport Dot1Q-Tunnel Tpid

    Command Line Interface • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag. •...
  • Page 547: Show Dot1Q-Tunnel

    VLAN Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel tpid 9100 Console(config-if)# Related Commands show interfaces switchport (4-182) show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end...
  • Page 548: Table 4-72 Private Vlan Commands

    Command Line Interface This section describes commands used to configure private VLANs. Table 4-72 Private VLAN Commands Command Function Mode Page Edit Private VLAN Groups private-vlan Adds or deletes primary, community, or isolated VLANs 4-239 private-vlan association Associates a community VLAN with a primary VLAN 4-240 Configure Private VLAN Interfaces switchport mode...
  • Page 549: Private-Vlan

    VLAN Commands private-vlan Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | primary | isolated} no private-vlan vlan-id • vlan-id - ID of private VLAN. (Range: 1-4094, no leading zeroes). •...
  • Page 550: Private Vlan Association

    Command Line Interface private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
  • Page 551: Switchport Private-Vlan Host-Association

    VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command. •...
  • Page 552: Switchport Private-Vlan Isolated

    Command Line Interface switchport private-vlan isolated Use this command to assign an interface to an isolated VLAN. Use the no form to remove this assignment. Syntax switchport private-vlan isolated isolated-vlan-id no switchport private-vlan isolated isolated-vlan-id - ID of isolated VLAN. (Range: 1-4094). Default Setting None Command Mode...
  • Page 553: Show Private-Vlan

    VLAN Commands Example Console(config)#interface ethernet 1/2 Console(config-if)#switchport private-vlan mapping 2 Console(config-if)# show private-vlan Use this command to show the private VLAN configuration settings on this switch. Syntax show private-vlan [community | isolated | primary] • community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
  • Page 554: Configuring Protocol-Based Vlans

    Command Line Interface Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 555: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    VLAN Commands Default Setting No protocol groups are configured. Command Mode Global Configuration Example The following creates protocol group 1, and specifies the IPX protocol type. Protocol VLAN group 2 is created with protocol-type IPv6 (86DD) and frame-type ethernet specified: Console(config)#protocol-vlan protocol-group 1 add protocol-type ipx Console(config)#protocol-vlan protocol-group 2 add protocol-type 86dd frame-type ethernet...
  • Page 556: Show Protocol-Vlan Protocol-Group

    Command Line Interface Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 2 Console(config-if)# show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups. Syntax show protocol-vlan protocol-group [group-id] group-id - Group identifier for a protocol group.
  • Page 557: Show Interfaces Protocol-Group

    VLAN Commands show interfaces protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-26) •...
  • Page 558: Voice Vlan

    Command Line Interface Table 4-74 Voice VLAN Commands (Continued) Command Function Mode Page switchport voice vlan priority Sets the VoIP traffic priority for ports 4-252 show voice vlan Displays Voice VLAN settings 4-253 voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
  • Page 559: Voice Vlan Aging

    VLAN Commands voice vlan aging This command sets the Voice VLAN membership time out. Use the no form to restore the default. Syntax voice vlan aging minutes no voice vlan minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) Default Setting 1440 minutes...
  • Page 560: Switchport Voice Vlan

    Command Line Interface Command Mode Global Configuration Command Usage • VoIP devices attached to the switch can be identified by the manufacturer’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 561: Switchport Voice Vlan Rule

    VLAN Commands Example The following example sets port 1 to Voice VLAN auto mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan auto Console(config-if)# switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the selected detection method on a port.
  • Page 562: Switchport Voice Vlan Priority

    Command Line Interface Default Setting Disabled Command Mode Interface Configuration Command Usage • Security filtering discards any non-VoIP packets received on a port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch.
  • Page 563: Show Voice Vlan

    VLAN Commands Example The following example sets the CoS priority to 5 on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan priority 5 Console(config-if)# show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
  • Page 564: Lldp Commands

    Command Line Interface LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 565 LLDP Commands Table 4-75 LLDP Commands (Continued) Command Function Mode Page lldp basic-tlv Configures an LLDP-enabled port to advertise its system 4-264 system-name name lldp dot1-tlv proto-ident* Configures an LLDP-enabled port to advertise the supported 4-265 protocols lldp dot1-tlv proto-vid* Configures an LLDP-enabled port to advertise port related 4-265 VLAN information...
  • Page 566: Lldp

    Command Line Interface lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
  • Page 567: Lldp Medfaststartcount

    LLDP Commands lldp medFastStartCount This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Syntax lldp medfaststartcount packets packets - Number of packets. (Range: 1-10 packets; Default: 4 packets) Default Setting 4 packets Command Mode...
  • Page 568: Lldp Refresh-Interval

    Command Line Interface • Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
  • Page 569: Lldp Tx-Delay

    LLDP Commands Default Setting 2 seconds Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 570: Lldp Admin-Status

    Command Line Interface lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status • rx-only - Only receive LLDP PDUs. •...
  • Page 571: Lldp Mednotification

    LLDP Commands of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# lldp mednotification This command enables the transmission of SNMP trap notifications about...
  • Page 572: Lldp Basic-Tlv Management-Ip-Address

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp mednotification Console(config-if)# lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode...
  • Page 573: Lldp Basic-Tlv Port-Description

    LLDP Commands lldp basic-tlv port-description This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature. Syntax [no] lldp basic-tlv port-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
  • Page 574: Lldp Basic-Tlv System-Description

    Command Line Interface lldp basic-tlv system-description This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type,...
  • Page 575: Lldp Dot1-Tlv Proto-Ident

    LLDP Commands lldp dot1-tlv proto-ident This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-ident Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface.
  • Page 576: Lldp Dot1-Tlv Pvid

    Command Line Interface lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv pvid Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see switchport native...
  • Page 577: Lldp Dot3-Tlv Link-Agg

    LLDP Commands lldp dot3-tlv link-agg This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv link-agg Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
  • Page 578: Lldp Dot3-Tlv Max-Frame

    Command Line Interface lldp dot3-tlv max-frame This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv max-frame Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Refer to “Frame Size Commands”...
  • Page 579: Lldp Medtlv Extpoe

    LLDP Commands lldp medtlv extpoe This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature. Syntax [no] lldp medtlv extpoe Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including...
  • Page 580: Lldp Medtlv Location

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp medtlv inventory Console(config-if)# lldp medtlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp medtlv location Default Setting Enabled Command Mode...
  • Page 581: Lldp Medtlv Network-Policy

    LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv med-cap Console(config-if)# lldp medtlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp medtlv network-policy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 582 Command Line Interface Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |AdminStatus NotificationEnabled --------- + ----------- -------------------...
  • Page 583: Show Lldp Info Local-Device

    LLDP Commands show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device. Syntax show lldp info local-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 584: Show Lldp Info Remote-Device

    Command Line Interface show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit.
  • Page 585: Show Lldp Info Statistics

    LLDP Commands show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 586: Class Of Service Commands

    Command Line Interface Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 587: Queue Mode

    Class of Service Commands queue mode This command sets the queue mode to strict priority, Weighted Round-Robin (WRR), or a combination of both for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr | hybrid} no queue mode...
  • Page 588: Switchport Priority Default

    Command Line Interface switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7.
  • Page 589: Queue Bandwidth

    Class of Service Commands queue bandwidth This command assigns weighted round-robin (WRR) weights to the four class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0-3 determines the weights used by the WRR scheduler.
  • Page 590: Show Queue Mode

    Command Line Interface Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
  • Page 591: Show Queue Bandwidth

    Class of Service Commands show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map.
  • Page 592: Priority Commands (Layer 3 And 4)

    Command Line Interface Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 4-79 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip dscp Configures IP DSCP to CoS queue mapping 4-282 map ip port...
  • Page 593: Map Ip Port

    Class of Service Commands Command Mode Global Configuration Command Usage • The command map ip dscp enables the feature on the switch. The command map ip dscp dscp-value cos cos-queue maps DSCP values to port CoS queues. • The precedence for priority mapping is IP Port, IP Precedence/DSCP/TOS, and default switchport priority.
  • Page 594: Map Ip Precedence

    Command Line Interface Example The following example shows how to map HTTP traffic to CoS queue 0, then enable the feature globally on the switch. Console(config)#map ip port 80 cos 0 Console(config)#map ip port Console(config)# map ip precedence Use this command to enable and set IP precedence priority mapping. Use the no form to disable the feature or restore a default setting.
  • Page 595: Map Ip Tos

    Class of Service Commands Example The following example shows how to map IP precedence value 1 to CoS value 0 and enable the feature on the switch. Console(config)#map ip precedence 1 cos 0 Console(config)#map ip precedence Console(config)# map ip tos Use this command to enable and set IP TOS priority mapping (i.e., IP Type of Service priority mapping).
  • Page 596: Map Access-List Ip

    Command Line Interface • IP Precedence, IP DSCP, and IP TOS Priority cannot all be enabled at the same time. Enabling one of these priority types automatically disables the others. Example The following example shows how to map IP TOS value 0 to CoS value 1 and enable the feature on the switch.
  • Page 597: Show Map Ip Dscp

    Class of Service Commands Command Mode Interface Configuration (Ethernet) Command Usage You must configure an ACL before you can map a CoS queue to the rule. Example Console(config)#interface ethernet 1/2 Console(config-if)#map access-list mac steve cos 0 Console(config-if)# show map ip dscp This command shows the IP DSCP priority map.
  • Page 598: Show Map Ip Precedence

    Command Line Interface Example The following shows that FTP traffic has been mapped to CoS value 2: Console#show map ip port TCP Port Mapping Status: Disabled Port no. COS -------- --- Console# Related Commands map ip port (4-283) show map ip precedence Use this command to show the IP precedence priority map.
  • Page 599: Show Map Access-List

    Class of Service Commands Example Console#show map ip tos tos Mapping Status: Disabled TOS COS --- --- Console# Related Commands map ip tos (4-285) show map access-list This command shows the CoS queue mapped to an ACL for the current interface. Syntax show map access-list {ip | mac} [interface] •...
  • Page 600: Quality Of Service Commands

    Command Line Interface Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 601: Class-Map

    Quality of Service Commands Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. You should create a Class Map (page 4-291) before creating a Policy Map (page 4-292). Otherwise, you will not be able to specify a Class Map with the class command (page 4-293) after entering Policy-Map Configuration mode.
  • Page 602: Match

    Command Line Interface match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match access-list acl-name acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 603: Class

    Quality of Service Commands Command Usage • Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches criteria defined in a class map. • A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command (page 4-296).
  • Page 604: Set

    Command Line Interface Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 605: Police

    Quality of Service Commands police This command defines a policer for classified traffic. Use the no form to remove a policer. Syntax [no] police rate-kbps burst-byte [exceed-action drop] • rate-kbps - Rate in kilobits per second. (Range: 1-100000 kbps or maximum port speed, whichever is lower) •...
  • Page 606: Service-Policy

    Command Line Interface service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name •...
  • Page 607: Show Policy-Map

    Quality of Service Commands Example Console#show class-map Class Map match-any rd_class#1 Match ip dscp 3 Class Map match-any rd_class#2 Match ip precedence 5 Class Map match-any rd_class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
  • Page 608: Multicast Filtering Commands

    Command Line Interface Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
  • Page 609: Table 4-85 Igmp Snooping Commands

    Multicast Filtering Commands Table 4-85 IGMP Snooping Commands (Continued) Command Function Mode Page show ip igmp snooping Shows the IGMP snooping and query configuration 4-302 show mac-address-table multicast Shows the IGMP snooping MAC multicast list 4-302 ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting...
  • Page 610: Ip Igmp Snooping Version

    Command Line Interface Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
  • Page 611: Ip Igmp Snooping Immediate-Leave

    Multicast Filtering Commands Default Setting Disabled Command Mode Global Configuration Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. •...
  • Page 612: Show Ip Igmp Snooping

    Command Line Interface Example The following shows how to enable immediate leave. Console(config)#interface vlan 1 Console(config-if)#ip igmp snooping immediate-leave Console(config-if)# show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters”...
  • Page 613: Igmp Query Commands (Layer 2)

    Multicast Filtering Commands Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr.
  • Page 614: Ip Igmp Snooping Query-Count

    Command Line Interface Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-300). • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example Console(config)#ip igmp snooping querier Console(config)#...
  • Page 615: Ip Igmp Snooping Query-Interval

    Multicast Filtering Commands ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
  • Page 616: Ip Igmp Snooping Router-Port-Expire-Time

    Command Line Interface Example The following shows how to configure the maximum response time to 20 seconds: Console(config)#ip igmp snooping query-max-response-time 20 Console(config)# Related Commands ip igmp snooping version (4-300) ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time...
  • Page 617: Static Multicast Routing Commands

    Multicast Filtering Commands Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch. Table 4-87 Static Multicast Routing Commands Command Function Mode Page ip igmp snooping vlan mrouter Adds a multicast router port 4-307 show ip igmp snooping mrouter Shows multicast router ports 4-308...
  • Page 618: Show Ip Igmp Snooping Mrouter

    Command Line Interface show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
  • Page 619: Ip Igmp Filter (Global Configuration)

    Multicast Filtering Commands Table 4-88 IGMP Filtering and Throttling Commands (Continued) Command Function Mode Page show ip igmp filter Displays the IGMP filtering status 4-313 show ip igmp profile Displays IGMP profiles and settings 4-314 show ip igmp throttle interface Displays the IGMP throttling setting for interfaces 4-314 ip igmp filter (Global Configuration)
  • Page 620: Permit, Deny

    Command Line Interface Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode;...
  • Page 621: Ip Igmp Filter (Interface Configuration)

    Multicast Filtering Commands Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)# ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch.
  • Page 622: Ip Igmp Max-Groups

    Command Line Interface ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
  • Page 623: Show Ip Igmp Filter

    Multicast Filtering Commands Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
  • Page 624: Show Ip Igmp Profile

    Command Line Interface show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode Privileged Exec Example Console#show ip igmp profile IGMP Profile 19...
  • Page 625: Multicast Vlan Registration Commands

    Multicast Filtering Commands Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console# Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR).
  • Page 626 Command Line Interface Default Setting • MVR is disabled. • No MVR group address is defined. • The default number of contiguous addresses is 0. • MVR VLAN ID is 1. Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
  • Page 627: Mvr (Interface Configuration)

    Multicast Filtering Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
  • Page 628: Show Mvr

    Command Line Interface • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  • Page 629: Table 4-90 Show Mvr - Display Description

    Multicast Filtering Commands Default Setting Displays global configuration settings for MVR when no keywords are used. Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN.
  • Page 630: Table 4-92 Show Mvr Members - Display Description

    Command Line Interface Table 4-91 show mvr interface - display description (Continued) Field Description Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE”...
  • Page 631: Ip Interface Commands

    IP Interface Commands IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server.
  • Page 632: Ip Default-Gateway

    Command Line Interface • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
  • Page 633: Ip Dhcp Restart

    IP Interface Commands ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. •...
  • Page 634: Show Ip Redirects

    Command Line Interface show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-322) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] •...
  • Page 635 IP Interface Commands Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%) Approximate round trip times:...
  • Page 637: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Management Authentication Local, RADIUS, TACACS, Port Authentication (802.1X), MAC Authentication, Web Authentication, HTTPS, SSH Client Access Control Access Control Lists (IP, MAC - 100 rules), Port Authentication (802.1X), Port Security, DHCP Snooping (with Option 82 relay information), IP Source Guard DHCP Client BOOTP Client Port Configuration...
  • Page 638: Management Features

    Software Specifications Class of Service Supports 4 levels of priority Strict, Weighted Round Robin, or Hybrid queuing CoS configured by port or VLAN tag Layer 3/4 priority mapping: IP DSCP, IP Precedence, IP TOS, IP Port Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies...
  • Page 639: Management Information Bases

    Management Information Bases IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP) Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.3ac VLAN tagging DHCP Client (RFC 2131, 2132) DHCP Client (RFC 1541) HTTPS IGMPv1 (RFC 1112) IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support RADIUS+ (RFC 2618) RMON (RFC 2819 groups 1,2,3,9)
  • Page 640 Software Specifications SNMP Framework MIB (RFC 3411) SNMP-MPD MIB (RFC 3412) SNMP Target MIB, SNMP Notification MIB (RFC 3413) SNMP User-Based SM MIB (RFC 3414) SNMP View Based ACM MIB (RFC 3415) SNMPv2 IP MIB (RFC 2011) TACACS+ Authentication Client MIB TCP MIB (RFC 2012) Trap (RFC 1215) UDP MIB (RFC 2013)
  • Page 641: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom: Cannot connect using Telnet, web browser, or SNMP software. Action: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
  • Page 642: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 643: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 644 Glossary packets sent back from the DHCP server. This information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients. Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
  • Page 645 Glossary IEEE 802.1s An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups. IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. IEEE 802.3ac Defines frame extensions for VLAN tagging.
  • Page 646 Glossary Layer 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses. Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
  • Page 647 Glossary the size of each region, and prevents VLAN members from being segmented from the rest of the group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
  • Page 648 Glossary Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types. Rapid Spanning Tree Protocol (RSTP) RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.
  • Page 649 Glossary Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads. Universal Time Coordinate (UTC) UTC is a time scale that couples Greenwich Mean Time (based solely on the Earth’s rotation rate) with highly accurate atomic time. The UTC does not have daylight saving time.
  • Page 651: Index

    Index (not yet updated) configuring 3-180, 4-246, 4-260 Numerics DSCP 3-187 802.1Q tunnel 3-155, 4-232 IP precedence 3-190 description 3-155 layer 3/4 priorities 3-186, 4-252 interface configuration 3-160, queue mapping 3-182, 4-249 4-233–4-234 queue mode 3-184, 4-246 mode selection 3-160 traffic class weights 3-184, 4-248 TPID 4-234 802.1X, port authentication 3-73, 3-89...
  • Page 652 Index IP address BOOTP/DHCP 3-17, 4-297, 4-299, edge port, STA 3-134, 3-136, 4-212 4-317, 4-318 event logging 4-52 setting 2-4, 3-15, 4-297, 4-317, 4-318 IP precedence enabling 3-186 firmware mapping priorities 3-190, 4-254 displaying version 3-12, 4-71 IP source guard upgrading 3-19, 4-73 configuring static entries 4-311 setting filter criteria 4-309...
  • Page 653 Index MSTP 4-201 ports global settings 4-200 autonegotiation 3-101, 4-152 interface settings 4-200 broadcast storm threshold 3-114, multicast filtering 3-208, 3-221, 3-236, 4-156 4-275 capabilities 3-101, 4-153 multicast groups 3-214, 4-279 duplex mode 3-101, 4-151 displaying 4-279 flow control 3-101, 4-154 static 3-214, 4-276, 4-277, 4-279 speed 3-101, 4-151 multicast services...
  • Page 654 Index Simple Network Management Protocol system mode, normal or QinQ 3-158, See SNMP 4-232 SNMP 3-35 system software, downloading from community string 3-36, 3-41, 3-43, server 3-19 3-44, 3-46, 4-135 enabling traps 3-37, 4-139 filtering IP addresses 3-96 TACACS+, logon authentication 3-50, trap manager 3-37, 4-137 4-85 software...
  • Page 655 Index Web interface access requirements 3-1 configuration buttons 3-3 home page 3-2 menu list 3-4 panel display 3-3 Index-5...