Edge-Core ECS4810-12M Layer 2 Management Manual
ECS4810-12M Layer 2
Gigabit Ethernet Switch
Management Guide
www.edge-core.com


Summary of Contents for Edge-Core ECS4810-12M Layer 2

  • Page 1 ECS4810-12M Layer 2 Gigabit Ethernet Switch Management Guide www.edge-core.com...
  • Page 3 Management Guide ECS4810-12M Gigabit Ethernet Switch Layer 2 Switch with 12 Gigabit Combination Ports (RJ-45/SFP) ECS4810-12M E072011/ST-R01 149100000142A...
  • Page 5: About This Guide

    About This Guide. Purpose: This guide gives specific information on how to operate and use the management functions of the switch. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 6 About This Guide – 6 –...
  • Page 7: Table Of Contents

    Contents About This Guide Contents Figures Tables Section I Getting Started Introduction Key Features Description of Software Features System Defaults Initial Switch Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Downloading a Configuration File Referenced by a DHCP Server Enabling SNMP Management Access Managing System Files...
  • Page 8 Contents Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu Basic Management Tasks Displaying System Information Displaying Hardware/Software Versions Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting The Start-Up File Showing System Files...
  • Page 9 Contents Performing Cable Diagnostics Trunk Configuration Configuring a Static Trunk Configuring a Dynamic Trunk Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Configuring Load Balancing Saving Power Traffic Segmentation Enabling Traffic Segmentation Configuring Uplink and Downlink Ports...
  • Page 10 Contents Configuring Loopback Detection Configuring Global Settings for STA Displaying Global Settings for STA Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP Rate Limit Configuration 10 Storm Control Configuration 11 Class of Service...
  • Page 11 Contents Configuring Global Settings for Web Authentication Configuring Interface Settings for Web Authentication Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports Configuring Port Link Detection Configuring a MAC Address Filter Displaying Secure MAC Address Information Configuring HTTPS Configuring Global Settings for HTTPS Replacing the Default Secure-site Certificate...
  • Page 12 Contents Configuring Port Authenticator Settings for 802.1X Configuring Port Supplicant Settings for 802.1X Displaying 802.1X Statistics IP Source Guard Configuring Ports for IP Source Guard Configuring Static Bindings for IP Source Guard Displaying Information for Dynamic IP Source Guard Bindings DHCP Snooping DHCP Snooping Configuration DHCP Snooping VLAN Configuration...
  • Page 13 Contents Configuring RMON History Samples Configuring RMON Statistical Samples Switch Clustering Configuring General Settings for Clusters Cluster Member Configuration Managing Cluster Members Ethernet Ring Protection Switching ERPS Configuration ERPS Ring Configuration Connectivity Fault Management Configuring Global Settings for CFM Configuring Interfaces for CFM Configuring CFM Maintenance Domains Configuring CFM Maintenance Associations Configuring Maintenance End Points...
  • Page 14 Contents Address Resolution Protocol Setting the ARP Timeout Displaying ARP Entries Setting the Switch’s IP Address (IP Version 4) Configuring the IPv4 Default Gateway Configuring IPv4 Interface Settings Setting the Switch’s IP Address (IP Version 6) Configuring the IPv6 Default Gateway Configuring IPv6 Interface Settings Configuring an IPv6 Address Showing IPv6 Addresses...
  • Page 15 Contents Configuring MVR Interface Status Assigning Static Multicast Groups to Interfaces Displaying MVR Receiver Groups Displaying MVR Statistics Section Command Line Interface 19 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup...
  • Page 16 Contents exit 21 System Management Commands Device Designation hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note show banner System Status...
  • Page 17 Contents upgrade opcode auto upgrade opcode path Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail...
  • Page 18 Contents show sntp clock timezone calendar set show calendar Time Range time-range absolute periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 22 SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp...
  • Page 19 Contents show nlm oper-status show snmp notify-filter 23 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 24 Flow Sampling Commands sflow destination sflow max-datagram-size sflow max-header-size sflow owner...
  • Page 20 Contents TACACS+ Client tacacs-server host tacacs-server key tacacs-server port tacacs-server retransmit tacacs-server timeout show tacacs-server aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting Web Server ip http port ip http server ip http secure-port...
  • Page 21 Contents ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication dot1x default dot1x eapol-pass-through dot1x system-auth-control dot1x intrusion-action dot1x max-reauth-req dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate dot1x identity profile...
  • Page 22 Contents mac-authentication reauth-time network-access dynamic-qos network-access dynamic-vlan network-access guest-vlan network-access link-detection network-access link-detection link-down network-access link-detection link-up network-access link-detection link-up-down network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count clear network-access show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period...
  • Page 23 Contents ip dhcp snooping database flash show ip dhcp snooping show ip dhcp snooping binding IP Source Guard ip source-guard binding ip source-guard ip source-guard max-binding show ip source-guard show ip source-guard binding ARP Inspection ip arp inspection ip arp inspection filter ip arp inspection log-buffer logs ip arp inspection validate ip arp inspection vlan...
  • Page 24 Contents show ipv6 access-group MAC ACLs access-list mac permit, deny (MAC ACL) mac access-group show mac access-group show mac access-list ARP ACLs access-list arp permit, deny (ARP ACL) show arp access-list ACL Information show access-group show access-list 28 Interface Commands interface alias...
  • Page 25 Contents show interfaces switchport show interfaces transceiver test cable-diagnostics show cable-diagnostics power-save show power-save 29 Link Aggregation Commands port channel load-balance channel-group lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel) show lacp show port-channel load-balance 30 Port Mirroring Commands...
  • Page 26 Contents auto-traffic-control control-release snmp-server enable port-traps atc broadcast-alarm-clear snmp-server enable port-traps atc broadcast-alarm-fire snmp-server enable port-traps atc broadcast-control-apply snmp-server enable port-traps atc broadcast-control-release snmp-server enable port-traps atc multicast-alarm-clear snmp-server enable port-traps atc multicast-alarm-fire snmp-server enable port-traps atc multicast-control-apply snmp-server enable port-traps atc multicast-control-release show auto-traffic-control show auto-traffic-control interface 33 A...
  • Page 27 Contents spanning-tree bpdu-guard spanning-tree cost spanning-tree edge-port spanning-tree link-type spanning-tree loopback-detection spanning-tree loopback-detection action spanning-tree loopback-detection release-mode spanning-tree loopback-detection trap spanning-tree mst cost spanning-tree mst port-priority spanning-tree port-bpdu-flooding spanning-tree port-priority spanning-tree root-guard spanning-tree spanning-disabled spanning-tree loopback-detection release spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration 35 ERPS Commands...
  • Page 28 Contents garp timer switchport forbidden vlan switchport gvrp show bridge-ext show garp timer show gvrp configuration Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport acceptable-frame-types switchport allowed vlan switchport ingress-filtering switchport mode switchport native vlan vlan-trunking Displaying VLAN Information show vlan Configuring IEEE 802.1Q Tunneling...
  • Page 29 Contents show interfaces protocol-vlan protocol-group Configuring IP Subnet VLANs subnet-vlan show interfaces subnet-vlan show subnet-vlan Configuring MAC Based VLANs mac-vlan show mac-vlan Configuring Voice VLANs voice vlan voice vlan aging voice vlan mac-address switchport voice vlan switchport voice vlan priority switchport voice vlan rule switchport voice vlan security show voice vlan...
  • Page 30 Contents match rename policy-map class police flow police srtcm-color police trtcm-color set cos 1000 set ip dscp 1001 set phb 1002 service-policy 1003 show class-map 1003 show policy-map 1004 show policy-map interface 1005 39 Multicast Filtering Commands 1007 IGMP Snooping 1007 ip igmp snooping 1009...
  • Page 31 Contents ip igmp snooping vlan static 1023 show ip igmp snooping 1024 show ip igmp snooping group 1025 show ip igmp snooping statistics 1026 Static Multicast Routing 1028 ip igmp snooping vlan mrouter 1028 show ip igmp snooping mrouter 1029 IGMP Filtering and Throttling 1030 ip igmp filter (Global Configuration)
  • Page 32 Contents mvr6 associated-profile 1053 mvr6 domain 1054 mvr6 profile 1054 mvr6 proxy-switching 1055 mvr6 robustness-value 1056 mvr6 upstream-source-ip 1057 mvr6 vlan 1058 mvr6 immediate-leave 1058 mvr6 type 1059 mvr6 vlan group 1060 show mvr6 1061 show mvr6 associated-profile 1062 show mvr6 interface 1062 show mvr6 members 1063...
  • Page 33 Contents lldp dot3-tlv max-frame 1081 lldp med-location civic-addr 1082 lldp med-notification 1083 lldp med-tlv inventory 1084 lldp med-tlv location 1085 lldp med-tlv med-cap 1085 lldp med-tlv network-policy 1086 lldp notification 1086 show lldp config 1087 show lldp info local-device 1088 show lldp info remote-device 1089 show lldp info statistics...
  • Page 34 Contents show ethernet cfm errors 1118 ethernet cfm mep crosscheck start-delay 1119 snmp-server enable traps ethernet cfm crosscheck 1119 mep crosscheck mpid 1120 ethernet cfm mep crosscheck 1121 show ethernet cfm maintenance-points remote crosscheck 1122 ethernet cfm linktrace cache 1122 ethernet cfm linktrace cache hold-time 1123 ethernet cfm linktrace cache size...
  • Page 35 Contents ip domain-name 1147 ip host 1148 ip name-server 1149 ipv6 host 1150 clear dns cache 1150 clear host 1151 show dns 1151 show dns cache 1152 show hosts 1152 44 DHCP Commands 1155 DHCP Client 1155 ip dhcp client class-id 1156 ip dhcp restart client 1157...
  • Page 36 Contents ipv6 enable 1177 ipv6 mtu 1178 show ipv6 default-gateway 1179 show ipv6 interface 1180 show ipv6 mtu 1182 show ipv6 traffic 1182 clear ipv6 traffic 1187 ping6 1187 ipv6 nd dad attempts 1188 ipv6 nd ns-interval 1190 ipv6 nd reachable-time 1191 clear ipv6 neighbors 1192...
  • Page 37: Figures

    Figures Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 38 Figures Figure 32: Configuring Remote Port Mirroring (Intermediate) Figure 33: Configuring Remote Port Mirroring (Destination) Figure 34: Showing Port Statistics (Table) Figure 35: Showing Port Statistics (Chart) Figure 36: Showing Statistical History Status Figure 37: Showing Statistical History for an Interface Figure 38: Displaying Transceiver Data Figure 39: Performing Cable Tests Figure 40: Configuring Static Trunks...
  • Page 39 Figures Figure 68: Configuring Static VLAN Members by Interface Figure 69: Configuring Static VLAN Members by Interface Range Figure 70: Configuring Global Status of GVRP Figure 71: Configuring GVRP for an Interface Figure 72: Showing Dynamic VLANs Registered on the Switch Figure 73: Showing the Members of a Dynamic VLAN Figure 74: Showing VLAN Statistics Figure 75: QinQ Operational Concept...
  • Page 40 Figures Figure 104: STA Port Roles Figure 105: Displaying Interface Settings for STA Figure 106: Creating an MST Instance Figure 107: Displaying MST Instances Figure 108: Modifying the Priority for an MST Instance Figure 109: Displaying Global Settings for an MST Instance Figure 110: Adding a VLAN to an MST Instance Figure 111: Displaying Members of an MST Instance Figure 112: Configuring MSTP Interface Settings...
  • Page 41 Figures Figure 140: Configuring the Authentication Sequence Figure 141: Authentication Server Operation Figure 142: Configuring Remote Authentication Server (RADIUS) Figure 143: Configuring Remote Authentication Server (TACACS+) Figure 144: Configuring AAA Server Groups Figure 145: Showing AAA Server Groups Figure 146: Configuring Global Settings for AAA Accounting Figure 147: Configuring AAA Accounting Methods Figure 148: Showing AAA Accounting Methods Figure 149: Configuring AAA Accounting Service for 802.1X Service...
  • Page 42 Figures Figure 176: Add a Rule to a Time Range Figure 177: Showing the Rules Configured for a Time Range Figure 178: Showing TCAM Utilization Figure 179: Creating an ACL Figure 180: Showing a List of ACLs Figure 181: Configuring a Standard IPv4 ACL Figure 182: Configuring an Extended IPv4 ACL Figure 183: Configuring a Standard IPv6 ACL Figure 184: Configuring an Extended IPv6 ACL...
  • Page 43 Figures Figure 212: Configuring Settings for Remote Logging of Error Messages Figure 213: Configuring SMTP Alert Messages Figure 214: Configuring LLDP Timing Attributes Figure 215: Configuring LLDP Interface Attributes Figure 216: Displaying Local Device Information for LLDP (General) Figure 217: Displaying Local Device Information for LLDP (Port) Figure 218: Displaying Remote Device Information for LLDP (Port) Figure 219: Displaying Remote Device Information for LLDP (Port Details) Figure 220: Displaying LLDP Device Statistics (General)
  • Page 44 Figures Figure 248: Showing Collected RMON History Samples Figure 249: Configuring an RMON Statistical Sample Figure 250: Showing Configured RMON Statistical Samples Figure 251: Showing Collected RMON Statistical Samples Figure 252: Configuring a Switch Cluster Figure 253: Configuring a Cluster Members Figure 254: Showing Cluster Members Figure 255: Showing Cluster Candidates Figure 256: Managing a Cluster Member...
  • Page 45 Figures Figure 284: Showing Detailed Information on Remote MEPs Figure 285: Showing the Link Trace Cache Figure 286: Showing Settings for the Fault Notification Generator Figure 287: Showing Continuity Check Errors Figure 288: Enabling OAM for Local Ports Figure 289: Displaying Statistics for OAM Messages Figure 290: Displaying the OAM Event Log Figure 291: Displaying Status of Remote Interfaces Figure 292: Running a Remote Loop Back Test...
  • Page 46 Figures Figure 320: Configuring a Static Interface for a Multicast Router Figure 321: Showing Static Interfaces Attached a Multicast Router Figure 322: Showing Current Interfaces Attached a Multicast Router Figure 323: Assigning an Interface to a Multicast Service Figure 324: Showing Static Interfaces Assigned to a Multicast Service Figure 325: Showing Current Interfaces Assigned to a Multicast Service Figure 326: Configuring IGMP Snooping on a VLAN Figure 327: Showing Interface Settings for IGMP Snooping...
  • Page 47: Tables

    Tables Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Internal Configuration Information Table 11: Traffic Segmentation Forwarding...
  • Page 48 Tables Table 32: MEP Defect Descriptions Table 33: OAM Operation State Table 34: OAM Operation State Table 35: Address Resolution Protocol Table 36: Show IPv6 Neighbors - display description Table 37: Show IPv6 Statistics - display description Table 38: Show MTU - display description Table 39: General Command Modes Table 40: Configuration Command Modes Table 41: Keystroke Commands...
  • Page 49 Tables Table 68: User Access Commands Table 69: Default Login Settings Table 70: Authentication Sequence Commands Table 71: RADIUS Client Commands Table 72: TACACS+ Client Commands Table 73: AAA Commands Table 74: Web Server Commands Table 75: HTTPS System Support Table 76: Telnet Server Commands Table 77: Secure Shell Commands Table 78: show ssh - display description...
  • Page 50 Tables Table 104: Mirror Port Commands Table 105: RSPAN Commands Table 106: Rate Limit Commands Table 107: ATC Commands Table 108: Address Table Commands Table 109: Spanning Tree Commands Table 110: Recommended STA Path Cost Range Table 111: Default STA Path Costs Table 112: ERPS Commands Table 113: show erps - summary display description Table 114: show erps domain - detailed display description...
  • Page 51 Tables Table 140: IGMP Filtering and Throttling Commands 1030 Table 141: Multicast VLAN Registration Commands 1037 Table 142: show mvr - display description 1047 Table 143: show mvr interface - display description 1049 Table 144: show mvr members - display description 1050 Table 145: show mvr statistics input - display description 1052...
  • Page 52 Tables Table 176: show ipv6 mtu - display description 1182 Table 177: show ipv6 traffic - display description 1184 Table 178: show ipv6 neighbors - display description 1192 Table 179: Troubleshooting Chart 1203 – 52 –...
  • Page 53: Section I

    Section I: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 55...
  • Page 54 Section I | Getting Started – 54 –...
  • Page 55: Key Features

    Introduction: This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 56: Description Of Software Features

    Chapter | Introduction | Description of Software Features.
    Table 1: Key Features (Continued)
    Feature | Description
    Store-and-Forward Switching | Supported to ensure wire-speed switching while eliminating bad frames
    Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
    Virtual LANs | Up to 4093 using IEEE 802.1Q, port-based, protocol-based, voice VLANs, and QinQ tunnel...
  • Page 57 Chapter | Introduction | Description of Software Features. 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).
  • Page 58 Chapter | Introduction | Description of Software Features. broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold. Static Addresses: A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be...
  • Page 59 Chapter | Introduction | Description of Software Features. automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. ◆ Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs.
  • Page 60 Chapter | Introduction | Description of Software Features. Traffic Prioritization: This switch prioritizes each packet based on the required level of service, using eight priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application.
  • Page 61: System Defaults

    Chapter | Introduction | System Defaults. Ethernet Ring Protection Switching: ERPS can also be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN). ERPS technology converges in a little over 50 ms. ERPS supports up to 255 nodes in the ring structure.
  • Page 62 Chapter | Introduction | System Defaults.
    Table 2: System Defaults (Continued)
    Function | Parameter | Default
    SNMP | SNMP Agent | Enabled
    SNMP | Community Strings | “public” (read only); “private” (read/write)
    SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
    SNMP | SNMP V3 | View: defaultview; Group: public (read only); private (read/write)
    Port Configuration | Admin Status | Enabled...
  • Page 63 Chapter | Introduction | System Defaults.
    Table 2: System Defaults (Continued)
    Function | Parameter | Default
    IP Settings | Management VLAN | VLAN 1
    IP Settings | IP Address | DHCP assigned
    IP Settings | Subnet Mask | 255.255.255.0
    IP Settings | Default Gateway | 0.0.0.0
    IP Settings | DHCP | Client: Enabled; Proxy service: Disabled
    IP Settings | BOOTP | Disabled
    Multicast Filtering | IGMP Snooping (Layer 2) | Snooping: Enabled; Querier: Disabled
    Multicast Filtering | Multicast VLAN Registration...
  • Page 64 Chapter | Introduction | System Defaults – 64 –...
  • Page 65: Initial Switch Configuration

    Initial Switch Configuration: This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 66: Required Connections

    Chapter | Initial Switch Configuration | Connecting to the Switch.
    ◆ Control port access through IEEE 802.1X security or static address filtering
    ◆ Filter packets using Access Control Lists (ACLs)
    ◆ Configure up to 4093 IEEE 802.1Q VLANs
    ◆ Enable GVRP automatic VLAN registration...
  • Page 67: Remote Connections

    Chapter | Initial Switch Configuration | Connecting to the Switch.
    ■ Set flow control to none.
    ■ Set the emulation mode to VT100.
    ■ When using HyperTerminal, select Terminal keys, not Windows keys.
    Once you have set up the terminal correctly, the console login screen will be displayed.
  • Page 68: Basic Configuration

    Chapter | Initial Switch Configuration | Basic Configuration. Console Connection: The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
  • Page 69: Setting an IP Address

    Chapter | Initial Switch Configuration | Basic Configuration.
      Username: admin
      Password:
      CLI session with the ECS4810-12M is opened.
      To end the CLI session, enter [Exit].
      Console#configure
      Console(config)#username guest password 0 [password]
      Console(config)#username admin password 0 [password]
      Console(config)#
    Setting an IP Address: You must establish IP address information for the switch to obtain management access through the network.
  • Page 70 Chapter | Initial Switch Configuration | Basic Configuration. To assign an IPv4 address to the switch, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. 2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask”...
  • Page 71 Chapter | Initial Switch Configuration | Basic Configuration.
      Console(config)#interface vlan 1
      Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
      Console(config-if)#ipv6 enable
      Console(config-if)#end
      Console#show ipv6 interface
      VLAN 1 is up
      IPv6 is enabled.
      Link-local address:
        FE80::260:3EFF:FE11:6700/64
      Global unicast address(es):
        (None)
      Joined group address(es):
        FF02::1:FF11:6700
        FF02::1
      IPv6 link MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 3.
  • Page 72 Chapter | Initial Switch Configuration | Basic Configuration. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press <Enter>.
      Console(config)#interface vlan 1
      Console(config-if)#ipv6 address 2001:DB8:2222:7272::/64
      Console(config-if)#exit...
  • Page 73 Chapter | Initial Switch Configuration | Basic Configuration. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. 2. At the interface-configuration mode prompt, use one of the following commands: To obtain IP settings via DHCP, type “ip address dhcp”...
  • Page 74 Chapter | Initial Switch Configuration | Basic Configuration.
      Console(config)#interface vlan 1
      Console(config-if)#ipv6 enable
      Console(config-if)#end
      Console#show ipv6 interface
      VLAN 1 is up
      IPv6 is enabled.
      Link-local address:
        FE80::260:3EFF:FE11:6700/64
      Global unicast address(es):
        2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64
      Joined group address(es):
        FF02::1:FF00:0
        FF02::1:FF11:6700
        FF02::1
      IPv6 link MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 3.
  • Page 75: Downloading a Configuration File Referenced by a DHCP Server

    Chapter | Initial Switch Configuration | Basic Configuration.
      IPv6 link MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 3.
      ND retransmit interval is 1000 milliseconds
      ND advertised retransmit interval is 0 milliseconds
      ND reachable time is 30000 milliseconds
      ND advertised reachable time is 0 milliseconds
      Console#
    Information passed on to the switch from a DHCP server may also include a...
  • Page 76: Table 3: Options 60, 66 And 67 Statements

    Chapter | Initial Switch Configuration | Basic Configuration. To successfully transmit a bootup configuration file to the switch the DHCP daemon (using a Linux based system for this example) must be configured with the following information: ◆ Options 60, 66 and 67 statements can be added to the daemon’s...
  • Page 77: Enabling SNMP Management Access

    Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
  • Page 78 Chapter | Initial Switch Configuration | Basic Configuration. Community Strings (for SNMP version 1 and 2c clients): Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
  • Page 79: Managing System Files

    Chapter | Initial Switch Configuration | Managing System Files. authentication and privacy is used for v3 clients. Then press <Enter>. For a more detailed description of these parameters, see "snmp-server host" on page 662. The following example creates a trap host for each type of SNMP client.
  • Page 80: Saving Or Restoring Configuration Settings

    Chapter | Initial Switch Configuration | Managing System Files. “startup1.cfg” that contains system settings for switch initialization, including information about the unit identifier, and MAC address for the switch. The configuration settings from the factory defaults configuration file are copied to this file, which is then used to boot the switch.
  • Page 81 Chapter | Initial Switch Configuration | Managing System Files. To save the current configuration settings, enter the following command: 1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. 2. Enter the name of the start-up file. Press <Enter>.
      Console#copy running-config startup-config
      Startup configuration file name []: startup
      \Write to FLASH Programming.
  • Page 82 Chapter | Initial Switch Configuration | Managing System Files – 82 –...
  • Page 83: Section

    Section | Web Configuration. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 85 ◆ "Basic Management Tasks" on page 103...
  • Page 84 Section | Web Configuration – 84 –...
  • Page 85: Using The Web Interface

    Using the Web Interface: This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 86: Navigating The Web Browser Interface

    System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page You can open a connection to the manufacturer’s web site by clicking on the Edge-Core logo.
  • Page 87: Configuration Options

    Chapter | Using the Web Interface | Navigating the Web Browser Interface: Configuration Options – Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 88: Main Menu

    Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu Menu Description...
  • Page 89 Table 6: Switch Main Menu (Continued) Menu Description Page Mirror Sets the source and target ports for mirroring Show Shows the configured mirror sessions Statistics Shows Interface, Etherlike, and RMON port statistics Chart Shows Interface, Etherlike, and RMON port statistics History...
  • Page 90 Table 6: Switch Main Menu (Continued) Menu Description Page Statistics Shows Interface, Etherlike, and RMON port statistics Chart Shows Interface, Etherlike, and RMON port statistics Load Balance Sets the load-distribution method among ports in aggregated links History Shows statistical history for the specified interfaces Green Ethernet...
  • Page 91 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Interface Maps a protocol group to a VLAN Show Shows the protocol groups mapped to each VLAN IP Subnet Maps IP subnet traffic to a VLAN Show Shows IP subnet to VLAN mapping...
  • Page 92 Table 6: Switch Main Menu (Continued) Menu Description Page Show Configures global settings for an MST instance Add Member Adds VLAN members for an MST instance Show Member Adds or deletes VLAN members for an MST instance Show Information Displays MSTP values used for the bridge Configure Interface...
  • Page 93 Table 6: Switch Main Menu (Continued) Menu Description Page Add Rule Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic Show Rule Shows the rules used to enforce bandwidth policing for a policy Configure Interface...
  • Page 94 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Service Sets the authorization method applied used for the console port, and for Telnet Show Information Shows the configured authorization methods, and the methods applied to specific interfaces User Accounts Configures user names, passwords, and access levels...
  • Page 95 Table 6: Switch Main Menu (Continued) Menu Description Page Add Rule Absolute Sets exact time or time range Periodic Sets a recurrent time Show Rule Shows the time specified by a rule Configure ACL Show TCAM Shows utilization parameters for TCAM...
  • Page 96 Table 6: Switch Main Menu (Continued) Menu Description Page Administration System Configure Global Stores error messages in local memory Show System Logs Shows logged error messages Remote Configures the logging of messages to a remote logging process SMTP Sends an SMTP client message to a participating server LLDP...
  • Page 97 Table 6: Switch Main Menu (Continued) Menu Description Page Show Community Shows community strings and access mode Add SNMPv3 Local User Configures SNMPv3 users on this switch Show SNMPv3 Local User Shows SNMPv3 users configured on this switch Change SNMPv3 Local User Group Assign a local user to a new group...
  • Page 98 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Domain Creates an ERPS ring Show Shows list of configured ERPS rings, status, and settings Configure Details Configures ring parameters Connectivity Fault Management Configure Global Configures global settings, including administrative status, cross-...
  • Page 99 Table 6: Switch Main Menu (Continued) Menu Description Page Show Remote MEP Details Displays detailed CFM information about a specified remote MEP in the continuity check database Show Link Trace Cache Shows information about link trace operations launched from this device Show Fault Notification Generator...
  • Page 100 Table 6: Switch Main Menu (Continued) Menu Description Page Add Domain Name Defines a list of domain names that can be appended to incomplete host names Show Domain Names Shows the configured domain name list Add Name Server Specifies IP address of name servers for dynamic lookup...
  • Page 101 Table 6: Switch Main Menu (Continued) Menu Description Page Configure Profile Adds IGMP filter profile; and sets access mode Show Shows configured IGMP filter profiles Add Multicast Group Range Assigns multicast groups to selected profile Show Multicast Group Range Shows multicast groups assigned to a profile...
  • Page 102 Chapter | Using the Web Interface | Navigating the Web Browser Interface
  • Page 103: Basic

    Basic Management Tasks – This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames –...
  • Page 104: Basic Management Task

    Chapter | Basic Management Tasks | Displaying System Information: Parameters – These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been...
  • Page 105: Displaying Hardware/Software Versions

    Chapter | Basic Management Tasks | Displaying Hardware/Software Versions: Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. CLI References ◆...
  • Page 106: Configuring Support For Jumbo Frames

    Chapter | Basic Management Tasks | Configuring Support for Jumbo Frames: Web Interface – To view hardware and software version information. Click System, then Switch. Figure 4: General Switch Information. Configuring Support for Jumbo Frames – Use the System > Capability page to configure support for layer 2 jumbo frames.
  • Page 107: Displaying Bridge Extension Capabilities

    Chapter | Basic Management Tasks | Displaying Bridge Extension Capabilities: Web Interface – To configure support for jumbo frames: Click System, then Capability. Enable or disable support for jumbo frames. Click Apply. Figure 5: Configuring Support for Jumbo Frames. Displaying Bridge Extension Capabilities – Use the System >...
  • Page 108: Figure 6: Displaying Bridge Extension Configuration

    ◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to "VLAN Configuration"...
  • Page 109: Managing System Files

    Chapter | Basic Management Tasks | Managing System Files: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Copying Files via FTP/TFTP or HTTP – Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
  • Page 110: Figure 7: Copy Firmware

    Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. The maximum number of user-defined configuration files is limited only by available flash memory space. The file can be copied to a file server “Factory_Default_Config.cfg”...
  • Page 111: Saving The Running Configuration To A Local File

    Saving the Running Configuration to a Local File – Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted.
  • Page 112: Setting The Start-Up File

    If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Setting the Start-Up File – Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
  • Page 113: Automatic Operation Code Upgrade

    Web Interface – To show the system files: Click System, then File. Select Show from the Action list. To delete a file, mark it in the File List and click Delete. Figure 10: Displaying System Files. Use the System >...
  • Page 114 indicated here). Enter the file name for other switches described in this manual exactly as shown on the web interface. ◆ The FTP connection is made with PASV mode enabled. PASV mode is...
  • Page 115 Parameters – The following parameters are displayed: ◆ Automatic Opcode Upgrade – Enables the switch to search for an upgraded operation code file during the switch bootup process. (Default: Disabled) ◆ Automatic Upgrade Location URL – Defines where the switch should...
  • Page 116 Examples – The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations: ■ tftp://192.168.0.1/ The image file is in the TFTP root directory. ■ tftp://192.168.0.1/switch-opcode/...
  • Page 117: Setting The System Clock

    Chapter | Basic Management Tasks | Setting the System Clock: Figure 11: Configuring Automatic Code Upgrade. If a new image is found at the specified location, the following type of messages will be displayed during bootup. Automatic Upgrade is looking for a new image New image detected: current version 1.1.1.0;...
  • Page 118: Figure 12: Manually Setting The System Clock

    Parameters – The following parameters are displayed: ◆ Current Time – Shows the current time set on the switch. ◆ Hours – Sets the hour. (Range: 0-23; Default: 0) ◆ Minutes – Sets the minute value. (Range: 0-59; Default: 0)...
  • Page 119: Setting The SNTP Polling Interval

    Setting the SNTP Polling Interval – Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI References – "Time" on page...
  • Page 120: Specifying SNTP Time Servers

    Specifying SNTP Time Servers – Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers. CLI References ◆ "sntp server" on page 645...
  • Page 121 Parameters – The following parameters are displayed: ◆ Direction: Configures the time zone to be before (east of) or after (west of) UTC. ◆ Name – Assigns a name to the time zone. (Range: 1-29 characters) ◆ Hours (0-13) –...
  • Page 122: Configuring The Console Port

    Chapter | Basic Management Tasks | Configuring The Console Port: Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 123: Figure 16: Console Port Settings

    The password for the console connection can only be configured through the CLI (see "password" on page 627). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
  • Page 124: Configuring Telnet Settings

    Chapter | Basic Management Tasks | Configuring Telnet Settings: Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
  • Page 125: Displaying CPU Utilization

    Chapter | Basic Management Tasks | Displaying CPU Utilization: Password checking can be enabled or disabled for login to the console connection (see "login" on page 625). You can select authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts.
  • Page 126: Displaying Memory Utilization

    Chapter | Basic Management Tasks | Displaying Memory Utilization: Web Interface – To display CPU utilization: Click System, then CPU Utilization. Change the update interval if required. Note that the interval is changed as soon as a new setting is selected. Figure 18: Displaying CPU Utilization. Displaying Memory Utilization...
  • Page 127: Resetting The System

    Chapter | Basic Management Tasks | Resetting the System: Web Interface – To display memory utilization: Click System, then Memory Status. Figure 19: Displaying Memory Utilization. Resetting the System – Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI References – "reload (Privileged Exec)"...
  • Page 128 ■ At – Specifies a periodic interval at which to reload the switch. ■ DD - The day of the month at which to reload. (Range: 1-31) ■ MM - The month at which to reload. (january ... december)...
  • Page 129: Figure 20: Restarting The Switch (Immediately)

    Figure 20: Restarting the Switch (Immediately) Figure 21: Restarting the Switch (In)
  • Page 130: Figure 22: Restarting The Switch (At)

    Figure 22: Restarting the Switch (At) Figure 23: Restarting the Switch (Regularly)
  • Page 131: Interface Configuration

    Interface Configuration – This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
  • Page 132: Interface Configuration

    Chapter | Interface Configuration | Port Configuration: This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. Configuring by Port List – Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 133 ■ SFP-Forced - Always uses the SFP port (even if a module is not installed). ■ SFP-Preferred-Auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link. (This is the default for the combination ports.) Autonegotiation (Port Capabilities) –...
  • Page 134: Configuring By Port Range

    Web Interface – To configure port connection parameters: Click Interface, Port, General. Select Configure by Port List from the Action List. Modify the required interface settings. Click Apply. Figure 24: Configuring Connections by Port List. Configuring by Port Range – Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface...
  • Page 135: Displaying Connection Status

    Click Apply. Figure 25: Configuring Connections by Port Range. Displaying Connection Status – Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
  • Page 136: Configuring Local Port Mirroring

    Web Interface – To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 26: Displaying Port Information. Configuring Local Port Mirroring – Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
  • Page 137: Figure 28: Configuring Local Port Mirroring

    ◆ When mirroring VLAN traffic (see "Configuring VLAN Mirroring" on page 203) or packets based on a source MAC address (see "Configuring MAC Address Mirroring" on page 212), the target port cannot be set to the same target ports as that used for port mirroring by this command.
  • Page 138: Configuring Remote Port Mirroring

    To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 29: Displaying Local Port Mirror Sessions. Configuring Remote Port Mirroring – Use the Interface > Port > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
  • Page 139 Command Usage ◆ Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in "Configuring Local Port Mirroring" on page 136), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
  • Page 140 ■ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
  • Page 141: Figure 31: Configuring Remote Port Mirroring (Source)

    dynamically add port members to an RSPAN VLAN. Also, note that the VLAN > Static (Show) page will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. Type –...
  • Page 142: Showing Port Or Trunk Statistics

    Figure 32: Configuring Remote Port Mirroring (Intermediate) Figure 33: Configuring Remote Port Mirroring (Destination) Showing Port or Trunk Statistics – Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the...
  • Page 143: Table 7: Port Statistics

    CLI References ◆ "show interfaces counters" on page 833 Parameters – These parameters are displayed: Table 7: Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface, including framing characters.
  • Page 144 Table 7: Port Statistics (Continued) Parameter Description Deferred Transmissions A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy. Frames Too Long A count of frames received on a particular interface that exceed the maximum permitted frame size.
  • Page 145: Figure 34: Showing Port Statistics (Table)

    Table 7: Port Statistics (Continued) Parameter Description Utilization Statistics Input Octets per second Number of octets entering this interface per second. Input Packets per second Number of packets entering this interface per second. Input Utilization The input utilization rate for this interface....
  • Page 146: Displaying Statistical History

    To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
  • Page 147: Figure 36: Showing Statistical History Status

    ■ Current Entry – Shows statistics for the specified port and interval. ■ Input Previous Entries – Shows statistical history for ingress traffic. ■ Output Previous Entries – Shows statistical history for egress traffic. Port –...
  • Page 148: Displaying Transceiver Data

    To show the statistical history for an interface: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Current Entry, Input Previous Entry, or Output Previous Entry from the options for Mode. Select an interface from the Port or Trunk list. Select a sampling period from the Name list.
  • Page 149 ■ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ■ A high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
  • Page 150 Web Interface – To display identifying information and functional parameters for optical transceivers: Click Interface, Port, Transceiver. Select a port from the scroll-down list. Adjust the alarm or warning thresholds if required. Click Apply. Figure 38: Displaying Transceiver Data
  • Page 151: Performing Cable Diagnostics

    Performing Cable Diagnostics – Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 152: Trunk Configuration

    Chapter | Interface Configuration | Trunk Configuration: To ensure more accurate measurement of the length to a fault, first disable power-saving mode on the link partner before running cable diagnostics. For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters.
  • Page 153: Configuring A Static Trunk

    LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them. If an LACP trunk consists of more than eight ports, all other ports will be placed in standby mode.
  • Page 154: Figure 41: Creating Static Trunks

    CLI References ◆ "Link Aggregation Commands" on page 845 ◆ "Interface Commands" on page 817 Command Usage ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 155: Figure 42: Adding Static Trunks Members

    To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member. Click Apply.
  • Page 156: Configuring A Dynamic Trunk

    To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 44: Showing Information for Static Trunks. Configuring a Dynamic Trunk – Use the Interface > Trunk > Dynamic (Configure Aggregator) page to set the administrative key for an aggregation group, enable LACP on a port,...
  • Page 157 ◆ All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. ◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured).
  • Page 158: Figure 46: Configuring The LACP Aggregator Admin Key

    Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port. Configuring the port partner sets the remote side of an aggregate link;...
  • Page 159: Figure 47: Enabling LACP On A Port

    Figure 47: Enabling LACP on a Port To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings.
  • Page 160: Figure 49: Showing Members Of A Dynamic Trunk

    To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Show Member from the Action List. Select a Trunk. Figure 49: Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 161: Displaying LACP Port Counters

    Select Show from the Action List. Figure 51: Displaying Connection Parameters for Dynamic Trunks. Displaying LACP Port Counters – Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
  • Page 162: Displaying LACP Settings And Status For The Local Side

    Web Interface – To display LACP port counters: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Counters. Select a group member from the Port list. Figure 52: Displaying LACP Port Counters. Use the Interface >...
  • Page 163 Table 9: LACP Internal Configuration Information (Continued) Parameter Description Admin State, Oper State: Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state; ◆ Defaulted –...
  • Page 164: Displaying LACP Settings And Status For The Remote Side

    Web Interface – To display LACP settings and status for the local side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Internal. Select a group member from the Port list. Figure 53: Displaying LACP Port Internal Information. Use the Interface >...
  • Page 165: Figure 54: Displaying LACP Port Remote Information

    Table 10: LACP Internal Configuration Information (Continued) Parameter Description Partner Oper Port Number: Operational port number assigned to this aggregation port by the port’s protocol partner. Port Admin Priority: Current administrative value of the port priority for the protocol partner.
  • Page 166: Configuring Load Balancing

    Configuring Load Balancing – Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. CLI References ◆ "port channel load-balance" on page 846 Command Usage ◆ This command applies to all static and dynamic trunks on the switch.
  • Page 167: Saving Power

    Chapter | Interface Configuration | Saving Power: Parameters – These parameters are displayed for the load balance mode: ◆ Destination IP Address - Load balancing based on destination IP address. ◆ Destination MAC Address - Load balancing based on destination MAC address. ◆...
  • Page 168 ◆ The power-saving methods provided by this switch include: ■ Power saving when there is no link partner: Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists.
  • Page 169: Traffic Segmentation

    Chapter | Interface Configuration | Traffic Segmentation: Figure 56: Enabling Power Savings. If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 170 ■ Forwarding – Forwards traffic between uplink ports assigned to different sessions. Web Interface – To enable traffic segmentation: Click Interface, Traffic Segmentation. Select Configure Global from the Step list. Mark the Status check box, and set the required uplink-to-uplink mode. Click Apply.
  • Page 171: Configuring Uplink And Downlink Ports

    Configuring Uplink and Downlink Ports – Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports.
  • Page 172: Figure 58: Configuring Members For Traffic Segmentation

    ◆ Interface – Displays a list of ports or trunks. ■ Port – Port Identifier. (Range: 1-12) ■ Trunk – Trunk Identifier. (Range: 1-12) Web Interface – To configure the members of the traffic segmentation group: Click Interface, Traffic Segmentation.
  • Page 173: VLAN Trunking

    | Interface Configuration HAPTER VLAN Trunking VLAN T RUNKING Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI R EFERENCES "vlan-trunking" on page 944 ◆ OMMAND SAGE Use this feature to configure a tunnel across one or more intermediate ◆...
  • Page 174: Figure 61: Configuring VLAN Trunking

    PARAMETERS. These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-12) ◆ Trunk – Trunk Identifier. (Range: 1-12) ◆ VLAN Trunking Status – Enables VLAN trunking on the selected...
  • Page 175: VLAN Configuration

    VLAN CONFIGURATION. This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 176: Figure 62: VLAN Compliant And VLAN Non-Compliant Devices

    since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 4093 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit or...
  • Page 177 VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 178: Configuring VLAN Groups

    Figure 63: Using GVRP. Forwarding Tagged/Untagged Frames: If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 179: Figure 64: Creating Static VLANs

    ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 138). Modify: ◆ VLAN ID – ID of configured VLAN (1-4093). ◆ VLAN Name – Name of the VLAN (1 to 32 characters)...
  • Page 180: Adding Static Members To VLANs

    To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 181 CLI REFERENCES ◆ "Configuring VLAN Interfaces" on page 939 ◆ "Displaying VLAN Information" on page 945 PARAMETERS. These parameters are displayed: Edit Member by VLAN: ◆ VLAN – ID of configured VLAN (1-4093)...
  • Page 182 ■ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 183: Figure 67: Configuring Static Members By VLAN Index

    WEB INTERFACE. To configure static members by the VLAN index: Click VLAN, Static. Select Edit Member by VLAN from the Action list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required. Click Apply.
  • Page 184: Figure 68: Configuring Static VLAN Members By Interface

    To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Action list. Select a port or trunk to configure. Modify the settings for any interface as required. Click Apply. Figure 68: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static.
  • Page 185: Configuring Dynamic VLAN Registration

    Figure 69: Configuring Static VLAN Members by Interface Range. CONFIGURING DYNAMIC VLAN REGISTRATION. Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface...
  • Page 186: Figure 70: Configuring Global Status Of GVRP

    ■ Join – The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20) ■ Leave – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time.
  • Page 187: Figure 71: Configuring GVRP For An Interface

    To configure GVRP status and timers on a port or trunk: Click VLAN, Dynamic. Select Configure Interface from the Step list. Set the Interface type to display as Port or Trunk. Modify the GVRP status or timers for any interface. Click Apply.
  • Page 188: Showing VLAN Statistics

    To show the members of a dynamic VLAN: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN Members from the Action list. Figure 73: Showing the Members of a Dynamic VLAN. Use the VLAN >...
  • Page 189: IEEE 802.1Q Tunneling

    Figure 74: Showing VLAN Statistics. IEEE 802.1Q TUNNELING. IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 190: Figure 75: QinQ Operational Concept

    When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing. However, the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the customer’s network.
  • Page 191 If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port: An uplink port receives one of the following packets: ◆...
  • Page 192 Configuration Limitations for QinQ: ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
  • Page 193: Enabling QinQ Tunneling On The Switch

    ENABLING QINQ TUNNELING ON THE SWITCH. Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
  • Page 194: Adding An Interface To A QinQ Tunnel

    Figure 76: Enabling QinQ Tunneling. ADDING AN INTERFACE TO A QINQ TUNNEL. Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
  • Page 195: Protocol VLANs

    WEB INTERFACE. To add an interface to a QinQ tunnel: Click VLAN, Tunnel. Select Configure Interface from the Step list. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink. Click Apply.
  • Page 196: Configuring Protocol VLAN Groups

    Then map the protocol for each interface to the appropriate VLAN using the Configure Interface (Add) page. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
  • Page 197: Figure 78: Configuring Protocol VLANs

    WEB INTERFACE. To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Add from the Action list. Select an entry from the Frame Type list. Select an entry from the Protocol Type list. Enter an identifier for the protocol group.
  • Page 198: Mapping Protocol Groups To Interfaces

    MAPPING PROTOCOL GROUPS TO INTERFACES. Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group. CLI REFERENCES "protocol-vlan protocol-group (Configuring Interfaces)"...
  • Page 199: Figure 80: Assigning Interfaces To Protocol VLANs

    WEB INTERFACE. To map a protocol group to a VLAN for a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Add from the Action list. Select a port or trunk. Enter the identifier for a protocol group.
  • Page 200: Configuring IP Subnet VLANs

    CONFIGURING IP SUBNET VLANS. Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 201: Figure 82: Configuring IP Subnet VLANs

    WEB INTERFACE. To map an IP subnet to a VLAN: Click VLAN, IP Subnet. Select Add from the Action list. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field.
  • Page 202: Configuring MAC-Based VLANs

    CONFIGURING MAC-BASED VLANS. Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 203: Configuring VLAN Mirroring

    Click Apply. Figure 84: Configuring MAC-Based VLANs. To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 85: Showing MAC-Based VLANs. CONFIGURING VLAN MIRRORING. Use the VLAN >...
  • Page 204: Figure 86: Configuring VLAN Mirroring

    ◆ When VLAN mirroring and port mirroring are both enabled, the target port can receive a mirrored packet twice; once from the source mirror port and again from the source mirrored VLAN. ◆ The target port receives traffic from all monitored source VLANs and...
  • Page 205: Figure 87: Showing The VLANs To Mirror

    To show the VLANs to be mirrored: Click VLAN, Mirror. Select Show from the Action list. Figure 87: Showing the VLANs to Mirror
  • Page 207: Address Table Settings

    ADDRESS TABLE SETTINGS. Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 208 PARAMETERS. These parameters are displayed: ◆ VLAN – ID of configured VLAN. (Range: 1-4093) ◆ Interface – Port or trunk associated with the device assigned a static address. ◆ MAC Address – Physical address of a device mapped to this interface...
  • Page 209: Changing The Aging Time

    Figure 89: Displaying Static MAC Addresses. CHANGING THE AGING TIME. Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
  • Page 210: Displaying The Dynamic Address Table

    WEB INTERFACE. To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
  • Page 211: Clearing The Dynamic Address Table

    WEB INTERFACE. To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
  • Page 212: Configuring MAC Address Mirroring

    WEB INTERFACE. To clear the entries in the dynamic address table: Click MAC Address, Dynamic. Select Clear Dynamic MAC from the Action list. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
  • Page 213: Figure 93: Mirroring Packets Based On The Source MAC Address

    cannot be set to the same target ports as that used for port mirroring (see "Configuring Local Port Mirroring" on page 136). ◆ When traffic matches the rules for both port mirroring, and for...
  • Page 214: Figure 94: Showing The Source MAC Addresses To Mirror

    To show the MAC addresses to be mirrored: Click MAC Address, Mirror. Select Show from the Action list. Figure 94: Showing the Source MAC Addresses to Mirror
  • Page 215: Spanning Tree Algorithm

    SPANNING TREE ALGORITHM. This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA,...
  • Page 216: Figure 95: STP Root Ports And Designated Ports

    lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 95: STP Root Ports and Designated Ports. Designated Root...
  • Page 217: Figure 96: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree

    Figure 96: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 218: Configuring Loopback Detection

    CONFIGURING LOOPBACK DETECTION. Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 219: Configuring Global Settings For STA

    WEB INTERFACE. To configure loopback detection: Click Spanning Tree, Loopback Detection. Click Port or Trunk to display the required interface type. Modify the required loopback detection attributes. Click Apply. Figure 98: Configuring Port Loopback Detection. CONFIGURING GLOBAL SETTINGS FOR...
  • Page 220 connected to an 802.1D bridge and starts using only 802.1D BPDUs. ■ RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
  • Page 221 device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) ■ Default: 32768 ■ Range: 0-61440, in steps of 4096 ■ Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672,...
  • Page 222 new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) ■ Default: 20...
  • Page 223: Figure 99: Configuring Global Settings For STA (STP)

    Figure 99: Configuring Global Settings for STA (STP). Figure 100: Configuring Global Settings for STA (RSTP)
  • Page 224: Displaying Global Settings For STA

    Figure 101: Configuring Global Settings for STA (MSTP). DISPLAYING GLOBAL SETTINGS FOR STA. Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 225: Configuring Interface Settings For STA

    ◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 226: Table 12: Recommended STA Path Cost Range

    CLI REFERENCES ◆ "Spanning Tree Commands" on page 891 PARAMETERS. These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Spanning Tree – Enables/disables STA on this interface...
  • Page 227: Table 13: Default STA Path Costs

    Table 13: Default STA Path Costs (Port Type: Short Path Cost (IEEE 802.1D-1998) / Long Path Cost (802.1D-2004)): Ethernet: 65,535 / 1,000,000; Fast Ethernet: 65,535 / 100,000; Gigabit Ethernet: 10,000 / 10,000. ◆ Admin Link Type – The link type attached to this interface...
  • Page 228 An interface cannot function as an edge port under the following conditions: ■ If spanning tree mode is set to STP (page 219), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  • Page 229: Displaying Interface Settings For STA

    Figure 103: Configuring Interface Settings for STA. DISPLAYING INTERFACE SETTINGS FOR STA. Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI REFERENCES "show spanning-tree"...
  • Page 230 The rules defining port status are: ■ A port on a network segment with no other STA compliant bridging device is always forwarding. ■ If two ports of a switch are connected to the same segment and...
  • Page 231: Figure 104: STA Port Roles

    Figure 104: STA Port Roles. Legend: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port. Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 232: Configuring Multiple Spanning Trees

    CONFIGURING MULTIPLE SPANNING TREES. Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI REFERENCES ◆ "Spanning Tree Commands" on page 891...
  • Page 233: Figure 106: Creating An MST Instance

    WEB INTERFACE. To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 234: Figure 107: Displaying MST Instances

    To show the MSTP instances: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show from the Action list. Figure 107: Displaying MST Instances. To modify the priority for an MST instance: Click Spanning Tree, MSTP.
  • Page 235: Figure 109: Displaying Global Settings For An MST Instance

    To display global settings for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Information from the Action list. Select an MST ID. The attributes displayed on this page are described under "Displaying Global Settings for STA"...
  • Page 236: Configuring Interface Settings For MSTP

    To show the VLAN members of an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Member from the Action list. Figure 111: Displaying Members of an MST Instance. CONFIGURING INTERFACE SETTINGS FOR MSTP...
  • Page 237: Figure 112: Configuring MSTP Interface Settings

    ◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 238: Figure 113: Displaying MSTP Interface Settings

    To display MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Show Information from the Action list. Figure 113: Displaying MSTP Interface Settings
  • Page 239: Rate Limit Configuration

    RATE LIMIT CONFIGURATION. Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 240 WEB INTERFACE. To configure rate limits: Click Traffic, Rate Limit. Enable the Rate Limit Status for the required ports or trunks. Set the rate limit for the individual ports. Click Apply. Figure 114: Configuring Rate Limits
  • Page 241: Storm Control Configuration

    STORM CONTROL CONFIGURATION. Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 242: Figure 115: Configuring Storm Control

    PARAMETERS. These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Type – Indicates interface type. (100Base SFP, 1000Base-T, 1000Base SFP) ◆ Unknown Unicast – Specifies storm control for unknown unicast...
  • Page 243: Class Of Service

    CLASS OF SERVICE. Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 244: Selecting The Queue Mode

    frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. ◆ If the output port is an untagged member of the associated VLAN,...
  • Page 245 COMMAND USAGE ◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. ◆ WRR queuing specifies a relative weight for each queue. WRR uses a...
  • Page 246: Figure 117: Setting The Queue Mode (Strict)

    ◆ Weight – Sets a weight for each queue which is used by the WRR scheduler. (Range: 1-255; Default: Weights 1, 2, 4, 6, 8, 10, 12 and 14 are assigned to queues 0 - 7 respectively) WEB INTERFACE. To configure the queue mode: Click Traffic, Priority, Queue.
  • Page 247: Mapping CoS Values To Egress Queues

    Figure 119: Setting the Queue Mode (Strict and WRR). MAPPING COS VALUES TO EGRESS QUEUES. Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on exact manner in which the ingress priority tags are...
  • Page 248: Table 16: Mapping Internal Per-Hop Behavior To Hardware Queues

    Table 15: CoS Priority Levels (Continued). Columns: Priority Level, Traffic Type. Traffic types listed: Controlled Load; Video, less than 100 milliseconds latency and jitter; Voice, less than 10 milliseconds latency and jitter; Network Control. CLI REFERENCES ◆...
  • Page 249: Layer 3/4 Priority Settings

    Figure 120: Mapping CoS Values to Egress Queues. To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Select an interface. Figure 121: Showing CoS Values to Egress Queue Mapping. LAYER 3/4 PRIORITY...
  • Page 250: Setting Priority Processing To DSCP Or CoS

    The precedence for priority mapping is DSCP Priority and then Default Port Priority. The default settings used for mapping priority values from ingress traffic to internal DSCP values are used to determine the hardware queues used for egress traffic, not to replace the priority values.
  • Page 251: Mapping Ingress DSCP Values To Internal DSCP Values

    WEB INTERFACE. To configure the trust mode: Click Traffic, Priority, Trust Mode. Select the interface type to display (Port or Trunk). Set the trust mode. Click Apply. Figure 122: Setting the Trust Mode. Use the Traffic >...
  • Page 252: Table 17: Default Mapping Of DSCP Values To Internal PHB/Drop Values

    ◆ Random Early Detection starts dropping yellow and red packets when the buffer fills up to 0x60 packets, and then starts dropping any packets regardless of color when the buffer fills up to 0x80 packets. PARAMETERS. These parameters are displayed: Port –...
  • Page 253: Mapping CoS Priorities To Internal DSCP Values

    Figure 123: Configuring DSCP to DSCP Internal Mapping. To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list. Select a port. Figure 124: Showing DSCP to DSCP Internal Mapping. Use the Traffic >...
  • Page 254: Table 18: Default Mapping Of CoS/CFI To Internal PHB/Drop Precedence

    ◆ If a packet arrives with an 802.1Q header but it is not an IP packet, then the CoS/CFI-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
  • Page 255: Figure 125: Configuring CoS To DSCP Internal Mapping

    WEB INTERFACE. To map CoS/CFI values to internal PHB/drop precedence: Click Traffic, Priority, CoS to DSCP. Select Configure from the Action list. Select a port. Set the PHB and drop precedence for any of the CoS/CFI combinations. Click Apply.
  • Page 257: Quality Of Service

    QUALITY OF SERVICE. This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 258: Configuring A Class Map

    COMMAND USAGE. To create a service policy for a specific category or ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
  • Page 259: Figure 127: Configuring A Class Map

    ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: ◆ Class Name – Name of the class map. ◆ Type – The criteria specified by the match command. (This field is set...
  • Page 260: Figure 128: Showing Class Maps

    To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 128: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 261: Figure 129: Adding Rules To A Class Map

    Figure 129: Adding Rules to a Class Map. To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 130: Showing the Rules for a Class Map
  • Page 262: Creating QoS Policies

    CREATING QOS POLICIES. Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 258), modify service tagging, and enforce bandwidth policing.
  • Page 263 mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter.
  • Page 264 information rate (PIR), and their associated burst sizes – committed burst size (BC, or burst rate), and peak burst size (BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size.
  • Page 265 ◆ The trTCM can be used to mark an IP packet stream in a service, where different, decreasing levels of assurances (either absolute or relative) are given to packets which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.
  • Page 266 Table 17, "Default Mapping of DSCP Values to Internal PHB/Drop Values," on page 252). ■ Set IP DSCP – Configures the service provided to ingress traffic by setting an IP DSCP value for a matching packet (as specified in rule settings for a class map).
  • Page 267 packet, the switch will also mark the two color bits used to set the drop precedence of a packet for Random Early Detection. The color modes include “Color-Blind” which assumes that the packet stream is uncolored, and “Color-Aware”...
  • Page 268 throughput but within the peak information rate, or exceeding the peak information rate. In addition to the actions defined by this command to transmit, remark the DSCP service value, or drop a packet, the switch will also mark the two color bits used to set the drop precedence of a packet for Random Early Detection.
  • Page 269: Figure 131: Configuring A Policy Map

    ■ Drop – Drops out of conformance traffic. Web Interface: To configure a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add from the Action list. Enter a policy name. Enter a description.
  • Page 270: Figure 133: Adding Rules To A Policy Map

    To edit the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add Rule from the Action list. Select the name of a policy map. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class.
  • Page 271: Attaching A Policy Map To A Port

    To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 134: Showing the Rules for a Policy Map. Attaching a Policy Map to a...
  • Page 272: Figure 135: Attaching A Policy Map To A Port

    Check the box under the Ingress field to enable a policy map for a port. Select a policy map from the scroll-down box. Click Apply. Figure 135: Attaching a Policy Map to a Port...
  • Page 273: VoIP Traffic Configuration

    This chapter covers the following topics: ◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VOIP...
  • Page 274: VoIP Traffic Configuration

    CLI References: ◆ "Configuring Voice VLANs" on page 966. Command Usage: All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...
  • Page 275: Configuring Telephony OUI

    Figure 136: Configuring a Voice VLAN. Configuring Telephony OUI: VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 276: Configuring VoIP Traffic Ports

    Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices. Click Apply. Figure 137: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP.
  • Page 277 Command Usage: All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...
  • Page 278: Figure 139: Configuring Port Settings For A Voice VLAN

    Web Interface: To configure VoIP traffic settings for a port: Click Traffic, VoIP. Select Configure Interface from the Step list. Configure any required changes to the VoIP settings for each port. Click Apply. Figure 139: Configuring Port Settings for a Voice VLAN...
  • Page 279: Security Measures

    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 280: AAA Authorization And Accounting

    ◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 281: Configuring Local/Remote Logon Authentication

    Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
  • Page 282: Configuring Remote Logon Authentication Servers

    ■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Web Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods).
  • Page 283 CLI References: ◆ "RADIUS Client" on page 696 ◆ "TACACS+ Client" on page 700 ◆ "AAA" on page 704. Command Usage: ◆ If a remote authentication server is used, you must specify the...
  • Page 284 ■ Set Key – Mark this box to set or modify the encryption key. ■ Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) ■ Confirm Authentication Key –...
  • Page 285: Figure 142: Configuring Remote Authentication Server (RADIUS)

    When specifying the priority sequence for a server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 281). Web Interface: To configure the parameters for RADIUS or TACACS+ authentication: Click Security, AAA, Server.
  • Page 286: Figure 143: Configuring Remote Authentication Server (TACACS+)

    Figure 143: Configuring Remote Authentication Server (TACACS+). To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list.
  • Page 287: Configuring AAA Accounting

    To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 145: Showing AAA Server Groups. Use the Security >...
  • Page 288 ■ Exec – Administrative accounting for local console, Telnet, or SSH connections. ◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined.
  • Page 289: Figure 146: Configuring Global Settings For AAA Accounting

    Show Information – Statistics: ◆ User Name - Displays a registered user name. ◆ Accounting Type - Displays the accounting service. ◆ Interface - Displays the receive port number through which this user...
  • Page 290: Figure 147: Configuring AAA Accounting Methods

    To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list. Select the accounting type (802.1X, Exec).
  • Page 291: Figure 149: Configuring AAA Accounting Service For 802.1X Service

    To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list. Select the accounting type (802.1X, Exec).
  • Page 292: Configuring AAA Authorization

    To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary. Figure 151: Displaying a Summary of Applied AAA Accounting Methods. To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting.
  • Page 293 ◆ AAA authentication through a RADIUS or TACACS+ server must be enabled before authorization is enabled. Parameters: These parameters are displayed: Configure Method: ◆ Authorization Type – Specifies the service as Exec, indicating administrative authorization for local console, Telnet, or SSH connections.
  • Page 294: Figure 153: Configuring AAA Authorization Methods

    Web Interface: To configure the authorization method applied to the Exec service type and the assigned server group: Click Security, AAA, Authorization. Select Configure Method from the Step list. Specify the name of the authorization method and server group name. Click Apply.
  • Page 295: Configuring User Accounts

    Enter the required authorization method. Click Apply. Figure 155: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization. Select Show Information from the Step list.
  • Page 296 Parameters: These parameters are displayed: ◆ User Name – The name of the user. (Maximum length: 32 characters; maximum number of users: 16) ◆ Access Level – Specifies the user level. (Options: 0 - Normal, 15 - Privileged) Normal privilege level provides access to a limited number of the commands which display the current status of the switch, as well as...
  • Page 297: Web Authentication

    Figure 157: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 158: Showing User Accounts. Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
  • Page 298: Configuring Global Settings For Web Authentication

    RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See "Configuring Local/Remote Logon Authentication" on page 281.) Web authentication cannot be configured on trunk ports. Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
  • Page 299: Configuring Interface Settings For Web Authentication

    Figure 159: Configuring Global Settings for Web Authentication. Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References...
  • Page 300: Network Access (MAC Address Authentication)

    Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate. Figure 160: Configuring Interface Settings for Web Authentication. Network Access (MAC Address Authentication): Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 301: Table 19: Dynamic QoS Profiles

    authenticated. On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case). ◆ Authenticated MAC addresses are stored as dynamic entries in the...
  • Page 302 For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps. ◆ If duplicate profiles are passed in the Filter-ID attribute, then only the...
  • Page 303: Configuring Global Settings For Network Access

    MAC address authentication is configured on a per-port basis, however there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
  • Page 304: Configuring Network Access For Ports

    Figure 161: Configuring Global Settings for Network Access. Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic...
  • Page 305 ◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch.
  • Page 306: Configuring Port Link Detection

    Figure 162: Configuring Interface Settings for Network Access. Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
  • Page 307: Configuring a MAC Address Filter

    Web Interface: To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
  • Page 308: Figure 164: Configuring A MAC Address Filter For Network Access

    ◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 309: Displaying Secure MAC Address Information

    Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
  • Page 310: Configuring HTTPS

    Figure 166: Showing Addresses Authenticated for Network Access. Configuring HTTPS: You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 311: Table 20: HTTPS System Support

    ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above. ◆ The following web browsers and operating systems currently support...
  • Page 312: Replacing The Default Secure-Site Certificate

    Figure 167: Configuring HTTPS. Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 313: Figure 168: Downloading The Secure-Site Certificate

    ◆ Private Key Source File Name – Name of private key file stored on the TFTP server. ◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 314: Configuring The Secure Shell

    The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 315 Import Client’s Public Key to the Switch – See "Importing User Public Keys" on page 319, or use the copy tftp public-key command (page 615) to copy a file containing the public key for all the SSH clients granted management access to the switch.
  • Page 316: Configuring The Ssh Server

    If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 317 ◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. ◆ Authentication Timeout – Specifies the time interval in seconds that...
  • Page 318: Generating The Host Key Pair

    Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public...
  • Page 319: Importing User Public Keys

    Figure 170: Generating the SSH Host Key Pair. To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
  • Page 320: Figure 172: Copying The SSH User's Public Key

    Parameters: These parameters are displayed: ◆ User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
  • Page 321: Access Control Lists

    To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
  • Page 322: Setting a Time Range

    Command Usage: The following restrictions apply to ACLs: ◆ The maximum number of ACLs is 128. ◆ The maximum number of rules per system is 512 rules. ◆ An ACL can have up to 64 rules. However, due to resource restrictions,...
  • Page 323: Figure 174: Setting The Name Of A Time Range

    Web Interface: To configure a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Add from the Action list. Enter the name of a time range. Click Apply. Figure 174: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL.
  • Page 324: Figure 176: Add A Rule To A Time Range

    Fill in the required parameters for the selected mode. Click Apply. Figure 176: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list.
  • Page 325: Showing TCAM Utilization

    Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
  • Page 326: Setting The ACL Name And Type

    Figure 178: Showing TCAM Utilization. Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI References: ◆ "access-list ip" on page 794 ◆ "show ip access-list" on page 799...
  • Page 327: Figure 179: Creating An ACL

    Web Interface: To configure the name and type of an ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add from the Action list. Fill in the ACL Name field, and select the ACL type. Click Apply.
  • Page 328: Configuring A Standard IPv4 ACL

    Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. CLI References: ◆ "permit, deny (Standard IP ACL)" on page 795...
  • Page 329: Configuring An Extended IPv4 ACL

    Click Apply. Figure 181: Configuring a Standard IPv4 ACL. Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI References...
  • Page 330 ◆ Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) ◆ Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others;...
  • Page 331 Web Interface: To add rules to an Extended IPv4 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Extended from the Type list. Select the name of an ACL from the Name list.
  • Page 332: Configuring A Standard IPv6 ACL

    Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References: ◆ "permit, deny (Standard IPv6 ACL)" on page 801...
  • Page 333 Web Interface: To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list. Select the name of an ACL from the Name list.
  • Page 334: Configuring An Extended IPv6 ACL

    Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI References: ◆ "permit, deny (Extended IPv6 ACL)" on page 802...
  • Page 335 Web Interface: To add rules to an Extended IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Extended from the Type list. Select the name of an ACL from the Name list.
  • Page 336: Configuring a MAC ACL

    Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI References: ◆ "permit, deny (MAC ACL)" on page 807...
  • Page 337 Web Interface: To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 338: Configuring An ARP ACL

    Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 339: Figure 186: Configuring An ARP ACL

    Web Interface: To add rules to an ARP ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 340: Binding A Port To An Access Control List

    After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
  • Page 341: ARP Inspection

    Web Interface: To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select IP or MAC from the Type list. Select a port. Select the name of an ACL from the ACL list. Click Apply.
  • Page 342: Configuring Global Settings For ARP Inspection

    (ACLs) for hosts with statically configured addresses (see "Configuring an ARP ACL" on page 338). Command Usage: ◆ Enabling & Disabling ARP Inspection: ARP Inspection is controlled on a global and VLAN basis. By default, ARP Inspection is disabled both globally and on all VLANs...
  • Page 343 ■ Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
  • Page 344: Configuring VLAN Settings For ARP Inspection

    ■ IP – Checks the ARP body for invalid and unexpected IP addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses. ■ Src-MAC –...
  • Page 345 ◆ ARP Inspection ACLs are configured within the ARP ACL configuration page (see page 338). ◆ ARP Inspection ACLs can be applied to any configured VLAN. ◆ ARP Inspection uses the DHCP snooping bindings database for the list...
  • Page 346: Configuring Interface Settings For ARP Inspection

    Figure 189: Configuring VLAN Settings for ARP Inspection. Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
  • Page 347: Displaying ARP Inspection Statistics

    Web Interface: To configure interface settings for ARP Inspection: Click Security, ARP Inspection. Select Configure Interface from the Step list. Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. Click Apply. Figure 190: Configuring Interface Settings for ARP Inspection. Use the Security >...
  • Page 348: Displaying The ARP Inspection Log

    Table 21: ARP Inspection Statistics (Continued)
    Parameter | Description
    ARP packets dropped by additional validation (Src-MAC) | Count of packets that failed the source MAC address test.
    ARP packets dropped by ARP ACLs | Count of ARP packets that failed validation against ARP ACL rules.
  • Page 349: Filtering IP Addresses For Management Access

    Table 22: ARP Inspection Log (Continued)
    Parameter | Description
    Src. IP Address | The source IP address in the packet.
    Dst. IP Address | The destination IP address in the packet.
    Src. MAC Address | The source MAC address in the packet.
  • Page 350: Figure 193: Creating An IP Address Filter For Management Access

    ◆ When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
  • Page 351: Configuring Port Security

    To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 194: Showing IP Addresses Authorized for Management Access. Configuring Port Security: Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
  • Page 352 ◆ If port security is enabled, any device not in the address table that attempts to use the port will be prevented from accessing the switch. ◆ If a port is disabled (shut down) due to a security violation, it must be...
  • Page 353: Configuring 802.1X Port Authentication

    Web Interface: To configure port security: Click Security, Port Security. Mark the check box in the Security Status column to enable security, set the action to take when an invalid address is detected on a port, and set the maximum number of MAC addresses allowed on the port.
  • Page 354: Figure 196: Configuring Port Security

    Digest 5), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet.
  • Page 355: Configuring 802.1X Global Settings

    Configuring 802.1X Global Settings
    Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
    CLI References: "802.1X Port Authentication"...
  • Page 356: Configuring Port Authenticator Settings For 802.1X

    Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server. Click Apply.
    Figure 197: Configuring Global Settings for 802.1X Port Authentication
    Use the Security >...
  • Page 357 | Configuring 802.1X Port Authentication
    Parameters
    These parameters are displayed:
    ◆ Port – Port number.
    ◆ Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized.
    Authorized –...
  • Page 358 | Configuring 802.1X Port Authentication
    ◆ Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2)
    Quiet Period –...
  • Page 359 | Configuring 802.1X Port Authentication
    Authenticator PAE State Machine
    ◆ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
    ◆ Reauth Count – Number of times connecting state is re-entered.
    ◆ Current Identifier – Identifier sent in each EAP Success, Failure or...
  • Page 360: Configuring Port Supplicant Settings For 802.1X

    Figure 198: Configuring Interface Settings for 802.1X Port Authenticator
    Configuring Port Supplicant Settings for 802.1X
    Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
  • Page 361 | Configuring 802.1X Port Authentication
    Parameters
    These parameters are displayed:
    ◆ Port – Port number.
    ◆ PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled) If the attached client must be authenticated through another device in the network, supplicant status must be enabled. Supplicant status can only be enabled if PAE Control Mode is set to “Force-Authorized”...
  • Page 362: Displaying 802.1X Statistics

    Figure 199: Configuring Interface Settings for 802.1X Port Supplicant
    Displaying 802.1X Statistics
    Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
    CLI References: "show dot1x"...
  • Page 363 | Configuring 802.1X Port Authentication
    Table 23: 802.1X Statistics (Continued)
    Parameter – Description
    Tx EAP Req/Id – The number of EAP Req/Id frames that have been transmitted by this Authenticator.
    Tx EAP Req/Oth – The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.
  • Page 364: Figure 200: Showing Statistics For 802.1X Port Authenticator

    Web Interface
    To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator.
    Figure 200: Showing Statistics for 802.1X Port Authenticator
  • Page 365: Ip Source Guard

    To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant.
    Figure 201: Showing Statistics for 802.1X Port Supplicant
    IP Source Guard
    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 366 | IP Source Guard
    Command Usage
    ◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 367: Configuring Static Bindings For Ip Source Guard

      ■ SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table.
    ◆ Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see...
  • Page 368 | IP Source Guard
      ■ If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
      ■ If there is an entry with the same VLAN ID and MAC address, and...
  • Page 369: Displaying Information For Dynamic Ip Source Guard Bindings

    Web Interface
    To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Add from the Action list. Enter the required bindings for each port. Click Apply.
    Figure 203: Configuring Static Bindings for IP Source Guard
    To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration.
  • Page 370: Figure 205: Showing The Ip Source Guard Binding Table

    Parameters
    These parameters are displayed:
    ◆ Query by Port – A port on this switch.
    ◆ VLAN – ID of a configured VLAN (Range: 1-4093)
    ◆ MAC Address – A valid unicast MAC address.
    IP Address –...
  • Page 371: Dhcp Snooping

    DHCP Snooping
    The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 372 | DHCP Snooping
      ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
      ■ If the DHCP packet is from a client, such as a DISCOVER,...
  • Page 373: Dhcp Snooping Configuration

    the DHCP client request, including the port and VLAN ID. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them to the entire VLAN.
    ◆ If DHCP Snooping Information Option 82 is enabled on the switch,...
  • Page 374: Dhcp Snooping Vlan Configuration

    Web Interface
    To configure global settings for DHCP Snooping: Click Security, DHCP Snooping. Select Configure Global from the Step list. Select the required options for the general DHCP snooping process and for the DHCP Option 82 information policy. Click Apply.
    Figure 206: Configuring Global Settings for DHCP Snooping
    Use the IP Service >...
  • Page 375: Configuring Ports For Dhcp Snooping

    ◆ DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 376: Displaying Dhcp Snooping Binding Information

    Parameters
    These parameters are displayed:
    ◆ Trust Status – Enables or disables a port as trusted. (Default: Disabled)
    Web Interface
    To configure global settings for DHCP Snooping: Click Security, DHCP Snooping. Select Configure Interface from the Step list. Set any ports within the local network or firewall to trusted.
  • Page 377: Figure 209: Displaying The Binding Table For Dhcp Snooping

    ◆ VLAN – VLAN to which this entry is bound.
    ◆ Interface – Port or trunk to which this entry is bound.
    ◆ Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 379: Basic Administration Protocols

    Basic Administration Protocols
    This chapter describes basic administration tasks including:
    ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 380: Configuring Event Logging

    Configuring Event Logging
    The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and the display of a list of recent event messages. Use the Administration >...
  • Page 381: Figure 210: Configuring Settings For System Memory Logs

    Table 24: Logging Levels (Continued)
    Level – Severity Name – Description
    Alert – Immediate action needed
    Emergency – System unusable
    * There are only Level 2, 5 and 6 error messages for the current firmware release.
    RAM Level –...
  • Page 382: Remote Log Configuration

    To show the error messages logged to system or flash memory: Click Administration, Log, System. Select Show System Logs from the Step list. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.
  • Page 383: Sending Simple Mail Transfer Protocol Alerts

    the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23)
    ◆ Logging Trap Level – Limits log messages that are sent to the remote...
  • Page 384: Figure 213: Configuring Smtp Alert Messages

    ◆ Severity – Sets the syslog severity threshold level (see table on page 380) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0.
  • Page 385: Link Layer Discovery Protocol

    Link Layer Discovery Protocol
    Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 386 | Link Layer Discovery Protocol
    The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
  • Page 387: Configuring Lldp Interface Attributes

    Figure 214: Configuring LLDP Timing Attributes
    Configuring LLDP Interface Attributes
    Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 388 | Link Layer Discovery Protocol
    ◆ MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Enabled)
    ◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages.
    Management Address –...
  • Page 389 | Link Layer Discovery Protocol
      ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 175).
      ■ VLAN Name – The name of all VLANs to which this interface has...
  • Page 390: Displaying Lldp Local Device Information

    Web Interface
    To configure LLDP interface attributes: Click Administration, LLDP. Select Configure Interface from the Step list. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
  • Page 391: Table 25: Chassis Id Subtype

    Table 25: Chassis ID Subtype
    ID Basis – Reference
    Chassis component – EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
    Interface alias – IfAlias (IETF RFC 2863)
    Port component – EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’...
  • Page 392: Figure 216: Displaying Local Device Information For Lldp (General)

    Interface Settings
    The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk.
    ◆ Port/Trunk Description – A string that indicates the port or trunk...
  • Page 393: Displaying Lldp Remote Port Information

    Displaying LLDP Remote Port Information
    Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
  • Page 394 | Link Layer Discovery Protocol
    Table 27: Port ID Subtype (Continued)
    ID Basis – Reference
    Port component – EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737)
    MAC address – MAC address (IEEE Std 802-2001)
    Network address – networkAddress
    Interface name – ifName (IETF RFC 2863)
  • Page 395: Table 28: Remote Port Auto-Negotiation Advertised Capability

    Port Details – 802.3 Extension Port Information
    ◆ Remote Port Auto-Neg Supported – Shows whether the given port (associated with remote system) supports auto-negotiation.
    ◆ Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the...
  • Page 396 | Link Layer Discovery Protocol
    ◆ Remote Power Pairs – “Signal” means that the signal pairs only are in use, and “Spare” means that the spare pairs only are in use.
    ◆ Remote Power MDI Supported – Shows whether MDI power is...
  • Page 397: Figure 218: Displaying Remote Device Information For Lldp (Port)

    Web Interface
    To display LLDP information for a remote port: Click Administration, LLDP. Select Show Remote Device Information from the Step list. Select Port, Port Details, Trunk, or Trunk Details.
    Figure 218: Displaying Remote Device Information for LLDP (Port)
  • Page 398: Figure 219: Displaying Remote Device Information For Lldp (Port Details)

    Figure 219: Displaying Remote Device Information for LLDP (Port Details)
  • Page 399: Displaying Device Statistics

    Displaying Device Statistics
    Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
    CLI References: "show lldp info statistics"...
  • Page 400: Simple Network Management Protocol

    Web Interface
    To display statistics for LLDP-capable devices attached to the switch: Click Administration, LLDP. Select Show Device Statistics from the Step list. Select General, Port, or Trunk.
    Figure 220: Displaying LLDP Device Statistics (General)
    Figure 221: Displaying LLDP Device Statistics (Port)
    Simple Network...
  • Page 401: Table 29: Snmpv3 Security Models And Levels

    Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device.
  • Page 402 | Simple Network Management Protocol
    The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access.
    Command Usage
    Configuring SNMPv1/2c Management Access
    To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration >...
  • Page 403: Configuring Global Settings For Snmp

    Configuring Global Settings for SNMP
    Use the Administration > SNMP (Configure Global) page to enable SNMPv3 service for all management clients (i.e., versions 1, 2c, 3), and to enable trap messages.
    CLI References: "snmp-server"...
  • Page 404: Setting The Local Engine Id

    Setting the Local Engine ID
    Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
  • Page 405: Specifying A Remote Engine Id

    Specifying a Remote Engine ID
    Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 406: Setting Snmpv3 Views

    Web Interface
    To configure a remote SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Add Remote Engine from the Action list. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
  • Page 407: Figure 226: Creating An Snmp View

    Parameters
    These parameters are displayed:
    Add View
    ◆ View Name – The name of the SNMP view. (Range: 1-64 characters)
    ◆ OID Subtree – Specifies the initial object identifier of a branch within...
  • Page 408: Figure 227: Showing Snmp Views

    To show the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list.
    Figure 227: Showing SNMP Views
    To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP.
  • Page 409: Configuring Snmpv3 Groups

    To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list. Select a view name from the list of existing views.
  • Page 410: Table 30: Supported Notification Messages

    ◆ Read View – The configured view for read access. (Range: 1-64 characters)
    ◆ Write View – The configured view for write access. (Range: 1-64 characters)
    ◆ Notify View – The configured view for notifications...
  • Page 411 | Simple Network Management Protocol
    Table 30: Supported Notification Messages (Continued)
    Model Level Group
    Private Traps †
    swPowerStatusChangeTrap – 1.3.6.1.4.1.259.10.1.11.2.1.0.1 – This trap is sent when the power state changes.
    swPortSecurityTrap – 1.3.6.1.4.1.259.10.1.11.2.1.0.36 – This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.
  • Page 412: Figure 230: Creating An Snmp Group

    Web Interface
    To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 413: Setting Community Access Strings

    Setting Community Access Strings
    Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 414: Configuring Local Snmpv3 Users

    To show the community access strings: Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list.
    Figure 233: Showing Community Access Strings
    Configuring Local SNMPv3 Users
    Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify...
  • Page 415 | Simple Network Management Protocol
      ■ AuthPriv – SNMP communications use both authentication and encryption.
    ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
    ◆ Authentication Password – A minimum of eight plain text characters...
  • Page 416: Configuring Remote Snmpv3 Users

    To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list.
    Figure 235: Showing Local SNMPv3 Users
    Configuring Remote SNMPv3 Users
    Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from...
  • Page 417 | Simple Network Management Protocol
    ◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model:
      ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 418 | Simple Network Management Protocol
    specified. If the security level is authPriv, a privacy password must also be specified. Click Apply.
    Figure 236: Configuring Remote SNMPv3 Users
    To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list.
  • Page 419: Specifying Trap Managers

    Specifying Trap Managers
    Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 420 | Simple Network Management Protocol
    Parameters
    These parameters are displayed:
    SNMP Version 1
    ◆ IP Address – IP address of a new management station to receive notification message (i.e., the targeted recipient).
    ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 421 | Simple Network Management Protocol
    SNMP Version 3
    ◆ IP Address – IP address of a new management station to receive notification message (i.e., the targeted recipient).
    ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 422: Figure 238: Configuring Trap Managers (Snmpv1)

    Web Interface
    To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply.
    Figure 238: Configuring Trap Managers (SNMPv1)
    Figure 239: Configuring Trap Managers (SNMPv2c)
  • Page 423: Figure 240: Configuring Trap Managers (Snmpv3)

    Figure 240: Configuring Trap Managers (SNMPv3)
    To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list.
    Figure 241: Showing Trap Managers
  • Page 424: Remote Monitoring

    Remote Monitoring
    Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 425 | Remote Monitoring
    ◆ Interval – The polling interval. (Range: 1-31622400 seconds)
    ◆ Sample Type – Tests for absolute or relative changes in the specified variable.
      ■ Absolute – The variable is compared directly to the thresholds at...
  • Page 426: Figure 242: Configuring An Rmon Alarm

    Web Interface
    To configure an RMON alarm: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Alarm. Enter an index number, the MIB object to be polled (etherStatsEntry.n.n), the polling interval, the sample type, the thresholds, and the event to trigger.
  • Page 427: Configuring Rmon Events

    Figure 243: Showing Configured RMON Alarms
    Configuring RMON Events
    Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
  • Page 428: Figure 244: Configuring An Rmon Event

      ■ Log and Trap – Logs the event and sends a trap message.
    ◆ Community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see "Setting Community Access Strings"...
  • Page 429: Configuring Rmon History Samples

    To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event.
    Figure 245: Showing Configured RMON Events
    Configuring RMON History Samples
    Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization,...
  • Page 430: Figure 246: Configuring An Rmon History Sample

    Parameters
    These parameters are displayed:
    ◆ Port – The port number on the switch.
    ◆ Index – Index to this entry. (Range: 1-65535)
    ◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800...
  • Page 431: Figure 247: Showing Configured Rmon History Samples

    To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History.
    Figure 247: Showing Configured RMON History Samples
    To show collected RMON history samples: Click Administration, RMON.
  • Page 432: Configuring Rmon Statistical Samples

    Configuring RMON Statistical Samples
    Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
    CLI References: "Remote Monitoring Commands"...
  • Page 433: Figure 249: Configuring An Rmon Statistical Sample

    Figure 249: Configuring an RMON Statistical Sample
    To show configured RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click Statistics.
  • Page 434: Switch Clustering

    To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics.
    Figure 251: Showing Collected RMON Statistical Samples
    Switch Clustering
    Switch clustering is a method of grouping switches together to enable...
  • Page 435: Configuring General Settings For Clusters

    information between the Commander and potential Candidates or active Members through VLAN 4093.
    ◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate”...
  • Page 436: Cluster Member Configuration

    ◆ Number of Members – The current number of Member switches in the cluster.
    ◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members.
    Web Interface
    To configure a switch cluster: Click Administration, Cluster.
  • Page 437: Figure 253: Configuring A Cluster Members

    INTERFACE: To configure cluster members: Click Administration, Cluster. Select Configure Member from the Step list. Select Add from the Action list. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
  • Page 438: Managing Cluster Members

    To show cluster candidates: Click Administration, Cluster. Select Configure Member from the Step list. Select Show Candidate from the Action list. Figure 255: Showing Cluster Candidates. Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
  • Page 439: Ethernet Ring Protection Switching

    INTERFACE: To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate. Figure 256: Managing a Cluster Member. ETHERNET RING PROTECTION SWITCHING...
  • Page 440: Figure 257: ERPS Ring Components

    blocked to traffic. One designated node, the RPL owner, is responsible for blocking traffic over the RPL. When a ring failure occurs, the RPL owner is responsible for unblocking the RPL, allowing this link to be used for traffic. Ring nodes may be in one of two states: Idle –...
  • Page 441 | Ethernet Ring Protection Switching: Configuration Guidelines for ERPS. Create an ERPS ring (Configure Domain – Add): The ring name is used as an index in the G.8032 database. Configure the east and west interfaces (Configure Domain – Configure Details): Each node on the ring connects to it through two ring ports.
  • Page 442: ERPS Configuration

    Ring ports cannot be a member of a dynamic trunk. Dynamic VLANs are not supported as protected data ports. Exclusive use of STP, EAPS or ERPS on any port...
  • Page 443: ERPS Ring Configuration

    Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings. CLI REFERENCES: "ERPS Commands" on page 919. COMMAND USAGE: An ERPS ring containing one Control VLAN and one or more protected...
  • Page 444 | Ethernet Ring Protection Switching: Configure Details. Domain Name – Name of a configured ERPS ring. Admin Status – Activates the current ERPS ring. Before enabling a ring, the global ERPS function should be enabled (see "ERPS Configuration"...
  • Page 445 | Ethernet Ring Protection Switching: RPL Owner – Configures a ring node to be the Ring Protection Link (RPL) owner. Holdoff Timer – The hold-off timer is used to filter out intermittent link faults. Faults will only be reported to the ring protection mechanism if this timer expires.
  • Page 446 | Ethernet Ring Protection Switching: Control VLAN must be tagged. Failure to observe these restrictions can result in a loop in the network. Once the ring has been activated, the configuration of the control VLAN cannot be modified. Use the Admin Status parameter to stop the ERPS ring before making any configuration changes to the control VLAN.
  • Page 447: Figure 259: Creating an ERPS Ring

    Figure 259: Creating an ERPS Ring. To configure the ERPS parameters for a ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Configure Details from the Action list. Configure the ERPS parameters for this node.
  • Page 448: Figure 261: Creating an ERPS Ring (Secondary Ring)

    Figure 261: Creating an ERPS Ring (Secondary Ring). To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list. Figure 262: Showing Configured ERPS Rings...
  • Page 449: Connectivity Fault Management

    Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
  • Page 450: Figure 263: Single CFM Maintenance Domain

    the DSAPs within an MA, and may also include interconnection points in lower-level domains if exposed by CFM settings. The following figure shows a single Maintenance Domain, with DSAPs located on the domain boundary, and Internal Service Access Points (ISAPs) inside the domain through which frames may pass between the DSAPs.
  • Page 451 | Connectivity Fault Management: distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN. Basic CFM Operations: CFM uses standard Ethernet frames for sending protocol messages. Both the source and destination address for these messages are based on unicast or multicast MAC addresses, and therefore confined to a single Layer 2 CFM service VLAN.
  • Page 452: Configuring Global Settings For CFM

    Configure the local maintenance end points (MEPs) which will serve as the domain service access points for the specified maintenance association using the MEP List (see "Configuring CFM Maintenance Associations"). Enter a static list of MEPs assigned to other devices within the same maintenance association using the Remote MEP List (see "Configuring Remote Maintenance End...
  • Page 453 | Connectivity Fault Management: Domains"), Configure MA page (see "Configuring CFM Maintenance Associations"), and the Configure MEP page (see "Configuring Maintenance End Points"). When CFM is enabled, hardware resources are allocated for CFM processing. MEP Cross Check Start Delay – Sets the maximum delay that a...
  • Page 454 | Connectivity Fault Management: Continuity Check Errors. Connectivity Check Config – Sends a trap if this device receives a continuity check message (CCM) with the same maintenance end point identifier (MPID) as its own but with a different source MAC address, indicating that a CFM configuration error exists.
  • Page 455 | Connectivity Fault Management: INTERFACE: To configure global settings for CFM: Click Administration, CFM. Select Configure Global from the Step list. Before enabling CFM processing on the switch, first configure the required CFM domains, maintenance associations, and static MEPs. Then set the delay time to wait for a remote MEP to come up before the switch starts cross-checking the end points learned through CCMs against those stored in the static list.
  • Page 456: Configuring Interfaces For CFM

    CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings. CLI REFERENCES: "ethernet cfm port-enable"...
  • Page 457 | Connectivity Fault Management: CLI REFERENCES: "CFM Commands" on page 1093. COMMAND USAGE: Configuring General Settings. Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
  • Page 458: Table 31: Remote MEP Priority Levels

    The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List. Configuring Fault Notification: A fault alarm can generate an SNMP notification. It is issued when the...
  • Page 459 | Connectivity Fault Management: PARAMETERS: These parameters are displayed: Creating a Maintenance Domain. MD Index – Domain index. (Range: 1-65535) MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters) MD Level – Authorized maintenance level for this domain...
  • Page 460: Figure 267: Configuring Maintenance Domains

    INTERFACE: To create a maintenance domain: Click Administration, CFM. Select Configure MD from the Step list. Select Add from the Action list. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). Specify the manner in which MIPs can be created within each domain.
  • Page 461: Configuring CFM Maintenance Associations

    To configure detailed settings for maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters. Click Apply. Figure 269: Configuring Detailed Settings for Maintenance Domains. Use the Administration >...
  • Page 462 | Connectivity Fault Management: Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 456). Before removing an MA, first remove the MEPs assigned to it (see...
  • Page 463 | Connectivity Fault Management: MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA: Default – MIPs can be created for this MA on any bridge port...
  • Page 464: Figure 270: Creating Maintenance Associations

    AIS Transmit Level – Configure the AIS maintenance level in an MA. (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level. AIS Suppress Alarm – Enables/disables suppression of the AIS...
  • Page 465: Figure 271: Showing Maintenance Associations

    Select an entry from the MD Index list. Figure 271: Showing Maintenance Associations. To configure detailed settings for maintenance associations: Click Administration, CFM. Select Configure MA from the Step list. Select Configure Details from the Action list. Select an entry from MD Index and MA Index.
  • Page 466: Configuring Maintenance End Points

    Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
  • Page 467: Configuring Remote Maintenance End Points

    Click Apply. Figure 273: Configuring Maintenance End Points. To show the configured maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 274: Showing Maintenance End Points. Use the Administration >...
  • Page 468 | Connectivity Fault Management: COMMAND USAGE: All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process. Remote MEPs can only be configured if local domain service access...
  • Page 469: Transmitting Link Trace Messages

    Figure 275: Configuring Remote Maintenance End Points. To show the configured remote maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 276: Showing Remote Maintenance End Points. Use the Administration >...
  • Page 470 | Connectivity Fault Management: LTMs are used to isolate faults. However, this task can be difficult in an Ethernet environment, since each node is connected through multipoint links. Fault isolation is even more challenging since the MAC address of the target node can age out in several minutes.
  • Page 471: Transmitting Loop Back Messages

    Check the results in the Link Trace cache (see "Displaying the Link Trace Cache"). Figure 277: Transmitting Link Trace Messages. Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e., a remote MEP or MIP) to echo the message back to the source.
  • Page 472 | Connectivity Fault Management: Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191) Target: MEP ID – The identifier of a remote MEP that is the target of a...
  • Page 473: Transmitting Delay-Measure Requests

    Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association. CLI REFERENCES: "ethernet cfm delay-measure two-way" on page 1132...
  • Page 474: Figure 279: Transmitting Delay-Measure Messages

    Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5) Packet Size – The size of the delay-measure message...
  • Page 475: Displaying Local MEPs

    Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device. CLI REFERENCES: "show ethernet cfm maintenance-points local" on page 1109...
  • Page 476: Displaying Details For Local MEPs

    Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database. CLI REFERENCES: "show ethernet cfm maintenance-points local detail mep"...
  • Page 477: Figure 281: Showing Detailed Information On Local MEPs

    Suppress Alarm – Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions. Suppressing Alarms – Shows if the specified MEP is currently...
  • Page 478: Displaying Local MIPs

    Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".) CLI R...
  • Page 479: Displaying Remote MEPs

    Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
  • Page 480: Displaying Details For Remote MEPs

    Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
  • Page 481: Figure 284: Showing Detailed Information On Remote MEPs

    Down – The interface cannot pass packets. Testing – The interface is in some test mode. Unknown – The interface status cannot be determined for some reason. Dormant – The interface is not in a state to pass packets but is in a...
  • Page 482: Displaying The Link Trace Cache

    Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device. CLI REFERENCES: "show ethernet cfm linktrace-cache" on page 1126...
  • Page 483: Displaying Fault Notification Settings

    EgrVid – The Egress Port can be identified, but the bridge port is not in the LTM’s VID member set, and was therefore filtered by egress filtering. Reply – Reply action:...
  • Page 484: Displaying Continuity Check Errors

    Alarm Time – The time a defect must exist before a fault alarm is issued. Reset Time – The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued. INTERFACE: To show configuration settings for the fault notification generator: Click Administration, CFM.
  • Page 485: Figure 287: Showing Continuity Check Errors

    and some other MA y, at a higher maintenance level, and associated with at least one of the VID(s) also in MA x, does have a MEP configured on the bridge port. VIDS –...
  • Page 486: OAM Configuration

    The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying remote device information.
  • Page 487 | OAM Configuration: Table 33: OAM Operation State (Continued), listing State and Description. Operational – When the local OAM entity learns that both it and the remote OAM entity have accepted the peering, the state moves to this state. Non Oper Half Duplex – This state is returned whenever Ethernet OAM is enabled but the interface is in half-duplex operation.
  • Page 488: Displaying Statistics For OAM Messages

    Window Size – The period of time in which to check the reporting threshold for errored frame link events. (Range: 10-65535 in units of 10 milliseconds; Default: 10 units of 10 milliseconds, or the equivalent of 1 second) Threshold Count –...
  • Page 489: Displaying The OAM Event Log

    Clear – Clears statistical counters for the selected ports. OAMPDU – Message types transmitted and received by the OAM protocol, including Information OAMPDUs, unique Event OAMPDUs, Loopback Control OAMPDUs, and Organization Specific OAMPDUs. INTERFACE: To display statistics for OAM messages: Click Administration, OAM, Counters.
  • Page 490: Displaying The Status Of Remote Interfaces

    INTERFACE: To display link events for the selected port: Click Administration, OAM, Event Log. Select a port from the drop-down list. Figure 290: Displaying the OAM Event Log. Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
  • Page 491: Configuring A Remote Loop Back Test

    not support the unidirectional function, but can parse error messages sent from a peer with unidirectional capability. Link Monitor – Shows if the OAM entity can send and receive Event Notification OAMPDUs. MIB Variable Retrieval –...
  • Page 492: Table 34: OAM Operation State

    To perform a loopback test, first enable Remote Loop Back Mode, click Test, and then click End. The number of packets transmitted and received will be displayed. PARAMETERS: These parameters are displayed: Loopback Mode of Remote Device Port –...
  • Page 493: Displaying Results Of Remote Loop Back Testing

    Packets Received – The number of loop back frames received during the last loopback test on this interface. Loss Rate – The percentage of packets for which there was no response. INTERFACE: To initiate a loop back test to the peer device attached to the selected port: Click Administration, OAM, Remote Loop Back.
  • Page 494: Figure 293: Displaying The Results Of Remote Loop Back Testing

    Packets Received – The number of loop back frames received during the last loop back test on this interface. Loss Rate – The percentage of packets transmitted for which there was no response. INTERFACE: To display the results of remote loop back testing for each port for which this information is available:...
  • Page 495: IP Configuration

    This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 496: Address Resolution Protocol

    The following are some results of the ping command: Normal response - The normal response occurs in one to ten seconds, depending on network traffic. Destination does not respond - If the host does not respond, a...
  • Page 497: Setting The ARP Timeout

    traffic passes along the path to its final destination in this way, with each routing device mapping the destination IP address to the MAC address of the next hop toward the recipient, until the packet is delivered to the final destination.
  • Page 498: Displaying ARP Entries

    INTERFACE: To configure the timeout for the ARP cache: Click IP, ARP. Select Configure General from the Step List. Set the timeout to a suitable value for the ARP cache. Click Apply. Figure 295: Setting the ARP Timeout. Use the IP >...
  • Page 499: Setting The Switch's IP Address (IP Version 4)

    This section describes how to configure an IPv4 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
  • Page 500: Configuring IPv4 Interface Settings

    Use the System > IP (Configure Interface – Add Address) page to configure an IPv4 address for the switch. An IPv4 address is obtained via DHCP by default for VLAN 1.
  • Page 501: Figure 298: Configuring A Static IPv4 Address

    INTERFACE: To set a static IPv4 address for the switch: Click System, IP. Select Configure Interface from the Step list. Select Add Address from the Action list. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,”...
  • Page 502: Figure 299: Configuring A Dynamic IPv4 Address

    To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch: Click System, IP. Select Configure Interface from the Step list. Select Add Address from the Action list. Select the VLAN through which the management station is attached, set the IP Address Mode to “DHCP”...
  • Page 503: Setting The Switch's IP Address (IP Version 6)

    Select Configure Interface from the Step list. Select Show Address from the Action list. Select an entry from the VLAN list. Figure 300: Showing the IPv4 Address Configured for an Interface...
  • Page 504: Configuring IPv6 Interface Settings

    PARAMETERS: These parameters are displayed: Default Gateway – Sets the IPv6 address of the default next hop router. An IPv6 default gateway must be defined if the management station...
  • Page 505 | Setting the Switch’s IP Address (IP Version 6): enabled. In this case, you must manually configure an address (see "Configuring an IPv6 Address" on page 507). IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks. IPv6 nodes on the same network segment use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors.
  • Page 506 | Setting the Switch’s IP Address (IP Version 6): IPv6 must be enabled on an interface before the MTU can be set. If an IPv6 address has not been assigned to the switch, “N/A” is displayed in the MTU field. ND DAD Attempts –...
  • Page 507: Configuring An IPv6 Address

    Restart DHCPv6 – DHCPv6 stateful configuration of IP address prefixes is not supported in the current software release. If the router advertisements have the “other stateful configuration” flag set, the switch will attempt to acquire other non-address configuration information (such as a default gateway) from a DHCPv6 server.
  • Page 508 | Setting the Switch’s IP Address (IP Version 6): The switch must always be configured with a link-local address. Therefore any configuration process that enables IPv6 functionality, or assigns a global unicast address to the switch, including address auto-configuration or explicitly enabling IPv6 (see "Configuring IPv6 Interface Settings"...
  • Page 509 | Setting the Switch’s IP Address (IP Version 6): by a forward slash, and a decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). EUI-64 (Extended Universal Identifier) –...
  • Page 510: Showing IPv6 Addresses

    INTERFACE: To configure an IPv6 address: Click IP, IPv6 Configuration. Select Add IPv6 Address from the Action list. Specify the VLAN to configure, select the address type, and then enter an IPv6 address and prefix length.
  • Page 511: Figure 304: Showing Configured IPv6 Addresses

    addresses, including all nodes (FF02::1), all routers (FF02::2), and solicited nodes (FF02::1:FFXX:XXXX) as described below. A node is also required to compute and join the associated solicited-node multicast addresses for every unicast and anycast address it is assigned.
  • Page 512: Showing The IPv6 Neighbor Cache

    Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices. CLI REFERENCES: "show ipv6 neighbors" on page 1192...
  • Page 513: Showing IPv6 Statistics

    Figure 305: Showing IPv6 Neighbors. Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI REFERENCES: "show ipv6 traffic"...
  • Page 514: Table 37: Show IPv6 Statistics - Display Description

    PARAMETERS: These parameters are displayed: Table 37: Show IPv6 Statistics - display description, listing Field and Description. IPv6 Statistics, IPv6 Received: Total – The total number of input datagrams received by the interface, including those received in error.
  • Page 515 | Setting the Switch’s IP Address (IP Version 6): Table 37: Show IPv6 Statistics - display description (Continued). IPv6 Transmitted: Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
  • Page 516 | Setting the Switch’s IP Address (IP Version 6): Table 37: Show IPv6 Statistics - display description (Continued). Neighbor Advertisement Messages – The number of ICMP Neighbor Advertisement messages received by the interface. Redirect Messages – The number of Redirect messages received by the interface. Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages...
  • Page 517 | Setting the Switch’s IP Address (IP Version 6): Table 37: Show IPv6 Statistics - display description (Continued). No Port Errors – The total number of received UDP datagrams for which there was no application at the destination port. Other Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the...
  • Page 518: Figure 307: Showing IPv6 Statistics (ICMPv6)

    Figure 307: Showing IPv6 Statistics (ICMPv6). Figure 308: Showing IPv6 Statistics (UDP)...
  • Page 519: Showing The MTU For Responding Destinations

    Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch. CLI REFERENCES...
  • Page 521: IP Services

    This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see "DHCP Snooping" on page 371. DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
  • Page 522: Configuring A List Of Domain Names

    WEB INTERFACE
    To configure general settings for DNS:
    1. Click IP Service, DNS.
    2. Select Configure Global from the Action list.
    3. Enable domain lookup, and set the default domain name.
    4. Click Apply.
    Figure 310: Configuring General Settings for DNS
    Configuring a List of Domain...
  • Page 523: Figure 311: Configuring A List Of Domain Names For DNS

    PARAMETERS
    These parameters are displayed:
    Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters)
    WEB INTERFACE
    To create a list of domain names:
    1. Click IP Service, DNS.
  • Page 524: Configuring A List Of Name Servers

    Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
    CLI REFERENCES
    "ip name-server"...
  • Page 525: Configuring Static DNS Host To Address Entries

    To show the list of name servers:
    1. Click IP Service, DNS.
    2. Select Show Name Servers from the Action list.
    Figure 314: Showing the List of Name Servers for DNS
    Configuring Static DNS Host to...
  • Page 526: Figure 315: Configuring Static Entries In The DNS Table

    WEB INTERFACE
    To configure static entries in the DNS table:
    1. Click IP Service, DNS, Static Host Table.
    2. Select Add from the Action list.
    3. Enter a host name and the corresponding address.
    4. Click Apply.
  • Page 527: Displaying The DNS Cache

    Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
    CLI REFERENCES
    "show dns cache"...
  • Page 529: Multicast

    MULTICAST FILTERING
    This chapter describes how to configure the following multicast services:
    ◆ IGMP – Configure snooping and query parameters.
    ◆ Filtering and Throttling – Filter specified multicast service, or throttle the maximum number of multicast groups allowed on an interface.
    ◆ Multicast VLAN Registration (MVR) –...
  • Page 530: Layer 2 IGMP (Snooping And Query)

    device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
  • Page 531 | also request that service be forwarded from any source except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources. When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
  • Page 532: Configuring IGMP Snooping And Query Parameters

    Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 533 | ◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 534 | When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred.
  • Page 535: Figure 319: Configuring General Settings For IGMP Snooping

    ◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300)
    ◆ IGMP Snooping Version –...
  • Page 536: Specifying Static Interfaces For A Multicast Router

    Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch.
    Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 537: Figure 321: Showing Static Interfaces Attached A Multicast Router

    To show the static interfaces attached to a multicast router:
    1. Click Multicast, IGMP Snooping, Multicast Router.
    2. Select Show Static Multicast Router from the Action list.
    3. Select the VLAN for which to display this information.
    Figure 321: Showing Static Interfaces Attached a Multicast Router
    To show all the interfaces attached to a multicast router:
    1. Click Multicast, IGMP Snooping, Multicast Router.
  • Page 538: Assigning Interfaces To Multicast Services

    Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface.
    Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 539: Figure 323: Assigning An Interface To A Multicast Service

    Figure 323: Assigning an Interface to a Multicast Service
    To show the static interfaces assigned to a multicast service:
    1. Click Multicast, IGMP Snooping, IGMP Member.
    2. Select Show Static Member from the Action list.
    3. Select the VLAN for which to display this information.
  • Page 540: Setting IGMP Snooping Status Per Interface

    Figure 325: Showing Current Interfaces Assigned to a Multicast Service
    Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN interface. To configure snooping globally, refer to...
  • Page 541 | sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the occurrence of these events:
    ■ Upon the expiration of a periodic (randomized) timer...
  • Page 542 | When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.
    ◆ Version Exclusive – Discards any received IGMP messages (except for...
  • Page 543 | ◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.
  • Page 544: Figure 326: Configuring IGMP Snooping On A VLAN

    ◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 545: Displaying Multicast Groups Discovered By IGMP Snooping

    To show the interface settings for IGMP snooping:
    1. Click Multicast, IGMP Snooping, Interface.
    2. Select Show VLAN Information from the Action list.
    Figure 327: Showing Interface Settings for IGMP Snooping
    Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
  • Page 546: Displaying IGMP Snooping Statistics

    WEB INTERFACE
    To show multicast groups learned through IGMP snooping:
    1. Click Multicast, IGMP Snooping, Forwarding Entry.
    2. Select the VLAN for which to display this information.
    Figure 328: Showing Multicast Groups Learned by IGMP Snooping
    Use the Multicast >...
  • Page 547 | ◆ Specific Query Received – The number of specific queries received on this interface.
    ◆ Specific Query Sent – The number of specific queries sent from this interface.
    ◆ Number of Reports Sent – The number of reports sent from this...
  • Page 548: Figure 329: Displaying IGMP Snooping Statistics – Query

    WEB INTERFACE
    To display statistics for IGMP snooping query-related messages:
    1. Click Multicast, IGMP Snooping, Statistics.
    2. Select Show Query Statistics from the Action list.
    3. Select a VLAN.
    Figure 329: Displaying IGMP Snooping Statistics – Query
  • Page 549: Figure 330: Displaying IGMP Snooping Statistics – VLAN

    To display IGMP snooping protocol-related statistics for a VLAN:
    1. Click Multicast, IGMP Snooping, Statistics.
    2. Select Show VLAN Statistics from the Action list.
    3. Select a VLAN.
    Figure 330: Displaying IGMP Snooping Statistics – VLAN
  • Page 550: Filtering And Throttling IGMP Groups

    To display IGMP snooping protocol-related statistics for a port:
    1. Click Multicast, IGMP Snooping, Statistics.
    2. Select Show Port Statistics from the Action list.
    3. Select a Port.
    Figure 331: Displaying IGMP Snooping Statistics – Port
    Filtering and Throttling IGMP Groups...
  • Page 551: Enabling IGMP Filtering And Throttling

    dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
    Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.
  • Page 552: Figure 333: Creating An IGMP Filtering Profile

    PARAMETERS
    These parameters are displayed:
    ◆ Profile ID – Creates an IGMP profile. (Range: 1-4294967295)
    ◆ Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
  • Page 553: Figure 334: Showing The IGMP Filtering Profiles Created

    To show the IGMP filter profiles:
    1. Click Multicast, IGMP Snooping, Filter.
    2. Select Configure Profile from the Step list.
    3. Select Show from the Action list.
    Figure 334: Showing the IGMP Filtering Profiles Created
    To add a range of multicast groups to an IGMP filter profile:
    1. Click Multicast, IGMP Snooping, Filter.
  • Page 554: Configuring IGMP Filtering And Throttling For Interfaces

    Select Show Multicast Group Range from the Action list.
    Select the profile for which to display this information.
    Figure 336: Showing the Groups Assigned to an IGMP Filtering Profile
    Use the Multicast > IGMP Snooping > Configure Interface page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast...
  • Page 555: Multicast VLAN Registration

    ◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny)
    ■ Deny - The new multicast group join report is dropped...
  • Page 556 | onto different VLAN groups from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).
    Figure 338: MVR Concept...
  • Page 557: Configuring MVR Domain Settings

    Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
    CLI REFERENCES
    "Multicast VLAN Registration"...
  • Page 558: Configuring MVR Group Address Profiles

    Enable MVR for the selected domain, select the MVR VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
  • Page 559: Figure 340: Configuring An MVR Group Address Profile

    PARAMETERS
    These parameters are displayed:
    Configure Profile
    ◆ Profile Name – The name of a profile containing one or more MVR group addresses. (Range: 1-20 characters)
    ◆ Start IP Address – Starting IP address for an MVR multicast group...
  • Page 560: Figure 341: Displaying MVR Group Address Profiles

    To show the configured MVR group address profiles:
    1. Click Multicast, MVR.
    2. Select Configure Profile from the Step list.
    3. Select Show from the Action list.
    Figure 341: Displaying MVR Group Address Profiles
    To assign an MVR group address profile to a domain:
    1. Click Multicast, MVR.
  • Page 561: Configuring MVR Interface Status

    To show the MVR group address profiles assigned to a domain:
    1. Click Multicast, MVR.
    2. Select Associate Profile from the Step list.
    3. Select Show from the Action list.
    Figure 343: Showing the MVR Group Address Profiles Assigned to a Domain
    Use the Multicast >...
  • Page 562 | ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a query message to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  • Page 563: Assigning Static Multicast Groups To Interfaces

    WEB INTERFACE
    To configure interface settings for MVR:
    1. Click Multicast, MVR.
    2. Select Configure Interface from the Step list.
    3. Select Configure Port or Configure Trunk from the Action list.
    4. Select an MVR domain.
    5. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
  • Page 564: Figure 345: Assigning Static MVR Groups To A Port

    ◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings.
    PARAMETERS
    These parameters are displayed:
    ◆ Domain ID – An independent multicast domain. (Range: 1-5)
    ◆ Interface – Port or trunk identifier.
    ◆ VLAN –...
  • Page 565: Displaying MVR Receiver Groups

    To show the static MVR groups assigned to an interface:
    1. Click Multicast, MVR.
    2. Select Configure Static Group Member from the Step list.
    3. Select Show from the Action list.
    4. Select an MVR domain.
    5. Select the port or trunk for which to display this information.
    Figure 346: Showing the Static MVR Groups Assigned to a Port
    Use the Multicast >...
  • Page 566: Displaying MVR Statistics

    ◆ Expire – Time before this entry expires if no membership report is received from currently active or new clients.
    ◆ Count – The number of multicast services currently being forwarded from the MVR VLAN.
    WEB INTERFACE
    To display the interfaces assigned to the MVR receiver groups:
    1. Click Multicast, MVR...
  • Page 567 | ◆ Querier Expire Time – The time after which this querier is assumed to have expired.
    ◆ General Query Received – The number of general queries received on this interface.
    ◆ General Query Sent – The number of general queries sent from this...
  • Page 568 | ◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.
    WEB INTERFACE
    To display statistics for MVR query-related messages:
    1. Click Multicast, MVR.
    2. Select Show Statistics from the Step list.
    3. Select Show Query Statistics from the Action list.
  • Page 569: Figure 349: Displaying MVR Statistics – VLAN

    To display MVR protocol-related statistics for a VLAN:
    1. Click Multicast, MVR.
    2. Select Show Statistics from the Step list.
    3. Select Show VLAN Statistics from the Action list.
    4. Select an MVR domain.
    5. Select a VLAN.
    Figure 349: Displaying MVR Statistics –...
  • Page 570: Figure 350: Displaying MVR Statistics – Port

    To display MVR protocol-related statistics for a port:
    1. Click Multicast, MVR.
    2. Select Show Statistics from the Step list.
    3. Select Show Port Statistics from the Action list.
    4. Select an MVR domain.
    5. Select a Port.
    Figure 350: Displaying MVR Statistics –...
  • Page 571: Section

    COMMAND LINE INTERFACE
    This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters:
    ◆ "Using the Command Line Interface" on page 573
    ◆ "General Commands" on page 587
    ◆...
  • Page 572 | ◆ "Quality of Service Commands" on page 987
    ◆ "Multicast Filtering Commands" on page 1007
    ◆ "LLDP Commands" on page 1069
    ◆ "CFM Commands" on page 1093
    ◆ "OAM Commands" on page 1135
    ◆ "Domain Name Service Commands" on page 1145
    ◆...
  • Page 573: Using The Command Line Interface

    This chapter describes how to use the Command Line Interface (CLI).
    ACCESSING THE CLI
    When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 574: Telnet Connection

    Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 575: Entering Commands

    You can open up to four sessions to the device via Telnet.
    ENTERING COMMANDS
    This section describes how to enter CLI commands.
    KEYWORDS AND ARGUMENTS
    A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 576: Getting Help On Commands

    You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
    SHOWING COMMANDS
    If you enter a “?”...
  • Page 577: Partial Keyword Lookup

    radius-server    RADIUS server information
    reload           Shows the reload settings
    rmon             Remote Monitoring Protocol
    rspan            Display status of the current RSPAN configuration
    running-config   Information on the running configuration
    sflow            Shows the sflow information
    snmp             Simple Network Management Protocol configuration and statistics...
  • Page 578: Negating The Effect Of Commands

    For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server.
  • Page 579: Configuration Commands

    display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.”
    To enter Privileged Exec mode, enter the following user names and passwords:
    Username: admin
    Password: [admin login password]...
  • Page 580: Table 40: Configuration Command Modes

    ◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
    ◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
    ◆ Line Configuration - These commands modify the console port and...
  • Page 581 | Table 40: Configuration Command Modes (Continued)
    Mode | Command | Prompt
    Time Range | time-range | Console(config-time-range)
    VLAN | vlan database | Console(config-vlan)
    For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
    Console(config)#interface ethernet 1/5
    Console(config-if)#exit
    Console(config)#...
  • Page 582: Command Line Processing

    Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 583: Output Modifiers

    VLAN M'cast Router Ports Type
    ---- ------------------- -------
         Eth 1/11            Static
    Console#
    Some of the show commands include options for output modifiers. For example, the “show running-config” command includes the following keyword options:
    Console#show running-config ?
    |   Output modifiers...
  • Page 584 | Table 42: Command Group Index (Continued)
    User Authentication – Configures user names and passwords, logon access using local or remote authentication, management access through the web server, Telnet server and Secure Shell;...
  • Page 585 | Table 42: Command Group Index (Continued)
    OAM – Configures Operations, Administration and Maintenance remote management tools required to monitor and maintain the links to subscriber CPEs (page 1135)
    Domain Name Service – Configures DNS services...
  • Page 587: General Commands

    The general commands are used to control the command access mode, configuration mode, and other basic functions.
    Table 43: General Commands
    prompt – Customizes the CLI prompt
    reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval
    enable – Activates privileged mode...
  • Page 588: Reload (Global Configuration)

    EXAMPLE
    Console(config)#prompt RD2
    RD2(config)#
    reload (Global Configuration) – This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 589: Enable

    COMMAND USAGE
    ◆ This command resets the entire system.
    ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
    ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 590: Quit

    EXAMPLE
    Console>enable
    Password: [privileged level password]
    Console#
    RELATED COMMANDS
    disable (592)
    enable password (692)
    quit – This command exits the configuration program.
    DEFAULT SETTING
    None
    COMMAND MODE
    Normal Exec, Privileged Exec
    COMMAND USAGE
    The quit and exit commands can both exit the configuration program.
    EXAMPLE
    This example shows how to quit a CLI session:
    Console#quit...
  • Page 591: Configure

    EXAMPLE
    In this example, the show history command lists the contents of the command history buffer:
    Console#show history
    Execution command history:
     2 config
     1 show history
    Configuration command history:
     4 interface vlan 1
     3 exit
     2 interface vlan 1
     1 end
    Console#
    The ! command repeats commands from the Execution command history...
  • Page 592: Disable

    disable – This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 593: Show Reload

    show reload – This command displays the current reload settings, and the time at which the next scheduled reload will take place.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show reload
    Reloading switch in time: 0 hours 29 minutes.
    The switch will be rebooted at January 1 02:11:50 2001.
  • Page 594 | EXAMPLE
    This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
    Console(config)#exit
    Console#exit
    Press ENTER to start session
    User Access Verification
    Username:
  • Page 595: System Management Commands

    The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
    Table 44: System Management Commands
    Device Designation – Configures information that uniquely identifies this switch
    Banner Information – Configures administrative contact, device identification and location...
  • Page 596: Hostname

    hostname – This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
    SYNTAX
    hostname name
    no hostname
    name - The name of this host. (Maximum length: 255 characters)
    DEFAULT SETTING
    None...
  • Page 597: Banner Configure

    If, for example, a mistake is made in the company name, it can be corrected with the banner configure company command.
    EXAMPLE
    Console(config)#banner configure
    Company: Edge-Core Networks
    Responsible department: R&D Dept
    Name and telephone to Contact the management people
    Manager1 name: Sr. Network Admin
    phone number: 123-555-1212
    Manager2 name: Jr....
  • Page 598: Banner Configure Company

    Row: 7
    Rack: 29
    Shelf in this rack: 8
    Information about DC power supply.
    Floor: 2
    Row: 7
    Rack: 25
    Electrical circuit: : ec-177743209-xb
    Number of LP:12
    Position of the equipment in the MUX:1/23
    IP LAN:192.168.1.1
    Note: This is a random note about this managed switch and can contain miscellaneous information...
  • Page 599: Banner Configure Dc-Power-Info

    banner configure dc-power-info – This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
    SYNTAX
    banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
    no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 600: Banner Configure Equipment-Info

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 601: Banner Configure Equipment-Location

    EXAMPLE
    Console(config)#banner configure equipment-info manufacturer-id ECS4810-12M floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core
    Console(config)#
    banner configure equipment-location – This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 602: Banner Configure Lp-Number

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 603: Banner Configure Manager-Info

    banner configure manager-info – This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
    SYNTAX
    banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
    no banner configure manager-info [name1 | name2 | name3]...
  • Page 604: Banner Configure Note

    DEFAULT SETTING
    None
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 605: Show Banner

    R&D
    Albert_Einstein - 123-555-1212
    Lamar - 123-555-1219
    Station's information:
    710_Network_Path,_Indianapolis
    Edge-Core - ECS4810-12M
    Floor / Row / Rack / Sub-Rack
    3/ 10 / 15 / 12
    DC power supply:
    Power Source A: Floor / Row / Rack / Electrical circuit
    3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 606: Show Access-List Tcam-Utilization

    show access-list tcam-utilization – This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
    COMMAND MODE
    Privileged Exec
    COMMAND...
  • Page 607: Show Process Cpu

    System Management Commands: System Status. show process cpu: This command shows the CPU utilization parameters. Command Mode: Normal Exec, Privileged Exec. Example: Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show running-config: This command displays the configuration information currently in use. Syntax...
  • Page 608: Show Startup-Config

    System Management Commands: System Status. ■ Interface settings ■ Any configured settings for the console port and Telnet. Example: Console#show running-config Building startup configuration. Please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac> snmp-server community public ro snmp-server community private rw snmp-server enable traps authentication username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0...
  • Page 609: Show System

    System Management Commands: System Status. ◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: ■ MAC address for the switch...
  • Page 610: Show Tech-Support

    System Management Commands: System Status. Example: Console#show system System Description : ECS4810-12M System OID String : 1.3.6.1.4.1.259.10.1.11 System Information System Up Time : 0 days, 7 hours, 20 minutes, and 43.30 seconds System Name System Location System Contact MAC Address (Unit 1) : 00-E0-0C-00-00-FD Web Server...
  • Page 611: Show Users

    System Management Commands: System Status. show users: Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 612: Frame Size

    System Management Commands: Frame Size. Example: Console#show version Unit 1 Serial Number : S123456 Hardware Version : R0A EPLD Version : 0.00 Number of Ports : 12 Main Power Status : Up Redundant Power Status : Not present Role : Master Loader Version...
  • Page 613: File Management

    System Management Commands: File Management. size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames. ◆ The current setting for jumbo frames can be displayed with the show system command. Example: Console(config)#jumbo frame Console(config)# File Management...
  • Page 614: Boot System

    System Management Commands: File Management. Table 49: Flash/File Commands (Continued) (columns: Command, Function, Mode). Automatic Code Upgrade Commands. upgrade opcode auto: Automatically upgrades the current image when a new version is detected on the indicated server. upgrade opcode path: Specifies an FTP/TFTP server and directory in which the new opcode is stored. This command specifies the file or image used to start up the system.
  • Page 615: Copy

    System Management Commands: File Management. copy: This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 616 System Management Commands: File Management. ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. ◆ For information on specifying an https-certificate, see "Replacing the...
  • Page 617: System Management Commands

    System Management Commands: File Management. The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 618: Delete

    System Management Commands: File Management. delete: This command deletes a file or image. Syntax: delete filename. filename - Name of configuration file or code image. Default Setting: None. Command Mode: Privileged Exec. Command Usage: ◆ If the file type is used for system startup, then this file cannot be deleted.
  • Page 619: Whichboot

    System Management Commands: File Management. Command Usage: ◆ If you enter the command dir without any parameters, the system displays all files. File information is shown below: Table 50: File Directory Information (columns: Column Heading, Description). File Name: The name of the file. File Type: File types: Boot-Rom, Operation Code, and Config file.
  • Page 620: Upgrade Opcode Auto

    System Management Commands: File Management. Example: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modify Time Size(bytes) -------------------------------- ------- ------- ------------------- -----------...
  • Page 621: Upgrade Opcode Path

    System Management Commands: File Management. Example: Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup. Automatic Upgrade is looking for a new image New image detected: current version 1.1.1.0;...
  • Page 622 System Management Commands: File Management. ◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password@]]192.168.0.1[/filedir]/ If the user name is omitted, “anonymous” will be used for the connection.
  • Page 623: Line

    System Management Commands: Line. You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 624: Databits

    System Management Commands: Line. Command Mode: Global Configuration. Command Usage: Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 625: Exec-Timeout

    System Management Commands: Line. Related Commands: parity (626). exec-timeout: This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax: exec-timeout [seconds]; no exec-timeout. seconds - Integer that specifies the timeout interval. (Range: 0 - 65535 seconds;...
  • Page 626: Parity

    System Management Commands: Line. Default Setting: login local. Command Mode: Line Configuration. Command Usage: ◆ There are three authentication modes provided by the switch itself at login: ■ login selects authentication by a single global password as specified by the password line configuration command.
  • Page 627: Password

    System Management Commands: Line. Default Setting: No parity. Command Mode: Line Configuration. Command Usage: Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example: To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# This command specifies the password for a line.
  • Page 628: Password-Thresh

    System Management Commands: Line. Example: Console(config-line)#password 0 secret Console(config-line)# Related Commands: login (625), password-thresh (628). password-thresh: This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
  • Page 629: Silent-Time

    System Management Commands: Line. silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax: silent-time [seconds]; no silent-time...
  • Page 630: Stopbits

    System Management Commands: Line. be supported. The system indicates if the speed you selected is not supported. Example: To specify 57600 bps, enter this command: Console(config-line)#speed 57600 Console(config-line)# stopbits: This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.
  • Page 631: Disconnect

    System Management Commands: Line. Command Mode: Line Configuration. Command Usage: ◆ If a login attempt is not detected within the timeout interval, the connection is terminated for the session. ◆ This command applies to both the local console and Telnet connections...
  • Page 632: Show Line

    System Management Commands: Event Logging. show line: This command displays the terminal line’s parameters. Syntax: show line [console | vty]. console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting: Shows all lines. Command Mode: Normal Exec, Privileged Exec. Example...
  • Page 633: Logging Facility

    System Management Commands: Event Logging. Table 52: Event Logging Commands (Continued) (columns: Command, Function, Mode). logging trap: Limits syslog messages saved to a remote server based on severity. clear log: Clears messages from the logging buffer. show log: Displays log messages. show logging: Displays the state of logging. This command sets the facility type for remote logging of syslog messages.
  • Page 634: Logging History

    System Management Commands: Event Logging. logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax: logging history {flash | ram} level; no logging history {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 635: Logging Host

    System Management Commands: Event Logging. logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax: [no] logging host host-ip-address. host-ip-address - The IP address of a syslog server. Default Setting: None...
  • Page 636: Logging Trap

    System Management Commands: Event Logging. Related Commands: logging history (634), logging trap (636), clear log (636). logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 637: Show Log

    System Management Commands: Event Logging. Command Mode: Privileged Exec. Example: Console#clear log Console# Related Commands: show log (637). show log: This command displays the log messages stored in local memory. Syntax: show log {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 638: Show Logging

    System Management Commands: Event Logging. show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax: show logging {flash | ram | sendmail | trap}. flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 639: Smtp Alerts

    System Management Commands: SMTP Alerts. Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Console# Table 55: show logging trap - display description. Field...
  • Page 640: Logging Sendmail

    System Management Commands: SMTP Alerts. logging sendmail: This command enables SMTP event handling. Use the no form to disable this function. Syntax: [no] logging sendmail. Default Setting: Enabled. Command Mode: Global Configuration. Example: Console(config)#logging sendmail Console(config)# logging sendmail host: This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
  • Page 641: Logging Sendmail Level

    System Management Commands: SMTP Alerts. Example: Console(config)#logging sendmail host 192.168.1.19 Console(config)# logging sendmail level: This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. Syntax: logging sendmail level level; no logging sendmail level. level - One of the system message levels (page...
  • Page 642: Logging Sendmail Source-Email

    System Management Commands: SMTP Alerts. Command Mode: Global Configuration. Command Usage: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example: Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail source-email: This command sets the email address used for the “From” field in alert messages.
  • Page 643: Time

    System Management Commands: Time. SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com SMTP Source Email Address: bill@this-company.com SMTP Status: Enabled Console# The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 644: Sntp Poll

    System Management Commands: Time. Command Usage: ◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 645: Sntp Server

    System Management Commands: Time. Related Commands: sntp client (643). sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 646: Clock Timezone

    System Management Commands: Time. Example: Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0 Current Server : 137.92.140.80 Console# This command sets the time zone for the switch’s internal clock.
  • Page 647: Calendar Set

    System Management Commands: Time. calendar set: This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax: calendar set hour min sec {day month year | month day year}. hour - Hour in 24-hour format.
  • Page 648: Time Range

    System Management Commands: Time Range. This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 58: Time Range Commands (columns: Command, Function, Mode). time-range: Specifies the name of a time range, and enters time range configuration mode. absolute: Sets the time range for the execution of a command...
  • Page 649: Absolute

    System Management Commands: Time Range. absolute: This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. Syntax: absolute start hour minute day month year [end hour minutes day month year]; absolute end hour minutes day month year; no absolute. hour - Hour in 24-hour format.
  • Page 650: Periodic

    System Management Commands: Time Range. periodic: This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. Syntax: [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend |...
  • Page 651: Show Time-Range

    System Management Commands: Switch Clustering. show time-range: This command shows configured time ranges. Syntax: show time-range [name]. name - Name of the time range. (Range: 1-30 characters) Default Setting: None. Command Mode: Privileged Exec. Example: Console#show time-range r&d Time-range r&d: absolute start 01:01 01 April 2009 periodic Daily 01:01 to...
  • Page 652: Cluster

    System Management Commands: Switch Clustering. then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
  • Page 653: Cluster Commander

    System Management Commands: Switch Clustering. Example: Console(config)#cluster Console(config)# cluster commander: This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. Syntax: [no] cluster commander. Default Setting: Disabled. Command Mode: Global Configuration. Command Usage...
  • Page 654: Cluster Member

    System Management Commands: Switch Clustering. Command Usage: ◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
  • Page 655: Rcommand

    System Management Commands: Switch Clustering. rcommand: This command provides access to a cluster Member CLI for configuration. Syntax: rcommand id member-id. member-id - The ID number of the Member switch. (Range: 1-36) Command Mode: Privileged Exec. Command Usage: ◆ This command only operates through a Telnet connection to the...
  • Page 656: Show Cluster Members

    System Management Commands: Switch Clustering. show cluster members: This command shows the current switch cluster members. Command Mode: Privileged Exec. Example: Console#show cluster members Cluster Members: Role : Active member IP Address : 10.254.254.2 MAC Address : 00-E0-0C-00-00-FE Description : ECS4810-12M Console# This command shows the discovered Candidate switches in the network.
  • Page 657: Snmp Commands

    SNMP Commands. SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 658: Snmp-Server

    SNMP Commands. Table 60: SNMP Commands (Continued) (columns: Command, Function, Mode). Notification Log Commands. nlm: Enables the specified notification log. snmp-server notify-filter: Creates a notification log and specifies the target host. show nlm oper-status: Shows operation status of configured notification logs. show snmp notify-filter: Displays the configured notification logs...
  • Page 659: Snmp-Server Community

    SNMP Commands. Example: Console(config)#snmp-server Console(config)# snmp-server community: This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string. Syntax: snmp-server community string [ro | rw]; no snmp-server community string. string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 660: Snmp-Server Location

    SNMP Commands. Command Mode: Global Configuration. Example: Console(config)#snmp-server contact Paul Console(config)# Related Commands: snmp-server location (660). snmp-server location: This command sets the system location string. Use the no form to remove the location string. Syntax: snmp-server location text; no snmp-server location. text - String that describes the system location.
  • Page 661: Snmp-Server Enable Traps

    SNMP Commands. Example: Console#show snmp SNMP Agent : Enabled SNMP Traps : Authentication : Enabled Link-up-down : Enabled SNMP Communities : 1. public, and the access level is read-only 2. private, and the access level is read/write 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied...
  • Page 662: Snmp-Server Host

    SNMP Commands. Command Usage: ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
  • Page 663 SNMP Commands. community-string - Password-like community string sent with the notification operation to SNMP V1 and V2c hosts. Although you can set this string using the snmp-server host command by itself, we recommend defining it with the snmp-server community command prior to using the snmp-server host command.
  • Page 664 SNMP Commands. To send an inform to a SNMPv2c host, complete these steps: 1. Enable the SNMP agent (page 658). 2. Create a view with the required notification messages (page 668). 3. Create a group that includes the required notify view (page 666).
  • Page 665: Snmp-Server Engine-Id

    SNMP Commands. snmp-server engine-id: This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax: snmp-server engine-id {local | remote {ip-address}} engineid-string; no snmp-server engine-id {local | remote {ip-address}}. local - Specifies the SNMP engine on this switch. remote - Specifies an SNMP engine on a remote device.
  • Page 666: Snmp-Server Group

    SNMP Commands. Related Commands: snmp-server host (662). snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]; no snmp-server group groupname. groupname - Name of an SNMP group.
  • Page 667: Snmp-Server User

    SNMP Commands. Example: Console(config)#snmp-server group r&d v3 auth write daily Console(config)# snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
  • Page 668: Snmp-Server View

    SNMP Commands. ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. ◆ The SNMP engine ID is used to compute the authentication/privacy...
  • Page 669: Show Snmp Engine-Id

    SNMP Commands. Command Usage: ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. ◆ The predefined view “defaultview” includes access to the entire MIB tree. Examples: This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr.
  • Page 670: Show Snmp Group

    SNMP Commands. Table 61: show snmp engine-id - display description (Continued) (columns: Field, Description). Remote SNMP engineID: String identifying an engine ID on a remote device. IP address: IP address of the device containing the corresponding remote SNMP engine. Four default groups are provided –...
  • Page 671: Show Snmp User

    SNMP Commands. Table 62: show snmp group - display description (columns: Field, Description). groupname: Name of an SNMP group. security model: The SNMP version. readview: The associated read view. writeview: The associated write view. notifyview: The associated notify view. storage-type: The storage type for this entry.
  • Page 672: Show Snmp View

    SNMP Commands. show snmp view: This command shows information on the SNMP views. Command Mode: Privileged Exec. Example: Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile...
  • Page 673: Snmp-Server Notify-Filter

    SNMP Commands. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example: This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 674: Show Nlm Oper-Status

    SNMP Commands. ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
  • Page 675: Show Snmp Notify-Filter

    SNMP Commands. show snmp notify-filter: This command displays the configured notification logs. Command Mode: Privileged Exec. Example: This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- ---------------- 10.1.19.23 Console#
  • Page 677: Remote Monitoring Commands

    Remote Monitoring Commands. Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 678: Rmon Alarm

    Remote Monitoring Commands. rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]; no rmon alarm index. index –...
  • Page 679: Rmon Event

    Remote Monitoring Commands. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 680: Rmon Collection History

    Remote Monitoring Commands. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. Example: Console(config)#rmon event 2 log description urgent owner mike Console(config)# This command periodically samples statistics on a physical interface.
  • Page 681: Rmon Collection Rmon1

    Remote Monitoring Commands. Example: Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike Console(config-if)# rmon collection rmon1: This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection. Syntax: rmon collection rmon1 controlEntry index [owner name]...
  • Page 682: Show Rmon Alarms

    Remote Monitoring Commands. show rmon alarms: This command shows the settings for all configured alarms. Command Mode: Privileged Exec. Example: Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0 Falling threshold is 446400, assigned to event 0 This command shows the settings for all configured events.
  • Page 683: Show Rmon Statistics

    Remote Monitoring Commands. show rmon statistics: This command shows the information collected for all configured entries in the statistics group. Command Mode: Privileged Exec. Example: Console#show rmon statistics Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 which has Received 164289 octets, 2372 packets, 120 broadcast and 2211 multicast packets, 0 undersized and 0 oversized packets,...
  • Page 685: Flow Sampling Commands

    Flow Sampling Commands. Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 686: Sflow Max-Datagram-Size

    Flow Sampling Commands. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields. destination-udp-port - The UDP port on which the Collector is listening for sFlow streams. (Range: 0-65534) Default Setting: IP Address: null...
  • Page 687: Sflow Max-Header-Size

    Flow Sampling Commands. sflow max-header-size: This command configures the maximum size of the sFlow datagram header. Use the no form to restore the default setting. Syntax: sflow max-header-size max-header-size; no max-header-size. max-header-size - The maximum size of the sFlow datagram header.
  • Page 688: Sflow Sample

    Flow Sampling Commands. sflow sample: This command configures the packet sampling rate. Use the no form to restore the default rate. Syntax: sflow sample rate; no sflow sample. rate - The packet sampling rate, or the number of packets out of which one sample will be taken.
  • Page 689: Sflow Timeout

    Flow Sampling Commands. sflow timeout: This command configures the length of time samples are sent to the Collector before resetting all sFlow port parameters. Use the no form to restore the default time out. Syntax: sflow timeout seconds; no sflow timeout. seconds - The length of time the sFlow process continuously sends samples to the Collector before resetting all sFlow port parameters.
  • Page 690 Flow Sampling Commands. Command Mode: Privileged Exec. Example: Console#show sflow interface ethernet 1/9 Interface of Ethernet Interface status : Enabled Owner name : Lamar Owner destination : 192.168.0.4 Owner socket port : 6343 Time out : 9994 Maximum header size : 256 Maximum datagram size : 1500 Sample rate...
  • Page 691: Authentication

    Authentication Commands. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 692: Enable Password

    Authentication Commands: User Accounts. enable password: After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 693: Username

    Authentication Commands: User Accounts. username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
  • Page 694: Authentication Sequence

    CHAPTER | Authentication Commands | Authentication Sequence. AUTHENTICATION SEQUENCE: Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 70: Authentication Sequence Commands. Columns: Command, Function, Mode...
  • Page 695: Authentication Login

    CHAPTER | Authentication Commands | Authentication Sequence. EXAMPLE: Console(config)#authentication enable radius Console(config)# RELATED COMMANDS: enable password - sets the password for changing command modes (692). authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default. SYNTAX: authentication login {[local] [radius] [tacacs]}; no authentication login...
  • Page 696: Radius Client

    CHAPTER | Authentication Commands | RADIUS Client. RELATED COMMANDS: username - for setting the local user names and passwords (693). RADIUS CLIENT: Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
  • Page 697: Radius-Server Auth-Port

    CHAPTER | Authentication Commands | RADIUS Client. radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX: radius-server auth-port port-number; no radius-server auth-port. port-number - RADIUS server UDP port used for authentication messages.
  • Page 698: Radius-Server Key

    CHAPTER | Authentication Commands | RADIUS Client. DEFAULT SETTING: auth-port - 1812; acct-port - 1813; timeout - 5 seconds; retransmit - 2. COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green Console(config)# radius-server key: This command sets the RADIUS encryption key. Use the no form to restore the default.
  • Page 699: Radius-Server Timeout

    CHAPTER | Authentication Commands | RADIUS Client. DEFAULT SETTING: COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout: This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. SYNTAX: radius-server timeout number-of-seconds; no radius-server timeout. number-of-seconds - Number of seconds the switch waits for a...
  • Page 700: Tacacs+ Client

    CHAPTER | Authentication Commands | TACACS+ Client. Retransmit Times Request Timeout Server 1: Server IP Address : 192.168.1.1 Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times Request Timeout RADIUS Server Group: Group Name Member Index ------------------------- ------------- radius Console# TACACS+ C...
  • Page 701: Tacacs-Server Key

    CHAPTER | Authentication Commands | TACACS+ Client. key - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server.
  • Page 702: Tacacs-Server Port

    CHAPTER | Authentication Commands | TACACS+ Client. tacacs-server port: This command specifies the TACACS+ server network port. Use the no form to restore the default. SYNTAX: tacacs-server port port-number; no tacacs-server port. port-number - TACACS+ server TCP port used for authentication messages.
  • Page 703: Tacacs-Server Timeout

    CHAPTER | Authentication Commands | TACACS+ Client. tacacs-server timeout: This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. SYNTAX: tacacs-server timeout number-of-seconds; no tacacs-server timeout. number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 704: Aaa

    CHAPTER | Authentication Commands. The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 73: AAA Commands. Columns: Command, Function, Mode...
  • Page 705: Aaa Accounting Exec

    CHAPTER | Authentication Commands. DEFAULT SETTING: Accounting is not enabled. No servers are specified. COMMAND MODE: Global Configuration. COMMAND USAGE: Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
  • Page 706: Aaa Accounting Update

    CHAPTER | Authentication Commands. COMMAND USAGE: ◆ This command runs accounting for Exec service requests for the local console and Telnet connections. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
  • Page 707: Aaa Authorization Exec

    CHAPTER | Authentication Commands. aaa authorization exec: This command enables the authorization for Exec access. Use the no form to disable the authorization service. SYNTAX: aaa authorization exec {default | method-name} group {tacacs+ | server-group}; no aaa authorization exec {default | method-name}. default - Specifies the default authorization method for Exec access.
  • Page 708: Aaa Group Server

    CHAPTER | Authentication Commands. aaa group server: Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. SYNTAX: [no] aaa group server {radius | tacacs+} group-name. radius - Defines a RADIUS server group.
  • Page 709: Accounting Dot1X

    CHAPTER | Authentication Commands. EXAMPLE: Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x: This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. SYNTAX: accounting dot1x {default | list-name}; no accounting dot1x. default - Specifies the default method list created with the accounting dot1x...
  • Page 710: Authorization Exec

    CHAPTER | Authentication Commands. EXAMPLE: Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec: This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. SYNTAX: authorization exec {default | list-name}; no authorization exec...
  • Page 711: Web Server

    CHAPTER | Authentication Commands | Web Server. user-name - Displays accounting records for a specifiable username. interface - ethernet unit/port. unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show accounting Accounting Type : dot1x Method List : default Group List...
  • Page 712: Ip Http Port

    CHAPTER | Authentication Commands | Web Server. ip http port: This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. SYNTAX: ip http port port-number; no ip http port. port-number - The TCP port to be used by the browser interface.
  • Page 713: Ip Http Secure-Port

    CHAPTER | Authentication Commands | Web Server. ip http secure-port: This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. SYNTAX: ip http secure-port port_number; no ip http secure-port. port_number –...
  • Page 714: Table 75: Https System Support

    CHAPTER | Authentication Commands | Web Server. COMMAND USAGE: ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. ◆ If you enable HTTPS, you must indicate this in the URL that you specify...
  • Page 715: Telnet Server

    CHAPTER | Authentication Commands | Telnet Server. TELNET SERVER: This section describes commands used to configure Telnet management access to the switch. Table 76: Telnet Server Commands. Columns: Command, Function, Mode. ip telnet max-sessions - Specifies the maximum number of Telnet sessions that can simultaneously connect to this system. ip telnet port - Specifies the port to be used by the Telnet interface...
  • Page 716: Ip Telnet Port

    CHAPTER | Authentication Commands | Telnet Server. ip telnet port: This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. SYNTAX: ip telnet port port-number; no telnet port. port-number - The TCP port number to be used by the browser interface.
  • Page 717: Show Ip Telnet

    CHAPTER | Authentication Commands | Secure Shell. show ip telnet: This command displays the configuration settings for the Telnet server. COMMAND MODE: Normal Exec, Privileged Exec. EXAMPLE: Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# SECURE SHELL...
  • Page 718 CHAPTER | Authentication Commands | Secure Shell. Table 77: Secure Shell Commands (Continued). Columns: Command, Function, Mode. show ssh - Displays the status of current SSH sessions. show users - Shows SSH users, including privilege level and public key type. Configuration Guidelines: The SSH server on this switch supports both password and public key authentication.
  • Page 719 CHAPTER | Authentication Commands | Secure Shell. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 720: Ip Ssh Authentication-Retries

    CHAPTER | Authentication Commands | Secure Shell. The client sends a signature generated using the private key to the switch. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.
  • Page 721: Ip Ssh Server-Key Size

    CHAPTER | Authentication Commands | Secure Shell. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses DSA or RSA for key exchange when the client first...
  • Page 722: Ip Ssh Timeout

    CHAPTER | Authentication Commands | Secure Shell. ip ssh timeout: This command configures the timeout for the SSH server. Use the no form to restore the default setting. SYNTAX: ip ssh timeout seconds; no ip ssh timeout. seconds – The timeout for client response during SSH negotiation. (Range: 1-120) DEFAULT SETTING...
  • Page 723: Ip Ssh Crypto Host-Key Generate

    CHAPTER | Authentication Commands | Secure Shell. EXAMPLE: Console#delete public-key admin dsa Console# ip ssh crypto host-key generate: This command generates the host key pair (i.e., public and private). SYNTAX: ip ssh crypto host-key generate [dsa | rsa]. dsa – DSA (Version 2) key type. rsa –...
  • Page 724: Ip Ssh Crypto Zeroize

    CHAPTER | Authentication Commands | Secure Shell. ip ssh crypto zeroize: This command clears the host key from memory (i.e. RAM). SYNTAX: ip ssh crypto zeroize [dsa | rsa]. dsa – DSA key type. rsa – RSA key type. DEFAULT SETTING: Clears both the DSA and RSA key.
  • Page 725: Show Ip Ssh

    CHAPTER | Authentication Commands | Secure Shell. RELATED COMMANDS: ip ssh crypto host-key generate (723). show ip ssh: This command displays the connection settings used when authenticating client access to the SSH server. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds;...
  • Page 726: Show Ssh

    CHAPTER | Authentication Commands | Secure Shell. show ssh: This command displays the current SSH server connections. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5...
  • Page 727: Port Authentication

    CHAPTER | Authentication Commands | 802.1X Port Authentication. 802.1X PORT AUTHENTICATION: The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 728: Dot1X Default

    CHAPTER | Authentication Commands | 802.1X Port Authentication. Table 79: 802.1X Port Authentication Commands (Continued). Columns: Command, Function, Mode. dot1x timeout start-period - Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Display Information Commands: show dot1x - Shows all dot1x related information. This command sets all configurable dot1x global and port settings to their...
  • Page 729: Dot1X System-Auth-Control

    CHAPTER | Authentication Commands | 802.1X Port Authentication. EXAMPLE: This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state. Console(config)#dot1x eapol-pass-through Console(config)# dot1x system-auth-control: This command enables IEEE 802.1X port authentication globally on the switch....
  • Page 730: Dot1X Max-Reauth-Req

    CHAPTER | Authentication Commands | 802.1X Port Authentication. EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x intrusion-action guest-vlan Console(config-if)# dot1x max-reauth-req: This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default. SYNTAX: dot1x max-reauth-req count; no dot1x max-reauth-req...
  • Page 731: Dot1X Operation-Mode

    CHAPTER | Authentication Commands | 802.1X Port Authentication. EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x operation-mode: This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host....
  • Page 732: Dot1X Port-Control

    CHAPTER | Authentication Commands | 802.1X Port Authentication. dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default. SYNTAX: dot1x port-control {auto | force-authorized | force-unauthorized}; no dot1x port-control. auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 733: Dot1X Timeout Quiet-Period

    CHAPTER | Authentication Commands | 802.1X Port Authentication. EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# RELATED COMMANDS: dot1x timeout re-authperiod (733). dot1x timeout quiet-period: This command sets the time that a switch port waits after the maximum request count (see page 730) has been exceeded before attempting to acquire a new client.
  • Page 734: Dot1X Timeout Supp-Timeout

    CHAPTER | Authentication Commands | 802.1X Port Authentication. EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout: This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet....
  • Page 735: Dot1X Re-Authenticate

    CHAPTER | Authentication Commands | 802.1X Port Authentication. DEFAULT: 30 seconds. COMMAND MODE: Interface Configuration. EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate: This command forces re-authentication on all ports or a specific interface. SYNTAX: dot1x re-authenticate [interface]. interface - ethernet unit/port. unit - Unit identifier.
  • Page 736: Dot1X Identity Profile

    CHAPTER | Authentication Commands | 802.1X Port Authentication. dot1x identity profile: This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings. SYNTAX: dot1x identity profile {username username | password password}; no dot1x identity profile {username | password}. username - Specifies the supplicant user name.
  • Page 737: Dot1X Pae Supplicant

    CHAPTER | Authentication Commands | 802.1X Port Authentication. EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# dot1x pae supplicant: This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port. SYNTAX: [no] dot1x pae supplicant. DEFAULT: Disabled...
  • Page 738: Dot1X Timeout Auth-Period

    CHAPTER | Authentication Commands | 802.1X Port Authentication. dot1x timeout auth-period: This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. SYNTAX: dot1x timeout auth-period seconds; no dot1x timeout auth-period. seconds - The number of seconds.
  • Page 739: Dot1X Timeout Start-Period

    CHAPTER | Authentication Commands | 802.1X Port Authentication. dot1x timeout start-period: This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting. SYNTAX: dot1x timeout start-period seconds; no dot1x timeout start-period. seconds - The number of seconds.
  • Page 740 CHAPTER | Authentication Commands | 802.1X Port Authentication. ◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 736). ◆ 802.1X Port Summary – Displays the port access control parameters...
  • Page 741: X Port Authentication

    CHAPTER | Authentication Commands | 802.1X Port Authentication. ■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server. ◆ Reauthentication State Machine: State – Current state (including initialize, reauthenticate). EXAMPLE: Console#show dot1x Global 802.1X Parameters System Auth Control : Enabled...
  • Page 742: Management Ip Filter

    CHAPTER | Authentication Commands | Management IP Filter. Reauthentication State Machine State : Initialize Console# MANAGEMENT IP FILTER: This section describes commands used to configure IP management access to the switch. Table 80: Management IP Filter Commands. Columns: Command, Function, Mode. management - Configures IP addresses that are allowed management access...
  • Page 743: Show Management

    CHAPTER | Authentication Commands | Management IP Filter. ◆ IP address can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. ◆ When entering addresses for the same group (i.e., SNMP, web, or...
  • Page 744: Authentication Commands

    CHAPTER | Authentication Commands | Management IP Filter. TELNET-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 Console#
  • Page 745: General Security Measures

    GENERAL SECURITY MEASURES: This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
  • Page 746: Port Security

    CHAPTER | General Security Measures | Port Security. PORT SECURITY: These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 747 CHAPTER | General Security Measures | Port Security. COMMAND MODE: Interface Configuration (Ethernet). COMMAND USAGE: ◆ When port security is enabled with this command, or the maximum number of allowed addresses is set to a value lower than the current limit after port security has been enabled, the switch first clears all dynamically learned entries from the address table.
  • Page 748: Show Port Security

    CHAPTER | General Security Measures | Port Security. show port security: This command displays port security status and the secure address count. SYNTAX: show port security [interface interface]. interface - Specifies a port interface. ethernet unit/port: unit - This is unit 1. port - Port number.
  • Page 749 CHAPTER | General Security Measures | Port Security. The following example shows the port security settings and number of secure addresses for a specific port. The Last Intrusion MAC and Last Time Detected Intrusion MAC fields show information about the last detected intrusion MAC address.
  • Page 750: Network Access (Mac Address Authentication)

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). NETWORK ACCESS (MAC ADDRESS AUTHENTICATION): Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 751: Network-Access Aging

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). network-access aging: Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. SYNTAX: [no] network-access aging. DEFAULT...
  • Page 752: Mac-Authentication Reauth-Time

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Specified addresses are exempt from network access authentication. ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 753: Network-Access Dynamic-Qos

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). network-access dynamic-qos: Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. SYNTAX: [no] network-access dynamic-qos. DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration. COMMAND...
  • Page 754: Network-Access Dynamic-Vlan

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). EXAMPLE: The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# network-access dynamic-vlan: Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. SYNTAX: [no] network-access dynamic-vlan...
  • Page 755: Network-Access Guest-Vlan

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). network-access guest-vlan: Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment. SYNTAX: network-access guest-vlan vlan-id; no network-access guest-vlan...
  • Page 756: Network-Access Link-Detection Link-Down

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). network-access link-detection link-down: Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 757: Network-Access Link-Detection Link-Up-Down

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up action trap Console(config-if)# network-access link-detection link-up-down: Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both....
  • Page 758: Network-Access Mode Mac-Authentication

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). COMMAND MODE: Interface Configuration. COMMAND USAGE: The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 759: Network-Access Port-Mac-Filter

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN...
  • Page 760: Mac-Authentication Intrusion-Action

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). mac-authentication intrusion-action: Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. SYNTAX: mac-authentication intrusion-action {block traffic | pass traffic}; no mac-authentication intrusion-action. DEFAULT SETTING...
  • Page 761: Clear Network-Access

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). clear network-access: Use this command to clear entries from the secure MAC addresses table. SYNTAX: clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]. static - Specifies static address entries. dynamic - Specifies dynamic address entries.
  • Page 762: Show Network-Access Mac-Address-Table

    CHAPTER | General Security Measures | Network Access (MAC Address Authentication). EXAMPLE: Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC address Aging : Enabled Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts...
  • Page 763: Show Network-Access Mac-Filter

    CHAPTER | General Security Measures | Web Authentication. 00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out. EXAMPLE: Console#show network-access mac-address-table ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17...
  • Page 764: Web-Auth Login-Attempts

    CHAPTER | General Security Measures | Web Authentication. RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 694). Web authentication cannot be configured on trunk ports. Table 86: Web Authentication. Columns: Command, Function, Mode...
  • Page 765: Web-Auth Quiet-Period

    CHAPTER | General Security Measures | Web Authentication. EXAMPLE: Console(config)#web-auth login-attempts 2 Console(config)# web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default. SYNTAX: web-auth quiet-period time; no web-auth quiet period...
  • Page 766: Web-Auth System-Auth-Control

    CHAPTER | General Security Measures | Web Authentication. EXAMPLE: Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default. SYNTAX: [no] web-auth system-auth-control. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE...
  • Page 767: Web-Auth Re-Authenticate (Port)

    CHAPTER | General Security Measures | Web Authentication. web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. SYNTAX: web-auth re-authenticate interface interface. interface - Specifies a port interface. ethernet unit/port: unit - This is unit 1.
  • Page 768: Show Web-Auth

    CHAPTER | General Security Measures | Web Authentication. show web-auth: This command displays global web authentication parameters. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period : 60 Max Login Attempts Console# This command displays interface-specific web authentication parameters show web-auth...
  • Page 769: Show Web-Auth Summary

    CHAPTER | General Security Measures | DHCP Snooping. show web-auth summary: This command displays a summary of web authentication port parameters and statistics. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------...
  • Page 770: Ip Dhcp Snooping

    CHAPTER | General Security Measures | DHCP Snooping. ip dhcp snooping: This command enables DHCP snooping globally. Use the no form to restore the default setting. SYNTAX: [no] ip dhcp snooping. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Network traffic may be disrupted when malicious DHCP messages are...
  • Page 771 CHAPTER | General Security Measures | DHCP Snooping. ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. ■ If the DHCP packet is from a client, such as a DISCOVER,...
  • Page 772: Ip Dhcp Snooping Information Option

    CHAPTER | General Security Measures | DHCP Snooping. ip dhcp snooping information option: This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of sub-type and sub-length in CID/RID fields, or the no form with the remote-id keyword to set the remote ID to...
  • Page 773: Ip Dhcp Snooping Information Policy

    CHAPTER | General Security Measures | DHCP Snooping. ◆ When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • Page 774: Ip Dhcp Snooping Verify Mac-Address

    COMMAND USAGE: When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
  • Page 775: Ip Dhcp Snooping Vlan

    ip dhcp snooping vlan: This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. SYNTAX: [no] ip dhcp snooping vlan vlan-id vlan-id - ID of a configured VLAN (Range: 1-4093) DEFAULT SETTING: Disabled...
  • Page 776: Clear Ip Dhcp Snooping Database Flash

    COMMAND USAGE: ◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
  • Page 777: Ip Dhcp Snooping Database Flash

    ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory. COMMAND MODE: Privileged Exec COMMAND USAGE: This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 778: Show Ip Dhcp Snooping Binding

    CHAPTER | General Security Measures: IP Source Guard. show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries. COMMAND MODE: Privileged Exec EXAMPLE: Console#show ip dhcp snooping binding MAC Address IP Address Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- --------- 11-22-33-44-55-66 192.168.0.99 0 Dynamic-DHCPSNP 1 Eth 1/5...
  • Page 779 ip-address - A valid unicast IP address, including classful types A, B or C. unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) DEFAULT SETTING: No configured entries COMMAND MODE: Global Configuration COMMAND USAGE...
  • Page 780: Ip Source-Guard

    ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. SYNTAX: ip source-guard {sip | sip-mac} no ip source-guard sip - Filters traffic based on IP addresses stored in the binding...
  • Page 781: Ip Source-Guard Max-Binding

    ◆ Filtering rules are implemented as follows: ■ If DHCP snooping is disabled (see page 770), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 782: Show Ip Source-Guard

    COMMAND USAGE: ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 783: Arp Inspection

    EXAMPLE: Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- -------- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console# ARP INSPECTION: ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 784: Ip Arp Inspection

    Table 89: ARP Inspection Commands (Continued): Command | Function | Mode; show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons; show ip arp inspection vlan | Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation...
  • Page 785: Ip Arp Inspection Filter

    ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. SYNTAX: ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static] arp-acl-name - Name of an ARP ACL.
  • Page 786: Ip Arp Inspection Log-Buffer Logs

    ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings. SYNTAX: ip arp inspection log-buffer logs message-number interval seconds no ip arp inspection log-buffer logs...
  • Page 787: Ip Arp Inspection Validate

    ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. SYNTAX: ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac} no ip arp inspection validate dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 788: Ip Arp Inspection Limit

    DEFAULT SETTING: Disabled on all VLANs COMMAND MODE: Global Configuration COMMAND USAGE: ◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 789: Ip Arp Inspection Trust

    COMMAND MODE: Interface Configuration (Port) COMMAND USAGE: ◆ This command only applies to untrusted ports. ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection limit 150...
  • Page 790: Show Ip Arp Inspection Configuration

    show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection. COMMAND MODE: Privileged Exec EXAMPLE: Console#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval : 10 s Log Message Number...
  • Page 791: Show Ip Arp Inspection Log

    show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components. COMMAND MODE: Privileged Exec EXAMPLE: Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 792 EXAMPLE: Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console#
  • Page 793: Lists

    ACCESS CONTROL LISTS: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 794: Access-List Ip

    CHAPTER | Access Control Lists: IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX: [no] access-list ip {standard | extended} acl-name standard –...
  • Page 795: Permit, Deny (Standard Ip Acl)

    permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX: {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 796: Permit, Deny (Extended Ipv4 Acl)

    permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 797 port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask –...
  • Page 798: Ip Access-Group

    EXAMPLE: This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 799: Show Ip Access-Group

    COMMAND USAGE: ◆ Only one ACL can be bound to a port. ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. EXAMPLE: Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 800: Ipv6 Acls

    EXAMPLE: Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# RELATED COMMANDS: permit, deny (795) ip access-group (798) IPv6 ACLs: The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, or next header type.
  • Page 801: Permit, Deny (Standard Ipv6 Acl)

    COMMAND MODE: Global Configuration COMMAND USAGE: ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 802: Permit, Deny (Extended Ipv6 Acl)

    DEFAULT SETTING: None COMMAND MODE: Standard IPv6 ACL COMMAND USAGE: New rules are appended to the end of the list. EXAMPLE: This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 803 to indicate the appropriate number of zeros required to fill the undefined fields. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 804: Show Ipv6 Access-List

    This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# RELATED COMMANDS: access-list ipv6 (800) Time Range (648) show ipv6 access-list: This command displays the rules for configured IPv6 ACLs. SYNTAX...
  • Page 805: Show Ipv6 Access-Group

    time-range-name - Name of the time range. (Range: 1-30 characters) DEFAULT SETTING: None COMMAND MODE: Interface Configuration (Ethernet) COMMAND USAGE: ◆ A port can only be bound to one ACL. ◆ If a port is already bound to an ACL and you bind it to a different ACL,...
  • Page 806: Mac Acls

    MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 807: (Mac Acl)

    RELATED COMMANDS: permit, deny (807) mac access-group (809) show mac access-list (810) permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 808 {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name] no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} tagged-eth2 –...
  • Page 809: Mac Access-Group

    EXAMPLE: This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# RELATED COMMANDS: access-list mac (806) Time Range (648) This command binds a MAC ACL to a port.
  • Page 810: Show Mac Access-Group

    show mac access-group: This command shows the ports assigned to MAC ACLs. COMMAND MODE: Privileged Exec EXAMPLE: Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# RELATED COMMANDS: mac access-group (809) This command displays the rules for configured MAC ACLs.
  • Page 811: Arp Acls

    ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 812: Permit, Deny (Arp Acl)

    permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. SYNTAX: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 813: Show Arp Access-List

    EXAMPLE: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# RELATED COMMANDS: access-list arp (811) This command displays the rules for configured ARP ACLs.
  • Page 814: Acl Information

    ACL INFORMATION: This section describes commands used to display ACL information. Table 95: ACL Information Commands: Command | Function | Mode; show access-group | Shows the ACLs assigned to each port; show access-list | Show all ACLs and associated rules. This command shows the port assignments of ACLs.
  • Page 815: Acl Information

    EXAMPLE: Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 IP extended access-list bob: permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.0 any destination-port 80 80 permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2 MAC access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 IP extended access-list A6:...
  • Page 817: Interface Commands

    INTERFACE COMMANDS: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 96: Interface Commands: Command | Function | Mode; Interface Configuration: interface | Configures an interface type and enters interface configuration mode; alias | Configures an alias name for the interface...
  • Page 818: Interface

    CHAPTER | Interface Commands. Table 96: Interface Commands (Continued): Command | Function | Mode; show interfaces switchport | Displays the administrative and operational status of an interface | NE, PE; show interfaces transceiver | Displays the temperature, voltage, bias current, transmit power, and receive power; Cable Diagnostics: test cable-diagnostics | Performs cable diagnostics on the specified port...
  • Page 819: Alias

    EXAMPLE: To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# alias: This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX: alias string no alias string - A mnemonic name to help you remember what is attached to this interface.
  • Page 820: Capabilities

    capabilities: This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values. SYNTAX: [no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric} 1000full - Supports 1 Gbps full-duplex operation...
  • Page 821: Description

    RELATED COMMANDS: negotiation (824) speed-duplex (825) flowcontrol (821) description: This command adds a description to an interface. Use the no form to remove the description. SYNTAX: description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 822: History

    COMMAND USAGE: ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. ◆ Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
  • Page 823: Media-Type

    DEFAULT SETTING: 15min - 15 minute interval, 96 buckets 1day - 1 day interval, 7 buckets COMMAND MODE: Interface Configuration (Ethernet, Port Channel) EXAMPLE: This example sets an interval of 15 minutes for sampling standard statistical values on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#history 15min 15 10 Console(config-if)#...
  • Page 824: Negotiation

    negotiation: This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. SYNTAX: [no] negotiation DEFAULT SETTING: Enabled COMMAND MODE: Interface Configuration (Ethernet, Port Channel) COMMAND USAGE: ◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 825: Speed-Duplex

    COMMAND USAGE: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. EXAMPLE: The following example disables port 5.
  • Page 826: Switchport Packet-Rate

    the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. EXAMPLE: The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# RELATED COMMANDS...
  • Page 827: Transceiver-Threshold Current

    ◆ The rate limits set by this command are also used by automatic storm control when the control response is set to rate limiting by the auto-traffic-control action command. ◆ Using both rate limiting and storm control on the same interface may...
  • Page 828: Transceiver-Threshold Rx-Power

    COMMAND USAGE: ◆ A high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the high threshold and reaches the low threshold.
  • Page 829: Transceiver-Threshold Temperature

    DEFAULT SETTING: None COMMAND MODE: Interface Configuration (Ethernet) COMMAND USAGE: ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold...
  • Page 830: Transceiver-Threshold Tx-Power

    COMMAND MODE: Interface Configuration (Ethernet) COMMAND USAGE: ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages configured by this command are sent to any management station configured by the snmp-server host command.
  • Page 831: Transceiver-Threshold Voltage

    ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages configured by this command are sent to any management station configured by the snmp-server host command.
  • Page 832: Clear Counters

    EXAMPLE: The following example sets alarm thresholds for the transceiver voltage at port 1. Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-threshold voltage low-alarm 4 Console(config-if)#transceiver-threshold voltage high-alarm 2 Console# clear counters: This command clears statistics on an interface. SYNTAX: clear counters interface interface ethernet unit/port...
  • Page 833: Show Interfaces Brief

    show interfaces brief: This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports. COMMAND MODE: Privileged Exec EXAMPLE: Console#show interfaces brief Interface Name Status PVID Pri Speed/Duplex Type...
  • Page 834: Interface Commands

    19806 Unicast Output 0 Discard Input 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protos Input 0 QLen Output ===== Extended Iftable Stats ===== 23 Multi-cast Input 5525 Multi-cast Output 170 Broadcast Input 11 Broadcast Output ===== Ether-like Stats ===== 0 Alignment Errors...
  • Page 835: Show Interfaces History

    show interfaces history: This command displays statistical history for the specified interfaces. show interfaces history [interface [name [current | previous index count] [input | output]]] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) port-channel channel-id (Range: 1-12) name - Name of sample as defined in the history...
  • Page 836 Discards Errors Unknown Proto ------------- ------------- ------------- Octets Output Unicast Multicast Broadcast --------------- ------------- ------------- ------------- 84493398 106787 47232 1158 Discards Errors ------------- ------------- Interface : Eth 1/ 1 Name : 15min Interval : 15 minute(s) Buckets Requested : 96 Buckets Granted : 11...
  • Page 837 This example shows the statistics recorded for a named entry in the sampling table. Console#show interfaces history ethernet 1/1 1min Interface : Eth 1/ 1 Name : 1min Interval : 1 minute(s) Buckets Requested : 10 Buckets Granted Status : Active...
  • Page 838: Show Interfaces Status

    show interfaces status: This command displays the status for an interface. SYNTAX: show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4093) DEFAULT SETTING: Shows the status for all interfaces.
  • Page 839: Show Interfaces Switchport

    show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. SYNTAX: show interfaces switchport [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) port-channel channel-id (Range: 1-12) DEFAULT SETTING: Shows all interfaces.
  • Page 840: Show Interfaces Transceiver

    Table 97: show interfaces switchport - display description (Continued): Field | Description; Unknown-unicast Threshold | Shows if unknown unicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 826). LACP Status | Shows if Link Aggregation Control Protocol has been enabled or disabled (page 848).
  • Page 841: Test Cable-Diagnostics

    COMMAND USAGE: The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm...
  • Page 842: Show Cable-Diagnostics

    COMMAND USAGE: ◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse. ◆ This cable test is only accurate for cables 7 - 140 meters long.
  • Page 843: Power-Save

    COMMAND USAGE: ◆ The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found. ◆ To ensure more accurate measurement of the length to a fault, first...
  • Page 844: Show Power-Save

    is detected, the switch immediately turns on both the transmitter and receiver functions, and powers up the MAC interface. ■ Power saving when there is a link partner: Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter.
  • Page 845: Link Aggregation Commands

    LINK AGGREGATION COMMANDS: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 846: Port Channel Load-Balance

    CHAPTER | Link Aggregation Commands. ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings. ◆ Any of the Gigabit ports on the front panel can be trunked together,...
  • Page 847 COMMAND MODE: Global Configuration COMMAND USAGE: ◆ This command applies to all static and dynamic trunks on the switch. ◆ To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections: dst-ip: All traffic with the same destination IP address is output on...
  • Page 848: Channel-Group

    channel-group: This command adds a port to a trunk. Use the no form to remove a port from a trunk. SYNTAX: channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-12) DEFAULT SETTING: The current port will be added to this trunk. COMMAND MODE: Interface Configuration (Ethernet) COMMAND...
  • Page 849: Show Interfaces

    ◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ If more than eight ports attached to the same target switch have LACP...
  • Page 850: Lacp Admin-Key (Ethernet Interface)

    lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 851: Lacp Port-Priority

    lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 852: Lacp System-Priority

    lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 853: Show Lacp

    DEFAULT SETTING COMMAND MODE: Interface Configuration (Port Channel) COMMAND USAGE: ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 854: Table 99: Show Lacp Counters - Display Description

    EXAMPLE: Console#show lacp 1 counters Port Channel: 1 ------------------------------------------------------------------------- Eth 1/ 2 ------------------------------------------------------------------------- LACPDUs Sent : 12 LACPDUs Received Marker Sent Marker Received LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 99: show lacp counters - display description: Field | Description; LACPDUs Sent...
  • Page 855: Table 101: Show Lacp Neighbors - Display Description

    Table 100: show lacp internal - display description (Continued): Field | Description; LACP Port Priority | LACP port priority assigned to this interface within the channel group. Admin State, Oper State | Administrative or operational values of the actor’s state parameters: Expired –...
  • Page 856: Show Port-Channel Load-Balance

    Table 101: show lacp neighbors - display description (Continued): Field | Description; Port Oper Priority | Priority value assigned to this aggregation port by the partner. Admin Key | Current administrative value of the Key for the protocol partner. Oper Key | Current operational value of the Key for the protocol partner.
  • Page 857: Port Mirroring Commands

    PORT MIRRORING COMMANDS: Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 858 CHAPTER | Port Mirroring Commands: Local Port Mirroring Commands. mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. DEFAULT SETTING: ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
  • Page 859: Show Port Monitor

    CHAPTER | Port Mirroring Commands: RSPAN Mirroring Commands. show port monitor: This command displays mirror information. SYNTAX: show port monitor [interface | vlan vlan-id | mac-address mac-address] interface - ethernet unit/port (source port) unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) vlan-id - VLAN ID (Range: 1-4093) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 860 | Port Mirroring Commands HAPTER RSPAN Mirroring Commands Table 105: RSPAN Commands (Continued) Command Function Mode rspan destination Specifies the destination port to monitor the mirrored traffic rspan remote vlan Specifies the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports no rspan session Deletes a configured RSPAN session...
  • Page 861: Rspan Source

    MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports.
  • Page 862: Rspan Destination

    COMMAND USAGE
    ◆ One or more source ports can be assigned to the same RSPAN session, either on the same switch or on different switches.
    ◆ Only ports can be configured as an RSPAN source – static and dynamic...
  • Page 863: Rspan Remote Vlan

    COMMAND USAGE
    ◆ Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
    ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured...
  • Page 864: No Rspan Session

    uplink - A port configured to receive or transmit remotely mirrored traffic.
    interface - ethernet unit/port
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
    DEFAULT SETTING
    None
    COMMAND MODE
    Global Configuration...
  • Page 865: Show Rspan

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the vlan command).
    EXAMPLE
    Console(config)#no rspan session 1
    Console(config)#
    Use this command to display the configuration settings for an RSPAN...
  • Page 867: Rate Limit Commands

    RATE LIMIT COMMANDS
    This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 868

    by the storm control command. It is therefore not advisable to use both of these commands on the same interface.
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#rate-limit input 64
    Console(config-if)#
    RELATED COMMAND
    show interfaces switchport (839)
  • Page 869: Automatic Traffic Control Commands

    AUTOMATIC TRAFFIC CONTROL COMMANDS
    Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
    Table 107: ATC Commands
    Command | Function | Mode
    Threshold Commands
    auto-traffic-control apply-timer | Sets the time at which to apply the control...
  • Page 870

    Table 107: ATC Commands (Continued)
    Command | Function | Mode
    snmp-server enable port-traps atc multicast-control-apply | Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires | IC (Port)
    snmp-server enable | Sends a trap when multicast traffic falls beneath...
  • Page 871: Figure 352: Storm Control By Shutting Down A Port

    expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
    ◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
  • Page 872: Auto-Traffic-Control Apply-Timer

    auto-traffic-control apply-timer
    This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting.
    SYNTAX
    auto-traffic-control {broadcast | multicast} apply-timer seconds
    no auto-traffic-control {broadcast | multicast} apply-timer
    broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 873: Auto-Traffic-Control

    DEFAULT SETTING
    900 seconds
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    This command sets the delay after which the control response can be terminated. The auto-traffic-control auto-control-release command must be used to enable or disable the automatic release of a control response of rate-limiting.
  • Page 874: Auto-Traffic-Control Action

    EXAMPLE
    This example enables automatic storm control for broadcast traffic on port
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast
    Console(config-if)#
    auto-traffic-control action
    This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.
    SYNTAX
    auto-traffic-control {broadcast | multicast}...
  • Page 875: Auto-Traffic-Control Alarm-Clear-Threshold

    EXAMPLE
    This example sets the control response for broadcast traffic on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast action shutdown
    Console(config-if)#
    auto-traffic-control alarm-clear-threshold
    This command sets the lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer expires, if so configured by the...
  • Page 876: Auto-Traffic-Control Alarm-Fire-Threshold

    EXAMPLE
    This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
    Console(config-if)#
    auto-traffic-control alarm-fire-threshold
    This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.
  • Page 877: Auto-Traffic-Control Auto-Control-Release

    auto-traffic-control auto-control-release
    This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.
    SYNTAX
    auto-traffic-control {broadcast | multicast} auto-control-release
    broadcast - Specifies automatic storm control for broadcast traffic.
    multicast - Specifies automatic storm control for multicast traffic.
  • Page 878: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Clear

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#auto-traffic-control broadcast control-release interface ethernet 1/1
    Console#(config-if)
    snmp-server enable port-traps atc broadcast-alarm-clear
    This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
  • Page 879: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Apply

    RELATED COMMANDS
    auto-traffic-control alarm-fire-threshold (876)
    snmp-server enable port-traps atc broadcast-control-apply
    This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
    SYNTAX...
  • Page 880: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Clear

    RELATED COMMANDS
    auto-traffic-control alarm-clear-threshold (875)
    auto-traffic-control action (874)
    auto-traffic-control release-timer (872)
    snmp-server enable port-traps atc multicast-alarm-clear
    This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
  • Page 881: Snmp-Server Enable Port-Traps Atc Multicast-Control-Apply

    RELATED COMMANDS
    auto-traffic-control alarm-fire-threshold (876)
    snmp-server enable port-traps atc multicast-control-apply
    This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
    SYNTAX...
  • Page 882: Show Auto-Traffic-Control

    RELATED COMMANDS
    auto-traffic-control alarm-clear-threshold (875)
    auto-traffic-control action (874)
    auto-traffic-control release-timer (872)
    show auto-traffic-control
    This command shows global configuration settings for automatic storm control.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show auto-traffic-control
    Storm-control: Broadcast
    Apply-Timer (sec) : 300
    Release-Timer (sec) : 900
    Storm-control: Multicast...
  • Page 883

    Trap Traffic Release: Disabled Disabled
    ------------------------------------------------------------------------
    Console#
  • Page 885: Address Table Commands

    ADDRESS TABLE COMMANDS
    These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
    Table 108: Address Table Commands
    Command | Function | Mode
    mac-address-table aging-time | Sets the aging time of the address table
    mac-address-table | Maps a static address to a port in a VLAN...
  • Page 886: Mac-Address-Table Static

    EXAMPLE
    Console(config)#mac-address-table aging-time 100
    Console(config)#
    mac-address-table static
    This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
    SYNTAX
    mac-address-table static mac-address interface interface vlan vlan-id [action]
    no mac-address-table static mac-address vlan vlan-id
    mac-address - MAC address.
  • Page 887: Clear Mac-Address-Table Dynamic

    EXAMPLE
    Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
    Console(config)#
    clear mac-address-table dynamic
    This command removes any learned entries from the forwarding database.
    DEFAULT SETTING
    None
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#clear mac-address-table dynamic
    Console#
    This command shows classes of entries in the bridge-forwarding database.
  • Page 888: Show Mac-Address-Table Aging-Time

    COMMAND USAGE
    ◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
    ■ Learn - Dynamic address entries
    ■ Config - Static entry...
  • Page 889: Show Mac-Address-Table Count

    show mac-address-table count
    This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
    SYNTAX
    show mac-address-table count interface interface
    interface
    ethernet unit/port
    unit - Unit identifier.
  • Page 891: Spanning Tree Commands

    SPANNING TREE COMMANDS
    This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
    Table 109: Spanning Tree Commands
    Command | Function | Mode
    spanning-tree | Enables the spanning tree protocol
    spanning-tree cisco-prestandard | Configures spanning tree operation to be compatible...
  • Page 892: Spanning-Tree

    Table 109: Spanning Tree Commands (Continued)
    Command | Function | Mode
    spanning-tree loopback-detection release-mode | Configures loopback release mode for a port
    spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for a port
    spanning-tree mst cost | Configures the path cost of an instance in the MST
    spanning-tree mst port- | Configures the priority of an instance in the MST...
  • Page 893: Spanning-Tree Cisco-Prestandard

    EXAMPLE
    This example shows how to enable the Spanning Tree Algorithm for the switch:
    Console(config)#spanning-tree
    Console(config)#
    spanning-tree cisco-prestandard
    This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
    [no] spanning-tree cisco-prestandard
    DEFAULT...
  • Page 894: Spanning-Tree Hello-Time

    COMMAND USAGE
    This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 895: Spanning-Tree Max-Age

    spanning-tree max-age
    This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
    SYNTAX
    spanning-tree max-age seconds
    no spanning-tree max-age
    seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 896

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ Spanning Tree Protocol
    Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 897: Spanning-Tree Pathcost Method

    spanning-tree pathcost method
    This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
    SYNTAX
    spanning-tree pathcost method {long | short}
    no spanning-tree pathcost method
    long - Specifies 32-bit based values that range from 1-200,000,000.
  • Page 898: Spanning-Tree Mst Configuration

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 899: Spanning-Tree System-Bpdu-Flooding

    spanning-tree system-bpdu-flooding
    This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
  • Page 900: Max-Hops

    EXAMPLE
    Console(config)#spanning-tree transmission-limit 4
    Console(config)#
    max-hops
    This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
    SYNTAX
    max-hops hop-number
    hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
    DEFAULT SETTING...
  • Page 901: Mst Vlan

    DEFAULT SETTING
    32768
    COMMAND MODE
    MST Configuration
    COMMAND USAGE
    ◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 902: Name

    which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (page 902) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
  • Page 903: Spanning-Tree Bpdu-Filter

    DEFAULT SETTING
    COMMAND MODE
    MST Configuration
    COMMAND USAGE
    The MST region name (page 902) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 904: Spanning-Tree Bpdu-Guard

    Console(config-if)#spanning-tree bpdu-filter
    Console(config-if)#
    RELATED COMMANDS
    spanning-tree edge-port (906)
    spanning-tree bpdu-guard
    This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
  • Page 905: Spanning-Tree Cost

    spanning-tree cost
    This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
    SYNTAX
    spanning-tree cost cost
    no spanning-tree cost
    cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)
  • Page 906: Spanning-Tree Edge-Port

    EXAMPLE
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree cost 50
    Console(config-if)#
    spanning-tree edge-port
    This command specifies an interface as an edge port. Use the no form to restore the default.
    SYNTAX
    spanning-tree edge-port [auto]
    no spanning-tree edge-port
    auto - Automatically determines if an interface is an edge port.
  • Page 907: Spanning-Tree Link-Type

    spanning-tree link-type
    This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
    SYNTAX
    spanning-tree link-type {auto | point-to-point | shared}
    no spanning-tree link-type
    auto - Automatically derived from the duplex mode setting.
  • Page 908: Spanning-Tree Loopback-Detection Action

    COMMAND USAGE
    ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
    ◆ Port Loopback Detection will not be active if Spanning Tree is disabled...
  • Page 909: Spanning-Tree Loopback-Detection Release-Mode

    spanning-tree loopback-detection release-mode
    This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
    SYNTAX
    spanning-tree loopback-detection release-mode {auto | manual}
    no spanning-tree loopback-detection release-mode
    auto - Allows a port to automatically be released from the...
  • Page 910: Spanning-Tree Loopback-Detection Trap

    spanning-tree loopback-detection trap
    This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
    SYNTAX
    [no] spanning-tree loopback-detection trap
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Interface Configuration (Ethernet, Port Channel)
    EXAMPLE
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree loopback-detection trap
  • Page 911: Spanning-Tree Mst Port-Priority

    ◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
    ◆ Use the no spanning-tree mst cost command to specify auto-...
  • Page 912: Spanning-Tree Port-Bpdu-Flooding

    RELATED COMMANDS
    spanning-tree mst cost (910)
    spanning-tree port-bpdu-flooding
    This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
  • Page 913: Spanning-Tree Root-Guard

    COMMAND USAGE
    ◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 914: Spanning-Tree Spanning-Disabled

    EXAMPLE
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree edge-port
    Console(config-if)#spanning-tree root-guard
    Console(config-if)#
    spanning-tree spanning-disabled
    This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
    SYNTAX
    [no] spanning-tree spanning-disabled
    DEFAULT...
  • Page 915: Spanning-Tree Protocol-Migration

    EXAMPLE
    Console#spanning-tree loopback-detection release ethernet 1/1
    Console#
    spanning-tree protocol-migration
    This command re-checks the appropriate BPDU format to send on the selected interface.
    SYNTAX
    spanning-tree protocol-migration interface
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
  • Page 916: Show Spanning-Tree

    show spanning-tree
    This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).
    SYNTAX
    show spanning-tree [interface | mst instance-id]
    interface
    ethernet unit/port
    unit - Unit identifier.
  • Page 917: Spanning Tree Commands

    VLANs Configured : 1-4093
    Priority : 32768
    Bridge Hello Time (sec.)
    Bridge Max. Age (sec.) : 20
    Bridge Forward Delay (sec.) : 15
    Root Hello Time (sec.)
    Root Max. Age (sec.) : 20
    Root Forward Delay (sec.) : 15
    Max....
  • Page 918: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration
    This command shows the configuration of the multiple spanning tree.
    COMMAND MODE
    Privileged Exec
    EXAMPLE
    Console#show spanning-tree mst configuration
    Mstp Configuration Information
    --------------------------------------------------------------
    Configuration Name : R&D
    Revision Level
    Instance VLANs
    --------------------------------------------------------------
    1-4093
    Console#
  • Page 919: ERPS Commands

    ERPS COMMANDS
    The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
    Table 112: ERPS Commands
    Command | Function | Mode
    erps...
  • Page 920: Erps

    Configure the RPL owner: Configure one node in the ring as the Ring Protection Link (RPL) owner using the rpl owner command. When this switch is configured as the RPL owner, the west ring port is set as being connected to the RPL.
  • Page 921: Erps Domain

    COMMAND USAGE
    ERPS must be enabled globally on the switch before it can be enabled on an ERPS ring using the enable command.
    EXAMPLE
    Console(config)#erps
    Console(config)#
    RELATED COMMANDS
    enable (922)
    erps domain
    This command creates an ERPS ring and enters ERPS configuration mode for the specified domain.
  • Page 922: Enable

    the east and west interface as tagged members to this VLAN (switchport allowed vlan, page 941), and then use the control-vlan command to add it to the ring.
    ◆ The Control VLAN must not be configured as a Layer 3 interface (with...
  • Page 923: Guard-Timer

    EXAMPLE
    Console(config-erps)#enable
    Console(config-erps)#
    RELATED COMMANDS
    erps (920)
    guard-timer
    This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.
    SYNTAX
    guard-timer milliseconds
    milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
  • Page 924: Major-Domain

    DEFAULT SETTING
    0 milliseconds
    COMMAND MODE
    ERPS Configuration
    COMMAND USAGE
    In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer.
  • Page 925: Meg-Level

    can only be a major ring, not a secondary ring (or sub-domain) which can have only one physical ring port. This command will therefore fail if the east port is already configured (see the ring-port command).
    EXAMPLE
    Console(config-eaps)#major-domain rd0
    Console(config-eaps)#...
  • Page 926: Propagate-Tc

    COMMAND MODE
    ERPS Configuration
    COMMAND USAGE
    The ring node identifier is informational, and does not affect ring protection switching operations. It may be used for debugging, such as to distinguish messages when a node is connected to more than one ring.
    EXAMPLE
    Console(config-erps)#node-id 00-12-CF-61-24-2D
    Console(config-erps)#...
  • Page 927: Ring-Port

    ring-port
    This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring.
    SYNTAX
    ring-port {east | west} interface interface
    east - Connects to next ring node to the east.
    west - Connects to next ring node to the west.
  • Page 928: Wtr-Timer

    ◆ The east and west connections to the ring must be specified for all ring nodes using the ring-port command. When this switch is configured as the RPL owner, the west ring port is set as being connected to the RPL.
    EXAMPLE
    Console(config-erps)#rpl owner
    Console(config-erps)#...
  • Page 929: Table 113: Show Erps - Summary Display Description

    EXAMPLE
    This example displays a summary of all the ERPS rings configured on the switch.
    Console#show erps
    ERPS Status : Enabled
    Number of ERPS Domains
    Domain State MEL Enabled West East RPL Owner Ctrl VLAN
    ------------ ---------- --- ------- -------- -------- --------- ---------
    Idle 0 Yes Eth 1/12 Eth 1/10 Yes...
  • Page 930: Table 114: Show Erps Domain - Detailed Display Description

    WTR Timer : 5 minutes
    Control VLAN
    Propagate TC : Disabled
    Console#
    Table 114: show erps domain - detailed display description
    Field | Description
    Domain Name | The ERPS ring name.
    Admin Status | Shows if the specified ring is enabled.
    MEG Level | The maintenance entity group (MEG) level providing a communication channel for ring automatic protection switching...
  • Page 931: Table 115: Vlan Commands

    VLAN COMMANDS
    A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 932: GVRP and Bridge Extension Commands

    GVRP AND BRIDGE EXTENSION COMMANDS
    GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 933: Garp Timer

    garp timer
    This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
    SYNTAX
    garp timer {join | leave | leaveall} timer-value
    no garp timer {join | leave | leaveall}
    {join | leave | leaveall} - Timer to set.
  • Page 934: Switchport Forbidden Vlan

    switchport forbidden vlan
    This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
    SYNTAX
    switchport forbidden vlan {add vlan-list | remove vlan-list}
    no switchport forbidden vlan
    add vlan-list - List of VLAN identifiers to add.
  • Page 935: Show Bridge-Ext

    COMMAND USAGE
    GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport gvrp
    Console(config-if)#
    show bridge-ext
    This command shows the configuration for bridge extension commands.
    DEFAULT SETTING...
  • Page 936: Show Gvrp Configuration

    DEFAULT SETTING
    Shows all GARP timers.
    COMMAND MODE
    Normal Exec, Privileged Exec
    EXAMPLE
    Console#show garp timer ethernet 1/1
    Eth 1/ 1 GARP Timer Status:
    Join Timer : 20 centiseconds
    Leave Timer : 60 centiseconds
    Leave All Timer : 1000 centiseconds
    Console#
    RELATED...
  • Page 937: Editing Vlan Groups

    EDITING VLAN GROUPS
    Table 117: Commands for Editing VLAN Groups
    Command | Function | Mode
    vlan database | Enters VLAN database mode to add, change, and delete VLANs
    vlan | Configures a VLAN, including VID, name and state
    This command enters VLAN database mode.
  • Page 938: Vlan

    vlan
    This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
    SYNTAX
    vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
    no vlan vlan-id [name | state]
    vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
  • Page 939: Configuring Vlan Interfaces

    EXAMPLE
    The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
    Console(config)#vlan database
    Console(config-vlan)#vlan 105 name RD5 media ethernet
    Console(config-vlan)#
    RELATED COMMANDS
    show vlan (945)
    CONFIGURING VLAN INTERFACES...
  • Page 940: Switchport Acceptable-Frame-Types

    EXAMPLE
    The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.254 255.255.255.0
    Console(config-if)#
    RELATED COMMANDS
    shutdown (824)
    interface (818)
  • Page 941: Switchport Allowed Vlan

    switchport allowed vlan
    This command configures VLAN groups on the selected interface. Use the no form to restore the default.
    SYNTAX
    switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
    no switchport allowed vlan
    add vlan-list - List of VLAN identifiers to add.
  • Page 942: Switchport Ingress-Filtering

    switchport ingress-filtering
    This command enables ingress filtering for an interface. Use the no form to restore the default.
    SYNTAX
    [no] switchport ingress-filtering
    DEFAULT SETTING
    Disabled
    COMMAND MODE
    Interface Configuration (Ethernet, Port Channel)
    COMMAND USAGE
    Ingress filtering only affects tagged frames.
  • Page 943: switchport native vlan

    VLAN Commands | Configuring VLAN Interfaces
    the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
    Default Setting: All ports are in access mode with the PVID set to VLAN 1.
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: Access mode is mutually exclusive with VLAN trunking (see the...
  • Page 944: vlan-trunking

    VLAN Commands | Configuring VLAN Interfaces
    ◆ If acceptable frame types is set to all or switchport mode is set to hybrid, the PVID will be inserted into all untagged frames entering the ingress port.
    Example: The following example shows how to set the PVID for port 1 to VLAN 3:
      Console(config)#interface ethernet 1/1
      Console(config-if)#switchport native vlan 3
      Console(config-if)#...
  • Page 945: Displaying VLAN Information

    VLAN Commands | Displaying VLAN Information
    ◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see the switchport mode command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
  • Page 946: Configuring IEEE 802.1Q Tunneling

    VLAN Commands | Configuring IEEE 802.1Q Tunneling
    Default Setting: Shows all VLANs.
    Command Mode: Normal Exec, Privileged Exec
    Example: The following example shows how to display information for VLAN 1:
      Console#show vlan id 1
      VLAN ID:
      Type: Static
      Name: DefaultVlan
      Status: Active
      Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
  • Page 947: dot1q-tunnel system-tunnel-control

    VLAN Commands | Configuring IEEE 802.1Q Tunneling
    Create a SPVLAN (vlan).
    Configure the QinQ tunnel access port to dot1Q-tunnel access mode (switchport dot1q-tunnel mode).
    Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 948: switchport dot1q-tunnel mode

    VLAN Commands | Configuring IEEE 802.1Q Tunneling
    Example:
      Console(config)#dot1q-tunnel system-tunnel-control
      Console(config)#
    Related Commands: show dot1q-tunnel (951), show interfaces switchport (839)
    switchport dot1q-tunnel mode: This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
    Syntax:
      switchport dot1q-tunnel mode {access | uplink}...
  • Page 949: switchport dot1q-tunnel service match cvid

    VLAN Commands | Configuring IEEE 802.1Q Tunneling
    switchport dot1q-tunnel service match cvid: This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
    Syntax:
      switchport dot1q-tunnel service svid match cvid cvid [remove-ctag]
      svid - VLAN ID for the outer VLAN tag (Service Provider VID).
  • Page 950: switchport dot1q-tunnel tpid

    VLAN Commands | Configuring IEEE 802.1Q Tunneling
    Example: This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
      Console(config)#interface ethernet 1/1
      Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
      Console(config-if)#
    In the following examples, ports 1 and 2 are configured as follows:
      Port 1 = Access, PVID = 100, VLAN = 100(u), 101(u)
  • Page 951: show dot1q-tunnel

    VLAN Commands | Configuring IEEE 802.1Q Tunneling
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage:
    ◆ Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
  • Page 952: Configuring L2CP Tunneling

    VLAN Commands | Configuring L2CP Tunneling
      Console(config-if)#end
      Console#show dot1q-tunnel
      802.1Q Tunnel Status : Enabled
      Port     Mode   TPID (hex)
      -------- ------ ----------
      Eth 1/ 1 Access 8100
      Eth 1/ 2 Uplink 8100
      Eth 1/ 3 Normal 8100
      Console#show dot1q-tunnel interface ethernet 1/5
      802.1Q Tunnel Service Subscriptions
      Port Match C-VID S-VID Remove C-Tag...
  • Page 953

    VLAN Commands | Configuring L2CP Tunneling
    Default Setting: 01-12-CF-00-00-02, proprietary tunnel address
    Command Mode: Global Configuration
    Command Usage:
    ◆ When L2PT is not used, protocol packets (such as STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports.
  • Page 954

    VLAN Commands | Configuring L2CP Tunneling
    ◆ When a protocol packet is received on an access port (i.e., an 802.1Q trunk port connecting the edge switch to the local customer network)
      ■ with the destination address 01-80-C2-00-00-00,0B~0F (C-VLAN),
      ■ L2PT is enabled on the port, the frame is forwarded to all QinQ...
  • Page 955: switchport l2protocol-tunnel

    VLAN Commands | Configuring L2CP Tunneling
      ■ recognized as a GBPT protocol packet (i.e., having the destination address 01-00-0C-CD-CD-D0), and
      ■ L2PT is enabled on this port, it is forwarded to other access ports in the same S-VLAN for which L2PT is enabled
      ■ L2PT is disabled on this port, it is forwarded to the following...
  • Page 956: show l2protocol-tunnel

    VLAN Commands | Configuring Port-based Traffic Segmentation
    Example:
      Console(config)#dot1q-tunnel system-tunnel-control
      Console(config)#interface ethernet 1/1
      Console(config-if)#switchport dot1q-tunnel mode access
      Console(config-if)#switchport l2protocol-tunnel spanning-tree
      Console(config-if)#
    show l2protocol-tunnel: This command shows settings for Layer 2 Protocol Tunneling (L2PT).
    Command Mode: Privileged Exec
    Example:
      Console#show l2protocol-tunnel
      Layer 2 Protocol Tunnel
      Tunnel MAC Address : 01-12-CF-00-00-00
      Interface...
  • Page 957: show traffic-segmentation

    VLAN Commands | Configuring Port-based Traffic Segmentation
    Default Setting:
      Disabled globally
      No segmented port groups are defined.
    Command Mode: Global Configuration
    Command Usage:
    ◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s).
  • Page 958: Configuring Protocol-based VLANs

    VLAN Commands | Configuring Protocol-based VLANs
      Ethernet 1/8
      Console#
    Configuring Protocol-based VLANs
    The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 959: protocol-vlan protocol-group (Configuring Groups)

    VLAN Commands | Configuring Protocol-based VLANs
    protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
    Syntax:
      protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
      no protocol-vlan protocol-group group-id
      group-id - Group identifier of this protocol group.
  • Page 960: show protocol-vlan protocol-group

    VLAN Commands | Configuring Protocol-based VLANs
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage:
    ◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 961: show interfaces protocol-vlan protocol-group

    VLAN Commands | Configuring Protocol-based VLANs
    Example: This shows protocol group 1 configured for IP over Ethernet:
      Console#show protocol-vlan protocol-group
      Protocol Group ID  Frame Type    Protocol Type
      ------------------ ------------- ---------------
                         ethernet      08 00
      Console#
    show interfaces protocol-vlan protocol-group: This command shows the mapping from protocol groups to VLANs for the selected interfaces.
  • Page 962: Configuring IP Subnet VLANs

    VLAN Commands | Configuring IP Subnet VLANs
    Configuring IP Subnet VLANs
    When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
  • Page 963: show interfaces subnet-vlan

    VLAN Commands | Configuring IP Subnet VLANs
    ◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
  • Page 964: show subnet-vlan

    VLAN Commands | Configuring MAC Based VLANs
      Eth 1/9 192.168.12.255 255.255.255.255
      Console#
    show subnet-vlan: This command displays IP Subnet VLAN assignments.
    Command Mode: Privileged Exec
    Command Usage:
    ◆ Use this command to display subnet-to-VLAN mappings.
    ◆ The last matched entry is used if more than one entry can be matched...
  • Page 965: mac-vlan

    VLAN Commands | Configuring MAC Based VLANs
    mac-vlan: This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
    Syntax:
      mac-vlan mac-address mac-address vlan vlan-id [priority priority]
      no mac-vlan mac-address {mac-address | all}
      mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses.
  • Page 966: Configuring Voice VLANs

    VLAN Commands | Configuring Voice VLANs
    Example: The following example displays all configured MAC address-based VLANs.
      Console#show mac-vlan
      MAC Address       VLAN ID  Priority
      ----------------- -------- --------
      00-00-00-11-22-33
      Console#
    Configuring Voice VLANs
    The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic.
  • Page 967: voice vlan aging

    VLAN Commands | Configuring Voice VLANs
    Command Mode: Global Configuration
    Command Usage:
    ◆ When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality.
  • Page 968: voice vlan mac-address

    VLAN Commands | Configuring Voice VLANs
    Example: The following example configures the Voice VLAN aging time as 3000 minutes.
      Console(config)#voice vlan aging 3000
      Console(config)#
    voice vlan mac-address: This command specifies MAC address ranges to add to the OUI Telephony list...
  • Page 969: switchport voice vlan

    VLAN Commands | Configuring Voice VLANs
    switchport voice vlan: This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
    Syntax:
      switchport voice vlan {manual | auto}
      no switchport voice vlan
      manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 970: switchport voice vlan rule

    VLAN Commands | Configuring Voice VLANs
    Command Mode: Interface Configuration
    Command Usage: Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
    Example: The following example sets the CoS priority to 5 on port 1.
  • Page 971: switchport voice vlan security

    VLAN Commands | Configuring Voice VLANs
    Example: The following example enables the OUI method on port 1 for detecting VoIP traffic.
      Console(config)#interface ethernet 1/1
      Console(config-if)#switchport voice vlan rule oui
      Console(config-if)#
    switchport voice vlan security: This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
  • Page 972: Privileged Exec

    VLAN Commands | Configuring Voice VLANs
    Default Setting: None
    Command Mode: Privileged Exec
    Example:
      Console#show voice vlan status
      Global Voice VLAN Status
      Voice VLAN Status : Enabled
      Voice VLAN ID : 1234
      Voice VLAN aging time : 1440 minutes
      Voice VLAN Port Summary
      Port Mode Security Rule...
  • Page 973: Class Of Service Commands

    Class of Service Commands
    The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 974: queue mode

    Class of Service Commands | Priority Commands (Layer 2)
    queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
  • Page 975: queue weight

    Class of Service Commands | Priority Commands (Layer 2)
    ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
  • Page 976: switchport priority default

    Class of Service Commands | Priority Commands (Layer 2)
    Example: The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7.
      Console(config)#queue weight 1 2 3 4 5 6 7 8
      Console(config)#
    Related Commands...
  • Page 977: show queue mode

    Class of Service Commands | Priority Commands (Layer 2)
    Example: The following example shows how to set a default priority on port 3 to 5:
      Console(config)#interface ethernet 1/3
      Console(config-if)#switchport priority default 5
      Console(config-if)#
    Related Commands: show interfaces switchport (839)
    This command shows the current queue mode.
  • Page 978: Priority Commands (Layer 3 and 4)

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    Priority Commands (Layer 3 and 4)
    This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
    Table 129: Priority Commands (Layer 3 and 4)
      Command Function Mode...
  • Page 979: Table 130: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    Default Setting:
    Table 130: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
      (0,0) (0,0) (1,0) (1,0) (2,0) (2,0) (3,0) (3,0) (4,0) (4,0) (5,0) (5,0) (6,0) (6,0) (7,0) (7,0)
    Command Mode: Interface Configuration (Port, Static Aggregation)
    Command...
  • Page 980: qos map dscp-mutation

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    qos map dscp-mutation: This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
    Syntax:
      qos map dscp-mutation phb drop-precedence from dscp0 ...
  • Page 981: qos map phb-queue

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
    ◆ Random Early Detection starts dropping yellow and red packets when...
  • Page 982: qos map trust-mode

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    Example:
      Console(config)#interface ethernet 1/5
      Console(config-if)#qos map phb-queue 0 from 1 2 3
      Console(config-if)#
    qos map trust-mode: This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
  • Page 983: show qos map cos-dscp

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    show qos map cos-dscp: This command shows ingress CoS/CFI to internal DSCP map.
    Syntax:
      show qos map cos-dscp interface interface
      interface
        ethernet unit/port
          unit - Unit identifier. (Range: 1)
          port - Port number.
  • Page 984: show qos map phb-queue

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    Example: The ingress DSCP is composed of “d1” (most significant digit in the left column) and “d2” (least significant digit in the top row); in other words, ingress DSCP = d1 * 10 + d2. The corresponding Internal DSCP and drop precedence is shown at the intersecting cell in the table.
  • Page 985: show qos map trust-mode

    Class of Service Commands | Priority Commands (Layer 3 and 4)
    show qos map trust-mode: This command shows the QoS mapping mode.
    Syntax:
      show qos map trust-mode interface interface
      interface
        ethernet unit/port
          unit - Unit identifier. (Range: 1)
          port - Port number.
  • Page 987: Quality Of Service Commands

    Quality of Service Commands
    The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 988: Class-Map

    Quality of Service Commands
    To create a service policy for a specific category of ingress traffic, follow these steps:
    Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
    Use the match command to select a specific type of traffic based on an...
  • Page 989: Description

    Quality of Service Commands
    Command Usage:
    ◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. One or more class maps can be assigned to a policy map (page 992).
  • Page 990: Match

    Quality of Service Commands
    match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
    Syntax:
      [no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | source-port interface | vlan vlan}
      acl-name - Name of the access control list.
  • Page 991: Rename

    Quality of Service Commands
    Example: This example creates a class map called “rd-class#1,” and sets it to match packets marked for DSCP service value 3.
      Console(config)#class-map rd-class#1 match-any
      Console(config-cmap)#match ip dscp 3
      Console(config-cmap)#
    This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
  • Page 992: Policy-Map

    Quality of Service Commands
    policy-map: This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.
    Syntax:
      [no] policy-map policy-map-name
      policy-map-name - Name of the policy map. (Range: 1-16 characters)
    Default Setting...
  • Page 993

    Quality of Service Commands
    Default Setting: None
    Command Mode: Policy Map Configuration
    Command Usage:
    ◆ Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the:
      set phb command sets the per-hop behavior value in matching...
  • Page 994: Police Flow

    Quality of Service Commands
    police flow: This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer.
    Syntax:
      [no] police flow committed-rate committed-burst conform-action transmit violate-action {drop | new-dscp}
      committed-rate - Committed information rate (CIR) in kilobits per second.
  • Page 995: Police Srtcm-Color

    Quality of Service Commands
    ◆ The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR – Committed Information Rate), and the maximum size of the token bucket (BC – Committed Burst Size).
  • Page 996

    Quality of Service Commands
      committed-burst - Committed burst size (BC) in bytes. (Range: 4000-16000000 at a granularity of 4k bytes)
      excess-burst - Excess burst size (BE) in bytes. (Range: 4000-1600000 at a granularity of 4k bytes)
      conform-action - Action to take when rate is within the CIR and BC.
  • Page 997

    Quality of Service Commands
    maximum size of the token bucket C is BC and the maximum size of the token bucket E is BE. The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE.
  • Page 998: Police Trtcm-Color

    Quality of Service Commands
    police trtcm-color: This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
    Syntax:
      [no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}...
  • Page 999

    Quality of Service Commands
    ◆ The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes.
    ◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP).
  • Page 1000: set cos

    Quality of Service Commands
    Example: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark...
  • Page 1001: set ip dscp

    Quality of Service Commands
    Example: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 1002: set phb

    Quality of Service Commands
    set phb: This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting.
    Syntax:
      [no] set phb phb-value
      phb-value - Per-hop behavior value.
