Edge-Core ES3528MV2 Management Manual

Edge-core 28-port fast ethernet layer 2 switch

ES3528MV2
Management Guide
ES3528MV2-DC
28-Port Fast Ethernet
Layer 2 Switch
www.edge-core.com

Summary of Contents for Edge-Core ES3528MV2

  • Page 1 ES3528MV2 Management Guide ES3528MV2-DC 28-Port Fast Ethernet Layer 2 Switch www.edge-core.com...
  • Page 3 MANAGEMENT GUIDE ES3528MV2 FAST ETHERNET SWITCH Layer 2 Switch with 24 10/100BASE-TX (RJ-45) Ports, and 4 Gigabit Combination Ports (RJ-45/SFP) ES3528MV2-DC FAST ETHERNET SWITCH Layer 2 Switch with DC power input with 24 10/100BASE-TX (RJ-45) Ports, and 4 Gigabit Combination Ports (RJ-45/SFP)
  • Page 5: About This Guide

    ABOUT THIS GUIDE PURPOSE This guide gives specific information on how to operate and use the management functions of the switch. AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 6 ABOUT THIS GUIDE REVISION HISTORY This section summarizes the changes in each revision of this guide. NOVEMBER 2013 REVISION This is the third version of this guide. This guide is valid for software release v1.4.0.0. It includes the following updates to the manual: Updated parameter ranges under "Configuring The Console Port"...
  • Page 7 ABOUT THIS GUIDE ◆ Updated default settings and added “MED-Location Civic Address” parameter under "Configuring LLDP Interface Attributes" on page 427. ◆ Added the section "Configuring LLDP Interface Civic-Address" on page 430. ◆ Added parameters for Port Details under "Displaying LLDP Remote...
  • Page 8 ABOUT THIS GUIDE ◆ Updated syntax for the command "delete" on page 723. ◆ Updated range for the command "exec-timeout" on page 730. ◆ Added the command "terminal" on page 737. ◆ Updated parameter options for the command "snmp-server enable traps" on page 778.
  • Page 9 ABOUT THIS GUIDE ◆ Added the command "clear access-list hardware counters" on page 973. ◆ Updated description of parameters for the command "capabilities" on page 977. ◆ Added the command "discard" on page 979. ◆ Added description of seven new DDM commands beginning...
  • Page 10 ABOUT THIS GUIDE ◆ Added new section "MLD Snooping" on page 1239. ◆ Added new section "MLD Filtering and Throttling" on page 1249. ◆ Updated range for the command "mvr priority" on page 1262. ◆ Added commands "clear mvr groups dynamic" on page 1269 "clear...
  • Page 11: Table Of Contents

    CONTENTS ABOUT THIS GUIDE CONTENTS FIGURES TABLES SECTION I GETTING STARTED INTRODUCTION Key Features Description of Software Features System Defaults INITIAL SWITCH CONFIGURATION Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Downloading a Configuration File Referenced by a DHCP Server Enabling SNMP Management Access Managing System Files...
  • Page 12 CONTENTS Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu BASIC MANAGEMENT TASKS Displaying System Information Displaying Hardware/Software Versions Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting the Start-up File Showing System Files...
  • Page 13 CONTENTS Configuring Transceiver Thresholds Performing Cable Diagnostics Trunk Configuration Configuring a Static Trunk Configuring a Dynamic Trunk Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Configuring Load Balancing Saving Power Traffic Segmentation Enabling Traffic Segmentation...
  • Page 14 CONTENTS Configuring MAC Address Mirroring SPANNING TREE ALGORITHM Overview Configuring Loopback Detection Configuring Global Settings for STA Displaying Global Settings for STA Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP CONGESTION CONTROL Rate Limiting...
  • Page 15 CONTENTS 13 SECURITY MEASURES AAA Authorization and Accounting Configuring Local/Remote Logon Authentication Configuring Remote Logon Authentication Servers Configuring AAA Accounting Configuring AAA Authorization Configuring User Accounts Web Authentication Configuring Global Settings for Web Authentication Configuring Interface Settings for Web Authentication Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports...
  • Page 16 CONTENTS ARP Inspection Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Configuring Interface Settings for ARP Inspection Displaying ARP Inspection Statistics Displaying the ARP Inspection Log Filtering IP Addresses for Management Access Configuring Port Security Configuring 802.1X Port Authentication Configuring 802.1X Global Settings Configuring Port Authenticator Settings for 802.1X Configuring Port Supplicant Settings for 802.1X...
  • Page 17 CONTENTS Displaying LLDP Local Device Information Displaying LLDP Remote Device Information Displaying Device Statistics Simple Network Management Protocol Configuring Global Settings for SNMP Setting the Local Engine ID Specifying a Remote Engine ID Setting SNMPv3 Views Configuring SNMPv3 Groups Setting Community Access Strings Configuring Local SNMPv3 Users Configuring Remote SNMPv3 Users Specifying Trap Managers...
  • Page 18 CONTENTS Transmitting Loop Back Messages Transmitting Delay-Measure Requests Displaying Local MEPs Displaying Details for Local MEPs Displaying Local MIPs Displaying Remote MEPs Displaying Details for Remote MEPs Displaying the Link Trace Cache Displaying Fault Notification Settings Displaying Continuity Check Errors OAM Configuration Enabling OAM on Local Ports Displaying Statistics for OAM Messages...
  • Page 19 CONTENTS 16 IP SERVICES Domain Name Service Configuring General DNS Service Parameters Configuring a List of Domain Names Configuring a List of Name Servers Configuring Static DNS Host to Address Entries Displaying the DNS Cache Dynamic Host Configuration Protocol Specifying A DHCP Client Identifier Configuring DHCP Relay Option 82 Configuring the PPPoE Intermediate Agent...
  • Page 20 CONTENTS Configuring MVR Domain Settings Configuring MVR Group Address Profiles Configuring MVR Interface Status Assigning Static MVR Multicast Groups to Interfaces Displaying MVR Receiver Groups Displaying MVR Statistics Multicast VLAN Registration for IPv6 Configuring MVR6 Global Settings Configuring MVR6 Domain Settings Configuring MVR6 Group Address Profiles Configuring MVR6 Interface Status Assigning Static MVR6 Multicast Groups to Interfaces...
  • Page 21 CONTENTS reload (Global Configuration) enable quit show history configure disable reload (Privileged Exec) show reload exit 20 SYSTEM MANAGEMENT COMMANDS Device Designation hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number...
  • Page 22 CONTENTS show watchdog watchdog software Frame Size jumbo frame File Management General Commands boot system copy delete whichboot Automatic Code Upgrade Commands upgrade opcode auto upgrade opcode path upgrade opcode reload show upgrade Line line databits exec-timeout login parity password password-thresh silent-time speed...
  • Page 23 CONTENTS logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands sntp client sntp poll sntp server show sntp NTP Commands ntp authenticate ntp authentication-key ntp client...
  • Page 24 CONTENTS Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 21 SNMP COMMANDS General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host snmp-server enable port-traps mac-notification show snmp-server enable port-traps...
  • Page 25 CONTENTS Additional Trap Commands memory process cpu 22 REMOTE MONITORING COMMANDS rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 23 SFLOW SAMPLING COMMANDS sflow owner sflow polling instance sflow sampling instance show sflow...
  • Page 26 CONTENTS tacacs-server key tacacs-server port tacacs-server retransmit tacacs-server timeout show tacacs-server aaa accounting commands aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting commands accounting exec authorization exec show accounting Web Server ip http port ip http server...
  • Page 27 CONTENTS ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication General Commands dot1x default dot1x eapol-pass-through dot1x system-auth-control Authenticator Commands dot1x intrusion-action dot1x max-reauth-req dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period...
  • Page 28 CONTENTS pppoe intermediate-agent port-enable pppoe intermediate-agent port-format-type pppoe intermediate-agent trust pppoe intermediate-agent vendor-tag strip clear pppoe intermediate-agent statistics show pppoe intermediate-agent info show pppoe intermediate-agent statistics 25 GENERAL SECURITY MEASURES Port Security mac-learning port security port security mac-address-as-permanent show port security Network Access (MAC Address Authentication) network-access aging network-access mac-filter...
  • Page 29 CONTENTS web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary DHCPv4 Snooping ip dhcp snooping ip dhcp snooping information option ip dhcp snooping information policy ip dhcp snooping limit rate ip dhcp snooping verify mac-address ip dhcp snooping vlan ip dhcp snooping information option circuit-id...
  • Page 30 CONTENTS ip source-guard max-binding ip source-guard mode clear ip source-guard binding blocked show ip source-guard show ip source-guard binding IPv6 Source Guard ipv6 source-guard binding ipv6 source-guard ipv6 source-guard max-binding show ipv6 source-guard show ipv6 source-guard binding ARP Inspection ip arp inspection ip arp inspection filter ip arp inspection log-buffer logs ip arp inspection validate...
  • Page 31 CONTENTS traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 26 ACCESS CONTROL LISTS IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list IPv6 ACLs access-list ipv6 permit, deny (Standard IPv6 ACL) permit, deny (Extended IPv6 ACL) ipv6 access-group...
  • Page 32 CONTENTS alias capabilities description discard flowcontrol media-type negotiation shutdown speed-duplex clear counters show discard show interfaces brief show interfaces counters show interfaces status show interfaces switchport Transceiver Threshold Configuration transceiver-threshold-auto transceiver-monitor transceiver-threshold current transceiver-threshold rx-power transceiver-threshold temperature transceiver-threshold tx-power transceiver-threshold voltage show interfaces transceiver show interfaces transceiver-threshold Cable Diagnostics...
  • Page 33 CONTENTS Dynamic Configuration Commands 1006 lacp 1006 lacp admin-key (Ethernet Interface) 1008 lacp port-priority 1009 lacp system-priority 1010 lacp admin-key (Port Channel) 1010 lacp timeout 1011 Trunk Status Display Commands 1012 show lacp 1012 show port-channel load-balance 1015 29 PORT MIRRORING COMMANDS 1017...
  • Page 34 CONTENTS SNMP Trap Commands 1040 snmp-server enable port-traps atc broadcast-alarm-clear 1040 snmp-server enable port-traps atc broadcast-alarm-fire 1040 snmp-server enable port-traps atc broadcast-control-apply 1041 snmp-server enable port-traps atc broadcast-control-release 1041 snmp-server enable port-traps atc multicast-alarm-clear 1042 snmp-server enable port-traps atc multicast-alarm-fire 1042 snmp-server enable port-traps atc multicast-control-apply 1043...
  • Page 35 CONTENTS spanning-tree hello-time 1068 spanning-tree max-age 1069 spanning-tree mode 1069 spanning-tree pathcost method 1071 spanning-tree priority 1071 spanning-tree mst configuration 1072 spanning-tree system-bpdu-flooding 1073 spanning-tree transmission-limit 1073 max-hops 1074 mst priority 1074 mst vlan 1075 name 1076 revision 1076 spanning-tree bpdu-filter 1077 spanning-tree bpdu-guard 1078...
  • Page 36 CONTENTS control-vlan 1096 enable 1097 guard-timer 1098 holdoff-timer 1098 major-domain 1099 meg-level 1100 mep-monitor 1100 node-id 1101 non-erps-dev-protect 1102 non-revertive 1103 propagate-tc 1107 raps-def-mac 1108 raps-without-vc 1108 ring-port 1110 rpl neighbor 1111 rpl owner 1112 version 1113 wtr-timer 1114 clear erps statistics 1114 erps clear 1115...
  • Page 37 CONTENTS Configuring VLAN Interfaces 1133 interface vlan 1133 switchport acceptable-frame-types 1134 switchport allowed vlan 1135 switchport ingress-filtering 1136 switchport mode 1136 switchport native vlan 1137 vlan-trunking 1138 Displaying VLAN Information 1139 show vlan 1139 Configuring IEEE 802.1Q Tunneling 1140 dot1q-tunnel system-tunnel-control 1141 switchport dot1q-tunnel mode 1142...
  • Page 38 CONTENTS voice vlan aging 1162 voice vlan mac-address 1163 switchport voice vlan 1164 switchport voice vlan priority 1165 switchport voice vlan rule 1165 switchport voice vlan security 1166 show voice vlan 1167 37 CLASS OF SERVICE COMMANDS 1169 Priority Commands (Layer 2) 1169 queue mode 1170...
  • Page 39 CONTENTS service-policy 1199 show class-map 1199 show policy-map 1200 show policy-map interface 1201 39 MULTICAST FILTERING COMMANDS 1203 IGMP Snooping 1204 ip igmp snooping 1205 ip igmp snooping priority 1206 ip igmp snooping proxy-reporting 1206 ip igmp snooping querier 1207 ip igmp snooping router-alert-option-check 1207...
  • Page 40 CONTENTS IGMP Filtering and Throttling 1227 ip igmp filter (Global Configuration) 1228 ip igmp profile 1229 permit, deny 1229 range 1230 ip igmp authentication 1230 ip igmp filter (Interface Configuration) 1232 ip igmp max-groups 1233 ip igmp max-groups action 1233 ip igmp query-drop 1234 ip multicast-data-drop...
  • Page 41 CONTENTS MLD Filtering and Throttling 1249 ipv6 mld filter (Global Configuration) 1250 ipv6 mld profile 1251 permit, deny 1251 range 1252 ipv6 mld filter (Interface Configuration) 1252 ipv6 mld max-groups 1253 ipv6 mld max-groups action 1254 ipv6 mld query-drop 1254 ipv6 multicast-data-drop 1255 show ipv6 mld filter...
  • Page 42 CONTENTS show mvr statistics 1275 MVR for IPv6 1277 mvr6 associated-profile 1278 mvr6 domain 1279 mvr6 profile 1279 mvr6 proxy-query-interval 1280 mvr6 proxy-switching 1281 mvr6 robustness-value 1282 mvr6 source-port-mode dynamic 1283 mvr6 upstream-source-ip 1283 mvr6 vlan 1284 mvr6 immediate-leave 1285 mvr6 type 1285 mvr6 vlan group...
  • Page 43 CONTENTS lldp dot1-tlv proto-ident 1304 lldp dot1-tlv proto-vid 1305 lldp dot1-tlv pvid 1305 lldp dot1-tlv vlan-name 1306 lldp dot3-tlv link-agg 1306 lldp dot3-tlv mac-phy 1307 lldp dot3-tlv max-frame 1307 lldp med-location civic-addr 1308 lldp med-notification 1309 lldp med-tlv inventory 1310 lldp med-tlv location 1311 lldp med-tlv med-cap...
  • Page 44 CONTENTS show ethernet cfm maintenance-points remote detail 1337 Continuity Check Operations 1339 ethernet cfm cc ma interval 1339 ethernet cfm cc enable 1340 snmp-server enable traps ethernet cfm cc 1341 mep archive-hold-time 1342 clear ethernet cfm maintenance-points remote 1342 clear ethernet cfm errors 1343 show ethernet cfm errors 1343...
  • Page 45 CONTENTS efm oam link-monitor frame window 1364 efm oam mode 1365 clear efm oam counters 1366 clear efm oam event-log 1366 efm oam remote-loopback 1367 efm oam remote-loopback test 1368 show efm oam counters interface 1369 show efm oam event-log interface 1369 show efm oam remote-loopback interface 1371...
  • Page 46 CONTENTS ip dhcp relay information policy 1393 show ip dhcp relay 1394 45 IP INTERFACE COMMANDS 1395 IPv4 Interface 1395 Basic IPv4 Configuration 1396 ip address 1396 ip default-gateway 1398 show ip default-gateway 1398 show ip interface 1399 show ip traffic 1399 traceroute 1400...
  • Page 47 CONTENTS ipv6 nd reachable-time 1427 clear ipv6 neighbors 1428 show ipv6 nd raguard 1428 show ipv6 neighbors 1429 ND Snooping 1430 ipv6 nd snooping 1431 ipv6 nd snooping auto-detect 1432 ipv6 nd snooping auto-detect retransmit count 1433 ipv6 nd snooping auto-detect retransmit interval 1434 ipv6 nd snooping prefix timeout 1434...
  • Page 49: Figures

    FIGURES Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 50 FIGURES Figure 32: Configuring Local Port Mirroring Figure 33: Configuring Local Port Mirroring Figure 34: Displaying Local Port Mirror Sessions Figure 35: Configuring Remote Port Mirroring Figure 36: Configuring Remote Port Mirroring (Source) Figure 37: Configuring Remote Port Mirroring (Intermediate) Figure 38: Configuring Remote Port Mirroring (Destination) Figure 39: Showing Port Statistics (Table) Figure 40: Showing Port Statistics (Chart)
  • Page 51 FIGURES Figure 68: Creating Static VLANs Figure 69: Modifying Settings for Static VLANs Figure 70: Showing Static VLANs Figure 71: Configuring Static Members by VLAN Index Figure 72: Configuring Static VLAN Members by Interface Figure 73: Configuring Static VLAN Members by Interface Range Figure 74: Configuring Global Status of GVRP Figure 75: Configuring GVRP for an Interface Figure 76: Showing Dynamic VLANs Registered on the Switch...
  • Page 52 FIGURES Figure 104: STP Root Ports and Designated Ports Figure 105: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree Figure 106: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree Figure 107: Configuring Port Loopback Detection Figure 108: Configuring Global Settings for STA (STP) Figure 109: Configuring Global Settings for STA (RSTP) Figure 110: Configuring Global Settings for STA (MSTP) Figure 111: Displaying Global Settings for STA...
  • Page 53 FIGURES Figure 140: Configuring a Class Map Figure 141: Showing Class Maps Figure 142: Adding Rules to a Class Map Figure 143: Showing the Rules for a Class Map Figure 144: Configuring a Policy Map Figure 145: Showing Policy Maps Figure 146: Adding Rules to a Policy Map Figure 147: Showing the Rules for a Policy Map Figure 148: Attaching a Policy Map to a Port...
  • Page 54 FIGURES Figure 176: Configuring Interface Settings for Network Access Figure 177: Configuring Link Detection for Network Access Figure 178: Configuring a MAC Address Filter for Network Access Figure 179: Showing the MAC Address Filter Table for Network Access Figure 180: Showing Addresses Authenticated for Network Access Figure 181: Configuring HTTPS Figure 182: Downloading the Secure-Site Certificate Figure 183: Configuring the SSH Server...
  • Page 55 FIGURES Figure 212: Configuring Port Security Figure 213: Configuring Port Security Figure 214: Configuring Global Settings for 802.1X Port Authentication Figure 215: Configuring Interface Settings for 802.1X Port Authenticator Figure 216: Configuring Interface Settings for 802.1X Port Supplicant Figure 217: Showing Statistics for 802.1X Port Authenticator Figure 218: Showing Statistics for 802.1X Port Supplicant Figure 219: Protecting Against DoS Attacks Figure 220: Setting the Filter Type for IP Source Guard...
  • Page 56 FIGURES Figure 248: Configuring the Local Engine ID for SNMP Figure 249: Configuring a Remote Engine ID for SNMP Figure 250: Showing Remote Engine IDs for SNMP Figure 251: Creating an SNMP View Figure 252: Showing SNMP Views Figure 253: Adding an OID Subtree to an SNMP View Figure 254: Showing the OID Subtree Configured for SNMP Views Figure 255: Creating an SNMP Group Figure 256: Showing SNMP Groups...
  • Page 57 FIGURES Figure 284: Managing a Cluster Member Figure 285: ERPS Ring Components Figure 286: Ring Interconnection Architecture (Multi-ring/Ladder Network) Figure 287: Setting ERPS Global Status Figure 288: Sub-ring with Virtual Channel Figure 289: Sub-ring without Virtual Channel Figure 290: Creating an ERPS Ring Figure 291: Creating an ERPS Ring Figure 292: Showing Configured ERPS Rings Figure 293: Blocking an ERPS Ring Port...
  • Page 58 FIGURES Figure 320: Displaying Statistics for OAM Messages Figure 321: Displaying the OAM Event Log Figure 322: Displaying Status of Remote Interfaces Figure 323: Running a Remote Loop Back Test Figure 324: Displaying the Results of Remote Loop Back Testing Figure 325: Pinging a Network Device Figure 326: Tracing the Route to a Network Device Figure 327: Setting the ARP Timeout...
  • Page 59 FIGURES Figure 356: Showing PPPoE Intermediate Agent Statistics Figure 357: Multicast Filtering Concept Figure 358: Configuring General Settings for IGMP Snooping Figure 359: Configuring a Static Interface for a Multicast Router Figure 360: Showing Static Interfaces Attached to a Multicast Router Figure 361: Showing Current Interfaces Attached to a Multicast Router Figure 362: Assigning an Interface to a Multicast Service Figure 363: Showing Static Interfaces Assigned to a Multicast Service...
  • Page 60 FIGURES Figure 392: Showing the MVR Group Address Profiles Assigned to a Domain Figure 393: Configuring Interface Settings for MVR Figure 394: Assigning Static MVR Groups to a Port Figure 395: Showing the Static MVR Groups Assigned to a Port Figure 396: Displaying MVR Receiver Groups Figure 397: Displaying MVR Statistics...
  • Page 61: Tables

    TABLES Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Remote Device Configuration Information Table 11: Traffic Segmentation Forwarding...
  • Page 62 TABLES Table 32: ERPS Request/State Priority Table 33: Remote MEP Priority Levels Table 34: MEP Defect Descriptions Table 35: OAM Operation State Table 36: OAM Operation State Table 37: Address Resolution Protocol Table 38: Show IPv6 Neighbors - display description Table 39: Show IPv6 Statistics - display description Table 40: Show MTU - display description Table 41: General Command Modes...
  • Page 63 TABLES Table 68: RMON Commands Table 69: sFlow Commands Table 70: Authentication Commands Table 71: User Access Commands Table 72: Default Login Settings Table 73: Authentication Sequence Commands Table 74: RADIUS Client Commands Table 75: TACACS+ Client Commands Table 76: AAA Commands Table 77: Web Server Commands Table 78: HTTPS System Support Table 79: Telnet Server Commands...
  • Page 64 TABLES Table 104: MAC ACL Commands Table 105: ARP ACL Commands Table 106: ACL Information Commands Table 107: Interface Commands Table 108: show interfaces switchport - display description Table 109: Link Aggregation Commands 1003 Table 110: show lacp counters - display description 1013 Table 111: show lacp internal - display description 1013...
  • Page 65 TABLES Table 140: VLAN Translation Commands 1151 Table 141: Protocol-based VLAN Commands 1153 Table 142: IP Subnet VLAN Commands 1157 Table 143: MAC Based VLAN Commands 1159 Table 144: Voice VLAN Commands 1161 Table 145: Priority Commands 1169 Table 146: Priority Commands (Layer 2) 1169 Table 147: Priority Commands (Layer 3 and 4) 1174...
  • Page 66 TABLES Table 176: LLDP MED Location CA Types 1308 Table 177: CFM Commands 1319 Table 178: show ethernet cfm configuration traps - display description 1333 Table 179: show ethernet cfm maintenance-points local detail mep - display 1336 Table 180: show ethernet cfm maintenance-points remote detail - display 1338 Table 181: show ethernet cfm errors - display description 1344...
  • Page 67: Section I

    SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 69...
  • Page 69: Key Features

    INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 70: Description Of Software Features

    | Introduction CHAPTER Description of Software Features Table 1: Key Features (Continued) Feature Description Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP) Virtual LANs Up to 4094 using IEEE 802.1Q, port-based, protocol-based, voice VLANs, and QinQ tunnel...
  • Page 71 | Introduction CHAPTER Description of Software Features 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).
  • Page 72 | Introduction CHAPTER Description of Software Features STORM CONTROL Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted. If traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
  • Page 73 | Introduction CHAPTER Description of Software Features 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
  • Page 74 | Introduction CHAPTER Description of Software Features frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network. TRAFFIC PRIORITIZATION This switch prioritizes each packet based on the required level of service, using eight priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing.
  • Page 75: System Defaults

    | Introduction CHAPTER System Defaults LINK LAYER DISCOVERY PROTOCOL LLDP is used to discover basic information about neighboring devices within the local broadcast domain. LLDP is a Layer 2 protocol that advertises information about the sending device and collects information gathered from neighboring network nodes it discovers. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 76 | Introduction CHAPTER System Defaults Table 2: System Defaults (Continued) Function Parameter Default Authentication (continued) IP Filtering Disabled DHCP Snooping Disabled Web Management HTTP Server Enabled HTTP Port Number HTTP Secure Server Enabled HTTP Secure Server Port SNMP SNMP Agent Enabled Community Strings “public”...
  • Page 77 | Introduction CHAPTER System Defaults Table 2: System Defaults (Continued) Function Parameter Default Traffic Prioritization Ingress Port Priority Queue Mode Queue Weight Queue: 0 1 2 3 4 Weight: 1 2 4 6 8 10 12 14 Class of Service Enabled IP Precedence Priority Disabled...
  • Page 79: Initial Switch Configuration

    INITIAL SWITCH CONFIGURATION This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 80: Required Connections

    | Initial Switch Configuration CHAPTER Connecting to the Switch ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration ◆ Configure IGMP multicast filtering ◆ Upload and download system firmware or configuration files via HTTP...
  • Page 81: Remote Connections

    | Initial Switch Configuration CHAPTER Basic Configuration Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see "Using the Command Line Interface" on page 679. For a list of all the CLI commands and detailed information on using the CLI, refer to "CLI Command Groups"...
  • Page 82: Setting Passwords

    Console(config)#username admin password 0 [password] Console(config)# * This manual covers the ES3528MV2 and ES3528MV2-DC switches. There are no significant differences in the user interface for these switches, so all of the screen display examples are based on the ES3528MV2.
  • Page 83: Setting An IP Address

    | Initial Switch Configuration CHAPTER Basic Configuration SETTING AN IP ADDRESS You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: ◆ Manual — You have to input the information, including IP address and...
  • Page 84 | Initial Switch Configuration CHAPTER Basic Configuration To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)#exit...
  • Page 85 | Initial Switch Configuration CHAPTER Basic Configuration IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds Console# Address for Multi-segment Network —...
  • Page 86 | Initial Switch Configuration CHAPTER Basic Configuration IPv6 is enabled. Link-local address: FE80::260:3EFF:FE11:6700/64 Global unicast address(es): 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 Joined group address(es): FF02::1:FF00:0 FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds...
  • Page 87 | Initial Switch Configuration CHAPTER Basic Configuration Type “end” to return to the Privileged Exec mode. Press <Enter>. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.”...
  • Page 88 | Initial Switch Configuration CHAPTER Basic Configuration ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds Console# Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages.
  • Page 89: Downloading A Configuration File Referenced By Adhcp Server

    Chapter: Initial Switch Configuration | Basic Configuration. Downloading a Configuration File Referenced by a DHCP Server: Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration...
  • Page 90: Enabling Snmp Management Access

    Enabling SNMP Management Access: Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the...
  • Page 91 Chapter: Initial Switch Configuration | Basic Configuration. requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred. The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients.
  • Page 92 Chapter: Initial Switch Configuration | Basic Configuration. Trap Receivers: You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...
  • Page 93: Managing System Files

    Chapter: Initial Switch Configuration | Managing System Files. Managing System Files: The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 94 Chapter: Initial Switch Configuration | Managing System Files. contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup”...
  • Page 95: Section: Web Configuration

    Section: Web Configuration. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 97 ◆ "Basic Management Tasks" on page 117 ◆...
  • Page 97: Using The Web Interface

    Using the Web Interface: This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions).
  • Page 98: Navigating The Web Browser Interface

    Ethernet switches. There are no significant differences in the user interface for these switches, so all of the screen display examples are based on the ES3528MV2. The panel graphics for both switch types are shown on the following page. You can open a connection to the vendor’s web site by clicking on the Edge-Core logo.
  • Page 99: Configuration Options

    Display: set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Figure 2: Front Panel Indicators (ES3528MV2, ES3528MV2-DC)
  • Page 100: Main Menu

    Chapter: Using the Web Interface | Navigating the Web Browser Interface. Main Menu: Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu (columns: Menu, Description, Page)...
  • Page 101 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Interface > Port > General: Configure by Port List – Configures connection settings per port; Configure by Port Range – Configures connection settings for a range of ports; Show Information – Displays port connection status. Mirror...
  • Page 102 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Neighbors – Displays configuration settings and operational state for the remote side of a link aggregation. Configure Trunk: Configure – Configures connection settings; Show – Displays port connection status; Show Member...
  • Page 103 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Configure Interface – Maps a protocol group to a VLAN; Show – Shows the protocol groups mapped to each VLAN. IP Subnet – Maps IP subnet traffic to a VLAN; Show – Shows IP subnet to VLAN mapping...
  • Page 104 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). MSTP – Multiple Spanning Tree Algorithm. Configure Global – Configures initial VLAN and priority for an MST instance; Modify – Configures the priority of an MST instance; Show – Configures global settings for an MST instance; Add Member...
  • Page 105 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Show – Shows configured class maps; Modify – Modifies the name of a class map; Add Rule – Configures the criteria used to classify ingress traffic; Show Rule – Shows the traffic classification rules for a class map. Configure Policy...
  • Page 106 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Configure Service – Sets the accounting method applied to specific interfaces for 802.1X, CLI command privilege levels for the console port, and for Telnet; Show Information – Summary...
  • Page 107 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Configure Host Key: Generate – Generates the host key pair (public and private); Show – Displays RSA and DSA host keys; deletes host keys. Configure User Key: Copy – Imports user public keys from TFTP server...
  • Page 108 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Show – Shows the addresses to be allowed management access. Port Security – Configures per port security, including status, response for security breach, and maximum allowed MAC addresses. Port Authentication – IEEE 802.1X. Configure Global...
  • Page 109 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Port/Trunk Details – Displays detailed information about a remote device connected to this switch. Show Device Statistics: General – Displays statistics for all connected remote devices; Port/Trunk – Displays statistics for remote devices on a selected port or trunk. SNMP...
  • Page 110 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). RMON – Remote Monitoring. Configure Global: Alarm – Sets threshold bounds for a monitored variable; Event – Creates a response event for an alarm. Show: Alarm – Shows all configured alarms...
  • Page 111 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Configure Details – Configures the archive hold time and fault notification settings; Show – Shows list of configured maintenance domains. Configure MA – Configure Maintenance Associations: Defines a unique CFM service instance, identified by its parent MD, the MA index, the VLAN assigned to the MA, and the MIP creation...
  • Page 112 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Remote Loopback – Performs a loopback test on the specified port. General: Ping – Sends ICMP echo request packets to another node on the network; Trace Route – Shows the route packets take to the specified destination...
  • Page 113 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). DHCP – Dynamic Host Configuration Protocol. Client – Specifies the DHCP client identifier for an interface; Relay – Configures DHCP relay service for attached host devices, including DHCP option 82 information, and relay servers. Snooping: Configure Global...
  • Page 114 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Filter: Configure General – Enables IGMP filtering for the switch; Configure Profile – Adds IGMP filter profile, and sets access mode; Show – Shows configured IGMP filter profiles; Add Multicast Group Range – Assigns multicast groups to selected profile...
  • Page 115 Chapter: Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued). Configure Static Group Member – Statically assigns MVR multicast streams to an interface; Show – Shows MVR multicast streams assigned to an interface; Show Member – Shows the multicast groups assigned to an MVR VLAN, the source address of the multicast services, and the interfaces with active...
  • Page 117: Basic Management Tasks

    Basic Management Tasks: This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. ◆ Configuring Support for Jumbo Frames –...
  • Page 118: Displaying Hardware/Software Versions

    Chapter: Basic Management Tasks | Displaying Hardware/Software Versions. Parameters: These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. (ES3528MV: 1.3.6.1.4.1.259.10.1.22.101; ES3528MV-DC: 1.3.6.1.4.1.259.10.1.22.102) ◆...
  • Page 119 Chapter: Basic Management Tasks | Displaying Hardware/Software Versions. Parameters: The following parameters are displayed: Main Board Information: ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board. ◆ Main Power Status –...
  • Page 120: Configuring Support For Jumbo Frames

    Chapter: Basic Management Tasks | Configuring Support for Jumbo Frames. Configuring Support for Jumbo Frames: Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
  • Page 121: Displaying Bridge Extension Capabilities

    Chapter: Basic Management Tasks | Displaying Bridge Extension Capabilities. Displaying Bridge Extension Capabilities: Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 122: Managing System Files

    Chapter: Basic Management Tasks | Managing System Files. Web Interface: To view Bridge Extension information: Click System, then Capability. Figure 6: Displaying Bridge Extension Configuration. Managing System Files: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Use the System >...
  • Page 123 Chapter: Basic Management Tasks | Managing System Files. Parameters: The following parameters are displayed: ◆ Copy Type – The firmware copy operation includes these options: ■ FTP Upgrade – Copies a file from an FTP server to the switch. ■ FTP Download – Copies a file from the switch to an FTP server. ■...
  • Page 124: Saving The Running Configuration To A Local File

    Chapter: Basic Management Tasks | Managing System Files. Set the file type to Operation Code. Enter the name of the file to download. Select a file on the switch to overwrite or specify a new file name. Then click Apply. Figure 7: Copy Firmware. If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System >...
  • Page 125: Setting The Start-Up File

    Chapter: Basic Management Tasks | Managing System Files. The maximum number of user-defined configuration files is limited only by available flash memory space. Web Interface: To save the running configuration file: Click System, then File. Select Copy from the Action list. Select Running-Config from the Copy Type list.
  • Page 126: Showing System Files

    Chapter: Basic Management Tasks | Managing System Files. Figure 9: Setting Start-Up Files. To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Showing System Files: Use the System > File (Show) page to show the files in the system directory, or to delete a file.
  • Page 127: Automatic Operation Code Upgrade

    NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the same directory, es3528mv2.bix and ES3528MV2.bix are considered to be unique files. Thus, if the upgrade file is stored as ES3528MV2.bix (or even Es3528mv2.bix) on a case-sensitive server, then the switch (requesting es3528mv2.bix) will...
  • Page 128 ◆ Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The es3528mv2.bix filename must not be included since it is automatically appended by the switch. (Options: ftp, tftp)
  • Page 129 Chapter: Basic Management Tasks | Managing System Files. ftp://[username[:password@]]host[/filedir]/ ■ ftp:// – Defines FTP protocol for the server connection. ■ username – Defines the user name for the FTP connection. If the user name is omitted, then “anonymous” is the assumed user name for the connection.
  • Page 130 Chapter: Basic Management Tasks | Managing System Files. ftp://switches:upgrade@192.168.0.1/switches/opcode/ ■ The user name is “switches” and the password is “upgrade”. The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the FTP root. Web Interface: To configure automatic code upgrade: Click System, then File.
  • Page 131: Setting The System Clock

    Chapter: Basic Management Tasks | Setting the System Clock. Setting the System Clock: Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 132: Setting The Sntp Polling Interval

    Chapter: Basic Management Tasks | Setting the System Clock. Figure 12: Manually Setting the System Clock. Setting the SNTP Polling Interval: Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI R...
  • Page 133: Configuring Ntp

    Chapter: Basic Management Tasks | Setting the System Clock. Figure 13: Setting the Polling Interval for SNTP. Configuring NTP: Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
  • Page 134: Configuring Time Servers

    Chapter: Basic Management Tasks | Setting the System Clock. Figure 14: Configuring NTP. Configuring Time Servers: Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
  • Page 135 Chapter: Basic Management Tasks | Setting the System Clock. Figure 15: Specifying SNTP Time Servers. Specifying NTP Time Servers: Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers. CLI References: "ntp server"...
  • Page 136 Chapter: Basic Management Tasks | Setting the System Clock. Figure 16: Adding an NTP Time Server. To show the list of configured NTP time servers: Click System, then Time. Select Configure Time Server from the Step list. Select Show NTP Server from the Action list. Figure 17: Showing the NTP Time Server List. Specifying NTP A...
  • Page 137 Chapter: Basic Management Tasks | Setting the System Clock. Web Interface: To add an entry to the NTP authentication key list: Click System, then Time. Select Configure Time Server from the Step list. Select Add NTP Authentication Key from the Action list. Enter the index number and MD5 authentication key string.
  • Page 138: Setting The Time Zone

    Chapter: Basic Management Tasks | Setting the System Clock. Setting the Time Zone: Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 139: Configuring The Console Port

    Chapter: Basic Management Tasks | Configuring the Console Port. Configuring the Console Port: Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 140: Configuring Telnet Settings

    Chapter: Basic Management Tasks | Configuring Telnet Settings. The password for the console connection can only be configured through the CLI (see "password" on page 733). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
  • Page 141 Chapter: Basic Management Tasks | Configuring Telnet Settings. Parameters: The following parameters are displayed: ◆ Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled) ◆ TCP Port – Sets the TCP port number for Telnet on the switch. (Range: 1-65535;...
  • Page 142: Displaying Cpu Utilization

    Chapter: Basic Management Tasks | Displaying CPU Utilization. Figure 22: Telnet Connection Settings. Displaying CPU Utilization: Use the System > CPU Utilization page to display information on CPU utilization. CLI References: ◆ "show process cpu" on page 711. Parameters: The following parameters are displayed: ◆...
  • Page 143: Displaying Memory Utilization

    Chapter: Basic Management Tasks | Displaying Memory Utilization. Figure 23: Displaying CPU Utilization. Displaying Memory Utilization: Use the System > Memory Status page to display memory utilization parameters. CLI References: ◆ "show memory" on page 710. Parameters: The following parameters are displayed: ◆...
  • Page 144: Resetting The System

    Chapter: Basic Management Tasks | Resetting the System. Resetting the System: Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI References: ◆ "reload (Privileged Exec)" on page 696...
  • Page 145 Chapter: Basic Management Tasks | Resetting the System. At – Specifies a time at which to reload the switch. ■ DD - The day of the month at which to reload. (Range: 01-31) ■ MM - The month at which to reload. (Range: 01-12) ■...
  • Page 146 Chapter: Basic Management Tasks | Resetting the System. Figure 25: Restarting the Switch (Immediately). Figure 26: Restarting the Switch (In).
  • Page 147 Chapter: Basic Management Tasks | Resetting the System. Figure 27: Restarting the Switch (At). Figure 28: Restarting the Switch (Regularly).
  • Page 149: Interface Configuration

    Interface Configuration: This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
  • Page 150: Port Configuration

    Chapter: Interface Configuration | Port Configuration. Port Configuration: This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. Configuring by Port List: Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 151 Chapter: Interface Configuration | Port Configuration. ◆ Media Type – Configures the forced/preferred port type to use for the combination ports (Ports 25-28). ■ Copper-Forced - Always uses the built-in RJ-45 port. ■ SFP-Forced 100FX - Always uses 100BASE-FX mode. ■ SFP-Forced 1000SFP - Always uses 1000BASE SFP mode.
  • Page 152: Configuring By Port Range

    Chapter: Interface Configuration | Port Configuration. Modify the required interface settings. Click Apply. Figure 29: Configuring Connections by Port List. Configuring by Port Range: Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 153: Displaying Connection Status

    Chapter: Interface Configuration | Port Configuration. Figure 30: Configuring Connections by Port Range. Displaying Connection Status: Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI References: "show interfaces status"...
  • Page 154: Configuring Local Port Mirroring

    Chapter: Interface Configuration | Port Configuration. Figure 31: Displaying Port Information. Configuring Local Port Mirroring: Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 155 Chapter: Interface Configuration | Port Configuration. ◆ The destination port cannot be a trunk or trunk member port. ◆ Note that Spanning Tree BPDU packets are not mirrored to the target port. Parameters: These parameters are displayed: ◆ Source Port – The port whose traffic will be monitored. ◆ Target Port –...
  • Page 156: Configuring Remote Port Mirroring

    Chapter: Interface Configuration | Port Configuration. Figure 34: Displaying Local Port Mirror Sessions. Configuring Remote Port Mirroring: Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports for each session over a user-specified VLAN...
  • Page 157 Chapter: Interface Configuration | Port Configuration. Configuration Guidelines: ◆ Take the following steps to configure an RSPAN session: Use the VLAN Static List (see "Configuring VLAN Groups" on page 196) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN”...
  • Page 158 Chapter: Interface Configuration | Port Configuration. ■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
  • Page 159 Chapter: Interface Configuration | Port Configuration. ◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
  • Page 160: Showing Port Or Trunk Statistics

    Chapter: Interface Configuration | Port Configuration. Figure 38: Configuring Remote Port Mirroring (Destination). Showing Port or Trunk Statistics: Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 161 Chapter: Interface Configuration | Port Configuration. Table 7: Port Statistics (Continued). Transmitted Errors – The number of outbound packets that could not be transmitted because of errors. Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
  • Page 162 Chapter: Interface Configuration | Port Configuration. Table 7: Port Statistics (Continued). Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
  • Page 163 Chapter: Interface Configuration | Port Configuration. Web Interface: To show a list of port statistics: Click Interface, Port, Statistics. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization). Select a port from the drop-down list. Use the Refresh button at the bottom of the page if you need to update the screen.
  • Page 164: Displaying Transceiver Data

    Chapter: Interface Configuration | Port Configuration. Figure 40: Showing Port Statistics (Chart). Displaying Transceiver Data: Use the Interface > Port > Transceiver page to display identifying information, and operational for optical transceivers which support Digital Diagnostic Monitoring (DDM). CLI References: "show interfaces transceiver"...
  • Page 165: Configuring Transceiver Thresholds

    Chapter: Interface Configuration | Port Configuration. The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
  • Page 166 Chapter: Interface Configuration | Port Configuration. ◆ "transceiver-threshold temperature" on page 993 ◆ "transceiver-threshold tx-power" on page 994 ◆ "transceiver-threshold voltage" on page 995 ◆ "show interfaces transceiver-threshold" on page 997. Parameters: These parameters are displayed: ◆ Port – Port number. (Range: 1-28) ◆ General –...
  • Page 167 Chapter: Interface Configuration | Port Configuration. The threshold value for Rx and Tx power is calculated as the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). Threshold values for alarm and warning messages can be configured as described below.
  • Page 168: Performing Cable Diagnostics

    Chapter: Interface Configuration | Port Configuration. Figure 42: Configuring Transceiver Thresholds. Performing Cable Diagnostics: Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 169 Chapter: Interface Configuration | Port Configuration. Parameters: These parameters are displayed: ◆ Port – Switch port identifier. ◆ Type – Displays media type. (FE – Fast Ethernet, GE – Gigabit Ethernet) ◆ Link Status – Shows if the port link is up or down. ◆...
  • Page 170: Trunk Configuration

    Chapter: Interface Configuration | Trunk Configuration. Trunk Configuration: This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 171: Configuring A Static Trunk

    Chapter: Interface Configuration | Trunk Configuration. Configuring a Static Trunk: Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters. Figure 44: Configuring Static Trunks (statically configured active links). CLI References: "Link Aggregation Commands"...
  • Page 172 Chapter: Interface Configuration | Trunk Configuration. Set the unit and port for the initial trunk member. Click Apply. Figure 45: Creating Static Trunks. To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list.
  • Page 173: Configuring A Dynamic Trunk

    Chapter: Interface Configuration | Trunk Configuration. Figure 47: Configuring Connection Parameters for a Static Trunk. To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 48: Showing Information for Static Trunks. Use the Interface >...
  • Page 174 Chapter: Interface Configuration | Trunk Configuration. CLI References: ◆ "Link Aggregation Commands" on page 1003. Command Usage: ◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
  • Page 175 Chapter: Interface Configuration | Trunk Configuration. transmit LACPDU interval to 1 second. When it receives an LACPDU set with a long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds. If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group.
  • Page 176 Chapter: Interface Configuration | Trunk Configuration. Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port. Configuring the port partner sets the remote side of an aggregate link;...
  • Page 177 Chapter: Interface Configuration | Trunk Configuration. Figure 51: Enabling LACP on a Port. To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings.
  • Page 178 Chapter: Interface Configuration | Trunk Configuration. Figure 53: Showing Members of a Dynamic Trunk. To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Configure from the Action List. Modify the required interface settings. (See "Configuring by Port List"...
  • Page 179: Displaying LACP Port Counters

    | Interface Configuration, Trunk Configuration: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI References: ◆ "show lacp" on page 1012...
  • Page 180: Displaying LACP Settings and Status for the Local Side

    | Interface Configuration, Trunk Configuration: Figure 56: Displaying LACP Port Counters. Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI References...
  • Page 181 | Interface Configuration, Trunk Configuration: Table 9: LACP Internal Configuration Information (Continued) (Parameter / Description): Admin State, Oper State (continued) – ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆ Long timeout – Periodic transmission of LACPDUs uses a slow...
  • Page 182: Displaying LACP Settings and Status for the Remote Side

    | Interface Configuration, Trunk Configuration: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation. CLI References...
  • Page 183: Configuring Load Balancing

    | Interface Configuration, Trunk Configuration: Figure 58: Displaying LACP Port Remote Information. Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. CLI References: ◆ "port channel load-balance" on page 1004...
  • Page 184 | Interface Configuration, Trunk Configuration: ...trunk. This mode works best for switch-to-router trunk links where traffic through the switch is received from and destined for many different hosts. ■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk.
  • Page 185: Saving Power

    | Interface Configuration, Saving Power: Figure 59: Configuring Load Balancing. Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI References: ◆ "power-save" on page 1000 ◆ "show power-save" on page 1001...
  • Page 186 | Interface Configuration, Saving Power: Power savings can only be implemented on Gigabit Ethernet ports when using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps and the line length is less than 60 meters.
  • Page 187: Traffic Segmentation

    | Interface Configuration, Traffic Segmentation: If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 188: Configuring Uplink and Downlink Ports

    | Interface Configuration, Traffic Segmentation: Figure 61: Enabling Traffic Segmentation. Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 189 | Interface Configuration, Traffic Segmentation: ...assigned downlink ports will not be able to communicate with any other ports. ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. Parameters: These parameters are displayed: Session ID –...
  • Page 190: VLAN Trunking

    | Interface Configuration, VLAN Trunking: To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list. Figure 63: Showing Traffic Segmentation Members. VLAN Trunking: Use the Interface >...
  • Page 191 | Interface Configuration, VLAN Trunking: ...connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
  • Page 192 | Interface Configuration, VLAN Trunking: Figure 65: Configuring VLAN Trunking...
  • Page 193: VLAN Configuration

    VLAN Configuration: This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 194 | VLAN Configuration, IEEE 802.1Q VLANs: VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.
  • Page 195 | VLAN Configuration, IEEE 802.1Q VLANs: VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 196: Configuring VLAN Groups

    | VLAN Configuration, IEEE 802.1Q VLANs: Figure 67: Using GVRP [figure labels: Port-based VLAN, ports 10, 11, 15, 16, Forwarding Tagged/Untagged Frames]. If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 197 | VLAN Configuration, IEEE 802.1Q VLANs: ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 156). Modify: ◆ VLAN ID – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters)....
  • Page 198: Adding Static Members to VLANs

    | VLAN Configuration, IEEE 802.1Q VLANs: To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 199 | VLAN Configuration, IEEE 802.1Q VLANs: CLI References: ◆ "Configuring VLAN Interfaces" on page 1133 ◆ "Displaying VLAN Information" on page 1139. Parameters: These parameters are displayed: Edit Member by VLAN: ◆ VLAN – ID of configured VLAN (1-4094)....
  • Page 200 | VLAN Configuration, IEEE 802.1Q VLANs: ■ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 201 | VLAN Configuration, IEEE 802.1Q VLANs: Web Interface: To configure static members by the VLAN index: Click VLAN, Static. Select Edit Member by VLAN from the Action list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required. Click Apply.
  • Page 202 | VLAN Configuration, IEEE 802.1Q VLANs: Figure 72: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Action list. Set the Interface type to display as Port or Trunk. Enter an interface range.
  • Page 203: Configuring Dynamic VLAN Registration

    | VLAN Configuration, IEEE 802.1Q VLANs: Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. CLI References: ◆ "GVRP and Bridge Extension Commands" on page 1126...
  • Page 204 | VLAN Configuration, IEEE 802.1Q VLANs: Show Dynamic VLAN – Show VLAN: VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled) Show Dynamic VLAN –...
  • Page 205 | VLAN Configuration, IEEE 802.1Q VLANs: Figure 75: Configuring GVRP for an Interface. To show the dynamic VLAN joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 76: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic.
  • Page 206: IEEE 802.1Q Tunneling

    | VLAN Configuration, IEEE 802.1Q Tunneling: IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 207 | VLAN Configuration, IEEE 802.1Q Tunneling: Figure 78: QinQ Operational Concept [figure labels: Customer A (VLANs 1-10) on either side, QinQ Tunneling, Service Provider VLAN 10, edge switch A, edge switch B, Tunnel Access Port, Tunnel...]
  • Page 208 | VLAN Configuration, IEEE 802.1Q Tunneling: Layer 2 Flow for Packets Coming into a Tunnel Uplink Port. An uplink port receives one of the following packets: ◆ Untagged ◆ One tag (CVLAN or SPVLAN) ◆ Double tag (CVLAN + SPVLAN)...
  • Page 209 | VLAN Configuration, IEEE 802.1Q Tunneling: Configuration Limitations for QinQ: ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
  • Page 210: Enabling QinQ Tunneling on the Switch

    | VLAN Configuration, IEEE 802.1Q Tunneling: Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
  • Page 211: Creating CVLAN to SPVLAN Mapping Entries

    | VLAN Configuration, IEEE 802.1Q Tunneling: Figure 79: Enabling QinQ Tunneling. Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry. CLI References: ◆ "switchport dot1q-tunnel service match cvid" on page 1143...
  • Page 212 | VLAN Configuration, IEEE 802.1Q Tunneling: ◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094) Web Interface: To configure a mapping entry: Click VLAN, Tunnel. Select Configure Service from the Step list. Select Add from the Action list. Select an interface from the Port list.
  • Page 213: Adding an Interface to a QinQ Tunnel

    | VLAN Configuration, IEEE 802.1Q Tunneling: The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the switchport dot1q-tunnel service match cvid command.
  • Page 214: Protocol VLANs

    | VLAN Configuration, Protocol VLANs: Click Apply. Figure 82: Adding an Interface to a QinQ Tunnel. Protocol VLANs: The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 215: Configuring Protocol VLAN Groups

    | VLAN Configuration, Protocol VLANs: Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. CLI References: ◆ "protocol-vlan protocol-group (Configuring Groups)" on page 1154. Parameters: These parameters are displayed: ◆...
  • Page 216: Mapping Protocol Groups to Interfaces

    | VLAN Configuration, Protocol VLANs: Figure 83: Configuring Protocol VLANs. To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 84: Displaying Protocol VLANs. Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the...
  • Page 217 | VLAN Configuration, Protocol VLANs: ◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: ■ If the frame is tagged, it will be processed according to the standard...
  • Page 218 | VLAN Configuration, Protocol VLANs: Figure 85: Assigning Interfaces to Protocol VLANs. To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Show from the Action list. Select a port or trunk.
  • Page 219: Configuring IP Subnet VLANs

    | VLAN Configuration, Configuring IP Subnet VLANs: Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 220 | VLAN Configuration, Configuring IP Subnet VLANs: Web Interface: To map an IP subnet to a VLAN: Click VLAN, IP Subnet. Select Add from the Action list. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field.
  • Page 221: Configuring MAC-Based VLANs

    | VLAN Configuration, Configuring MAC-Based VLANs: Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to their source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 222: Configuring VLAN Mirroring

    | VLAN Configuration, Configuring VLAN Mirroring: Click Apply. Figure 89: Configuring MAC-Based VLANs. To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 90: Showing MAC-Based VLANs. Configuring VLAN Mirroring: Use the VLAN >...
  • Page 223 | VLAN Configuration, Configuring VLAN Mirroring: ◆ When VLAN mirroring and port mirroring are both enabled, the target port can receive a mirrored packet twice; once from the source mirror port and again from the source mirrored VLAN. ◆ The target port receives traffic from all monitored source VLANs and...
  • Page 224: Configuring VLAN Translation

    | VLAN Configuration, Configuring VLAN Translation: To show the VLANs to be mirrored: Click VLAN, Mirror. Select Show from the Action list. Figure 92: Showing the VLANs to Mirror. Configuring VLAN Translation: Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.
  • Page 225 | VLAN Configuration, Configuring VLAN Translation: ◆ If VLAN translation is set on an interface, and the same interface is also configured as a QinQ access port on the VLAN > Tunnel (Configure Interface) page, VLAN tag assignments will be determined by the QinQ process, not by VLAN translation.
  • Page 226 | VLAN Configuration, Configuring VLAN Translation...
  • Page 227: Address Table Settings

    Address Table Settings: Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 228 | Address Table Settings, Configuring MAC Address Learning: ◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist: ■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 386).
  • Page 229: Setting Static Addresses

    | Address Table Settings, Setting Static Addresses: Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 230 | Address Table Settings, Setting Static Addresses: Web Interface: To configure a static MAC address: Click MAC Address, Static. Select Add from the Action list. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry. Click Apply.
  • Page 231: Changing the Aging Time

    | Address Table Settings, Changing the Aging Time: Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information. CLI References: ◆...
  • Page 232: Displaying the Dynamic Address Table

    | Address Table Settings, Displaying the Dynamic Address Table: Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 233: Clearing the Dynamic Address Table

    | Address Table Settings, Clearing the Dynamic Address Table: Figure 100: Displaying the Dynamic MAC Address Table. Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. CLI References: "clear mac-address-table dynamic"...
  • Page 234: Configuring MAC Address Mirroring

    | Address Table Settings, Configuring MAC Address Mirroring: Figure 101: Clearing Entries in the Dynamic MAC Address Table. Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis.
  • Page 235 | Address Table Settings, Configuring MAC Address Mirroring: ◆ Target Port – The port that will mirror the traffic from the source port. (Range: 1-28) Web Interface: To mirror packets based on a MAC address: Click MAC Address, Mirror. Select Add from the Action list. Specify the source MAC address and destination port.
  • Page 236 | Address Table Settings, Configuring MAC Address Mirroring...
  • Page 237: Spanning Tree Algorithm

    Spanning Tree Algorithm: This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA,...
  • Page 238 | Spanning Tree Algorithm, Overview: ...lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 104: STP Root Ports and Designated Ports [figure labels: Designated, Root...]
  • Page 239 | Spanning Tree Algorithm, Overview: Figure 105: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree [figure labels: MST 1 (for this Region), Region R, MST 2]. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 240: Configuring Loopback Detection

    | Spanning Tree Algorithm, Configuring Loopback Detection: Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 241 | Spanning Tree Algorithm, Configuring Loopback Detection: ◆ Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds; Default: 60 seconds) If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.
  • Page 242: Configuring Global Settings for STA

    | Spanning Tree Algorithm, Configuring Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. CLI References: ◆...
  • Page 243 | Spanning Tree Algorithm, Configuring Global Settings for STA: ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
  • Page 244 | Spanning Tree Algorithm, Configuring Global Settings for STA: Advanced Configuration Settings: The following attributes are based on RSTP, but also apply to STP since the switch uses a backwards-compatible subset of RSTP to implement STP, and also apply to MSTP which is based on RSTP according to the standard: Path Cost Method –...
  • Page 245 | Spanning Tree Algorithm, Configuring Global Settings for STA: RSTP does not depend on the forward delay timer in most cases. It is able to confirm that a port can transition to the forwarding state without having to rely on any timer configuration. To achieve fast convergence, RSTP relies on the use of edge ports, and automatic detection of point-to-point link types, both of which allow a port to directly transition to the forwarding state.
  • Page 246 | Spanning Tree Algorithm, Configuring Global Settings for STA: Figure 108: Configuring Global Settings for STA (STP). Figure 109: Configuring Global Settings for STA (RSTP)...
  • Page 247: Displaying Global Settings for STA

    | Spanning Tree Algorithm, Displaying Global Settings for STA: Figure 110: Configuring Global Settings for STA (MSTP). Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 248: Configuring Interface Settings for STA

    | Spanning Tree Algorithm, Configuring Interface Settings for STA: ◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 249: Table 12: Recommended STA Path Cost Range

    | Spanning Tree Algorithm, Configuring Interface Settings for STA: CLI References: ◆ "Spanning Tree Commands" on page 1065. Parameters: These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Spanning Tree – Enables/disables STA on this interface....
  • Page 250: Table 13: Default STA Path Costs

    | Spanning Tree Algorithm, Configuring Interface Settings for STA: Table 13: Default STA Path Costs (Port Type: IEEE 802.1D-1998 / IEEE 802.1w-2001) – Ethernet: 65,535 / 1,000,000; Fast Ethernet: 65,535 / 100,000; Gigabit Ethernet: 10,000 / 10,000. ◆ Admin Link Type – The link type attached to this interface....
  • Page 251 | Spanning Tree Algorithm, Configuring Interface Settings for STA: An interface cannot function as an edge port under the following conditions: ■ If spanning tree mode is set to STP (page 242), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  • Page 252: Displaying Interface Settings for STA

    | Spanning Tree Algorithm, Displaying Interface Settings for STA: Figure 112: Configuring Interface Settings for STA. Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: ◆...
  • Page 253 | Spanning Tree Algorithm, Displaying Interface Settings for STA: The rules defining port status are: ■ A port on a network segment with no other STA compliant bridging device is always forwarding. ■ If two ports of a switch are connected to the same segment and...
  • Page 254 | Spanning Tree Algorithm, Displaying Interface Settings for STA: Figure 113: STA Port Roles [figure legend: R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port. An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.]
  • Page 255: Configuring Multiple Spanning Trees

    | Spanning Tree Algorithm, Configuring Multiple Spanning Trees: Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: ◆ "Spanning Tree Commands" on page 1065...
  • Page 256 | Spanning Tree Algorithm, Configuring Multiple Spanning Trees: Web Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 257 | Spanning Tree Algorithm, Configuring Multiple Spanning Trees: To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP instance. Click Apply.
  • Page 258 | Spanning Tree Algorithm, Configuring Multiple Spanning Trees: To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 259: Configuring Interface Settings for MSTP

    | Spanning Tree Algorithm, Configuring Interface Settings for MSTP: Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI References: ◆ "Spanning Tree Commands" on page 1065...
  • Page 260 | Spanning Tree Algorithm, Configuring Interface Settings for MSTP: The recommended range is listed in Table 12 on page 249. The default path costs are listed in Table 13 on page 250. Web Interface: To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP.
  • Page 261: Congestion Control

    Congestion Control: The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 262: Storm Control

    | Congestion Control, Storm Control: ◆ Rate – Sets the rate limit level. (Range: 64 - 100,000 kbits per second for Fast Ethernet ports; 64 - 1,000,000 kbits per second for Gigabit Ethernet ports) Web Interface: To configure rate limits: Click Traffic, Rate Limit.
  • Page 263 | Congestion Control, Storm Control: ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using Storm...
  • Page 264: Automatic Traffic Control

    | Congestion Control, Automatic Traffic Control: Figure 124: Configuring Storm Control. Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. CLI References: "Automatic Traffic Control Commands"...
  • Page 265 | Congestion Control, Automatic Traffic Control: The key elements of this diagram are described below: ◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it. ◆ When traffic exceeds the alarm fire threshold and the apply timer...
  • Page 266: Setting the ATC Timers

    | Congestion Control, Automatic Traffic Control: Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
  • Page 267: Configuring ATC Thresholds and Responses

    | Congestion Control, Automatic Traffic Control: Figure 127: Configuring ATC Timers. Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
  • Page 268 | Congestion Control, Automatic Traffic Control: ◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires, as illustrated in Figure 125 on page 264.
  • Page 269 | Congestion Control, Automatic Traffic Control: Web Interface: To configure the response timers for automatic storm control: Click Traffic, Automatic Storm Control. Select Configure Interface from the Step field. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
  • Page 270 | Congestion Control, Automatic Traffic Control...
  • Page 271: Class of Service

    Class of Service: Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 272: Selecting The Queue Mode

    | Class of Service HAPTER Layer 2 Queue Settings frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. If the output port is an untagged member of the associated VLAN, ◆...
  • Page 273 | Class of Service HAPTER Layer 2 Queue Settings OMMAND SAGE ◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. WRR queuing specifies a relative weight for each queue. WRR uses a ◆...
  • Page 274 | Class of Service HAPTER Layer 2 Queue Settings NTERFACE To configure the queue mode: Click Traffic, Priority, Queue. Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling strict mode parameter in the table.
  • Page 275: Mapping Cos Values To Egress Queues

    | Chapter: Class of Service | Layer 2 Queue Settings Figure 132: Setting the Queue Mode (Strict and WRR) MAPPING COS VALUES TO EGRESS QUEUES Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are...
  • Page 276: Table 16: Mapping Internal Per-Hop Behavior To Hardware Queues

    | Chapter: Class of Service | Layer 2 Queue Settings Table 15: CoS Priority Levels (Continued) – Priority Level | Traffic Type: Controlled Load; Video, less than 100 milliseconds latency and jitter; Voice, less than 10 milliseconds latency and jitter; Network Control. CLI REFERENCES ◆...
  • Page 277 | Chapter: Class of Service | Layer 2 Queue Settings Figure 133: Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Select an interface. Figure 134: Showing CoS Values to Egress Queue Mapping –...
  • Page 278: Layer 3/4 Priority Settings

    | Chapter: Class of Service | Layer 3/4 Priority Settings LAYER 3/4 PRIORITY SETTINGS Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
  • Page 279: Mapping Ingress Dscp Values To Internal Dscp Values

    | Chapter: Class of Service | Layer 3/4 Priority Settings PARAMETERS These parameters are displayed: ◆ Trust Mode ■ CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.) ■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code...
  • Page 280: Table 17: Default Mapping Of Dscp Values To Internal Phb/Drop Values

    | Chapter: Class of Service | Layer 3/4 Priority Settings ◆ This map is only used when the priority mapping mode is set to DSCP (see page 278), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch unless the trust mode has been set to DSCP.
  • Page 281 | Chapter: Class of Service | Layer 3/4 Priority Settings WEB INTERFACE To map DSCP values to internal PHB/drop precedence: Click Traffic, Priority, DSCP to DSCP. Select Configure from the Action list. Select a port. Set the PHB and drop precedence for any DSCP value. Click Apply.
  • Page 282: Mapping Cos Priorities To Internal Dscp Values

    | Chapter: Class of Service | Layer 3/4 Priority Settings MAPPING COS PRIORITIES TO INTERNAL DSCP VALUES Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. CLI REFERENCES...
  • Page 283: Table 18: Default Mapping Of Cos/Cfi To Internal Phb/Drop Precedence

    | Chapter: Class of Service | Layer 3/4 Priority Settings Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence: (0,0) (0,0); (1,0) (1,0); (2,0) (2,0); (3,0) (3,0); (4,0) (4,0); (5,0) (5,0); (6,0) (6,0); (7,0) (7,0). WEB INTERFACE To map CoS/CFI values to internal PHB/drop precedence: Click Traffic, Priority, CoS to DSCP.
  • Page 284 | Chapter: Class of Service | Layer 3/4 Priority Settings To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Select a port. Figure 139: Showing CoS to DSCP Internal Mapping –...
  • Page 285: Quality Of Service

    QUALITY OF SERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 286: Configuring A Class Map

    | Chapter: Quality of Service | Configuring a Class Map COMMAND USAGE To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
  • Page 287 | Chapter: Quality of Service | Configuring a Class Map ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the...
  • Page 288 | Chapter: Quality of Service | Configuring a Class Map To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 141: Showing Class Maps To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 289: Creating Qos Policies

    | Chapter: Quality of Service | Creating QoS Policies To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 143: Showing the Rules for a Class Map CREATING QOS POLICIES Use the Traffic >...
  • Page 290 | Chapter: Quality of Service | Creating QoS Policies ...conforming to the maximum throughput, or exceeding the maximum throughput. srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
  • Page 291 | Chapter: Quality of Service | Creating QoS Policies When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: ■ If the packet has been precolored as green and Tc(t)-B ≥ 0, the...
  • Page 292 | Chapter: Quality of Service | Creating QoS Policies ...count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode: If Tp(t)-B <...
  • Page 293 | Chapter: Quality of Service | Creating QoS Policies ◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. ◆ Action – This attribute is used to set an internal QoS value in hardware...
  • Page 294 | Chapter: Quality of Service | Creating QoS Policies ■ Violate – Specifies whether the traffic that exceeds the maximum rate (CIR) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of...
  • Page 295 | Chapter: Quality of Service | Creating QoS Policies ■ Violate – Specifies whether the traffic that exceeds the excess burst size (BE) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of...
  • Page 296 | Chapter: Quality of Service | Creating QoS Policies ■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the peak information rate (PIR) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of...
  • Page 297 | Chapter: Quality of Service | Creating QoS Policies To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 145: Showing Policy Maps To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 298 | Chapter: Quality of Service | Creating QoS Policies Figure 146: Adding Rules to a Policy Map To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 147: Showing the Rules for a Policy Map –...
  • Page 299: Attaching A Policy Map To A Port

    | Chapter: Quality of Service | Attaching a Policy Map to a Port ATTACHING A POLICY MAP TO A PORT Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port. CLI REFERENCES ◆ "Quality of Service Commands" on page 1183...
  • Page 300 | Chapter: Quality of Service | Attaching a Policy Map to a Port – 300 –...
  • Page 301: VoIP Traffic Configuration

    VOIP TRAFFIC CONFIGURATION This chapter covers the following topics: ◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VoIP...
  • Page 302: Configuring Voip Traffic

    | Chapter: VoIP Traffic Configuration | Configuring VoIP Traffic CONFIGURING VOIP TRAFFIC Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
  • Page 303: Configuring Telephony Oui

    | Chapter: VoIP Traffic Configuration | Configuring Telephony OUI Figure 149: Configuring a Voice VLAN CONFIGURING TELEPHONY OUI VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses.
  • Page 304 | Chapter: VoIP Traffic Configuration | Configuring Telephony OUI Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices. Click Apply. Figure 150: Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP.
  • Page 305: Configuring Voip Traffic Ports

    | Chapter: VoIP Traffic Configuration | Configuring VoIP Traffic Ports CONFIGURING VOIP TRAFFIC PORTS Use the Traffic > VoIP (Configure Interface) page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority. You can also enable security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN.
  • Page 306 | Chapter: VoIP Traffic Configuration | Configuring VoIP Traffic Ports ■ LLDP – Uses LLDP (IEEE 802.1AB) to discover VoIP devices attached to the port. LLDP checks that the “telephone bit” in the system capability TLV is turned on. See "Link Layer Discovery Protocol"...
  • Page 307: Security Measures

    SECURITY MEASURES You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 308: Aaa Authorization And Accounting

    | Chapter: Security Measures | AAA Authorization and Accounting ◆ IPv4 Source Guard – Filters IPv4 traffic on insecure ports for which the source address cannot be identified via either DHCPv4 snooping or static source bindings. ◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the...
  • Page 309: Configuring Local/Remote Logon Authentication

    | Chapter: Security Measures | AAA Authorization and Accounting To configure AAA on the switch, you need to follow this general process: Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 309. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
  • Page 310: Configuring Remote Logon Authentication Servers

    | Chapter: Security Measures | AAA Authorization and Accounting ■ Local – User authentication is performed only locally by the switch. ■ RADIUS – User authentication is performed using a RADIUS server only. ■ TACACS – User authentication is performed using a TACACS+...
  • Page 311 | Chapter: Security Measures | AAA Authorization and Accounting RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a more reliable connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
  • Page 312 | Chapter: Security Measures | AAA Authorization and Accounting ■ Authentication Timeout – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) ■ Authentication Retries – Number of times the switch tries to...
  • Page 313 | Chapter: Security Measures | AAA Authorization and Accounting Configure Group ◆ Server Type – Select RADIUS or TACACS+ server. ◆ Group Name – Defines a name for the RADIUS or TACACS+ server group. (Range: 1-64 characters) ◆ Sequence at Priority – Specifies the server and sequence to use for...
  • Page 314 | Chapter: Security Measures | AAA Authorization and Accounting Figure 156: Configuring Remote Authentication Server (TACACS+) To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list.
  • Page 315: Configuring Aaa Accounting

    | Chapter: Security Measures | AAA Authorization and Accounting To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 158: Showing AAA Server Groups Use the Security >...
  • Page 316 | Chapter: Security Measures | AAA Authorization and Accounting ■ Exec – Administrative accounting for local console, Telnet, or SSH connections. ◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined.
  • Page 317 | Chapter: Security Measures | AAA Authorization and Accounting Show Information – Summary ◆ Accounting Type – Displays the accounting service. ◆ Method Name – Displays the user-defined or default accounting method. ◆ Server Group Name – Displays the accounting server group. ◆...
  • Page 318 | Chapter: Security Measures | AAA Authorization and Accounting To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list. Select the accounting type (802.1X, Command, Exec).
  • Page 319 | Chapter: Security Measures | AAA Authorization and Accounting Figure 161: Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list.
  • Page 320 | Chapter: Security Measures | AAA Authorization and Accounting Figure 163: Configuring AAA Accounting Service for Command Service Figure 164: Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting.
  • Page 321: Configuring Aaa Authorization

    | Chapter: Security Measures | AAA Authorization and Accounting To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Statistics. Figure 166: Displaying Statistics for AAA Accounting Sessions Use the Security >...
  • Page 322 | Chapter: Security Measures | AAA Authorization and Accounting ...other group name refers to a server group configured on the TACACS+ Group Settings page. Authorization is only supported for TACACS+ servers. Configure Service ◆ Authorization Type – Specifies the service as Exec, indicating...
  • Page 323 | Chapter: Security Measures | AAA Authorization and Accounting To show the authorization method applied to the EXEC service type and the assigned server group: Click Security, AAA, Authorization. Select Configure Method from the Step list. Select Show from the Action list. Figure 168: Showing AAA Authorization Methods To configure the authorization method applied to local console, Telnet, or SSH connections:...
  • Page 324: Configuring User Accounts

    | Chapter: Security Measures | Configuring User Accounts To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization. Select Show Information from the Step list. Figure 170: Displaying the Applied AAA Authorization Method CONFIGURING USER ACCOUNTS Use the Security >...
  • Page 325 | Chapter: Security Measures | Configuring User Accounts ■ Plain Password – Plain text unencrypted password. ■ Encrypted Password – Encrypted password. The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP or FTP server.
  • Page 326: Web Authentication

    | Chapter: Security Measures | Web Authentication Figure 172: Showing User Accounts WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.
  • Page 327: Configuring Interface Settings For Web Authentication

    | Chapter: Security Measures | Web Authentication ◆ Session Timeout – Configures how long an authenticated session stays active before it must re-authenticate itself. (Range: 300-3600 seconds; Default: 3600 seconds) ◆ Quiet Period – Configures how long a host must wait to attempt...
  • Page 328: Configuring Interface Settings For Web Authentication

    | Chapter: Security Measures | Web Authentication ◆ Host IP Address – Indicates the IP address of each connected host. ◆ Remaining Session Time – Indicates the remaining time until the current authorization session for the host expires. ◆ Apply – Enables web authentication if the Status box is checked. ...
  • Page 329: Network Access (Mac Address Authentication)

    | Chapter: Security Measures | Network Access (MAC Address Authentication) NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
  • Page 330: Table 19: Dynamic Qos Profiles

    | Chapter: Security Measures | Network Access (MAC Address Authentication) ◆ The RADIUS server may optionally return a VLAN identifier list to be applied to the switch port. The following attributes need to be configured on the RADIUS server: ■ Tunnel-Type = VLAN ...
  • Page 331: Configuring Global Settings For Network Access

    | Chapter: Security Measures | Network Access (MAC Address Authentication) ■ The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (the whole Filter-ID attribute cannot be recognized). ◆ Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur: ■ Illegal characters found in a profile value (for example, a non-digital...
  • Page 332: Configuring Network Access For Ports

    | Chapter: Security Measures | Network Access (MAC Address Authentication) ...port remains unaffected. (Range: 120-1000000 seconds; Default: 1800 seconds) WEB INTERFACE To configure aging status and reauthentication time for MAC address authentication: Click Security, Network Access. Select Configure Global from the Step list. Enable or disable aging for secure addresses, and modify the reauthentication time as required.
  • Page 333 | Chapter: Security Measures | Network Access (MAC Address Authentication) ...the Network Access process described in this section. (Range: 1-1024; Default: 1024) ◆ Network Access Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication (including Network Access and IEEE 802.1X).
  • Page 334: Configuring Port Link Detection

    | Chapter: Security Measures | Network Access (MAC Address Authentication) ...supported, the guest VLAN to use when MAC Authentication or 802.1X Authentication fails, and the dynamic VLAN and QoS assignments. Click Apply. Figure 176: Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTION Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event...
  • Page 335: Configuring A MAC Address Filter

    | Chapter: Security Measures | Network Access (MAC Address Authentication) WEB INTERFACE To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
  • Page 336 | Chapter: Security Measures | Network Access (MAC Address Authentication) ◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 337: Displaying Secure Mac Address Information

    | Chapter: Security Measures | Network Access (MAC Address Authentication) DISPLAYING SECURE MAC ADDRESS INFORMATION Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed, and selected entries can be removed from the table.
  • Page 338: Configuring Https

    | Chapter: Security Measures | Configuring HTTPS Figure 180: Showing Addresses Authenticated for Network Access CONFIGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Sockets Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 339: Table 20: Https System Support

    | Chapter: Security Measures | Configuring HTTPS ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions. ◆ The following web browsers and operating systems currently support...
  • Page 340: Replacing The Default Secure-Site Certificate

    | Chapter: Security Measures | Configuring HTTPS Figure 181: Configuring HTTPS REPLACING THE DEFAULT SECURE-SITE CERTIFICATE Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 341 | Chapter: Security Measures | Configuring HTTPS ◆ Private Key Source File Name – Name of private key file stored on the TFTP server. ◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 342: Configuring The Secure Shell

    | Chapter: Security Measures | Configuring the Secure Shell CONFIGURING THE SECURE SHELL The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 343 | Chapter: Security Measures | Configuring the Secure Shell Import Client’s Public Key to the Switch – See "Importing User Public Keys" on page 347, or use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch.
  • Page 344: Configuring The Ssh Server

    | Chapter: Security Measures | Configuring the Secure Shell If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 345 | Chapter: Security Measures | Configuring the Secure Shell ◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. ◆ Authentication Timeout – Specifies the time interval in seconds that...
  • Page 346: Generating The Host Key Pair

    | Chapter: Security Measures | Configuring the Secure Shell GENERATING THE HOST KEY PAIR Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public...
  • Page 347: Importing User Public Keys

    | Chapter: Security Measures | Configuring the Secure Shell Figure 184: Generating the SSH Host Key Pair To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
  • Page 348 | Chapter: Security Measures | Configuring the Secure Shell PARAMETERS These parameters are displayed: ◆ User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
  • Page 349: Access Control Lists

    | Chapter: Security Measures | Access Control Lists To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
  • Page 350 | Chapter: Security Measures | Access Control Lists COMMAND USAGE The following restrictions apply to ACLs: ◆ The maximum number of ACLs is 64. ◆ The maximum number of rules per system is 512. ◆ An ACL can have up to 64 rules. However, due to resource restrictions, ...
  • Page 351: Setting A Time Range

    | Chapter: Security Measures | Access Control Lists SETTING A TIME RANGE Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied. CLI REFERENCES ◆ "Time Range" on page 762 COMMAND USAGE If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if...
  • Page 352 | Chapter: Security Measures | Access Control Lists Figure 188: Setting the Name of a Time Range To show a list of time ranges: Click Security, ACL. Select Configure Time Range from the Step list. Select Show from the Action list. Figure 189: Showing a List of Time Ranges To configure a rule for a time range: Click Security, ACL.
  • Page 353: Showing Tcam Utilization

    | Chapter: Security Measures | Access Control Lists Figure 190: Adding a Rule to a Time Range To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list. Figure 191: Showing the Rules Configured for a Time Range Use the Security >...
  • Page 354: Setting The Acl Name And Type

    | Chapter: Security Measures | Access Control Lists ...Source Guard filter rules, Quality of Service (QoS) processes, QinQ, MAC-based VLANs, VLAN translation, or traps. For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
  • Page 355 | Chapter: Security Measures | Access Control Lists PARAMETERS These parameters are displayed: ◆ ACL Name – Name of the ACL. (Maximum length: 32 characters) ◆ Type – The following filter modes are supported: ■ IP Standard: IPv4 ACL mode filters packets based on the source...
  • Page 356: Configuring A Standard Ipv4 Acl

    | Chapter: Security Measures | Access Control Lists To show a list of ACLs: Click Security, ACL. Select Configure ACL from the Step list. Select Show from the Action list. Figure 194: Showing a List of ACLs CONFIGURING A STANDARD IPV4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
  • Page 357 | Chapter: Security Measures | Access Control Lists ◆ Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
  • Page 358: Configuring An Extended Ipv4 Acl

    | Chapter: Security Measures | Access Control Lists CONFIGURING AN EXTENDED IPV4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI REFERENCES ◆ "permit, deny (Extended IPv4 ACL)" on page 954 ...
  • Page 359 | Chapter: Security Measures | Access Control Lists ■ 1 (fin) – Finish ■ 2 (syn) – Synchronize ■ 4 (rst) – Reset ■ 8 (psh) – Push ■ 16 (ack) – Acknowledgement ■ 32 (urg) – Urgent pointer For example, use the code value and mask below to catch packets with the following flags set: ■ SYN flag valid, use control-code 2, control bit mask 2 ...
  • Page 360: Configuring A Standard Ipv6 Acl

    | Chapter: Security Measures | Access Control Lists Figure 196: Configuring an Extended IPv4 ACL CONFIGURING A STANDARD IPV6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI REFERENCES "permit, deny (Standard IPv6 ACL)"...
  • Page 361 | Chapter: Security Measures | Access Control Lists ◆ Time Range – Name of a time range. WEB INTERFACE To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list.
  • Page 362: Configuring An Extended Ipv6 Acl

    | Chapter: Security Measures | Access Control Lists CONFIGURING AN EXTENDED IPV6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI REFERENCES ◆ "permit, deny (Extended IPv6 ACL)" on page 960 ...
  • Page 363 | Chapter: Security Measures | Access Control Lists ◆ Time Range – Name of a time range. WEB INTERFACE To add rules to an Extended IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Extended from the Type list.
  • Page 364: Configuring A MAC ACL

    | Chapter: Security Measures | Access Control Lists CONFIGURING A MAC ACL Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI REFERENCES "permit, deny (MAC ACL)"...
  • Page 365 | Chapter: Security Measures | Access Control Lists WEB INTERFACE To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 366: Configuring An Arp Acl

    | Chapter: Security Measures | Access Control Lists CONFIGURING AN ARP ACL Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 367 | Chapter: Security Measures | Access Control Lists WEB INTERFACE To add rules to an ARP ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 368: Binding A Port To An Access Control List

    | Security Measures HAPTER Access Control Lists After configuring ACLs, use the Security > ACL (Configure Interface) page INDING A ORT TO AN to bind the ports that need to filter traffic to the appropriate ACLs. You can CCESS ONTROL assign one IP access list and one MAC access list to any port.
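The ACL pages above describe rule types (standard and extended IPv4/IPv6, MAC) and the binding of one IP ACL plus one MAC ACL per port, but not how a frame is actually judged. The following is an added example, not code from the manual or from Edge-Core: a first-match evaluator over those rule types. Its ordering and implicit-deny behaviour, the `Frame` and `Rule` types, and the sample policy are assumptions made for illustration.

```python
"""Added example (not from the Edge-Core manual or firmware): a first-match
ACL evaluator for the rule types the ACL pages describe (IPv4/IPv6 standard
and extended rules, MAC rules) and the per-port binding of one IP ACL plus
one MAC ACL. Assumptions: rules are checked in order, the first match decides,
a frame that matches no rule of an ACL that applies to it is dropped
(implicit deny), the MAC ACL sees every frame, and the IP ACL sees only
frames of its own address family."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int                    # 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None       # 1 ICMP, 6 TCP, 17 UDP
    dst_port: Optional[int] = None

@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # CIDR for IP rules, MAC for MAC rules; None = any
    dst: Optional[str] = None
    proto: Optional[int] = None       # extended IP rules only
    dst_port: Optional[int] = None    # extended IP rules only
    ethertype: Optional[int] = None   # MAC rules only
    time_range: Optional[str] = None  # rule is active only while this time range is

def _ip_in(cidr: Optional[str], addr: Optional[str]) -> bool:
    if cidr is None:
        return True
    return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def _mac_eq(pattern: Optional[str], mac: str) -> bool:
    return pattern is None or pattern.lower() == mac.lower()

def ip_family(frame: Frame) -> Optional[int]:
    return ipaddress.ip_address(frame.src_ip).version if frame.src_ip else None

def rule_matches(rule: Rule, frame: Frame, kind: str, active_ranges) -> bool:
    if rule.time_range is not None and rule.time_range not in active_ranges:
        return False
    if kind == "mac":
        return (_mac_eq(rule.src, frame.src_mac) and _mac_eq(rule.dst, frame.dst_mac)
                and (rule.ethertype is None or rule.ethertype == frame.ethertype))
    return (_ip_in(rule.src, frame.src_ip) and _ip_in(rule.dst, frame.dst_ip)
            and (rule.proto is None or rule.proto == frame.proto)
            and (rule.dst_port is None or rule.dst_port == frame.dst_port))

def evaluate(acl: List[Rule], frame: Frame, kind: str, active_ranges=frozenset()) -> str:
    """Action of the first matching rule; no match is an implicit deny."""
    for rule in acl:
        if rule_matches(rule, frame, kind, active_ranges):
            return rule.action
    return "deny"

def port_permits(binding: Dict[str, object], frame: Frame, active_ranges=frozenset()) -> bool:
    """binding = {"mac": [Rule, ...], "ip": ("ipv4" | "ipv6", [Rule, ...])}; either key may be absent."""
    mac_acl = binding.get("mac")
    if mac_acl is not None and evaluate(mac_acl, frame, "mac", active_ranges) == "deny":
        return False
    ip_acl = binding.get("ip")
    if ip_acl is not None:
        kind, rules = ip_acl
        if ip_family(frame) == {"ipv4": 4, "ipv6": 6}[kind]:
            if evaluate(rules, frame, kind, active_ranges) == "deny":
                return False
    return True

# Constructed sample policy (hypothetical): hosts in 10.1.0.0/16 may only open
# HTTPS, other IPv4 sources are unrestricted, and one quarantined MAC is blocked.
EXTENDED_V4 = [
    Rule("permit", src="10.1.0.0/16", proto=6, dst_port=443),
    Rule("deny", src="10.1.0.0/16"),
    Rule("permit"),
]
MAC_ACL = [Rule("deny", src="00:11:22:33:44:55"), Rule("permit")]
PORT_1 = {"mac": MAC_ACL, "ip": ("ipv4", EXTENDED_V4)}

if __name__ == "__main__":
    f = Frame("00:aa:00:00:00:01", "00:bb:00:00:00:01", 0x0800, "10.1.2.3", "198.51.100.9", 6, 443)
    print("HTTPS from 10.1.2.3 on port 1:", port_permits(PORT_1, f))
```

Note the asymmetry the example makes visible: an ARP frame from the quarantined MAC is dropped by the MAC ACL, while an ARP frame from any other host is never judged by the IPv4 ACL at all, so a "deny everything" IP ACL does not stop non-IP traffic. A rule with a time range silently stops matching outside that range, which is why the lookup falls through to the next rule rather than to an error.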
• Page 369: Configuring ACL Mirroring

| Security Measures | Access Control Lists: Figure 201: Binding a Port to an ACL. Configuring ACL Mirroring: After configuring ACLs, use the Security > ACL > Configure Interface (Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis.
• Page 370 | Security Measures | Access Control Lists: Web Interface: To mirror traffic matching an ACL from a port: Click Security, ACL. Select Configure Interface from the Step list. Select Add Mirror from the Action list. Select a port. Select the name of an ACL from the ACL list. Click Apply.
• Page 371: Showing ACL Hardware Counters

| Security Measures | Access Control Lists: Showing ACL Hardware Counters: Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters. CLI References: "show access-list" on page 974. Parameters: These parameters are displayed: ◆...
• Page 372: ARP Inspection

| Security Measures | ARP Inspection: Figure 204: Showing ACL Statistics. ARP Inspection: ARP Inspection is a security feature that validates the MAC address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain "man-in-the-middle"...
• Page 373: Configuring Global Settings for ARP Inspection

| Security Measures | ARP Inspection: ■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. ■ Disabling and then re-enabling global ARP Inspection will not affect...
• Page 374 | Security Measures | ARP Inspection: ARP Inspection Logging: ◆ By default, logging is active for ARP Inspection, and cannot be disabled. ◆ The administrator can configure the log facility rate. ◆ When the switch drops a packet, it places an entry in the log buffer,...
• Page 375: Configuring VLAN Settings for ARP Inspection

| Security Measures | ARP Inspection: Web Interface: To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply.
• Page 376: Configuring VLAN Settings for ARP Inspection

| Security Measures | ARP Inspection: ◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. Parameters: These parameters are displayed: ARP Inspection VLAN ID –...
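The order just stated (address validation, then the ARP ACL, then the DHCP snooping binding table unless the VLAN is Static) is easiest to see as code. The following is an added example, not the switch's implementation: the specific meaning given to the Src-MAC, Dst-MAC and IP validation options, the `ArpPacket`/`ArpRule` types, the drop reasons and the sample bindings are assumptions made for illustration.

```python
"""Added example (not from the manual or Edge-Core firmware): the ARP
Inspection decision path for one VLAN, run over constructed ARP packets in
the order the text above gives (ARP ACL first, then the DHCP snooping
binding table unless the VLAN is configured Static). Assumptions: the
optional address-validation checks are modelled as Src-MAC (Ethernet source
against ARP sender MAC), Dst-MAC (Ethernet destination against ARP target
MAC, replies only) and IP (reject 0.0.0.0, 255.255.255.255 and multicast
sender addresses, and target addresses in replies); a Static VLAN drops
packets the ACL does not match; bindings are (vlan, ip, mac) tuples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

REQUEST, REPLY = 1, 2

@dataclass
class ArpPacket:
    vlan: int
    eth_src: str       # Ethernet header addresses
    eth_dst: str
    op: int            # 1 request, 2 reply
    sender_mac: str    # ARP body addresses
    sender_ip: str
    target_mac: str
    target_ip: str

@dataclass
class ArpRule:
    action: str                  # "permit" or "deny"
    ip: Optional[str] = None     # sender IP, exact or CIDR; None = any
    mac: Optional[str] = None    # sender MAC; None = any

def _bad_ip(ip: str) -> bool:
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast

def address_validation(pkt: ArpPacket, src_mac=True, dst_mac=True, ip=True) -> Optional[str]:
    """None if the packet passes the enabled checks, else the name of the failing check."""
    if src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "src-mac"
    if dst_mac and pkt.op == REPLY and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "dst-mac"
    if ip and (_bad_ip(pkt.sender_ip) or (pkt.op == REPLY and _bad_ip(pkt.target_ip))):
        return "ip"
    return None

def acl_verdict(acl: List[ArpRule], pkt: ArpPacket) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for rule in acl:
        ip_ok = rule.ip is None or ipaddress.ip_address(pkt.sender_ip) in ipaddress.ip_network(rule.ip, strict=False)
        mac_ok = rule.mac is None or rule.mac.lower() == pkt.sender_mac.lower()
        if ip_ok and mac_ok:
            return rule.action
    return None

def inspect(pkt: ArpPacket, vlan_cfg: dict, bindings: Set[Tuple[int, str, str]], log: list) -> bool:
    """vlan_cfg: {vlan: {"acl": [ArpRule] | None, "static": bool, "validate": {...}}}.
    Returns True to forward the packet; every drop is appended to log with its reason."""
    cfg = vlan_cfg.get(pkt.vlan)
    if cfg is None:
        return True                                   # inspection not enabled on this VLAN
    reason = address_validation(pkt, **cfg.get("validate", {}))
    if reason is None:
        verdict = acl_verdict(cfg.get("acl") or [], pkt)
        if verdict == "deny":
            reason = "acl-deny"
        elif verdict is None:
            if cfg.get("static", False):
                reason = "no-acl-match"               # Static: the ACL is the only source of truth
            elif (pkt.vlan, pkt.sender_ip, pkt.sender_mac.lower()) not in bindings:
                reason = "no-binding"
    if reason is not None:
        log.append((pkt.vlan, pkt.sender_ip, pkt.sender_mac, reason))
        return False
    return True

# Constructed sample data (hypothetical): one DHCP-learned host and a statically
# permitted gateway on VLAN 10, all three validation checks enabled.
BINDINGS = {(10, "10.0.10.5", "aa:bb:cc:dd:ee:05")}
GATEWAY_ACL = [ArpRule("permit", ip="10.0.10.1", mac="aa:bb:cc:dd:ee:01")]
VLAN_CFG = {10: {"acl": GATEWAY_ACL, "static": False,
                 "validate": {"src_mac": True, "dst_mac": True, "ip": True}}}

if __name__ == "__main__":
    drops: list = []
    spoof = ArpPacket(10, "aa:bb:cc:dd:ee:99", "aa:bb:cc:dd:ee:05", REPLY,
                      "aa:bb:cc:dd:ee:99", "10.0.10.1", "aa:bb:cc:dd:ee:05", "10.0.10.5")
    print("forward spoofed gateway reply:", inspect(spoof, VLAN_CFG, BINDINGS, drops), drops)
```

The gateway is the case that makes the ARP ACL necessary: it never obtains its address through DHCP, so without a permit rule every reply from it would be dropped for lack of a binding. Conversely, a spoofed reply that claims the gateway's IP from another MAC matches neither the rule nor the table and is logged as a drop, which is the man-in-the-middle attempt the page refers to.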
• Page 377: Configuring Interface Settings for ARP Inspection

| Security Measures | ARP Inspection: Configuring Interface Settings for ARP Inspection: Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. CLI References: "ARP Inspection" on page 931...
• Page 378: Displaying ARP Inspection Statistics

| Security Measures | ARP Inspection: Figure 207: Configuring Interface Settings for ARP Inspection. Displaying ARP Inspection Statistics: Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
• Page 379: Displaying the ARP Inspection Log

| Security Measures | ARP Inspection: Web Interface: To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Statistics from the Action list. Figure 208: Displaying Statistics for ARP Inspection. Displaying the ARP Inspection Log: Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated...
• Page 380: Filtering IP Addresses for Management Access

| Security Measures | Filtering IP Addresses for Management Access: Web Interface: To display the ARP Inspection log: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Log from the Action list. Figure 209: Displaying the ARP Inspection Log. Filtering IP Addresses for...
• Page 381 | Security Measures | Filtering IP Addresses for Management Access: ◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Parameters: These parameters are displayed: ◆ Mode – Web –...
• Page 382: Configuring Port Security

| Security Measures | Configuring Port Security: To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 211: Showing IP Addresses Authorized for Management Access. Configuring Port Security: Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
• Page 383 | Security Measures | Configuring Port Security: ◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table. ◆ If port security is enabled, and the maximum number of allowed...
• Page 384: Configuring 802.1X Port Authentication

| Security Measures | Configuring 802.1X Port Authentication: ◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 335. ◆ MAC Filter ID – The identifier for a MAC address filter....
• Page 385 | Security Measures | Configuring 802.1X Port Authentication: rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL-encapsulated EAP identity request. The client provides its identity (such as a user name) in an EAP response to the switch, which forwards it to the RADIUS server.
• Page 386: Configuring 802.1X Global Settings

| Security Measures | Configuring 802.1X Port Authentication: ◆ The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS. (These are authentication methods rather than encryption methods, and native supplicant support for each varies by Windows version; EAP-TTLS, for example, only became a built-in method in Windows 8.) Use the Security >...
• Page 387: Configuring Port Authenticator Settings for 802.1X

| Security Measures | Configuring 802.1X Port Authentication: Web Interface: To configure global settings for 802.1X: Click Security, Port Authentication. Select Configure Global from the Step list. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server.
• Page 388 | Security Measures | Configuring 802.1X Port Authentication: ◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 386), which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate clients through the remote authenticator (see...
• Page 389 | Security Measures | Configuring 802.1X Port Authentication: ■ MAC-Based – Allows multiple hosts to connect to this port, with each host needing to pass authentication individually. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
• Page 390 | Security Measures | Configuring 802.1X Port Authentication: before it times out the authentication session. (Range: 1-10; Default: 2) ◆ Intrusion Action – Sets the port's response to a failed authentication. ■ Block Traffic – Blocks all non-EAP traffic on the port. (This is the...
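The 802.1X pages above describe the exchange (identity request, identity response relayed to the RADIUS server, MD5 challenge), the Max Request retransmit limit and the Block Traffic intrusion action in prose. The following is an added example, not the switch's code: a scripted run of that exchange with EAP-MD5 so the three roles and the retry/failure paths can be seen together. The in-process `AuthServer`, the class names and the sample users are assumptions made for illustration; the RADIUS transport is not modelled.

```python
"""Added example (not from the manual or Edge-Core): a scripted 802.1X port
authentication run using EAP-MD5, showing what the supplicant, the
authenticator (switch port) and the authentication server each do, the Max
Request retransmit limit (range 1-10, default 2) and the Block Traffic
intrusion action from the page above. Assumptions: the server is called
in-process rather than over RADIUS, and the EAP-MD5 response is
MD5(identifier || password || challenge) as in RFC 3748 section 5.4."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

class AuthServer:
    """Stands in for the RADIUS server: issues MD5 challenges and checks responses."""
    def __init__(self, users: Dict[str, bytes]):
        self.users = users
        self.identity, self.eap_id, self.value = "", 0, b""

    def challenge(self, identity: str, eap_id: int) -> bytes:
        self.identity, self.eap_id, self.value = identity, eap_id, os.urandom(16)
        return self.value

    def verify(self, response: bytes) -> bool:
        secret = self.users.get(self.identity)
        if secret is None:
            return False
        expected = hashlib.md5(bytes([self.eap_id]) + secret + self.value).digest()
        return hmac.compare_digest(expected, response)

class Supplicant:
    def __init__(self, identity: str, password: bytes, responds: bool = True):
        self.identity, self.password, self.responds = identity, password, responds

    def on_request_identity(self) -> Optional[str]:
        return self.identity if self.responds else None

    def on_md5_challenge(self, eap_id: int, value: bytes) -> Optional[bytes]:
        if not self.responds:
            return None
        return hashlib.md5(bytes([eap_id]) + self.password + value).digest()

class AuthenticatorPort:
    """One switch port in the authenticator role (Control Mode auto / force-authorized / force-unauthorized)."""
    def __init__(self, server: AuthServer, control: str = "auto", max_request: int = 2):
        if not 1 <= max_request <= 10:
            raise ValueError("Max Request range is 1-10")
        self.server, self.control, self.max_request = server, control, max_request
        self.state, self.blocked, self.eap_id = "unauthorized", False, 0
        self.stats = {"tx_req_id": 0, "tx_req_oth": 0, "rx_resp_id": 0, "rx_resp_oth": 0}

    def _request(self, counter: str, ask: Callable[[int], Optional[object]]):
        """Send an EAP request; retransmit up to max_request times before giving up."""
        for _ in range(1 + self.max_request):
            self.eap_id = (self.eap_id + 1) & 0xFF
            self.stats[counter] += 1
            reply = ask(self.eap_id)
            if reply is not None:
                return reply
        return None

    def connect(self, sup: Supplicant) -> str:
        if self.control == "force-authorized":       # port is open without any EAP exchange
            self.state, self.blocked = "authorized", False
            return self.state
        if self.control == "force-unauthorized":
            self.state, self.blocked = "unauthorized", True
            return self.state
        ok = False
        identity = self._request("tx_req_id", lambda i: sup.on_request_identity())
        if identity is not None:
            self.stats["rx_resp_id"] += 1
            # The identity is relayed to the server, which answers with an MD5-Challenge request.
            resp = self._request("tx_req_oth",
                                 lambda i: sup.on_md5_challenge(i, self.server.challenge(identity, i)))
            if resp is not None:
                self.stats["rx_resp_oth"] += 1
                ok = self.server.verify(resp)        # Access-Accept or Access-Reject
        self.state = "authorized" if ok else "unauthorized"
        self.blocked = not ok                        # Intrusion Action: Block Traffic (non-EAP frames)
        return self.state

if __name__ == "__main__":
    server = AuthServer({"alice": b"s3cret"})
    port = AuthenticatorPort(server)
    print(port.connect(Supplicant("alice", b"s3cret")), port.stats)
```

The counters map onto Table 23: `tx_req_id` and `tx_req_oth` are the "Tx EAP Req/Id" and "Tx EAP Req/Oth" columns, so a silent supplicant with the default Max Request of 2 shows three identity requests transmitted and none received. EAP-MD5 is kept here because the page names it; it authenticates only the supplicant and derives no keying material, which is why the page's PEAP/TLS/TTLS options exist.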
• Page 391: Configuring Port Supplicant Settings for 802.1X

| Security Measures | Configuring 802.1X Port Authentication: Click Apply. Figure 215: Configuring Interface Settings for 802.1X Port Authenticator. Configuring Port Supplicant Settings for 802.1X: Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
• Page 392 | Security Measures | Configuring 802.1X Port Authentication: ◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on the Authenticator configuration page, and as a supplicant on other ports by setting the Control Mode to Force-Authorized on that page and enabling the PAE supplicant on the Supplicant configuration page.
• Page 393: Displaying 802.1X Statistics

| Security Measures | Configuring 802.1X Port Authentication: Figure 216: Configuring Interface Settings for 802.1X Port Supplicant. Displaying 802.1X Statistics: Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. CLI References: "show dot1x"...
• Page 394 | Security Measures | Configuring 802.1X Port Authentication: Table 23: 802.1X Statistics (Continued) – Parameter / Description: Tx EAP Req/Id – The number of EAP Req/Id frames that have been transmitted by this Authenticator. Tx EAP Req/Oth – The number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
• Page 395 | Security Measures | Configuring 802.1X Port Authentication: Web Interface: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 217: Showing Statistics for 802.1X Port Authenticator
• Page 396: DoS Protection

| Security Measures | DoS Protection: To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 218: Showing Statistics for 802.1X Port Supplicant. DoS Protection: Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks.
• Page 397 | Security Measures | DoS Protection: ◆ Echo/Chargen Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second) ◆ Smurf Attack – Attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
• Page 398: IPv4 Source Guard

| Security Measures | IPv4 Source Guard: URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a "Blue Screen of Death." This did not cause any damage to, or change data on, the computer's hard disk, but any unsaved data would be lost.
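The DoS Protection pages name three patterns (the Echo/Chargen loop with a kbit/s ceiling, Smurf, WinNuke) without showing how a packet is matched against them. The following is an added example, not the switch's filter: a classifier for those three patterns plus a sliding-window rate limit for Echo/Chargen in the page's units. The packet record layout, the exact match conditions and the window length are assumptions made for illustration, and the burst it runs on is constructed.

```python
"""Added example (not from the manual or the switch firmware): a classifier
for the three attack patterns named on these pages (Echo/Chargen loop, Smurf,
WinNuke), with the Echo/Chargen limit expressed in kbit/s over a sliding
one-second window, run over constructed packet records. Assumptions: an
Echo/Chargen packet is UDP with both ports in {7, 19}; Smurf is an ICMP Echo
Request to 255.255.255.255; WinNuke is TCP to port 139 with URG set. The
packet records are constructed, not captured."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional, Set, Tuple

@dataclass
class Pkt:
    ts: float             # seconds
    length: int           # bytes on the wire
    proto: str            # "udp", "tcp" or "icmp"
    src_ip: str
    dst_ip: str
    sport: int = 0
    dport: int = 0
    flags: Set[str] = field(default_factory=set)   # TCP flags, e.g. {"URG", "PSH"}
    icmp_type: Optional[int] = None                 # 8 = Echo Request

def classify(p: Pkt) -> Optional[str]:
    if p.proto == "udp" and p.sport in (7, 19) and p.dport in (7, 19):
        return "echo-chargen"
    if p.proto == "icmp" and p.icmp_type == 8 and p.dst_ip == "255.255.255.255":
        return "smurf"
    if p.proto == "tcp" and p.dport == 139 and "URG" in p.flags:
        return "winnuke"
    return None

class DosGuard:
    def __init__(self, echo_chargen_kbps: int = 1000, smurf: bool = True, winnuke: bool = True):
        if not 64 <= echo_chargen_kbps <= 2000:          # range from the page
            raise ValueError("Echo/Chargen Attack Rate must be 64-2000 kbit/s")
        self.limit_bits = echo_chargen_kbps * 1000       # bits allowed per one-second window
        self.block = {"smurf": smurf, "winnuke": winnuke}
        self.window: Deque[Tuple[float, int]] = deque()  # (ts, bits) of admitted Echo/Chargen packets
        self.window_bits = 0
        self.dropped = {"echo-chargen": 0, "smurf": 0, "winnuke": 0}

    def _within_rate(self, p: Pkt) -> bool:
        while self.window and self.window[0][0] <= p.ts - 1.0:
            self.window_bits -= self.window.popleft()[1]
        bits = p.length * 8
        if self.window_bits + bits > self.limit_bits:
            return False
        self.window.append((p.ts, bits))
        self.window_bits += bits
        return True

    def admit(self, p: Pkt) -> bool:
        kind = classify(p)
        if kind is None:
            return True
        ok = self._within_rate(p) if kind == "echo-chargen" else not self.block[kind]
        if not ok:
            self.dropped[kind] += 1
        return ok

def run(guard: DosGuard, packets) -> Tuple[int, int]:
    """Return (forwarded, dropped) for a sequence of packets."""
    forwarded = sum(1 for p in packets if guard.admit(p))
    return forwarded, len(packets) - forwarded

if __name__ == "__main__":
    burst = [Pkt(i / 100.0, 1500, "udp", "10.0.0.9", "10.0.0.7", 19, 7) for i in range(100)]
    print("chargen->echo burst at 1000 kbit/s:", run(DosGuard(), burst))
```

At the page's default of 1000 kbit/s, a burst of one hundred 1500-byte chargen-to-echo datagrams in one second admits 83 and drops 17, because each datagram is 12,000 bits and the 84th would exceed the window budget. Smurf and WinNuke are on/off rather than rate-limited, matching the page's presentation of them as plain enable/disable settings.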
• Page 399: Configuring Ports for IP Source Guard

| Security Measures | IPv4 Source Guard: Configuring Ports for IP Source Guard: Use the Security > IP Source Guard > Port Configuration page to set the filtering type based on source IP address, or source IP address and MAC address pairs. IP Source Guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be...
• Page 400 | Security Measures | IPv4 Source Guard: Parameters: These parameters are displayed: ◆ Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. (Default: None) ■ None – Disables IP source guard filtering on the port....
• Page 401: Configuring Static Bindings for IP Source Guard

| Security Measures | IPv4 Source Guard: Configuring Static Bindings for IP Source Guard: Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port...
• Page 402 | Security Measures | IPv4 Source Guard: ◆ IP Address – IP address corresponding to the client. ◆ Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.) Web Interface: To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration.
• Page 403: Displaying Information for Dynamic IPv4 Source Guard Bindings

| Security Measures | IPv4 Source Guard: Displaying Information for Dynamic IPv4 Source Guard Bindings: Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI References: "show ip dhcp snooping binding" on page 910...
• Page 404: IPv6 Source Guard

| Security Measures | IPv6 Source Guard: Figure 223: Showing the IP Source Guard Binding Table. IPv6 Source Guard: IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see the...
• Page 405 | Security Measures | IPv6 Source Guard: snooping or DHCPv6 snooping, or static addresses configured in the source guard binding table. The port allows only IPv6 traffic with a matching entry in the binding table and denies all other IPv6 traffic. ◆ Table entries include a MAC address, IPv6 global unicast address, entry...
• Page 406: Configuring Static Bindings for IPv6 Source Guard

| Security Measures | IPv6 Source Guard: ■ This parameter sets the maximum number of IPv6 global unicast source address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping or DHCPv6 snooping (see the DHCPv6 Snooping commands) and static entries set by IPv6 Source Guard (see...
• Page 407 | Security Measures | IPv6 Source Guard: Command Usage: ◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number. ◆ Static addresses entered in the source guard binding table are automatically configured with an infinite lease time. ◆ When source guard is enabled, traffic is filtered based upon dynamic...
• Page 408 | Security Measures | IPv6 Source Guard: ◆ IPv6 Address – IPv6 address corresponding to the client. ◆ Type – Shows the entry type: ■ DHCP – Dynamic DHCPv6 binding, stateful address. ■ ND – Dynamic Neighbor Discovery binding, stateless address....
• Page 409: Displaying Information for Dynamic IPv6 Source Guard Bindings

| Security Measures | IPv6 Source Guard: Displaying Information for Dynamic IPv6 Source Guard Bindings: Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI References: "show ipv6 source-guard binding" on page 931...
• Page 410: DHCP Snooping

| Security Measures | DHCP Snooping: DHCP Snooping: The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
• Page 411 | Security Measures | DHCP Snooping: ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. ■ If the DHCP packet is from a client, such as a DISCOVER,...
• Page 412: DHCP Snooping Configuration

| Security Measures | DHCP Snooping: the DHCP client request, including the port and VLAN ID. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them to the entire VLAN. ◆ If DHCP Snooping Information Option 82 is enabled on the switch,...
• Page 413 | Security Measures | DHCP Snooping: ■ string – An arbitrary string inserted into the remote identifier field. (Range: 1-32 characters) ◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information.
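The DHCP Snooping pages (trusted versus untrusted ports, the DECLINE/RELEASE binding check, Option 82 insertion and the Information Option Policy) and the IPv4 Source Guard pages earlier in this chapter (Filter Type: none, source IP, or source IP plus MAC) describe two halves of one mechanism: snooping fills the binding table and source guard enforces it. The following is an added example serving both passages, not Edge-Core's implementation. The message record layout, the circuit-id encoding, the `SnoopingSwitch` class and all traffic are constructed assumptions.

```python
"""Added example (not from the manual or Edge-Core): a model of the DHCP
snooping decisions on these pages together with the IPv4 Source Guard
filtering from the Port Configuration page earlier in the chapter: server
messages are dropped on untrusted ports, client DECLINE/RELEASE is forwarded
only when a binding exists, Option 82 is inserted or handled per the
Information Option Policy, ACKs on trusted ports populate the binding table,
and ordinary IP traffic on a guarded port is checked against that table by
source IP or source IP + MAC. Assumptions: messages are plain records rather
than wire-format DHCP, the circuit-id layout (VLAN, port) is illustrative,
and all sample traffic is constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

def option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Body of the Relay Agent Information option (code 82): sub-option 1 then sub-option 2."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id

@dataclass
class Dhcp:
    kind: str                   # DISCOVER, REQUEST, INFORM, DECLINE, RELEASE, OFFER, ACK, NAK
    vlan: int
    port: int                   # switch port the message arrived on
    client_mac: str
    yiaddr: Optional[str] = None   # address the server assigns (OFFER/ACK)
    lease: int = 0
    opt82: Optional[bytes] = None

class SnoopingSwitch:
    def __init__(self, mac: str, trusted_ports, policy: str = "replace", remote_id: Optional[str] = None):
        self.trusted = set(trusted_ports)
        self.policy = policy                              # drop | keep | replace
        self.remote_id = remote_id.encode() if remote_id else bytes.fromhex(mac.replace(":", ""))
        self.pending: Dict[Tuple[int, str], int] = {}     # (vlan, mac) -> port of the client's request
        self.bindings: Dict[Tuple[int, str], Tuple[str, int, int]] = {}  # (vlan, mac) -> (ip, port, lease)
        self.filter_type: Dict[int, str] = {}             # port -> none | sip | sip-mac

    def snoop(self, m: Dhcp) -> Tuple[bool, object]:
        """Return (forward?, forwarded message or drop reason)."""
        key = (m.vlan, m.client_mac.lower())
        if m.port in self.trusted:                        # trusted ports are not filtered
            if m.kind == "ACK" and m.yiaddr and key in self.pending:
                self.bindings[key] = (m.yiaddr, self.pending.pop(key), m.lease)
            return True, m
        if m.kind in SERVER_MSGS:
            return False, "server message on untrusted port"
        if m.kind in ("DECLINE", "RELEASE"):
            return (True, m) if key in self.bindings else (False, "no binding for client")
        # DISCOVER / REQUEST / INFORM from an untrusted port
        if m.opt82 is not None and self.policy == "drop":
            return False, "client packet already carries Option 82"
        if m.opt82 is None or self.policy == "replace":
            m.opt82 = option82(struct.pack(">HH", m.vlan, m.port), self.remote_id)
        self.pending[key] = m.port
        return True, m

    def source_guard(self, port: int, vlan: int, src_ip: str, src_mac: str) -> bool:
        """IP Source Guard check for a non-DHCP IP packet received on port."""
        mode = self.filter_type.get(port, "none")
        if mode == "none":
            return True
        if mode == "sip":
            return any(ip == src_ip and p == port
                       for (v, _), (ip, p, _) in self.bindings.items() if v == vlan)
        entry = self.bindings.get((vlan, src_mac.lower()))
        return entry is not None and entry[0] == src_ip and entry[1] == port

if __name__ == "__main__":
    sw = SnoopingSwitch("00:e0:0c:00:00:01", trusted_ports={24})
    print(sw.snoop(Dhcp("OFFER", 1, 5, "aa:bb:cc:00:00:01", "10.0.0.50")))
```

Two details matter in practice. The binding records the port of the client's request, not the port the ACK arrived on, which is why the model tracks pending requests; and with Filter Type "sip" a host that spoofs another client's MAC but keeps its own leased IP is still admitted, while "sip-mac" rejects it. The Option 82 policy "drop" is the safe default where no downstream relay is expected, since a client-inserted Option 82 is itself a spoofing attempt.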
• Page 414: DHCP Snooping VLAN Configuration

| Security Measures | DHCP Snooping: DHCP Snooping VLAN Configuration: Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI References: "ip dhcp snooping vlan" on page 905...
• Page 415: Configuring Ports for DHCP Snooping

| Security Measures | DHCP Snooping: Configuring Ports for DHCP Snooping: Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted. CLI References: "ip dhcp snooping trust" on page 907...
• Page 416: Displaying DHCP Snooping Binding Information

| Security Measures | DHCP Snooping: Figure 230: Configuring the Port Mode for DHCP Snooping. Displaying DHCP Snooping Binding Information: Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table. CLI References: "show ip dhcp snooping binding"...
• Page 417 | Security Measures | DHCP Snooping: Use the Store or Clear function if required. Figure 231: Displaying the Binding Table for DHCP Snooping
• Page 418 | Security Measures | DHCP Snooping
• Page 419: Basic Administration Protocols

Basic Administration Protocols: This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending log messages to remote syslog servers, and configures alert reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
• Page 420: Configuring Event Logging

| Basic Administration Protocols | Configuring Event Logging: Configuring Event Logging: The switch allows you to control the logging of error messages, including which event types are recorded in switch memory and which are sent to a remote System Log (syslog) server, and displays a list of recent event messages. Use the Administration >...
• Page 421 | Basic Administration Protocols | Configuring Event Logging: ◆ RAM Level – Limits log messages saved to the switch's temporary RAM memory to all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7; Default: 7) The Flash Level must be equal to or less than the RAM Level.
• Page 422: Remote Log Configuration

| Basic Administration Protocols | Configuring Event Logging: Figure 233: Showing Error Messages Logged to System Memory. Remote Log Configuration: Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages at or below a specified level.
• Page 423: Sending Simple Mail Transfer Protocol Alerts

| Basic Administration Protocols | Configuring Event Logging: Web Interface: To configure the logging of error messages to remote servers: Click Administration, Log, Remote. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. Click Apply.
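The three thresholds on these pages (RAM Level, a Flash Level that may not exceed it, and a separate level for remote servers) and the facility chosen for remote syslog are easiest to check as code. The following is an added example, not the switch's logging code: the constructor defaults, the `EventLog` class and the sample messages are assumptions; the facility numbering and PRI formula are those of RFC 3164.

```python
"""Added example (not from the manual): the severity thresholds described on
the Event Logging pages (RAM level, Flash level no higher than the RAM level,
a separate level for the remote server) and the syslog PRI value computed
when a message is sent to that server. Assumptions: facility names
local0-local7 map to syslog facility codes 16-23 (RFC 3164), the remote
message uses the classic "<PRI>text" form, and the constructor defaults are
illustrative rather than the switch's factory defaults."""
from typing import List, Tuple

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {f"local{i}": 16 + i for i in range(8)}

class EventLog:
    def __init__(self, ram_level: int = 7, flash_level: int = 3, remote_level: int = 7,
                 facility: str = "local7", remote: bool = False):
        if not 0 <= flash_level <= ram_level <= 7:
            raise ValueError("Flash Level must be 0-7 and no higher than RAM Level")
        self.ram_level, self.flash_level, self.remote_level = ram_level, flash_level, remote_level
        self.facility, self.remote = FACILITY[facility], remote
        self.ram: List[str] = []
        self.flash: List[str] = []
        self.sent: List[str] = []

    def log(self, severity: str, text: str) -> Tuple[bool, bool, bool]:
        """Return (stored in RAM, stored in flash, sent to the remote server)."""
        level = SEVERITY[severity]                     # 0 is most severe, so "up to level" is <=
        in_ram, in_flash = level <= self.ram_level, level <= self.flash_level
        to_remote = self.remote and level <= self.remote_level
        if in_ram:
            self.ram.append(text)
        if in_flash:
            self.flash.append(text)
        if to_remote:
            self.sent.append(f"<{self.facility * 8 + level}>{text}")   # PRI = facility * 8 + severity
        return in_ram, in_flash, to_remote

if __name__ == "__main__":
    log = EventLog(ram_level=7, flash_level=3, remote_level=6, facility="local7", remote=True)
    print(log.log("error", "link down on port 3"), log.sent)
```

Because flash survives a reboot and RAM does not, the constraint Flash Level <= RAM Level guarantees that anything persisted was also visible in the live buffer; choosing a distinct facility per switch family lets the collector route messages without parsing their text.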
• Page 424: Link Layer Discovery Protocol

| Basic Administration Protocols | Link Layer Discovery Protocol: ◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients. ◆ Server IP Address – Specifies a list of up to three recipient SMTP...
• Page 425: Setting LLDP Timing Attributes

| Basic Administration Protocols | Link Layer Discovery Protocol: Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy, power, inventory, and device location details.
• Page 426 | Basic Administration Protocols | Link Layer Discovery Protocol: ◆ Notification Interval – Configures the allowed interval for sending SNMP notifications about LLDP MIB changes. (Range: 5-3600 seconds; Default: 5 seconds) This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
• Page 427: Configuring LLDP Interface Attributes

| Basic Administration Protocols | Link Layer Discovery Protocol: Configuring LLDP Interface Attributes: Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
• Page 428 | Basic Administration Protocols | Link Layer Discovery Protocol: Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management...
• Page 429 | Basic Administration Protocols | Link Layer Discovery Protocol: ■ Max Frame Size – The maximum frame size. (See "Configuring Support for Jumbo Frames" on page 120 for information on configuring the maximum frame size for this switch.) ■ MAC/PHY Configuration/Status – The MAC/PHY configuration...
• Page 430: Configuring LLDP Interface Civic-Address

| Basic Administration Protocols | Link Layer Discovery Protocol: Web Interface: To configure LLDP interface attributes: Click Administration, LLDP. Select Configure Interface from the Step list. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
• Page 431: Table 25: LLDP-MED Location CA Types

| Basic Administration Protocols | Link Layer Discovery Protocol: Table 25: LLDP-MED Location CA Types (Description – CA Value Example): National subdivisions (state, canton, province) – California; County, parish – Orange; City, township – Irvine; City division, borough, city district – West Irvine; Neighborhood, block – Riverside; Group of streets below the neighborhood level –...
• Page 432: Table 26: Chassis ID Subtype

| Basic Administration Protocols | Link Layer Discovery Protocol: Figure 238: Configuring the Civic Address for an LLDP Interface. Displaying LLDP Local Device Information: Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
• Page 433: Table 27: System Capabilities

| Basic Administration Protocols | Link Layer Discovery Protocol: ◆ System Description – A textual description of the network entity. This field is also displayed by the show system command. ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system.
• Page 434: Table 28: Port ID Subtype

| Basic Administration Protocols | Link Layer Discovery Protocol: ◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV. Table 28: Port ID Subtype (ID Basis – Reference)...
• Page 435 | Basic Administration Protocols | Link Layer Discovery Protocol: Figure 239: Displaying Local Device Information for LLDP (General). Figure 240: Displaying Local Device Information for LLDP (Port). Figure 241: Displaying Local Device Information for LLDP (Port Details)
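Tables 26, 27 and 28 (chassis ID subtype, system capabilities, port ID subtype) describe fields that arrive on the wire inside an LLDPDU from a neighbour, so the same names can be recovered by parsing rather than read off the web page. The following is an added example, not the switch's LLDP agent: it builds a constructed LLDPDU and parses it back. The TLV type codes, subtype codes and capability bits are those of IEEE 802.1AB; the `build_lldpdu`/`parse_lldpdu` functions, the dictionary layout and the sample values are assumptions made for illustration.

```python
"""Added example (not from the manual): building and parsing an LLDPDU so
the chassis ID subtype (Table 26), system capabilities (Table 27) and port
ID subtype (Table 28) are read from the wire rather than from the web page.
The frame below is constructed; the TLV type codes, subtype codes and
capability bits are those of IEEE 802.1AB. Parsing stops on any TLV that
overruns the buffer, since a neighbour's LLDPDU is untrusted input."""
import struct
from typing import Dict, List

CHASSIS_SUBTYPE = {1: "Chassis component", 2: "Interface alias", 3: "Port component",
                   4: "MAC address", 5: "Network address", 6: "Interface name", 7: "Locally assigned"}
PORT_SUBTYPE = {1: "Interface alias", 2: "Port component", 3: "MAC address", 4: "Network address",
                5: "Interface name", 6: "Agent circuit ID", 7: "Locally assigned"}
CAPABILITY = [(0x01, "Other"), (0x02, "Repeater"), (0x04, "Bridge"), (0x08, "WLAN Access Point"),
              (0x10, "Router"), (0x20, "Telephone"), (0x40, "DOCSIS cable device"), (0x80, "Station only")]
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESCR, SYS_NAME, SYS_DESCR, SYS_CAP = range(8)

def tlv(tlv_type: int, value: bytes) -> bytes:
    """7-bit type and 9-bit length packed into one 16-bit header, followed by the value."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack(">H", (tlv_type << 9) | len(value)) + value

def build_lldpdu(chassis_mac: str, port_name: str, ttl: int, sys_name: str,
                 supported: int, enabled: int) -> bytes:
    return b"".join([
        tlv(CHASSIS_ID, bytes([4]) + bytes.fromhex(chassis_mac.replace(":", ""))),  # subtype 4: MAC
        tlv(PORT_ID, bytes([5]) + port_name.encode()),                              # subtype 5: ifName
        tlv(TTL, struct.pack(">H", ttl)),
        tlv(SYS_NAME, sys_name.encode()),
        tlv(SYS_CAP, struct.pack(">HH", supported, enabled)),
        tlv(END, b""),
    ])

def _caps(bits: int) -> List[str]:
    return [name for bit, name in CAPABILITY if bits & bit]

def _id_string(value: bytes, mac_subtype: int) -> str:
    if value[0] == mac_subtype:
        return ":".join(f"{b:02x}" for b in value[1:])
    return value[1:].decode(errors="replace")

def parse_lldpdu(data: bytes) -> Dict[str, object]:
    out: Dict[str, object] = {}
    pos = 0
    while pos + 2 <= len(data):
        hdr, = struct.unpack_from(">H", data, pos)
        t, length = hdr >> 9, hdr & 0x1FF
        value = data[pos + 2: pos + 2 + length]
        if len(value) != length:                       # truncated or malformed TLV: stop, do not guess
            out["error"] = f"TLV type {t} overruns PDU"
            break
        pos += 2 + length
        if t == END:
            break
        if t == CHASSIS_ID and value:
            out["chassis_id_subtype"] = CHASSIS_SUBTYPE.get(value[0], f"reserved ({value[0]})")
            out["chassis_id"] = _id_string(value, 4)
        elif t == PORT_ID and value:
            out["port_id_subtype"] = PORT_SUBTYPE.get(value[0], f"reserved ({value[0]})")
            out["port_id"] = _id_string(value, 3)
        elif t == TTL and length == 2:
            out["ttl"], = struct.unpack(">H", value)
        elif t == SYS_NAME:
            out["system_name"] = value.decode(errors="replace")
        elif t == SYS_CAP and length == 4:
            supported, enabled = struct.unpack(">HH", value)
            out["capabilities_supported"] = _caps(supported)
            out["capabilities_enabled"] = _caps(enabled)
    return out

if __name__ == "__main__":
    pdu = build_lldpdu("00:e0:0c:12:34:56", "Eth1/0/1", 120, "edge-sw1", 0x14, 0x04)
    print(parse_lldpdu(pdu))
```

The parser checks each TLV's declared length against the bytes actually present before reading it; a neighbour can put anything in an LLDPDU, and the Neighbor Entries Dropped counter on the statistics page is the switch-side symptom of discarding such frames. A "Bridge and Router supported, Bridge enabled" capability pair is what a Layer 2 switch that has routing code but no active routes typically advertises.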
• Page 436 | Basic Administration Protocols | Link Layer Discovery Protocol: Displaying LLDP Remote Device Information: Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch's ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
• Page 437: Table 29: Remote Port Auto-Negotiation Advertised Capability

| Basic Administration Protocols | Link Layer Discovery Protocol: ◆ Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted. ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 27, "System Capabilities,"...
• Page 438 | Basic Administration Protocols | Link Layer Discovery Protocol: Table 29: Remote Port Auto-Negotiation Advertised Capability (Capability): 100BASE-T4; 100BASE-TX half duplex mode; 100BASE-TX full duplex mode; 100BASE-T2 half duplex mode; 100BASE-T2 full duplex mode; PAUSE for full-duplex links; Asymmetric PAUSE for full-duplex links; Symmetric PAUSE for full-duplex links; Asymmetric and Symmetric PAUSE for full-duplex links; 1000BASE-X, -LX, -SX, -CX half duplex mode...
• Page 439 | Basic Administration Protocols | Link Layer Discovery Protocol: points and others, will be classified according to their power requirements. Port Details – 802.3 Extension Trunk Information: ◆ Remote Link Aggregation Capable – Shows whether the remote port supports link aggregation and whether it is currently in an aggregated state.
• Page 440 | Basic Administration Protocols | Link Layer Discovery Protocol: ◆ Current Capabilities – The set of capabilities that define the primary function(s) of the port which are currently enabled. Port Details – Network Policy: ◆ Application Type – The primary application(s) defined for this...
• Page 441 | Basic Administration Protocols | Link Layer Discovery Protocol: the other items and described under "Configuring LLDP Interface Civic-Address." ■ ECS ELIN – Emergency Call Service Emergency Location Identification Number; supports traditional PSAP-based Emergency Call Service in North America. ◆ Country Code – The two-letter ISO 3166 country code in capital ASCII...
• Page 442 | Basic Administration Protocols | Link Layer Discovery Protocol: Web Interface: To display LLDP information for a remote port: Click Administration, LLDP. Select Show Remote Device Information from the Step list. Select Port, Port Details, Trunk, or Trunk Details. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
• Page 443 | Basic Administration Protocols | Link Layer Discovery Protocol: Figure 243: Displaying Remote Device Information for LLDP (Port Details)
• Page 444 | Basic Administration Protocols | Link Layer Discovery Protocol: Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 244: Displaying Remote Device Information for LLDP (End Node). Displaying LLDP Device Statistics: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP...
• Page 445 | Basic Administration Protocols | Link Layer Discovery Protocol: ◆ Neighbor Entries Dropped Count – The number of times the remote database on this switch dropped an LLDPDU because of insufficient resources. ◆ Neighbor Entries Age-out Count – The number of times that a...
• Page 446: Simple Network Management Protocol

| Basic Administration Protocols | Simple Network Management Protocol: Figure 245: Displaying LLDP Device Statistics (General). Figure 246: Displaying LLDP Device Statistics (Port). Simple Network Management Protocol: Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
• Page 447: Table 30: SNMPv3 Security Models and Levels

| Basic Administration Protocols | Simple Network Management Protocol: as well as the traffic passing through its ports. A network management station can access this information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings.
• Page 448 | Basic Administration Protocols | Simple Network Management Protocol: Command Usage: Configuring SNMPv1/2c Management Access: To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages. Use the Administration >...
• Page 449: Configuring Global Settings for SNMP

| Basic Administration Protocols | Simple Network Management Protocol: Parameters: These parameters are displayed: ◆ Agent Status – Enables SNMP on the switch. (Default: Enabled) ◆ Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process.
• Page 450 | Basic Administration Protocols | Simple Network Management Protocol: ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users. Parameters: These parameters are displayed: ◆ Engine ID – A new engine ID can be specified by entering 9 to 64...
• Page 451 | Basic Administration Protocols | Simple Network Management Protocol: Command Usage: ◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it.
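The localization the paragraph above relies on (and the reason page 450 says that changing the engine ID clears every SNMP user) is defined in RFC 3414 Appendix A.2: the password is expanded to 1 MiB and hashed to an intermediate key Ku, then Ku is hashed together with the authoritative engine ID to give the localized key Kul. The following is an added example, not the switch's code; the function names are assumptions and the hex engine ID format follows what an administrator would type on the Configure Engine ID page.

```python
"""Added example (not from the manual or Edge-Core): the password
localization the paragraph above refers to, as RFC 3414 Appendix A.2
describes it (password repeated to 1 MiB and hashed to Ku, then Ku localized
with the authoritative engine ID). Assumption: the engine ID is supplied as
the hex string an administrator would enter on the Configure Engine ID page;
RFC 3411 bounds it to 5-32 octets."""
import hashlib

def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku: digest of the password repeated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    repeated = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algorithm, repeated).digest()

def localize_key(ku: bytes, engine_id_hex: str, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores and uses."""
    engine_id = bytes.fromhex(engine_id_hex)
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5-32 octets")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()

def localized_key(password: bytes, engine_id_hex: str, algorithm: str = "md5") -> bytes:
    """Convenience wrapper: password straight to the per-engine key."""
    return localize_key(password_to_key(password, algorithm), engine_id_hex, algorithm)

if __name__ == "__main__":
    # RFC 3414 Appendix A.3 worked values: password "maplesyrup", engine ID 00..02
    print(password_to_key(b"maplesyrup").hex())
    print(localized_key(b"maplesyrup", "000000000000000000000002").hex())
```

Two consequences follow directly. A key recovered from one agent is useless against another agent with a different engine ID, which is the property that makes informs require the remote engine ID up front; and because Kul depends on the engine ID, regenerating or editing that ID on the Configure Engine ID page invalidates every stored user key, which is the clearing behaviour page 450 warns about.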
  • Page 452 | Basic Administration Protocols HAPTER Simple Network Management Protocol Figure 250: Showing Remote Engine IDs for SNMP Use the Administration > SNMP (Configure View) page to configure ETTING SNMPv3 views which are used to restrict user access to specified portions SNMP IEWS of the MIB tree.
  • Page 453 | Basic Administration Protocols HAPTER Simple Network Management Protocol Select Add View from the Action list. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
  • Page 454 | Basic Administration Protocols HAPTER Simple Network Management Protocol Click Apply Figure 253: Adding an OID Subtree to an SNMP View To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
  • Page 455 | Basic Administration Protocols HAPTER Simple Network Management Protocol Use the Administration > SNMP (Configure Group) page to add an SNMPv3 ONFIGURING group which can be used to set the access policy for its assigned users, SNMP ROUPS restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
  • Page 456: Table 31: Supported Notification Messages

    Table 31: Supported Notification Messages. Model Level Group. RFC 1493 Traps: newRoot 1.3.6.1.2.1.17.0.1 – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
  • Page 457 | Table 31: Supported Notification Messages (Continued). Model Level Group. swIpFilterRejectTrap 1.3.6.1.4.1.259.10.1.22.2.1.0.40 – This trap is sent when an incorrect IP address is rejected by the IP Filter. swAtcBcastStormAlarmFireTrap 1.3.6.1.4.1.259.10.1.22.2.1.0.70 – When broadcast traffic is detected as a storm, this trap is fired.
  • Page 458 | Table 31: Supported Notification Messages (Continued). Model Level Group. swMemoryUtiFallingThreshold Notification 1.3.6.1.4.1.259.10.1.22.2.1.0.110 – This notification indicates that the memory utilization has fallen from memoryUtiRisingThreshold to memoryUtiFallingThreshold. dhcpRougeServerAttackTrap 1.3.6.1.4.1.259.10.1.22.2.1.0.114 – This trap is sent when receiving a DHCP packet from a rogue server.
  • Page 459 | Web Interface: To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 460: Setting Community Access Strings

    Setting Community Access Strings: Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 461 | To show the community access strings: Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list. Figure 258: Showing Community Access Strings. Configuring Local SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify...
  • Page 462: Configuring Local SNMPv3 Users

    ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters...
  • Page 463 | To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list. Figure 260: Showing Local SNMPv3 Users. Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from...
  • Page 464 | ◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model: ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 465: Configuring Remote SNMPv3 Users

    Figure 261: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 262: Showing Remote SNMPv3 Users –...
  • Page 466 | Specifying Trap Managers: Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 467 | Parameters: These parameters are displayed: SNMP Version 1: ◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 468 | SNMP Version 3: ◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 469 | Web Interface: To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 263: Configuring Trap Managers (SNMPv1). Figure 264: Configuring Trap Managers (SNMPv2c).
  • Page 470 | Figure 265: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 266: Showing Trap Managers. Use the Administration >...
  • Page 471 | The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged. ◆ Given the service provided by the NLM, individual MIBs can now bear...
  • Page 472 | Figure 267: Creating SNMP Notification Logs. To show configured SNMP notification logs: Click Administration, SNMP. Select Configure Notify Filter from the Step list. Select Show from the Action list. Figure 268: Showing SNMP Notification Logs. Use the Administration >...
  • Page 473 | ...represented an SNMP operation which was not allowed by the SNMP community named in the message. ◆ Encoding errors – The total number of ASN.1 or BER errors encountered by the SNMP entity when decoding received SNMP messages.
  • Page 474: Remote Monitoring

    To show SNMP statistics: Click Administration, SNMP. Select Show Statistics from the Step list. Figure 269: Showing SNMP Statistics. Remote Monitoring: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 475 | Configuring RMON Alarms: Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
  • Page 476 | ◆ Falling Threshold – If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 477 | To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 271: Showing Configured RMON Alarms. Configuring RMON Events: Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered.
  • Page 478 | ◆ Type – Specifies the type of event to initiate: ■ None – No event is generated. ■ Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "System Log Configuration"...
  • Page 479 | Figure 272: Configuring an RMON Event. To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 273: Showing Configured RMON Events. Use the Administration >...
  • Page 480 | Command Usage: ◆ Each index number equates to a port on the switch. ◆ If history collection is already enabled on an interface, the entry must be deleted before any changes can be made. ◆...
  • Page 481 | Click Apply. Figure 274: Configuring an RMON History Sample. To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History.
  • Page 482 | Select a port from the list. Click History. Figure 276: Showing Collected RMON History Samples. Configuring RMON Statistical Samples: Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
  • Page 483 | Select Add from the Action list. Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply. Figure 277: Configuring an RMON Statistical Sample. To show configured RMON statistical samples: Click Administration, RMON.
  • Page 484: Switch Clustering

    To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics. Figure 279: Showing Collected RMON Statistical Samples. Switch Clustering: Switch clustering is a method of grouping switches together to enable...
  • Page 485 | ...information between the Commander and potential Candidates or active Members through VLAN 4093. ◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate”...
  • Page 486 | ◆ Number of Members – The current number of Member switches in the cluster. ◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members. Web Interface: To configure a switch cluster: Click Administration, Cluster.
  • Page 487 | Web Interface: To configure cluster members: Click Administration, Cluster. Select Configure Member from the Step list. Select Add from the Action list. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
  • Page 488 | Figure 283: Showing Cluster Candidates. Managing Cluster Members: Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. CLI References: ◆ "Switch Clustering" on page 766. Parameters: These parameters are displayed: Member ID –...
  • Page 489: Ethernet Ring Protection Switching

    Web Interface: To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate. Figure 284: Managing a Cluster Member. Ethernet Ring Protection Switching...
  • Page 490 | ...blocking traffic over the RPL. When a ring failure occurs, the RPL owner is responsible for unblocking the RPL, allowing this link to be used for traffic. Ring nodes may be in one of two states: Idle –...
  • Page 491 | Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology. This arrangement consists of conjoined rings connected by one or more interconnection points, and is based on the following criteria: ◆ The R-APS channels are not shared across Ethernet Ring...
  • Page 492 | Figure 286: Ring Interconnection Architecture (Multi-ring/Ladder Network). [Diagram with two panels, "Normal Condition" and "Signal Fail Condition", showing the RPL Owner Node for ERP1 and ring nodes A and B on ERP1.]...
  • Page 493 | Enable ERPS (Configure Global): Before enabling a ring as described in the next step, first globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled, no ERPS rings will work. Enable an ERPS ring (Configure Domain –...
  • Page 494: ERPS Global Configuration

    Web Interface: To globally enable ERPS on the switch: Click Administration, ERPS. Select Configure Global from the Step list. Mark the ERPS Status check box. Click Apply. Figure 287: Setting ERPS Global Status. Use the Administration >...
  • Page 495 | Show: ◆ Domain Name – Name of a configured ERPS ring. ◆ ID – ERPS ring identifier used in R-APS messages. ◆ Admin Status – Shows whether ERPS is enabled on the switch. ◆...
  • Page 496 | ◆ Local FS – Shows if a forced switch command was issued on this interface. ◆ Local MS – Shows if a manual switch command was issued on this interface. ◆ MEP – The CFM MEP used to monitor the status on this link. ◆...
  • Page 497 | Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently. If set to version 1, MS and FS operator commands are filtered, and the switch is set to revertive mode.
  • Page 498 | ■ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the Forced Switch or Manual Switch commands on the Configure Operation page).
  • Page 499 | ...over both ring ports, informing that no request is present at this ring node, and initiates a guard timer. When another recovered ring node (or nodes) holding the link block receives this message, it compares the Node ID information with its own Node ID.
  • Page 500 | ■ Recovery for Forced Switching – A Forced Switch command is removed by issuing the Clear command (Configure Operation page) to the same ring node where Forced Switch mode is in effect.
  • Page 501 | The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB.
  • Page 502 | ■ Recovery with non-revertive mode is handled as follows: The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action. Then, after the operator issues the Clear command (Configure Operation page) at the RPL Owner Node, this ring node blocks the ring port attached to the RPL,...
  • Page 503 | ■ A sub-ring may be attached to a primary ring with or without a virtual channel. A virtual channel is used to connect two interconnection points on the sub-ring, tunneling R-APS control messages across an arbitrary Ethernet network topology.
  • Page 504 | No R-APS messages are inserted or extracted by other rings or sub-rings at the interconnection nodes where a sub-ring is attached. Hence there is no need for either additional bandwidth or for different VIDs/Ring IDs for the ring interconnection.
  • Page 505 | ■ The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL. However, using this standard recovery procedure may cause a non-ERPS device to become isolated when the ERPS device adjacent to it detects a continuity check message (CCM) loss event and blocks the...
  • Page 506 | ...that defect will be reported to the protection switching mechanism. The reported defect need not be the same one that started the timer. ◆ Guard Timer – The guard timer is used to prevent ring nodes from...
  • Page 507 | ◆ West/East – Connects to the next ring node to the west/east. Each node must be connected to two neighbors on the ring. For convenience, the ports connected are referred to as east and west ports.
  • Page 508 | Web Interface: To create an ERPS ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Add from the Action list. Enter a name and optional identifier for the ring. Click Apply.
  • Page 509 | Figure 291: Creating an ERPS Ring. To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list. Figure 292: Showing Configured ERPS Rings –...
  • Page 510 | ERPS Forced and Manual Operations: Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands. CLI References: ◆ "erps forced-switch" on page 1115...
  • Page 511: Table 32: ERPS Request/State Priority

    ...nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
  • Page 512 | ...under maintenance in order to avoid falling into the above mentioned unrecoverable situation. ■ Manual Switch – Blocks the specified ring port, in the absence of a failure or an FS command. ■ A ring with no request has a logical topology with the traffic...
  • Page 513 | A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
  • Page 514: Connectivity Fault Management

    Figure 293: Blocking an ERPS Ring Port. Connectivity Fault Management: Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
  • Page 515 | ◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
  • Page 516 | Basic Administration Protocols HAPTER Connectivity Fault Management Figure 295: Multiple CFM Maintenance Domains Customer MA Operator 1 MA Operator 2 MA Provider MA Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
  • Page 517 | Basic Administration Protocols HAPTER Connectivity Fault Management SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent.
  • Page 518 | Basic Administration Protocols HAPTER Connectivity Fault Management CLI R EFERENCES ◆ "CFM Commands" on page 1319 ARAMETERS These parameters are displayed: Global Configuration CFM Status – Enables CFM processing globally on the switch. ◆ (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
  • Page 519 | Basic Administration Protocols HAPTER Connectivity Fault Management Link Trace Cache Hold Time – The hold time for CFM link trace cache ◆ entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
  • Page 520: Configuring Global Settings For Cfm

    | Basic Administration Protocols HAPTER Connectivity Fault Management Cross Check MEP Unknown – Sends a trap if an unconfigured MEP ◆ comes up. A MEP Unknown trap is sent if cross-checking is enabled , and a CCM is received from a remote MEP that is not configured in the static list NTERFACE To configure global settings for CFM: Click Administration, CFM.
  • Page 521: Configuring Interfaces For Cfm

    | Basic Administration Protocols HAPTER Connectivity Fault Management CFM processes are enabled by default for all physical interfaces, both ports ONFIGURING and trunks. You can use the Administration > CFM (Configure Interface) NTERFACES FOR page to change these settings. CLI R EFERENCES "ethernet cfm port-enable"...
  • Page 522: Configuring Cfm Maintenance Domains

    | Basic Administration Protocols HAPTER Connectivity Fault Management CLI R EFERENCES ◆ "CFM Commands" on page 1319 OMMAND SAGE Configuring General Settings Where domains are nested, an upper-level hierarchical domain must ◆ have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
  • Page 523: Table 33: Remote Mep Priority Levels

    | Basic Administration Protocols HAPTER Connectivity Fault Management The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List. Configuring Fault Notification A fault alarm can generate an SNMP notification. It is issued when the ◆...
  • Page 524 | Basic Administration Protocols HAPTER Connectivity Fault Management ARAMETERS These parameters are displayed: Creating a Maintenance Domain MD Index – Domain index. (Range: 1-65535) ◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric ◆ characters) MD Level – Authorized maintenance level for this domain. ◆...
  • Page 525 | Basic Administration Protocols HAPTER Connectivity Fault Management Select Add from the Action list. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). Specify the manner in which MIPs can be created within each domain. Click Apply.
  • Page 526 | Basic Administration Protocols HAPTER Connectivity Fault Management To configure detailed settings for maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters. Click Apply Figure 300: Configuring Detailed Settings for Maintenance Domains Use the Administration >...
  • Page 527 | Basic Administration Protocols HAPTER Connectivity Fault Management Multiple domains at the same maintenance level cannot have an MA on ◆ the same VLAN (see "Configuring CFM Maintenance Domains" on page 521). Before removing an MA, first remove the MEPs assigned to it (see ◆...
  • Page 528 | Basic Administration Protocols HAPTER Connectivity Fault Management MIP Creation Type – Specifies the CFM protocol’s creation method for ◆ maintenance intermediate points (MIPs) in this MA: Default – MIPs can be created for this MA on any bridge port ■...
  • Page 529 | Basic Administration Protocols HAPTER Connectivity Fault Management AIS Transmit Level – Configure the AIS maintenance level in an MA. ◆ (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level AIS Suppress Alarm – Enables/disables suppression of the AIS. ◆...
  • Page 530 | Basic Administration Protocols HAPTER Connectivity Fault Management To show the configured maintenance associations: Click Administration, CFM. Select Configure MA from the Step list. Select Show from the Action list. Select an entry from the MD Index list. Figure 302: Showing Maintenance Associations To configure detailed settings for maintenance associations: Click Administration, CFM.
  • Page 531: Configuring Maintenance End Points

    | Basic Administration Protocols HAPTER Connectivity Fault Management Figure 303: Configuring Detailed Settings for Maintenance Associations Use the Administration > CFM (Configure MEP – Add) page to configure ONFIGURING Maintenance End Points (MEPs). MEPs, also called Domain Service Access AINTENANCE Points (DSAPs), must be configured at the domain boundary to provide OINTS management access for each maintenance association.
  • Page 532 | Basic Administration Protocols HAPTER Connectivity Fault Management and receives them from, the direction of the internal bridge relay mechanism. If the Up option is not selected, then the MEP is facing away from the switch, and transmits CFM messages towards, and receives them from, the direction of the physical medium.
  • Page 533 | Basic Administration Protocols HAPTER Connectivity Fault Management Figure 305: Showing Maintenance End Points Use the Administration > CFM (Configure Remote MEP – Add) page to ONFIGURING EMOTE specify remote maintenance end points (MEPs) set on other CFM-enabled AINTENANCE devices within a common MA. Remote MEPs can be added to a static list in OINTS this manner to verify that each entry has been properly configured and is operational.
  • Page 534: Configuring Remote Maintenance End Points

    | Basic Administration Protocols HAPTER Connectivity Fault Management MEP ID – Identifier for a maintenance end point which exists on ◆ another CFM-enabled device within the same MA. (Range: 1-8191) NTERFACE To configure a remote maintenance end point: Click Administration, CFM. Select Configure Remote MEP from the Step list.
  • Page 535 | Basic Administration Protocols HAPTER Connectivity Fault Management Use the Administration > CFM (Transmit Link Trace) page to transmit link RANSMITTING trace messages (LTMs). These messages can isolate connectivity faults by RACE ESSAGES tracing the path through a network to the designated target node (i.e., a remote maintenance end point).
  • Page 536: Transmitting Loop Back Messages

    | Basic Administration Protocols HAPTER Connectivity Fault Management MAC Address – MAC address of a remote MEP that is the target of ■ a link trace message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx TTL –...
  • Page 537 | Basic Administration Protocols HAPTER Connectivity Fault Management or initiation of connectivity. The receiving maintenance point should respond to the loop back message with a loopback reply. The point from which the loopback message is transmitted (i.e., a local ◆ DSAP) and the target maintenance point must be within the same MA.
  • Page 538: Transmitting Delay-Measure Requests

    | Basic Administration Protocols HAPTER Connectivity Fault Management Figure 309: Transmitting Loopback Messages Use the Administration > CFM (Transmit Delay Measure) page to send RANSMITTING periodic delay-measure requests to a specified MEP within a maintenance ELAY EASURE association. EQUESTS CLI R EFERENCES "ethernet cfm delay-measure two-way"...
  • Page 539 | Basic Administration Protocols HAPTER Connectivity Fault Management The MEP can also make two-way frame delay variation measurements ◆ based on its ability to calculate the difference between two subsequent two-way frame delay measurements. ARAMETERS These parameters are displayed: MD Index – Domain index. (Range: 1-65535) ◆...
  • Page 540: Displaying Local Meps

    | Basic Administration Protocols HAPTER Connectivity Fault Management Figure 310: Transmitting Delay-Measure Messages Use the Administration > CFM > Show Information (Show Local MEP) page ISPLAYING to show information for the MEPs configured on this device. OCAL CLI R EFERENCES "show ethernet cfm maintenance-points local"...
  • Page 541: Displaying Details For Local Meps

    | Basic Administration Protocols HAPTER Connectivity Fault Management MAC Address – MAC address of this MEP entry. ◆ NTERFACE To show information for the MEPs configured on this device: Click Administration, CFM. Select Show Information from the Step list. Select Show Local MEP from the Action list. Figure 311: Showing Information on Local MEPs Use the Administration >...
  • Page 542 | Basic Administration Protocols HAPTER Connectivity Fault Management CC Status – Shows if the MEP will generate CCM messages. ◆ MAC Address – MAC address of the local maintenance point. (If a CCM ◆ for the specified remote MEP has never been received or the local MEP record times out, the address will be set to the initial value of all Fs.) Defect Condition –...
  • Page 543: Displaying Local Mips

    Figure 312: Showing Detailed Information on Local MEPs. Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance...
  • Page 544: Displaying Remote Meps

    WEB INTERFACE: To show information for the MIPs discovered by the CFM protocol: Click Administration, CFM. Select Show Information from the Step list. Select Show Local MIP from the Action list. Figure 313: Showing Information on Local MIPs. Use the Administration >...
  • Page 545: Displaying Details For Remote Meps

    WEB INTERFACE: To show information for remote MEPs: Click Administration, CFM. Select Show Information from the Step list. Select Show Remote MEP from the Action list. Figure 314: Showing Information on Remote MEPs. Use the Administration >...
  • Page 546 | ◆ Age of Last CC Message – Length of time the last CCM message about this MEP has been in the CCM database. ◆ Frame Loss – Percentage of transmitted frames lost. CC Packet Statistics –...
  • Page 547: Displaying The Link Trace Cache

    Figure 315: Showing Detailed Information on Remote MEPs. Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.
  • Page 548 | ◆ Ingress Action – Action taken on the ingress port: ■ IngOk – The target data frame passed through to the MAC Relay Entity. ■ IngDown – The bridge port’s MAC_Operational parameter is false....
  • Page 549: Displaying Fault Notification Settings

    Figure 316: Showing the Link Trace Cache. Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator. CLI REFERENCES...
  • Page 550: Displaying Continuity Check Errors

    WEB INTERFACE: To show configuration settings for the fault notification generator: Click Administration, CFM. Select Show Information from the Step list. Select Show Fault Notification Generator from the Action list. Figure 317: Showing Settings for the Fault Notification Generator. Use the Administration >...
  • Page 551: Oam Configuration

    Basic Administration Protocols | OAM Configuration. ■ VIDs – MA x is associated with a specific VID list, an MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port.
  • Page 552: Table 35: Oam Operation State

    CLI REFERENCES: ◆ "OAM Commands" on page 1361. PARAMETERS: These parameters are displayed: ◆ Port – Port identifier. (Range: 1-28) ◆ Admin Status – Enables or disables OAM functions. (Default: Disabled) ◆ Operation State – Shows the operational state between the local and...
  • Page 553 | ◆ Critical Link Event – Controls reporting of critical link events to its OAM peer. ■ Dying Gasp – If an unrecoverable condition occurs, the local OAM entity (i.e., this switch) indicates this by immediately sending a trap message.
  • Page 554: Displaying Statistics For Oam Messages

    Click Apply. Figure 319: Enabling OAM for Local Ports. Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port. CLI R...
  • Page 555: Displaying The Oam Event Log

    WEB INTERFACE: To display statistics for OAM messages: Click Administration, OAM, Counters. Figure 320: Displaying Statistics for OAM Messages. Use the Administration > OAM > Event Log page to display link events for the selected port.
  • Page 556: Displaying The Status Of Remote Interfaces

    Figure 321: Displaying the OAM Event Log. Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices. CLI REFERENCES: ◆ "show efm oam status remote interface" on page 1372. PARAMETERS: These parameters are displayed: Port –...
  • Page 557: Configuring A Remote Loop Back Test

    WEB INTERFACE: To display information about attached OAM-enabled devices: Click Administration, OAM, Remote Interface. Figure 322: Displaying Status of Remote Interfaces. Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
  • Page 558: Table 36: Oam Operation State

    PARAMETERS: These parameters are displayed: Loopback Mode of Remote Device: ◆ Port – Port identifier. (Range: 1-28) ◆ Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test. Loopback Status –...
  • Page 559: Displaying Results Of Remote Loop Back Testing

    WEB INTERFACE: To initiate a loop back test to the peer device attached to the selected port: Click Administration, OAM, Remote Loop Back. Select Remote Loopback Test from the Action list. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
  • Page 560 | WEB INTERFACE: To display the results of remote loop back testing for each port for which this information is available: Click Administration, OAM, Remote Loop Back. Select Show Test Result from the Action list. Figure 324: Displaying the Results of Remote Loop Back Testing –...
  • Page 561: Ip Configuration

    This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 562 | IP Configuration | Using the Ping Function. COMMAND USAGE: ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten...
  • Page 563: Using The Trace Route Function

    IP Configuration | Using the Trace Route Function. Use the IP > General > Trace Route page to show the route packets take to the specified destination. CLI REFERENCES: ◆ "traceroute" on page 1400...
  • Page 564: Address Resolution Protocol

    IP Configuration | Address Resolution Protocol. Figure 326: Tracing the Route to a Network Device. The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
  • Page 565: Setting The Arp Timeout

    ...address and corresponding MAC address into its cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the switch will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request.
  • Page 566: Displaying Arp Entries

    IP Configuration | Setting the Switch’s IP Address (IP Version 4). Use the IP > ARP (Show Information) page to display dynamic entries in the ARP cache. The ARP cache contains entries for local interfaces, including subnet, host, and broadcast addresses.
  • Page 567: Configuring Ipv4 Interface Settings

    An IP default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. WEB INTERFACE: To configure an IPv4 default gateway for the switch: Click System, IP.
  • Page 568 | IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP/BOOTP responses can include the IP address, subnet mask, and default gateway.
  • Page 569 | Figure 330: Configuring a Static IPv4 Address. To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch: Click System, IP. Select Configure Interface from the Action list. Select Add Address from the Step list.
  • Page 570: Setting The Switch's Ip Address (Ip Version 6)

    IP Configuration | Setting the Switch’s IP Address (IP Version 6). Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
  • Page 571: Configuring The Ipv6 Default Gateway

    Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch. CLI REFERENCES: "ipv6 default-gateway" on page 1405 ◆...
  • Page 572 | ...link-local address, as well as an IPv6 global address if router advertisements are detected on the local interface. ◆ The option to explicitly enable IPv6 will also create a link-local address,...
  • Page 573 | ■ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented. ■ All devices on the same physical medium must use the same MTU in...
  • Page 574 | ◆ ND Reachable-Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. (Range: 0-3600000 milliseconds; Default: 30000 milliseconds) Restart DHCPv6 –...
  • Page 575 | WEB INTERFACE: To configure general IPv6 settings for the switch: Click IP, IPv6 Configuration. Select Configure Interface from the Action list. Specify the VLAN to configure, enable address auto-configuration, or enable IPv6 explicitly to automatically configure a link-local address and enable IPv6 on the selected interface.
  • Page 576: Configuring An Ipv6 Address

    Figure 335: Configuring RA Guard for an IPv6 Interface. Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network. CLI REFERENCES...
  • Page 577 | ■ You can also manually configure the global unicast address by entering the full address and prefix length. ◆ You can configure multiple IPv6 global unicast addresses per interface,...
  • Page 578 | ...in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address. For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A.
  • Page 579: Showing Ipv6 Addresses

    Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI REFERENCES: "show ipv6 interface" on page 1414 ◆...
  • Page 580: Showing The Ipv6 Neighbor Cache

    WEB INTERFACE: To show the configured IPv6 addresses: Click IP, IPv6 Configuration. Select Show IPv6 Address from the Action list. Select a VLAN from the list. Figure 337: Showing Configured IPv6 Addresses. Use the IP >...
  • Page 581: Showing Ipv6 Statistics

    Table 38: Show IPv6 Neighbors - display description (Continued). Field: State (continued). Description: ◆ Delay - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning.
  • Page 582: Table 39: Show Ipv6 Statistics - Display Description

    ◆ ICMPv6 – Internet Control Message Protocol for Version 6 addresses is a network layer protocol that transmits message packets to report errors in processing IPv6 packets. ICMP is therefore an integral part of the Internet Protocol.
  • Page 583 | Table 39: Show IPv6 Statistics - display description (Continued). Field: Delivers. Description: The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams.
  • Page 584 | Table 39: Show IPv6 Statistics - display description (Continued). Field: Destination Unreachable Messages. Description: The number of ICMP Destination Unreachable messages received by the interface. Field: Packet Too Big Messages. Description: The number of ICMP Packet Too Big messages received by the interface.
  • Page 585 | Table 39: Show IPv6 Statistics - display description (Continued). Field: Neighbor Solicit Messages. Description: The number of ICMP Neighbor Solicit messages sent by the interface. Field: Neighbor Advertisement Messages. Description: The number of ICMP Router Advertisement messages sent by the interface.
  • Page 586 | WEB INTERFACE: To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP. Figure 339: Showing IPv6 Statistics (IPv6). Figure 340: Showing IPv6 Statistics (ICMPv6) –...
  • Page 587: Showing The Mtu For Responding Destinations

    Figure 341: Showing IPv6 Statistics (UDP). Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 589: Ip Services

    This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping, which is included in this folder, see "IPv6 Source Guard" on page 404. This chapter provides information on the following IP services, including: ◆...
  • Page 590: Configuring A List Of Domain Names

    IP Services | Domain Name Service. PARAMETERS: These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 591 | ...through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers" on page 592).
  • Page 592: Configuring A List Of Name Servers

    Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI REFERENCES: "ip name-server" on page 1377 ◆...
  • Page 593: Configuring Static Dns Host To Address Entries

    Figure 347: Showing the List of Name Servers for DNS. Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
  • Page 594: Displaying The Dns Cache

    Figure 348: Configuring Static Entries in the DNS Table. To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 349: Showing Static Entries in the DNS Table. Use the IP Service >...
  • Page 595: Dynamic Host Configuration Protocol

    IP Services | Dynamic Host Configuration Protocol. ◆ Type – This field includes CNAME, which specifies the host address for the owner, and ALIAS, which specifies an alias. ◆ IP – The IP address associated with this record. ◆ TTL – The time to live reported by the name server....
  • Page 596: Configuring Dhcp Relay Option

    ◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature: ◆ Default – The default string is ES3528MV2. ◆ Text – A text string. (Range: 1-32 characters) ◆ Hex – A hexadecimal value. (Range: 1-64 characters)...
  • Page 597 | These fields identify the requesting device by indicating the interface through which the relay agent received the request. If DHCP relay is enabled, and this switch sees a DHCP client request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located.
  • Page 598 | ...the management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent’s address to the DHCP request packet, and then unicast it to the DHCP server. ■ If a DHCP relay server has been set on the switch, when the switch...
  • Page 599 | ■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch). ■ A DHCP relay server has been set on the switch, when the switch...
  • Page 600: Configuring The Pppoe Intermediate Agent

    IP Services | Configuring the PPPoE Intermediate Agent. ◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference. WEB INTERFACE: To configure DHCP relay service: Click IP Service, DHCP, Relay Option 82.
  • Page 601 | ◆ "show pppoe intermediate-agent info" on page 870. COMMAND USAGE: When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
  • Page 602: Configuring Pppoe Ia Interface Settings

    Figure 354: Configuring Global Settings for PPPoE Intermediate Agent. Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
  • Page 603 | ■ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server.
  • Page 604: Showing Pppoe Ia Statistics

    Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages. CLI REFERENCES: "clear pppoe intermediate-agent statistics" on page 869 ◆...
  • Page 605 | Figure 356: Showing PPPoE Intermediate Agent Statistics
  • Page 607: Multicast

    MULTICAST FILTERING: This chapter describes how to configure the following multicast services: ◆ IGMP Snooping – Configures snooping and query parameters. ◆ Filtering and Throttling IGMP Groups – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
  • Page 608: Layer 2 Igmp (Snooping And Query For Ipv4)

    Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Figure 357: Multicast Filtering Concept (Unicast Flow, Multicast Flow). This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop”...
  • Page 609 | ...network segments where no node has expressed interest in receiving a specific multicast service. For switches that do not support multicast routing, or where multicast routing is already enabled on other switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering.
  • Page 610: Configuring Igmp Snooping And Query Parameters

    Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 616).
  • Page 611 | Multicast routers use this information from IGMP snooping and query reports, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. PARAMETERS: These parameters are displayed: IGMP Snooping Status –...
  • Page 612 | ...multicast traffic will be flooded to all VLAN ports. If many ports have subscribed to different multicast groups, flooding may cause excessive packet loss on the link between the switch and the end host. Flooding may be disabled to avoid this, causing multicast traffic to be delivered only to those ports on which multicast group members have been learned.
  • Page 613 | ◆ Forwarding Priority – Assigns a CoS priority to all multicast traffic. (Range: 0-7, where 7 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
  • Page 614: Specifying Static Interfaces For A Multicast Router

    Figure 358: Configuring General Settings for IGMP Snooping. Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch.
  • Page 615 | ◆ Type – Shows if this entry is static or dynamic. ◆ Expire – Time until this dynamic entry expires. WEB INTERFACE: To specify a static interface attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router.
  • Page 616: Assigning Interfaces To Multicast Services

    To show all interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
  • Page 617 | ◆ Port or Trunk – Specifies the interface assigned to a multicast group. ◆ Multicast IP – The IP address for a specific multicast service. WEB INTERFACE: To statically assign an interface to a multicast service: Click Multicast, IGMP Snooping, IGMP Member.
  • Page 618: Setting Igmp Snooping Status Per Interface

    Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters"...
  • Page 619 | ◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when: Multicast forwarding is disabled on an interface.
  • Page 620 | If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period.
  • Page 621 | ...in report and leave messages sent upstream from the multicast router port. ◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports.
  • Page 622 | ◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as...
  • Page 623: Filtering Igmp Query Packets And Multicast Data

    To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface. Select Show VLAN Information from the Action list. Figure 365: Showing Interface Settings for IGMP Snooping. Use the Multicast >...
  • Page 624: Displaying Multicast Groups Discovered By Igmp Snooping

    Figure 366: Dropping IGMP Query or Multicast Data Packets. Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping....
  • Page 625: Displaying Igmp Snooping Statistics

    WEB INTERFACE: To show multicast groups learned through IGMP snooping: Click Multicast, IGMP Snooping, Forwarding Entry. Select the VLAN for which to display this information. Figure 367: Showing Multicast Groups Learned by IGMP Snooping. Use the Multicast >...
  • Page 626 | ◆ Specific Query Received – The number of specific queries received on this interface. ◆ Specific Query Sent – The number of specific queries sent from this interface. Number of Reports Sent –...
  • Page 627 | WEB INTERFACE: To display statistics for IGMP snooping query-related messages: Click Multicast, IGMP Snooping, Statistics. Select Show Query Statistics from the Action list. Select a VLAN. Figure 368: Displaying IGMP Snooping Statistics – Query. To display IGMP snooping protocol-related statistics for a VLAN: Click Multicast, IGMP Snooping, Statistics.
  • Page 628 | Figure 369: Displaying IGMP Snooping Statistics – VLAN. To display IGMP snooping protocol-related statistics for a port: Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port.
  • Page 629: Filtering And Throttling Igmp Groups

    Multicast Filtering | Filtering and Throttling IGMP Groups. In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 630: Configuring Igmp Filter Profiles

    Figure 371: Enabling IGMP Filtering and Throttling. Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
  • Page 631 | WEB INTERFACE: To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode. Click Apply.
  • Page 632: Configuring Igmp Filtering And Throttling For Interfaces

    Select the profile to configure, and add a multicast group address or range of addresses. Click Apply. Figure 374: Adding Multicast Groups to an IGMP Filtering Profile. To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter.
  • Page 633 | ...or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
  • Page 634: Mld Snooping (Snooping And Query For Ipv6)

    Multicast Filtering | MLD Snooping (Snooping and Query for IPv6). Figure 376: Configuring IGMP Filtering and Throttling Interface Settings. Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
  • Page 635 | Multicast Filtering HAPTER MLD Snooping (Snooping and Query for IPv6) An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.
  • Page 636: Setting Immediate Leave Status For Mld Snooping Per Interface

    Click Apply. Figure 377: Configuring General Settings for MLD Snooping. Setting Immediate Leave Status for MLD Snooping per Interface: Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN...
  • Page 637: Specifying Static Interfaces For An Ipv6 Multicast Router

    Figure 378: Configuring Immediate Leave for MLD Snooping. Specifying Static Interfaces for an IPv6 Multicast Router: Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch.
  • Page 638 | Figure 379: Configuring a Static Interface for an IPv6 Multicast Router. To show the static interfaces attached to a multicast router: Click Multicast, MLD Snooping, Multicast Router. Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 639: Assigning Interfaces To Ipv6 Multicast Services

    Assigning Interfaces to IPv6 Multicast Services: Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see "Configuring MLD Snooping and Query Parameters"...
  • Page 640 | Figure 382: Assigning an Interface to an IPv6 Multicast Service. To show the static interfaces assigned to an IPv6 multicast service: Click Multicast, MLD Snooping, MLD Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.
  • Page 641: Showing Mld Snooping Groups And Source List

    Figure 384: Showing Current Interfaces Assigned to an IPv6 Multicast Service. Showing MLD Snooping Groups and Source List: Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
  • Page 642: Multicast Vlan Registration For Ipv4

    Multicast Filtering | Multicast VLAN Registration for IPv4. ◆ Request List – Sources included on the router’s request list. ◆ Exclude List – Sources included on the router’s exclude list. Web Interface: To display known MLD multicast groups: Click Multicast, MLD Snooping, Group Information. Select the port or trunk, and then select a multicast service assigned to that interface.
  • Page 643: Configuring Mvr Global Settings

    Figure 386: MVR Concept (labels: Multicast Router, Satellite Services, Service Network, Multicast Server, Source Port, Layer 2 Switch, Receiver Ports, Set-top Box). Command Usage: General Configuration Guidelines for MVR: ◆ Enable MVR for a domain on the switch, and select the MVR VLAN (see "Configuring MVR Domain Settings"...
  • Page 644 | Parameters: These parameters are displayed: ◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
  • Page 645 | ◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds) ■ This parameter sets the general query interval at which active...
  • Page 646: Configuring Mvr Domain Settings

    Configuring MVR Domain Settings: Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider. CLI References: "MVR for IPv4"...
  • Page 647: Configuring Mvr Group Address Profiles

    Web Interface: To configure settings for an MVR domain: Click Multicast, MVR. Select Configure Domain from the Step list. Select a domain from the scroll-down list. Enable MVR for the selected domain, select the MVR VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
  • Page 648 | Parameters: These parameters are displayed: Configure Profile: ◆ Profile Name – The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters) ◆ Start IP Address – Starting IP address for an MVR multicast group...
  • Page 649 | To show the configured MVR group address profiles: Click Multicast, MVR. Select Configure Profile from the Step list. Select Show from the Action list. Figure 390: Displaying MVR Group Address Profiles. To assign an MVR group address profile to a domain: Click Multicast, MVR.
  • Page 650: Configuring Mvr Interface Status

    Figure 392: Showing the MVR Group Address Profiles Assigned to a Domain. Configuring MVR Interface Status: Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port.
  • Page 651 | remaining subscribers for that multicast group before removing the port from the group list. ■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
  • Page 652: Assigning Static Mvr Multicast Groups To Interfaces

    Web Interface: To configure interface settings for MVR: Click Multicast, MVR. Select Configure Interface from the Step list. Select Configure Port or Configure Trunk from the Action list. Select an MVR domain. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
  • Page 653 | ◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings. Parameters: These parameters are displayed: ◆ Domain ID – An independent multicast domain. (Range: 1-5) ◆ Interface – Port or trunk identifier. ◆ VLAN –...
  • Page 654: Displaying Mvr Receiver Groups

    Select an MVR domain. Select the port or trunk for which to display this information. Figure 395: Showing the Static MVR Groups Assigned to a Port. Displaying MVR Receiver Groups: Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups...
  • Page 655: Displaying Mvr Statistics

    Web Interface: To display the interfaces assigned to the MVR receiver groups: Click Multicast, MVR. Select Show Member from the Step list. Select an MVR domain. Figure 396: Displaying MVR Receiver Groups. Use the Multicast >...
  • Page 656 | ◆ General Query Sent – The number of general queries sent from this interface. ◆ Specific Query Received – The number of specific queries received on this interface. ◆ Specific Query Sent – The number of specific queries sent from this...
  • Page 657 | Web Interface: To display statistics for MVR query-related messages: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Query Statistics from the Action list. Select an MVR domain. Figure 397: Displaying MVR Statistics – Query –...
  • Page 658 | To display MVR protocol-related statistics for a VLAN: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR domain. Select a VLAN. Figure 398: Displaying MVR Statistics –...
  • Page 659: Multicast Vlan Registration For Ipv6

    Multicast Filtering | Multicast VLAN Registration for IPv6. To display MVR protocol-related statistics for a port: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR domain. Select a Port. Figure 399: Displaying MVR Statistics –...
  • Page 660: Configuring Mvr6 Global Settings

    For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see "Assigning Static MVR6 Multicast Groups to Interfaces"...
  • Page 661 | groups, and the number of times group-specific queries are sent to downstream receiver ports. ■ This parameter only takes effect when MVR6 proxy switching is enabled. ◆ Proxy Query Interval – Configures the interval at which the receiver...
  • Page 662: Configuring Mvr6 Domain Settings

    Figure 400: Configuring Global Settings for MVR6. Configuring MVR6 Domain Settings: Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
  • Page 663: Configuring Mvr6 Group Address Profiles

    ◆ Upstream Source IPv6 – The source IPv6 address assigned to all MVR6 control packets sent upstream on the specified domain. This parameter must be a full IPv6 address including the network prefix and host address bits.
  • Page 664 | Command Usage: ◆ Use the Configure Profile page to statically configure all multicast group addresses that will join the MVR6 VLAN. Any multicast data associated with an MVR6 group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
  • Page 665 | Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts. Click Apply. Figure 402: Configuring an MVR6 Group Address Profile. To show the configured MVR6 group address profiles: Click Multicast, MVR6.
  • Page 666: Configuring Mvr6 Interface Status

    Figure 404: Assigning an MVR6 Group Address Profile to a Domain. To show the MVR6 group address profiles assigned to a domain: Click Multicast, MVR6. Select Associate Profile from the Step list. Select Show from the Action list.
  • Page 667 | Receiver ports should not be statically configured as a member of the MVR6 VLAN. If so configured, their MVR6 status will be inactive. Also, note that VLAN membership for MVR6 receiver ports cannot be set to access mode (see "Adding Static Members to VLANs"...
  • Page 668 | ◆ MVR6 Status – Shows the MVR6 status. MVR6 status for source ports is “Active” if MVR6 is globally enabled on the switch. MVR6 status for receiver ports is “Active” only if there are subscribers receiving multicast traffic from one of the MVR6 groups, or a multicast group has been statically assigned to an interface.
  • Page 669: Assigning Static Mvr6 Multicast Groups To Interfaces

    Assigning Static MVR6 Multicast Groups to Interfaces: Use the Multicast > MVR6 (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts. CLI References...
  • Page 670: Displaying Mvr6 Receiver Groups

    Figure 407: Assigning Static MVR6 Groups to a Port. To show the static MVR6 groups assigned to an interface: Click Multicast, MVR6. Select Configure Static Group Member from the Step list. Select Show from the Action list.
  • Page 671: Displaying Mvr6 Statistics

    ◆ VLAN – The VLAN through which the service is received. Note that this may be different from the MVR6 VLAN if the group address has been statically assigned. ◆ Port – Indicates the source address of the multicast service, or...
  • Page 672 | ◆ Port – Port identifier. (Range: 1-28) ◆ Trunk – Trunk identifier. (Range: 1-12) Query Statistics: ◆ Querier IPv6 Address – The IP address of the querier on this interface. ◆ Querier Expire Time – The time after which this querier is assumed to...
  • Page 673 | Output Statistics: ◆ Report – The number of MLD membership reports sent from this interface. ◆ Leave – The number of leave messages sent from this interface. ◆ G Query – The number of general query messages sent from this...
  • Page 674 | To display MVR6 protocol-related statistics for a VLAN: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR6 domain. Select a VLAN. Figure 411: Displaying MVR6 Statistics –...
  • Page 675 | To display MVR6 protocol-related statistics for a port: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR6 domain. Select a Port. Figure 412: Displaying MVR6 Statistics –...
  • Page 677: Command Line Interface

    Section | Command Line Interface: This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ "Using the Command Line Interface" on page 679 ◆ "General Commands" on page 691...
  • Page 678 | ◆ "Class of Service Commands" on page 1169 ◆ "Quality of Service Commands" on page 1183 ◆ "Multicast Filtering Commands" on page 1203 ◆ "LLDP Commands" on page 1295 ◆ "CFM Commands" on page 1319 ◆ "OAM Commands"...
  • Page 679: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification / Username: admin / Password: / CLI session with the ES3528MV2 is opened. To end the CLI session, enter [Exit]. / Console#...
  • Page 680: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin / Password: / CLI session with the ES3528MV2 is opened. To end the CLI session, enter [Exit]. / Vty-0#...
  • Page 681: Entering Commands

    Using the Command Line Interface | Entering Commands. You can open up to eight sessions to the device via Telnet or SSH. Entering Commands: This section describes how to enter CLI commands. Keywords and Arguments: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 682: Getting Help On Commands

    Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands: If you enter a “?”...
  • Page 683 | privilege – Shows current privilege level; process – Device process; protocol-vlan – Protocol-VLAN information; public-key – Public key information; Quality of Service; queue – Priority queue information; radius-server – RADIUS server information; reload – Shows the reload settings; rmon – Remote Monitoring Protocol; rspan...
  • Page 684: Partial Keyword Lookup

    Partial Keyword Lookup: If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example, “s?” shows all the keywords starting with “s.”...
  • Page 685: Exec Commands

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the ES3528MV2 is opened. To end the CLI session, enter [Exit]. Console# Username: guest Password: [guest login password] CLI session with the ES3528MV2 is opened.
  • Page 686: Configuration Commands

    Configuration Commands: Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
  • Page 687: Table 42: Configuration Command Modes

    To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure / Console(config)# To enter the other modes, at the configuration prompt type one of the...
  • Page 688: Command Line Processing

    Command Line Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 689: Cli Command Groups

    Using the Command Line Interface | CLI Command Groups. CLI Command Groups: The system commands can be broken down into the functional groups shown below. Table 44: Command Group Index (Command Group / Description / Page): General – Basic commands for entering privileged access mode, restarting the system, or quitting the CLI; System Management – Display and setting of system information, basic modes...
  • Page 690 | Table 44: Command Group Index (Continued): ERPS – Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks (page 1093); VLANs – Configures VLAN settings, and defines port membership for VLAN groups (page 1125);...
  • Page 691: General Commands

    General Commands: The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 45: General Commands (Command / Function / Mode): prompt – Customizes the CLI prompt; reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval; enable – Activates privileged mode...
  • Page 692: Reload (Global Configuration)

    General Commands. Example: Console(config)#prompt RD2 / RD2(config)# reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 693 | Command Usage: ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 694: Quit

    Example: Console>enable / Password: [privileged level password] / Console# Related Commands: disable (696), enable password (810). quit: This command exits the configuration program. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The quit and exit commands can both exit the configuration program. Example: This example shows how to quit a CLI session: Console#quit...
  • Page 695: Configure

    Example: In this example, the show history command lists the contents of the command history buffer: Console#show history / Execution command history: 2 config / 1 show history / Configuration command history: 4 interface vlan 1 / 3 exit / 2 interface vlan 1 / 1 end / Console# The ! command repeats commands from the Execution command history...
  • Page 696: Disable

    disable: This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 697: Show Reload

    show reload: This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode: Privileged Exec. Example: Console#show reload / Reloading switch in time: 0 hours 29 minutes. / The switch will be rebooted at January 1 02:11:50 2001.
  • Page 698 | Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit / Console#exit / Press ENTER to start session / User Access Verification / Username:...
  • Page 699: Table 46: System Management Commands

    System Management Commands: The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 46: System Management Commands (Command Group / Function): Device Designation – Configures information that uniquely identifies this switch; Banner Information – Configures administrative contact, device identification and location...
  • Page 700: Table 48: Banner Commands

    System Management Commands | Banner Information. hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax: hostname name / no hostname. name - The name of this host. (Maximum length: 255 characters) Default Setting: None...
  • Page 701: Banner Configure

    If, for example, a mistake is made in the company name, it can be corrected with the banner configure company command. Example: Console(config)#banner configure / Company: Edge-Core Networks / Responsible department: R&D Dept / Name and telephone to Contact the management people / Manager1 name: Sr. Network Admin / phone number: 123-555-1212 / Manager2 name: Jr.
  • Page 702: Banner Configure Company

    Row: 7 / Rack: 29 / Shelf in this rack: 8 / Information about DC power supply. / Floor: 2 / Row: 7 / Rack: 25 / Electrical circuit: : ec-177743209-xb / Number of LP:12 / Position of the equipment in the MUX:1/23 / IP LAN:192.168.1.1 / Note: This is a random note about this managed switch and can contain miscellaneous information.
  • Page 703: Banner Configure Dc-Power-Info

    banner configure dc-power-info: This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id / no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 704: Banner Configure Equipment-Info

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 705: Banner Configure Equipment-Location

    Banner Information. Example: Console(config)#banner configure equipment-info manufacturer-id ES3528MV2 floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core / Console(config)# banner configure equipment-location: This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 706: Banner Configure Lp-Number

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 707: Banner Configure Manager-Info

    banner configure manager-info: This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] / no banner configure manager-info [name1 | name2 | name3]...
  • Page 708: Banner Configure Note

    Default Setting: None. Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 709: Table 49: System Status Commands

    R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis ES3528MV2 Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 710: Show Access-List Tcam-Utilization

    System Management Commands | System Status. Table 49: System Status Commands (Continued) (Command / Function / Mode): show watchdog – Shows if watchdog debugging is enabled; watchdog software – Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly. show access-list tcam-utilization: This command shows utilization parameters for TCAM (Ternary Content...
  • Page 711: Show Process Cpu

    Alarm Configuration / Rising Threshold : 90% / Falling Threshold : 70% / Console# Related Commands: memory (793). show process cpu: This command shows the CPU utilization parameters, alarm status, and alarm configuration. Command Mode: Normal Exec, Privileged Exec. Example: Console#show process cpu / CPU Utilization in the past 5 seconds : 18%...
  • Page 712: Interface Settings

    VLAN 1 name DefaultVlan media ethernet state active / spanning-tree mst configuration / interface ethernet 1/1 / switchport allowed vlan add 1 untagged / switchport native vlan 1 / switchport allowed vlan add 4094 tagged / interface vlan 1 / ip address dhcp / ip dhcp client class-id text Edge-Core...
  • Page 713: Show Startup-Config

    line console / line vty / Console# Related Commands: show startup-config (713). show startup-config: This command displays the configuration file stored in non-volatile memory that is used to start up the system. Command Mode: Privileged Exec. Command Usage: Use this command in conjunction with the show running-config...
  • Page 714: Show Tech-Support

    For a description of the items shown by this command, refer to "Displaying System Information" on page 117. Example: Console#show system / System Description : ES3528MV2 / System OID String : 1.3.6.1.4.1.259.10.1.22.101 / System Information / System Up Time : 0 days, 0 hours, 52 minutes, and 2.21 seconds...
  • Page 715: Show Users

    show users: Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 716: Show Watchdog

    Example: Console#show version / Unit 1 / Serial Number : V11149000072 / Hardware Version : R0C / EPLD Version : 0.00 / Number of Ports : 28 / Main Power Status : Up / Role : Master / Loader Version : 1.0.0.0 / Linux Kernel Version : 2.6.22.18 / Boot ROM Version...
  • Page 717: Frame Size

    System Management Commands | Frame Size. Frame Size: This section describes commands used to configure the Ethernet frame size on the switch. Table 50: Frame Size Commands (Command / Function / Mode): jumbo frame – Enables support for jumbo frames. jumbo frame: This command enables support for layer 2 jumbo frames for Gigabit Ethernet ports.
  • Page 718: File Management

    System Management Commands | File Management. File Management – Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 719: General Commands

    General Commands. boot system: This command specifies the file or image used to start up the system. Syntax: boot system {boot-rom | config | opcode}: filename. boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code.
  • Page 720: Copy

    | System Management Commands HAPTER File Management This command moves (upload/download) a code image or configuration file copy between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 721 | System Management Commands HAPTER File Management To replace the startup configuration, you must use startup-config as ◆ the destination. The Boot ROM and Loader cannot be uploaded or downloaded from the ◆ FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
  • Page 722 The following example shows how to copy the running configuration to a startup file.
    Console#copy running-config file
    destination file name: startup
    Write to FLASH Programming.
    \Write to FLASH finish.
    Success.
    Console#
    The following example shows how to download a configuration file:
    Console#copy tftp startup-config
    TFTP server ip address: 10.1.0.99
    Source configuration file name: startup.01...
  • Page 723: Delete

    This example shows how to copy an opcode file from an FTP server to the switch. As in the examples above, copy takes the source first and the destination second, so "copy ftp file" downloads from the FTP server into flash.
    Console#copy ftp file
    FTP server IP address: 169.254.1.11
    User[anonymous]: admin
    Password[]: *****
    Choose file type: 1. config: 2. opcode: 2
    Source file name: BLANC.BIX
    Destination file name: BLANC.BIX
    Console#
    delete: This command deletes a file or image.
  • Page 724: Dir

    RELATED COMMANDS: dir (724), delete public-key (844). dir: This command displays a list of files in flash memory. SYNTAX: dir {boot-rom: | config: | opcode:} [filename]. boot-rom - Boot ROM (or diagnostic) image file. config - Switch configuration file.
  • Page 725: Whichboot

    whichboot: This command displays which files were booted when the system powered up. SYNTAX: whichboot. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
  • Page 726: Upgrade Opcode Path

    ...stored on the TFTP server must be es3528mv2.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version. Note that TFTP provides no authentication or integrity protection for the transfer, so the server named in the upgrade path should only be reachable over a trusted management network.
  • Page 727: Upgrade Opcode Reload

    ◆ The name for the new image stored on the TFTP server must be es3528mv2.bix. However, note that the file name is not to be included in this command. ◆ When specifying a TFTP server, the following syntax must be used, ...
  • Page 728: Show Upgrade

    Status : Disabled
    Reload Status : Disabled
    Path File Name : es3528mv2.bix
    Console#
    Line. You can access the onboard configuration program by attaching a VT100-compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 729: Line

    Table 53: Line Commands (Continued) (Command / Function / Mode). silent-time: Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. speed: Sets the terminal baud rate...
  • Page 730: Databits

    databits: This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. SYNTAX: databits {7 | 8}; no databits. 7 - Seven data bits per character.
  • Page 731: Login

    COMMAND USAGE: ◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. ◆ This command applies to both the local console and Telnet connections. ◆ ...
  • Page 732: Parity

    ◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers. EXAMPLE:
    Console(config-line)#login local
    Console(config-line)#
    RELATED COMMANDS...
  • Page 733: Password

    password: This command specifies the password for a line. Use the no form to remove the password. SYNTAX: password {0 | 7} password; no password. {0 | 7} - 0 means plain password, 7 means encrypted password. password - Character string that specifies the line password.
  • Page 734: Password-Thresh

    password-thresh: This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value. SYNTAX: password-thresh [threshold]; no password-thresh. threshold - The number of allowed password attempts. (Range: 1-120;...
  • Page 735: Speed

    COMMAND MODE: Line Configuration. EXAMPLE: To set the silent time to 60 seconds, enter this command:
    Console(config-line)#silent-time 60
    Console(config-line)#
    RELATED COMMANDS: password-thresh (734). speed: This command sets the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
  • Page 736: Stopbits

    stopbits: This command sets the number of stop bits transmitted per byte. Use the no form to restore the default setting. SYNTAX: stopbits {1 | 2}; no stopbits. 1 - One stop bit. 2 - Two stop bits. DEFAULT SETTING...
  • Page 737: Disconnect

    EXAMPLE: To set the timeout to two minutes, enter this command:
    Console(config-line)#timeout login response 120
    Console(config-line)#
    disconnect: This command terminates an SSH, Telnet, or console connection. SYNTAX: disconnect session-id. session-id - The session identifier for an SSH, Telnet or console connection.
  • Page 738: Show Line

    length - The number of lines displayed on the screen. (Range: 0-512, where 0 means not to pause) terminal-type - The type of terminal emulation used: ansi-bbs - ANSI-BBS; vt-100 - VT-100; vt-102 - VT-102. width - The number of character columns displayed on the terminal.
  • Page 739: Event Logging

    History Size : 10
    Escape Character (ASCII number) : 27
    Terminal Type : VT100
    Console Configuration:
    Password Threshold : 3 times
    EXEC Timeout : 600 seconds
    Login Timeout : 300 seconds
    Silent Time : Disabled
    Baud Rate : 115200
    Data Bits...
  • Page 740: Logging History

    COMMAND MODE: Global Configuration. COMMAND USAGE: The command specifies the facility type tag sent in syslog messages (see RFC 3164). This type has no effect on the kind of messages reported by the switch.
  • Page 741: Logging Host

    DEFAULT SETTING: Flash: errors (level 3 - 0); RAM: debugging (level 7 - 0). COMMAND MODE: Global Configuration. COMMAND USAGE: The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. EXAMPLE:
    Console(config)#logging history ram 0
    Console(config)#...
  • Page 742: Logging Trap

    DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
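
Added example, not part of the Edge-Core manual: a collector-side Python check that decodes the RFC 3164 PRI field (facility * 8 + severity) from messages the switch would emit, and applies the level rule that logging history and logging trap share, where a configured level N admits severities N through 0. The sample lines are constructed for this example (the facility value 23 and the message texts are assumptions, not captured switch output), and history_levels_valid encodes the manual's rule that the flash level must be numerically lower than the RAM level.

```python
import re
from typing import List, Tuple

# Severity names as the switch's logging commands use them (0 = highest priority).
SEVERITIES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Constructed sample lines, not captured from a device. PRI = facility*8 + severity;
# facility 23 (local7) and the message texts are assumptions for this example.
SAMPLE_LINES = [
    "<187>Jan  1 00:00:01 10.1.0.1 System: Login failed for user admin from 10.1.0.55",  # 23*8+3 errors
    "<188>Jan  1 00:00:02 10.1.0.1 STA: Topology change on VLAN 1",                     # 23*8+4 warnings
    "<190>Jan  1 00:00:03 10.1.0.1 Unit 1, Port 3 link-up",                             # 23*8+6 informational
    "<191>Jan  1 00:00:04 10.1.0.1 SNMP: get-request from 10.1.0.99",                   # 23*8+7 debugging
]

_PRI = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from an RFC 3164 line; reject a malformed PRI."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix: %r" % line[:20])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def admits(level: int, severity: int) -> bool:
    """A configured level N admits severities N through 0 (numerically lower = more severe)."""
    return severity <= level


def forwarded(lines: List[str], trap_level: int) -> List[str]:
    """Emulate 'logging trap <level>': the lines that would reach a syslog server."""
    return [ln for ln in lines if admits(trap_level, decode_pri(ln)[1])]


def history_levels_valid(flash_level: int, ram_level: int) -> bool:
    """The manual's rule for 'logging history': the flash level must be a higher
    priority (numerically lower) than the RAM level, e.g. the defaults flash=3, ram=7."""
    return 0 <= flash_level < ram_level <= 7


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        fac, sev = decode_pri(ln)
        print("facility", fac, "severity", sev, SEVERITIES[sev])
    print(len(forwarded(SAMPLE_LINES, 4)), "of", len(SAMPLE_LINES), "lines forwarded at logging trap 4")
    print("defaults valid:", history_levels_valid(3, 7))
```

With logging trap 4 only the errors and warnings lines are forwarded; the link-up and SNMP debug lines stay on the switch, which is the trade-off to weigh when deciding what a SIEM needs to see from the management plane.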
  • Page 743: Clear Log

    EXAMPLE:
    Console(config)#logging trap 4
    Console(config)#
    clear log: This command clears messages from the log buffer. SYNTAX: clear log [flash | ram]. flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 744: Show Logging

    COMMAND USAGE: ◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface). ◆ All log messages are retained in Flash and purged from RAM after a ...
  • Page 745: Table 56: Show Logging Flash/Ram - Display Description

    History Logging in Flash : Level Errors (3)
    Console#
    Table 56: show logging flash/ram - display description (Field / Description). Syslog Logging: Shows if system logging has been enabled via the logging on command. History Logging in Flash: The message level(s) reported based on the logging history...
  • Page 746: Table 58: Event Logging Commands

    SMTP Alerts. These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 58: Event Logging Commands (Command / Function / Mode). logging sendmail: Enables SMTP event handling. logging sendmail host: SMTP servers to receive alert messages. logging sendmail level...
  • Page 747: Logging Sendmail Level

    COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. ◆ To send email alerts, the switch first opens a connection, sends all the ...
  • Page 748: Logging Sendmail Destination-Email

    EXAMPLE: This example will send email alerts for system errors from level 3 through 0.
    Console(config)#logging sendmail level 3
    Console(config)#
    logging sendmail destination-email: This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
  • Page 749: Table 59: Time Commands

    COMMAND USAGE: You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. EXAMPLE:
    Console(config)#logging sendmail source-email bill@this-company.com
    Console(config)#
    show logging sendmail: This command displays the settings for the SMTP event handler. COMMAND MODE...
  • Page 750: Sntp Commands

    Table 59: Time Commands (Continued) (Command / Function / Mode). NTP Commands: ntp authenticate - Enables authentication for NTP traffic; ntp authentication-key - Configures authentication keys; ntp client - Enables the NTP client for time updates from specified servers; ntp server - Specifies NTP servers to poll for time updates; show ntp...
  • Page 751: Sntp Poll

    EXAMPLE:
    Console(config)#sntp server 10.1.0.19
    Console(config)#sntp poll 60
    Console(config)#sntp client
    Console(config)#end
    Console#show sntp
    Current Time: Dec 23 02:52:44 2002
    Poll Interval: 60
    Current Mode: Unicast
    SNTP Status : Enabled
    SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
    Current Server: 137.92.140.80
    Console#
    RELATED COMMANDS...
  • Page 752: Sntp Server

    sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 753: Ntp Commands

    EXAMPLE:
    Console#show sntp
    Current Time : Nov 5 18:51:22 2006
    Poll Interval : 16 seconds
    Current Mode : Unicast
    SNTP Status : Enabled
    SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
    Current Server : 137.92.140.80
    Console#
    NTP Commands. ntp authenticate: This command enables authentication for NTP client-server...
  • Page 754: Ntp Client

    md5 - Specifies that authentication is provided by using the message digest algorithm 5. key - An MD5 authentication key string. The key string can be up to 32 case-sensitive printable ASCII characters (no spaces). DEFAULT SETTING: None...
  • Page 755: Ntp Server

    COMMAND USAGE: ◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command. ◆ The time acquired from time servers is used to record accurate dates...
  • Page 756: Show Ntp

    ◆ NTP authentication is optional. If enabled with the ntp authenticate command, you must also configure at least one key number using the ntp authentication-key command. ◆ Use the no form of this command without an argument to clear all...
  • Page 757: Manual Configuration Commands

    Manual Configuration Commands. clock summer-time (date): This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time. SYNTAX: clock summer-time name date b-date b-month b-year b-hour b-minute e-date e-month e-year e-hour e-minute [offset]...
  • Page 758: Clock Summertime (Predefined)

    ◆ This command sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone (that is, the offset).
  • Page 759: Table 60: Predefined Summer-Time Parameters

    Table 60: Predefined Summer-Time Parameters (Region / Start Time, Day, Week & Month / End Time, Day, Week & Month / Rel. Offset). Australia / 00:00:00, Sunday, Week 5 of October / 23:59:59, Sunday, Week 5 of March / 60 min. Europe / 00:00:00, Sunday, ... / 23:59:59, Sunday, ...
  • Page 760: Clock Timezone

    e-day - The day of the week summer time will end. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday) e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december) e-hour - The hour when summer time will end.
  • Page 761: Calendar Set

    hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC) minutes - Number of minutes before/after UTC. (Range: 0-59 minutes) before-utc - Sets the local time zone before (east) of UTC. after-utc - Sets the local time zone after (west) of UTC.
  • Page 762: Table 61: Time Range Commands

    COMMAND MODE: Privileged Exec. COMMAND USAGE: Note that when SNTP is enabled, the system clock cannot be manually configured. EXAMPLE: This example shows how to set the system clock to 15:12:34, February 1st, 2011.
    Console#calendar set 15:12:34 1 February 2011
    Console#
    This command displays the system clock.
  • Page 763: Time-Range

    time-range: This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. SYNTAX: [no] time-range name. name - Name of the time range. (Range: 1-16 characters) DEFAULT SETTING: None...
  • Page 764: Periodic

    COMMAND MODE: Time Range Configuration. COMMAND USAGE: ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
  • Page 765: Show Time-Range

    DEFAULT SETTING: None. COMMAND MODE: Time Range Configuration. COMMAND USAGE: ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
  • Page 766: Switch Clustering

    Switch Clustering. Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 767: Cluster

    cluster: This command enables clustering on the switch. Use the no form to disable clustering. SYNTAX: [no] cluster. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ To create a switch cluster, first be sure that clustering is enabled on the...
  • Page 768: Cluster Ip-Pool

    COMMAND USAGE: ◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These "Candidate" switches only become cluster Members when manually selected by the administrator through the management station.
  • Page 769: Cluster Member

    cluster member: This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. SYNTAX: cluster member mac-address mac-address id member-id; no cluster member id member-id. mac-address - The MAC address of the Candidate switch.
  • Page 770: Show Cluster

    EXAMPLE:
    Console#rcommand id 1
    CLI session with the ES3528MV2 is opened.
    To end the CLI session, enter [Exit].
    Vty-0#
    show cluster: This command shows the switch clustering configuration. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show cluster...
  • Page 771: Show Cluster Candidates

    show cluster candidates: This command shows the discovered Candidate switches in the network. COMMAND MODE: Privileged Exec. EXAMPLE:
    Console#show cluster candidates
    Cluster Candidates:
    Role            MAC Address        Description
    --------------- ----------------- ----------------------------------------
    Active member   00-E0-0C-00-00-FE  ES3528MV2
    CANDIDATE       00-12-CF-0B-47-A0  ES3528MV2
    Console#
  • Page 773: Snmp Commands

    SNMP Commands. SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 774 Table 63: SNMP Commands (Continued) (Command / Function / Mode). show snmp view: Shows the SNMP views. Notification Log Commands: nlm: Enables the specified notification log. snmp-server notify-filter: Creates a notification log and specifies the target host (GC). show nlm oper-status: Shows operation status of configured notification logs (PE). show snmp notify-filter: Displays the configured notification logs...
  • Page 775: General Snmp Commands

    General SNMP Commands. Table 63: SNMP Commands (Continued) (Command / Function / Mode). Additional Trap Commands: memory: Sets the rising and falling threshold for the memory utilization alarm. process cpu: Sets the rising and falling threshold for the CPU utilization alarm. show memory: Shows memory utilization parameters...
  • Page 776: Snmp-Server Contact

    DEFAULT SETTING: ◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects. ◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. These two strings are the well-known factory defaults; remove or replace them before the switch is reachable from any network where SNMP access is not intended. COMMAND MODE: Global Configuration. EXAMPLE...
  • Page 777: Show Snmp

    DEFAULT SETTING: None. COMMAND MODE: Global Configuration. EXAMPLE:
    Console(config)#snmp-server location WC-19
    Console(config)#
    RELATED COMMANDS: snmp-server contact (776). show snmp: This command can be used to check the status of SNMP communications. DEFAULT SETTING: None. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND...
  • Page 778: Snmp Target Host Commands

    0 SNMP packets output
    0 Too big errors
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
    SNMP Logging: Disabled
    Console#
    SNMP Target Host Commands. snmp-server enable traps: This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications).
  • Page 779: Snmp-Server Host

    ...send notifications, you must configure at least one snmp-server host command. ◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.
  • Page 780 ...privacy. See "Simple Network Management Protocol" on page 446 for further information about these authentication and encryption options. port - Host UDP port to use. (Range: 1-65535; Default: 162) DEFAULT SETTING: Host Address: None; Notification Type: Traps; SNMP Version: 1; UDP Port: 162...
  • Page 781: Snmp-Server Enable Port-Traps Mac-Notification

    To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 775). 2. Create a local SNMPv3 user to use in the message exchange process (page 785). 3. Create a view with the required notification messages (page 786)....
  • Page 782: Show Snmp-Server Enable Port-Traps

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#snmp-server enable port-traps mac-notification
    Console(config)#
    show snmp-server enable port-traps: This command shows if SNMP traps are enabled or disabled for the specified interfaces. SYNTAX: show snmp-server enable port-traps interface [interface]. interface ethernet unit/port. unit - Unit identifier.
  • Page 783 DEFAULT SETTING: A unique engine ID is automatically generated by the switch based on its MAC address. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ An SNMP engine is an independent SNMP agent that resides either on...
  • Page 784: Snmp-Server Group

    snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. SYNTAX: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]; no snmp-server group groupname. groupname - Name of an SNMP group.
  • Page 785: Snmp-Server User

    EXAMPLE:
    Console(config)#snmp-server group r&d v3 auth write daily
    Console(config)#
    snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
  • Page 786: Snmp-Server View

    ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. ◆ The SNMP engine ID is used to compute the authentication/privacy...
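
Added example, not from the manual: how an SNMPv3 user's password becomes the engine-bound key from which the authentication and privacy digests mentioned above are computed, following RFC 3414 (password expansion to Ku, localization Kul = H(Ku || engineID || Ku), then the truncated HMAC used as the message authenticator). The password and the first engine ID are the RFC 3414 Appendix A test vector; the second engine ID is an arbitrary constructed value standing in for a switch whose engine ID was changed. The practical consequence for the switch is that an snmp-server user entry is bound to the engine ID in force when it is created, so the engine ID should be fixed first and users re-created if it changes.

```python
import hashlib
import hmac

# Constructed inputs (not from the manual). PASSWORD and ENGINE_ID_A are the
# RFC 3414 Appendix A test vector; ENGINE_ID_B is an arbitrary second engine ID.
PASSWORD = b"maplesyrup"
ENGINE_ID_A = bytes.fromhex("000000000000000000000002")
ENGINE_ID_B = bytes.fromhex("800000020300e00c0000fe")


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(first 1,048,576 bytes of the password repeated)."""
    total = 1024 * 1024
    stream = (password * (total // len(password) + 2))[:total]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). The engine ID is mixed in,
    so the same password yields a different key on every engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Password to engine-bound key in one step (md5 -> 16 bytes, sha1 -> 20 bytes)."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_tag(kul: bytes, message: bytes, algo: str = "md5") -> bytes:
    """usmHMAC{MD5,SHA}AuthProtocol: HMAC over the whole message (with
    msgAuthenticationParameters zeroed by the sender), truncated to 12 bytes."""
    return hmac.new(kul, message, algo).digest()[:12]


if __name__ == "__main__":
    for eid in (ENGINE_ID_A, ENGINE_ID_B):
        print(eid.hex(), "->", localized_key(PASSWORD, eid, "sha1").hex())
    # A constructed placeholder message; a real SNMPv3 PDU would be BER-encoded.
    print("authenticator:", auth_tag(localized_key(PASSWORD, ENGINE_ID_A), b"example-msg").hex())
```

The expansion to 1 MiB is the only work factor in this derivation, so a short or guessable password remains weak regardless of the engine ID; the localization step limits the damage of a leaked Kul to one engine, it does not strengthen the password.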
  • Page 787: Show Snmp Engine-Id

    COMMAND USAGE: ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. ◆ The predefined view "defaultview" includes access to the entire MIB tree. EXAMPLES: This view includes MIB-2.
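
Added example, not from the manual: the access decision a view produces, so that a view assembled from snmp-server view entries with included and excluded subtrees can be checked offline before it is bound to a group. The views and OIDs below are constructed for this example; "mib2-noip" is an assumed custom view, not one the manual defines. The decision rule is the RFC 3415 (VACM) one with family masks left out, which matches the subtree-only syntax the manual presents: of all configured subtrees that are a prefix of the requested OID, the longest one decides, and an OID that matches no subtree is denied.

```python
from typing import Dict, List, Optional, Tuple

# Constructed views (not from the manual), written as "snmp-server view <name>
# <oid-tree> {included | excluded}" entries would be. "defaultview" is the
# predefined full-tree view; "mib2-noip" is an assumed custom view that grants
# MIB-2 but carves out the ip group (1.3.6.1.2.1.4), e.g. to hide routing tables.
VIEWS: Dict[str, List[Tuple[str, str]]] = {
    "defaultview": [("1", "included")],
    "mib2-noip": [
        ("1.3.6.1.2.1", "included"),
        ("1.3.6.1.2.1.4", "excluded"),
    ],
}


def _oid(s: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in s.strip(".").split("."))


def view_allows(view: List[Tuple[str, str]], oid: str) -> bool:
    """VACM decision for a view without family masks: the longest subtree that is
    a prefix of the OID decides; no matching subtree means the OID is not visible."""
    target = _oid(oid)
    best: Optional[Tuple[Tuple[int, ...], str]] = None
    for subtree, vtype in view:
        prefix = _oid(subtree)
        is_prefix = target[: len(prefix)] == prefix
        if is_prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, vtype)
    return best is not None and best[1] == "included"


def check_access(view_name: str, oids: List[str]) -> Dict[str, bool]:
    """Evaluate a list of OIDs against a named view; useful as a pre-deployment check."""
    return {oid: view_allows(VIEWS[view_name], oid) for oid in oids}


if __name__ == "__main__":
    probes = [
        "1.3.6.1.2.1.1.1.0",      # sysDescr.0, inside MIB-2
        "1.3.6.1.2.1.4.20.1.1",   # ipAdEntAddr, inside the excluded ip group
        "1.3.6.1.4.1.259",        # an enterprise subtree, outside MIB-2
    ]
    for name in VIEWS:
        print(name, check_access(name, probes))
```

Because the longest prefix wins, the order in which the entries were typed does not matter, and an excluded subtree nested under an included one is the idiomatic way to express least privilege in a view.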
  • Page 788: Show Snmp Group

    Table 64: show snmp engine-id - display description (Continued) (Field / Description). Remote SNMP engineID: String identifying an engine ID on a remote device. IP address: IP address of the device containing the corresponding remote SNMP engine.
  • Page 789: Show Snmp User

    Table 65: show snmp group - display description (Field / Description). groupname: Name of an SNMP group. security model: The SNMP version. readview: The associated read view. writeview: The associated write view. notifyview: The associated notify view. storage-type: The storage type for this entry.
  • Page 790: Show Snmp View

    show snmp view: This command shows information on the SNMP views. COMMAND MODE: Privileged Exec. EXAMPLE:
    Console#show snmp view
    View Name: mib-2
    Subtree OID: 1.2.2.3.6.2.1
    View Type: included
    Storage Type: permanent
    Row Status: active
    View Name: defaultview
    Subtree OID: 1
    View Type: included...
  • Page 791: Snmp-Server Notify-Filter

    ◆ Disabling logging with this command does not delete the entries stored in the notification log. EXAMPLE: This example enables the notification log A1.
    Console(config)#nlm A1
    Console(config)#
    snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 792: Show Nlm Oper-Status

    ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and the nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can be logged.
  • Page 793: Show Snmp Notify-Filter

    show snmp notify-filter: This command displays the configured notification logs. COMMAND MODE: Privileged Exec. EXAMPLE: This example displays the configured notification logs and associated target hosts.
    Console#show snmp notify-filter
    Filter profile name          IP address
    ---------------------------- ----------------
    10.1.19.23...
  • Page 794: Process Cpu

    process cpu: This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. SYNTAX: process cpu {rising rising-threshold | falling falling-threshold}; no process cpu {rising | falling}. rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
  • Page 795: Remote Monitoring Commands

    Remote Monitoring Commands. Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 796: Rmon Alarm

    rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. SYNTAX: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]; no rmon alarm index. index -...
  • Page 797: Rmon Event

    ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
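
Added example, not from the manual: a model of the rising/falling hysteresis just described, for both absolute and delta sampling, so a planned rmon alarm can be replayed against a series of counter readings to see which events would fire and, just as importantly, which repeated crossings stay silent. Thresholds, event indices and the readings are constructed values; the semantics follow the text above and RFC 2819.

```python
from typing import List, Optional


class RmonAlarm:
    """Model of one 'rmon alarm' entry: a rising and a falling threshold with the
    RMON hysteresis rule, sampling the variable as absolute values or as deltas."""

    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 rising_event: int = 1, falling_event: int = 2):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if rising <= falling:
            raise ValueError("rising threshold must be greater than falling threshold")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type
        self.rising_event, self.falling_event = rising_event, falling_event
        self.prev_raw: Optional[int] = None    # last raw reading, for delta sampling
        self.last_value: Optional[int] = None  # last sampled value, for edge detection
        # After a rising event no further rising event fires until a falling event
        # has occurred (value fell below rising and reached falling), and vice versa.
        self.rising_armed = True
        self.falling_armed = True

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading of the monitored variable; return the event index fired, or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:
                self.prev_raw = raw
                return None                  # a delta needs two raw readings
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw
        fired = None
        crossed_up = self.last_value is None or self.last_value < self.rising
        crossed_down = self.last_value is None or self.last_value > self.falling
        if value >= self.rising and self.rising_armed and crossed_up:
            fired = self.rising_event
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling and self.falling_armed and crossed_down:
            fired = self.falling_event
            self.falling_armed, self.rising_armed = False, True
        self.last_value = value
        return fired


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Replay a series of readings and return the event index fired at each step."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings: the value crosses the rising threshold twice in a row
    # without first reaching the falling threshold, so the second crossing is silent.
    absolute = RmonAlarm(rising=80, falling=20)
    print(run_alarm(absolute, [50, 85, 90, 50, 85, 15, 85, 10, 10]))
    # Delta sampling: the first reading only seeds the counter.
    delta = RmonAlarm(rising=100, falling=10, sample_type="delta")
    print(run_alarm(delta, [0, 50, 200, 210, 215, 400]))
```

The silent fifth sample in the absolute run is the behaviour to design around: an alarm that is meant to catch every burst needs a falling threshold the variable will actually drop back to between bursts, otherwise only the first burst is ever reported.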
  • Page 798: Rmon Collection History

    ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. EXAMPLE:
    Console(config)#rmon event 2 log description urgent owner mike
    Console(config)#
    rmon collection history: This command periodically samples statistics on a physical interface.
  • Page 799: Rmon Collection Rmon1

    ...the show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
  • Page 800: Show Rmon Alarms

    EXAMPLE:
    Console(config)#interface ethernet 1/1
    Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike
    Console(config-if)#
    show rmon alarms: This command shows the settings for all configured alarms. COMMAND MODE: Privileged Exec. EXAMPLE:
    Console#show rmon alarms
    Alarm 1 is valid, owned by
    Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
    Taking delta samples, last value was 0
    Rising threshold is 892800, assigned to event 0...
  • Page 801: Show Rmon Statistics

    0 undersized and 0 oversized packets,
    0 fragments and 0 jabbers packets,
    0 CRC alignment errors and 0 collisions.
    # of dropped packet events is 0
    Network utilization is estimated at 0
    show rmon statistics: This command shows the information collected for all configured entries in the statistics group.
  • Page 803: Flow Sampling Commands

    Flow Sampling Commands. Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 804 timeout-value - The length of time the sFlow interface is available to send samples to a receiver, after which the owner and associated polling and sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector.
  • Page 805: Sflow Polling Instance

    This example shows how to modify the sFlow port number for an already configured collector.
    Console(config)#sflow owner stat_server1 timeout 100 port 35100
    Console(config)#
    sflow polling instance: This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval.
  • Page 806: Sflow Sampling Instance

    sflow sampling instance: This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch's sFlow configuration.
  • Page 807: Show Sflow

    show sflow: This command shows the global and interface settings for the sFlow process. SYNTAX: show sflow [owner owner-name | interface interface]. owner-name - The associated receiver, to which the samples are sent. (Range: 1-30 alphanumeric characters) interface ethernet unit/port. unit - Stack unit.
  • Page 809: Authentication Commands

    Authentication Commands. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 810: User Accounts And Privilege Levels

    User Accounts and Privilege Levels. The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 728), user authentication via a remote authentication server (page...
  • Page 811: Username

    ◆ The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
  • Page 812: Privilege

    Command Usage: The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/TFTP server.
  • Page 813: Show Privilege

    Example: This example sets the privilege level for the ping command to Privileged Exec. Console(config)#privilege exec level 15 ping Console(config)# show privilege: This command shows the privilege level for the current user, or the privilege level for commands modified by the privilege command.
  • Page 814: Authentication Enable

    authentication enable: This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command. Use the no form to restore the default. Syntax: authentication enable {[local] [radius] [tacacs]} no authentication enable...
  • Page 815: Authentication Login

    authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax: authentication login {[local] [radius] [tacacs]} no authentication login local - Use local password. radius - Use RADIUS server password. tacacs - Use TACACS server password.
  • Page 816: Radius Client

    RADIUS Client: Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
  • Page 817: Radius-Server Auth-Port

    radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. Syntax: radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
  • Page 818: Radius-Server Key

    Default Setting: auth-port - 1812 acct-port - 1813 timeout - 5 seconds retransmit - 2 Command Mode: Global Configuration Example: Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green Console(config)# radius-server key: This command sets the RADIUS encryption key. Use the no form to restore the default.
  • Page 819: Radius-Server Timeout

    Default Setting: Command Mode: Global Configuration Example: Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout: This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax: radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a...
  • Page 820: Tacacs+ Client

    Retransmit Times : Request Timeout : Server 1: Server IP Address : 192.168.1.1 Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times : Request Timeout : RADIUS Server Group: Group Name Member Index ------------------------- ------------- radius Console# TACACS+ Client...
  • Page 821: Tacacs-Server Key

    key - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server.
  • Page 822: Tacacs-Server Port

    tacacs-server port: This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax: tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
  • Page 823: Tacacs-Server Timeout

    tacacs-server timeout: This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax: tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 824: Table 76: Aaa Commands

    The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 76: AAA Commands (Command / Function / Mode)...
  • Page 825: Aaa Accounting Dot1X

    group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters) Default Setting: Accounting is not enabled...
  • Page 826: Aaa Accounting Exec

    group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 827: Aaa Accounting Update

    group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 828: Aaa Authorization Exec

    ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting. Example: Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec: This command enables authorization for Exec access. Use the no form to disable the authorization service.
  • Page 829: Aaa Group Server

    aaa group server: Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax: [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
  • Page 830: Accounting Dot1X

    Example: Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x: This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax: accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the accounting dot1x...
  • Page 831: Accounting Exec

    Command Mode: Line Configuration Example: Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# accounting exec: This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. Syntax: accounting exec {default | list-name} no accounting exec...
  • Page 832: Show Accounting

    Default Setting: None Command Mode: Line Configuration Example: Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting: This command displays the current accounting settings per function and per port. Syntax: show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics] commands - Displays command accounting information.
  • Page 833: Table 77: Web Server Commands

    Interface : Eth 1/1 Method List : tps Group List : radius Interface : Eth 1/2 Accounting Type : EXEC Method List : default Group List : tacacs+ Interface : vty Console# Web Server: This section describes commands used to configure web browser management access to the switch.
  • Page 834: Ip Http Server

    Related Commands: ip http server (834) show system (713) ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax: [no] ip http server Default Setting:...
  • Page 835: Ip Http Secure-Server

    Example: Console(config)#ip http secure-port 1000 Console(config)# Related Commands: ip http secure-server (835) show system (713) ip http secure-server: This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
  • Page 836: Table 78: Https System Support

    The following web browsers and operating systems currently support HTTPS: Table 78: HTTPS System Support (Web Browser / Operating System): Internet Explorer 6.x or later / Windows 98, Windows NT (with service pack 6a), Windows 2000, XP, Vista, 7, 8; Mozilla Firefox 4 or later / Windows 2000, XP, Vista, 7, 8, Linux; Google Chrome 29 or later...
  • Page 837: Ip Telnet Max-Sessions

    ip telnet max-sessions: This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting. Syntax: ip telnet max-sessions session-count no ip telnet max-sessions session-count - The maximum number of allowed Telnet sessions.
  • Page 838: Table 80: Secure Shell Commands

    ip telnet server: This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax: [no] ip telnet server Default Setting: Enabled Command Mode: Global Configuration Example: Console(config)#ip telnet server Console(config)#...
  • Page 839: Secure Shell

    Table 80: Secure Shell Commands (Continued) (Command / Function / Mode): ip ssh timeout - Specifies the authentication timeout for the SSH server; copy tftp public-key - Copies the user’s public key from a TFTP server to the switch; delete public-key - Deletes the public key for the specified user...
  • Page 840: Secure Shell

    Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch with the username command.)
  • Page 841: Ip Ssh Authentication-Retries

    If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 842: Ip Ssh Server

    Example: Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands: show ip ssh (846) ip ssh server: This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service. Syntax: [no] ip ssh server Default...
  • Page 843: Ip Ssh Server Key Size

    ip ssh server-key size: This command sets the SSH server key size. Use the no form to restore the default setting. Syntax: ip ssh server-key size key-size no ip ssh server-key size key-size – The size of the server key. (Range: 512-896 bits) Default Setting: 768 bits...
  • Page 844: Delete Public-Key

    Example: Console(config)#ip ssh timeout 60 Console(config)# Related Commands: exec-timeout (730) show ip ssh (846) delete public-key: This command deletes the specified user’s public key. Syntax: delete public-key username [dsa | rsa] username – Name of an SSH user. (Range: 1-8 characters) dsa –...
  • Page 845: Ip Ssh Crypto Zeroize

    ◆ This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory. ◆ Some SSH client programs automatically add the public key to the...
  • Page 846: Ip Ssh Save Host-Key

    Related Commands: ip ssh crypto host-key generate (844) ip ssh save host-key (846) no ip ssh server (842) ip ssh save host-key: This command saves the host key from RAM to flash memory. Syntax: ip ssh save host-key Default Setting:...
  • Page 847: Show Ssh

    Command Mode: Privileged Exec Command Usage: ◆ If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed. ◆ When an RSA key is displayed, the first field indicates the size of the...
  • Page 848: Table 81: Show Ssh - Display Description

    Table 81: show ssh - display description (Field / Description): Session - The session number. (Range: 0-3); Version - The Secure Shell version number; State - The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started); Username - The user name of the client. 802.1X Port Authentication: The switch supports IEEE 802.1X (dot1x) port-based access control that...
  • Page 849: General Commands

    Table 82: 802.1X Port Authentication Commands (Continued) (Command / Function / Mode): Supplicant Commands: dot1x identity profile - Configures dot1x supplicant user name and password (GC); dot1x max-start - Sets the maximum number of times that a port supplicant will send an EAP start frame to the client; dot1x pae supplicant - Enables dot1x supplicant mode on an interface...
  • Page 850: Dot1X System-Auth-Control

    ...other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network. ◆ When this device is functioning as an edge switch but does not require...
  • Page 851: Dot1X Max-Reauth-Req

    Default Setting: block-traffic Command Mode: Interface Configuration Command Usage: For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
  • Page 852: Dot1X Operation-Mode

    Default Setting: Command Mode: Interface Configuration Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x operation-mode: This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 853: Dot1X Port-Control

    Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10 Console(config-if)# dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax: dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto –...
  • Page 854: Dot1X Timeout Quiet-Period

    ...transparently by the dot1x client software. Only if re-authentication fails is the port blocked. ◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
  • Page 855: Dot1X Timeout Supp-Timeout

    Default Setting: 3600 seconds Command Mode: Interface Configuration Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout: This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.
  • Page 856: Dot1X Timeout Tx-Period

    dot1x timeout tx-period: This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax: dot1x timeout tx-period seconds no dot1x timeout tx-period...
  • Page 857: Supplicant Commands

    Supplicant Commands: dot1x identity profile: This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings. Syntax: dot1x identity profile {username username | password password} no dot1x identity profile {username | password} username - Specifies the supplicant user name.
  • Page 858: Dot1X Pae Supplicant

    Command Mode: Interface Configuration Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# dot1x pae supplicant: This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port. Syntax: [no] dot1x pae supplicant...
  • Page 859: Dot1X Timeout Auth-Period

    dot1x timeout auth-period: This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. Syntax: dot1x timeout auth-period seconds no dot1x timeout auth-period seconds - The number of seconds.
  • Page 860: Dot1X Timeout Start-Period

    dot1x timeout start-period: This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting. Syntax: dot1x timeout start-period seconds no dot1x timeout start-period seconds - The number of seconds.
  • Page 861: 802.1X Port Authentication

    ◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 857). ◆ 802.1X Port Summary – Displays the port access control parameters...
  • Page 862: X Port Authentication

    ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. ■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 863: Table 83: Management Ip Filter Commands

    Identifier(Server) : Reauthentication State Machine State : Initialize Console# Management IP Filter: This section describes commands used to configure IP management access to the switch. Table 83: Management IP Filter Commands (Command / Function / Mode): management - Configures IP addresses that are allowed management...
  • Page 864: Show Management

    ◆ IP address can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. ◆ When entering addresses for the same group (i.e., SNMP, web, or...
  • Page 865: Table 84: Pppoe Intermediate Agent Commands

    TELNET-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 Console# PPPoE Intermediate Agent: This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
  • Page 866: Pppoe Intermediate-Agent Format-Type

    Command Mode: Global Configuration Command Usage: ◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS). The switch extracts access-loop information from the client’s PPPoE Active Discovery Request, and forwards this information to all trusted ports designated by the...
  • Page 867: Pppoe Intermediate-Agent Port-Enable

    ...the source or destination MAC address of these PPPoE discovery packets. ◆ These messages are forwarded to all trusted ports designated by the pppoe intermediate-agent trust command. Example: Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong Console(config)# pppoe intermediate-agent port-enable: This command enables the PPPoE IA on an interface.
  • Page 868: Pppoe Intermediate-Agent Trust

    Default Setting: circuit-id: unit/port:vlan-id or 0/trunk-id:vlan-id remote-id: port MAC address Command Mode: Interface Configuration (Ethernet, Port Channel) Command Usage: ◆ The PPPoE server extracts the Line-Id tag from PPPoE discovery stage messages, and uses the Circuit-Id field of that tag as a NAS-Port-Id attribute in AAA access and accounting requests.
  • Page 869: Pppoe Intermediate-Agent Vendor-Tag Strip

    ◆ At least one trusted interface must be configured on the switch for the PPPoE IA to function. Example: Console(config)#int ethernet 1/5 Console(config-if)#pppoe intermediate-agent trust Console(config-if)# pppoe intermediate-agent vendor-tag strip: This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server.
  • Page 870: Show Pppoe Intermediate-Agent Info

    PPPoE Discover packet too large to process. Try reducing the number of tags added. Console#show pppoe intermediate-agent info interface ethernet 1/1 Interface PPPoE IA Trusted Vendor-Tag Strip Admin Circuit-ID Admin Remote-ID Oper Circuit-ID Oper Remote-ID --------- -------- ------- ---------------- ------------ ---------------- Eth 1/2 ECS4500-28 ES3528MV2 ECS4500-28 ES3528MV2 Console#...
  • Page 871: Show Pppoe Intermediate-Agent Statistics

    show pppoe intermediate-agent statistics: This command displays statistics for the PPPoE Intermediate Agent. Syntax: show pppoe intermediate-agent statistics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-12) Command Mode: Privileged Exec...
  • Page 872: PPPoE Intermediate Agent
  • Page 873: General Security Measures

    General Security Measures: This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
  • Page 874: Port Security

    Port Security: These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 875: Port Security

    ...traffic with source addresses stored in the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
  • Page 876: Port Security

    Command Mode: Interface Configuration (Ethernet) Command Usage: ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 877: Port Security Mac-Address-As-Permanent

    Related Commands: show interfaces status (987) shutdown (982) mac-address-table static (1060) port security mac-address-as-permanent: Use this command to save the MAC addresses that port security has learned as static entries. Syntax: port security mac-address-as-permanent [interface interface] interface - Specifies a port interface.
  • Page 878: Table 88: Show Port Security - Display Description

    Example: This example shows the port security settings and number of secure addresses for all ports. Console#show port security Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Port Summary Port Port Security Port Status Intrusion Action...
  • Page 879: Network Access (Mac Address Authentication)

    Current MAC Count : MAC Filter ID : Disabled Last Intrusion MAC : NA Last Time Detected Intrusion MAC : NA Console# This example shows information about a detected intrusion. Console#show port security interface ethernet 1/2 Global Port Security Parameters Secure MAC aging mode : Disabled Port Security Details...
  • Page 880: Network-Access Aging

    Table 89: Network Access Commands (Command / Function / Mode): network-access link-detection link-up - Configures the link detection feature to detect and act upon link-up events; network-access link-detection link-up-down - Configures the link detection feature to detect and act upon both link-up and link-down events; network-access...
  • Page 881: Network-Access Mac-Filter

    ...regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 852). ◆ The maximum number of secure MAC addresses supported for the switch system is 1024. Example: Console(config-if)#network-access aging Console(config-if)#...
  • Page 882: Mac-Authentication Reauth-Time

    mac-authentication reauth-time: Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value. Syntax: mac-authentication reauth-time seconds no mac-authentication reauth-time...
  • Page 883: Network-Access Dynamic-Vlan

    ...attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information: Table 90: Dynamic QoS Profiles (Profile / Attribute Syntax / Example): DiffServ / service-policy-in=policy-map-name / service-policy-in=p1; Rate Limit / rate-limit-input=rate / rate-limit-input=100 (Kbps); 802.1p...
  • Page 884: Network-Access Guest-Vlan

    Command Usage: ◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
  • Page 885: Network-Access Link-Detection

    Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access guest-vlan 25 Console(config-if)# network-access link-detection: Use this command to enable link detection for the selected port. Use the no form of this command to restore the default. Syntax: [no] network-access link-detection...
  • Page 886: Network-Access Link-Detection Link-Up

    Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-down action trap Console(config-if)# network-access link-detection link-up: Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 887: Network-Access Max-Mac-Count

    trap-and-shutdown - Issue SNMP trap message and disable the port. Default Setting: Disabled Command Mode: Interface Configuration Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up-down action trap Console(config-if)# network-access max-mac-count: Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication.
  • Page 888: Network-Access Mode Mac-Authentication

    network-access mode mac-authentication: Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication. Syntax: [no] network-access mode mac-authentication Default Setting: Disabled...
  • Page 889: Network-Access Port-Mac-Filter

    network-access port-mac-filter: Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter. Syntax: network-access port-mac-filter filter-id no network-access port-mac-filter filter-id - Specifies a MAC address filter table.
  • Page 890: Mac-Authentication Max-Mac-Count

    mac-authentication max-mac-count: Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default. Syntax: mac-authentication max-mac-count count no mac-authentication max-mac-count...
  • Page 891: Show Network-Access

    show network-access: Use this command to display the MAC authentication settings for port interfaces. Syntax: show network-access [interface interface] interface - Specifies a port interface. ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 892: Show Network-Access Mac-Address-Table

    | General Security Measures HAPTER Network Access (MAC Address Authentication) Use this command to display secure MAC address table entries. show network-access mac-address-table YNTAX show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}] static - Specifies static address entries. dynamic - Specifies dynamic address entries.
  • Page 893: Show Network-Access Mac-Filter

    | General Security Measures HAPTER Web Authentication Use this command to display information for entries in the MAC filter show tables. network-access mac-filter YNTAX show network-access mac-filter [filter-id] filter-id - Specifies a MAC address filter table. (Range: 1-64) EFAULT ETTING Displays all filters.
  • Page 894: Web-Auth Login-Attempts

    Table 91: Web Authentication (Continued). Command / Function / Mode: web-auth system-auth-control - Enables web authentication globally for the switch; web-auth - Enables web authentication for an interface; web-auth re-authenticate (Port) - Ends all web authentication sessions on the port and forces the users to re-authenticate; web-auth re-authenticate (IP)
  • Page 895: Web-Auth Quiet-Period

    web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default. SYNTAX web-auth quiet-period time no web-auth quiet-period...
  • Page 896: Web-Auth System-Auth-Control

    web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default. SYNTAX [no] web-auth system-auth-control DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
  • Page 897: Web-Auth Re-Authenticate (Port)

    web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. SYNTAX web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port unit - This is unit 1.
  • Page 898: Show Web-Auth

    show web-auth: This command displays global web authentication parameters. COMMAND MODE Privileged Exec EXAMPLE Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period : 60 Max Login Attempts Console# show web-auth: This command displays interface-specific web authentication parameters...
  • Page 899: Table 92: Dhcp Snooping Commands

    show web-auth summary: This command displays a summary of web authentication port parameters and statistics. COMMAND MODE Privileged Exec EXAMPLE Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------...
  • Page 900 Table 92: DHCP Snooping Commands (Continued). Command / Function / Mode: ip dhcp snooping database flash - Writes all dynamically learned snooping entries to flash memory; show ip dhcp snooping - Shows the DHCP snooping configuration settings; show ip dhcp snooping binding - Shows the DHCP snooping binding table entries...
  • Page 901 If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows: If the DHCP packet is a reply packet from a DHCP server...
  • Page 902: Ip Dhcp Snooping Information Option

    ip dhcp snooping information option: This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of sub-type and sub-length in CID/RID fields, or the no form with the remote-id keyword to set the remote ID to...
  • Page 903: Ip Dhcp Snooping Information Policy

    just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN. DHCP snooping must be enabled for the DHCP Option 82 information to...
  • Page 904: Ip Dhcp Snooping Limit Rate

    COMMAND USAGE When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch's relay information.
  • Page 905: Ip Dhcp Snooping Vlan

    COMMAND USAGE If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. EXAMPLE This example enables MAC address verification.
  • Page 906: Table 93: Option 82 Information

    EXAMPLE This example enables DHCP snooping for VLAN 1. Console(config)#ip dhcp snooping vlan 1 Console(config)# RELATED COMMANDS ip dhcp snooping (900) ip dhcp snooping trust (907) ip dhcp snooping: This command enables the use of the DHCP Option 82 information circuit-id suboption.
  • Page 907: Ip Dhcp Snooping Trust

    access node identifier - ASCII string. Default is the MAC address of the switch's CPU. This field is set by the ip dhcp snooping information option command. eth - The second field is the fixed string "eth"...
  • Page 908: Clear Ip Dhcp Snooping Binding

    configured for an interface with the no ip dhcp snooping trust command. When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. Additional considerations when the switch itself is a DHCP client –...
  • Page 909: Ip Dhcp Snooping Database Flash

    EXAMPLE Console(config)#clear ip dhcp snooping database flash Console(config)# ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory. COMMAND MODE Privileged Exec COMMAND USAGE This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 910: Table 94: Dhcp Snooping Commands

    show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries. COMMAND MODE Privileged Exec EXAMPLE Console#show ip dhcp snooping binding MAC Address IP Address Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- ------ 11-22-33-44-55-66 192.168.0.99 0 Dynamic-DHCPSNP 1 Eth 1/5...
  • Page 911: Ipv6 Dhcp Snooping

    ipv6 dhcp snooping: This command enables DHCPv6 snooping globally. Use the no form to restore the default setting. SYNTAX [no] ipv6 dhcp snooping DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Network traffic may be disrupted when malicious DHCPv6 messages are...
  • Page 912 Solicit: Add new entry in binding cache, recording client's DUID, IA type, IA ID (2 message exchanges to get IPv6 address with rapid commit option, otherwise 4 message exchanges), and forward to trusted port. Decline: If no matching entry is found in binding cache, drop...
  • Page 913: Ipv6 Dhcp Snooping Option Remote-Id

    EXAMPLE This example enables DHCPv6 snooping globally for the switch. Console(config)#ipv6 dhcp snooping Console(config)# RELATED COMMANDS ipv6 dhcp snooping vlan (915) ipv6 dhcp snooping trust (916) ipv6 dhcp snooping: This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
  • Page 914: Ipv6 Dhcp Snooping Option Remote-Id Policy

    either drop, keep or remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows: If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to settings specified with the ipv6 dhcp snooping option remote-id policy command.
  • Page 915: Ipv6 Dhcp Snooping Vlan

    COMMAND MODE Global Configuration COMMAND USAGE When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch's relay agent information.
  • Page 916: Ipv6 Dhcp Snooping Max-Binding

    When DHCPv6 snooping is enabled globally, and then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table. EXAMPLE This example enables DHCPv6 snooping for VLAN 1. Console(config)#ipv6 dhcp snooping vlan 1 Console(config)# RELATED...
  • Page 917: Clear Ipv6 Dhcp Snooping Binding

    COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
  • Page 918: Show Ipv6 Dhcp Snooping

    colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. COMMAND MODE Privileged Exec EXAMPLE Console(config)#clear ipv6 dhcp snooping binding 00-12-cf-01-02-03 2001::1 Console(config)# show ipv6 dhcp snooping: This command shows the DHCPv6 snooping configuration settings. COMMAND...
  • Page 919: Table 95: Ipv4 Source Guard Commands

    2001:b000::1 2591912 1 Eth 1/3 Console# show ipv6 dhcp snooping statistics: This command shows statistics for DHCPv6 snooping client, server and relay packets. COMMAND MODE Privileged Exec EXAMPLE Console#show ipv6 dhcp snooping statistics DHCPv6 Snooping Statistics: Client Packet: Solicit, Request, Confirm, Renew, Rebind, Decline, Release, Information-request...
  • Page 920: Ip Source-Guard Binding

    Table 95: IPv4 Source Guard Commands (Continued). Command / Function / Mode: show ip source-guard - Shows whether source guard is enabled or disabled on each interface; show ip source-guard binding - Shows the source guard binding table, PE, NE. This command adds a static address to the source-guard ACL or MAC...
  • Page 921: Ip Source-Guard

    Static bindings are processed as follows: If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type of static IP source guard binding.
  • Page 922 COMMAND USAGE Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
  • Page 923: Ip Source-Guard Max-Binding

    EXAMPLE This example enables IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# RELATED COMMANDS ip source-guard binding (920) ip dhcp snooping (900) ip dhcp snooping vlan (905) ip source-guard: This command sets the maximum number of entries that can be bound to an interface.
  • Page 924: Ip Source-Guard Mode

    ip source-guard mode: This command sets the source-guard learning mode to search for addresses in the ACL binding table or the MAC address binding table. Use the no form to restore the default setting. SYNTAX ip source-guard mode {acl | mac} no ip source-guard mode...
  • Page 925: Show Ip Source-Guard

    EXAMPLE This command clears the blocked record table. Console(config)#clear ip source-guard binding blocked Console(config)# show ip source-guard: This command shows whether source guard is enabled or disabled on each interface. COMMAND MODE Privileged Exec EXAMPLE Console#show ip source-guard ACL Table...
  • Page 926: Table 96: Ipv6 Source Guard Commands

    EXAMPLE Console#show ip source-guard binding MAC Address IP Address Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------- --------- --------- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console# IPv6 SOURCE GUARD IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is...
  • Page 927 interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) DEFAULT SETTING No configured entries COMMAND MODE Global Configuration COMMAND USAGE Table entries include an associated MAC address, IPv6 global unicast...
  • Page 928: Ipv6 Source-Guard

    RELATED COMMANDS ipv6 source-guard (928) ipv6 dhcp snooping (911) ipv6 dhcp snooping vlan (915) ipv6 source-guard: This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
  • Page 929: Ipv6 Source-Guard Max-Binding

    Filtering rules are implemented as follows: If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
  • Page 930: Show Ipv6 Source-Guard

    COMMAND USAGE This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping or DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
  • Page 931: Table 97: Arp Inspection Commands

    show ipv6 source-guard binding: This command shows the IPv6 source guard binding table. SYNTAX show ipv6 source-guard binding [dynamic | static] dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 910) static - Shows static entries configured with the...
  • Page 932: Ip Arp Inspection

    Table 97: ARP Inspection Commands (Continued). Command / Function / Mode: ip arp inspection limit - Sets a rate limit for the ARP packets received on a port; ip arp inspection trust - Sets a port as trusted, and thus exempted from ARP Inspection; show ip arp inspection - Displays the global configuration settings for ARP...
  • Page 933: Ip Arp Inspection Filter

    When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again. EXAMPLE Console(config)#ip arp inspection Console(config)# This command specifies an ARP ACL to apply to one or more VLANs.
  • Page 934: Ip Arp Inspection Log-Buffer Logs

    EXAMPLE Console(config)#ip arp inspection filter sales vlan 1 Console(config)# ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
  • Page 935: Ip Arp Inspection Validate

    EXAMPLE Console(config)#ip arp inspection log-buffer logs 1 interval 10 Console(config)# ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. SYNTAX ip arp inspection validate...
  • Page 936: Ip Arp Inspection Vlan

    ip arp inspection vlan: This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. SYNTAX [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID.
  • Page 937: Ip Arp Inspection Limit

    ip arp inspection limit: This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. SYNTAX ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second.
  • Page 938: Show Ip Arp Inspection Configuration

    EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection. COMMAND MODE Privileged Exec EXAMPLE Console#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval...
  • Page 939: Show Ip Arp Inspection Log

    show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components. COMMAND MODE Privileged Exec EXAMPLE Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 940: Table 98: Dos Protection Commands

    EXAMPLE Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# DENIAL OF SERVICE PROTECTION A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
  • Page 941: Dos-Protection Smurf

    DEFAULT SETTING Disabled, 1000 kbits/second COMMAND MODE Global Configuration EXAMPLE Console(config)#dos-protection echo-chargen 65 Console(config)# dos-protection smurf: This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
  • Page 942: Dos-Protection Tcp-Null-Scan

    COMMAND MODE Global Configuration EXAMPLE Console(config)#dos-protection tcp-flooding 65 Console(config)# dos-protection tcp-null-scan: This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.
  • Page 943: Dos-Protection Tcp-Xmas-Scan

    EXAMPLE Console(config)#dos-protection syn-fin-scan Console(config)# dos-protection tcp-xmas-scan: This command protects against DoS TCP-xmas-scan attacks in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
  • Page 944: Dos-Protection Win-Nuke

    EXAMPLE Console(config)#dos-protection udp-flooding 65 Console(config)# dos-protection win-nuke: This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a "Blue Screen of Death."...
  • Page 945: Table 99: Commands For Configuring Traffic Segmentation

    WinNuke Attack : Disabled, 1000 kilobits per second Console# PORT-BASED TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 946: Table 100: Traffic Segmentation Forwarding

    Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs. When traffic segmentation is enabled, the forwarding state for the...
  • Page 947: Traffic-Segmentation Uplink/Downlink

    DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Use this command to create a new traffic-segmentation client session. Using the no form of this command will remove any assigned uplink or...
  • Page 948: Traffic-Segmentation Uplink-To-Uplink

    When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field. A downlink port can only communicate with an uplink port in the same...
  • Page 949: Show Traffic-Segmentation

    show traffic-segmentation: This command displays the configured traffic segments. COMMAND MODE Privileged Exec EXAMPLE Console#show traffic-segmentation Private VLAN Status Enabled Uplink-to-Uplink Mode : Forwarding Session Uplink Ports Downlink Ports --------- ------------------------------ ----------------------------- Ethernet Ethernet Ethernet Ethernet...
  • Page 951: Table 101: Access Control List Commands

    ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 952: Access-List Ip

    Chapter | Access Control Lists: IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX [no] access-list ip {standard | extended} acl-name standard –...
  • Page 953 permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 954: Permit, Deny (Extended Ipv4 Acl)

    permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 955 control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. time-range-name - Name of the time range. (Range: 1-30 characters) DEFAULT SETTING...
  • Page 956: Ip Access-Group

    EXAMPLE This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 957: Show Ip Access-Group

    COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. EXAMPLE Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 958: Table 103: Ipv6 Acl Commands

    EXAMPLE Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# RELATED COMMANDS permit, deny (953) ip access-group (956) IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.
  • Page 959: Permit, Deny (Standard Ipv6 Acl)

    COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 960: Permit, Deny (Extended Ipv6 Acl)

    DEFAULT SETTING None COMMAND MODE Standard IPv6 ACL COMMAND USAGE New rules are appended to the end of the list. EXAMPLE This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 961 to indicate the appropriate number of zeros required to fill the undefined fields. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 962: Ipv6 Access-Group

    This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# RELATED COMMANDS access-list ipv6 (958) Time Range (762) ipv6 access-group: This command binds a port to an IPv6 ACL. Use the no form to remove the port.
  • Page 963: Show Ipv6 Access-Group

    show ipv6 access-group: This command shows the ports assigned to IPv6 ACLs. COMMAND MODE Privileged Exec EXAMPLE Console#show ipv6 access-group Interface ethernet 1/2 IPv6 standard access-list david in Console# RELATED COMMANDS ipv6 access-group (962) This command displays the rules for configured IPv6 ACLs.
  • Page 964: Table 104: Mac Acl Commands

    MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports.
  • Page 965 EXAMPLE Console(config)#access-list mac jerry Console(config-mac-acl)# RELATED COMMANDS permit, deny (965) mac access-group (968) show mac access-list (969) permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 966 {permit | deny} tagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]] {{ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask} {ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}} [protocol protocol]...
  • Page 967 no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name] no {permit | deny} untagged-802.3...
  • Page 968: Mac Access-Group

    | Access Control Lists HAPTER MAC ACLs EFAULT ETTING None OMMAND MAC ACL OMMAND SAGE New rules are added to the end of the list. ◆ The ethertype option can only be used to filter Ethernet II formatted ◆ packets. A detailed listing of Ethernet protocol types can be found in RFC 1060.
  • Page 969: Show Mac Access-Group

    | Access Control Lists HAPTER MAC ACLs OMMAND Interface Configuration (Ethernet) OMMAND SAGE If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. XAMPLE Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in...
  • Page 970: Table 105: Arp Acl Commands

    | Access Control Lists HAPTER ARP ACLs ELATED OMMANDS permit, deny (965) mac access-group (968) ARP ACL The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp...
  • Page 971 | Access Control Lists HAPTER ARP ACLs ELATED OMMANDS permit, deny (971) show access-list arp (972) This command adds a rule to an ARP ACL. The rule filters packets matching permit, deny a specified source or destination address in ARP messages. Use the no (ARP ACL) form to remove a rule.
  • Page 972: Show Access-List Arp

    | Access Control Lists HAPTER ARP ACLs XAMPLE This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# ELATED OMMANDS access-list arp (970) This command displays the rules for configured ARP ACLs.
  • Page 973: Table 106: Acl Information Commands

    | Access Control Lists HAPTER ACL Information ACL I NFORMATION This section describes commands used to display ACL information. Table 106: ACL Information Commands Command Function Mode clear access-list Clears hit counter for rules in all ACLs, or in a specified hardware counters ACL.
  • Page 974: Show Access-List

    | Access Control Lists CHAPTER ACL Information MAC access-list jerry Console# show access-list This command shows all ACLs and associated rules. SYNTAX show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]] arp –...
  • Page 975: Table 107: Interface Commands

    INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 107: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode alias Configures an alias name for the interface...
  • Page 976: Interface Configuration

    | Interface Commands CHAPTER Interface Configuration Table 107: Interface Commands (Continued) Command Function Mode transceiver-threshold temperature Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message transceiver-threshold tx-power Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message...
  • Page 977: Alias

    | Interface Commands CHAPTER Interface Configuration EXAMPLE To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# alias This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX alias string no alias string - A mnemonic name to help you remember what is attached to this interface.
  • Page 978: Description

    | Interface Commands CHAPTER Interface Configuration 10full - Supports 10 Mbps full-duplex operation 10half - Supports 10 Mbps half-duplex operation flowcontrol - Supports flow control DEFAULT SETTING 100BASE-TX: 10half, 10full, 100half, 100full 1000BASE-T: 10half, 10full, 100half, 100full, 1000full 1000BASE-SX/LX/LH (SFP): 1000full COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND...
  • Page 979: Discard

    | Interface Commands CHAPTER Interface Configuration DEFAULT SETTING None COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 980: Flowcontrol

    | Interface Commands CHAPTER Interface Configuration flowcontrol This command enables flow control. Use the no form to disable flow control. SYNTAX [no] flowcontrol DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 981: Media-Type

    | Interface Commands CHAPTER Interface Configuration media-type This command forces the port type selected for combination ports. Use the no form to restore the default mode. SYNTAX media-type mode no media-type mode copper-forced - Always uses the built-in RJ-45 port. sfp-forced - Always uses the SFP port (even if module not installed).
  • Page 982: Shutdown

    | Interface Commands CHAPTER Interface Configuration COMMAND USAGE ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. ◆ When auto-negotiation is enabled the switch will negotiate the best...
  • Page 983: Speed-Duplex

    | Interface Commands CHAPTER Interface Configuration speed-duplex This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. SYNTAX speed-duplex {1000full | 100full | 100half | 10full | 10half} no speed-duplex 1000full - Forces 1000 Mbps full-duplex operation 100full - Forces 100 Mbps full-duplex operation...
  • Page 984: Clear Counters

    | Interface Commands CHAPTER Interface Configuration RELATED COMMANDS negotiation (981) capabilities (977) clear counters This command clears statistics on an interface. SYNTAX clear counters interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-12) DEFAULT SETTING...
  • Page 985: Show Interfaces Brief

    | Interface Commands CHAPTER Interface Configuration EXAMPLE In this example, “Default” means that the packets are not discarded. Console#show discard Port PVST -------- ------- ------- Eth 1/ 1 Default Default Eth 1/ 2 Default Default Eth 1/ 3 Default Default Eth 1/ 4 Default Default Eth 1/ 5 Default Default Eth 1/ 6 Default Default...
  • Page 986: Interface Commands

    | Interface Commands CHAPTER Interface Configuration COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" on page 160.
  • Page 987: Show Interfaces Status

    | Interface Commands CHAPTER Interface Configuration ===== Port Utilization ===== 111 Octets Input in kbits per second 0 Packets Input per second 0.00 % Input Utilization 606 Octets Output in kbits per second 1 Packets Output per second 0.00 % Output Utilization Console# This command displays the status for an interface.
  • Page 988: Show Interfaces Switchport

    | Interface Commands CHAPTER Interface Configuration MAC Learning : Enabled Media Type : None Current Status: Link Status : Up Port Operation Status : Up Operation Speed-duplex : 100full Up Time : 0w 0d 3h 18m 18s (11898 seconds) Flow Control Type : None Max Frame Size : 1518 bytes (1522 bytes for tagged frames)
  • Page 989: Transceiver Threshold Configuration

    | Interface Commands CHAPTER Transceiver Threshold Configuration 802.1Q Tunnel Mode : Normal 802.1Q Tunnel TPID : 8100 (Hex) Layer 2 Protocol Tunnel : None Console# Table 108: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page...
  • Page 990: Transceiver-Monitor

    | Interface Commands CHAPTER Transceiver Threshold Configuration DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet) EXAMPLE Console(config)interface ethernet 1/25 Console(config-if)#transceiver-threshold-auto Console# transceiver-monitor This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
  • Page 991 | Interface Commands CHAPTER Transceiver Threshold Configuration DEFAULT SETTING High Alarm: 100 mA High Warning: 90 mA Low Warning: 7 mA Low Alarm: 6 mA COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ If trap messages are enabled with the transceiver-monitor command,...
  • Page 992 | Interface Commands CHAPTER Transceiver Threshold Configuration transceiver-threshold rx-power This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message. SYNTAX transceiver-threshold rx-power {high-alarm | high-warning | low-alarm | low-warning} threshold-value high-alarm –...
  • Page 993: Transceiver-Threshold Temperature

    | Interface Commands CHAPTER Transceiver Threshold Configuration transceiver-threshold temperature This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message. SYNTAX transceiver-threshold temperature {high-alarm | high-warning | low-alarm | low-warning} threshold-value high-alarm –...
  • Page 994: Transceiver-Threshold Tx-Power

    | Interface Commands CHAPTER Transceiver Threshold Configuration transceiver-threshold tx-power This command sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message. SYNTAX transceiver-threshold tx-power {high-alarm | high-warning | low-alarm | low-warning} threshold-value high-alarm –...
  • Page 995: Transceiver-Threshold Voltage

    | Interface Commands CHAPTER Transceiver Threshold Configuration transceiver-threshold voltage This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message. SYNTAX transceiver-threshold voltage {high-alarm | high-warning | low-alarm | low-warning} threshold-value high-alarm –...
  • Page 996: Show Interfaces Transceiver

    | Interface Commands CHAPTER Transceiver Threshold Configuration show interfaces transceiver This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the temperature, voltage, bias current, transmit power, and receive power. SYNTAX show interfaces transceiver [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 997: Show Interfaces Transceiver-Threshold

    | Interface Commands CHAPTER Transceiver Threshold Configuration show interfaces transceiver-threshold This command displays the alarm/warning thresholds for temperature, voltage, bias current, transmit power, and receive power. SYNTAX show interfaces transceiver-threshold [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 998: Cable Diagnostics

    | Interface Commands CHAPTER Cable Diagnostics Cable Diagnostics test cable-diagnostics This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length. SYNTAX test cable-diagnostics interface interface interface ethernet unit/port unit - Unit identifier.
  • Page 999: Show Cable-Diagnostics

    | Interface Commands CHAPTER Cable Diagnostics EXAMPLE Console#test cable-diagnostics interface ethernet 1/24 Console#show cable-diagnostics interface ethernet 1/24 Port Type Link Status Pair A (meters) Pair B (meters) Last Update -------- ---- ----------- ---------------- ---------------- ----------------- Eth 1/25 OK (21) OK (21) 2009-11-13 09:44:19 Console# This command shows the results of a cable diagnostics test.
  • Page 1000: Power Savings

    | Interface Commands CHAPTER Power Savings Power Savings power-save This command enables power savings mode on the specified port. SYNTAX [no] power-save COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
  • Page 1001: Show Power-Save

    | Interface Commands CHAPTER Power Savings Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters. EXAMPLE Console(config)#interface ethernet 1/28 Console(config-if)#power-save...
  • Page 1002 | Interface Commands CHAPTER Power Savings...

This manual is also suitable for:

ES3528MV2-DC
