Korenix JetNet 5228G Series Rackmount Managed Ethernet Switch User Manual Version 1.1, Apr., 2009 www.korenix.com...
Korenix JetNet 5228G Series Rackmount Managed Ethernet Switch User’s Manual Copyright Notice Copyright © 2006-2009 Korenix Technology Co., Ltd. All rights reserved. Reproduction in any form or by any means without permission is prohibited.
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
Contents Saving or Restoring Configuration Settings 3-24 Downloading Configuration Settings from a Server 3-25 Console Port Settings 3-26 Telnet Settings 3-28 Configuring Event Logging 3-30 System Log Configuration 3-30 Remote Log Configuration 3-31 Displaying Log Messages 3-33 Sending Simple Mail Transfer Protocol Alerts 3-33 Resetting the System 3-35...
Contents Configuring 802.1X Port Authentication 3-80 Displaying 802.1X Global Settings 3-81 Configuring 802.1X Global Settings 3-82 Configuring Port Settings for 802.1X 3-83 Displaying 802.1X Statistics 3-86 Filtering IP Addresses for Management Access 3-88 Client Security 3-90 Configuring Port Security 3-91 Web Authentication 3-93 Configuring Web Authentication...
Contents Rate Limit Configuration 3-138 Showing Port Statistics 3-139 Address Table Settings 3-143 Setting Static Addresses 3-143 Displaying the Address Table 3-144 Changing the Aging Time 3-146 Spanning Tree Algorithm Configuration 3-147 Displaying Global Settings 3-149 Configuring Global Settings 3-152 Displaying Interface Settings 3-156 Configuring Interface Settings...
Contents Displaying LLDP Device Statistics 3-212 Displaying Detailed LLDP Device Statistics 3-214 Class of Service Configuration 3-215 Layer 2 Queue Settings 3-215 Setting the Default Priority for Interfaces 3-215 Mapping CoS Values to Egress Queues 3-217 Selecting the Queue Mode 3-219 Setting the Service Weight for Traffic Classes 3-220...
Contents Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
Contents show banner 4-25 System Status Commands 4-25 show startup-config 4-26 show running-config 4-28 show system 4-30 show users 4-30 show version 4-31 Frame Size Commands 4-32 jumbo frame 4-32 File Management Commands 4-33 copy 4-34 delete 4-36 4-37 whichboot 4-38 boot system 4-38...
Contents Time Commands 4-58 sntp client 4-59 sntp server 4-60 sntp poll 4-60 show sntp 4-61 clock timezone 4-61 calendar set 4-62 show calendar 4-62 Switch Cluster Commands 4-63 cluster 4-64 cluster commander 4-64 cluster ip-pool 4-65 cluster member 4-66 rcommand 4-66 show cluster...
Contents radius-server retransmit 4-90 radius-server timeout 4-91 show radius-server 4-92 TACACS+ Client 4-92 tacacs-server host 4-93 tacacs-server port 4-93 tacacs-server key 4-94 tacacs-server retransmit 4-94 tacacs-server timeout 4-95 show tacacs-server 4-96 AAA Commands 4-96 aaa group server 4-97 server 4-97 aaa accounting dot1x 4-98 aaa accounting exec...
Contents show ip dhcp snooping 4-152 show ip dhcp snooping binding 4-153 IP Source Guard Commands 4-153 ip source-guard 4-153 ip source-guard binding 4-155 show ip source-guard 4-156 show ip source-guard binding 4-156 Access Control List Commands 4-157 IP ACLs 4-157 access-list ip 4-158...
Contents lacp system-priority 4-187 lacp admin-key (Ethernet Interface) 4-188 lacp admin-key (Port Channel) 4-189 lacp port-priority 4-190 show lacp 4-191 Mirror Port Commands 4-194 port monitor 4-194 show port monitor 4-195 Rate Limit Commands 4-196 rate-limit 4-196 Address Table Commands 4-197 mac-address-table static 4-197...
Contents map ip precedence 4-284 map ip tos 4-285 map access-list ip 4-286 map access-list mac 4-286 show map ip dscp 4-287 show map ip port 4-287 show map ip precedence 4-288 show map ip tos 4-288 show map access-list 4-289 Quality of Service Commands 4-290...
Contents ip igmp max-groups action 4-312 show ip igmp filter 4-313 show ip igmp profile 4-314 show ip igmp throttle interface 4-314 Multicast VLAN Registration Commands 4-315 mvr (Global Configuration) 4-315 mvr (Interface Configuration) 4-317 show mvr 4-318 IP Interface Commands 4-321 ip address 4-321...
Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-30 Table 3-4 SNMPv3 Security Models and Levels 3-40 Table 3-5 Supported Notification Messages 3-51 Table 3-6 HTTPS System Support 3-73 Table 3-7 802.1X Statistics...
Tables Table 4-19 Time Commands 4-58 Table 4-20 Switch Cluster Commands 4-63 Table 4-21 SNMP Commands 4-68 Table 4-22 show snmp engine-id - display description 4-77 Table 4-23 show snmp view - display description 4-78 Table 4-24 show snmp group - display description 4-81 Table 4-26 Authentication Commands...
Tables Table 4-65 Default STA Path Costs 4-212 Table 4-64 Recommended STA Path Cost 4-212 Table 4-66 VLAN Command Groups 4-220 Table 4-67 GVRP and Bridge Extension Commands 4-221 Table 4-68 Editing VLAN Groups 4-225 Table 4-69 Configuring VLAN Interfaces 4-227 Table 4-70 Show VLAN Commands...
Figures Figure 3-87 Setting the Address Aging Time 3-146 Figure 3-88 Displaying Spanning Tree Information 3-150 Figure 3-89 Configuring Spanning Tree 3-155 Figure 3-90 Displaying Spanning Tree Port Information 3-158 Figure 3-91 Configuring Spanning Tree per Port 3-162 Figure 3-92 Configuring Multiple Spanning Trees 3-163 Figure 3-93...
Figures Figure 3-132 Globally Enabling the IP TOS Priority Status 3-227 Figure 3-133 Mapping IP TOS to Class of Service Queues 3-228 Figure 3-134 Mapping CoS Values to ACLs 3-229 Figure 3-135 Configuring Class Maps 3-232 Figure 3-136 Configuring Policy Maps 3-235 Figure 3-137 Service Policy Settings 3-236...
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Introduction Table 1-1 Key Features (Continued) Feature Description Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, private VLANs, voice VLANs, and QinQ tunnel Traffic Prioritization Default port priority, traffic class map, queue scheduling, or Differentiated Services Code Point (DSCP), IP Precedence, IP TOS, and TCP/UDP Port Quality of Service Supports Differentiated Services (DiffServ) Link Layer Discovery Protocol Used to discover basic information about neighboring devices...
Description of Software Features Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access. Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, or TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type).
Introduction Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 2 Mbits for frame buffering.
Description of Software Features Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093) is reserved for switch clustering. Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority, Weighted Round Robin, or hybrid queuing.
Introduction that advertises information about the sending device and collects information gathered from neighboring network nodes it discovers. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default Web Management HTTP Server Enabled HTTP Port Number HTTP Secure Server Enabled HTTP Secure Port Number SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview...
Introduction Table 1-2 System Defaults (Continued) Function Parameter Default Traffic Prioritization Ingress Port Priority Queue Mode Weighted Round Robin Queue: 0 1 2 3 Weight: 1 2 4 8 IP DSCP Priority Disabled IP Precedence Priority Disabled IP TOS Priority Disabled IP Port Priority Disabled...
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Initial Configuration • Configure up to 12 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
Initial Configuration Setting Passwords Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
Initial Configuration Type “end” to return to the Privileged Exec mode. Press <Enter>. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.”...
Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
Managing System Files Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
Rack Mounting Installation The Rack Mount Kit is attached inside the package. 2.1.1 Attach the brackets to the device using the screws provided in the Rack Mount kit. 2.2.2 Mount the device in the 19" rack, using four rack-mounting screws provided by the rack manufacturer.
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page SNMPv3 Simple Network Management Protocol (Version 3) 3-45 Engine ID Sets the SNMP v3 engine ID on this switch 3-45 Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-46 Users Configures SNMP v3 users on this switch...
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page 802.1X 3-80 Information Displays global configuration settings 3-81 Configuration Configures the global configuration settings 3-82 Port Configuration Sets parameters for individual ports 3-83 Statistics Displays protocol statistics for the selected port 3-86 Web Authentication 3-93...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Mirror Port Configuration Sets the source and target ports for mirroring 3-137 Rate Limit 3-138 Input Port Configuration Sets the input rate limit for each port 3-138 Output Port Configuration Sets the output rate limit for ports 3-138 Port Statistics...
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Static Membership by Port Configures membership type for interfaces, including tagged, 3-178 untagged or forbidden Port Configuration Specifies default PVID and VLAN attributes 3-179 Trunk Configuration Specifies default trunk VID and VLAN attributes 3-179 Tunnel Port Configuration Adds an interface to a QinQ Tunnel...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Priority 3-215 Default Port Priority Sets the default priority for each port 3-215 Default Trunk Priority Sets the default priority for each trunk 3-215 Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-217 Queue Mode Sets queue mode to strict, Weighted Round-Robin, or hybrid...
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Multicast Router Displays the ports that are attached to a neighboring multicast 3-242 Port Information router for each VLAN ID Static Multicast Router Port Assigns ports that are attached to a neighboring multicast router 3-243 Configuration IP Multicast Registration...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Cluster 3-259 Configuration Globally enables clustering for the switch 3-260 Member Configuration Adds switch Members to the cluster 3-261 Member Information Displays cluster Member switch information 3-262 Candidate Information Displays network Candidate switch information 3-263
Configuring the Switch Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
Basic Configuration Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3 System Information CLI –...
Configuring the Switch Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
Basic Configuration CLI – Use the following command to display version information. Console#show version 4-31 Serial Number: 0012CF422DC0 Service Tag: Hardware Version: EPLD Version: 0.00 Number of Ports: Main Power Status: Loader Version: 1.0.0.2 Boot ROM Version: 0.0.1.1 Operation Code Version: 0.0.3.5 Console#
Configuring the Switch Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Basic Configuration CLI – Enter the following command. Console#show bridge-ext 4-222 Max Support VLAN Numbers: Max Support VLAN ID: 4094 Extended Multicast Filtering Services: No Static Entry Individual Port: VLAN Learning: Configurable PVID Tagging: Local VLAN Capable: Traffic Classes: Enabled Global GVRP Status: Disabled GMRP:...
Configuring the Switch Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
Basic Configuration Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
Configuring the Switch Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
Basic Configuration Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version.
Configuring the Switch Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web – Click System, File Management, Copy Operation.
Basic Configuration To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files CLI –...
Configuring the Switch Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server. The configuration files can be later downloaded to restore the switch’s settings. Command Attributes • File Transfer Method – The configuration copy operation includes these options: - file to file –...
Basic Configuration Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
Configuring the Switch CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-34 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup Write to FLASH Programming.
Basic Configuration • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 bps) •...
Configuring the Switch CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-40 Console(config-line)#login local 4-40 Console(config-line)#password 0 secret 4-41...
Basic Configuration • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) •...
Configuring the Switch Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Basic Configuration Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-16 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
Configuring the Switch Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-17 Remote Logs CLI –...
Basic Configuration Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Configuring the Switch • Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list. Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type the new IP address in the Server IP Address box, and then click Add.
Basic Configuration CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging sendmail host 192.168.1.4 4-55 Console(config)#logging sendmail level 3 4-56...
Configuring the Switch Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
Basic Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-60 Console(config)#sntp poll 60 4-60 Console(config)#sntp client 4-59 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 60...
Configuring the Switch Setting the Time Manually You can set the system time on the switch manually without using SNTP. Web – Select System, Calendar. Set the current date and time using the fields provided. Click Apply to start using the configured time. Figure 3-23 Setting the Current Date and Time CLI –...
Simple Network Management Protocol Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Configuring the Switch Table 3-4 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security noAuthNoPriv public defaultview none none Community string only (read only) noAuthNoPriv private defaultview defaultview none Community string only (read/write) noAuthNoPriv user defined user defined user defined user defined Community string only noAuthNoPriv public defaultview none...
Simple Network Management Protocol Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Configuring the Switch Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
Simple Network Management Protocol Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162) •...
Configuring the Switch Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add.
Simple Network Management Protocol Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
Configuring the Switch Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
Simple Network Management Protocol Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. Command Attributes •...
Configuring the Switch Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Simple Network Management Protocol Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Configuring the Switch Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Simple Network Management Protocol Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
Configuring the Switch Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, linkDown acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Configuring the Switch Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
Simple Network Management Protocol CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-77 Console(config)#exit Console#show snmp view 4-78 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
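The view shown above restricts what an SNMPv3 group can read, and how the switch decides whether a given OID falls inside such a view follows the view-family rules of RFC 3415 (VACM). The following is an added example, not Korenix code: it parses `snmp-server view` lines in the manual's format, treats `*` as the wildcard mask position, and resolves overlapping included/excluded families so that a more specific `excluded` entry carves a hole in an `included` parent. The `ops` view and its OIDs are constructed for illustration.

```python
"""SNMPv3 view-family matching, modelled on the VACM rules of RFC 3415.

Added example (not Korenix code).  Evaluates whether an OID is visible
through a view built from lines such as the manual's
    snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
where '*' marks a wildcard (mask bit 0) that matches any sub-identifier.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Subtree = Tuple[Optional[int], ...]  # None marks a wildcard position


@dataclass(frozen=True)
class ViewEntry:
    subtree: Subtree
    included: bool


def parse_subtree(text: str) -> Subtree:
    """'1.3.6.1.2.1.2.2.1.1.*' -> (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, None)."""
    out: List[Optional[int]] = []
    for part in text.strip().strip(".").split("."):
        if part == "*":
            out.append(None)
        elif part.isdigit():
            out.append(int(part))
        else:
            raise ValueError(f"bad sub-identifier {part!r} in {text!r}")
    return tuple(out)


def parse_view_commands(lines: List[str]) -> Dict[str, List[ViewEntry]]:
    """Collect 'snmp-server view <name> <subtree> included|excluded' lines
    into {view_name: [ViewEntry, ...]}; unrelated lines are skipped."""
    views: Dict[str, List[ViewEntry]] = {}
    for line in lines:
        toks = line.split()
        if toks[:2] != ["snmp-server", "view"] or len(toks) != 5:
            continue
        name, subtree, action = toks[2], toks[3], toks[4]
        if action not in ("included", "excluded"):
            raise ValueError(f"unknown view action {action!r}")
        views.setdefault(name, []).append(
            ViewEntry(parse_subtree(subtree), action == "included"))
    return views


def family_matches(entry: ViewEntry, oid: Tuple[int, ...]) -> bool:
    """An OID belongs to a view family when it has at least as many
    sub-identifiers as the family subtree and every non-wildcard position
    is equal (RFC 3415, section 4)."""
    if len(oid) < len(entry.subtree):
        return False
    return all(want is None or want == have
               for want, have in zip(entry.subtree, oid))


def oid_in_view(entries: List[ViewEntry], oid_text: str) -> bool:
    """True if the OID is visible through the view.

    Among matching families the longest subtree wins (ties broken by the
    lexicographically greater subtree, as RFC 3415 specifies), so an
    'excluded' child overrides an 'included' parent.  An OID matched by
    no family is not in the view at all (VACM 'notInView')."""
    oid = tuple(int(p) for p in oid_text.strip().strip(".").split("."))

    def precedence(e: ViewEntry):
        return (len(e.subtree), tuple(-1 if s is None else s for s in e.subtree))

    matches = [e for e in entries if family_matches(e, oid)]
    if not matches:
        return False
    return max(matches, key=precedence).included


# Constructed configuration fragment.  The first line is the manual's own
# example; 'ops' is a hypothetical read view that exposes MIB-2 but hides
# the ip group (1.3.6.1.2.1.4), which carries ARP and routing tables.
SAMPLE_CONFIG = """
snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
snmp-server view ops 1.3.6.1.2.1 included
snmp-server view ops 1.3.6.1.2.1.4 excluded
"""

VIEWS = parse_view_commands(SAMPLE_CONFIG.strip().splitlines())


def check(view: str, oid: str) -> bool:
    """Resolve an OID against one of the parsed views."""
    return oid_in_view(VIEWS[view], oid)


if __name__ == "__main__":
    probes = [("ifEntry.a", "1.3.6.1.2.1.2.2.1.1.5"),             # ifIndex.5
              ("ifEntry.a", "1.3.6.1.2.1.2.2.1.2.5"),             # ifDescr.5
              ("ops", "1.3.6.1.2.1.1.5.0"),                       # sysName.0
              ("ops", "1.3.6.1.2.1.4.22.1.2.1.10.0.0.1")]         # ipNetToMedia
    for view, oid in probes:
        print(f"{view:10} {oid:34} {'in view' if check(view, oid) else 'denied'}")
```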
Configuring the Switch Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: •...
Authentication Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Authentication Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Settings...
Authentication CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius 4-86 Console(config)#radius-server auth-port 181 4-89 Console(config)#radius-server key green 4-90 Console(config)#radius-server retransmit 5 4-90 Console(config)#radius-server timeout 10 4-91 Console(config)#radius-server 1 host 192.168.1.25 4-88 Console(config)#end Console#show radius-server 4-92 Global Settings: Communication Key with RADIUS Server:...
Configuring the Switch AAA Authorization and Accounting Authentication, authorization, and accounting (AAA) provides a framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network. •...
Authentication AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the RADIUS server group. (1-255 characters) • Server Index - Specifies a RADIUS server and the sequence to use for the group. (Range: 1-5) When specifying the index for a RADIUS server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication”...
Configuring the Switch AAA TACACS+ Group Settings The AAA TACACS+ Group Settings screen defines the configured TACACS+ servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the TACACS+ server group. (1-255 characters) •...
Authentication • Group Name - Specifies the accounting server group. (Range: 1-255 characters) The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see “Configuring Local/Remote Logon Authentication” on page 3-58). Any other group name refers to a server group configured on the RADIUS or TACACS+ Group Settings pages.
Configuring the Switch AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled) Web –...
Authentication Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply. Figure 3-38 AAA Accounting 802.1X Port Settings CLI – Specify the accounting method to apply to the selected interface. Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps-method 4-101 Console(config-if)#...
Configuring the Switch Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply. Figure 3-39 AAA Accounting Exec Command Privileges CLI – Specify the accounting method to use for console and Telnet privilege levels. Console(config)#line console 4-40 Console(config-line)#accounting commands 15 tps-method...
Authentication AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Configuring the Switch Web – Click Security, AAA, Accounting, Summary. Figure 3-41 AAA Accounting Summary CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-104 Accounting Type : dot1x Method List : default Group List : radius...
Authentication Console#show accounting statistics Total entries: 3 Acconting type : dot1x Username : testpc Interface : eth 1/1 Time elapsed since connected: 00:24:44 Acconting type : exec Username : admin Interface : vty 0 Time elapsed since connected: 00:25:09 Console# Authorization Settings AAA authorization is used to verify that a user has access to specific services.
Configuring the Switch Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Authentication Web – Click Security, AAA, Authorization, Summary. Figure 3-44 AAA Authorization Summary Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage •...
Configuring the Switch Command Attributes • HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) • Change HTTPS Port Number – Specifies the UDP port number used for HTTPS/ SSL connection to the switch’s web interface. (Default: Port 443) Web –...
Authentication Note: The switch must be reset for the new certificate to be activated. To reset the switch, type: Console#reload Configuring Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments.
Configuring the Switch 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-34) to copy a file containing the public keys of all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-56.) The clients are subsequently authenticated using these keys.
Authentication Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-46 SSH Host-Key Settings CLI –...
Authentication Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
Configuring the Switch CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server 4-111 Console(config)#ip ssh timeout 100 4-112 Console(config)#ip ssh authentication-retries 5 4-113...
Authentication TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet.
Configuring the Switch CLI – This example shows the default global setting for 802.1X. Console#show dot1x 4-124 Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is disabled on port 1/28 Console#...
Authentication Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
Configuring the Switch • Supplicant – Indicates the MAC address of a connected client. • Trunk – Indicates if the port is configured as a trunk port. Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply. Figure 3-50 802.1X Port Configuration...
Authentication CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-124. Console(config)#interface ethernet 1/2 4-172 Console(config-if)#dot1x port-control auto 4-120 Console(config-if)#dot1x re-authentication 4-122 Console(config-if)#dot1x max-req 5 4-119 Console(config-if)#dot1x timeout quiet-period 30...
Configuring the Switch Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
Authentication Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-51 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-124 Eth 1/4 Rx: EAPOL...
Configuring the Switch Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage •...
Authentication Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-52 Creating an IP Filter List CLI –...
Configuring the Switch Client Security This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
Client Security Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Configuring the Switch Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-53 Configuring Port Security CLI –...
Client Security Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
Configuring the Switch CLI – This example globally enables system authentication control, configures the session timeout, quiet period and login attempts, and then displays the configured global parameters. Console(config)#mac-authentication reauth-time 3000 4-137 Console(config)#web-auth system-auth-control 4-142 Console(config)#web-auth session-timeout 1800 4-142 Console(config)#web-auth quiet-period 20 4-141 Console(config)#web-auth login-attempts 2 4-141...
Client Security CLI – This example enables web authentication for ethernet port 1/5 and displays a summary of web authentication parameters. Console(config)#interface ethernet 1/5 4-172 Console(config-if)#web-auth 4-143 Console(config-if)#end Console#show web-auth summary 4-145 Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count...
Configuring the Switch CLI – This example displays web authentication parameters for port 1/5. Console#show web-auth interface ethernet 1/5 4-145 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ---------------------- 1.1.1.1 Authenticated 1.1.1.2 Authenticated Console# Re-authenticating Web Authenticated Ports The switch allows an administrator to manually force re-authentication of any web-authenticated host connected to any port.
Client Security Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points. This switch enables network access from these devices to be controlled by authenticating device MAC addresses with a central RADIUS server.
Configuring the Switch Configuring the MAC Authentication Reauthentication Time MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Command Attributes • Authenticated Age – The secure MAC address table aging time. This parameter setting is the same as the switch MAC address table aging time and is only configurable from the Address Table, Aging Time web page (see page 3-146).
Client Security Configuring MAC Authentication for Ports Configures MAC authentication on switch ports, including setting the maximum MAC count, applying a MAC address filter, and enabling dynamic VLAN assignment. Command Attributes • Mode – Enables MAC authentication on a port. (Default: None) •...
Configuring the Switch Web – Click Security, Network Access, Port Configuration. Figure 3-59 Network Access Port Configuration CLI – This example configures MAC authentication for port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access mode mac-authentication 4-133 Console(config-if)#network-access max-mac-count 10 4-134 Console(config-if)#mac-authentication max-mac-count 24 4-135 Console(config-if)#network-access dynamic-vlan 4-136...
Client Security Displaying Secure MAC Address Information Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries removed from the table. Command Attributes • Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
Configuring the Switch CLI – This example displays all entries currently in the secure MAC address table. Console#show network-access mac-address-table 4-139 ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s...
Client Security Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 15 characters) • Type – There are three filtering modes: - Standard –...
Configuring the Switch Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
Client Security Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. (Default: Permit rules) • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
Client Security Configuring a MAC ACL Command Usage Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets. Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host”...
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
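The address-matching rules for the standard IP, extended IP and MAC ACLs described above, as an added Python example that is not part of the Korenix manual. It assumes that a 1 bit in the IP SubMask or the hexadecimal MAC bitmask means "must match" and a 0 bit means "ignore", that rules are evaluated first-match, and that a packet matching no rule is denied; the class and function names are this example's own.

```python
"""Added example (not Korenix code): evaluate the address part of ACL rules.

Assumptions of this example: mask bits set to 1 must match and bits set to 0
are ignored; rules are tried in order and the first match decides; a packet
that matches no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse 11-22-33-44-55-66 (or colon-separated) into an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass
class AddressMatch:
    kind: str            # 'any', 'host', or 'range' (the manual's "IP"/"MAC" type)
    address: str = ""    # host address, or base address of the range
    mask: str = ""       # dotted SubMask for IP, hex bitmask (ff-ff-ff-00-00-00) for MAC
    family: str = "ip"   # 'ip' or 'mac'

    def matches(self, value: str) -> bool:
        if self.kind == "any":
            return True
        if self.family == "ip":
            v = int(ipaddress.IPv4Address(value))
            a = int(ipaddress.IPv4Address(self.address))
            m = 0xFFFFFFFF if self.kind == "host" else int(ipaddress.IPv4Address(self.mask))
        else:
            v = mac_to_int(value)
            a = mac_to_int(self.address)
            m = 0xFFFFFFFFFFFF if self.kind == "host" else mac_to_int(self.mask)
        # Compare only the bits the mask marks as significant
        return (v & m) == (a & m)


@dataclass
class Rule:
    action: str                                 # 'permit' or 'deny'
    source: AddressMatch
    destination: Optional[AddressMatch] = None  # None for a standard IP ACL


def evaluate(rules: List[Rule], src: str, dst: Optional[str] = None) -> str:
    """Return 'permit' or 'deny' for a packet with the given source/destination."""
    for r in rules:
        if not r.source.matches(src):
            continue
        if r.destination is not None and (dst is None or not r.destination.matches(dst)):
            continue
        return r.action
    return "deny"   # implicit deny when nothing matched (assumption)


if __name__ == "__main__":
    # Constructed sample: a standard IP ACL that blocks one host in a /24
    standard = [
        Rule("deny", AddressMatch("host", "10.1.1.5")),
        Rule("permit", AddressMatch("range", "10.1.1.0", "255.255.255.0")),
    ]
    print(evaluate(standard, "10.1.1.5"), evaluate(standard, "10.1.1.7"))  # deny permit
```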
Client Security Web – Click Security, ACL, Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. Figure 3-65 Configuring ACL Port Binding CLI –...
Configuring the Switch • The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. • When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
Client Security Configuring DHCP Snooping Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. Command Attributes • DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled) • DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.
Configuring the Switch Command Attributes • VLAN ID – ID of a configured VLAN. (Range: 1-4094) • DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. Web – Click DHCP Snooping, VLAN Configuration. Enable DHCP Snooping on the required VLAN and click Apply.
Client Security • DHCP reply packets received by the relay agent (that is, this switch) are handled in the following way: 1. When the relay agent receives a DHCP reply packet with Option 82 information, it first ensures that the packet is destined for it, and then removes the Option 82 field from the packet.
Configuring the Switch Web – Click DHCP Snooping, Information Option Configuration. Enable Option 82, and set the policy for handling request packets, then click Apply. Figure 3-68 DHCP Snooping Information Option Configuration CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace Console(config)#ip dhcp snooping information option 4-150...
Client Security Command Attributes • Trust Status – Enables or disables port as trusted. Web – Click DHCP Snooping, Information Option Configuration. Figure 3-69 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust 4-149...
Configuring the Switch Command Usage • Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, plus the source MAC address.
Client Security Web – Click IP Source Guard, Port Configuration. Set the required filtering type for each port and click Apply. Figure 3-70 IP Source Guard Port Configuration CLI – This example shows how to enable IP source guard on port 5 Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip 4-153...
Configuring the Switch - If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding. Command Attributes •...
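The IP source guard check (SIP versus SIP-MAC) described under Command Usage above, together with the rule that a static binding replaces a dynamic DHCP snooping binding with the same VLAN ID and MAC address, as an added Python model that is not part of the Korenix manual. The `BindingTable` class, the sample entries and the handling of a duplicate static entry (rejected here) are assumptions of this example.

```python
"""Added example (not Korenix code): a minimal model of IP source guard.

The binding table holds (port, VLAN, MAC, IP) entries learned dynamically
by DHCP snooping or added as static source-guard bindings. In SIP mode a
frame is forwarded only if its VLAN ID, source IP and ingress port match a
binding; SIP-MAC additionally requires the source MAC to match.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Binding:
    port: str
    vlan: int
    mac: str
    ip: str
    static: bool   # True = static source-guard binding, False = dynamic DHCP snooping binding


class BindingTable:
    def __init__(self) -> None:
        self._rows: List[Binding] = []

    def add_dynamic(self, port: str, vlan: int, mac: str, ip: str) -> None:
        """Entry learned from a DHCP exchange on an untrusted port."""
        self._rows.append(Binding(port, vlan, mac.lower(), ip, static=False))

    def add_static(self, port: str, vlan: int, mac: str, ip: str) -> str:
        """Add a static binding. Per the manual, a dynamic entry with the same
        VLAN ID and MAC is replaced and becomes static. Rejecting a second static
        entry for the same VLAN/MAC is an assumption of this example."""
        mac = mac.lower()
        for i, row in enumerate(self._rows):
            if row.vlan == vlan and row.mac == mac:
                if row.static:
                    return "rejected: static entry already exists"
                self._rows[i] = Binding(port, vlan, mac, ip, static=True)
                return "replaced dynamic entry"
        self._rows.append(Binding(port, vlan, mac, ip, static=True))
        return "added"

    def rows(self) -> List[Binding]:
        return list(self._rows)


def source_guard_check(table: BindingTable, mode: str, port: str, vlan: int,
                       src_ip: str, src_mac: str) -> bool:
    """Return True if the frame is forwarded, False if it is dropped.
    mode is 'disabled', 'sip' or 'sip-mac' (the port's filtering type)."""
    if mode == "disabled":
        return True
    if mode not in ("sip", "sip-mac"):
        raise ValueError(f"unknown source guard mode {mode!r}")
    for b in table.rows():
        if b.port == port and b.vlan == vlan and b.ip == src_ip:
            if mode == "sip" or b.mac == src_mac.lower():
                return True
    return False   # no binding covers this VLAN/IP/port (and MAC, for SIP-MAC)


if __name__ == "__main__":
    # Constructed sample: one host learned on eth1/5, then a spoofed source IP
    table = BindingTable()
    table.add_dynamic("eth1/5", 1, "00-12-CF-12-34-61", "192.168.1.10")
    print(source_guard_check(table, "sip", "eth1/5", 1, "192.168.1.10", "00-12-cf-12-34-61"))  # True
    print(source_guard_check(table, "sip", "eth1/5", 1, "192.168.1.99", "00-12-cf-12-34-61"))  # False
```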
Client Security Displaying Information for Dynamic IP Source Guard Bindings Use the Dynamic Information page to display the source-guard binding table for a selected interface. Command Attributes • Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address) •...
Configuring the Switch Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
Port Configuration Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100T or 1000T) • MAC Address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-17.) Configuration: •...
Configuring the Switch CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 4-180 Information of Eth 1/5 Basic information: Port type: 100TX Mac address: 00-12-CF-12-34-61 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full Broadcast storm: Enabled Broadcast Storm Limit:...
Port Configuration pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation. Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
Configuring the Switch CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/3 4-172 Console(config-if)#description RD SW#13 4-173 Console(config-if)#shutdown 4-177 Console(config-if)#no shutdown Console(config-if)#no negotiation 4-174 Console(config-if)#speed-duplex 100half 4-173 Console(config-if)#flowcontrol 4-176 Console(config-if)#negotiation Console(config-if)#capabilities 100half 4-175 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate...
Port Configuration • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
Configuring the Switch CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-172 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-172 Console(config-if)#channel-group 2 4-185 Console(config-if)#exit...
Port Configuration Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
Configuring the Switch Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. •...
Port Configuration Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Configuring the Switch CLI – The following example configures LACP parameters for ports 1-8. Ports 1-8 are used as active members of the LAG; ports 9-10 are set to backup mode. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#lacp actor system-priority 3 4-187 Console(config-if)#lacp actor admin-key 120 4-188 Console(config-if)#lacp actor port-priority 128...
Port Configuration Table 3-8 LACP Port Counters (Continued) Field Description Marker Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Configuring the Switch Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
Port Configuration Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-79 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-191 Port channel : 1...
Configuring the Switch Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-191 Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 3, 00-12-CF-CE-2A-20...
Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-81 Port Broadcast Control CLI – Set the threshold, then enable broadcast control on any interface. The following sets broadcast control threshold at 500 kbytes per second, and then enables broadcast storm control for port 1.
Port Configuration Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped.
Port Configuration CLI - This example sets the rate limit level for input traffic passing through port 3. Console(config)#interface ethernet 1/3 4-172 Console(config-if)#rate-limit input scale 100k level 5 4-196 Console(config-if)# Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. Transmit Broadcast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this...
Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-84 Port Statistics...
Configuring the Switch Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-85 Configuring a Static Address Table CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Address Table Settings Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-86 Configuring a Dynamic Address Table CLI –...
Configuring the Switch Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-98301 seconds;...
Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Configuring the Switch convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing. One or more VLANs can be grouped into a Multiple Spanning Tree Instance (MSTI). MSTP builds a separate Multiple Spanning Tree (MST) for each instance to maintain connectivity among each of the assigned VLAN groups.
Spanning Tree Algorithm Configuration Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network.
Configuring the Switch • Instance – Instance identifier of this spanning tree. (This is always 0 for the CIST.) • VLANs configuration – VLANs assigned to the CIST. • Priority – Bridge priority is used in selecting the root device, root port, and designated port.
Spanning Tree Algorithm Configuration CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-218 Spanning Tree Information --------------------------------------------------------------- Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: VLANs Configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
Configuring the Switch Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Spanning Tree Algorithm Configuration address will then become the root device. (Note that lower numeric values indicate higher priority.) - Default: 32768 - Range: 0-61440, in steps of 4096 - Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 Root Device Configuration •...
Configuring the Switch Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table.
Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-89 Configuring Spanning Tree 3-155...
Configuring the Switch CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-202 Console(config)#spanning-tree mode mstp 4-202 Console(config)#spanning-tree priority 40960 4-205 Console(config)#spanning-tree hello-time 5 4-204 Console(config)#spanning-tree max-age 28 4-205 Console(config)#spanning-tree forward-time 20 4-203...
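The bridge priority and the three timers set in the CLI example above decide which switch wins the root election and whether the STA domain converges cleanly. The following Python example is added here to show those rules at work; it is not Korenix code. The priority step and range come from this manual; the timer ranges and the relationship 2*(hello+1) <= max age <= 2*(forward delay-1) are the IEEE 802.1D ones (assumption: the switch enforces the same), and the sample bridges are constructed.

```python
from dataclasses import dataclass

PRIORITY_STEP = 4096      # manual: bridge priority is set in steps of 4096
PRIORITY_MAX = 61440      # manual: range 0-61440

# Standard IEEE 802.1D ranges for the three bridge timers, in seconds.
# Assumption: the switch enforces the same ranges (this page does not list them).
HELLO_RANGE = (1, 10)
MAX_AGE_RANGE = (6, 40)
FORWARD_DELAY_RANGE = (4, 30)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str              # bridge (system) MAC address, e.g. "00-01-02-03-04-05"


def bridge_id(priority: int, mac: str) -> int:
    """802.1D bridge identifier: 16-bit priority above the 48-bit bridge MAC.
    The numerically lowest identifier wins the root election, which is why a
    lower priority value means a higher priority."""
    mac_int = int(mac.replace("-", "").replace(":", ""), 16)
    return (priority << 48) | mac_int


def valid_priority(priority: int) -> bool:
    """True if priority is one of the values the manual lists (0, 4096, ..., 61440)."""
    return 0 <= priority <= PRIORITY_MAX and priority % PRIORITY_STEP == 0


def timer_problems(hello: int, max_age: int, forward_delay: int) -> list:
    """Return the violations of the 802.1D timer relationship
    2*(hello+1) <= max_age <= 2*(forward_delay-1); an empty list means consistent."""
    problems = []
    if not HELLO_RANGE[0] <= hello <= HELLO_RANGE[1]:
        problems.append("hello time outside %d-%d s" % HELLO_RANGE)
    if not MAX_AGE_RANGE[0] <= max_age <= MAX_AGE_RANGE[1]:
        problems.append("max age outside %d-%d s" % MAX_AGE_RANGE)
    if not FORWARD_DELAY_RANGE[0] <= forward_delay <= FORWARD_DELAY_RANGE[1]:
        problems.append("forward delay outside %d-%d s" % FORWARD_DELAY_RANGE)
    if max_age < 2 * (hello + 1):
        problems.append("max age must be at least 2*(hello time + 1)")
    if max_age > 2 * (forward_delay - 1):
        problems.append("max age must be at most 2*(forward delay - 1)")
    return problems


def elect_root(bridges) -> Bridge:
    """The bridge with the lowest bridge ID becomes the root device."""
    return min(bridges, key=lambda b: bridge_id(b.priority, b.mac))


# Constructed sample: three switches in one STA domain. The priorities 40960 and
# 32768 and the MAC 00-01-02-03-04-05 are values that appear in this manual.
SAMPLE_BRIDGES = [
    Bridge("core", 4096, "00-01-02-03-04-05"),
    Bridge("edge-a", 32768, "00-01-02-03-04-06"),
    Bridge("edge-b", 40960, "00-01-02-03-04-07"),
]

if __name__ == "__main__":
    print("root:", elect_root(SAMPLE_BRIDGES).name)
    # The CLI example above (hello 5, max-age 28, forward-time 20) is consistent:
    print("problems:", timer_problems(5, 28, 20))
```

Because the lowest bridge ID wins, any bridge that advertises a lower priority than the intended root takes over the topology; checking the election result against the expected root after a change is a cheap way to catch a misconfigured or unexpected bridge.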
Spanning Tree Algorithm Configuration • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
Configuring the Switch These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
Configuring the Switch The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
Spanning Tree Algorithm Configuration Table 3-14 Default STA Path Costs Port Type Link Type IEEE 802.1w-2001 Ethernet Half Duplex 2,000,000 Full Duplex 1,000,000 Trunk 500,000 Fast Ethernet Half Duplex 200,000 Full Duplex 100,000 Trunk 50,000 Gigabit Ethernet Full Duplex 10,000 Trunk 5,000 •...
Configuring the Switch Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-91 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-172 Console(config-if)#spanning-tree port-priority 0 4-213...
Spanning Tree Algorithm Configuration To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings. Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) •...
Configuring the Switch CLI – This example sets the priority for MSTI 1, and adds VLAN 1 to this MSTI. It then displays the STA settings for instance 1, followed by settings for each port. Console(config)#spanning-tree mst configuration 4-207 Console(config-mst)#mst 1 priority 4096 4-208 Console(config-mstp)#mst 1 vlan 1 4-208...
Spanning Tree Algorithm Configuration Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes MST Instance ID – Instance identifier to configure. (Default: 0) Note: The other attributes are described under “Displaying Interface Settings”...
Configuring the Switch CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-218 Spanning Tree Information...
Spanning Tree Algorithm Configuration Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
Configuring the Switch Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-94 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50...
VLAN Configuration This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
Configuring the Switch printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch. Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security.
VLAN Configuration Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Configuring the Switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
VLAN Configuration Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
Configuring the Switch Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. •...
VLAN Configuration • Remove – Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged. Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Configuring the Switch Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
Configuring the Switch Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
VLAN Configuration Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
Configuring the Switch • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
VLAN Configuration CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. Console(config)#interface ethernet 1/3 4-172 Console(config-if)#switchport acceptable-frame-types tagged 4-228 Console(config-if)#switchport ingress-filtering...
Configuring the Switch processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
VLAN Configuration 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: •...
Configuring the Switch Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
VLAN Configuration Enabling QinQ Tunneling on the Switch The switch can be configured to operate in normal VLAN mode or IEEE 802.1Q (QinQ) tunneling mode which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. Command Attributes 802.1Q Tunnel Status –...
Configuring the Switch the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port. •...
VLAN Configuration CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#switchport dot1q-tunnel mode access 4-235 Console(config-if)#switchport dot1q-tunnel tpid 9100 4-236...
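The tag handling described in the QinQ sections above (outer SPVLAN tag pushed at the access port, the uplink classifying frames by the configured TPID and treating any other ethertype as untagged, and the outer tag stripped only at an untagged egress member) can be made concrete at the byte level. The Python example below is added here and is not Korenix code; it uses the TPID 0x9100 from the CLI example, and the frame, MAC addresses, VLAN 10 and SPVLAN 100 are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100       # standard customer (inner) tag ethertype
TPID_QINQ = 0x9100        # outer TPID used in the manual's CLI example


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Build an Ethernet frame; tags is a sequence of (tpid, vid, pcp), outermost first."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for tpid, vid, pcp in tags:
        frame += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes, tpids=(TPID_QINQ, TPID_8021Q)):
    """Walk the tag stack that follows the two MAC addresses.
    Returns (tags outermost first, final ethertype, payload)."""
    off = 12
    tags = []
    while True:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in tpids:
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci & 0x0FFF, tci >> 13))
        off += 4
    return tags, tpid, frame[off + 2:]


def access_ingress(frame: bytes, spvlan: int, tpid: int = TPID_QINQ) -> bytes:
    """Tunnel access port: push the service-provider tag as the new outer tag.
    Any customer 802.1Q tag stays in place beneath it."""
    return frame[:12] + struct.pack("!HH", tpid, spvlan & 0x0FFF) + frame[12:]


def uplink_vlan(frame: bytes, native_vlan: int, tpid: int = TPID_QINQ) -> int:
    """Tunnel uplink port: frames whose first ethertype is the configured TPID are
    classified by the outer SPVLAN; any other ethertype (0x8100 included) is
    treated as untagged and assigned to the port's native VLAN."""
    outer = struct.unpack_from("!H", frame, 12)[0]
    if outer == tpid:
        tci = struct.unpack_from("!H", frame, 14)[0]
        return tci & 0x0FFF
    return native_vlan


def egress(frame: bytes, spvlan: int, tagged_member: bool, tpid: int = TPID_QINQ) -> bytes:
    """Egress toward the customer: an untagged member of the SPVLAN strips the outer
    tag; a tagged member sends the frame out with both tags."""
    outer, tci = struct.unpack_from("!HH", frame, 12)
    if outer == tpid and (tci & 0x0FFF) == spvlan and not tagged_member:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample: a customer frame already tagged with VLAN 10 enters a tunnel
# access port that belongs to SPVLAN 100.
CUSTOMER_FRAME = build_frame("00-01-02-03-04-05", "00-01-02-03-04-06",
                             0x0800, b"\x45" + b"\x00" * 19,
                             tags=[(TPID_8021Q, 10, 0)])

if __name__ == "__main__":
    double = access_ingress(CUSTOMER_FRAME, 100)
    print(parse_tags(double))
    print(uplink_vlan(double, 1), uplink_vlan(CUSTOMER_FRAME, 1))
```

The uplink_vlan case is the one to keep in mind from the configuration limitations above: a frame carrying only a 0x8100 tag arriving on an uplink whose TPID is 0x9100 is not recognised as tagged and lands in the native VLAN, which is why the native VLAN of an uplink should not double as an SPVLAN.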
Configuring the Switch channeling all other traffic through promiscuous ports). Then assign any promiscuous ports to a primary VLAN and any host ports a community VLAN. To configure an isolated VLAN, follow these steps: Use the Private VLAN Configuration menu (page 3-189) to designate an isolated VLAN that will channel all traffic through a single promiscuous port.
VLAN Configuration CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
Configuring the Switch Associating VLANs Each community VLAN must be associated with a primary VLAN. Command Attributes • Primary VLAN ID – ID of primary VLAN (2-4094). • Association – Community VLANs associated with the selected primary VLAN. • Non-Association – Community VLANs not associated with the selected VLAN. Web –...
VLAN Configuration • Primary VLAN – Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the associated secondary VLANs. • Community VLAN – Conveys traffic between community ports, and from community ports to their designated promiscuous ports. •...
Configuring the Switch Configuring Private VLAN Interfaces Use the Private VLAN Port Configuration page to set the private VLAN interface type, and assign the interfaces to a private VLAN. Command Attributes • Port – The switch interface. • PVLAN Port Type – Sets the private VLAN port types. - Normal –...
VLAN Configuration CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
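The forwarding rules stated in the private VLAN sections above (primary VLAN between promiscuous ports and from promiscuous to host ports, community VLAN between community ports, isolated VLAN only toward the promiscuous port) are what actually provide the isolation, so it is worth checking which port pairs can reach each other before relying on it. The Python example below is added here and is not Korenix code; it encodes those rules for the manual's own example (primary VLAN 5, secondary VLAN 6, port 3 promiscuous, ports 4 and 5 host ports) and assumes that ports of type Normal sit outside the private VLAN.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class PrivateVlan:
    primary: int
    secondaries: dict        # secondary VLAN ID -> "community" or "isolated"


@dataclass(frozen=True)
class PvlanPort:
    number: int
    ptype: str               # "promiscuous", "host" or "normal" (the manual's port types)
    vlan: int                # primary VLAN for promiscuous ports, secondary VLAN for host ports


def can_forward(src: PvlanPort, dst: PvlanPort, pv: PrivateVlan) -> bool:
    """Decide whether a Layer 2 frame may go from src to dst inside the private VLAN.
    Assumption: 'normal' ports are outside the private VLAN, so this function
    answers False for them (their traffic follows ordinary VLAN rules)."""
    if src.number == dst.number or "normal" in (src.ptype, dst.ptype):
        return False
    src_prom = src.ptype == "promiscuous" and src.vlan == pv.primary
    dst_prom = dst.ptype == "promiscuous" and dst.vlan == pv.primary
    src_host = src.ptype == "host" and src.vlan in pv.secondaries
    dst_host = dst.ptype == "host" and dst.vlan in pv.secondaries
    # Primary VLAN: promiscuous <-> promiscuous and promiscuous <-> host.
    if (src_prom and dst_prom) or (src_prom and dst_host) or (src_host and dst_prom):
        return True
    # Secondary VLAN: host <-> host only inside the same community VLAN;
    # hosts in an isolated VLAN reach nothing but the promiscuous port.
    return (src_host and dst_host and src.vlan == dst.vlan
            and pv.secondaries[src.vlan] == "community")


def reachability(ports, pv: PrivateVlan) -> set:
    """All ordered (src, dst) port pairs that can exchange traffic."""
    return {(a.number, b.number)
            for a, b in permutations(ports, 2) if can_forward(a, b, pv)}


# Constructed sample matching the manual's CLI example: primary VLAN 5, secondary
# VLAN 6, port 3 promiscuous in VLAN 5, ports 4 and 5 host ports in VLAN 6.
PORTS = [PvlanPort(3, "promiscuous", 5), PvlanPort(4, "host", 6), PvlanPort(5, "host", 6)]
COMMUNITY = PrivateVlan(5, {6: "community"})   # VLAN 6 as a community VLAN
ISOLATED = PrivateVlan(5, {6: "isolated"})     # VLAN 6 as an isolated VLAN

if __name__ == "__main__":
    print("community:", sorted(reachability(PORTS, COMMUNITY)))
    print("isolated: ", sorted(reachability(PORTS, ISOLATED)))
```

With VLAN 6 as a community VLAN, ports 4 and 5 can talk to each other and to port 3; with VLAN 6 as an isolated VLAN, 4 and 5 can each reach only port 3, which is the configuration to choose when hosts on the same switch must not see one another.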
Configuring the Switch • Up to 5 Protocol VLAN groups can be concurrently mapped per port. One Protocol VLAN group for each of the predefined protocols can be mapped to a port, while a maximum of two groups based on user defined frame and protocol settings can be mapped per port.
VLAN Configuration Web – Click VLAN, Protocol VLAN, Configuration. For predefined protocol types, enter a protocol group ID and protocol type. For user defined protocol types, enter the protocol group ID, frame type, and a hexadecimal value for the protocol type. Click Apply.
Configuring the Switch Configuring Protocol VLAN Interfaces Use the Protocol VLAN Port Configuration menu to map a Protocol VLAN Group to a VLAN for the currently selected port or trunk. Command Usage • Before assigning a protocol group and associated VLAN to a port or trunk, first select the required interface from the scroll-down list and click Query.
VLAN Configuration CLI - This example shows Port 1 configured with Protocol VLAN Group 1 mapped to VLAN 5 and Protocol VLAN Group 2 mapped to VLAN 6. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#protocol-vlan protocol-group 1 vlan 5 4-245 Console(config-if)#protocol-vlan protocol-group 2 vlan 6 Voice VLANs When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic.
Configuring the Switch Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply. Figure 3-111 Configuring VoIP Traffic CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, and then sets the VLAN aging time to 3000 seconds.
VLAN Configuration address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
Configuring the Switch CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status. Console(config)#interface ethernet 1/2 Console(config-if)#switchport voice vlan auto 4-250 Console(config-if)#switchport voice vlan security 4-251 Console(config-if)#switchport voice vlan rule oui 4-251 Console(config-if)#switchport voice vlan priority 5 4-252 Console(config-if)#exit...
Link Layer Discovery Protocol Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
Configuring the Switch Setting LLDP Timing Attributes Use the LLDP Configuration screen to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.
Link Layer Discovery Protocol lldpRemTablesChange notification-events missed due to throttling or transmission loss. • MED Fast Start Count – Configures the number of LLDP MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. (Range: 1-10 packets; Default: 4 packets) The MED Fast Start Count parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port.
Configuring the Switch Configuring LLDP Interface Attributes Use the LLDP Port/Trunk Configuration to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
Link Layer Discovery Protocol Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Configuring the Switch Web – Click LLDP, Port/Trunk Configuration. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, select the information to advertise in LLDP messages, select the information to advertise in MED-TLV messages and specify whether or not to send MED notifications. Then click Apply. Figure 3-115 LLDP Port Configuration CLI –...
Link Layer Discovery Protocol Displaying LLDP Local Device Information Use the LLDP Local Device Information screen to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information. Field Attributes Global Settings • Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent.
Configuring the Switch • System Capabilities Enabled – The primary function(s) of the system which are currently enabled. Refer to the preceding table. • Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
Link Layer Discovery Protocol CLI – This example displays LLDP information for the local switch. Console#show lldp info local-device 4-273 LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : Layer2+ Fast Ethernet Standalone Switch 24FE+4G System Capabilities Support : Bridge System Capabilities Enable : Bridge...
Configuring the Switch Web – Click LLDP, Remote Port/Trunk Information. Figure 3-117 LLDP Remote Port Information CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP. Console#show lldp info remote-device 4-274 LLDP Remote Devices Information Interface | ChassisId...
Link Layer Discovery Protocol Table 3-17 Port ID Subtype (Continued) ID Basis Reference Agent circuit ID agent circuit ID (IETF RFC 3046) Locally assigned locally assigned • System Name – A string that indicates the system’s administratively assigned name. • System Description – A textual description of the network entity. •...
Configuring the Switch CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch. Console#show lldp info remote-device detail ethernet 1/1 4-274 LLDP Remote Devices Information Detail --------------------------------------------------------------- Local PortName : Eth 1/1 Chassis Type : MAC Address Chassis Id...
Link Layer Discovery Protocol Web – Click LLDP, Device Statistics. Figure 3-119 LLDP Device Statistics CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch. switch#show lldp info statistics 4-275 LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count Neighbor Entries Deleted Count...
Configuring the Switch Displaying Detailed LLDP Device Statistics Use the LLDP Device Statistics Details screen to display detailed statistics for LLDP-capable devices attached to specific interfaces on the switch. Field Attributes • Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV.
Class of Service Configuration CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch. switch#show lldp info statistics detail ethernet 1/1 4-275 LLDP Port Statistics Detail PortName : Eth 1/1 Frames Discarded Frames Invalid Frames Received...
Configuring the Switch Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port.
Class of Service Configuration Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on Strict, Weighted Round Robin (WRR), or Hybrid. Up to eight separate traffic priorities are defined in IEEE 802.1p.
Configuring the Switch Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-122 Traffic Classes CLI – The following example shows how to change the CoS assignments. Console(config)#interface ethernet 1/1 4-172 Console(config-if)#queue cos-map 0 0...
Class of Service Configuration Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue, or a combination of strict service for the high priority queues and weighted queueing for the remaining queues.
Configuring the Switch Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-217, the traffic classes are mapped to one of the eight egress queues provided for each port.
Class of Service Configuration CLI – The following example shows how to configure the WRR weights for each priority queue, then how to display the WRR weights assigned to each of the priority queues. Console(config)#queue bandwidth 1 2 4 8 4-279 Console(config)#end Console#show queue bandwidth...
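The sections above describe three pieces that together decide which frame leaves a port next: the CoS-to-queue map set with queue cos-map, the queue mode (strict, WRR, or hybrid), and the WRR weights set with queue bandwidth 1 2 4 8. The Python example below is added here and is not Korenix code; it simulates all three for a four-queue port so the difference between strict service (lower queues can starve) and WRR (every queue gets its weight per round) is visible. The starting CoS map is the IEEE 802.1D recommended mapping for four queues (assumption: the switch's own default is not shown on this page), and the queued frames are a constructed load.

```python
from collections import deque

NUM_QUEUES = 4            # manual: four priority queues per port

# IEEE 802.1D recommended user-priority -> traffic-class mapping for a 4-queue
# bridge. Assumption: used as the starting map here; the switch's own default is
# not shown on this page and is changed per interface with 'queue cos-map'.
DEFAULT_COS_MAP = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def cos_map_set(cos_map: dict, queue: int, cos_values) -> dict:
    """Return a new map with the given CoS values assigned to 'queue'
    (the per-interface effect of the 'queue cos-map' command above)."""
    if not 0 <= queue < NUM_QUEUES:
        raise ValueError("queue out of range")
    new = dict(cos_map)
    for cos in cos_values:
        new[cos] = queue
    return new


def classify(cos_values, cos_map: dict):
    """Place each frame (represented by its CoS value) into its egress queue."""
    queues = [deque() for _ in range(NUM_QUEUES)]
    for cos in cos_values:
        queues[cos_map[cos]].append(cos)
    return queues


def schedule(queues, mode: str, weights=(1, 2, 4, 8), strict_queues=(3,)) -> list:
    """Drain the queues and return the frames in the order they were sent.
    strict: always the highest non-empty queue (lower queues can starve).
    wrr:    each round sends up to weights[q] frames from every queue, highest first.
    hybrid: strict_queues are drained first, the remaining queues share by WRR."""
    if mode not in ("strict", "wrr", "hybrid"):
        raise ValueError("unknown queue mode")
    if any(w < 1 for w in weights):
        raise ValueError("every WRR weight must be at least 1")
    queues = [deque(q) for q in queues]
    sent = []
    while any(queues):
        if mode == "strict":
            q = max(i for i, d in enumerate(queues) if d)
            sent.append(queues[q].popleft())
            continue
        strict = strict_queues if mode == "hybrid" else ()
        for q in sorted(strict, reverse=True):
            while queues[q]:
                sent.append(queues[q].popleft())
        for q in range(NUM_QUEUES - 1, -1, -1):
            if q in strict:
                continue
            for _ in range(weights[q]):
                if not queues[q]:
                    break
                sent.append(queues[q].popleft())
    return sent


def sample_queues():
    """Constructed load: three frames waiting in each of the four queues,
    labelled by queue number so the service order is easy to read."""
    return [deque([q] * 3) for q in range(NUM_QUEUES)]


if __name__ == "__main__":
    print("strict:", schedule(sample_queues(), "strict"))
    print("wrr   :", schedule(sample_queues(), "wrr"))
    print("hybrid:", schedule(sample_queues(), "hybrid"))
```

With the same backlog, strict mode sends every queue-3 frame, then every queue-2 frame, and so on, whereas WRR with weights 1 2 4 8 lets queue 0 send a frame in the first round even though higher queues are still waiting.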
Configuring the Switch The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS queue 0. Table 3-20 IP DSCP to CoS Queue Mapping IP DSCP Value CoS Queue 0, 8 10, 12, 14, 16, 18, 20, 22, 24...
Class of Service Configuration CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS queue 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp 4-282 Console(config)#map ip dscp 0 cos 1 Console(config)#end Console#show map ip dscp 4-287...
Configuring the Switch Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS queue in the Class of Queue Service box, and then click Apply. Figure 3-128 IP Port Priority CLI –...
Class of Service Configuration Mapping IP Precedence Priority The Type of Service (TOS) octet in the IPv4 header includes three precedence bits (see page 3-227) defining eight different priority levels ranging from highest priority (7) for network control packets to lowest priority (0) for routine traffic. Bits 6 and 7 are used for network control, and the other bits for various application types.
Configuring the Switch Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply. Figure 3-130 Mapping IP Precedence to Class of Service Queues CLI –...
Class of Service Configuration Mapping IP TOS Priority The Type of Service (TOS) octet in the IPv4 header is divided into three parts; Precedence (3 bits), TOS (4 bits), and MBZ (1 bit). The Precedence bits indicate the importance of a packet, whereas the TOS bits indicate how the network should make tradeoffs between throughput, delay, reliability, and cost (as defined in RFC 1394).
Configuring the Switch Click Priority, IP TOS Priority. Select an IP TOS value in the IP TOS Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply. Figure 3-133 Mapping IP TOS to Class of Service Queues CLI –...
Class of Service Configuration Mapping CoS Values to ACLs Use the ACL CoS Priority page to set the output queue for packets matching a configured ACL rule. For information on configuring ACLs, see “Access Control Lists” on page 3-102. Command Usage You must configure an ACL before you can map a CoS queue to the rule.
Configuring the Switch Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
Quality of Service Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class. - When the Class Configuration page opens, fill in the “Class Name”...
Configuring the Switch Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-135 Configuring Class Maps CLI - This example creates a class map called “rd_class,” and sets it to match packets matching the access list “rd.”...
Quality of Service Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-231. - Open the Policy Map page, and click Add Policy.
Configuring the Switch • Back – Returns to the previous page without making any changes. Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS or DSCP value in a matching packet (as specified in Match Class Settings on page 3-231).
Quality of Service Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-136 Configuring Policy Maps 3-235...
Configuring the Switch CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to drop the violating packets. Console(config)#policy-map rd_policy#3 4-292 Console(config-pmap)#class rd_class#3 4-293 Console(config-pmap-c)#set ip dscp 4 4-294 Console(config-pmap-c)#police 100000 1522 exceed-action drop...
Multicast Filtering Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Configuring the Switch Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-239) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
Multicast Filtering Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-245). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
Configuring the Switch • IGMP Report Delay — Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list. (Range: 5-25 seconds; Default: 10) •...
Command Attributes
• VLAN ID – VLAN Identifier. (Range: 1-4094)
• Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled)

Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.

Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.

Figure 3-140 Displaying Multicast Router Port Information

CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.

Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.

Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.

Figure 3-142 IP Multicast Registration Table

CLI –...

• Multicast IP – The IP address for a specific multicast service.
• Port or Trunk – Specifies the interface attached to a multicast router/switch.

Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add.
IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.

Configuring IGMP Filter Profiles

When you have created an IGMP profile number, you can then configure the multicast groups to filter and set the access mode.

Command Usage
• Each profile has only one access mode: either permit or deny.
•...

Web – Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile number you want to configure, then click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list.

• IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.

CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.

Console(config)#interface ethernet 1/1 4-172
Console(config-if)#ip igmp filter 19 4-311
Console(config-if)#ip igmp max-groups 64...
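The filter-profile and throttling behaviour described above, modelled as a small simulation. This is an added example, not code from the manual or from Korenix: the profile semantics (permit mode admits only listed groups, deny mode blocks only listed groups) and the choice of which entry a “replace” action evicts (the oldest join) are assumptions, since the manual states neither; interface names and group addresses are constructed.

```python
"""Simulation of IGMP filter profiles and port throttling (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    """An IGMP filter profile: one access mode plus a list of group address ranges."""
    number: int
    access: str                                        # "permit" or "deny"
    ranges: List[Tuple[str, str]] = field(default_factory=list)

    def allows(self, group: str) -> bool:
        addr = int(ipaddress.IPv4Address(group))
        listed = any(
            int(ipaddress.IPv4Address(lo)) <= addr <= int(ipaddress.IPv4Address(hi))
            for lo, hi in self.ranges
        )
        # Assumption: permit = only listed groups pass; deny = listed groups are blocked.
        return listed if self.access == "permit" else not listed


@dataclass
class IgmpPort:
    """Per-port state: optional filter profile, max-groups limit and throttling action."""
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: int = 64                               # ip igmp max-groups <n>
    action: str = "deny"                               # ip igmp max-groups action {deny|replace}
    groups: List[str] = field(default_factory=list)    # joined groups, oldest first

    def report(self, group: str) -> str:
        """Process one IGMP join report for `group` and return the outcome."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "invalid"                           # not a group address at all
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                          # rejected by the profile
        if group in self.groups:
            return "refreshed"                         # existing membership, no new entry
        if len(self.groups) < self.max_groups:
            self.groups.append(group)
            return "joined"
        if self.action == "deny":
            return "denied"                            # limit reached: report dropped
        evicted = self.groups.pop(0)                   # assumption: oldest entry is replaced
        self.groups.append(group)
        return f"replaced {evicted}"

    def leave(self, group: str) -> None:
        if group in self.groups:
            self.groups.remove(group)


if __name__ == "__main__":
    profile19 = IgmpProfile(19, "permit", [("239.1.1.0", "239.1.1.255")])
    port = IgmpPort("ethernet 1/1", profile=profile19, max_groups=2, action="deny")
    for g in ["239.1.1.1", "239.1.1.2", "239.1.1.3", "239.2.0.1", "10.0.0.1"]:
        print(port.name, g, "->", port.report(g))
```

Running the block shows the third in-profile join being denied once the limit of two is reached, while the out-of-range and non-multicast addresses are rejected before the limit is consulted.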
[Figure: MVR example network – multicast router, satellite services, service network, multicast server, Layer 2 switch with source port and receiver ports, set-top boxes]

General Configuration Guidelines for MVR
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings”...

Command Attributes
• MVR Status – When MVR is enabled on the switch, any multicast data associated with an MVR group is sent from all designated source ports, and to all receiver ports that have registered to receive data from that multicast group. (Default: Disabled)
•...

CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.

Console(config)#ip igmp snooping 4-299
Console(config)#mvr 4-315
Console(config)#mvr group 228.1.23.1 10 4-315
Console(config)#

Displaying MVR Interface Status

You can display information about the interfaces attached to the MVR VLAN.

Field Attributes
•...

Displaying Port Members of Multicast Groups

You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration.

Field Attributes
• Group IP – Multicast groups assigned to the MVR VLAN.
•...

Configuring MVR Interface Status

Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.

Command Usage
•...

- Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)
• Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.)
•...

• The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.

Command Attributes
• Interface – Indicates a port or trunk.
•...
Switch Clustering

Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.

Configuring General Settings for Clusters

To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with the network IP subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.

CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool.

Console(config)#cluster 4-64
Console(config)#cluster commander 4-64
Console(config)#cluster ip-pool 10.2.3.4 4-65
Console(config)#end
Console#show cluster 4-67
Role: commander
Interval heartbeat:
Heartbeat loss count: 3...

CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.

Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-66
Console(config)#end
Console#show cluster candidates 4-67
Cluster Candidates:
Role            Description
--------------- ----------------- ----------------------------------------
MEMBER TOBE     00-12-34-56-78-9a...

Displaying Information on Cluster Candidates

Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.

Command Attributes
• Role – Indicates the current status of Candidate switches in the network.
•...
Chapter 4: Command Line Interface

This chapter describes how to use the Command Line Interface (CLI).

Using the Command Line Interface

Accessing the CLI

When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
Command Line Interface

Telnet Connection

Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.

Entering Commands

This section describes how to enter CLI commands.

Keywords and Arguments

A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.

Showing Commands

If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.

The command “show interfaces ?” will display the following information:

Console#show interfaces ?
  counters        Interface counters information
  protocol-group  Protocol group
  status          Interface status information
  switchport      Interface switchport information
Console#show interfaces

Partial Keyword Lookup

If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.

Understanding Command Modes

The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Username: guest
Password: [guest login password]

CLI session with the 24FE+4G is opened.
To end the CLI session, enter [Exit].

Console>enable
Password: [privileged level password]
Console#

Configuration Commands

Configuration commands are privileged level commands used to modify switch settings.

Table 4-2 Configuration Modes (Continued)
Mode          Command                          Prompt                       Page
MSTP          spanning-tree mst-configuration  Console(config-mstp)#        4-207
Policy Map    policy map                       Console(config-pmap)         4-292
Server Group  aaa group server radius          Console(config-sg-radius)    4-97
              aaa group server tacacs+         Console(config-sg-tacacs+)   4-97
VLAN          vlan database                    Console(config-vlan)         4-225

For example, you can use the following commands to enter interface configuration...

Command Groups

The system commands can be broken down into the functional groups shown below.

Table 4-4 Command Groups
Command Group       Description                                                           Page
General             Basic commands for entering privileged access mode, restarting the    4-10
                    system, or quitting the CLI
System Management   Display and setting of system information, basic modes of operation,  4-15...

The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC (Line Configuration)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
SG (Server Group)
VC (VLAN Database Configuration)
Command Mode
Normal Exec

Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-85.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.

configure

This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).

Example
Console(config)#prompt RD2
RD2(config)#

This command returns to Privileged Exec mode.

Default Setting
None

Command Mode
Global Configuration, Interface Configuration, Line Configuration, and VLAN Database Configuration.

Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:
Console(config-if)#end
Console#...

Command Mode
Normal Exec, Privileged Exec

Command Usage
The quit and exit commands can both exit the configuration program.

Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:

System Management Commands

These commands are used to control system logs, passwords, user names, browser...
Device Designation Commands

Table 4-7 Device Designation Commands
Command                Function                                 Mode  Page
hostname               Specifies the host name for the switch         4-16
snmp-server contact    Sets the system contact string                 4-71
snmp-server location   Sets the system location string                4-72

hostname

This command specifies or modifies the host name for this device.

Table 4-8 Banner Commands (Continued)
Command                               Function                                                            Mode  Page
banner configure equipment-info       Configures Equipment information displayed by the banner                  4-20
banner configure equipment-location   Configures Equipment Location information displayed by the banner         4-21
banner configure ip-lan               Configures IP and LAN information displayed by the banner                 4-21
banner configure...

Example
Console(config)#banner configure
Company: Edge-corE
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
phone number: 123-555-1212
Manager2 name: Jr. Network Admin
phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
phone number: 123-555-1214
The physical location of the equipment....

Example
Console(config)#banner configure company Edge-corE
Console(config)#

banner configure dc-power-info

This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number....

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.

Example
Console(config)#banner configure equipment-info manufacturer-id switch35 floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-corE
Console(config)#

banner configure equipment-location

This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure equipment-location location
no banner configure equipment-location...

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.

banner configure manager-info

This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager....

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.

show startup-config

This command displays the configuration file stored in non-volatile memory that is used to start up the system.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory....

show running-config

This command displays the configuration information currently in use.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory....
Example
Console#show running-config
building startup-config, please wait..
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-12-cf-7d-25-bc_01</stackingMac>
phymap 00-12-cf-7d-25-bc
SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
broadcast byte-rate 1000 level 5
no dot1q-tunnel system-tunnel-control
SNMP-server community public ro
SNMP-server community private rw
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca...
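A configuration-audit check over output like the show running-config sample above. This is an added example, not code from the manual or from Korenix. It relies on the defaults this manual documents (enable password “super”, SNMP communities public/private) and on an observation the manual does not state: the type-7 digests in the sample output equal the unsalted MD5 of the plaintext passwords. The admin/admin and guest/guest account defaults are assumptions, and the configuration text is a constructed excerpt, not a real device dump.

```python
"""Audit a saved running-config for factory-default credentials and community strings."""
import hashlib
import re
from typing import List

# Constructed excerpt modelled on the show running-config output above (not a real dump).
SAMPLE_CONFIG = """\
SNMP-server community public ro
SNMP-server community private rw
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
"""

# Defaults this check assumes: "super" is the documented enable password and public/private
# the documented SNMP communities; admin/admin and guest/guest are assumed factory accounts.
DEFAULT_USER_PASSWORDS = {"admin": "admin", "guest": "guest"}
DEFAULT_ENABLE_PASSWORD = "super"
DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$", re.IGNORECASE)
USER_PW_RE = re.compile(r"^username (\S+) password 7 ([0-9a-f]{32})$")
ENABLE_PW_RE = re.compile(r"^enable password level (\d+) 7 ([0-9a-f]{32})$")


def md5_hex(text: str) -> str:
    # Observation, not a statement of the manual: the type-7 digests in the sample output are
    # the unsalted MD5 of the password, so a known default is recognised by a single hash.
    return hashlib.md5(text.encode()).hexdigest()


def audit_running_config(config: str) -> List[str]:
    """Return one finding per weak setting present in the configuration text."""
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community '{m.group(1)}' grants {m.group(2)} access")
            continue
        m = USER_PW_RE.match(line)
        if m:
            user, digest = m.groups()
            default = DEFAULT_USER_PASSWORDS.get(user)
            if default is not None and md5_hex(default) == digest:
                findings.append(f"user '{user}' still uses the factory default password")
            continue
        m = ENABLE_PW_RE.match(line)
        if m and md5_hex(DEFAULT_ENABLE_PASSWORD) == m.group(2):
            findings.append(f"enable password for level {m.group(1)} is the factory default")
    return findings


if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Because the digests are unsalted and recoverable by direct comparison, a saved configuration file is as sensitive as the passwords themselves; the same check, run against TFTP backups, catches devices that were put into service without changing the defaults.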
show system

This command displays system information.

Command Mode
Normal Exec, Privileged Exec

Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,”...

Frame Size Commands

This section describes commands used to configure the Ethernet frame size on the switch.

Table 4-10 Frame Size Commands
Command       Function                           Mode  Page
jumbo frame   Enables support for jumbo frames         4-32

jumbo frame

This command enables support for jumbo frames. Use the no form to disable it.

Syntax
[no] jumbo frame

Default Setting...

File Management Commands

Managing Firmware

Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.

copy

This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
• The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
• For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate”...

The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

This example shows how to copy a secure-site certificate from a TFTP server....

Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.

Example
This example shows how to delete the test2.cfg configuration file from flash memory for unit 1....

Example
The following example shows how to display all file information:

Console#dir
File name                            File type       Startup  Size (byte)
------------------------------------- --------------  -------  -----------
Unit1:
 24FE+4G_DIAG_V0011.bix               Boot-Rom Image           305424
 24FE+4G_RUNTIME_V0035_m.bix          Operation Code           3018936
 Factory_Default_Config.cfg           Config File
 startup1.cfg                         Config File              4648
---------------------------------------------------------------------------
Total free space:...
Line Commands

Command Mode
Global Configuration

Command Usage
• A colon (:) is required after the specified unit number and file type.
• If the file contains an error, it cannot be set as the default file.

Example
Console(config)#boot system config: startup
Console(config)#

Related Commands
dir (4-37)

line

This command identifies a specific line for configuration, and to process subsequent line configuration commands.

Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
There is no default line.

Command Usage
• There are three authentication modes provided by the switch itself at login:
  - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  - login local selects authentication via the user name and password specified by the username command (i.e., default setting)....

Command Usage
• When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state....

Example
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#

Related Commands
silent-time (4-44)
exec-timeout (4-43)

exec-timeout

This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout...

password-thresh

This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.

Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120;...

Command Mode
Line Configuration

Example
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#

Related Commands
password-thresh (4-44)

databits

This command sets the number of data bits per character that are interpreted and generated by the console port.
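How password-thresh, silent-time and exec-timeout interact on a line, written out as a small state machine. This is an added example, not code from the manual or from Korenix, and it models the behaviour the text describes rather than the switch’s implementation: the threshold and silent-time values are constructed, the exec-timeout default used here is an assumption, and the event log is a placeholder for the switch’s own logging.

```python
"""Login guard for one terminal line: failed-attempt threshold, silent time, idle timeout."""
from typing import List, Optional


class LineGuard:
    """Tracks one line (console or vty) the way the line commands above describe."""

    def __init__(self, password_thresh: int = 3, silent_time: int = 60,
                 exec_timeout: int = 600) -> None:
        self.password_thresh = password_thresh   # password-thresh <threshold>
        self.silent_time = silent_time           # silent-time <seconds>
        self.exec_timeout = exec_timeout         # exec-timeout <seconds> (assumed default)
        self.failures = 0                        # consecutive failed attempts on this line
        self.silent_until: Optional[float] = None
        self.last_input: Optional[float] = None  # time of last accepted input
        self.events: List[str] = []              # stand-in for the switch's event log

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one password attempt at time `now`; return the outcome."""
        if self.silent_until is not None and now < self.silent_until:
            return "silent"                      # line refuses connections during silent time
        if password_ok:
            self.failures = 0
            self.silent_until = None
            self.last_input = now
            return "accepted"
        self.failures += 1
        if self.failures >= self.password_thresh:
            # Threshold reached: terminate the connection, return the line to idle and
            # keep it silent for silent_time seconds. This is the event worth alerting on.
            self.failures = 0
            self.silent_until = now + self.silent_time
            self.events.append(f"{now}: password threshold exceeded, line silent "
                               f"for {self.silent_time}s")
            return "locked"
        return "rejected"

    def touch(self, now: float) -> None:
        """Record user input on an open session (resets the exec-timeout clock)."""
        self.last_input = now

    def idle_expired(self, now: float) -> bool:
        """True once no input has arrived for exec_timeout seconds."""
        return self.last_input is not None and now - self.last_input >= self.exec_timeout


if __name__ == "__main__":
    guard = LineGuard(password_thresh=3, silent_time=60)
    for t, ok in [(0, False), (1, False), (2, False), (30, True), (62, True)]:
        print(t, "->", guard.attempt(t, ok))
    print("idle expired at t=700:", guard.idle_expired(700))
    print(guard.events)
```

The third failure terminates the line and starts the silent period, so even a correct password at t=30 is refused; once the period ends the next correct attempt is accepted and the idle clock starts for exec-timeout.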
parity

This command defines the generation of a parity bit. Use the no form to restore the default setting.

Syntax
parity {none | even | odd}
no parity
• none - No parity
• even - Even parity
•...

Example
To specify 57600 bps, enter this command:
Console(config-line)#speed 19200
Console(config-line)#

stopbits

This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.

Syntax
stopbits {1 | 2}
•...

Related Commands
show ssh (4-116)
show users (4-30)

show line

This command displays the terminal line’s parameters.

Syntax
show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
Shows all lines

Command Mode...
Event Logging Commands

This section describes commands used to configure event logging on the switch.

Table 4-14 Event Logging Commands
Command           Function                                                          Mode  Page
logging on        Controls logging of error messages                                      4-49
logging history   Limits syslog messages saved to switch memory based on severity         4-50
logging host...

logging history

This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.

Syntax
logging history {flash | ram} level
no logging history {flash | ram}
•...

logging host

This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.

Syntax
[no] logging host host_ip_address
host_ip_address - The IP address of a syslog server.

Default Setting
None

Command Mode...

logging trap

This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.

Related Commands
show logging (4-53)

show logging

This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.

Syntax
show logging {flash | ram | sendmail | trap}
•...

The following example displays settings for the trap function.

Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0...

• To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again.

Command Mode
Global Configuration

Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.

Example
This example will set the source email john@acme.com.
Console(config)#logging sendmail source-email john@acme.com
Console(config)#

logging sendmail destination-email

This command specifies the email recipients of alert messages.
sntp client

This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests.

Syntax
[no] sntp client

Default Setting
Disabled

Command Mode
Global Configuration...

sntp server

This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list.

Syntax
sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP).

Example
Console(config)#sntp poll 60
Console(config)#

Related Commands
sntp client (4-59)

show sntp

This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command displays the current time, the poll interval used for sending...

Command Usage
This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Command Mode
Normal Exec, Privileged Exec

Example
Console#show calendar
15:12:43 April 1 2004
Console#

Switch Cluster Commands

Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
cluster

This command enables clustering on the switch. Use the no form to disable clustering.

Syntax
[no] cluster

Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
• To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander.

• Cluster Member switches can be managed through a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch.

Example
Console(config)#cluster commander
Console(config)#

cluster ip-pool

This command sets the cluster IP address pool. Use the no form to reset to the default address.

cluster member

This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.

Syntax
cluster member mac-address mac-address id member-id
no cluster member id member-id
• mac-address - The MAC address of the Candidate switch.
•...

show cluster

This command shows the switch clustering configuration.

Command Mode
Privileged Exec

Example
Console#show cluster
Role: commander
Interval heartbeat:
Heartbeat loss count: 3
Number of Members:
Number of Candidates: 2
Console#

show cluster members

This command shows the current switch cluster members.

Command Mode
Privileged Exec

Example...
SNMP Commands

Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...

Command Mode
Global Configuration

Example
Console(config)#snmp-server
Console(config)#

show snmp

This command can be used to check the status of SNMP communications.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.

Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1. private, and the privilege is read-write
 2. public, and the privilege is read-only
0 SNMP packets input
 0 Bad SNMP version errors
 0 Unknown community name
 0 Illegal operation for community name supplied
 0 Encoding errors...

Default Setting
• public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Command Mode
Global Configuration

Example
Console(config)#snmp-server community alpha rw
Console(config)#...

snmp-server location

This command sets the system location string. Use the no form to remove the location string.

Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location. (Maximum length: 255 characters)

Default Setting
None

Command Mode...
• version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
  - auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol”...

To send an inform to a SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 4-68).
2. Allow the switch to send SNMP traps; i.e., notifications (page 4-74).
3. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.

Command Usage
• If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.

Command Usage
• An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.

Table 4-22 show snmp engine-id - display description
Field                   Description
Local SNMP engineID     String identifying the engine ID.
Local SNMP engineBoots  The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Remote SNMP engineID    String identifying an engine ID on a remote device.

This view includes the MIB-2 interfaces table, and the mask selects all index entries.

Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#

show snmp view

This command shows information on the SNMP views.

Command Mode
Privileged Exec

Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included...
SNMP Commands snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
Command Line Interface show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
SNMP Commands Table 4-24 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry.
Command Line Interface Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-75) to specify the engine ID for the remote device where the user resides.
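The dependency between the engine ID and the user keys described above, as an added worked example (not Korenix code): the RFC 3414 password-to-key and key-localization steps implemented with Python's standard hashlib, checked against the RFC's own test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02). The second engine ID in the script is a constructed value used only to show that the same password localizes to a different key under a different engine ID, which is why the engine ID must be configured before snmp-server user.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A): password -> Ku -> Kul.

Added example, not Korenix code. The agent stores the localized key Kul,
which depends on the engine ID, so changing the engine ID after users are
configured invalidates every stored authentication/privacy key.
"""
import hashlib

ONE_MIB = 1024 * 1024


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated, then truncated, to exactly 1 MiB."""
    pw = password.encode()
    reps, rem = divmod(ONE_MIB, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-engine key the agent keeps."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, algo: str = "md5"):
    """Return (Ku, Kul) as hex strings for a password and an engine ID."""
    ku = password_to_key(password, algo)
    return ku.hex(), localize_key(ku, engine_id, algo).hex()


def engine_id_changes_key(password: str, old_id: bytes, new_id: bytes,
                          algo: str = "md5") -> bool:
    """True when re-configuring the engine ID would invalidate the stored Kul."""
    return usm_keys(password, old_id, algo)[1] != usm_keys(password, new_id, algo)[1]


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00..02
    rfc_engine = bytes.fromhex("000000000000000000000002")
    for algo in ("md5", "sha1"):
        ku, kul = usm_keys("maplesyrup", rfc_engine, algo)
        print(f"{algo}: Ku={ku}\n      Kul={kul}")
    # constructed engine ID (not a real device value) to show the dependency
    other_engine = bytes.fromhex("8000000003001122334455")
    print("Kul changes with engine ID:",
          engine_id_changes_key("maplesyrup", rfc_engine, other_engine))
```

The MD5 output for the RFC vector is Ku 9faf3283884e92834ebc9847d8edd963 and Kul 526f5eed9fcce26f8964c2930787d82b; the operational consequence is that a remote user entry (snmp-server user ... remote) must be created against the remote device's engine ID, since that is the value folded into its key.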
Authentication Commands Table 4-25 show snmp user - display description Field Description EngineId String identifying the engine ID. User Name Name of user connecting to the SNMP agent. Authentication Protocol The authentication protocol used with SNMPv3. Privacy Protocol The privacy protocol used with SNMPv3. Storage Type The storage type for this entry.
Command Line Interface User Account Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-39), user authentication via a remote authentication server (page 4-83), and host access authentication for specific ports (page 4-118).
Authentication Commands Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how to set the access level and password for a user.
Command Line Interface Related Commands enable (4-10) authentication enable (4-87) Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 4-29 Authentication Sequence Command Function...
Authentication Commands Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-84) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-10).
Command Line Interface RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Authentication Commands Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server auth-port This command sets the RADIUS server port used for authentication messages. Use the no form to restore the default. Syntax radius-server auth-port port_number no radius-server auth-port...
Command Line Interface Example Console(config)#radius-server acct-port 8181 Console(config)# radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
Authentication Commands radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
Command Line Interface show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Global Settings: Communication Key with RADIUS Server: Auth-Port: 1812 Acct-port: 1813 Retransmit Times: Request Timeout: Server 1: Server IP Address: 10.1.2.3...
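What the RADIUS "encryption key" (radius-server key) actually protects, as an added example that is not Korenix code: the RFC 2865 User-Password hiding and the Response Authenticator that the switch, as RADIUS client, uses to check that a reply really came from a server holding the same key. The secret "green" mirrors the key in the manual's example; the password and packet contents are constructed.

```python
"""RADIUS shared-secret mechanics (RFC 2865): User-Password hiding and the
Response Authenticator. Added example, not Korenix code; values constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: str, secret: str, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(p), 16):
        block = _xor(p[i:i + 16], hashlib.md5(secret.encode() + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: str, request_auth: bytes) -> str:
    """Inverse of hide_password; with the wrong secret the result is garbage."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret.encode() + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00").decode("utf-8", errors="replace")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: str) -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret.encode()).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: str) -> bool:
    """Client side (the switch): recompute the authenticator and compare in constant time.
    A reply forged without the key, or a tampered code/attribute, fails here."""
    if len(packet) < HEADER_LEN:
        return False
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret.encode()).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = "green"            # constructed; same string as the manual's example key
    req_auth = os.urandom(16)   # Request Authenticator: fresh random bytes per request
    hidden = hide_password("s3cret-pw", secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("revealed with the right key:", reveal_password(hidden, secret, req_auth))
    accept = build_response(ACCESS_ACCEPT, 1, b"", req_auth, secret)
    print("Access-Accept verifies with the right key:", verify_response(accept, req_auth, secret))
    print("verifies with another key:", verify_response(accept, req_auth, "other"))
```

Two practical consequences follow: the key is the only thing standing between an on-path party and the user password (MD5-based obfuscation, not modern encryption), and a reply whose Response Authenticator does not verify must be discarded, which is what the switch's retransmit/timeout settings above then drive.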
Authentication Commands tacacs-server host This command specifies TACACS+ servers and parameters. Use the no form to restore the default. Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
Command Line Interface Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
Authentication Commands tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
Command Line Interface show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS+ server configuration: Global Settings: Communication Key with TACACS+ Server: Server Port Number: Retransmit Times Request Times Server 1: Server IP address:...
Authentication Commands Table 4-32 AAA Commands (Continued) Command Function Mode Page accounting exec Applies an accounting method to local console, Telnet or Line 4-102 SSH connections accounting commands Applies an accounting method to CLI commands entered Line 4-102 by a user aaa authorization exec Enables authorization of Exec sessions 4-103...
Command Line Interface Command Mode Server Group Configuration Command Usage • When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command (see page 4-88). • When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command (see page 4-93).
Authentication Commands Command Usage Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use. Example Console(config)#aaa accounting dot1x default start-stop group radius Console(config)#...
Command Line Interface Example Console(config)#aaa accounting exec default start-stop group tacacs+ Console(config)# aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group} no aaa accounting commands level {default | method-name} •...
Authentication Commands aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes) Default Setting 1 minute...
Command Line Interface Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec •...
Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} •...
Command Line Interface authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec • default - Specifies the default method list created with the aaa authorization exec command (page 4-103).
Authentication Commands Command Mode Privileged Exec Example Console#show accounting Accounting type: dot1x Method list: default Group list: radius Interface: Method list: tps Group list: radius Interface: eth 1/2 Accounting type: Exec Method list: default Group list: radius Interface: vty Console# Web Server Commands This section describes commands used to configure web browser management access to the switch.
Command Line Interface Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-106) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled...
Authentication Commands • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
Command Line Interface Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000...
Authentication Commands Example Console(config)#ip telnet server Console(config)#ip telnet port 123 Console(config)# Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Command Line Interface To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
Authentication Commands Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
Command Line Interface • The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. •...
Authentication Commands ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
Command Line Interface delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
Authentication Commands Related Commands ip ssh crypto zeroize (4-115) ip ssh save host-key (4-115) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
Command Line Interface Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (4-114) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99...
Authentication Commands Table 4-37 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
Command Line Interface Example Console#show public-key host Host: RSA: 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjw bvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 Console# 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication.
Authentication Commands dot1x system-auth-control This command enables 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
Command Line Interface Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control •...
Authentication Commands Default Single-host Command Mode Interface Configuration Command Usage • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-120). • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
Command Line Interface dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Authentication Commands Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds. (Range: 1-65535) Default 3600 seconds Command Mode...
Command Line Interface dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default. Syntax dot1x intrusion-action {block-traffic | guest-vlan} no dot1x intrusion-action...
Authentication Commands Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface, including the following items: - Status –...
Command Line Interface - Reauth Count – Number of times connecting state is re-entered. • Backend State Machine - State – Current state (including request, response, success, fail, timeout, idle, initialize). - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/28 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800...
Command Line Interface Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 4-39 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access 4-128 show management Displays the IP addresses that are allowed management access to the switch PE 4-129 management...
Authentication Commands Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
Command Line Interface Client Security Commands This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
Client Security Commands Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
Client Security Commands Table 4-42 Network Access (Continued) Command Function Mode Page mac-authentication Sets a maximum for mac-authentication authenticated 4-135 max-mac-count MAC addresses on an interface network-access Enables dynamic VLAN assignment from a RADIUS 4-136 dynamic-vlan server network-access guest-vlan Specifies the guest VLAN 4-136 mac-authentication Sets the time period after which a connected MAC...
Command Line Interface • MAC authentication cannot be configured on trunk ports. • When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. • The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
Client Security Commands mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action [block traffic | pass traffic] no mac-authentication intrusion-action Default Setting Block Traffic Command Mode...
Command Line Interface network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. Syntax [no] network-access dynamic-vlan Default Setting Enabled Command Mode Interface Configuration Command Usage • When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, providing the VLANs have already been created on the switch.
Client Security Commands Command Mode Interface Configuration Command Usage • The VLAN to be used as the guest VLAN must be defined and set as active (see “vlan database” on page 4-225). • When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan”...
Client Security Commands Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts : 2048 Dynamic VLAN Assignment...
Command Line Interface Example
Console#show network-access mac-address-table
---- ----------------- --------------- --------- -------------------------
Port MAC-Address       RADIUS-Server   Attribute Time
---- ----------------- --------------- --------- -------------------------
     00-00-01-02-03-04 172.155.120.17  Static    00d06h32m50s
     00-00-01-02-03-05 172.155.120.17  Dynamic   00d06h33m20s
     00-00-01-02-03-06 172.155.120.17  Static    00d06h35m10s
     00-00-01-02-03-07 172.155.120.17  Dynamic   00d06h34m20s
Console#
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication methods are infeasible or impractical.
Client Security Commands web-auth login-attempts This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default. Syntax web-auth login-attempts count no web-auth login-attempts...
Command Line Interface web-auth session-timeout This command defines the amount of time a web-authentication session remains valid. When the session-timeout has been reached, the host is logged off and must be re-authenticated the next time data is transmitted. Use the no form to restore the default.
Client Security Commands web-auth This command enables web authentication for a port. Use the no form to restore the default. Syntax [no] web-auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for web authentication to be active.
Command Line Interface web-auth re-authenticate (IP) This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate. Syntax web-auth re-authenticate interface interface ip • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1.
Client Security Commands show web-auth interface This command displays interface-specific web authentication parameters and statistics. Syntax show web-auth interface interface • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-20) Default Setting None Command Mode...
Command Line Interface Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------ 1/ 1 Disabled 1/ 2 Enabled 1/ 3 Disabled 1/ 4 Disabled 1/ 5 Disabled DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
Client Security Commands Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command (page 4-148), DHCP messages received on an untrusted interface (as specified by the no ip dhcp snooping trust command, page 4-149) from a...
Command Line Interface • Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (ip dhcp snooping trust, page 4-149). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
Client Security Commands Example This example enables DHCP snooping for VLAN 1. Console(config)#ip dhcp snooping vlan 1 Console(config)# Related Commands ip dhcp snooping (4-146) ip dhcp snooping trust (4-149) ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting.
Command Line Interface Related Commands ip dhcp snooping (4-146) ip dhcp snooping vlan (4-148) ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
Client Security Commands Command Usage • DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
Command Line Interface Default Setting replace Command Mode Global Configuration Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. Either the switch can drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Client Security Commands show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example
Console#show ip dhcp snooping binding
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
Console#...
Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. •...
Client Security Commands Example This example enables IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# Related Commands ip source-guard binding (4-155) ip dhcp snooping (4-146) ip dhcp snooping vlan (4-148) ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Command Line Interface - If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
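The DHCP snooping and IP source guard behaviour described over the preceding pages (untrusted ports drop server replies, chaddr is checked against the Ethernet source MAC, bindings are learned from server ACKs, a static binding replaces a dynamic one with the same VLAN and MAC, and sip-mode source guard forwards only traffic whose source IP is bound to that port), as an added example. This is a small Python model, not Korenix code; the DHCP message is simplified to the fields the filter needs (op, message type, source MAC, chaddr, yiaddr), port names and addresses are constructed, and the handling of the switch's own DHCP client traffic is left out.

```python
"""Model of DHCP snooping plus sip-mode IP source guard. Added example,
not Korenix code; all ports, MACs and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    iface: str
    kind: str  # "dynamic" (learned from DHCP) or "static" (ip source-guard binding)


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False        # ip dhcp snooping trust
    source_guard: bool = False   # ip source-guard sip


@dataclass
class DhcpMessage:
    op: int            # BOOTREQUEST (client) or BOOTREPLY (server)
    msg_type: str      # DISCOVER / OFFER / REQUEST / ACK / RELEASE
    src_mac: str       # Ethernet source address
    chaddr: str        # client hardware address inside the DHCP payload
    yiaddr: str = "0.0.0.0"


class SnoopingSwitch:
    def __init__(self, snooping_vlans, verify_mac: bool = True):
        self.snooping_vlans = set(snooping_vlans)   # ip dhcp snooping vlan N
        self.verify_mac = verify_mac                 # ip dhcp snooping verify mac-address
        self.ports: Dict[str, Port] = {}
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, mac) -> binding
        self.pending: Dict[Tuple[int, str], str] = {}        # (vlan, chaddr) -> client port

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def receive_dhcp(self, port_name: str, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop' and maintain the binding table."""
        port = self.ports[port_name]
        if port.vlan not in self.snooping_vlans:
            return "forward"                      # snooping not enabled on this VLAN
        key = (port.vlan, msg.chaddr)
        if not port.trusted:
            if msg.op == BOOTREPLY:
                return "drop"                     # server message from an untrusted port
            if self.verify_mac and msg.chaddr != msg.src_mac:
                return "drop"                     # chaddr does not match Ethernet source
            if msg.msg_type == "RELEASE":
                b = self.bindings.get(key)
                if b is not None and b.kind == "dynamic":
                    del self.bindings[key]
            else:
                self.pending[key] = port.name     # remember where the client lives
            return "forward"
        # trusted port: a server ACK completes the lease and creates a dynamic binding
        if msg.op == BOOTREPLY and msg.msg_type == "ACK":
            client_port = self.pending.pop(key, None)
            existing = self.bindings.get(key)
            if client_port is not None and (existing is None or existing.kind == "dynamic"):
                self.bindings[key] = Binding(msg.chaddr, msg.yiaddr, port.vlan,
                                             client_port, "dynamic")
        return "forward"

    def add_static_binding(self, vlan: int, mac: str, ip: str, iface: str) -> None:
        """ip source-guard binding: a dynamic entry with the same VLAN/MAC is replaced."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, iface, "static")

    def receive_ip(self, port_name: str, src_mac: str, src_ip: str) -> str:
        """sip-mode source guard: forward only if src_ip is bound to this port/VLAN."""
        port = self.ports[port_name]
        if not port.source_guard:
            return "forward"
        for b in self.bindings.values():
            if b.vlan == port.vlan and b.iface == port.name and b.ip == src_ip:
                return "forward"
        return "drop"


if __name__ == "__main__":
    sw = SnoopingSwitch(snooping_vlans=[1])
    sw.add_port(Port("eth1/5", vlan=1, trusted=False, source_guard=True))   # client port
    sw.add_port(Port("eth1/1", vlan=1, trusted=True))                       # uplink to server
    client, server = "11-22-33-44-55-66", "00-11-22-33-44-55"
    print(sw.receive_dhcp("eth1/5", DhcpMessage(BOOTREPLY, "OFFER", client, client, "10.9.9.9")))
    print(sw.receive_dhcp("eth1/5", DhcpMessage(BOOTREQUEST, "REQUEST", client, client)))
    print(sw.receive_dhcp("eth1/1", DhcpMessage(BOOTREPLY, "ACK", server, client, "192.168.0.99")))
    print(sw.bindings[(1, client)])
    print(sw.receive_ip("eth1/5", client, "192.168.0.99"), sw.receive_ip("eth1/5", client, "192.168.0.1"))
```

Run as a script it prints drop, forward, forward, the learned dynamic binding, and then forward/drop for the bound and unbound source addresses, which is the same outcome the show ip dhcp snooping binding and show ip source-guard binding displays let you confirm on the switch.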
Access Control List Commands Example
Console#show ip source-guard binding
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
Console#
Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type).
Command Line Interface access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address.
Access Control List Commands permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
Command Line Interface permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source}...
Access Control List Commands specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. • The following control codes may be specified: - 1 (fin) – Finish - 2 (syn) –...
Command Line Interface Command Mode Privileged Exec Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.255.0 Console# Related Commands permit, deny 4-159 ip access-group (4-162) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name {in | out} •...
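The Standard and Extended IP ACL matching described in this section, as an added example (not Korenix code): a Python evaluator that applies rules in order, first match wins. Two points are assumptions, stated here because the page does not spell them out: the address bitmask follows the show ip access-list example above (mask bits set to 1 are compared, so 168.92.0.0 255.255.255.0 covers 168.92.0.x), and the control-code bit values extend the list above with the standard TCP flag bits (1 fin, 2 syn, 4 rst, 8 psh, 16 ack, 32 urg). The action taken for a packet that matches no rule is not stated on this page, so it is a parameter rather than a hard-coded default.

```python
"""Evaluator for Standard/Extended IP ACL rules. Added example, not Korenix
code; packets and rule lists below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP control-code bit values (1 and 2 are on the page; the rest are standard)
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
ALL_FLAGS = 0x3F


@dataclass
class Packet:
    src: str
    dst: str
    proto: int = 6        # IP protocol number, 6 = TCP
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0


@dataclass
class AddrMatch:
    """'any' is address 0.0.0.0 with mask 0.0.0.0; 'host X' is X with mask 255.255.255.255."""
    addr: str = "0.0.0.0"
    mask: str = "0.0.0.0"

    @classmethod
    def host(cls, ip: str) -> "AddrMatch":
        return cls(ip, "255.255.255.255")

    def matches(self, ip: str) -> bool:
        # assumption: 1-bits in the mask select the address bits that are compared
        m = int(IPv4Address(self.mask))
        return (int(IPv4Address(ip)) & m) == (int(IPv4Address(self.addr)) & m)


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: AddrMatch
    dst: AddrMatch = AddrMatch()       # Standard ACLs only look at the source
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    control_code: Optional[int] = None
    control_mask: int = ALL_FLAGS      # which flag bits the control code is compared on

    def matches(self, p: Packet) -> bool:
        if not (self.src.matches(p.src) and self.dst.matches(p.dst)):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.control_code is not None:
            if p.proto != 6:
                return False           # control codes only apply to TCP
            if (p.tcp_flags & self.control_mask) != (self.control_code & self.control_mask):
                return False
        return True


def evaluate(acl: List[Rule], p: Packet, unmatched: str = "deny") -> str:
    """Rules are kept in the order added (new rules go to the end); first match wins.
    'unmatched' is what happens when no rule matches; the page does not state it."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return unmatched


if __name__ == "__main__":
    # the standard ACL "david" from the show ip access-list example above
    david = [Rule("permit", AddrMatch.host("10.1.1.21")),
             Rule("permit", AddrMatch("168.92.0.0", "255.255.255.0"))]
    for src in ("10.1.1.21", "168.92.0.77", "168.92.1.5"):
        print("david", src, "->", evaluate(david, Packet(src, "10.0.0.1")))
    # extended ACL (constructed): deny TCP connection setup (SYN without ACK) to
    # port 23 on one host, permit everything else
    telnet_guard = [Rule("deny", AddrMatch(), AddrMatch.host("10.1.1.21"), proto=6,
                         dport=23, control_code=SYN, control_mask=SYN | ACK),
                    Rule("permit", AddrMatch())]
    print("syn to 23 ->", evaluate(telnet_guard, Packet("10.0.0.9", "10.1.1.21", 6, 40000, 23, SYN)))
    print("syn-ack   ->", evaluate(telnet_guard, Packet("10.0.0.9", "10.1.1.21", 6, 40000, 23, SYN | ACK)))
```

The control-code/mask pair is what lets a single rule express "new inbound connections only": comparing on SYN and ACK together, with SYN set and ACK clear, matches the first packet of a handshake and nothing else, while the plain SYN value alone would also match SYN-ACK replies.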
Access Control List Commands show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Related Commands ip access-group (4-162) map access-list ip This command sets the output queue for packets matching an ACL rule.
Command Line Interface Related Commands queue cos-map (4-279) show map access-list ip (4-164) show map access-list ip This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list ip [interface] interface...
Access Control List Commands access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
Command Line Interface permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
Access Control List Commands Command Usage • New rules are added to the end of the list. • The ethertype option can only be used to filter Ethernet II formatted packets. • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: - 0800 - IP - 0806 - ARP...
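The note that the ethertype option only filters Ethernet II frames matters for anyone writing MAC ACLs: 802.3-framed traffic such as spanning-tree BPDUs carries a length field where Ethernet II carries a type, so an ethertype rule never sees it. The following block is an added example, not code from the Korenix manual or its firmware; it classifies a raw frame (skipping 802.1Q/802.1ad tags), applies MAC rules with the page's address-bitmask semantics, and assumes the same first-match, implicit-deny evaluation as for the IP ACLs. All frames and addresses are constructed.

```python
"""Frame classification behind the MAC ACL rules above.

Added example, not from the Korenix manual or its firmware. It shows why the
page limits the ethertype option to Ethernet II frames: the two bytes after
the source MAC are an EtherType only when the value is 0x0600 or more;
smaller values are an IEEE 802.3 length field and the frame carries LLC,
not an EtherType, so an ethertype rule can never match it. 802.1Q tags
(0x8100, 0x88A8) are skipped to reach the real type. Frames are constructed
by hand. Assumed, as for the IP ACLs: rules are checked in order, the first
match wins, and no match means deny.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_MIN = 0x0600                  # IEEE 802.3: type/length >= 0x0600 is an EtherType
VLAN_TPIDS = (0x8100, 0x88A8)           # 802.1Q customer tag, 802.1ad service tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_tags: List[Tuple[int, int]]    # (tpid, tci) outer to inner
    ethertype: Optional[int]            # None for 802.3 length-encoded frames
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = raw[0:6], raw[6:12], 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated type/length field")
        tl = int.from_bytes(raw[off:off + 2], "big")
        if tl not in VLAN_TPIDS:
            break
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tags.append((tl, int.from_bytes(raw[off + 2:off + 4], "big")))
        off += 4
    if tl >= ETHERTYPE_MIN:
        return Frame(dst, src, tags, tl, raw[off + 2:])                # Ethernet II
    return Frame(dst, src, tags, None, raw[off + 2:off + 2 + tl])      # 802.3 + LLC


def mac_matches(addr: bytes, rule_addr: Optional[bytes], mask: Optional[bytes]) -> bool:
    """'any' is rule_addr=None; 'host X' is X with an all-ones bitmask."""
    if rule_addr is None:
        return True
    m = mask or b"\xff" * 6
    return all((a & k) == (r & k) for a, r, k in zip(addr, rule_addr, m))


@dataclass
class MacRule:
    action: str                          # "permit" or "deny"
    src: Optional[bytes] = None
    src_mask: Optional[bytes] = None
    dst: Optional[bytes] = None
    dst_mask: Optional[bytes] = None
    ethertype: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        if not mac_matches(f.src, self.src, self.src_mask):
            return False
        if not mac_matches(f.dst, self.dst, self.dst_mask):
            return False
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False                 # an 802.3 frame has ethertype None: never matches
        return True


def evaluate(rules: List[MacRule], raw: bytes) -> str:
    frame = parse_frame(raw)
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return "deny"                        # assumed implicit deny


# Constructed frames (addresses are documentation-style, not real devices).
STP_MAC = bytes.fromhex("0180c2000000")
HOST_A = bytes.fromhex("00125f010203")
HOST_B = bytes.fromhex("00125f0a0b0c")
ETH2_ARP = HOST_B + HOST_A + bytes.fromhex("0806") + b"\x00" * 28
TAGGED_IP = HOST_B + HOST_A + bytes.fromhex("8100 0064 0800") + b"\x45" + b"\x00" * 19
BPDU_8023 = STP_MAC + HOST_A + bytes.fromhex("0026 424203") + b"\x00" * 35   # length 38, LLC 42 42 03

RULES = [
    MacRule("deny", ethertype=0x0806),   # drop ARP by type: hits Ethernet II only
    MacRule("deny", dst=STP_MAC),        # drop BPDUs by MAC: the only way to catch 802.3 frames
    MacRule("permit"),                   # permit any
]
```

Run `evaluate(RULES, BPDU_8023)` with and without the second rule: an ethertype-only list lets the BPDU through, which is exactly the trap the manual's note is warning about.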
Command Line Interface mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) •...
Access Control List Commands map access-list mac This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself. Use the no form to remove the CoS mapping. Syntax [no] map access-list mac acl_name cos cos-queue •...
Command Line Interface show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list mac [interface] interface •...
Access Control List Commands ACL Information Table 4-51 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-171 show access-group Shows the ACLs assigned to each port 4-171 show access-list This command shows all ACLs and associated rules. Command Mode Privileged Exec Example...
Command Line Interface Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-52 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 4-172 mode description...
Interface Commands Command Mode Global Configuration Example To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#
description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
Command Line Interface Note: 1000full operation cannot be forced. The Gigabit Combo ports can only operate at 1000full when auto-negotiation is enabled. Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full.
Interface Commands Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. •...
Command Line Interface Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
Interface Commands • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub. Example The following example enables flow control on port 5.
Interface Commands Command Usage This command enables or disables broadcast storm control for the selected interface. However, the threshold value, specified using the broadcast byte-rate command, applies to all ports on the switch. Example The following shows how to enable broadcast storm control for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast
Console(config-if)#...
Command Line Interface show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-12) •...
Interface Commands show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-12) Default Setting Shows the counters for all interfaces.
Command Line Interface Table 4-53 Interfaces Switchport Statistics (Continued) Field Description 802.1Q-tunnel Status Shows if 802.1Q tunnel is enabled on this interface (page 4-235). 802.1Q-tunnel Mode Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 4-235). 802.1Q-tunnel TPID Shows the Tag Protocol Identifier used for learning and switching packets (page 4-236).
Link Aggregation Commands • All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. • Any of the SFP transceivers can be trunked together, including those of different media types.
Command Line Interface Example The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#channel-group 1
Console(config-if)#
lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting...
Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Console(config)#interface ethernet 1/11
Console(config-if)#lacp
Console(config-if)#exit...
Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
Link Aggregation Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} • port-channel - Local identifier for a link aggregation group. (Range: 1-12) • counters - Statistics for LACP protocol messages. •...
Command Line Interface
Console#show lacp sysid
Port Channel  System Priority  System MAC Address
-------------------------------------------------------------------------
              32768            00-12-CF-8F-2C-A7
              32768            00-12-CF-8F-2C-A7
              32768            00-12-CF-8F-2C-A7
              32768            00-12-CF-8F-2C-A7
Console#
Table 4-58 show lacp sysid - display description
Field             Description
Channel group     A link aggregation group configured on this switch.
System Priority   LACP system priority for this channel group.
Mirror Port Commands Command Mode Interface Configuration (Ethernet, destination port) Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
Command Line Interface Example The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#end
Console#show port monitor
Port Mirroring
-------------------------------------
Destination port(listen port):Eth1/11
Source port(monitored port) :Eth1/6
Mode                        :RX
Console#
Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface.
Address Table Commands Command Mode Interface Configuration (Ethernet) Command Usage The scale and level are multiplied by one another to set the rate limit. For example, to limit port traffic to 500K bytes per second, select the scale as 100K and set the level to 5. Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input scale 100k level 5...
Command Line Interface • action - - delete-on-reset - Assignment lasts until the switch is reset. - permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent. Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN.
Address Table Commands show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
Command Line Interface mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-98301 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode...
Spanning Tree Commands Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-62 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-202 spanning-tree mode...
Command Line Interface spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Spanning Tree Commands Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Command Line Interface Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Spanning Tree Commands spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
Command Line Interface Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
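The max-age, forward-delay and priority commands above interact: the timers must satisfy the bounds the page gives for max-age, and root election is decided purely by the advertised priority and MAC address, so any device that can send BPDUs with a lower priority becomes root. The block below is an added example, not code from the Korenix manual or its firmware. The lower bound 2 x (hello-time + 1) and the 6-40 s range are from the page; the upper bound 2 x (forward-delay - 1) is the companion IEEE 802.1D constraint and is assumed here. All bridges are constructed.

```python
"""Spanning-tree timer consistency and root election, per the rules above.

Added example, not from the Korenix manual or its firmware. The lower
bound max-age >= 2 x (hello-time + 1) and the 6-40 s range are stated on
the page; the upper bound max-age <= 2 x (forward-delay - 1) is the
companion rule from IEEE 802.1D and is assumed here. Root election follows
the page: lowest priority value wins, ties go to the lowest MAC address.
All bridges below are constructed.
"""
from dataclasses import dataclass
from typing import List


def timer_problems(hello: int, max_age: int, forward_delay: int) -> List[str]:
    """Return the constraints a 'spanning-tree max-age' / 'forward-time'
    change would violate; an empty list means the set is consistent."""
    problems = []
    if not 6 <= max_age <= 40:
        problems.append(f"max-age {max_age} outside 6-40")
    if max_age < 2 * (hello + 1):
        problems.append(f"max-age {max_age} < 2*(hello+1) = {2 * (hello + 1)}")
    if max_age > 2 * (forward_delay - 1):      # IEEE 802.1D rule, assumed here
        problems.append(f"max-age {max_age} > 2*(forward-delay-1) = {2 * (forward_delay - 1)}")
    return problems


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int       # the switch default is 32768
    mac: str            # "00-12-CF-8F-2C-A7" style, as printed by the switch

    def bridge_id(self) -> tuple:
        """Bridge identifier ordering: priority first, then the MAC address."""
        return (self.priority, int(self.mac.replace("-", "").replace(":", ""), 16))


def elect_root(bridges: List[Bridge]) -> Bridge:
    return min(bridges, key=Bridge.bridge_id)


def root_changes_if_added(bridges: List[Bridge], newcomer: Bridge) -> bool:
    """True when a device joining the segment would take over as root.
    A bridge advertising priority 0 always wins against default settings,
    which is why an unexpected root change deserves an alert."""
    return elect_root(bridges + [newcomer]) == newcomer


CORE = Bridge("core", 4096, "00-12-CF-8F-2C-A7")
ACCESS_1 = Bridge("access-1", 32768, "00-12-CF-00-00-02")
ACCESS_2 = Bridge("access-2", 32768, "00-12-CF-00-00-01")
ROGUE = Bridge("rogue", 0, "00-00-5E-00-53-01")   # constructed rogue bridge

if __name__ == "__main__":
    print("defaults OK:", timer_problems(hello=2, max_age=20, forward_delay=15))
    print("root:", elect_root([CORE, ACCESS_1, ACCESS_2]).name)
    print("rogue takes root:", root_changes_if_added([CORE, ACCESS_1, ACCESS_2], ROGUE))
```

Use `elect_root` on the bridge IDs from `show spanning-tree` to confirm the intended core is root; if a host-facing port can ever carry a lower bridge ID, that port needs edge-port treatment (see spanning-tree edge-port later in this section) rather than a reliance on the default priority.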
Spanning Tree Commands spanning-tree transmission-limit This command limits the rate at which RSTP/MSTP BPDUs are transmitted on a port. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The maximum number of BPDUs that may be transmitted per second (the transmit hold count). (Range: 1-10) Default Setting Command Mode Global Configuration...
Command Line Interface mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range •...
Spanning Tree Commands Default Setting 32768 Command Mode MST Configuration Command Usage • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Command Line Interface revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting Command Mode MST Configuration...
Spanning Tree Commands specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#
spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface.
Command Line Interface
Table 4-64 Recommended STA Path Cost
Port Type         Link Type     IEEE 802.1D-1998   IEEE 802.1w-2001
Ethernet          Half Duplex                      2,000,000
                  Full Duplex                      1,999,999
                  Trunk                            1,000,000
Fast Ethernet     Half Duplex                      200,000
                  Full Duplex                      100,000
                  Trunk                            50,000
Gigabit Ethernet  Full Duplex                      10,000
                  Trunk                            5,000
...
Spanning Tree Commands spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting Command Mode Interface Configuration (Ethernet, Port Channel)
Command Line Interface devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
Spanning Tree Commands Related Commands spanning-tree edge-port (4-213) spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type •...
Command Line Interface spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost •...
Spanning Tree Commands spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority •...
Command Line Interface Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
Spanning Tree Commands items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-156. Example
Console#show spanning-tree
Spanning-tree information
---------------------------------------------------------------
Spanning tree mode:             MSTP
Spanning tree enable/disable:   enable
Instance:
Vlans configuration:            1-4094
Priority:                       32768
Bridge Hello Time (sec.):
Bridge Max Age (sec.):
Bridge Forward Delay (sec.):
Root Hello Time (sec.):
Root Max Age (sec.):...
Command Line Interface show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example
Console#show spanning-tree mst configuration
Mstp Configuration Information
--------------------------------------------------------------
Configuration name: R&D
Revision level:     0
Instance  Vlans
--------------------------------------------------------------
          1,3-4094
Console#
VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
VLAN Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Command Line Interface show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-172 and “Displaying Bridge Extension Capabilities” on page 3-16 for a description of the displayed items.
VLAN Commands show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-12) Default Setting Shows both global and interface-specific configuration.
Command Line Interface Command Usage • Generic Attribute Registration Protocol (GARP) is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
Command Line Interface vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) •...
Command Line Interface switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {trunk | hybrid | private-vlan} no switchport mode • hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
VLAN Commands Default Setting All frame types Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged...
Command Line Interface Example The following example shows how to select port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#
switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
VLAN Commands switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
Command Line Interface switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
VLAN Commands Displaying VLAN Information Table 4-70 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-233 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-180 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-182 interface...
Command Line Interface Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
VLAN Commands reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode. Syntax [no] dot1q-tunnel system-tunnel-control Default Setting...
Command Line Interface • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag. •...
Command Line Interface This section describes commands used to configure private VLANs. Table 4-72 Private VLAN Commands Command Function Mode Page Edit Private VLAN Groups private-vlan Adds or deletes primary, community, or isolated VLANs 4-239 private-vlan association Associates a community VLAN with a primary VLAN 4-240 Configure Private VLAN Interfaces switchport mode...
VLAN Commands private-vlan Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | primary | isolated} no private-vlan vlan-id • vlan-id - ID of private VLAN. (Range: 1-4094, no leading zeroes). •...
Command Line Interface private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the private-vlan host association command. •...
Command Line Interface switchport private-vlan isolated Use this command to assign an interface to an isolated VLAN. Use the no form to remove this assignment. Syntax switchport private-vlan isolated isolated-vlan-id no switchport private-vlan isolated isolated-vlan-id - ID of isolated VLAN. (Range: 1-4094). Default Setting None Command Mode...
VLAN Commands Example
Console(config)#interface ethernet 1/2
Console(config-if)#switchport private-vlan mapping 2
Console(config-if)#
show private-vlan Use this command to show the private VLAN configuration settings on this switch. Syntax show private-vlan [community | isolated | primary] • community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
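The private VLAN commands above (private-vlan, private-vlan association, switchport private-vlan mapping, host association and isolated) are usually applied to enforce an isolation policy, so it pays to check the resulting reachability before committing it. The block below is an added example, not code from the Korenix manual or its firmware; it encodes the standard private VLAN forwarding rules (promiscuous ports reach every port in the domain, community hosts reach their own community and the promiscuous ports, isolated hosts reach only the promiscuous ports) and flags host ports placed in a secondary VLAN that is not associated with the primary. The port table is constructed; port eth1/2 mirrors the mapping example above.

```python
"""Reachability model for the private VLAN port roles above.

Added example, not from the Korenix manual or its firmware. Encodes the
isolation rules of primary, community and isolated VLANs so a port
assignment can be checked before it is applied: promiscuous ports reach
every port in their primary VLAN, community hosts reach each other and the
promiscuous ports, isolated hosts reach only the promiscuous ports. The
port table is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class PrivateVlan:
    primary: int
    community: Set[int]      # community VLAN IDs associated with the primary
    isolated: Set[int]       # isolated VLAN IDs associated with the primary

    def secondary(self) -> Set[int]:
        return self.community | self.isolated


@dataclass
class Port:
    name: str
    role: str                # "promiscuous" (switchport private-vlan mapping)
                             # or "host" (private-vlan host association / isolated)
    vlan: int                # primary VLAN for promiscuous, secondary VLAN for host


def validate(pv: PrivateVlan, ports: Dict[str, Port]) -> List[str]:
    """Configuration errors the CLI would reject or that would leave a port dead."""
    errors = []
    for p in ports.values():
        if p.role == "promiscuous" and p.vlan != pv.primary:
            errors.append(f"{p.name}: promiscuous port must map to primary VLAN {pv.primary}")
        elif p.role == "host" and p.vlan not in pv.secondary():
            errors.append(f"{p.name}: VLAN {p.vlan} is not associated with primary VLAN {pv.primary}")
    return errors


def can_forward(pv: PrivateVlan, a: Port, b: Port) -> bool:
    """Whether a frame entering port a may be delivered out of port b."""
    if a.name == b.name:
        return False
    if a.role == "promiscuous" or b.role == "promiscuous":
        return True                          # promiscuous reaches everything in the domain
    if a.vlan != b.vlan:
        return False                         # different secondaries never talk directly
    return a.vlan in pv.community            # same community: yes; same isolated VLAN: no


def reachability(pv: PrivateVlan, ports: Dict[str, Port]) -> Dict[Tuple[str, str], bool]:
    return {(a, b): can_forward(pv, pa, pb)
            for a, pa in ports.items() for b, pb in ports.items() if a != b}


# Constructed layout: primary 2, one community VLAN (3), one isolated VLAN (4).
PV = PrivateVlan(primary=2, community={3}, isolated={4})
PORTS = {
    "eth1/2": Port("eth1/2", "promiscuous", 2),   # the page's 'switchport private-vlan mapping 2'
    "eth1/3": Port("eth1/3", "host", 3),
    "eth1/4": Port("eth1/4", "host", 3),
    "eth1/5": Port("eth1/5", "host", 4),
    "eth1/6": Port("eth1/6", "host", 4),
}

if __name__ == "__main__":
    print("errors:", validate(PV, PORTS))
    for (a, b), ok in sorted(reachability(PV, PORTS).items()):
        print(f"{a} -> {b}: {'forward' if ok else 'blocked'}")
```

The model intentionally has no notion of Layer 3: two isolated hosts that cannot reach each other at Layer 2 can still talk through a router on the promiscuous port, so the uplink device needs its own filtering if that path must also be closed.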
Command Line Interface Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
VLAN Commands Default Setting No protocol groups are configured. Command Mode Global Configuration Example The following creates protocol group 1, and specifies the IPX protocol type. Protocol VLAN group 2 is created with protocol-type IPv6 (86DD) and frame-type ethernet specified:
Console(config)#protocol-vlan protocol-group 1 add protocol-type ipx
Console(config)#protocol-vlan protocol-group 2 add protocol-type 86dd frame-type ethernet...
Command Line Interface Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 2
Console(config-if)#
show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups. Syntax show protocol-vlan protocol-group [group-id] group-id - Group identifier for a protocol group.
VLAN Commands show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) •...
Command Line Interface Table 4-74 Voice VLAN Commands (Continued) Command Function Mode Page switchport voice vlan priority Sets the VoIP traffic priority for ports 4-252 show voice vlan Displays Voice VLAN settings 4-253 voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
VLAN Commands voice vlan aging This command sets the Voice VLAN membership time out. Use the no form to restore the default. Syntax voice vlan aging minutes no voice vlan aging minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) Default Setting 1440 minutes...
Command Line Interface Command Mode Global Configuration Command Usage • VoIP devices attached to the switch can be identified by the manufacturer’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
VLAN Commands Example The following example sets port 1 to Voice VLAN auto mode.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan auto
Console(config-if)#
switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the selected detection method on a port.
Command Line Interface Default Setting Disabled Command Mode Interface Configuration Command Usage • Security filtering discards any non-VoIP packets received on a port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch.
VLAN Commands Example The following example sets the CoS priority to 5 on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan priority 5
Console(config-if)#
show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Command Line Interface LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. LLDP advertisements are neither authenticated nor encrypted, so any station on the same segment can read them; the TLV commands in this section determine how much a neighbor can learn about the switch.
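To see what the TLV commands that follow actually put on the wire, it helps to decode an LLDPDU. The block below is an added example, not code from the Korenix manual or its firmware: it encodes and parses the IEEE 802.1AB TLV header (7-bit type, 9-bit length), the mandatory Chassis ID, Port ID and TTL TLVs, the basic optional TLVs this switch can advertise (port description, system name, system description, management address) and the End TLV, refusing lengths that run past the buffer. The sample LLDPDU, its names and its address are constructed; the TTL formula tx-interval x holdtime-multiplier, capped at 65535, is from 802.1AB.

```python
"""LLDPDU parser for the TLV format described above.

Added example, not from the Korenix manual or its firmware. It decodes the
IEEE 802.1AB TLV header (7-bit type, 9-bit length), the mandatory Chassis
ID, Port ID and TTL TLVs, the basic optional TLVs this switch can advertise
(port description, system name, system description, management address)
and the End TLV. The LLDPDU below is constructed by hand; the TTL formula
tx-interval x holdtime-multiplier, capped at 65535, is from 802.1AB.
"""
import ipaddress
from typing import Dict, List, Tuple

TLV_NAMES = {0: "end", 1: "chassis_id", 2: "port_id", 3: "ttl",
             4: "port_description", 5: "system_name", 6: "system_description",
             7: "system_capabilities", 8: "management_address", 127: "org_specific"}
MAC_SUBTYPE = {1: 4, 2: 3}      # chassis-id subtype 4 and port-id subtype 3 carry a MAC address


def ttl_for(tx_interval: int, holdtime_multiplier: int) -> int:
    return min(65535, tx_interval * holdtime_multiplier)


def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, value."""
    if not 0 <= ttype < 128 or len(value) > 511:
        raise ValueError("type must be 0-127 and value at most 511 bytes")
    return ((ttype << 9) | len(value)).to_bytes(2, "big") + value


def split_tlvs(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV chain, refusing lengths that run past the buffer."""
    tlvs, off = [], 0
    while off + 2 <= len(pdu):
        hdr = int.from_bytes(pdu[off:off + 2], "big")
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError(f"TLV type {ttype} claims {length} bytes past end of PDU")
        tlvs.append((ttype, pdu[off:off + length]))
        off += length
        if ttype == 0:
            break                                  # End of LLDPDU
    return tlvs


def decode(pdu: bytes) -> Dict[str, object]:
    tlvs = split_tlvs(pdu)
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("Chassis ID, Port ID and TTL must lead the LLDPDU, in that order")
    out: Dict[str, object] = {}
    for ttype, val in tlvs:
        name = TLV_NAMES.get(ttype, f"type_{ttype}")
        if ttype in (1, 2):                        # subtype byte, then the identifier
            sub, ident = val[0], val[1:]
            text = ident.hex(":") if sub == MAC_SUBTYPE[ttype] else ident.decode("ascii", "replace")
            out[name] = (sub, text)
        elif ttype == 3:
            out[name] = int.from_bytes(val, "big")
        elif ttype in (4, 5, 6):
            out[name] = val.decode("utf-8", "replace")
        elif ttype == 8:                           # addr-len, addr-subtype, addr, if-subtype, if-num, oid-len, oid
            subtype, addr = val[1], val[2:1 + val[0]]
            out[name] = str(ipaddress.IPv4Address(addr)) if subtype == 1 and len(addr) == 4 else addr.hex()
        elif ttype == 0:
            out[name] = True
    return out


def is_malformed(pdu: bytes) -> bool:
    """True when the PDU fails to parse (bad lengths or missing mandatory TLVs)."""
    try:
        decode(pdu)
        return False
    except ValueError:
        return True


# Constructed LLDPDU as this switch could send it with the default basic TLVs on.
SAMPLE_PDU = (tlv(1, b"\x04" + bytes.fromhex("0012cf8f2ca7"))        # chassis id: MAC address
              + tlv(2, b"\x05" + b"Eth1/1")                         # port id: interface name
              + tlv(3, ttl_for(30, 4).to_bytes(2, "big"))            # TTL = 30 s x 4 = 120 s
              + tlv(5, b"sw-lab-01")                                # system name (constructed)
              + tlv(6, b"JetNet 5228G (constructed description)")  # system description
              + tlv(8, b"\x05\x01" + bytes([192, 0, 2, 10]) + b"\x02" + (1).to_bytes(4, "big") + b"\x00")
              + tlv(0, b""))

if __name__ == "__main__":
    for k, v in decode(SAMPLE_PDU).items():
        print(f"{k:20} {v}")
```

Feed captured LLDPDUs (the payload after EtherType 0x88CC) to `decode` to inventory exactly which identifiers and the management address a port is advertising; anything that should not be visible on that segment is turned off with the corresponding `no lldp basic-tlv ...` command below.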
LLDP Commands Table 4-75 LLDP Commands (Continued) Command Function Mode Page lldp basic-tlv Configures an LLDP-enabled port to advertise its system 4-264 system-name name lldp dot1-tlv proto-ident* Configures an LLDP-enabled port to advertise the supported 4-265 protocols lldp dot1-tlv proto-vid* Configures an LLDP-enabled port to advertise port related 4-265 VLAN information...
Command Line Interface lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example
Console(config)#lldp
Console(config)#
lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
LLDP Commands lldp medFastStartCount This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Syntax lldp medfaststartcount packets packets - Number of LLDPDUs to transmit. (Range: 1-10 packets; Default: 4 packets) Default Setting 4 packets Command Mode...
Command Line Interface • Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
LLDP Commands Default Setting 2 seconds Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example
Console(config)#lldp reinit-delay 10
Console(config)#
lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
Command Line Interface lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status • rx-only - Only receive LLDP PDUs. •...
LLDP Commands of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp notification
Console(config-if)#
lldp mednotification This command enables the transmission of SNMP trap notifications about...
Command Line Interface Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp mednotification
Console(config-if)#
lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode...
LLDP Commands lldp basic-tlv port-description This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature. Syntax [no] lldp basic-tlv port-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
Command Line Interface lldp basic-tlv system-description This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-description Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type,...
LLDP Commands lldp dot1-tlv proto-ident This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-ident Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface.
Command Line Interface lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv pvid Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see switchport native...
LLDP Commands lldp dot3-tlv link-agg This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv link-agg Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
Command Line Interface lldp dot3-tlv max-frame This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv max-frame Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Refer to “Frame Size Commands”...
LLDP Commands lldp medtlv extpoe This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature. Syntax [no] lldp medtlv extpoe Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including...
Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp medtlv inventory Console(config-if)# lldp medtlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp medtlv location Default Setting Enabled Command Mode...
LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv med-cap Console(config-if)# lldp medtlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp medtlv network-policy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel)
Command Line Interface Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |AdminStatus NotificationEnabled --------- + ----------- -------------------...
LLDP Commands show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device. Syntax show lldp info local-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Command Line Interface show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit.
LLDP Commands show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Command Line Interface Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Class of Service Commands queue mode This command sets the queue mode to strict priority, Weighted Round-Robin (WRR), or a combination of both for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr | hybrid} no queue mode...
Command Line Interface switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax switchport priority default default-priority-id no switchport priority default default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7.
Class of Service Commands queue bandwidth This command assigns weighted round-robin (WRR) weights to the four class of service (CoS) priority queues. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight4 no queue bandwidth weight1...weight4 - The ratio of weights for queues 0-3 determines the weights used by the WRR scheduler.
Command Line Interface Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
Class of Service Commands show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map.
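To make the three queue modes and the queue bandwidth weights concrete, here is an added example that models a four-queue egress port in software. It is not Korenix firmware and the switch ASIC's arbitration is not specified on this page; the hybrid behaviour in particular is an assumption (queue 3 served strictly, queues 0-2 by WRR), and weight1..weight4 are taken to belong to queues 0..3 in that order as the queue bandwidth syntax states.

```python
"""Four-queue CoS egress scheduler: strict, WRR and hybrid modes.

Constructed illustration for this manual page, not Korenix firmware.
Hybrid mode is modelled as an assumption: queue 3 is strict, queues 0-2
share the remaining bandwidth by WRR.
"""
from collections import deque

NUM_QUEUES = 4  # queues 0-3, queue 3 is the highest priority


class CosScheduler:
    def __init__(self, mode="wrr", weights=(1, 2, 4, 8)):
        if mode not in ("strict", "wrr", "hybrid"):
            raise ValueError("mode must be strict, wrr or hybrid")
        if len(weights) != NUM_QUEUES or any(w < 1 for w in weights):
            raise ValueError("weight1..weight4 must be four positive integers")
        self.mode = mode
        self.weights = tuple(weights)          # weights[q] belongs to queue q
        self.queues = [deque() for _ in range(NUM_QUEUES)]
        top = NUM_QUEUES - 1
        # Queues taking part in the WRR round, highest first (all four in wrr,
        # queues 0-2 in hybrid; unused in strict mode).
        self._wrr_ids = list(range(top - 1 if mode == "hybrid" else top, -1, -1))
        self._pos = 0                          # index into _wrr_ids
        self._credit = self.weights[self._wrr_ids[0]]

    def enqueue(self, queue_id, frame):
        if not 0 <= queue_id < NUM_QUEUES:
            raise ValueError("queue id out of range")
        self.queues[queue_id].append(frame)

    def _strict_pick(self, queue_ids):
        # Highest non-empty queue always wins; lower queues can starve.
        for q in queue_ids:
            if self.queues[q]:
                return self.queues[q].popleft()
        return None

    def _wrr_pick(self, queue_ids):
        # Each queue may send up to its weight in frames per round, then the
        # pointer moves on; an empty queue forfeits its turn without blocking.
        for _ in range(len(queue_ids) + 1):
            q = queue_ids[self._pos]
            if self._credit > 0 and self.queues[q]:
                self._credit -= 1
                return self.queues[q].popleft()
            self._pos = (self._pos + 1) % len(queue_ids)
            self._credit = self.weights[queue_ids[self._pos]]
        return None

    def dequeue(self):
        if self.mode == "strict":
            return self._strict_pick(range(NUM_QUEUES - 1, -1, -1))
        if self.mode == "hybrid":
            frame = self._strict_pick([NUM_QUEUES - 1])
            if frame is not None:
                return frame
        return self._wrr_pick(self._wrr_ids)

    def drain(self):
        out = []
        while True:
            frame = self.dequeue()
            if frame is None:
                return out
            out.append(frame)


def service_order(mode, weights=(1, 2, 4, 8), frames_per_queue=3):
    """Load every queue with frames_per_queue frames and return the queue ids
    in the order the scheduler transmits them."""
    sched = CosScheduler(mode, weights)
    for q in range(NUM_QUEUES):
        for i in range(frames_per_queue):
            sched.enqueue(q, (q, i))
    return [frame[0] for frame in sched.drain()]


if __name__ == "__main__":
    for mode in ("strict", "wrr", "hybrid"):
        print(mode, service_order(mode, weights=(1, 1, 1, 1)))
```

With equal weights the difference between the modes is visible in the transmit order: strict empties queue 3 before anything else is sent, WRR rotates through all four queues, and hybrid empties queue 3 first and then rotates through queues 0-2. With weights 1, 2, 4, 8 the WRR round lets queue 3 send eight frames for every one from queue 0, which is why a strict or heavily weighted high queue is the one to protect against untrusted hosts tagging their own traffic as high priority.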
Command Line Interface Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 4-79 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip dscp Configures IP DSCP to CoS queue mapping 4-282 map ip port...
Class of Service Commands Command Mode Global Configuration Command Usage • The command map ip dscp enables the feature on the switch. The command map ip dscp dscp-value cos cos-queue maps DSCP values to port CoS queues. • The precedence for priority mapping is IP Port, IP Precedence/DSCP/TOS, and default switchport priority.
Command Line Interface Example The following example shows how to map HTTP traffic to CoS queue 0, then enable the feature globally on the switch. Console(config)#map ip port 80 cos 0 Console(config)#map ip port Console(config)# map ip precedence Use this command to enable and set IP precedence priority mapping. Use the no form to disable the feature or restore a default setting.
Class of Service Commands Example The following example shows how to map IP precedence value 1 to CoS value 0 and enable the feature on the switch. Console(config)#map ip precedence 1 cos 0 Console(config)#map ip precedence Console(config)# map ip tos Use this command to enable and set IP TOS priority mapping (i.e., IP Type of Service priority mapping).
Command Line Interface • IP Precedence, IP DSCP, and IP TOS Priority cannot all be enabled at the same time. Enabling one of these priority types automatically disables the others. Example The following example shows how to map IP TOS value 0 to CoS value 1 and enable the feature on the switch.
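The precedence rules stated across the map ip commands (IP port first, then whichever one of IP Precedence, DSCP or TOS is enabled, then the port's default switchport priority, with the three Layer 3 types mutually exclusive) are easy to get wrong when reading a running-config, so here is an added example that encodes them. It is illustrative code written for this page, not the switch's own classification logic; the mapping values it uses (port 80 to CoS 0, precedence 1 to CoS 0, TOS 0 to CoS 1) are the ones in the manual's examples, the packets are constructed, and treating an unmapped header value as falling through to the default priority is an assumption.

```python
"""Ingress CoS selection following the manual's stated precedence:
IP port, then one of IP Precedence / DSCP / TOS, then switchport priority default.

Constructed example for this page, not Korenix code.
"""
from dataclasses import dataclass, field
from typing import Optional

L3_MODES = ("precedence", "dscp", "tos")


@dataclass
class CosConfig:
    """Global CoS mapping state as the manual describes it."""
    ip_port_enabled: bool = False
    ip_port_map: dict = field(default_factory=dict)  # TCP port -> CoS queue
    l3_mode: Optional[str] = None                     # at most one of L3_MODES
    l3_map: dict = field(default_factory=dict)        # header value -> CoS
    default_priority: int = 0                         # switchport priority default

    def enable_l3(self, mode, mapping):
        """Enable precedence, DSCP or TOS mapping; enabling one disables the other two."""
        if mode not in L3_MODES:
            raise ValueError("mode must be one of %s" % (L3_MODES,))
        self.l3_mode = mode
        self.l3_map = dict(mapping)


@dataclass
class Packet:
    tcp_port: Optional[int] = None
    precedence: int = 0  # IPv4 TOS byte bits 0-2
    dscp: int = 0        # IPv4 TOS byte bits 0-5
    tos: int = 0         # IPv4 TOS byte bits 3-6 (delay/throughput/reliability/cost)

    @classmethod
    def from_tos_byte(cls, tos_byte, tcp_port=None):
        """Split one IPv4 TOS byte into the three views the map ip commands use."""
        if not 0 <= tos_byte <= 0xFF:
            raise ValueError("TOS byte out of range")
        return cls(tcp_port=tcp_port,
                   precedence=tos_byte >> 5,
                   dscp=tos_byte >> 2,
                   tos=(tos_byte >> 1) & 0x0F)


def select_cos(cfg, pkt):
    """Return (cos, reason) for an incoming packet.

    Assumption: a header value with no entry in the enabled Layer 3 map
    falls through to the port's default priority."""
    if cfg.ip_port_enabled and pkt.tcp_port in cfg.ip_port_map:
        return cfg.ip_port_map[pkt.tcp_port], "ip port"
    if cfg.l3_mode is not None:
        value = getattr(pkt, cfg.l3_mode)
        if value in cfg.l3_map:
            return cfg.l3_map[value], "ip " + cfg.l3_mode
    return cfg.default_priority, "switchport priority default"


def demo():
    cfg = CosConfig(ip_port_enabled=True, ip_port_map={80: 0}, default_priority=3)
    cfg.enable_l3("precedence", {1: 0})
    out = [
        select_cos(cfg, Packet.from_tos_byte(0xA0, tcp_port=80)),  # precedence 5, but the port map wins
        select_cos(cfg, Packet.from_tos_byte(0x20, tcp_port=22)),  # precedence 1 -> CoS 0
        select_cos(cfg, Packet.from_tos_byte(0xA0, tcp_port=22)),  # nothing mapped -> default
    ]
    cfg.enable_l3("tos", {0: 1})  # switching to TOS mapping turns precedence mapping off
    out.append(select_cos(cfg, Packet.from_tos_byte(0x20, tcp_port=22)))  # tos 0 -> CoS 1
    return out


if __name__ == "__main__":
    for cos, reason in demo():
        print(f"CoS {cos} ({reason})")
```

The last step is the point of the mutual-exclusion bullet: after map ip tos is enabled, a packet carrying precedence 1 is no longer classified by the precedence table at all, so a host marking its own TOS byte only influences the queue it lands in through whichever single Layer 3 table is active.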
Class of Service Commands Command Mode Interface Configuration (Ethernet) Command Usage You must configure an ACL before you can map a CoS queue to the rule. Example Console(config)#interface ethernet 1/2 Console(config-if)#map access-list mac steve cos 0 Console(config-if)# show map ip dscp This command shows the IP DSCP priority map.
Command Line Interface Example The following shows that FTP traffic has been mapped to CoS value 2: Console#show map ip port TCP Port Mapping Status: Disabled Port no. COS -------- --- Console# Related Commands map ip port (4-283) show map ip precedence Use this command to show the IP precedence priority map.
Class of Service Commands Example Console#show map ip tos tos Mapping Status: Disabled TOS COS --- --- Console# Related Commands map ip tos (4-285) show map access-list This command shows the CoS queue mapped to an ACL for the current interface. Syntax show map access-list {ip | mac} [interface] •...
Command Line Interface Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Quality of Service Commands Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. You should create a Class Map (page 4-291) before creating a Policy Map (page 4-292). Otherwise, you will not be able to specify a Class Map with the class command (page 4-293) after entering Policy-Map Configuration mode.
Command Line Interface match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match access-list acl-name acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
Quality of Service Commands Command Usage • Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches criteria defined in a class map. • A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command (page 4-296).
Command Line Interface Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
Quality of Service Commands police This command defines a policer for classified traffic. Use the no form to remove a policer. Syntax [no] police rate-kbps burst-byte [exceed-action drop] • rate-kbps - Rate in kilobits per second. (Range: 1-100000 kbps or maximum port speed, whichever is lower) •...
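The police command's two parameters are easiest to understand as a token bucket: rate-kbps is the refill rate and burst-byte the bucket depth. The following is an added example modelling that, written for this page rather than taken from Korenix; the manual does not specify the switch's metering algorithm, so a plain single-rate token bucket is an assumption. The parameters are the rd_policy values from the example above (100,000 kbps, 1522-byte burst, drop on exceed) and the packet trace is constructed.

```python
"""Single-rate token-bucket model of `police rate-kbps burst-byte exceed-action drop`.

Constructed example for this manual page, not Korenix code; the switch's
hardware metering algorithm is not specified here, so a plain token bucket
is assumed.
"""


class Policer:
    def __init__(self, rate_kbps, burst_bytes, exceed_action="drop"):
        if not 1 <= rate_kbps <= 100000:
            raise ValueError("rate-kbps range is 1-100000")
        if burst_bytes < 1:
            raise ValueError("burst-byte must be positive")
        if exceed_action != "drop":
            raise ValueError("the manual defines only exceed-action drop")
        self.rate_bytes_per_s = rate_kbps * 1000 / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_t = 0.0
        self.conformed = 0
        self.dropped = 0

    def offer(self, t, length):
        """Offer a packet of `length` bytes at time t (seconds).
        Returns True if it conforms (forwarded), False if it is dropped."""
        if t < self.last_t:
            raise ValueError("timestamps must be non-decreasing")
        # Refill at the average rate, capped at the configured burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            self.conformed += 1
            return True
        self.dropped += 1
        return False


def police_trace(rate_kbps, burst_bytes, packets):
    """Run a (time, length) trace through a policer; return one verdict per packet."""
    p = Policer(rate_kbps, burst_bytes)
    return [p.offer(t, n) for t, n in packets]


# Constructed trace: a full-size frame, a runt right behind it, then traffic
# arriving faster than 100 Mbit/s can be refilled into a 1522-byte bucket.
SAMPLE_TRACE = [(0.0, 1522), (0.0, 64), (0.0001, 1000), (0.0001, 300), (0.001, 1522)]

if __name__ == "__main__":
    for (t, n), ok in zip(SAMPLE_TRACE, police_trace(100000, 1522, SAMPLE_TRACE)):
        print(f"t={t:.4f}s {n:5d} bytes -> {'forward' if ok else 'drop'}")
```

A burst of exactly one maximum-size frame, as in rd_policy, means two back-to-back full frames are never both conforming no matter how idle the link was beforehand; raise burst-byte if legitimate bursts are being clipped, rather than raising the rate.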
Command Line Interface service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name •...
Quality of Service Commands Example Console#show class-map Class Map match-any rd_class#1 Match ip dscp 3 Class Map match-any rd_class#2 Match ip precedence 5 Class Map match-any rd_class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
Command Line Interface Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
Multicast Filtering Commands Table 4-85 IGMP Snooping Commands (Continued) Command Function Mode Page show ip igmp snooping Shows the IGMP snooping and query configuration 4-302 show mac-address-table Shows the IGMP snooping MAC multicast list 4-302 multicast ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting...
Command Line Interface Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
Multicast Filtering Commands Default Setting Disabled Command Mode Global Configuration Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. •...
Command Line Interface Example The following shows how to enable immediate leave. Console(config)#interface vlan 1 Console(config-if)#ip igmp snooping immediate-leave Console(config-if)# show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters”...
Multicast Filtering Commands Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr.
Command Line Interface Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-300). • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example Console(config)#ip igmp snooping querier Console(config)#...
Multicast Filtering Commands ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
Command Line Interface Example The following shows how to configure the maximum response time to 20 seconds: Console(config)#ip igmp snooping query-max-response-time 20 Console(config)# Related Commands ip igmp snooping version (4-300) ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time...
Multicast Filtering Commands Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch. Table 4-87 Static Multicast Routing Commands Command Function Mode Page ip igmp snooping vlan mrouter Adds a multicast router port 4-307 show ip igmp snooping mrouter Shows multicast router ports 4-308...
Command Line Interface show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
Multicast Filtering Commands Table 4-88 IGMP Filtering and Throttling Commands (Continued) Command Function Mode Page show ip igmp filter Displays the IGMP filtering status 4-313 show ip igmp profile Displays IGMP profiles and settings 4-314 show ip igmp throttle interface Displays the IGMP throttling setting for interfaces 4-314 ip igmp filter (Global Configuration)
Command Line Interface Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode;...
Multicast Filtering Commands Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)# ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch.
Command Line Interface ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
Multicast Filtering Commands Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
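The profile and throttling rules described in this section (a permit or deny profile of address ranges applied per interface, plus ip igmp max-groups with a deny or replace action) combine as follows. This is an added example for this page, not Korenix firmware: profile 19 with ranges 239.1.1.1 and 239.2.3.1-239.2.3.100 is the manual's own example, while the join sequence, the per-port limit of 2 and the random seed used for replace are constructed.

```python
"""IGMP filtering profile and per-port throttling, as the manual describes them.

Constructed example for this page, not Korenix firmware. The profile numbers
and ranges come from the manual's example; the joins are made up.
"""
import ipaddress
import random


class IgmpProfile:
    """ip igmp profile <n> with a single access mode and one or more ranges."""

    def __init__(self, number, access="permit"):
        if access not in ("permit", "deny"):
            raise ValueError("profile access mode is permit or deny")
        self.number = number
        self.access = access
        self.ranges = []  # list of (first, last) as integers

    def add_range(self, start, end=None):
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end)) if end else first
        if last < first:
            raise ValueError("range end precedes start")
        self.ranges.append((first, last))

    def allows(self, group):
        matched = any(first <= int(ipaddress.IPv4Address(group)) <= last
                      for first, last in self.ranges)
        return matched if self.access == "permit" else not matched


class IgmpPort:
    """One interface with an optional profile and an optional max-groups limit."""

    def __init__(self, max_groups=None, action="deny", profile=None, rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("throttle action is deny or replace")
        self.max_groups = max_groups
        self.action = action
        self.profile = profile
        self.groups = []  # joined groups in join order
        self.rng = rng or random.Random()

    def join(self, group):
        """Process a join report for `group`.
        Returns 'joined', 'filtered', 'denied' or 'replaced:<evicted group>'."""
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError("not a multicast group address")
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                      # profile check comes first
        if group in self.groups:
            return "joined"                        # refresh of an existing membership
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "denied"                    # report dropped, table unchanged
            victim = self.rng.choice(self.groups)  # replace: evict a random member
            self.groups.remove(victim)
            self.groups.append(group)
            return "replaced:" + victim
        self.groups.append(group)
        return "joined"


def throttle_demo(action, seed=7):
    profile = IgmpProfile(19, "permit")
    profile.add_range("239.1.1.1")
    profile.add_range("239.2.3.1", "239.2.3.100")
    port = IgmpPort(max_groups=2, action=action, profile=profile, rng=random.Random(seed))
    joins = ("239.1.1.1", "239.9.9.9", "239.2.3.50", "239.2.3.100")
    return [port.join(g) for g in joins], list(port.groups)


if __name__ == "__main__":
    for action in ("deny", "replace"):
        print(action, throttle_demo(action))
```

Note what replace means for a subscriber: an existing, legitimate membership on the port is torn down to make room for the newest report, so on an access port shared by several hosts a single host issuing joins for many groups can churn the others' streams. Deny is the safer default where the group count is a protection limit rather than a capacity figure.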
Command Line Interface show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode Privileged Exec Example Console#show ip igmp profile IGMP Profile 19...
Multicast Filtering Commands Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console# Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR).
Command Line Interface Default Setting • MVR is disabled. • No MVR group address is defined. • The default number of contiguous addresses is 0. • MVR VLAN ID is 1. Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
Multicast Filtering Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
Command Line Interface • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Multicast Filtering Commands Default Setting Displays global configuration settings for MVR when no keywords are used. Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN.
Command Line Interface Table 4-91 show mvr interface - display description (Continued) Field Description Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE”...
IP Interface Commands IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server.
Command Line Interface • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
IP Interface Commands ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. •...
Command Line Interface show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-322) ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] •...
IP Interface Commands Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%) Approximate round trip times:...
Appendix A: Software Specifications Software Features Management Authentication Local, RADIUS, TACACS, Port Authentication (802.1X), MAC Authentication, Web Authentication, HTTPS, SSH Client Access Control Access Control Lists (IP, MAC - 100 rules), Port Authentication (802.1X), Port Security, DHCP Snooping (with Option 82 relay information), IP Source Guard DHCP Client BOOTP Client Port Configuration...
Software Specifications Class of Service Supports 4 levels of priority Strict, Weighted Round Robin, or Hybrid queuing CoS configured by port or VLAN tag Layer 3/4 priority mapping: IP DSCP, IP Precedence, IP TOS, IP Port Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies...
Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom: Cannot connect using Telnet, web browser, or SNMP software. Action: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
Glossary packets sent back from the DHCP server. This information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients. Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
Glossary IEEE 802.1s An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups. IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. IEEE 802.3ac Defines frame extensions for VLAN tagging.
Glossary Layer 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses. Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
Glossary the size of each region, and prevents VLAN members from being segmented from the rest of the group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Glossary Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types. Rapid Spanning Tree Protocol (RSTP) RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.
Glossary Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads. Universal Time Coordinate (UTC) UTC is a time scale that couples Greenwich Mean Time (based solely on the Earth’s rotation rate) with highly accurate atomic time. The UTC does not have daylight saving time.