Sixnet EL 326 User Manual

Gigabit ethernet switch

EL 326 Gigabit Ethernet Switch
User Manual
July 28, 2011

Summary of Contents for Sixnet EL 326

  • Page 3 EL326 Gigabit Ethernet Switch: Layer 3 Switch with 20 10/100/1000BASE-T (RJ-45) Ports, 4 Gigabit Combination Ports (RJ-45/SFP), 2 10-Gigabit Extender Module Slots, and 2 Stacking Ports. EL326 E122010/ST-R03 149100000077A
  • Page 5: About This Guide

    About This Guide. Purpose: This guide gives specific information on how to operate and use the management functions of the switch. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 6 About This Guide. August 2010 Release: This is the second release of this guide. This guide is valid for software release v1.2.2.0. It includes information on the following changes to web pages or command line interface: Added information for stacking throughout the manual, including "Initial Switch Configuration"...
  • Page 7 About This Guide: Removed the Routing Protocol > OSPF > Information (Virtual Link) page. Added the command "switch all renumber" on page 650. Added the command "show access-list tcam-utilization" on page 651. Added an “interface” parameter to the command "show running-config" on page 652.
  • Page 8 About This Guide: Updated Command Usage section for the commands "ipv6 address" on page 1137 and "ipv6 address eui-64" on page 1138. Updated Table 157, "show ipv6 traffic - display description," on page 1147. Added the section "IPv6 to IPv4 Tunnels" on page 1158.
  • Page 9: Table Of Contents

    Contents: About This Guide Contents Figures Tables Section Getting Started Introduction Key Features Description of Software Features Configuration Backup and Restore Authentication Access Control Lists DHCP Port Configuration Rate Limiting Port Mirroring Port Trunking Broadcast Storm Control Static Addresses IP Address Filtering IEEE 802.1D Bridge Store-and-Forward Switching Spanning Tree Algorithm...
  • Page 10: Contents

    Contents: Address Resolution Protocol Multicast Filtering Multicast Routing System Defaults Initial Switch Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Stack Operations Selecting the Stack Master Selecting the Backup Unit Recovering from Stack Failure or Topology Change Renumbering the Stack Ensuring Consistent Code is Used Across the Stack Basic Configuration...
  • Page 11 Contents: Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting The Start-Up File Showing System Files Setting the System Clock Setting the Time Manually Configuring SNTP Specifying SNTP Time Servers Setting the Time Zone Console Port Settings Telnet Settings...
  • Page 12 Contents: VLAN Trunking 6 VLAN Configuration IEEE 802.1Q VLANs Configuring VLAN Groups Adding Static Members to VLANs Configuring Dynamic VLAN Registration Private VLANs Creating Private VLANs Associating Private VLANs Configuring Private VLAN Interfaces IEEE 802.1Q Tunneling Enabling QinQ Tunneling on the Switch Adding an Interface to a QinQ Tunnel Protocol VLANs Configuring Protocol VLAN Groups...
  • Page 13 Contents: Layer 2 Queue Settings Setting the Default Priority for Interfaces Selecting the Queue Mode Mapping CoS Values to Egress Queues Layer 3/4 Priority Settings Mapping DSCP Priority Mapping IP Precedence Mapping IP Port Priority 12 Quality of Service Overview Configuring a Class Map Creating QoS Policies...
  • Page 14 Contents: Replacing the Default Secure-site Certificate Configuring the Secure Shell Configuring the SSH Server Generating the Host Key Pair Importing User Public Keys Access Control Lists Setting A Time Range Showing TCAM Utilization Setting the ACL Name and Type Configuring a Standard IPv4 ACL Configuring an Extended IPv4 ACL Configuring a Standard IPv6 ACL Configuring an Extended IPv6 ACL...
  • Page 15 Contents: Displaying DHCP Snooping Binding Information 15 Basic Administration Protocols Configuring Event Logging System Log Configuration Remote Log Configuration Sending Simple Mail Transfer Protocol Alerts Link Layer Discovery Protocol Setting LLDP Timing Attributes Configuring LLDP Interface Attributes Displaying LLDP Local Device Information Displaying LLDP Remote Port Information Displaying Device Statistics Simple Network Management Protocol...
  • Page 16 Contents: Displaying Multicast Groups Discovered by IGMP Snooping Filtering and Throttling IGMP Groups Enabling IGMP Filtering and Throttling Configuring IGMP Filter Profiles Configuring IGMP Filtering and Throttling for Interfaces Layer 3 IGMP (Query used with Multicast Routing) Configuring IGMP Proxy Routing Configuring IGMP Interface Parameters Configuring Static IGMP Group Membership Displaying Multicast Group Information...
  • Page 17 Contents: Address Resolution Protocol Basic ARP Configuration Configuring Static ARP Addresses Displaying Dynamic or Local ARP Entries Displaying ARP Statistics Configuring Static Routes Displaying the Routing Table Equal-cost Multipath Routing 19 Configuring Router Redundancy Configuring VRRP Groups Displaying VRRP Global Statistics Displaying VRRP Group Statistics 20 IP Services...
  • Page 18 Contents: Specifying an Administrative Distance Configuring Network Interfaces for RIP Displaying RIP Interface Settings Displaying Peer Router Information Resetting RIP Statistics Configuring the Open Shortest Path First Protocol (Version 2) Defining Network Areas Based on Addresses Configuring General Protocol Settings Displaying Administrative Settings and Statistics Adding an NSSA or Stub Configuring NSSA Settings...
  • Page 19 Contents: Enabling PIM Globally Configuring PIM Interface Settings Displaying Neighbor Information Section Command Line Interface 23 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History...
  • Page 20 Contents: Device Designation hostname switch all renumber System Status show access-list tcam-utilization show memory show process cpu show running-config show startup-config show system show tech-support show users show version Frame Size jumbo frame Fan Control fan-speed force-full File Management boot system copy delete whichboot...
  • Page 21 Contents: show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time sntp client sntp poll...
  • Page 22 Contents: snmp-server enable traps snmp-server host snmp-server engine-id snmp-server group snmp-server user snmp-server view show snmp engine-id show snmp group show snmp user show snmp view snmp-server notify-filter show nlm oper-status show snmp notify-filter 27 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1...
  • Page 23 Contents: Authentication Sequence authentication enable authentication login RADIUS Client radius-server acct-port radius-server auth-port radius-server host radius-server key radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server tacacs-server host tacacs-server key tacacs-server port show tacacs-server aaa accounting commands aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec...
  • Page 24 Contents: ip telnet port ip telnet server show ip telnet Secure Shell ip ssh authentication-retries ip ssh server ip ssh server-key size ip ssh timeout delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh show public-key show ssh...
  • Page 25 Contents: port security Network Access (MAC Address Authentication) network-access aging network-access mac-filter mac-authentication reauth-time network-access dynamic-qos network-access dynamic-vlan network-access guest-vlan network-access link-detection network-access link-detection link-down network-access link-detection link-up network-access link-detection link-up-down network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count show network-access show network-access mac-address-table...
  • Page 26 Contents: ip dhcp snooping verify mac-address ip dhcp snooping vlan ip dhcp snooping trust clear ip dhcp snooping database flash show ip dhcp snooping show ip dhcp snooping binding IP Source Guard ip source-guard binding ip source-guard ip source-guard max-binding show ip source-guard show ip source-guard binding ARP Inspection...
  • Page 27 Contents: permit, deny (Extended IPv6 ACL) show ipv6 access-list ipv6 access-group show ipv6 access-group MAC ACLs access-list mac permit, deny (MAC ACL) mac access-group show mac access-group show mac access-list ARP ACLs access-list arp permit, deny (ARP ACL) show arp access-list ACL Information show access-group show access-list...
  • Page 28 Contents: show loop internal 33 Link Aggregation Commands channel-group lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel) show lacp 34 Port Mirroring Commands Local Port Mirroring Commands port monitor show port monitor 35 Rate Limit Commands rate-limit 36 A...
  • Page 29 Contents: mac-address-table static clear mac-address-table dynamic show mac-address-table show mac-address-table aging-time show mac-address-table count 38 Spanning Tree Commands spanning-tree spanning-tree forward-time spanning-tree hello-time spanning-tree max-age spanning-tree mode spanning-tree pathcost method spanning-tree priority spanning-tree mst configuration spanning-tree system-bpdu-flooding spanning-tree transmission-limit max-hops mst priority mst vlan name...
  • Page 30 Contents: spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration 39 VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp garp timer switchport forbidden vlan switchport gvrp show bridge-ext show garp timer show gvrp configuration Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan...
  • Page 31 Contents: private vlan association switchport mode private-vlan switchport private-vlan host-association switchport private-vlan mapping show vlan private-vlan Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group Configuring IP Subnet VLANs subnet-vlan show subnet-vlan Configuring MAC Based VLANs mac-vlan show mac-vlan...
  • Page 32 Contents: map ip port (Global Configuration) map ip precedence (Global Configuration) map ip dscp (Interface Configuration) map ip port (Interface Configuration) map ip precedence (Interface Configuration) show map ip dscp show map ip port show map ip precedence 41 Quality of Service Commands...
  • Page 33 Contents: ip igmp snooping vlan general-query-suppression 1013 ip igmp snooping vlan immediate-leave 1013 ip igmp snooping vlan last-memb-query-count 1014 ip igmp snooping vlan last-memb-query-intvl 1015 ip igmp snooping vlan mrd 1015 ip igmp snooping vlan proxy-address 1016 ip igmp snooping vlan query-interval 1017 ip igmp snooping vlan query-resp-intvl 1018...
  • Page 34 Contents: show mvr 1038 IGMP (Layer 3) 1040 ip igmp 1040 ip igmp last-member-query-interval 1041 ip igmp max-resp-interval 1042 ip igmp query-interval 1043 ip igmp robustval 1044 ip igmp static-group 1044 ip igmp version 1046 clear ip igmp group 1046 show ip igmp groups 1047 show ip igmp interface...
  • Page 35 Contents: lldp admin-status 1069 lldp basic-tlv management-ip-address 1070 lldp basic-tlv port-description 1071 lldp basic-tlv system-capabilities 1071 lldp basic-tlv system-description 1072 lldp basic-tlv system-name 1072 lldp dot1-tlv proto-ident 1073 lldp dot1-tlv proto-vid 1073 lldp dot1-tlv pvid 1074 lldp dot1-tlv vlan-name 1074 lldp dot3-tlv link-agg 1075 lldp dot3-tlv mac-phy...
  • Page 36 Contents: ip dhcp relay server 1096 ip dhcp restart relay 1097 DHCP Server 1098 ip dhcp excluded-address 1099 ip dhcp pool 1099 service dhcp 1100 bootfile 1100 client-identifier 1101 default-router 1102 dns-server 1102 domain-name 1103 hardware-address 1103 host 1104 lease 1105 netbios-name-server 1106...
  • Page 37 Contents: ip address 1122 ip default-gateway 1124 show ip interface 1125 traceroute 1125 ping 1126 ARP Configuration 1127 1128 arp timeout 1129 ip proxy-arp 1129 clear arp-cache 1130 show arp 1130 UDP Helper Configuration 1131 ip forward-protocol udp 1131 ip helper 1132 ip helper-address 1133...
  • Page 38 Contents: interface tunnel 1161 tunnel destination 1161 tunnel mode ipv6ip 1163 tunnel source vlan 1165 tunnel ttl 1165 show ipv6 tunnel 1166 48 IP Routing Commands 1169 Global Routing Configuration 1169 ip route 1170 maximum-paths 1171 show ip route 1171 show ip route database 1173...
  • Page 39 Contents: show ip rip 1194 Open Shortest Path First (OSPFv2) 1195 router ospf 1196 compatible rfc1583 1197 default-information originate 1198 router-id 1199 timers spf 1200 clear ip ospf process 1201 area default-cost 1201 area range 1202 auto-cost reference-bandwidth 1203 default-metric 1204 redistribute 1205...
  • Page 40 Contents: Open Shortest Path First (OSPFv3) 1236 router ipv6 ospf 1238 abr-type 1239 max-current-dd 1240 router-id 1241 timers spf 1242 area default-cost 1242 area range 1243 default-metric 1244 redistribute 1245 area stub 1246 area virtual-link 1247 ipv6 router ospf area 1249 ipv6 router ospf tag area 1250...
  • Page 41 Contents: PIM Multicast Routing 1273 IPv4 PIM Commands 1273 router pim 1274 ip pim 1275 ip pim hello-holdtime 1276 ip pim hello-interval 1277 ip pim join-prune-holdtime 1277 ip pim lan-prune-delay 1278 ip pim override-interval 1279 ip pim propagation-delay 1280 ip pim trigger-hello-delay 1280 show ip pim interface 1281...
  • Page 42 Contents: ipv6 pim max-graft-retries 1301 ipv6 pim override-interval 1302 ipv6 pim propagation-delay 1302 ipv6 pim state-refresh origination-interval 1303 ipv6 pim trigger-hello-delay 1304 show ipv6 pim interface 1305 show ipv6 pim neighbor 1305 Section Appendices 1307 Software Specifications 1309 Software Features 1309 Management Features 1311...
  • Page 43: Figures

    Figures: Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Manually Setting the System Clock...
  • Page 44 Figures: Figure 33: Configuring Static Trunks Figure 34: Creating Static Trunks Figure 35: Adding Static Trunks Members Figure 36: Configuring Connection Parameters for a Static Trunk Figure 37: Displaying Connection Parameters for Static Trunks Figure 38: Configuring Dynamic Trunks Figure 39: Configuring the LACP Aggregator Admin Key Figure 40: Enabling LACP on a Port Figure 41: Configuring LACP Parameters on a Port Figure 42: Showing Members of a Dynamic Trunk...
  • Page 45 Figures: Figure 69: Configuring Interfaces for Private VLANs Figure 70: QinQ Operational Concept Figure 71: Enabling QinQ Tunneling Figure 72: Adding an Interface to a QinQ Tunnel Figure 73: Configuring Protocol VLANs Figure 74: Displaying Protocol VLANs Figure 75: Assigning Interfaces to Protocol VLANs Figure 76: Showing the Interface to Protocol Group Mapping Figure 77: Configuring IP Subnet VLANs Figure 78: Showing IP Subnet VLANs...
  • Page 46 Figures: Figure 105: Displaying MSTP Interface Settings Figure 106: Configuring Rate Limits Figure 107: Configuring Storm Control Figure 108: Setting the Default Port Priority Figure 109: Setting the Queue Mode (Strict) Figure 110: Setting the Queue Mode (WRR) Figure 111: Setting the Queue Mode (Strict and WRR) Figure 112: Mapping CoS Values to Egress Queues Figure 113: Mapping IP DSCP Priority Values Figure 114: Mapping IP Precedence Priority Values...
  • Page 47 Figures: Figure 141: Displaying a Summary of Applied AAA Accounting Methods Figure 142: Displaying Statistics for AAA Accounting Sessions Figure 143: Configuring AAA Authorization Methods Figure 144: Showing AAA Authorization Methods Figure 145: Configuring AAA Authorization Methods for Exec Service Figure 146: Displaying the Applied AAA Authorization Method Figure 147: Configuring User Accounts Figure 148: Showing User Accounts...
  • Page 48 Figures: Figure 177: Binding a Port to an ACL Figure 178: Configuring Global Settings for ARP Inspection Figure 179: Configuring VLAN Settings for ARP Inspection Figure 180: Configuring Interface Settings for ARP Inspection Figure 181: Displaying Statistics for ARP Inspection Figure 182: Displaying the ARP Inspection Log Figure 183: Creating an IP Address Filter for Management Access Figure 184: Showing IP Addresses Authorized for Management Access...
  • Page 49 Figures: Figure 213: Showing Remote Engine IDs for SNMP Figure 214: Creating an SNMP View Figure 215: Showing SNMP Views Figure 216: Adding an OID Subtree to an SNMP View Figure 217: Showing the OID Subtree Configured for SNMP Views Figure 218: Creating an SNMP Group Figure 219: Showing SNMP Groups Figure 220: Setting Community Access Strings...
  • Page 50 Figures: Figure 249: Configuring IGMP Snooping on an Interface Figure 250: Showing Interface Settings for IGMP Snooping Figure 251: Dropping IGMP Query or Multicast Data Packets Figure 252: Showing Multicast Groups Learned by IGMP Snooping Figure 253: Enabling IGMP Filtering and Throttling Figure 254: Creating an IGMP Filtering Profile Figure 255: Showing the IGMP Filtering Profiles Created Figure 256: Adding Multicast Groups to an IGMP Filtering Profile...
  • Page 51 Figures: Figure 285: Showing Reported MTU Values Figure 286: Virtual Interfaces and Layer 3 Routing Figure 287: Pinging a Network Device Figure 288: Tracing the Route to a Network Device Figure 289: Proxy ARP Figure 290: Configuring General Settings for ARP Figure 291: Configuring Static ARP Entries Figure 292: Displaying Static ARP Entries Figure 293: Displaying Dynamic ARP Entries...
  • Page 52 Figures: Figure 321: DHCP Server Figure 322: Enabling the DHCP Server Figure 323: Configuring Excluded Addresses on the DHCP Server Figure 324: Showing Excluded Addresses on the DHCP Server Figure 325: Configuring DHCP Server Address Pools (Network) Figure 326: Configuring DHCP Server Address Pools (Host) Figure 327: Showing Configured DHCP Server Address Pools Figure 328: Shows Addresses Assigned by the DHCP Server Figure 329: Enabling the UDP Helper...
  • Page 53 Figures: Figure 357: AS Boundary Router Figure 358: Configure General Settings for OSPF Figure 359: Showing General Settings for OSPF Figure 360: Adding an NSSA or Stub Figure 361: Showing NSSAs or Stubs Figure 362: OSPF NSSA Figure 363: Configuring Protocol Settings for an NSSA Figure 364: OSPF Stub Area Figure 365: Configuring Protocol Settings for a Stub...
  • Page 54 Figures: Figure 393: Configuring Global Settings for PIM-SM Figure 394: Configuring a BSR Candidate Figure 395: Configuring a Static Rendezvous Point Figure 396: Showing Static Rendezvous Points Figure 397: Configuring an RP Candidate Figure 398: Showing Settings for an RP Candidate Figure 399: Showing Information About the BSR Figure 400: Showing RP Mapping Figure 401: Enabling PIMv6 Multicast Routing...
  • Page 55: Tables

    Tables: Table 1: Key Features Table 2: System Defaults Table 3: Web Page Configuration Buttons Table 4: Switch Main Menu Table 5: Port Statistics Table 6: LACP Port Counters Table 7: LACP Internal Configuration Information Table 8: LACP Internal Configuration Information Table 9: Recommended STA Path Cost Range Table 10: Default STA Path Costs Table 11: IEEE 802.1p Egress Queue Priority Mapping...
  • Page 56 Tables: Table 33: OSPF System Information Table 34: General Command Modes Table 35: Configuration Command Modes Table 36: Keystroke Commands Table 37: Command Group Index Table 38: General Commands Table 39: System Management Commands Table 40: Device Designation Commands Table 41: System Status Commands Table 42: Frame Size Commands Table 43: Fan Control Commands Table 44: Flash/File Commands...
  • Page 57 Tables: Table 69: HTTPS System Support Table 70: Telnet Server Commands Table 71: Secure Shell Commands Table 72: show ssh - display description Table 73: 802.1X Port Authentication Commands Table 74: Management IP Filter Commands Table 75: General Security Commands Table 76: Management IP Filter Commands Table 77: Network Access Commands Table 78: Dynamic QoS Profiles...
  • Page 58 Tables: Table 105: GVRP and Bridge Extension Commands Table 106: Commands for Editing VLAN Groups Table 107: Commands for Configuring VLAN Interfaces Table 108: Commands for Displaying VLAN Information Table 109: 802.1Q Tunneling Commands Table 110: Commands for Configuring Traffic Segmentation Table 111: Private VLAN Commands Table 112: Protocol-based VLAN Commands Table 113: IP Subnet VLAN Commands...
  • Page 59 Tables: Table 141: show hosts - display description 1091 Table 142: DHCP Commands 1093 Table 143: DHCP Client Commands 1093 Table 144: DHCP Relay Commands 1096 Table 145: DHCP Server Commands 1098 Table 146: VRRP Commands 1111 Table 147: show vrrp - display description 1117 Table 148: show vrrp brief - display description 1118...
  • Page 60 Tables: Table 177: show ip ospf database - display description 1259 Table 178: show ip ospf interface - display description 1259 Table 179: show ipv6 ospf neighbor - display description 1261 Table 180: show ip ospf neighbor - display description 1262 Table 181: Multicast Routing Commands 1265...
  • Page 61: Section I

    Section I: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ...
  • Page 63: Introduction

    Chapter: Introduction, Key Features: This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 64: Description Of Software Features

    Chapter: Introduction. Table 1: Key Features (Continued). IEEE 802.1D Bridge: Supports dynamic data switching and addresses learning. Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames. Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP). Virtual LANs: Up to 256 using IEEE 802.1Q, port-based, protocol-based, private VLANs,...
  • Page 65: DHCP

    Chapter: Introduction, Description of Software Features: server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server). Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, and IP address filtering for SNMP/Telnet/web management access.
  • Page 66: Broadcast Storm Control

    Chapter: Introduction. Broadcast Storm Control: Broadcast suppression prevents broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
  • Page 67: Virtual LANs

    Chapter: Introduction, Description of Software Features: VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
  • Page 68: Quality Of Service

    Chapter: Introduction. Quality of Service: Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists.
  • Page 69: Address Resolution Protocol

    Chapter: Introduction, Description of Software Features. Address Resolution Protocol: The switch uses ARP and Proxy ARP to convert between IP addresses and MAC (hardware) addresses. This switch supports conventional ARP, which locates the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
  • Page 70: System Defaults

    Chapter: Introduction. System Defaults: The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults. Table 2: System Defaults Function Parameter...
  • Page 71 Chapter: Introduction, System Defaults. Table 2: System Defaults (Continued), columns Function, Parameter, Default. Port Configuration: Admin Status = Enabled, Auto-negotiation = Enabled, Flow Control = Disabled. Port Trunking: Static Trunks = None, LACP (all ports) = Disabled. Congestion Control: Rate Limiting = Disabled, Storm Control = Broadcast: Enabled (500 packets/sec). Address Table: Aging Time...
  • Page 72 Chapter: Introduction. Table 2: System Defaults (Continued), columns Function, Parameter, Default. IP Settings Management. VLAN Any VLAN configured with an IP address IP Address DHCP assigned Default Gateway 0.0.0.0 DHCP Client: Enabled Relay: Disabled Server: Disabled Client/Proxy service: Disabled BOOTP Disabled Enabled Cache Timeout: 20 minutes...
  • Page 73: Initial Switch Configuration

    Chapter: Initial Switch Configuration. This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 74: Required Connections

    Chapter: Initial Switch Configuration, Connecting to the Switch: Control port access through IEEE 802.1X security or static address filtering; Filter packets using Access Control Lists (ACLs); Configure up to 4093 IEEE 802.1Q VLANs; Enable GVRP automatic VLAN registration; Configure IP routing for unicast or multicast traffic; Configure router redundancy; Configure IGMP multicast filtering; Upload and download system firmware or configuration files via HTTP (using the...
  • Page 75: Remote Connections

    Chapter: Initial Switch Configuration, Connecting to the Switch: Make sure the terminal emulation software is set as follows: Select the appropriate serial port (COM port 1 or COM port 2). Set the baud rate to 115200 bps. ...
  • Page 76: Stack Operations

    Chapter: Initial Switch Configuration. Stack Operations: Up to eight switches can be stacked together as described in the Installation Guide. One unit in the stack acts as the Master for configuration tasks and firmware upgrade. All of the other units function in Slave mode, but can automatically take over management of the stack if the Master unit fails.
  • Page 77: Recovering From Stack Failure Or Topology Change

    Chapter: Initial Switch Configuration, Stack Operations: over to the next unit down in the stack, place the Slave unit with the lowest MAC address directly beneath the Master unit in the stack. Recovering from Stack Failure or Topology Change: When a link or unit in the stack fails, a trap message is sent and a failure event is logged.
  • Page 78: Renumbering The Stack

    Chapter: Initial Switch Configuration, Stack Operations. Resilient IP Interface for Management Access: The stack functions as one integral system for management and configuration purposes. You can therefore manage the stack through any IP interface configured on the stack. The Master unit does not even have to include an active port member in the VLAN interface used for management access.
  • Page 79: Basic Configuration

    Chapter: Initial Switch Configuration, Basic Configuration: and downloads the image to those backup units that are running a different image version. For information on downloading firmware, see "Managing System Files" on page 120. Basic Configuration. Console Connection: The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
  • Page 80 Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>. Username: admin Password: CLI session with the EL 326 is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password]...
  • Page 81 Chapter: Initial Switch Configuration, Basic Configuration: Default gateway for the network. To assign an IPv4 address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ip address ip-address netmask,”...
  • Page 82 Chapter: Initial Switch Configuration, Basic Configuration: IPv6 is enable. Link-local address: FE80::260:3EFF:FE11:6700/64 Global unicast address(es): Joined group address(es): FF01::1/16 FF02::1/16 FF02::1:FF11:6700/104 MTU is 1500 bytes. ND DAD is enabled, number of DAD attempts: 1. ND retransmit interval is 1000 milliseconds Console# Address for Multi-segment Network —...
  • Page 83 Chapter: Initial Switch Configuration, Basic Configuration: Console#show ipv6 interface Vlan 1 is up IPv6 is enable. Link-local address: FE80::200:E8FF:FE93:82A0/64 Global unicast address(es): 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 2005::212:CFFF:FE0B:4600, subnet is :: Joined group address(es): FF02::1:2 FF02::1:FF00:0 FF02::1:FF93:82A0 FF02::1 IPv6 link MTU is 1280 bytes ND DAD is enabled, number of DAD attempts: 2.
  • Page 84 Chapter: Initial Switch Configuration, Basic Configuration: Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: DHCP Console#copy running-config startup-config Startup configuration file name []: startup...
  • Page 85: Enabling SNMP Management Access

    Chapter: Initial Switch Configuration, Basic Configuration. Enabling SNMP Management Access: The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as EdgeCore ECView. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the...
  • Page 86 Chapter: Initial Switch Configuration, Basic Configuration. Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
  • Page 87: Managing System Files

    The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 88 There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file.
  • Page 89: Section: Web Configuration

    This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 95 "Basic Management Tasks"...
  • Page 90 "General IP Routing" on page 491, "Configuring Router Redundancy" on page 509, "IP Services" on page 519, "Unicast Routing" on page 541, "Multicast Routing" on page 597...
  • Page 91: Using The Web Interface

    This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 92: Navigating The Web Browser Interface

    Note: This manual covers the EL 326 Gigabit Ethernet switch. Other than the number of ports supported by these models, there are no significant differences. Therefore nearly all of the screen display examples are based on the EL 326. The panel graphics for both switch types are shown on the following page.
  • Page 93: Configuration Options

    The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Figure 2: Front Panel Indicators (EL 326)...
  • Page 94: Main Menu

    Main Menu: Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu Menu Description...
  • Page 95 Table 4: Switch Main Menu (Continued) Menu Description Page Cable Test Performs cable diagnostics for selected port to diagnose any cable faults (short, open etc.) and report the cable length Trunk Static Configure Trunk...
  • Page 96 Table 4: Switch Main Menu (Continued) Menu Description Page VLAN Virtual LAN Static Creates VLAN groups Show Displays configured VLAN groups Modify Configures group name and administrative status Edit Member by VLAN Specifies VLAN attributes per VLAN Edit Member by Interface Specifies VLAN attributes per interface...
  • Page 97 Table 4: Switch Main Menu (Continued) Menu Description Page MAC-Based Maps traffic with specified source MAC address to a VLAN Show Shows source MAC address to VLAN mapping MAC Address Learning Status Enables MAC address learning on selected interfaces Static...
  • Page 98 Table 4: Switch Main Menu (Continued) Menu Description Page Priority Default Priority Sets the default priority for each port or trunk Queue Sets queue mode for the switch; sets the service weight for each queue that will use a weighted or hybrid mode CoS to Queue Specifies the hardware output queues to use for CoS priority tagged traffic...
  • Page 99 Table 4: Switch Main Menu (Continued) Menu Description Page Configure Group Specifies a group of authentication servers and sets the priority sequence Show Shows the authentication server groups and priority sequence Accounting Enables accounting of requested services for billing or security purposes Configure Global...
  • Page 100 Table 4: Switch Main Menu (Continued) Menu Description Page Configure MAC Filter Specifies MAC addresses exempt from authentication Show Shows the list of exempt MAC addresses Show Information Shows the authenticated MAC address list HTTPS Secure HTTP Configure Global...
  • Page 101 Table 4: Switch Main Menu (Continued) Menu Description Page Show Information Show Statistics Displays statistics on the inspection process Show Log Shows the inspection log list IP Filter Sets IP addresses of clients allowed management access via the web, SNMP, and Telnet Show Shows the addresses to be allowed management access...
  • Page 102 Table 4: Switch Main Menu (Continued) Menu Description Page Show Device Statistics General Displays statistics for all connected remote devices Port/Trunk Displays statistics for remote devices on a selected port or trunk SNMP Simple Network Management Protocol Configure Global...
  • Page 103 Table 4: Switch Main Menu (Continued) Menu Description Page Alarm Shows all configured alarms Event Shows all configured events Configure Interface History Periodically samples statistics on a physical interface Statistics Enables collection of statistics on a physical interface Show...
  • Page 104 Table 4: Switch Main Menu (Continued) Menu Description Page Configure ECMP Number Sets the maximum number of equal-cost paths to the same destination that can be installed in the routing table VRRP Virtual Router Redundancy Protocol Configure Group ID...
  • Page 105 Table 4: Switch Main Menu (Continued) Menu Description Page Static Host Table Configures static entries for domain name to address mapping Show Shows the list of static mapping entries Modify Modifies the static address mapped to the selected host name Cache...
  • Page 106 Table 4: Switch Main Menu (Continued) Menu Description Page Multicast IGMP Snooping General Enables multicast filtering; configures parameters for multicast snooping Multicast Router Add Static Multicast Router Assigns ports that are attached to a neighboring multicast router Show Static Multicast Router Displays ports statically configured as attached to a neighboring multicast router...
  • Page 107 Table 4: Switch Main Menu (Continued) Menu Description Page Show Detail Shows detailed information on each multicast group associated with a VLAN interface Multicast Routing General Globally enables multicast routing Information Show Summary Shows each multicast route the switch has learned...
  • Page 108 Table 4: Switch Main Menu (Continued) Menu Description Page Show Shows the external routing information to be imported from other routing domains Distance Defines an administrative distance for external routes learned from other routing protocols Show Shows the administrative distances assigned to external routes learned...
  • Page 109 Table 4: Switch Main Menu (Continued) Menu Description Page Redistributes routes from one routing domain to another Show Shows route types redistributed to another domain Modify Modifies configuration settings for redistributed routes Summary Address Aggregates routes learned from other protocols for advertising into other autonomous systems...
  • Page 110 Table 4: Switch Main Menu (Continued) Menu Description Page Show BSR Router Displays information about the BSR Show RP Mapping Displays the active RPs and associated multicast routing entries PIM6 PIM for IPv6 General...
  • Page 111: Basic Management Tasks

    This chapter describes the following topics: Displaying System Information – Provides basic system description, including contact information. Displaying Switch Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. Configuring Support for Jumbo Frames –...
  • Page 112: Displaying Switch Hardware/Software Versions

    System Object ID – MIB II object ID for switch’s network management subsystem. System Up Time – Length of time the management agent has been up. System Name – Name assigned to the switch system. System Location –...
  • Page 113 Hardware Version – Hardware version of the main board. Internal Power Status – Displays the status of the internal power supply. Management Software Information: Role – Shows that this switch is operating as Master or Slave. EPLD Version –...
  • Page 114: Configuring Support For Jumbo Frames

    Use the System > Capability page to configure support for jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10KB for Gigabit Ethernet.
  • Page 115: Displaying Bridge Extension Capabilities

    Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 116: Managing System Files

    Figure 6: Displaying Bridge Extension Configuration. Managing System Files: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Copying Files via Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
  • Page 117 HTTP Upgrade – Copies a file from a management station to the switch. HTTP Download – Copies a file from the switch to a management station. TFTP Upgrade – Copies a file from a TFTP server to the switch...
  • Page 118: Saving The Running Configuration To A Local File

    Figure 7: Copy Firmware. If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Saving the Running Use the System >...
  • Page 119: Setting The Start-Up File

    Select Copy from the Action list. Select Running-Config from the Copy Type list. Select the current startup file on the switch to overwrite or specify a new file name. Then click Apply. Figure 8: Saving the Running Configuration. If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System >...
  • Page 120: Showing System Files

    Figure 9: Setting Start-Up Files. To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Showing System Files: Use the System > File (Show) page to show the files in the system directory, or to delete a file.
  • Page 121: Setting The System Clock

    Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 122: Configuring SNTP

    Figure 11: Manually Setting the System Clock. Configuring SNTP: Use the System > Time (Configure General - SNTP) page to configure the switch to send time synchronization requests to time servers. Set the SNTP polling interval, SNTP servers, and also the time zone.
  • Page 123: Specifying SNTP Time Servers

    Figure 12: Setting the Polling Interval for SNTP. Specifying SNTP Time Servers: Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers. CLI References...
  • Page 124: Console Port Settings

    Setting the Time Zone: Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 125 VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), time outs, and basic communication settings. Note that these parameters can be configured via the web or CLI interface.
  • Page 126: Telnet Settings

    Web Interface: To configure parameters for the console port: Click System, then Console. Specify the connection parameters as required. Click Apply. Figure 15: Console Port Settings. Telnet Settings: Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection.
  • Page 127 Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 0-65535 seconds; Default: 600 seconds) Password Threshold –...
  • Page 128: Displaying CPU Utilization

    Use the System > CPU Utilization page to display information on CPU utilization. CLI References: "show process cpu" on page 652. Parameters: The following parameters are displayed in the web interface: Time Interval –...
  • Page 129: Renumbering The Stack

    Parameters: The following parameters are displayed in the web interface: Free Size – The amount of memory currently free for use. Used Size – The amount of memory allocated to active processes. Total –...
  • Page 130: Resetting The System

    Figure 19: Renumbering the Stack. Resetting the System: Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI References: "reload (Privileged Exec)"...
  • Page 131 DD - The day of the month at which to reload. (Range: 1-31) MM - The month at which to reload. (january ... december) YYYY - The year at which to reload. (Range: 2001-2050) HH - The hour at which to reload.
  • Page 132 Figure 20: Restarting the Switch (Immediately). Figure 21: Restarting the Switch (In)...
  • Page 133 Figure 22: Restarting the Switch (At). Figure 23: Restarting the Switch (Regularly)...
  • Page 135: Interface Configuration

    This chapter describes the following topics: Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. Port Mirroring – Sets the source and target ports for mirroring on the local switch. Displaying Statistics –...
  • Page 136 The 1000BASE-T and 10GBASE-T standards do not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T or 10GBASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
  • Page 137 FC - Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation.
  • Page 138: Configuring By Port Range

    Configuring by Port Range: Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. For more information on command usage and a description of the parameters, refer to "Configuring by Port List"...
  • Page 139 Type – Indicates the port type. (1000Base-T, 1000Base SFP, or 10G) Name – Interface label. Admin – Shows if the port is enabled or disabled. Oper Status – Indicates if the link is Up or Down. Media Type –...
  • Page 140: Configuring Port Mirroring

    Configuring Port Mirroring: Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 141: Showing Port Or Trunk Statistics

    Figure 28: Configuring Local Port Mirroring. To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 29: Displaying Local Port Mirror Sessions. Showing Port or Trunk Statistics: Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 142: Table 5: Port Statistics

    Parameters: These parameters are displayed in the web interface: Table 5: Port Statistics (Parameter: Description). Interface Statistics. Received Octets: The total number of octets received on the interface, including framing characters. Transmitted Octets: The total number of octets transmitted out of the interface, including framing characters.
  • Page 143 Table 5: Port Statistics (Continued). FCS Errors: A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
  • Page 144 Table 5: Port Statistics (Continued). Output Packets per second: Number of packets leaving this interface per second. Output Utilization: The output utilization rate for this interface. Web Interface: To show a list of port statistics: Click Interface, Port, Statistics.
  • Page 145: Performing Cable Diagnostics

    Figure 31: Showing Port Statistics (Chart). Performing Cable Diagnostics: Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 146 Impedance mismatch: Terminating impedance is not in the reference range. Ports are linked down while running cable diagnostics. Parameters: These parameters are displayed in the web interface: Port – Switch port identifier. (Range: 1-26/50) Test Result –...
  • Page 147: Trunk Configuration

    This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 148 Figure 33: Configuring Static Trunks (statically configured active links). CLI References: "Link Aggregation Commands" on page 867, "Interface Commands" on page 849. Command Usage: When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation.
  • Page 149 Figure 34: Creating Static Trunks. To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member.
  • Page 150: Configuring A Dynamic Trunk

    Figure 36: Configuring Connection Parameters for a Static Trunk. To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 37: Displaying Connection Parameters for Static Trunks. Configuring a Use the Interface >...
  • Page 151 Command Usage: To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP. If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
  • Page 152 System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535; Default: 32768) System priority is combined with the switch’s MAC address to form the LAG identifier.
  • Page 153 To enable LACP for a port: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click General. Enable LACP on the required ports. Click Apply. Figure 40: Enabling LACP on a Port. To configure LACP parameters for group members: Click Interface, Trunk, Dynamic.
  • Page 154 Figure 41: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Show Member from the Action List. Select a Trunk.
  • Page 155: Displaying LACP Port Counters

    Figure 43: Configuring Connection Settings for Dynamic Trunks. To display connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Show from the Action List. Figure 44: Displaying Connection Parameters for Dynamic Trunks. Displaying LACP Use the Interface >...
  • Page 156 Table 6: LACP Port Counters (Continued). Marker Unknown Pkts: Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 157: Displaying LACP Settings and Status for the Local Side

    Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI References...
  • Page 158: Displaying LACP Settings and Status for the Remote Side

    Figure 46: Displaying LACP Port Internal Information. Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
  • Page 159: Sampling Traffic Flows

    Web Interface: To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Neighbors. Select a group member from the Port list. Figure 47: Displaying LACP Port Remote Information. Sampling Traffic...
  • Page 160: Configuring sFlow Parameters

    flows is created. Analysis of the sFlow stream(s) can reveal trends and information that can be leveraged in the following ways: detecting, diagnosing, and fixing network problems; real-time congestion management; understanding application mix (P2P, Web, DNS, etc.) and changes; identification and tracing of unauthorized network activity; usage accounting; trending and capacity planning...
  • Page 161: Traffic Segmentation

    | Interface Configuration HAPTER Traffic Segmentation Sample Rate – The number of packets out of which one sample will be taken. (Range: 256-16777215 packets, or 0 to disable sampling; Default: Disabled) NTERFACE To configure flow sampling: Click Interface, sFlow. Set the parameters for flow collector, the reset timeout, the payload, and the sampling rate.
  • Page 162: Configuring Uplink And Downlink Ports

    Web Interface: To enable traffic segmentation: Click Interface, Traffic Segmentation. Select Configure Global from the Step list. Mark the Enabled check box. Click Apply. Figure 49: Enabling Traffic Segmentation. Configuring Uplink and Downlink Ports: Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group.
  • Page 163: VLAN Trunking

    Select Uplink or Downlink in the Direction list to add a group member. Click Apply. Figure 50: Configuring Members for Traffic Segmentation. VLAN Trunking: Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
  • Page 164 automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports. To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
  • Page 167: VLAN Configuration

    This chapter includes the following topics: IEEE 802.1Q VLANs – Configures static and dynamic VLANs. Private VLANs – Configures private VLANs, using primary for unrestricted upstream access and community groups which are restricted to other local group members or to the ports in the associated primary group.
  • Page 168 Up to 4093 VLANs based on the IEEE 802.1Q standard; distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol; port overlapping, allowing a port to participate in multiple VLANs; end stations can belong to multiple VLANs; passing traffic between VLAN-aware and VLAN-unaware devices; priority tagging...
  • Page 169 printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch. Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security.
  • Page 170: Configuring VLAN Groups

    If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 171 Select Add from the Action list. Enter a VLAN ID or range of IDs. Mark Enable to configure the VLAN as operational. Click Apply. Figure 55: Creating Static VLANs. To modify the configuration settings for VLAN groups: Click VLAN, Static.
  • Page 172: Adding Static Members To Vlans

    | VLAN Configuration HAPTER IEEE 802.1Q VLANs To show the configuration settings for VLAN groups: Click VLAN, Static. Select Show from the Action list. Figure 57: Showing Static VLANs Adding Static Use the VLAN > Static page to configure port members for the selected VLAN index, Members to VLANs interface, or a range of interfaces.
  • Page 173 | VLAN Configuration HAPTER IEEE 802.1Q VLANs  1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
  • Page 174 | VLAN Configuration HAPTER IEEE 802.1Q VLANs : VLAN 1 is the default untagged VLAN containing all ports on the switch, and membership type can only be modified by first assigning a port to another VLAN and then reassigning the default port VLAN ID. Edit Member by Interface All parameters are the same as those described under the preceding section for Edit Member by VLAN.
  • Page 175 | Figure 58: Configuring Static Members by VLAN Index. To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Step list. Select a port or trunk to configure. Modify the settings for any interface as required. Click Apply.
  • Page 176 | To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Step list. Set the Interface type to display as Port or Trunk. Enter an interface range. Modify the VLAN parameters as required.
  • Page 177 | Configure Interface: Interface – Displays a list of ports or trunks. Port – Port Identifier. (Range: 1-26/50) Trunk – Trunk Identifier. (Range: 1-32) GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect (using the Configure General page).
  • Page 178 | Enable or disable GVRP. Click Apply. Figure 61: Configuring Global Status of GVRP. To configure GVRP status and timers on a port or trunk: Click VLAN, Dynamic. Select Configure Interface from the Step list. Set the Interface type to display as Port or Trunk.
  • Page 179: Private VLANs

    Figure 63: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN Members from the Action list. Figure 64: Showing the Members of a Dynamic VLAN. PRIVATE VLANs...
  • Page 180: Creating Private VLANs

    Use the Configure VLAN (Add Community VLAN) page to map a community VLAN to the primary VLAN. Use the Configure Interface page to set the port type to promiscuous (i.e., having access to all ports in the primary VLAN), or host (i.e., having access restricted to community VLAN members, and channeling all other traffic through promiscuous ports).
  • Page 181 | Figure 65: Configuring Private VLANs. To display a list of private VLANs: Click VLAN, Private. Select Configure VLAN from the Step list. Select Show from the Action list. Figure 66: Showing Private VLANs. Note: All member ports must be removed from the VLAN before it can be deleted. Associating Private VLANs: Use the VLAN >...
  • Page 182: Associating Private VLANs

    INTERFACE To associate a community VLAN with a primary VLAN: Click VLAN, Private. Select Configure VLAN from the Step list. Select Add Community VLAN from the Action list. Select an entry from the Primary VLAN list. Select an entry from the Community VLAN list to associate it with the selected primary VLAN.
  • Page 183: Configuring Private VLAN Interfaces

    Configuring Private VLAN Interfaces: Use the VLAN > Private (Configure Interface) page to set the private VLAN interface type, and assign the interfaces to a private VLAN. CLI REFERENCES "switchport private-vlan mapping" on page 955 "switchport private-vlan host-association"...
  • Page 184: IEEE 802.1Q Tunneling

    Figure 69: Configuring Interfaces for Private VLANs. IEEE 802.1Q TUNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 185 | When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing. However, the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the customer’s network.
  • Page 186 | Layer 2 Flow for Packets Coming into a Tunnel Uplink Port: An uplink port receives one of the following packets: Untagged; One tag (CVLAN or SPVLAN); Double tag (CVLAN + SPVLAN). The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
  • Page 187 | Configuration Limitations for QinQ: The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
  • Page 188: Enabling QinQ Tunneling on the Switch

    Enabling QinQ Tunneling on the Switch: Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network.
  • Page 189: Adding an Interface to a QinQ Tunnel

    Adding an Interface to a QinQ Tunnel: Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
  • Page 190: Protocol VLANs

    Figure 72: Adding an Interface to a QinQ Tunnel. PROTOCOL VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 191: Configuring Protocol VLAN Groups

    Configuring Protocol VLAN Groups: Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. CLI REFERENCES "protocol-vlan protocol-group (Configuring Groups)" on page 957 PARAMETERS These parameters are displayed in the web interface: Frame Type –...
  • Page 192: Mapping Protocol Groups to Interfaces

    Figure 73: Configuring Protocol VLANs. To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 74: Displaying Protocol VLANs. Mapping Protocol Groups to Interfaces: Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
  • Page 193 | If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. PARAMETERS These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. Port –...
  • Page 194: Configuring IP Subnet VLANs

    Select Show from the Action list. Figure 76: Showing the Interface to Protocol Group Mapping. CONFIGURING IP SUBNET VLANs Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 195 | VLAN – VLAN to which matching IP subnet traffic is forwarded. (Range: 1-4093) Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority; Default: 0) INTERFACE To map an IP subnet to a VLAN: Click VLAN, IP Subnet.
  • Page 196: Configuring MAC-based VLANs

    Figure 78: Showing IP Subnet VLANs. CONFIGURING MAC-BASED VLANs Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses.
  • Page 197 | INTERFACE To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list. Enter an address in the MAC Address field. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured.
  • Page 199: Address Table Settings

    ADDRESS TABLE SETTINGS Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 200: Setting Static Addresses

    PARAMETERS These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. Port – Port Identifier. (Range: 1-26/50) Trunk – Trunk Identifier. (Range: 1-32) Status – The status of MAC address learning. (Default: Enabled) INTERFACE To enable or disable MAC address learning: Click MAC Address, Learning Status.
  • Page 201 | COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: Static addresses are bound to the assigned interface and will not be moved.
  • Page 202: Changing the Aging Time

    Figure 82: Configuring Static MAC Addresses. To show the static addresses in MAC address table: Click MAC Address, Static. Select Show from the Action list. Figure 83: Displaying Static MAC Addresses. CHANGING THE AGING TIME Use the MAC Address >...
  • Page 203: Displaying the Dynamic Address Table

    INTERFACE To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
  • Page 204: Clearing the Dynamic Address Table

    INTERFACE To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
  • Page 205 | Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface). Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface. Click Clear.
  • Page 207: Spanning Tree Algorithm

    SPANNING TREE ALGORITHM This chapter describes the following basic topics: Loopback Detection – Configures detection and response to loopback BPDUs. Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. Interface Settings for STA –...
  • Page 208 | Figure 87: STP Root Ports and Designated Ports. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
  • Page 209: Configuring Loopback Detection

    Tree (CST) interconnects all adjacent MST Regions, and acts as a virtual bridge node for communications with STP or RSTP nodes in the global network. Figure 89: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree...
  • Page 210 | CLI REFERENCES "Editing VLAN Groups" on page 934 PARAMETERS These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. Status – Enables loopback detection on this interface. (Default: Enabled) Trap –...
  • Page 211: Configuring Global Settings for STA

    CONFIGURING GLOBAL SETTINGS FOR STA Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. CLI REFERENCES "Spanning Tree Commands"...
  • Page 212 | PARAMETERS These parameters are displayed in the web interface: Basic Configuration of Global Settings: Spanning Tree Status – Enables/disables STA on this switch. (Default: Enabled) Spanning Tree Type – Specifies the type of spanning tree used on this switch: ...
  • Page 213 | Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) When the Switch Becomes Root: Hello Time –...
  • Page 214 | INTERFACE To configure global STA settings: Click Spanning Tree, STA. Select Configure Global from the Step list. Select Configure from the Action list. Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section.
  • Page 215 | Figure 92: Configuring Global Settings for STA (RSTP). Figure 93: Configuring Global Settings for STA (MSTP).
  • Page 216: Displaying Global Settings for STA

    DISPLAYING GLOBAL SETTINGS FOR STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch. CLI REFERENCES "show spanning-tree"...
  • Page 217: Configuring Interface Settings for STA

    Figure 94: Displaying Global Settings for STA. CONFIGURING INTERFACE SETTINGS FOR STA Use the Spanning Tree > STA (Configure Interface - Configure) page to configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
  • Page 218: Table 9: Recommended STA Path Cost Range

    Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Also, note that path cost takes precedence over port priority.
  • Page 219 | also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device. (Default: Disabled) Enabled – Manually configures a port as an Edge Port. ...
  • Page 220: Displaying Interface Settings for STA

    INTERFACE To configure interface settings for STA: Click Spanning Tree, STA. Select Configure Interface from the Step list. Select Configure from the Action list. Modify any of the required attributes. Click Apply.
  • Page 221 | Discarding - Port receives STA configuration messages, but does not forward packets. Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
  • Page 222 | Figure 96: STA Port Roles. Legend: R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port. Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 223: Configuring Multiple Spanning Trees

    CONFIGURING MULTIPLE SPANNING TREES Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI REFERENCES "Spanning Tree Commands" on page 903 COMMAND USAGE MSTP generates a unique spanning tree for each instance.
  • Page 224 | INTERFACE To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 225 | To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
  • Page 226 | To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 227: Configuring Interface Settings for MSTP

    CONFIGURING INTERFACE SETTINGS FOR MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI REFERENCES "Spanning Tree Commands" on page 903 PARAMETERS These parameters are displayed in the web interface: MST Instance ID –...
  • Page 228 | INTERFACE To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Configure from the Action list. Enter the priority and path cost for an interface. Click Apply.
  • Page 231: Rate Limit Configuration

    RATE LIMIT CONFIGURATION Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 232 | Figure 106: Configuring Rate Limits
  • Page 233: Storm Control Configuration

    STORM CONTROL CONFIGURATION Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
  • Page 234 | Status – Enables or disables storm control. (Default: Enabled for broadcast storm control, disabled for multicast and unknown unicast storm control) Rate – Threshold level as a rate; i.e., packets per second. (Range: 500-262143 packets per second; Default: 500 pps for broadcast traffic, 262143 pps for unknown unicast and multicast traffic) INTERFACE To configure broadcast storm control:...
  • Page 235: Class of Service

    CLASS OF SERVICE Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 236: Selecting the Queue Mode

    PARAMETERS These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. CoS – The priority that is assigned to untagged frames received on the specified interface.
  • Page 237 | If “Strict and WRR” mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
  • Page 238 | If any of the weighted queue modes is selected, the queue weight can be modified if required. If any of the queue modes that use a combination of strict and weighted queueing are selected, the queues which are serviced first must be specified by enabling strict mode parameter in the table.
  • Page 239: Mapping CoS Values to Egress Queues

    Figure 111: Setting the Queue Mode (Strict and WRR). Mapping CoS Values to Egress Queues: Use the Traffic > Priority > CoS to Queue page to specify the hardware output queues to use for Class of Service (CoS) priority tagged traffic. The switch processes Class of Service (CoS) priority tagged traffic by using eight...
  • Page 240: Table 11: IEEE 802.1p Egress Queue Priority Mapping

    Table 11: IEEE 802.1p Egress Queue Priority Mapping (columns: Priority, Queue). The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in Table 12. However, priority levels can be mapped to the switch’s output queues in any way that benefits application traffic for the network.
  • Page 241: Table 12: CoS Priority Levels

    Table 12: CoS Priority Levels (columns: Priority Level, Traffic Type): Background; (Spare); 0 (default): Best Effort; Excellent Effort; Controlled Load; Video, less than 100 milliseconds latency and jitter; Voice, less than 10 milliseconds latency and jitter; Network Control. CLI REFERENCES...
  • Page 242: Layer 3/4 Priority Settings

    Figure 112: Mapping CoS Values to Egress Queues. LAYER 3/4 PRIORITY SETTINGS Mapping Layer 3/4 Priorities to CoS Values: The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
  • Page 243 | bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the eight hardware priority queues.
  • Page 244: Table 13: Mapping DSCP Priority Values

    Table 13: Mapping DSCP Priority Values (columns: IP DSCP Value, CoS Value): 10, 12, 14, 16; 18, 20, 22, 24; 26, 28, 30, 32, 34, 36; 38, 40, 42; 46, 56. Note: IP DSCP settings apply to all interfaces. PARAMETERS These parameters are displayed: DSCP Mapping Status –...
  • Page 245: Mapping IP Precedence

    Figure 113: Mapping IP DSCP Priority Values. Mapping IP Precedence: Use the Traffic > Priority > IP Precedence to CoS page to map IP Precedence priorities found in ingress packets to CoS values for internal priority processing. CLI REFERENCES "map ip precedence (Global Configuration)"...
  • Page 246: Table 14: Usage of ToS Bits

    Table 14: Usage of ToS Bits (columns: Priority Level, Traffic Type): Routine; Priority; Immediate; Flash; Flash Override; Critical; Internetwork Control; Network Control. Note: IP Precedence settings apply to all interfaces. PARAMETERS These parameters are displayed: IP Precedence Mapping Status –...
  • Page 247: Mapping IP Port Priority

    Figure 114: Mapping IP Precedence Priority Values. Mapping IP Port Priority: Use the Traffic > Priority > IP Port to CoS page to map network applications designated by a TCP/UDP destination port number in the frame header to CoS values for internal processing.
  • Page 248 | INTERFACE To set the TCP/UDP port number to CoS priority map: Click Traffic, Priority, IP Port to CoS. Select Add from the Action list. Set the CoS priority for any TCP or UDP port. Click Apply.
  • Page 249: Quality of Service

    QUALITY OF SERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
  • Page 250: Configuring a Class Map

    Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 251 | Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command. ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 252 | To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 118: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 253: Creating QoS Policies

    To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 120: Showing the Rules for a Class Map. CREATING QoS POLICIES Use the Traffic >...
  • Page 254 | be taken for traffic conforming to the maximum throughput, or exceeding the maximum throughput. srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
  • Page 255 | If the packet has been precolored as green and Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else if the packet has been precolored as yellow or green and if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else ...
  • Page 256 | if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else the packet is green and both Tp and Tc are decremented by B. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Aware mode: ...
  • Page 257 | Set IP DSCP – Configures the service provided to ingress traffic by setting an IP DSCP value for a matching packet (as specified in rule settings for a class map). (Range: 0-63) ...
  • Page 258 | are pre-colored. The functional differences between these modes are described at the beginning of this section under “srTCM Police Meter.” Committed Information Rate (CIR) – Rate in kilobits per second. (Range: 1-1000000 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
  • Page 259 | are pre-colored. The functional differences between these modes are described at the beginning of this section under “trTCM Police Meter.” Committed Information Rate (CIR) – Rate in kilobits per second. (Range: 1-1000000 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
  • Page 260 | Select Add from the Action list. Enter a policy name. Enter a description. Click Apply. Figure 121: Configuring a Policy Map. To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list.
  • Page 261 | excess of the maximum rate but within the peak information rate, or the action to take for a policy violation. Click Apply. Figure 123: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ.
  • Page 262: Attaching a Policy Map to a Port

    ATTACHING A POLICY MAP TO A PORT Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI REFERENCES "Quality of Service Commands" on page 985 COMMAND USAGE First define a class map, define a policy map, and bind the service policy to the...
  • Page 263: VoIP Traffic Configuration

    VOIP TRAFFIC CONFIGURATION This chapter covers the following topics: Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 264: Configuring Telephony OUI

    PARAMETERS These parameters are displayed in the web interface: Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) Voice VLAN – Sets the Voice VLAN ID for the network. Only one Voice VLAN is supported and it must already be created on the switch.
  • Page 265 | configured on the switch so that traffic from these devices is recognized as VoIP. Use the Traffic > VoIP (Configure OUI) page to configure this feature. CLI REFERENCES "Configuring Voice VLANs" on page 963 PARAMETERS These parameters are displayed in the web interface: Telephony OUI –...
  • Page 266: Configuring VoIP Traffic Ports

    Select Configure OUI from the Step list. Select Show from the Action list. Figure 128: Showing an OUI Telephony List. CONFIGURING VOIP TRAFFIC PORTS Use the Traffic > VoIP (Configure Interface) page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority.
  • Page 267 | VoIP Traffic Configuration | Configuring VoIP Traffic Ports | Discovery Protocol – Selects a method to use for detecting VoIP traffic on the port. (Default: OUI) • OUI – Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address. OUI numbers are assigned to manufacturers and form the first three octets of a device MAC address....
  • Page 268 | VoIP Traffic Configuration | Configuring VoIP Traffic Ports
  • Page 269: Security Measures

    | Security Measures | You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: AAA –...
  • Page 270: AAA Authorization And Accounting

    | Security Measures | AAA Authorization and Accounting | The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: Authentication —...
  • Page 271: Configuring Local/Remote Logon Authentication

    | Security Measures | AAA Authorization and Accounting | software is beyond the scope of this guide, refer to the documentation provided with the RADIUS or TACACS+ server software. Configuring Local/Remote Logon Authentication: Use the Security > AAA > System Authentication page to specify local or remote authentication....
  • Page 272: Configuring Remote Logon Authentication Servers

    | Security Measures | AAA Authorization and Accounting | Figure 130: Configuring the Authentication Sequence. Configuring Remote Logon Authentication Servers: Use the Security > AAA > Server page to configure the message exchange parameters for RADIUS or TACACS+ remote access authentication servers. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols that use...
  • Page 273 | Security Measures | AAA Authorization and Accounting | the authentication process must also be configured or negotiated between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security)....
  • Page 274 | Security Measures | AAA Authorization and Accounting | • Server IP Address – Address of the TACACS+ server. (A Server Index entry must be selected to display this item.) • Authentication Server TCP Port – Network (TCP) port of TACACS+ server used for authentication messages....
  • Page 275 | Security Measures | AAA Authorization and Accounting | Figure 132: Configuring Remote Authentication Server (RADIUS). Figure 133: Configuring Remote Authentication Server (TACACS+). To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list....
  • Page 276: Configuring AAA Accounting

    | Security Measures | AAA Authorization and Accounting | Figure 134: Configuring AAA Server Groups. To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 135: Showing AAA Server Groups. Configuring AAA Accounting: Use the Security >...
  • Page 277 | Security Measures | AAA Authorization and Accounting | Parameters: These parameters are displayed in the web interface: Configure Global Periodic Update - Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server. (Range: 0-2147483647 minutes;...
  • Page 278 | Security Measures | AAA Authorization and Accounting | Show Information – Summary Accounting Type - Displays the accounting service. Method Name - Displays the user-defined or default accounting method. Server Group Name - Displays the accounting server group. Interface - Displays the port, console or Telnet interface to which these rules apply. (This field is null if the accounting method and associated server group have not been assigned to an interface.) Show Information –...
  • Page 279 | Security Measures | AAA Authorization and Accounting | Select the accounting type (802.1X, Exec). Specify the name of the accounting method and server group name. Click Apply. Figure 137: Configuring AAA Accounting Methods. To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting....
  • Page 280 | Security Measures | AAA Authorization and Accounting | Click Apply. Figure 139: Configuring AAA Accounting Service for 802.1X Service. Figure 140: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting....
  • Page 281: Configuring AAA Authorization

    | Security Measures | AAA Authorization and Accounting | To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Statistics. Figure 142: Displaying Statistics for AAA Accounting Sessions. Configuring AAA Authorization: Use the Security >...
  • Page 282 | Security Measures | AAA Authorization and Accounting | Configure Service: Console Method Name – Specifies a user-defined method name to apply to console connections. Telnet Method Name – Specifies a user-defined method name to apply to Telnet connections. Show Information: Authorization Type - Displays the authorization service....
  • Page 283 | Security Measures | AAA Authorization and Accounting | Figure 144: Showing AAA Authorization Methods. To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply....
  • Page 284: Configuring User Accounts

    | Security Measures | Configuring User Accounts | Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: "User Accounts" on page 731. Command Usage: The default guest name is “guest”...
  • Page 285: Web Authentication

    | Security Measures | Web Authentication | Figure 147: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 148: Showing User Accounts. Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical....
  • Page 286: Configuring Global Settings For Web Authentication

    | Security Measures | Web Authentication | Configuring Global Settings for Web Authentication: Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication. CLI References: "Web Authentication" on page 797. Parameters: These parameters are displayed in the web interface: Web Authentication Status –...
  • Page 287: Configuring Interface Settings For Web Authentication

    | Security Measures | Web Authentication | Configuring Interface Settings for Web Authentication: Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References: "Web Authentication" on page 797. Parameters: These parameters are displayed in the web interface: Port –...
  • Page 288: Network Access (MAC Address Authentication)

    | Security Measures | Network Access (MAC Address Authentication) | Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points....
  • Page 289: Table 15: Dynamic QoS Profiles

    | Security Measures | Network Access (MAC Address Authentication) | The VLAN identifier list is carried in the RADIUS “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,3u” where “u” indicates an untagged VLAN and “t” a tagged VLAN. The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user....
  • Page 290: Configuring Global Settings For Network Access

    | Security Measures | Network Access (MAC Address Authentication) | When the last user logs off on a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port. When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access....
  • Page 291: Configuring Network Access For Ports

    | Security Measures | Network Access (MAC Address Authentication) | Figure 151: Configuring Global Settings for Network Access. Configuring Network Access for Ports: Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments....
  • Page 292 | Security Measures | Network Access (MAC Address Authentication) | The VLAN settings specified by the first authenticated MAC address are implemented for a port. Other authenticated MAC addresses on the port must have the same VLAN configuration, or they are treated as authentication failures. If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success, and the host is assigned to the default untagged VLAN....
  • Page 293: Configuring Port Link Detection

    | Security Measures | Network Access (MAC Address Authentication) | Configuring Port Link Detection: Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs. CLI References: "Network Access (MAC Address Authentication)"...
  • Page 294: Configuring A MAC Address Filter

    | Security Measures | Network Access (MAC Address Authentication) | Figure 153: Configuring Link Detection for Network Access. Configuring a MAC Address Filter: Use the Security > MAC Authentication (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication. MAC addresses present in MAC Filter tables activated on a port are treated as pre-authenticated on that port....
  • Page 295 | Security Measures | Network Access (MAC Address Authentication) | Enter a filter ID, MAC address, and optional mask. Click Apply. Figure 154: Configuring a MAC Address Filter for Network Access. To show the MAC address filter table for MAC authentication: Click Security, Network Access....
  • Page 296 | Security Measures | Network Access (MAC Address Authentication) | • MAC Address – Specifies a specific MAC address. • Interface – Specifies a port interface. • Attribute – Displays static or dynamic addresses. Authenticated MAC Address List: • MAC Address – The authenticated MAC address. • ...
  • Page 297: Configuring HTTPS

    | Security Measures | Configuring HTTPS | You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Configuring Global Use the Security >...
  • Page 298 | Security Measures | Configuring HTTPS | Parameters: These parameters are displayed in the web interface: HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) HTTPS Port – Specifies the UDP port number used for HTTPS connection to the switch’s web interface....
  • Page 299 | Security Measures | Configuring HTTPS | The switch must be reset for the new certificate to be activated. To reset the switch, see "Resetting the System" on page 134 or type “reload” at the command prompt: ES-3026#reload. CLI References: "Web Server"...
  • Page 300 | Security Measures | Configuring the Secure Shell | Figure 158: Downloading the Secure-Site Certificate. Configuring the Secure Shell: The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments....
  • Page 301 | Security Measures | Configuring the Secure Shell | Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it....
  • Page 302 | Security Measures | Configuring the Secure Shell | stored on the switch can access it. The following exchanges take place during this process: Authenticating SSH v1.5 Clients: The client sends its RSA public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client....
  • Page 303 | Security Measures | Configuring the Secure Shell | Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt....
  • Page 304 | Security Measures | Configuring the Secure Shell | Generating the Host Key Pair: Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch....
  • Page 305 | Security Measures | Configuring the Secure Shell | Figure 160: Generating the SSH Host Key Pair. To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear....
  • Page 306 | Security Measures | Configuring the Secure Shell | Parameters: These parameters are displayed in the web interface: User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
  • Page 307: Access Control Lists

    | Security Measures | Access Control Lists | To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear....
  • Page 308 | Security Measures | Access Control Lists | The maximum number of rules per ACL is 96. The maximum number of rules that can be bound to the ports is 96 for each of the following list types: MAC ACLs, IP ACLs (including Standard and Extended ACLs), IPv6 Standard ACLs, and IPv6 Extended ACLs....
  • Page 309 | Security Measures | Access Control Lists | Select Configure Time Range from the Step list. Select Add from the Action list. Enter the name of a time range. Click Apply. Figure 164: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL....
  • Page 310 | Security Measures | Access Control Lists | Figure 166: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list. Figure 167: Showing the Rules Configured for a Time Range
  • Page 311 | Security Measures | Access Control Lists | Showing TCAM Utilization: Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use....
  • Page 312 | Security Measures | Access Control Lists | Setting the ACL Name and Type: Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI References: "access-list ip" on page 828; "show ip access-list" on page 833. Parameters: These parameters are displayed in the web interface: ACL Name –...
  • Page 313 | Security Measures | Access Control Lists | Figure 169: Creating an ACL. To show a list of ACLs: Click Security, ACL. Select Configure ACL from the Step list. Select Show from the Action list. Figure 170: Showing a List of ACLs. Configuring a Use the Security >...
  • Page 314 | Security Measures | Access Control Lists | Source IP Address – Source IP address. Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.”...
  • Page 315 | Security Measures | Access Control Lists | Configuring an Extended IPv4 ACL: Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI References: "permit, deny (Extended IPv4 ACL)" on page 830; "show ip access-list"...
  • Page 316 | Security Measures | Access Control Lists | • 1 (fin) – Finish • 2 (syn) – Synchronize • 4 (rst) – Reset • 8 (psh) – Push • 16 (ack) – Acknowledgement • 32 (urg) – Urgent pointer. For example, use the code value and mask below to catch packets with the following flags set: • ...
  • Page 317 | Security Measures | Access Control Lists | Figure 172: Configuring an Extended IPv4 ACL. Configuring a Standard IPv6 ACL: Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References: "permit, deny (Standard IPv6 ACL)"...
  • Page 318 | Security Measures | Access Control Lists | Time Range – Name of a time range. Interface: To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list....
  • Page 319 | Security Measures | Access Control Lists | Configuring an Extended IPv6 ACL: Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI References: "permit, deny (Extended IPv6 ACL)" on page 836; "show ipv6 access-list"...
  • Page 320 | Security Measures | Access Control Lists | A flow label is assigned to a flow by the flow's source node. New flow labels must be chosen pseudo-randomly and uniformly from the range 1 to FFFFF hexadecimal. The purpose of the random allocation is to make any set of bits within the Flow Label field suitable for use as a hash key by routers, for looking up the state associated with the flow....
  • Page 321 | Security Measures | Access Control Lists | Figure 174: Configuring an Extended IPv6 ACL. Configuring a MAC ACL: Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI References: "permit, deny (MAC ACL)"...
  • Page 322 | Security Measures | Access Control Lists | • Untagged-802.3 – Untagged Ethernet 802.3 packets. • tagged-eth2 – Tagged Ethernet II packets. • Tagged-802.3 – Tagged Ethernet 802.3 packets. VID – VLAN ID. (Range: 1-4095) VID Bit Mask – VLAN bit mask. (Range: 0-4095) Ethernet Type –...
  • Page 323 | Security Measures | Access Control Lists | Figure 175: Configuring a MAC ACL. Configuring an ARP ACL: Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 324 | Security Measures | Access Control Lists | Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any) Source/Destination MAC Address –...
  • Page 325 | Security Measures | Access Control Lists | Figure 176: Configuring an ARP ACL. Binding a Port to an Access Control List: After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port....
  • Page 326 | Security Measures | ARP Inspection | Interface: To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select IP or MAC from the Type list. Select the name of an ACL from the ACL list. Click Apply....
  • Page 327 | Security Measures | ARP Inspection | By default, ARP Inspection is disabled both globally and on all VLANs. • If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled. • When ARP Inspection is enabled globally, all ARP request and reply packets on inspection-enabled VLANs are redirected to the CPU and their switching behavior handled by the ARP Inspection engine....
  • Page 328 | Security Measures | ARP Inspection | • Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped....
  • Page 329 | Security Measures | ARP Inspection | Interface: To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply....
  • Page 330 | Security Measures | ARP Inspection | If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. Parameters: These parameters are displayed in the web interface: ARP Inspection VLAN ID –...
  • Page 331 | Security Measures | ARP Inspection | CLI References: "ARP Inspection" on page 815. Parameters: These parameters are displayed in the web interface: Port – Port identifier. Trust Status – Configures the port as trusted or untrusted. (Default: Untrusted) By default, all untrusted ports are subject to ARP packet rate limiting, and all trusted ports are exempt from ARP packet rate limiting....
  • Page 332: Table 17: ARP Inspection Statistics

    | Security Measures | ARP Inspection | Displaying ARP Inspection Statistics: Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons. CLI References: "show ip arp inspection statistics"...
  • Page 333: Table 18: ARP Inspection Log

    | Security Measures | ARP Inspection | Figure 181: Displaying Statistics for ARP Inspection. Displaying the ARP Inspection Log: Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components....
  • Page 334 | Security Measures | Filtering IP Addresses for Management Access | Figure 182: Displaying the ARP Inspection Log. Filtering IP Addresses for Management Access: Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet....
  • Page 335 | Security Measures | Filtering IP Addresses for Management Access | • Telnet – Configures IP address(es) for the Telnet group. Start IP Address – A single IP address, or the starting address of a range. End IP Address – The end address of a range. Interface: To create a list of IP addresses authorized for management access: Click Security, IP Filter....
  • Page 336 | Security Measures | Configuring Port Security | Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number....
  • Page 337 | Security Measures | Configuring 802.1X Port Authentication | Security Status – Enables or disables port security on the port. (Default: Disabled) Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0-1024, where 0 means disabled) The maximum address count is effective when port security is enabled or disabled, but can only be set when Security Status is disabled....
  • Page 338 | Security Measures | Configuring 802.1X Port Authentication | server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server....
  • Page 339 | Security Measures | Configuring 802.1X Port Authentication | Configuring 802.1X Global Settings: Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. CLI References: "802.1X Port Authentication"...
  • Page 340 | Security Measures | Configuring 802.1X Port Authentication | Configuring Port Settings for 802.1X: Use the Security > Port Authentication (Configure Interface) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server....
  • Page 341 | Security Measures | Configuring 802.1X Port Authentication | • MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated. In this mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses)....
  • Page 342 | Security Measures | Configuring 802.1X Port Authentication | Authenticator PAE State Machine: State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). Reauth Count – Number of times connecting state is re-entered. Current Identifier – Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server....
  • Page 343 | Security Measures | Configuring 802.1X Port Authentication | Figure 188: Configuring Interface Settings for 802.1X Port Authenticator
  • Page 344: Table 19: 802.1X Statistics

    | Security Measures | Configuring 802.1X Port Authentication | Displaying 802.1X Statistics: Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. CLI References: "show dot1x" on page 773. Parameters: These parameters are displayed in the web interface: Table 19: 802.1X Statistics. Parameter, Description...
  • Page 345 | Security Measures | IP Source Guard | Interface: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 189: Showing Statistics for 802.1X Port Authenticator. IP Source Guard: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see...
  • Page 346 | Security Measures | IP Source Guard | Use the SIP-MAC option to check these same parameters, plus the source MAC address. If no matching entry is found, the packet is dropped. Multicast addresses cannot be used by IP Source Guard. When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see "DHCP Snooping"...
  • Page 347 | Security Measures | IP Source Guard | Interface: To set the IP Source Guard filter for ports: Click Security, IP Source Guard, Port Configuration. Set the required filtering type for each port. Click Apply. Figure 190: Setting the Filter Type for IP Source Guard. Configuring Static Use the Security >...
  • Page 348 | Security Measures | IP Source Guard | • If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding....
  • Page 349 | Security Measures | IP Source Guard | To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Show from the Action list. Figure 192: Displaying Static Bindings for IP Source Guard. Displaying Information for... Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface....
  • Page 350 | Security Measures | DHCP Snooping | Interface: To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query. Figure 193: Showing the IP Source Guard Binding Table. DHCP Snooping: The addresses assigned to DHCP clients on insecure ports can be carefully controlled...
  • Page 351 | Security Measures | DHCP Snooping | The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping....
  • Page 352 | Security Measures | DHCP Snooping | DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients....
  • Page 353 | Security Measures | DHCP Snooping | DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information. • Drop – Drops the client’s request packet instead of relaying it. • Keep – Retains the Option 82 information in the client request, and forwards the packets to trusted ports....
  • Page 354 | Security Measures | DHCP Snooping | When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled. When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table....
  • Page 355: Displaying DHCP Snooping Binding Information

    When DHCP snooping is enabled both globally and on a VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN. When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
  • Page 356 IP Address – IP address corresponding to the client. Lease Time (seconds) – The time for which this IP address is leased to the client. Type – Entry types include: - DHCP-Snooping – Dynamically snooped. ...
  • Page 357 Chapter | Basic Administration Protocols | Configuring Event Logging | Basic Administration Protocols: This chapter describes basic administration tasks including: Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 358: Table 20: Logging Levels

    Parameters – These parameters are displayed in the web interface: System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled) Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level.
  • Page 359: Basic Administration Protocols

    Figure 198: Configuring Settings for System Memory Logs. To show the error messages logged to system memory: Click Administration, Log, System. Select Show System Logs from the Step list. Click RAM or Flash. This page allows you to scroll through the logged system and event messages.
  • Page 360: Remote Log Configuration

    Remote Log Configuration: Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
  • Page 361: Sending Simple Mail Transfer Protocol Alerts

    Figure 200: Configuring Settings for Remote Logging of Error Messages. Sending Simple Mail Transfer Protocol Alerts: Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level.
  • Page 362: Link Layer Discovery Protocol

    Chapter | Basic Administration Protocols | Link Layer Discovery Protocol | Enable SMTP, specify a source email address, and select the minimum severity level. Specify the source and destination email addresses, and one or more SMTP servers. Click Apply. Figure 201: Configuring SMTP Alert Messages. Link Layer Discovery Protocol...
  • Page 363 Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds) This attribute must comply with the following rule: (Transmission Interval * Hold Time Multiplier) ≤ 65536, and Transmission Interval >= (4 * Delay Interval) Hold Time Multiplier –...
  • Page 364: Configuring LLDP Interface Attributes

    Enable LLDP, and modify any of the timing parameters as required. Click Apply. Figure 202: Configuring LLDP Timing Attributes. Configuring LLDP Interface Attributes: Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and...
  • Page 365 Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. - Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  • Page 366 - VLAN Name – The name of all VLANs to which this interface has been assigned (see "IEEE 802.1Q VLANs" on page 173 and "Protocol VLANs" on page 196). - Port And Protocol VLAN ID – The port-based and protocol-based VLANs configured on this interface (see "IEEE 802.1Q VLANs"...
  • Page 367: Displaying LLDP Local Device Information

    Displaying LLDP Local Device Information: Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information. CLI References...
  • Page 368 Table 22: System Capabilities (Continued) (columns: ID Basis, Reference) Router: IETF RFC 1812; Telephone: IETF RFC 2011; DOCSIS cable device: IETF RFC 2669 and IETF RFC 2670; End Station Only: IETF RFC 2011. System Capabilities Enabled –...
  • Page 369: Displaying LLDP Remote Port Information

    Figure 205: Displaying Local Device Information for LLDP (Port). Displaying LLDP Remote Port Information: Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an...
  • Page 370: Table 23: Port ID Subtype

    System Description – A textual description of the network entity. Management Address – The IPv4 address of the remote device. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  • Page 371: Table 24: Remote Port Auto-Negotiation Advertised Capability

    Port Details – 802.3 Extension Port Information Remote Port Auto-Neg Supported – Shows whether the given port (associated with remote system) supports auto-negotiation. Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636) which is associated with a port on the remote system.
  • Page 372 Remote Power MDI Supported – Shows whether MDI power is supported on the given port associated with the remote system. Remote Power Pair Controlable – Indicates whether the pair selection can be controlled for sourcing power on the given port associated with the remote system.
  • Page 373: Displaying Device Statistics

    Figure 207: Displaying Remote Device Information for LLDP (Port Details). Displaying Device Statistics: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 374 Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV. Frames Invalid – A count of all LLDPDUs received with one or more detectable errors.
  • Page 375: Simple Network Management Protocol

    Chapter | Basic Administration Protocols | Simple Network Management Protocol | Figure 209: Displaying LLDP Device Statistics (Port). Simple Network Management Protocol: Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
  • Page 376: Table 25: SNMPv3 Security Models and Levels

    v2c. The following table shows the security models and levels available and the system default settings. Table 25: SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security noAuthNoPriv public...
  • Page 377: Configuring Global Settings for SNMP

    Use the Administration > SNMP (Configure Engine) page to change the local engine ID. If you want to change the default engine ID, it must be changed before configuring other parameters. Use the Administration >...
  • Page 378: Setting the Local Engine ID

    Figure 210: Configuring Global Settings for SNMP. Setting the Local Engine ID: Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch.
  • Page 379: Specifying a Remote Engine ID

    Figure 211: Configuring the Local Engine ID for SNMP. Specifying a Remote Engine ID: Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 380 Figure 212: Configuring a Remote Engine ID for SNMP. To show the remote SNMP engine IDs: Click Administration, SNMP. Select Configure Engine from the Step list. Select Show Remote Engine from the Action list. Figure 213: Showing Remote Engine IDs for SNMP. Setting SNMPv3 Use the Administration >...
  • Page 381 View Name – Lists the SNMP views configured in the Add View page. OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string.
  • Page 382 Figure 215: Showing SNMP Views. To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Add OID Subtree from the Action list. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
  • Page 383: Configuring SNMPv3 Groups

    Figure 217: Showing the OID Subtree Configured for SNMP Views. Configuring SNMPv3 Groups: Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views.
  • Page 384: Table 26: Supported Notification Messages

    Table 26: Supported Notification Messages Model Level Group RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its...
  • Page 385 Table 26: Supported Notification Messages (Continued) Model Level Group swMainBoardVerMismatchNotificaiton 1.3.6.1.4.1.259.10.1.1.2.1.0.56 This trap is sent when the slave board version is mismatched with the master board version. This trap binds two objects, the first object indicates the master version, whereas the second represents the slave version.
  • Page 386: Setting Community Access Strings

    Figure 218: Creating an SNMP Group. To show SNMP groups: Click Administration, SNMP. Select Configure Group from the Step list. Select Show from the Action list. Figure 219: Showing SNMP Groups. Setting Community Use the Administration >...
  • Page 387 Parameters – These parameters are displayed in the web interface: Community String – A community string that acts like a password and permits access to the SNMP protocol. Range: 1-32 characters, case sensitive Default strings: “public”...
  • Page 388: Configuring Local SNMPv3 Users

    Figure 221: Showing Community Access Strings. Configuring Local SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
  • Page 389 Privacy Password – A minimum of eight plain text characters is required. Interface – To configure a local SNMPv3 user: Click Administration, SNMP. Select Configure User from the Step list. Select Add SNMPv3 Local User from the Action list. Enter a name and assign it to a group.
  • Page 390: Configuring Remote SNMPv3 Users

    Figure 223: Showing Local SNMPv3 Users. Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
  • Page 391 Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Authentication Password – A minimum of eight plain text characters is required. Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
  • Page 392: Specifying Trap Managers

    To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 225: Showing Remote SNMPv3 Users. Specifying Trap Use the Administration >...
  • Page 393 Create a local SNMPv3 user to use in the message exchange process (page 402). If the user specified in the trap configuration page does not exist, an SNMPv3 group will be automatically created using the name of the specified local user, and default settings for the read, write, and notify view.
  • Page 394 Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page. UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162) SNMP Version 3 IP Address –...
  • Page 395 Interface – To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 226: Configuring Trap Managers (SNMPv1). Figure 227: Configuring Trap Managers (SNMPv2c)
  • Page 396: Remote Monitoring

    Chapter | Basic Administration Protocols | Remote Monitoring | Figure 228: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 229: Showing Trap Managers. Remote Monitoring: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 397 The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group.
  • Page 398 not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. (Range: 1-65535) Rising Event Index – The index of the event to use if an alarm is triggered by monitored variables reaching or crossing above the rising threshold.
  • Page 399: Configuring RMON Alarms

    Figure 230: Configuring an RMON Alarm. To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 231: Showing Configured RMON Alarms. Configuring RMON Use the Administration >...
  • Page 400 Command Usage – If an alarm is already defined for an index, the entry must be deleted before any changes can be made. One default event is configured as follows: event Index = 1 Description: RMON_TRAP_LOG Event type: log &...
  • Page 401 Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event. Click Apply. Figure 232: Configuring an RMON Event. To show configured RMON events:...
  • Page 402 CLI References – "Remote Monitoring Commands" on page 717. Command Usage – Each index number equates to a port on the switch. If history collection is already enabled on an interface, the entry must be deleted before any changes can be made.
  • Page 403 Figure 234: Configuring an RMON History Sample. To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History.
  • Page 404: Configuring RMON Statistical Samples

    Figure 236: Showing Collected RMON History Samples. Configuring RMON Statistical Samples: Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
  • Page 405 Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply. Figure 237: Configuring an RMON Statistical Sample. To show configured RMON statistical samples: Click Administration, RMON.
  • Page 406 Click Statistics. Figure 239: Showing Collected RMON Statistical Samples...
  • Page 407: Multicast Filtering

    Chapter | Multicast Filtering | Overview | Multicast Filtering: This chapter describes how to configure the following multicast services: Layer 2 IGMP – Configures snooping and query parameters. Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. Layer 3 IGMP –...
  • Page 408: IGMP Protocol

    Chapter | Multicast Filtering | IGMP Protocol | router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
  • Page 409: Layer 2 IGMP (Snooping and Query)

    Chapter | Multicast Filtering | Layer 2 IGMP (Snooping and Query) | subnetworks. Therefore, when PIM routing is enabled for a subnet on the switch, IGMP is automatically enabled. Figure 241: IGMP Protocol (diagram labels: Network core (multicast routing); Edge switches (snooping and query); Switch to end nodes (snooping on IGMP clients)). Layer 2 IGMP (S...
  • Page 410 Note: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN. Note: IGMP snooping will not function unless a multicast router port is enabled on the switch.
  • Page 411: Configuring IGMP Snooping and Query Parameters

    Configuring IGMP Snooping and Query Parameters: Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 412 When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that neither specific queries nor general queries are forwarded from an upstream multicast router to hosts downstream...
  • Page 413 As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DOS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with a large source list and the Maximum Response Time set to a large value.
  • Page 414 Adjust the IGMP settings as required. Click Apply. Figure 242: Configuring General Settings for IGMP Snooping. Specifying Static Interfaces for a ... Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.
  • Page 415 Interface – To specify a static interface attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Add Static Multicast Router from the Action list. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
  • Page 416: Assigning Interfaces To Multicast Services

    switch or statically assigned to an interface on the switch. To show all the interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 417 Multicast IP – The IP address for a specific multicast service. Interface – To statically assign an interface to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Add Static Member from the Action list. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an IGMP-enabled switch or multicast router), and enter the multicast IP address.
  • Page 418: Setting IGMP Snooping Status per Interface

    To display information about all multicast groups, IGMP Snooping or multicast routing must first be enabled on the switch. To show all of the interfaces statically or dynamically assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member.
  • Page 419 Multicast Router Discovery uses the following three message types to discover multicast routers: Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.
  • Page 420 When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. Version Exclusive – Discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the IGMP Version attribute.
  • Page 421 Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.
  • Page 422 Many hosts do not implement RFC 4541, and therefore do not understand query messages with the source address of 0.0.0.0. These hosts will therefore not reply to the queries, causing the multicast router to stop sending traffic to them. To resolve this problem, the source address in proxied IGMP query messages can be replaced with any valid unicast address (other than the router’s own address).
  • Page 423: Filtering IGMP Query Packets and Multicast Data

    Figure 250: Showing Interface Settings for IGMP Snooping. Filtering IGMP Query Packets and Multicast Data: Use the Multicast > IGMP Snooping > Interface (Configure Port/Trunk) page to configure an interface to drop IGMP query packets or multicast data packets. CLI References...
  • Page 424 Figure 251: Dropping IGMP Query or Multicast Data Packets. Displaying Multicast Groups Discovered by IGMP Snooping: Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. CLI References...
  • Page 425 Chapter | Multicast Filtering | Filtering and Throttling IGMP Groups | Figure 252: Showing Multicast Groups Learned by IGMP Snooping. Filtering and Throttling IGMP Groups: In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
  • Page 426 Interface – To enable IGMP filtering and throttling on the switch: Click Multicast, IGMP Snooping, Filtering. Select Configure General from the Action list. Enable IGMP Filter Status. Click Apply. Figure 253: Enabling IGMP Filtering and Throttling. Configuring IGMP Use the Multicast >...
  • Page 427 Start Multicast IP Address – Specifies the starting address of a range of multicast groups. End Multicast IP Address – Specifies the ending address of a range of multicast groups. Interface – To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filtering.
  • Page 428 Click Apply. Figure 256: Adding Multicast Groups to an IGMP Filtering Profile. To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filtering. Select Show Multicast Group Range from the Action list. Select the profile for which to display this information.
  • Page 429 Parameters – These parameters are displayed in the web interface: Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
  • Page 430 Chapter | Multicast Filtering | Layer 3 IGMP (Query used with Multicast Routing) | IGMP Snooping – IGMP Snooping (page 429) is a key part of the overall set of functions required to support multicast filtering. It is used to passively monitor IGMP service requests from multicast clients, and dynamically configure the switch ports which need to forward multicast traffic.
  • Page 431 CLI References – "IGMP Proxy Routing" on page 1048. Figure 259: IGMP Proxy Routing...
  • Page 432 Enable IP multicasting globally on the router (see "Configuring Global Settings for Multicast Routing" on page 600). Enable IGMP on the downstream interfaces which require proxy multicast service (see "Configuring IGMP Interface Parameters"...
  • Page 433 Interface – To configure IGMP Proxy Routing: Click Multicast, IGMP, Proxy. Select the upstream interface, enable the IGMP Proxy Status, and modify the interval for unsolicited IGMP reports if required. Click Apply.
  • Page 434 CLI References – "IGMP (Layer 3)" on page 1038. Parameters – These parameters are displayed in the web interface: VLAN – VLAN interface bound to a primary IP address. (Range: 1-4093) IGMP Protocol Status –...
  • Page 435 receiving a group-specific or group-source-specific leave message. (Range: 0-255 tenths of a second; Default: 1 second) When the switch receives an IGMPv2 or IGMPv3 leave message from a host that wants to leave a multicast group, source or channel, it sends a number of group-specific or group-source-specific query messages as defined by the Last Member Query Count at intervals defined by the Last Member Query Interval.
  • Page 436 outside of the SSM address range is specified, and a specific source address is included in the command, the request to join the multicast group will also fail if the next node up the reverse path tree has enabled the PIM-SSM protocol.
  • Page 437 To display configured static IGMP groups: Click Multicast, IGMP, Static Group. Select Show from the Action list. Click Apply. Figure 263: Showing Static IGMP Groups. Displaying Multicast Group Information: When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP.
  • Page 438 | Multicast Filtering HAPTER Layer 3 IGMP (Query used with Multicast Routing) Group Address – IP multicast group address with subscribers directly attached or downstream from the switch. Last Reporter – The IP address of the source of the last membership report received for this multicast group address on this interface.
  • Page 439 | Multicast Filtering HAPTER Layer 3 IGMP (Query used with Multicast Routing)  Up Time – The time elapsed since this entry was created. (Depending on the elapsed time, information may displayed for w:weeks, d:days, h:hours, m:minutes, or s:seconds.)  V3 Expire – The time remaining before this entry will be aged out. The V3 label indicates that the expire time is only provided for sources learned through IGMP Version 3.
  • Page 440 | Multicast Filtering: Multicast VLAN Registration. Figure 265: Displaying Multicast Groups Learned from IGMP (Detail). MULTICAST VLAN REGISTRATION: Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
  • Page 441 | [Figure 266: MVR Concept] COMMAND USAGE: General Configuration Guidelines for MVR: Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see "Configuring Global MVR Settings"...
  • Page 442 | Configuring Global MVR Settings: Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
  • Page 443 | Figure 267: Configuring Global Settings for MVR. Configuring the MVR Group Range: Use the Multicast > MVR (Configure Group Range) page to assign the multicast group address for each service to the MVR VLAN. CLI REFERENCES: "Multicast VLAN Registration"...
  • Page 444 | Select Add from the Action list. Add the multicast groups that will stream traffic to participating hosts. Click Apply. Figure 268: Configuring the Group Range for MVR. To show the multicast groups assigned to the MVR VLAN: Click Multicast, MVR.
  • Page 445 | dynamically join or leave multicast groups within an MVR VLAN. Multicast groups can also be statically assigned to a receiver port (see "Assigning Static Multicast Groups to Interfaces" on page 464). Receiver ports should not be statically configured as a member of the MVR VLAN. If so configured, its MVR status will be inactive.
  • Page 446 | MVR Status – Shows the MVR status. MVR status for source ports is “Active” if MVR is globally enabled on the switch. MVR status for receiver ports is “Active” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 447 | Group IP Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR group range configured on the Configure General page. INTERFACE: To assign a static MVR group to a port: Click Multicast, MVR.
  • Page 448 | Figure 272: Showing the Static MVR Groups Assigned to a Port. Showing Multicast Groups Assigned to Interfaces: Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR VLAN on each interface. CLI REFERENCES...
  • Page 449 | Figure 273: Showing All MVR Groups Assigned to a Port
  • Page 451: IP Configuration

    IP Configuration: Setting the Switch’s IP Address (IP Version 4). This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types.
  • Page 452 | The precedence for configuring IP interfaces is the IP > General > Routing Interface (Add) menu, static routes (page 503), and then dynamic routing. PARAMETERS: These parameters are displayed in the web interface: VLAN –...
  • Page 453 | Figure 274: Configuring a Static IPv4 Address. To obtain a dynamic address through DHCP/BOOTP for the switch: Click IP, General, Routing Interface. Select Add from the Action list. Select any configured VLAN, and set IP Address Mode to “BOOTP”...
  • Page 454 | IP Configuration: Setting the Switch’s IP Address (IP Version 6). Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch.
  • Page 455 | Configuring the IPv6 Default Gateway: Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch. CLI REFERENCES: "ipv6 default-gateway" on page 1136. PARAMETERS: These parameters are displayed in the web interface: Default Gateway –...
  • Page 456 | COMMAND USAGE: The switch must be configured with a link-local address. The option to explicitly enable IPv6 creates a link-local address, but will not generate a global IPv6 address.
  • Page 457 | ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600, Default: ) Configuring a value of 0 disables duplicate address detection. ...
  • Page 458 | Select Enable IPv6 Explicitly to automatically configure a link-local address and enable IPv6 on the selected interface. (To manually configure the link-local address, use the Add IPv6 Address page.) Set the MTU size, the maximum number of duplicate address detection messages, and the neighbor solicitation message interval.
  • Page 459 | It can be manually configured by specifying the entire network prefix and prefix length, and using the EUI-64 form of the interface identifier to automatically create the low-order 64 bits in the host portion of the address. ...
  • Page 460 | For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A.
  • Page 461 | PARAMETERS: These parameters are displayed in the web interface: VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1.
  • Page 462: Table 27: Show IPv6 Neighbors - Display Description

    Figure 280: Showing Configured IPv6 Addresses. Showing the IPv6 Neighbor Cache: Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices. CLI REFERENCES: "show ipv6 neighbors"...
  • Page 463 | Table 27: Show IPv6 Neighbors - display description (Continued). Field | Description. The following states are used for static entries: Incomplete - The interface for this entry is down. Permanent - Indicates a static entry.
  • Page 464: Table 28: Show IPv6 Statistics - Display Description

    about more suitable routes (that is, the next hop router) to use for a specific destination. UDP – User Datagram Protocol provides a datagram mode of packet switched communications.
  • Page 465 | Table 28: Show IPv6 Statistics - display description (Continued). Field | Description. Reassembled Failed | The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
  • Page 466 | Table 28: Show IPv6 Statistics - display description (Continued). Field | Description. Neighbor Advertisement Messages | The number of ICMP Neighbor Advertisement messages received by the interface. Redirect Messages | The number of Redirect messages received by the interface. Group Membership Query Messages | The number of ICMPv6 Group Membership Query messages received by...
  • Page 467 | INTERFACE: To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP. Figure 282: Showing IPv6 Statistics (IPv6)
  • Page 468 | Figure 283: Showing IPv6 Statistics (ICMPv6). Figure 284: Showing IPv6 Statistics (UDP)
  • Page 469: Table 29: Show MTU - Display Description

    Showing the MTU for Responding...: Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 471 | General IP Routing: Overview. This chapter provides information on network functions including: Ping – Sends ping message to another node on the network. Trace – Sends ICMP echo request packets to another node on the network. Address Resolution Protocol –...
  • Page 472 | General IP Routing: IP Routing and Switching. [Figure 286: Virtual Interfaces and Layer 3 Routing] IP ROUTING AND...
  • Page 473 | If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
  • Page 474 | General IP Routing: Configuring IP Routing Interfaces. Configuring Local and Remote...: Use the IP > General > Routing Interface page to configure routing interfaces for directly connected IPv4 subnets (see "Setting the Switch’s IP Address (IP Version 4)" on page 469).
  • Page 475 | CLI REFERENCES: "ping" on page 1126. PARAMETERS: These parameters are displayed in the web interface: IP Address – IP address of the host. Probe Count – Number of packets to send. (Range: 1-16) Packet Size –...
  • Page 476 | Figure 287: Pinging a Network Device. Using the Trace Route Function: Use the IP > General > Trace Route page to show the route packets take to the specified destination. CLI REFERENCES: "traceroute"...
  • Page 477: Table 30: Address Resolution Protocol

    General IP Routing: Address Resolution Protocol. Specify the target device. Click Apply. Figure 288: Tracing the Route to a Network Device. ADDRESS RESOLUTION PROTOCOL: If IP routing is enabled (page 541), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next.
  • Page 478 | When devices receive this request, they discard it if their address does not match the destination IP address in the message. However, if it does match, they write their own hardware address into the destination MAC address field and send the message back to the source hardware address.
  • Page 479 | Proxy ARP – Enables or disables Proxy ARP for specified VLAN interfaces, allowing a non-routing device to determine the MAC address of a host on another subnet or network. (Default: Disabled) End stations that require Proxy ARP must view the entire network as a single network.
  • Page 480 | A static entry may need to be used if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out. Static entries will not be aged out or deleted when power is reset.
  • Page 481 | Figure 292: Displaying Static ARP Entries. Displaying Dynamic or Local ARP...: The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages.
  • Page 482: Table 31: ARP Statistics

    Figure 294: Displaying Local ARP Entries. Displaying ARP Statistics: Use the IP > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this router. CLI REFERENCES: "show ip traffic"...
  • Page 483 | General IP Routing: Configuring Static Routes. This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP or OSPF). However, you can also manually enter static routes in the routing table using the IP > Routing > Static Routes (Add) page. Static routes may be required to access network segments where dynamic routing is not supported, or can be set to force the use of a specific route to a subnet, rather than using dynamic routing.
  • Page 484 | General IP Routing: Displaying the Routing Table. Select Add from the Action List. Enter the destination address, subnet mask, and next hop router. Click Apply. Figure 296: Configuring Static Routes. To display static routes: Click IP, Routing, Static Routes. Select Show from the Action List.
  • Page 485 | COMMAND USAGE: The Forwarding Information Base (FIB) contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
  • Page 486 | General IP Routing: Equal-cost Multipath Routing. Figure 298: Displaying the Routing Table. EQUAL-COST MULTIPATH ROUTING: Use the IP > Routing > Routing Table (Configure ECMP Number) page to configure the maximum number of equal-cost paths that can transmit traffic to the same destination.
  • Page 487 | to 256 total ECMP entries in ASIC for fast switching, with any additional entries handled by software routing. When there are multiple paths toward the same destination with equal-cost, the system chooses one of these paths to forward each packet toward the destination by applying a load-splitting algorithm.
  • Page 489 | Configuring Router Redundancy. Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
  • Page 490 | Configuring Router Redundancy: Configuring VRRP Groups. Router 1: VRID 23 (Master), IP(R1) = 192.168.1.3, IP(VR23) = 192.168.1.3, VR Priority = 255; VRID 25 (Backup), IP(R1) = 192.168.1.3... Router 2: VRID 23 (Backup), IP(R1) = 192.168.1.5, IP(VR23) = 192.168.1.3, VR Priority = 100; VRID 25 (Master), IP(R1) = 192.168.1.5...
  • Page 491 | If you have multiple secondary addresses configured on the current VLAN interface, you can add any of these addresses to the virtual router group. The interfaces of all routers participating in a virtual router group must be within the same IP subnet.
  • Page 492 | IP Address – Virtual IP address for this group. Use the IP address of a real interface on this router to make it the master virtual router for the group. Otherwise, use the virtual address for an existing group to make it a backup router, or to compete as the master based on configured priority if no other members are set as the owner of the group address.
  • Page 493 | When a VRRP packet is received from another router in the group, its authentication string is compared to the string configured on this router. If the strings match, the message is accepted. Otherwise, the packet is discarded. State –...
  • Page 494 | Figure 304: Showing Configured VRRP Groups. To configure the virtual router address for a VRRP group: Click IP, VRRP. Select Configure Group ID from the Step List. Select Add IP Address from the Action List. Select a VLAN, a VRRP group identifier, and enter the IP address for the virtual router.
  • Page 495 | Figure 306: Showing the Virtual Addresses Assigned to VRRP Groups. To configure detailed settings for a VRRP group: Click IP, VRRP. Select Configure Group ID from the Step List. Select Configure Detail from the Action List. Select a VRRP group identifier, and set any of the VRRP protocol parameters as required.
  • Page 496 | Configuring Router Redundancy: Displaying VRRP Global Statistics. Use the IP > VRRP (Show Statistics – Global Statistics) page to display counters for errors found in VRRP protocol packets. CLI REFERENCES: "show vrrp router counters" on page 1119. PARAMETERS: These parameters are displayed in the web interface: VRRP Packets with Invalid Checksum –...
  • Page 497: Table 32: VRRP Group Statistics

    Configuring Router Redundancy: Displaying VRRP Group Statistics. PARAMETERS: These parameters are displayed in the web interface: VLAN ID – VLAN configured with an IP interface. (Range: 1-4093) VRID – VRRP group identifier. (Range: 1-255) The following statistics are displayed in the web interface: Table 32: VRRP Group Statistics. Parameter | Description...
  • Page 498 | Figure 309: Showing Counters for Errors Found in a VRRP Group
  • Page 499 | IP Services: Domain Name Service. This chapter describes the following IP services: DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. DHCP Client – Specifies the DHCP client identifier for an interface. DHCP Relay –...
  • Page 500 | PARAMETERS: These parameters are displayed in the web interface: Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 501 | When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers"...
  • Page 502 | Configuring a List of Name Servers: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI REFERENCES: "ip name-server"...
  • Page 503 | Figure 314: Showing the List of Name Servers for DNS. Configuring Static DNS Host to Address Entries: Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses. CLI REFERENCES...
  • Page 504 | Figure 315: Configuring Static Entries in the DNS Table. To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 316: Showing Static Entries in the DNS Table. Displaying the DNS...: Use the IP Service >...
  • Page 505 | IP Services: Dynamic Host Configuration Protocol. PARAMETERS: These parameters are displayed in the web interface: No. – The entry number for each resource record. Flag – The flag is always “4” indicating a cache entry and therefore unreliable. Type –...
  • Page 506 | CLI REFERENCES: "ip dhcp client class-id" on page 1094. COMMAND USAGE: The class identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
  • Page 507 | packet to the DHCP server. When the server receives the DHCP request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client’s subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch). This switch then broadcasts the DHCP response received from the server to the client.
  • Page 508: DHCP Server

    Figure 320: Configuring DHCP Relay Service. Configuring the DHCP Server: This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service. It can also provide other network settings such as the domain name, default gateway, Domain Name Servers (DNS), Windows Internet Naming Service (WINS) name servers, or...
  • Page 509 | PARAMETERS: These parameters are displayed in the web interface: DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled) INTERFACE: To enable the DHCP server: Click IP Service, DHCP, Server. Select Configure Global from the Step list.
  • Page 510 | Select Configure Excluded Addresses from the Step list. Select Add from the Action list. Enter a single address or an address range. Click Apply. Figure 323: Configuring Excluded Addresses on the DHCP Server. To show the IP addresses excluded for DHCP clients: Click IP Service, DHCP, Server.
  • Page 511 | specified in a host address pool must fall within the range of a configured network address pool. When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server).
  • Page 512 | Setting Optional Parameters: Default Router – The IP address of the primary and alternate gateway router. The IP address of the router should be on the same subnet as the client. DNS Server – The IP address of the primary and alternate DNS server. DNS servers must be configured for a DHCP client to map host names to IP addresses.
  • Page 513 | Figure 325: Configuring DHCP Server Address Pools (Network). Figure 326: Configuring DHCP Server Address Pools (Host). To show the configured DHCP address pools: Click IP Service, DHCP, Server. Select Configure Pool from the Step list. Select Show from the Action list.
  • Page 514 | Figure 327: Showing Configured DHCP Server Address Pools. DISPLAYING ADDRESS BINDINGS: Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch’s DHCP server. CLI REFERENCES: "show ip dhcp binding"...
  • Page 515 | IP Services: Forwarding UDP Service Requests. This section describes how this switch can forward UDP broadcast packets originating from host applications to another part of the network when a local application server is not available. COMMAND USAGE: Network hosts occasionally use UDP broadcasts to determine information such as...
  • Page 516 | Specifying UDP Destination Ports: Use the IP Service > UDP Helper > Forwarding page to specify the UDP destination ports for which broadcast traffic will be forwarded when the UDP helper is enabled. CLI REFERENCES: "ip forward-protocol udp"...
  • Page 517 | To show the configured UDP destination ports: Click IP Service, UDP Helper, Forwarding. Select Show from the Action list. Figure 331: Showing the UDP Destination Ports. Specifying the Target Server or...: Use the IP Service > UDP Helper > Address page to specify the application server or subnet (indicated by a directed broadcast address) to which designated UDP broadcast packets are forwarded.
  • Page 518 | PARAMETERS: These parameters are displayed in the web interface: VLAN ID – VLAN identifier (Range: 1-4093) IP Address – Host address or directed broadcast address to which UDP broadcast packets are forwarded. (Range: 1-65535) INTERFACE: To specify the target server or subnet for forwarding UDP request packets: Click IP Service, UDP Helper, Address.
  • Page 521 | Unicast Routing HAPTER Overview NICAST OUTING This chapter describes how to configure the following unicast routing protocols: – Configures Routing Information Protocol. OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4. VERVIEW This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol.
  • Page 522 | Unicast Routing HAPTER Configuring the Routing Information Protocol ONFIGURING THE OUTING NFORMATION ROTOCOL The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost.
  • Page 523 | Unicast Routing HAPTER Configuring the Routing Information Protocol ONFIGURING Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers. ENERAL ROTOCOL ETTINGS RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
  • Page 524 | Unicast Routing HAPTER Configuring the Routing Information Protocol The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics. It is advisable to use a low metric when redistributing routes from another protocol into RIP.
  • Page 525 | Unicast Routing HAPTER Configuring the Routing Information Protocol Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes. (Range: 5-2147483647 seconds; Default: 30 seconds) Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates.
  • Page 526 | Unicast Routing HAPTER Configuring the Routing Information Protocol Figure 335: Configuring General Settings for RIP Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the LEARING NTRIES routing table based on route type or a specific network address. FROM THE OUTING ABLE...
  • Page 527 | Unicast Routing HAPTER Configuring the Routing Information Protocol Clear Route By Network – Clears a specific route based on its IP address and prefix length.  Network IP Address – Deletes all related entries for the specified network address. ...
  • Page 528 | Unicast Routing HAPTER Configuring the Routing Information Protocol  Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address. This mask identifies the network address bits used for the associated routing entries.
  • Page 529 | Unicast Routing HAPTER Configuring the Routing Information Protocol PECIFYING ASSIVE Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface. NTERFACES CLI R EFERENCES "passive-interface" on page 1182 OMMAND SAGE Network interfaces can be configured to stop RIP broadcast and multicast...
  • Page 530 | Unicast Routing HAPTER Configuring the Routing Information Protocol Figure 340: Showing Passive RIP Interfaces Use the Routing Protocol > RIP > Passive Interface (Add) page to configure this router PECIFYING TATIC to directly exchange routing information with a static neighbor (specifically for point-to- EIGHBORS point links), rather than relying on broadcast or multicast messages generated by the RIP protocol.
  • Page 531 | Unicast Routing HAPTER Configuring the Routing Information Protocol To show static RIP neighbors: Click Routing Protocol, RIP, Neighbor Address. Select Show from the Action list. Figure 342: Showing Static RIP Neighbors Use the Routing Protocol > RIP > Redistribute (Add) page to import external routing ONFIGURING OUTE information from other routing domains (that is, directly connected routes, protocols,...
  • Page 532 | Unicast Routing: Configuring the Routing Information Protocol | For example, this can occur if there are multiple redistribution points and the router learns about the same external network with a better metric from a redistribution point other than that derived from the original source. Interface: To import external routing information from other routing domains: Click Routing Protocol, RIP, Redistribute.
  • Page 533 | Unicast Routing: Configuring the Routing Information Protocol | Command Usage: Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols. A smaller administrative distance indicates a more reliable protocol.
  • Page 534 | Unicast Routing: Configuring the Routing Information Protocol | Figure 345: Setting the Distance Assigned to External Routes. To show the distance assigned to external routes learned from other routing protocols: Click Routing Protocol, RIP, Distance. Select Show from the Action list. Figure 346: Showing the Distance Assigned to External Routes. Configuring ...: Use the Routing Protocol >...
  • Page 535 | Unicast Routing: Configuring the Routing Information Protocol | • Use “RIPv1” or “RIPv2” if all routers in the local network are based on RIPv1 or RIPv2, respectively. • Use “RIPv1 Compatible” to propagate route information by broadcasting to other routers on the network using the RIPv2 advertisement list, instead of multicasting as normally required by RIPv2.
  • Page 536 | Unicast Routing: Configuring the Routing Information Protocol | Send Version – The RIP version to send on an interface. • RIPv1: Sends only RIPv1 packets. • RIPv2: Sends only RIPv2 packets. • RIPv1 Compatible: Route information is broadcast to other routers with RIPv2.
  • Page 537 | Unicast Routing: Configuring the Routing Information Protocol | • Split Horizon – This method never propagates routes back to an interface from which they have been acquired. • Poison Reverse – This method propagates routes back to an interface from which they have been acquired, but sets the distance-vector metrics to infinity.
  • Page 538 | Unicast Routing: Configuring the Routing Information Protocol | Figure 348: Showing RIP Network Interface Settings. Displaying ... Interface Settings: Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings. CLI References: "show ip rip"...
  • Page 539 | Unicast Routing: Configuring the Routing Information Protocol | Figure 349: Showing RIP Interface Settings. Displaying ... Router Information: Use the Routing Protocol > RIP > Statistics (Show Peer Information) page to display information on neighboring RIP routers. CLI References: "show ip protocols rip"...
  • Page 540 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | CLI References: no comparable command. Interface: To reset RIP statistics: Click Routing Protocol, RIP, Statistics. Select Reset Statistics from the Action list. Click Reset. Figure 351: Resetting RIP Statistics. Configuring the Open Shortest Path First...
  • Page 541 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 352: Configuring OSPF (network diagram). Command Usage: OSPF looks at more than just the simple hop count.
  • Page 542 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | • And finally, you must specify a virtual link to any OSPF area that is not physically attached to the OSPF backbone. Virtual links can also be used to provide a redundant link between contiguous areas to prevent areas from being partitioned, or to merge backbone areas.
  • Page 543 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Command Usage: Specify an Area ID and the corresponding network address range for each OSPF broadcast area. Each area identifies a logical group of OSPF routers that actively exchange Link State Advertisements (LSAs) to ensure that they share an identical view of the network topology.
  • Page 544 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Configure a backbone area that is contiguous with all the other areas in the network, and configure an area for all of the other OSPF interfaces. Click Apply. Figure 354: Defining OSPF Network Areas Based on Addresses. To show the OSPF areas and the assigned interfaces: Click Routing Protocol, OSPF, Network Area.
  • Page 545 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Configuring General Protocol ...: To implement dynamic OSPF routing, first assign VLAN groups to each IP subnet to which this router will be attached (as described in the preceding section), then use the Routing Protocol >...
  • Page 546 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Using a low value for the delay and hold time allows the router to switch to a new path faster, but uses more CPU processing time. Default Metric – The default metric for external routes imported from other protocols.
  • Page 547 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Default External Metric – Metric assigned to the default route. (Range: 0-16777215; Default: 20) The metric for the default external route is used to calculate the path cost for traffic passed from other routers within the AS out through the ASBR.
  • Page 548: Table 33: OSPF System Information

    | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Parameters: These parameters are displayed in the web interface: Table 33: OSPF System Information (columns: Parameter, Description). Router ID Type: Indicates if the router ID was manually configured or automatically generated by the system.
  • Page 549 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 359: Showing General Settings for OSPF. Adding an NSSA ...: Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub).
  • Page 550 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Select a Process ID, enter the area identifier, and set the area type to NSSA or Stub. Click Apply. Figure 360: Adding an NSSA or Stub. To show the NSSA or stubs added to the specified OSPF domain: Click Routing Protocol, OSPF, Area.
  • Page 551 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | An NSSA can also import external routes from one or more small routing domains that are not part of the AS, such as a RIP domain or locally configured static routes. This external AS routing information is generated by the NSSA’s ASBR and advertised only within the NSSA.
  • Page 552 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Area ID – Identifier for a not-so-stubby area (NSSA). Translator Role – Indicates NSSA-ABR translator role for converting Type 7 external LSAs into Type 5 external LSAs. These roles include: •...
  • Page 553 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Interface: To configure protocol settings for an NSSA: Click Routing Protocol, OSPF, Area. Select Configure Area from the Step list. Select Configure NSSA Area from the Action list. Select a Process ID, and modify the routing behavior for an NSSA.
  • Page 554 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | CLI References: "router ospf" on page 1195, "area default-cost" on page 1200, "area stub" on page 1207. Command Usage: Before creating a stub, first specify the address range for the area (see "Defining Network Areas Based on Addresses"...
  • Page 555 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Select a Process ID, and modify the routing behavior for a stub. Click Apply. Figure 365: Configuring Protocol Settings for a Stub. Displaying ...: Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas.
  • Page 556 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 366: Displaying Information on NSSA and Stub Areas. Configuring ... Ranges ... Route ...: An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
  • Page 557 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Parameters: These parameters are displayed in the web interface: Process ID – Process ID as configured in the Network Area configuration screen (see page 562). Area ID – Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address, or also as a four octet unsigned integer ranging from 0-4294967295.
  • Page 558 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 369: Showing Configured Route Summaries. Redistributing External Routes: Use the Routing Protocol > OSPF > Redistribute (Add) page to import external routing information from other routing protocols, static routes, or directly connected routes into the autonomous system, and to generate AS-external-LSAs.
  • Page 559 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Metric Type – Indicates the method used to calculate external route costs. (Options: Type 1, Type 2; Default: Type 1) Metric type specifies the way to advertise routes to destinations outside the autonomous system (AS) through External LSAs.
  • Page 560 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Click Routing Protocol, OSPF, Redistribute. Select Show from the Action list. Select the process ID. Figure 372: Showing Imported External Route Types. Configuring Summary ...: Redistributing routes from other protocols into OSPF normally requires the router to advertise each route individually in an external LSA as described in the preceding...
  • Page 561 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | IP Address – Summary address covering a range of addresses. Netmask – Network mask for the summary route. Interface: To configure the router to summarize external routing information: Click Routing Protocol, OSPF, Summary Address.
  • Page 562 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | interfaces), and then use the Network Area configuration page to assign an interface address range to an OSPF area. After assigning a routing interface to an OSPF area, use the Routing Protocol > OSPF >...
  • Page 563 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | If a DR already exists for an area when this interface comes up, the new router will accept the current DR regardless of its own priority. The DR will not change until the next time the election process is initiated.
  • Page 564 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | packet is discarded. This method provides very little security as it is possible to learn the authentication key by snooping on routing protocol packets. When using Message-Digest 5 (MD5) authentication, the router uses the MD5 algorithm to verify data integrity by creating a 128-bit message digest from the authentication key.
  • Page 565 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 375: Configuring Settings for All Interfaces Assigned to a VLAN. To configure interface settings for a specific area assigned to a VLAN: Click Routing Protocol, OSPF, Interface. Select Configure by Address from the Action list.
  • Page 566 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 376: Configuring Settings for a Specific Area Assigned to a VLAN. To show the configuration settings for OSPF interfaces: Click Routing Protocol, OSPF, Interface. Select Show from the Action list. Select the VLAN ID.
  • Page 567 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 378: Showing MD5 Authentication Keys. Configuring Virtual Links: Use the Routing Protocol > OSPF > Virtual Link (Add) and (Configure Detailed Settings) pages to configure a virtual link from an area that does not have a direct physical connection to the OSPF backbone.
  • Page 568 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | "area virtual-link" on page 1208. Command Usage: Use the Add page to create a virtual link, and then use the Configure Detailed Settings page to set the protocol timers and authentication settings for the link. The parameters to be configured on the Configure Detailed Settings page are described under "Configuring OSPF Interfaces"...
  • Page 569 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Select the process ID. Figure 381: Showing Virtual Links. To configure detailed settings for a virtual link: Click Routing Protocol, OSPF, Virtual Link. Select Configure Detailed Settings from the Action list. Specify the process ID, then modify the protocol timers and authentication settings as required.
  • Page 570 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 383: Showing MD5 Authentication Keys. Displaying ... State Database ...: Use the Routing Protocol > OSPF > Information (LSDB) page to show the Link State Advertisements (LSAs) sent by OSPF routers advertising routes. The full collection of LSAs collected by a router interface from the attached area is known as a link state...
  • Page 571 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Parameters: These parameters are displayed in the web interface: Process ID – Process ID as configured in the Network Area configuration screen (see page 562). Query by – The LSA database can be searched using the following criteria: •...
  • Page 572 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | Figure 384: Displaying Information in the Link State Database. Displaying Information on Neighboring ...: Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface. CLI R...
  • Page 573 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2) | • Attempt – Connection down, but attempting contact (non-broadcast networks) • Init – Have received Hello packet, but communications not yet established • Two-way – Bidirectional communications established •...
  • Page 574 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2)
  • Page 575 | Multicast Routing: Overview | This chapter describes the following multicast routing topics: Enabling Multicast Routing Globally – Describes how to globally enable multicast routing. Displaying the Multicast Routing Table – Describes how to display the multicast routing table. Configuring PIM for IPv4 –...
  • Page 576 | Multicast Routing: Overview | mentioned above, it does not maintain its own routing table, but instead, uses the routing table provided by whatever unicast routing protocol is enabled on the router interface. When the router receives a multicast packet for a source-group pair, PIM-DM checks the unicast routing table on the inbound interface to determine if this is the same interface used for routing unicast packets to the multicast source network.
  • Page 577 | Multicast Routing: Overview | Designated Router (DR) – A DR advertising the highest priority in its hello messages is elected for each subnet. The DR is responsible for collecting information from the subnet about multicast clients that want to join or leave a group. Join messages from the DR (receiver) for each group are sent towards the RP, and data from multicast sources is sent to the RP.
  • Page 578 | Multicast Routing: Configuring Global Settings for Multicast Routing | To use multicast routing on this router, first globally enable multicast routing as described in this section, then specify the interfaces that will employ multicast routing protocols (PIM-DM or PIM-SM for IPv4 on page 604, or PIM-DM for IPv6 on...
  • Page 579 | Multicast Routing: Configuring Global Settings for Multicast Routing | Displaying the Multicast Routing ...: Use the Multicast > Multicast Routing > Information page to display information on each multicast route it has learned through PIM. The router learns multicast routes from neighboring routers, and also advertises these routes to its neighbors.
  • Page 580 | Multicast Routing: Configuring Global Settings for Multicast Routing | Source Mask – Network mask for the IP multicast source. Upstream Neighbor – The multicast router (RPF Neighbor) immediately upstream for this group. Upstream Interface – Interface leading to the upstream neighbor. Up Time –...
  • Page 581 | Multicast Routing: Configuring Global Settings for Multicast Routing | Interface: To display the multicast routing table: Click Multicast, Multicast Routing, Information. Select Show Summary from the Action List. Figure 387: Displaying the Multicast Routing Table. To display detailed information on a specific flow in multicast routing table: Click Multicast, Multicast Routing, Information.
  • Page 582 | Multicast Routing: Configuring PIM for IPv4 | This section describes how to configure PIM-DM and PIM-SM for IPv4. Enabling PIM Globally: Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router. CLI References...
  • Page 583 | Multicast Routing: Configuring PIM for IPv4 | PIM and IGMP proxy cannot be used at the same time. When an interface is set to use PIM Dense mode or Sparse mode, IGMP proxy cannot be enabled on any interface of the device (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 584 | Multicast Routing: Configuring PIM for IPv4 | When a router is booted or first configured to use PIM, it sends an initial hello message, and then sets its Hello timer to the configured value. If a router does not hear from a neighbor for the period specified by the Hello Holdtime, that neighbor is dropped.
  • Page 585 | Multicast Routing: Configuring PIM for IPv4 | The override interval and propagation delay are used to calculate the LAN prune delay. If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message, then the propagation delay represents the time required for the LAN prune delay message to be propagated down from the upstream router to all downstream routers attached to the same VLAN interface.
  • Page 586 | Multicast Routing: Configuring PIM for IPv4 | The router with the highest priority configured on an interface is elected as the DR. If more than one router attached to this interface uses the same priority, then the router with the highest IP address is elected to serve as the DR. If a router does not advertise a priority in its hello messages, it is assumed to have the highest priority and is elected as the DR.
  • Page 587 | Multicast Routing: Configuring PIM for IPv4 | Figure 390: Configuring PIM Interface Settings (Dense Mode). Figure 391: Configuring PIM Interface Settings (Sparse Mode).
  • Page 588 | Multicast Routing: Configuring PIM for IPv4 | Displaying Neighbor Information: Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers. CLI References: "show ip pim neighbor" on page 1281. Parameters: These parameters are displayed in the web interface: Address –...
  • Page 589 | Multicast Routing: Configuring PIM for IPv4 | toward the RP. (Range: VLAN 1-4094; Default: The IP address of the DR’s outgoing interface that leads back to the RP) When the source address of a register message is filtered by intermediate network devices, or is not a uniquely routed address to which the RP can send packets, the replies sent from the RP to the source address will fail to reach the DR, resulting in PIM-SM protocol failures.
  • Page 590 | Multicast Routing: Configuring PIM for IPv4 | Figure 393: Configuring Global Settings for PIM-SM. Configuring a BSR Candidate: Use the Routing Protocol > PIM > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate. CLI References: "ip pim bsr-candidate"...
  • Page 591 | Multicast Routing: Configuring PIM for IPv4 | Priority – Priority used by the candidate bootstrap router in the election process. The BSR candidate with the largest priority is preferred. If the priority values are the same, the candidate with the larger IP address is elected to be the BSR. Setting the priority to zero means that this router is not eligible to serve as the BSR.
  • Page 592 | Multicast Routing: Configuring PIM for IPv4 | Static definitions for RP addresses may be used together with RP addresses dynamically learned through the bootstrap router (BSR). If an RP address learned by the BSR and one statically configured using this command are both available for a group range, the RP address learned by the BSR is chosen over the one statically configured.
  • Page 593 | Multicast Routing: Configuring PIM for IPv4 | Select Show from the Action list. Figure 396: Showing Static Rendezvous Points. Configuring an RP Candidate: Use the Routing Protocol > PIM > SM (RP Candidate) page to configure the switch to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR).
  • Page 594 | Multicast Routing: Configuring PIM for IPv4 | Parameters: These parameters are displayed in the web interface: VLAN – Identifier of configured VLAN interface. (Range: 1-4093) Interval – The interval at which this device advertises itself as an RP candidate. (Range: 60-16383 seconds;...
  • Page 595 | Multicast Routing: Configuring PIM for IPv4 | Select Show from the Action list. Select an interface from the VLAN list. Figure 398: Showing Settings for an RP Candidate. Displaying the BSR Router: Use the Routing Protocol > PIM > SM (Show Information – Show BSR Router) page to display information about the bootstrap router (BSR).
  • Page 596 | Multicast Routing: Configuring PIM for IPv4 | BSR or from a C-BSR with higher weight than the current BSR will be accepted. • Candidate BSR – Bidding in election process. • Pending-BSR – The router is a candidate to be the BSR for the RP-set. Currently, no other router is the preferred BSR, but this router is not yet the elected BSR.
  • Page 597 | Multicast Routing: Configuring PIMv6 for IPv6 | Uptime – The time this RP has been up and running. Expire – The time before this entry will be removed. Interface: To display the RPs mapped to multicast groups: Click Multicast, Multicast Routing, SM. Select Show Information from the Step list.
  • Page 598 | Multicast Routing: Configuring PIMv6 for IPv6 | Interface: To enable PIMv6 multicast routing: Click Routing Protocol, PIM6, General. Enable PIM6 Routing Protocol. Click Apply. Figure 401: Enabling PIMv6 Multicast Routing. Configuring PIM Interface Settings: Use the Routing Protocol > PIM6 > Interface page to configure the routing protocol’s functional attributes for each interface.
  • Page 599 | Multicast Routing: Configuring PIMv6 for IPv6 | than or equal to the value of Hello Interval, otherwise it will be automatically set to 3.5 x the Hello Interval. (Range: 1-65535 seconds; Default: 105 seconds, or 3.5 times the hello interval if set) Hello Interval –...
  • Page 600 | Multicast Routing: Configuring PIMv6 for IPv6 | receiving the flow referenced in the message. (Range: 500-6000 milliseconds; Default: 2500 milliseconds) The override interval and the propagation delay are used to calculate the LAN prune delay. If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message, then the override interval represents the time required for the downstream router to process the message and then respond by sending a Join message back to the upstream...
  • Page 601 | Multicast Routing: Configuring PIMv6 for IPv6 | Interface: To configure PIMv6 interface settings: Click Routing Protocol, PIM6, Interface. Modify any of the protocol parameters as required. Click Apply. Figure 402: Configuring PIMv6 Interface Settings (Dense Mode). Displaying Neighbor ...: Use the Routing Protocol > PIM6 > Neighbor page to display all neighboring PIMv6 routers.
  • Page 602 | Multicast Routing: Configuring PIMv6 for IPv6 | Interface: To display neighboring PIMv6 routers: Click Routing Protocol, PIM6, Neighbor. Figure 403: Showing PIMv6 Neighbors.
  • Page 603 | Command Line Interface | This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: "General Commands" on page 641, "System Management Commands" on page 649, "SNMP Commands"...
  • Page 604 | Command Line Interface | "VLAN Commands" on page 929, "Class of Service Commands" on page 971, "Quality of Service Commands" on page 985, "Multicast Filtering Commands" on page 1003, "LLDP Commands" on page 1065, "Domain Name Service Commands" on page 1083, "DHCP Commands"...
  • Page 605 | Using the Command Line Interface: Accessing the CLI | This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI: When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch...
  • Page 606 | Using the Command Line Interface: Accessing the CLI | Telnet Connection: Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 607 | Using the Command Line Interface: Entering Commands | Note: You can open up to four sessions to the device via Telnet or SSH. Entering Commands: This section describes how to enter CLI commands. Keywords and ...: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 608 | Using the Command Line Interface: Entering Commands | Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
  • Page 609 | Using the Command Line Interface: Entering Commands | Secure shell server connections
      startup-config          Startup system configuration
      subnet-vlan             IP subnet-based VLAN information
      system                  System information
      tacacs-server           TACACS server information
      tech-support            Technical information
      time-range              Time range
      traffic-segmentation    Traffic segmentation information
      users                   Information about users logged in
      version                 System hardware and software versions...
  • Page 610: Table 34: General Command Modes

    | Using the Command Line Interface: Entering Commands | Using Command History: The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.
  • Page 611: Interface Configuration

    | Using the Command Line Interface: Entering Commands | To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the EL326 is opened. To end the CLI session, enter [Exit]. Console# Username: guest Password: [guest login password]...
  • Page 612: Table 35: Configuration Command Modes

    | Using the Command Line Interface: Entering Commands | Time Range - Sets a time range for use by other functions, such as Access Control Lists. VLAN Configuration - Includes the command to create VLAN groups. To enter the Global Configuration mode, enter the command configure in Privileged Exec mode.
  • Page 613: Table 36: Keystroke Commands

    | Using the Command Line Interface: Entering Commands | Command ... Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 614: Table 37: Command Group Index

    | Using the Command Line Interface: CLI Command Groups | The system commands can be broken down into the functional groups shown below. Table 37: Command Group Index (columns: Command Group, Description, Page). General: Basic commands for entering privileged access mode, restarting the system, or quitting the CLI. System Management: Display and setting of system information, basic modes of...
  • Page 615: Multicast Filtering

    | Using the Command Line Interface: CLI Command Groups | Table 37: Command Group Index (Continued) (columns: Command Group, Description, Page). Multicast Filtering: Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router; also configures multicast VLAN registration (page 1003). Link Layer Discovery: Configures LLDP settings to enable information discovery about...
  • Page 616 | Using the Command Line Interface: CLI Command Groups
  • Page 617: Table 38: General Commands

    | General Commands | These commands are used to control the command access mode, configuration mode, and other basic functions. Table 38: General Commands (columns: Command, Function, Mode). prompt: Customizes the CLI prompt. reload: Restarts the system at a specified time, after a specified delay, or at a periodic interval. enable: Activates privileged mode...
  • Page 618 | General Commands | Example: Console(config)#prompt RD2 RD2(config)# | reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time.
  • Page 619 | General Commands | Command Usage: This command resets the entire system. Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 620 | General Commands | Related Commands: disable (645), enable password (732) | quit: This command exits the configuration program. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The quit and exit commands can both exit the configuration program. Example: This example shows how to quit a CLI session: Console#quit Press ENTER to start session...
  • Page 621 | General Commands | 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
  • Page 622 | General Commands | Command Usage: The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode. Example: Console#disable Console> Related Commands: enable (643). reload (Privileged Exec): This command restarts the system. When the system is restarted, it will always run the Power-On Self-Test.
  • Page 623 | General Commands | Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds. Console# This command returns to Privileged Exec mode. Default Setting: None. Command Mode: Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. Example: This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:...
  • Page 624 | General Commands – 648 –...
  • Page 625: Table 39: System Management Commands

    | System Management Commands | Device Designation | These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 39: System Management Commands (columns: Command Group, Function). Device Designation: Configures information that uniquely identifies this switch...
  • Page 626: Table 41: System Status Commands

    | System Management Commands | System Status | name - The name of this host. (Maximum length: 255 characters) Default Setting: None. Command Mode: Global Configuration. Example: Console(config)#hostname RD#1 Console(config)# switch all renumber: This command resets the switch unit identification numbers in the stack. All stack members are numbered sequentially starting from the top unit for a non-loop stack, or starting from the Master unit for a looped stack.
  • Page 627 | System Management Commands | System Status | Table 41: System Status Commands (columns: Command, Function, Mode). show process cpu: Shows CPU utilization parameters (NE, PE). show running-config: Displays the configuration data currently in use. show startup-config: Displays the contents of the configuration file (stored in flash memory) that is used to start up the system. show system: Displays system information...
  • Page 628 | System Management Commands | System Status | Example: Console#show memory Status Bytes ------ ---------- Free 134946816 Used 133488640 Total 268435456 Console# show process cpu: This command shows the CPU utilization parameters. Command Mode: Normal Exec, Privileged Exec. Example: Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show running-...
  • Page 629: Interface Settings

    | System Management Commands | System Status | MAC address for each switch in the stack; SNMP community strings; Users (names, access levels, and encrypted passwords); VLAN database (VLAN ID, name and state); VLAN configuration settings for each interface; ...
  • Page 630 | System Management Commands | System Status | interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 queue weight 1 2 4 6 8 10 12 14 Console# Related Commands: show startup-config (654). show startup-config: This command displays the configuration file stored in non-volatile memory that is used to start up the system.
  • Page 631 No information will be displayed under POST Result, unless there is a problem with the unit. If any POST test indicates “FAIL,” contact your distributor for assistance. XAMPLE Console#show system System Description : EL 326 System OID String : 1.3.6.1.4.1.259.10.1.1 System Information System Up Time : 0 days, 0 hours, 21 minutes, and 47.6 seconds...
  • Page 632 It is therefore advisable to direct the output to a file using any suitable output capture function provided with your terminal emulation program. XAMPLE Console#show tech-support show system: System Description : EL 326 System OID String : 1.3.6.1.4.1.259.10.1.1 System Information System Up Time: 0 days, 2 hours, 17 minutes, and 6.23 seconds...
  • Page 633: Table 42: Frame Size Commands

    | System Management Commands | Frame Size | Line User Name Idle time (h:m:s) Remote IP Addr ----- -------------------------------- ----------------- --------------- HTTP admin 0:01:24 192.168.0.61 Console# show version: This command displays hardware and software version information for the system. Command Mode: Normal Exec, Privileged Exec. Command Usage: "Displaying Switch Hardware/Software Versions"...
  • Page 634: Table 43: Fan Control Commands

    | System Management Commands | Fan Control | Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames on Gigabit Ethernet ports up to 10K bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 635: Table 44: Flash/File Commands

    | System Management Commands | File Management | Command Mode: Global Configuration. Example: Console(config)#fan-speed force-full Console(config)# File Management. Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 636 | System Management Commands | File Management | boot system: This command specifies the file or image used to start up the system. Syntax: boot system [unit:] {boot-rom: | config: | opcode:} filename. unit - Stack unit. (Range: 1-8) boot-rom - Boot ROM. config - Configuration file.
  • Page 637 | System Management Commands | File Management | copy: This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 638 | System Management Commands HAPTER File Management Use the copy file unit command to copy a local file to another switch in the stack. Use the copy unit file command to copy a file from another switch in the stack. The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server.
  • Page 639 | System Management Commands | File Management | The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 640 | System Management Commands | File Management | delete: This command deletes a file or image. Syntax: delete [unit:] filename. unit - Stack unit. (Range: 1-8) filename - Name of configuration file or code image. Default Setting: None. Command Mode: Privileged Exec. Command Usage: If the file type is used for system startup, then this file cannot be deleted.
  • Page 641: Table 45: File Directory Information

    | System Management Commands | File Management | Command Mode: Privileged Exec. Command Usage: If you enter the command dir without any parameters, the system displays all files. A colon (:) is required after the specified unit number and file type. File information is shown below: Table 45: File Directory Information (columns: Column Heading, Description)...
  • Page 642: Table 46: Line Commands

    | System Management Commands | Line | Example: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modify Time Size(bytes) -------------------------------- ------- ------- ------------------- ----------- Unit 1:...
  • Page 643 | System Management Commands | Line | line: This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax: line {console | vty}. console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting: There is no default line.
  • Page 644 | System Management Commands | Line | Command Usage: The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
  • Page 645 | System Management Commands | Line | login: This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax: login [local]; no login. local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 646 | System Management Commands | Line | no parity. none - No parity; even - Even parity; odd - Odd parity. Default Setting: No parity. Command Mode: Line Configuration. Command Usage: Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
  • Page 647 | System Management Commands | Line | bootup or when downloading the configuration file from an FTP/TFTP server. There is no need for you to manually configure encrypted passwords. Example: Console(config-line)#password 0 secret Console(config-line)# Related Commands: login (669), password-thresh (671). password-thresh: This command sets the password intrusion threshold which limits the number of failed logon attempts.
  • Page 648 | System Management Commands | Line | silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax: silent-time [seconds]; no silent-time...
  • Page 649 | System Management Commands | Line | Example: To specify 57600 bps, enter this command: Console(config-line)#speed 57600 Console(config-line)# stopbits: This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax: stopbits {1 | 2}; no stopbits. 1 - One stop bit...
  • Page 650 | System Management Commands | Line | Command Usage: If a login attempt is not detected within the timeout interval, the connection is terminated for the session. This command applies to both the local console and Telnet connections. The timeout for Telnet cannot be disabled. Using the command without specifying a timeout restores the default setting.
  • Page 651: Table 47: Event Logging Commands

    | System Management Commands | Event Logging | Default Setting: Shows all lines. Command Mode: Normal Exec, Privileged Exec. Example: To show all lines, enter this command: Console#show line Console Configuration: Password Threshold : 3 times Inactive Timeout : Disabled Login Timeout : Disabled Silent Time : Disabled...
  • Page 652: Table 48: Logging Levels

    | System Management Commands | Event Logging | logging facility: This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default. Syntax: logging facility type; no logging facility. type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
  • Page 653 | System Management Commands | Event Logging | Table 48: Logging Levels (Continued) (columns: Level, Severity Name, Description). critical: Critical conditions (e.g., memory allocation, or free memory error - resource exhausted). alerts: Immediate action needed. emergencies: System unusable. Default Setting: Flash: errors (level 3 - 0); RAM: debugging (level 7 - 0). Command Mode: Global Configuration...
  • Page 654 | System Management Commands | Event Logging | logging on: This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process. Syntax: [no] logging on. Default Setting: None. Command Mode: Global Configuration. Command Usage:...
  • Page 655 | System Management Commands | Event Logging | Command Usage: Using this command with a specified level enables remote logging and sets the minimum severity level to be saved. Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
  • Page 656 | System Management Commands | Event Logging | Command Mode: Privileged Exec. Example: The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...
  • Page 657: Table 49: Show Logging Flash/Ram - Display Description

    | System Management Commands | SMTP Alerts | Table 49: show logging flash/ram - display description (columns: Field, Description). Syslog logging: Shows if system logging has been enabled via the logging on command. History logging in FLASH: The message level(s) reported based on the logging history command.
  • Page 658 | System Management Commands | SMTP Alerts | Table 51: Event Logging Commands (Continued) (columns: Command, Function, Mode). logging sendmail source-email: Email address used for “From” field of alert messages. show logging sendmail: Displays SMTP event handler settings (NE, PE). logging sendmail: This command enables SMTP event handling.
  • Page 659 | System Management Commands | SMTP Alerts | to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.) Example: Console(config)#logging sendmail host 192.168.1.19...
  • Page 660 | System Management Commands | SMTP Alerts | Command Mode: Global Configuration. Command Usage: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example: Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail This command sets the email address used for the “From”...
  • Page 661: Table 52: Time Commands

    | System Management Commands | Time | SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- 1. ted@this-company.com SMTP Source E-mail Address: bill@this-company.com SMTP Status: Enabled Console# The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 662 | System Management Commands | Time | Command Usage: The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001). This command enables client time requests to time servers specified via the sntp server...
  • Page 663 | System Management Commands | Time | sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 664 | System Management Commands | Time | Example: Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 137.92.140.81 Console# clock timezone: This command sets the time zone for the switch’s internal clock. Syntax: clock timezone name hour hours minute minutes {before-utc | after-utc}...
  • Page 665 | System Management Commands | Time | Syntax: calendar set hour min sec {day month year | month day year}. hour - Hour in 24-hour format. (Range: 0 - 23) min - Minute. (Range: 0 - 59) sec - Second. (Range: 0 - 59) day - Day of month.
  • Page 666: Table 53: Time Range Commands

    | System Management Commands | Time Range | This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 53: Time Range Commands (columns: Command, Function, Mode). time-range: Specifies the name of a time range, and enters time range configuration mode. absolute: Sets the time range for the execution of a command...
  • Page 667 | System Management Commands | Time Range | absolute end hour minutes day month year; no absolute. hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) day - Day of month. (Range: 1-31) month - january | february | march | april | may | june | july | august | september | october | november | december. year - Year (4-digit).
  • Page 668 | System Management Commands | Time Range | weekdays - Weekdays. weekend - Weekends. hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) Default Setting: None. Command Mode: Time Range Configuration. Example: This example configures a time range for the periodic occurrence of an event. Console(config)#time-range sales Console(config-time-range)#periodic daily 1 1 to 2 1 Console(config-time-range)#...
  • Page 669: Table 54: Snmp Commands

    | SNMP Commands | Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 670 | SNMP Commands | Table 54: SNMP Commands (Continued) (columns: Command, Function, Mode). show snmp notify-filter: Displays the configured notification logs. ATC Trap Commands: snmp-server enable port-traps atc broadcast-alarm-clear: Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered (IC (Port)). snmp-server enable port-...
  • Page 671 | SNMP Commands | Syntax: snmp-server community string [ro | rw]; no snmp-server community string. string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5) ro - Specifies read-only access.
  • Page 672: Location String

    | SNMP Commands | Related Commands: snmp-server location (700). snmp-server location: This command sets the system location string. Use the no form to remove the location string. Syntax: snmp-server location text; no snmp-server location. text - String that describes the system location. (Maximum length: 255 characters) Default Setting:...
  • Page 673 | SNMP Commands | SNMP Communities : 1. public, and the access level is read-only 2. private, and the access level is read/write 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables...
  • Page 674 | SNMP Commands | conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command. Example: Console(config)#snmp-server enable traps link-up-down Console(config)# Related Commands: snmp-server host (702). snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation.
  • Page 675 | SNMP Commands | Command Mode: Global Configuration. Command Usage: If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
  • Page 676 | SNMP Commands | Example: Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands: snmp-server enable traps (701). snmp-server engine-id: This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax: snmp-server engine-id {local | remote {ip-address}} engineid-string; no snmp-server engine-id {local | remote {ip-address}}. local - Specifies the SNMP engine on this switch.
  • Page 677 | SNMP Commands | Example: Console(config)#snmp-server engine-id local 1234567890 Console(config)#snmp-server engineID remote 9876543210 192.168.1.19 Console(config)# Related Commands: snmp-server host (702). snmp-server group: This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}}...
  • Page 678 | SNMP Commands | Example: Console(config)#snmp-server group r&d v3 auth write daily Console(config)# snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax: snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-...
  • Page 679 | SNMP Commands HAPTER The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides.
  • Page 680: Table 55: Show Snmp Engine-Id - Display Description

    | SNMP Commands | Examples: This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries.
  • Page 681: Table 56: Show Snmp Group - Display Description

    | SNMP Commands | show snmp group: Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode: Privileged Exec. Example: Console#show snmp group Group Name : r&d Security Model : v3 Read View : defaultview Write View...
  • Page 682: Table 57: Show Snmp User - Display Description

    | SNMP Commands | Table 56: show snmp group - display description (Continued) (columns: Field, Description). Notify View: The associated notify view. Storage Type: The storage type for this entry. Row Status: The row status of this entry. show snmp user: This command shows information on SNMP users.
  • Page 683: Table 58: Show Snmp View - Display Description

    | SNMP Commands | show snmp view: This command shows information on the SNMP views. Command Mode: Privileged Exec. Example: Console#show snmp view View Name : mib-2 Subtree OID : 1.2.2.3.6.2.1 View Type : included Storage Type : nonvolatile Row Status : active View Name : defaultview Subtree OID : 1...
  • Page 684 | SNMP Commands | Example: This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log. Syntax: [no] snmp-server notify-filter profile-name remote ip-address. profile-name - Notification log profile name.
  • Page 685 | SNMP Commands | notification log, and the entry aging time can only be configured using SNMP from a network management station. When a trap host is created with the snmp-server host command, a default notify filter will be created as shown in the example under the show snmp notify-filter command.
  • Page 686 | SNMP Commands – 714 –...
  • Page 687: Table 59: Rmon Commands

    | Remote Monitoring Commands | Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 688 | Remote Monitoring Commands | rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]; no rmon alarm index. index –...
  • Page 689 | Remote Monitoring Commands HAPTER If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the failing threshold.
  • Page 690 | Remote Monitoring Commands | Example: Console(config)#rmon event 2 log description urgent owner mike Console(config)# rmon collection history: This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling. Syntax: rmon collection history controlEntry index [[owner name] [buckets number] [interval seconds]] | [buckets number] [interval seconds] | interval seconds; no rmon collection history controlEntry index...
  • Page 691 | Remote Monitoring Commands | rmon collection rmon1: This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection. Syntax: rmon collection rmon1 controlEntry index [owner name]; no rmon collection rmon1 controlEntry index. index –...
  • Page 692 | Remote Monitoring Commands | show rmon events: This command shows the settings for all configured events. Command Mode: Privileged Exec. Example: Console#show rmon events Event 2 is valid, owned by mike Description is urgent Event firing causes log and trap to community , last fired 00:00:00 Console# show rmon history: This command shows the sampling parameters configured for each entry in the...
  • Page 693 | Remote Monitoring Commands | # of packets received of length (in octets): 64: 2245, 65-127: 87, 128-255: 31, 256-511: 5, 512-1023: 2, 1024-1518: 2 – 723 –...
  • Page 694 | Remote Monitoring Commands – 724 –...
  • Page 695: Table 60: Sflow Commands

    | Flow Sampling Commands | Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 696 | Flow Sampling Commands | Default Setting: IP Address: null; UDP Port: 6343. Command Mode: Interface Configuration (Ethernet). Example: This example configures the Collector’s IP address, and uses the default UDP port. Console(config)#interface ethernet 1/9 Console(config-if)#sflow destination ipv4 192.168.0.4 Console(config-if)# sflow max- This command configures the maximum size of the sFlow datagram payload.
  • Page 697 | Flow Sampling Commands | Default Setting: 128 bytes. Command Mode: Interface Configuration (Ethernet). Example: Console(config)#interface ethernet 1/9 Console(config-if)#sflow max-header-size 256 Console(config-if)# sflow owner: This command configures the name of the receiver (i.e., sFlow Collector). Use the no form to remove this name. Syntax: sflow owner name; no sflow owner...
  • Page 698 | Flow Sampling Commands | Command Mode: Interface Configuration (Ethernet). Example: This example sets the sample rate to 1 out of every 100 packets. Console(config)#interface ethernet 1/9 Console(config-if)#sflow sample 100 Console(config-if)# sflow source: This command enables sFlow on the source ports to be monitored. Use the no form to disable sFlow on the specified ports.
  • Page 699 | Flow Sampling Commands | Command Usage: The sFlow parameters affected by this command include the sampling interval, the receiver’s name, address and UDP port, the time out, maximum header size, and maximum datagram size. Example: This example sets the time out to 1000 seconds. Console(config)#interface ethernet 1/9 Console(config-if)#sflow timeout 10000 Console(config-if)#...
  • Page 700 | Flow Sampling Commands – 730 –...
  • Page 701: Table 61: Authentication Commands

    | Authentication Commands | User Accounts | You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 702 | Authentication Commands | User Accounts | enable password: After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 703: Table 63: Default Login Settings

    | Authentication Commands | Authentication Sequence | name - The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16) access-level level - Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. nopassword - No password is required for this user to log in.
  • Page 704 | Authentication Commands | Authentication Sequence | authentication enable: This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command. Use the no form to restore the default. Syntax: authentication enable {[local] [radius] [tacacs]}; no authentication enable...
  • Page 705: Table 65: Radius Client Commands

    | Authentication Commands | RADIUS Client | no authentication login. local - Use local password. radius - Use RADIUS server password. tacacs - Use TACACS server password. Default Setting: Local. Command Mode: Global Configuration. Command Usage: RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport.
  • Page 706 | Authentication Commands | RADIUS Client | Table 65: RADIUS Client Commands (columns: Command, Function, Mode). radius-server host: Specifies the RADIUS server. radius-server key: Sets the RADIUS encryption key. radius-server retransmit: Sets the number of retries. radius-server timeout: Sets the interval between sending authentication requests. show radius-server: Shows the current RADIUS settings. radius-server acct-...
  • Page 707 | Authentication Commands | RADIUS Client | Example: Console(config)#radius-server auth-port 181 Console(config)# radius-server host: This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values. Syntax: [no] radius-server index host host-ip-address [auth-port auth-port] [acct-port acct_port] [key key] [retransmit retransmit] [timeout timeout]...
  • Page 708 | Authentication Commands | RADIUS Client | radius-server key: This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax: radius-server key key-string; no radius-server key. key-string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
  • Page 709 | Authentication Commands | RADIUS Client | no radius-server timeout. number-of-seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting. Command Mode: Global Configuration. Example: Console(config)#radius-server timeout 10 Console(config)# show radius-server: This command displays the current settings for the RADIUS server. Default Setting: None...
  • Page 710: Table 66: TACACS+ Client Commands

    | Authentication Commands | TACACS+ Client | TACACS+ CLIENT: Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 711 | Authentication Commands | TACACS+ Client | tacacs-server host: This command specifies the TACACS+ server. Use the no form to restore the default. SYNTAX: tacacs-server host host-ip-address; no tacacs-server host. host-ip-address - IP address of a TACACS+ server. DEFAULT SETTING: 10.11.12.13 COMMAND MODE: Global Configuration EXAMPLE...
  • Page 712 | Authentication Commands | TACACS+ Client | no tacacs-server port. port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) DEFAULT SETTING: COMMAND MODE: Global Configuration EXAMPLE: Console(config)#tacacs-server port 181 Console(config)# | show tacacs-server: This command displays the current settings for the TACACS+ server. DEFAULT SETTING: None...
  • Page 713: Table 67: AAA Commands

    | Authentication Commands | The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 67: AAA Commands (columns: Command, Function, Mode)...
  • Page 714 | Authentication Commands | DEFAULT SETTING: Accounting is not enabled. No servers are specified. COMMAND MODE: Global Configuration COMMAND USAGE: The accounting of Exec mode commands is only supported by TACACS+ servers. Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
  • Page 715 | Authentication Commands | COMMAND USAGE: Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use. EXAMPLE: Console(config)#aaa accounting dot1x default start-stop group radius Console(config)#...
  • Page 716 | Authentication Commands | EXAMPLE: Console(config)#aaa accounting exec default start-stop group tacacs+ Console(config)# | aaa accounting update: This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. SYNTAX: aaa accounting update [periodic interval]; no aaa accounting update. interval - Sends an interim accounting record to the server at this interval.
  • Page 717 | Authentication Commands | group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server command. server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters) DEFAULT SETTING: Authorization is not enabled...
  • Page 718 | Authentication Commands | EXAMPLE: Console(config)#aaa group server radius tps Console(config-sg-radius)# | server: This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. SYNTAX: [no] server {index | ip-address}. index - Specifies the server index.
  • Page 719 | Authentication Commands | COMMAND MODE: Interface Configuration EXAMPLE: Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# | accounting exec: This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. SYNTAX: accounting exec {default | list-name}; no accounting exec...
  • Page 720 | Authentication Commands | DEFAULT SETTING: None COMMAND MODE: Line Configuration EXAMPLE: Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# | show accounting: This command displays the current accounting settings per function and per port. SYNTAX: show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]. commands - Displays command accounting information.
  • Page 721: Table 68: Web Server Commands

    | Authentication Commands | Web Server | Method List : tps Group List : radius Interface : Eth 1/2 Accounting Type : EXEC Method List : default Group List : tacacs+ Interface : vty Console# | WEB SERVER: This section describes commands used to configure web browser management access to the switch.
  • Page 722 | Authentication Commands | Web Server | ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. SYNTAX: [no] ip http server DEFAULT SETTING: Enabled COMMAND MODE: Global Configuration EXAMPLE: Console(config)#ip http server Console(config)#...
  • Page 723: Table 69: HTTPS System Support

    | Authentication Commands | Web Server | - The client and server generate session keys for encrypting and decrypting data. The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape Navigator 6.2 or above, and Mozilla Firefox 2.0.0.0 or above.
  • Page 724: Table 70: Telnet Server Commands

    | Authentication Commands HAPTER Telnet Server If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https:// device:port_number XAMPLE Console(config)#ip http secure-port 1000 Console(config)# ELATED OMMANDS ip http secure-server (752)
  • Page 725 | Authentication Commands HAPTER Telnet Server OMMAND Global Configuration OMMAND SAGE A maximum of four sessions can be concurrently opened for Telnet and Secure Shell (i.e., both Telnet and SSH share a maximum number or four sessions). XAMPLE Console(config)#ip telnet max-sessions 1 Console(config)# ip telnet port This command specifies the TCP port number used by the Telnet interface.
  • Page 726: Table 71: Secure Shell Commands

    | Authentication Commands | Secure Shell | EXAMPLE: Console(config)#ip telnet server Console(config)# | show ip telnet: This command displays the configuration settings for the Telnet server. COMMAND MODE: Normal Exec, Privileged Exec EXAMPLE: Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# | SECURE...
  • Page 727 | Authentication Commands | Secure Shell | Table 71: Secure Shell Commands (Continued) (columns: Command, Function, Mode). show public-key - Shows the public key for the specified user or for the host; show ssh - Displays the status of current SSH sessions; show users - Shows SSH users, including privilege level and public key type | Configuration Guidelines...
  • Page 728 | Authentication Commands | Secure Shell | Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) The client sends its password to the server.
  • Page 729 | Authentication Commands | Secure Shell | The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch. | ip ssh authentication-retries: This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. SYNTAX: ip ssh authentication-retries count...
  • Page 730 | Authentication Commands | Secure Shell | You must generate DSA and RSA host keys before enabling the SSH server. EXAMPLE: Console#ip ssh crypto host-key generate dsa Console#configure Console(config)#ip ssh server Console(config)# RELATED COMMANDS: ip ssh crypto host-key generate (761), show ssh (765) | ip ssh server-key: This command sets the SSH server key size.
  • Page 731 | Authentication Commands | Secure Shell | DEFAULT SETTING: 10 seconds COMMAND MODE: Global Configuration COMMAND USAGE: The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 732 | Authentication Commands | Secure Shell | DEFAULT SETTING: Generates both the DSA and RSA key pairs. COMMAND MODE: Privileged Exec COMMAND USAGE: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
  • Page 733 | Authentication Commands | Secure Shell | EXAMPLE: Console#ip ssh crypto zeroize dsa Console# RELATED COMMANDS: ip ssh crypto host-key generate (761), ip ssh save host-key (763), no ip ssh server (759) | ip ssh save host-key: This command saves the host key from RAM to flash memory. SYNTAX: ip ssh save host-key DEFAULT...
  • Page 734 | Authentication Commands | Secure Shell | show public-key: This command shows the public key for the specified user or for the host. SYNTAX: show public-key [user [username]| host]. username – Name of an SSH user. (Range: 1-8 characters) DEFAULT SETTING: Shows all public keys.
  • Page 735: Table 72: show ssh - display description

    | Authentication Commands | 802.1X Port Authentication | show ssh: This command displays the current SSH server connections. COMMAND MODE: Privileged Exec EXAMPLE: Console#show ssh Connection Version State Username Encryption 2.0 Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console# | Table 72: show ssh - display description (columns: Field, Description). Session...
  • Page 736 | Authentication Commands | 802.1X Port Authentication | Table 73: 802.1X Port Authentication Commands (Continued) (columns: Command, Function, Mode). dot1x timeout quiet-period - Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client; dot1x timeout re-authperiod - Sets the time period after which a connected client must be...
  • Page 737 | Authentication Commands | 802.1X Port Authentication | EXAMPLE: This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state. Console(config)#dot1x eapol-pass-through Console(config)# | dot1x system-auth-control: This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
  • Page 738 | Authentication Commands | 802.1X Port Authentication | EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x intrusion-action guest-vlan Console(config-if)# | dot1x max-req: This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
  • Page 739 | Authentication Commands | 802.1X Port Authentication | COMMAND MODE: Interface Configuration COMMAND USAGE: The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command. In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
  • Page 740 | Authentication Commands | 802.1X Port Authentication | dot1x re-authentication: This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication. SYNTAX: [no] dot1x re-authentication COMMAND MODE: Interface Configuration COMMAND USAGE: The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
  • Page 741 | Authentication Commands | 802.1X Port Authentication | dot1x timeout re-authperiod: This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. SYNTAX: dot1x timeout re-authperiod seconds; no dot1x timeout re-authperiod. seconds - The number of seconds.
  • Page 742 | Authentication Commands | 802.1X Port Authentication | EXAMPLE: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout supp-timeout 300 Console(config-if)# | dot1x timeout tx-period: This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
  • Page 743 | Authentication Commands | 802.1X Port Authentication | EXAMPLE: Console#dot1x re-authenticate Console# | show dot1x: This command shows general port authentication related settings on the switch or a specific interface. SYNTAX: show dot1x [statistics] [interface interface]. statistics - Displays dot1x status for each port. interface: ethernet unit/port. unit - Stack unit.
  • Page 744 | Authentication Commands | 802.1X Port Authentication | - Reauth Max Retries – Maximum number of reauthentication attempts. - Max Request – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 768).
  • Page 745: Table 74: Management IP Filter Commands

    | Authentication Commands | Management IP Filter | 802.1X Authenticator is enabled on port 26 Reauthentication : Enabled Reauth Period : 3600 Quiet Period : 60 TX Period : 30 Supplicant Timeout : 30 Server Timeout : 10 Reauth Max Retries : 2 Max Request Operation Mode : Multi-host...
  • Page 746 | Authentication Commands | Management IP Filter | management: This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. SYNTAX: [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]. all-client - Adds IP address(es) to all groups.
  • Page 747 | Authentication Commands | Management IP Filter | SYNTAX: show management {all-client | http-client | snmp-client | telnet-client}. all-client - Displays IP addresses for all groups. http-client - Displays IP addresses for the web group. snmp-client - Displays IP addresses for the SNMP group. telnet-client - Displays IP addresses for the Telnet group.
  • Page 748 | Authentication Commands | Management IP Filter...
  • Page 749: Table 75: General Security Commands

    | General Security Measures | GENERAL SECURITY MEASURES: This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and Port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 750: Table 76: Management IP Filter Commands

    | General Security Measures | Port Security | PORT SECURITY: These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 751 | General Security Measures | Port Security | or if MAC Address Security has been enabled by the port security command on the same interface. EXAMPLE: The following example disables MAC address learning for port 2. Console(config)#interface ethernet 1/2 Console(config-if)#no mac-learning Console(config-if)# RELATED COMMANDS...
  • Page 752: Table 77: Network Access Commands

    | General Security Measures HAPTER Network Access (MAC Address Authentication) First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port. (The specified maximum address count is effective when port security is enabled or disabled.) Use the no port security max-mac-count command to disable port security and reset the maximum number of addresses to the default.
  • Page 753 | General Security Measures HAPTER Network Access (MAC Address Authentication) Table 77: Network Access Commands Command Function Mode network-access dynamic-vlan Enables dynamic VLAN assignment from a RADIUS server IC network-access guest-vlan Specifies the guest VLAN network-access link-detection Enables the link detection feature network-access link-detection Configures the link detection feature to detect and act upon link-down...
  • Page 754 | General Security Measures HAPTER Network Access (MAC Address Authentication) Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 768). The maximum number of secure MAC addresses supported for the switch system is 1024. XAMPLE Console(config-if)#network-access aging Console(config-if)# network-access Use this command to add a MAC address into a filter table.
  • Page 755 | General Security Measures HAPTER Network Access (MAC Address Authentication) mac-authentication Use this command to set the time period after which a connected MAC address must reauth-time be re-authenticated. Use the no form of this command to restore the default value. YNTAX mac-authentication reauth-time seconds no mac-authentication reauth-time...
  • Page 756: Table 78: Dynamic QoS Profiles

    | General Security Measures | Network Access (MAC Address Authentication) | COMMAND USAGE: The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information: Table 78: Dynamic QoS Profiles Profile Attribute Syntax...
  • Page 757 | General Security Measures | Network Access (MAC Address Authentication) | COMMAND USAGE: When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs. The VLAN settings specified by the first authenticated MAC address are implemented for a port.
  • Page 758 | General Security Measures | Network Access (MAC Address Authentication) | Console(config)#interface ethernet 1/1 Console(config-if)#network-access guest-vlan 25 Console(config-if)# | network-access link-detection: Use this command to enable link detection for the selected port. Use the no form of this command to restore the default. SYNTAX: [no] network-access link-detection DEFAULT...
  • Page 759 | General Security Measures | Network Access (MAC Address Authentication) | EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-down action trap Console(config-if)# | network-access link-detection link-: Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 760 | General Security Measures | Network Access (MAC Address Authentication) | DEFAULT SETTING: Disabled COMMAND MODE: Interface Configuration EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up-down action trap Console(config-if)# | network-access: Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication.
  • Page 761 | General Security Measures | Network Access (MAC Address Authentication) | COMMAND MODE: Interface Configuration COMMAND USAGE: When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated. On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
  • Page 762 | General Security Measures | Network Access (MAC Address Authentication) | COMMAND MODE: Interface Configuration COMMAND USAGE: Entries in the MAC address filter table can be configured with the network-access mac-filter command. Only one filter table can be assigned to a port. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#network-access port-mac-filter 1 Console(config-if)#...
  • Page 763 | General Security Measures | Network Access (MAC Address Authentication) | COMMAND MODE: Interface Configuration EXAMPLE: Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)# | show network-access: Use this command to display the MAC authentication settings for port interfaces. SYNTAX: show network-access [interface interface]. interface - Specifies a port interface. ethernet unit/port. unit - Stack unit.
  • Page 764 | General Security Measures | Network Access (MAC Address Authentication) | show network-access mac-address-table: Use this command to display secure MAC address table entries. SYNTAX: show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]. static - Specifies static address entries.
  • Page 765: Table 79: Web Authentication

    | General Security Measures | Web Authentication | show network-access mac-filter: Use this command to display information for entries in the MAC filter tables. SYNTAX: show network-access mac-filter [filter-id]. filter-id - Specifies a MAC address filter table. (Range: 1-64) DEFAULT SETTING: Displays all filters.
  • Page 766 | General Security Measures | Web Authentication | Table 79: Web Authentication (Continued) (columns: Command, Function, Mode). web-auth re-authenticate (Port) - Ends all web authentication sessions on the port and forces the users to re-authenticate; web-auth re-authenticate (IP) - Ends the web authentication session associated with the designated IP address and forces the user to re-authenticate; show web-auth...
  • Page 767 | General Security Measures | Web Authentication | COMMAND MODE: Global Configuration EXAMPLE: Console(config)#web-auth quiet-period 120 Console(config)# | web-auth session-timeout: This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place.
  • Page 768 | General Security Measures | Web Authentication | EXAMPLE: Console(config)#web-auth system-auth-control Console(config)# | web-auth: This command enables web authentication for an interface. Use the no form to restore the default. SYNTAX: [no] web-auth DEFAULT SETTING: Disabled COMMAND MODE: Interface Configuration COMMAND USAGE: Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
  • Page 769 | General Security Measures | Web Authentication | EXAMPLE: Console#web-auth re-authenticate interface ethernet 1/2 Failed to reauth. Console# | web-auth re-authenticate (IP): This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate. SYNTAX: web-auth re-authenticate interface interface ip. interface - Specifies a port interface.
  • Page 770 | General Security Measures | Web Authentication | show web-auth interface: This command displays interface-specific web authentication parameters and statistics. SYNTAX: show web-auth interface interface. interface - Specifies a port interface. ethernet unit/port. unit - This is unit 1. port - Port number. (Range: 1-26/50) COMMAND MODE: Privileged Exec EXAMPLE...
  • Page 771: Table 80: DHCP Snooping Commands

    | General Security Measures | DHCP Snooping | DHCP SNOOPING: DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
  • Page 772 | General Security Measures | DHCP Snooping | When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping. Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier. When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second.
  • Page 773 | General Security Measures | DHCP Snooping | receives any messages from a DHCP server, any packets received from untrusted ports are dropped. EXAMPLE: This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# RELATED COMMANDS: ip dhcp snooping vlan (807), ip dhcp snooping trust (808) | ip dhcp snooping: This command writes all dynamically learned snooping entries to flash memory.
  • Page 774 | General Security Measures | DHCP Snooping | When the DHCP Snooping Information Option is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server by the switch port to which they are connected rather than just their MAC address.
  • Page 775 | General Security Measures | DHCP Snooping | EXAMPLE: Console(config)#ip dhcp snooping information policy drop Console(config)# | ip dhcp snooping verify mac-address: This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
  • Page 776 | General Security Measures | DHCP Snooping | COMMAND USAGE: When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command.
  • Page 777 | General Security Measures | DHCP Snooping | default status, or as specifically configured for an interface with the no ip dhcp snooping trust command. - When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. Additional considerations when the switch itself is a DHCP client –...
  • Page 778: show ip dhcp

    | General Security Measures | DHCP Snooping | show ip dhcp snooping: This command shows the DHCP snooping configuration settings. COMMAND MODE: Privileged Exec EXAMPLE: Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping Information Option Status: disable DHCP Snooping Information Policy: replace DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable Interface...
  • Page 779: Table 81: IP Source Guard Commands

    | General Security Measures | IP Source Guard | IP SOURCE GUARD: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 780 | General Security Measures | IP Source Guard | COMMAND USAGE: Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command...
  • Page 781 | General Security Measures | IP Source Guard | COMMAND MODE: Interface Configuration (Ethernet) COMMAND USAGE: Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
  • Page 782 | General Security Measures | IP Source Guard | Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# RELATED COMMANDS: ip source-guard binding (811), ip dhcp snooping (803), ip dhcp snooping vlan (807) | ip source-guard max-binding: This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
  • Page 783 | General Security Measures | ARP Inspection | --------- ----------- ----------- Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3 DISABLED Eth 1/4 DISABLED Eth 1/5 Eth 1/6 DISABLED | show ip source-guard binding: This command shows the source guard binding table. SYNTAX: show ip source-guard binding [dhcp-snooping | static]. dhcp-snooping - Shows dynamic entries configured with DHCP Snooping...
  • Page 784: Table 82: Arp Inspection Commands

    | General Security Measures HAPTER ARP Inspection This section describes commands used to configure ARP Inspection. Table 82: ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Inspection globally on the switch ip arp inspection filter Specifies an ARP ACL to apply to one or more VLANs ip arp inspection log-buffer logs Sets the maximum number of entries saved in a log message, and the rate at these messages are sent...
  • Page 785 | General Security Measures HAPTER ARP Inspection When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled. When ARP Inspection is disabled, all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets.
  • Page 786 | General Security Measures HAPTER ARP Inspection If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database. XAMPLE Console(config)#ip arp inspection filter sales vlan 1 Console(config)#...
  • Page 787 | General Security Measures HAPTER ARP Inspection The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer. XAMPLE Console(config)#ip arp inspection log-buffer logs 1 interval 10 Console(config)# ip arp inspection This command specifies additional validation of address components in an ARP...
  • Page 788 | General Security Measures HAPTER ARP Inspection YNTAX [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID. (Range: 1-4093) vlan-range - A consecutive range of VLANs indicated by the use a hyphen, or a random group of VLANs with each entry separated by a comma. EFAULT ETTING Disabled on all VLANs...
  • Page 789 | General Security Measures HAPTER ARP Inspection pps - The maximum number of ARP packets that can be processed by the CPU per second. (Range: 0-2048, where 0 means that no ARP packets can be forwarded) none - There is no limit on the number of ARP packets that can be processed by the CPU.
  • Page 790 | General Security Measures HAPTER ARP Inspection show ip arp This command displays the global configuration settings for ARP Inspection. inspection configuration OMMAND Privileged Exec XAMPLE Console#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval : 10 s Log Message Number...
  • Page 791 | General Security Measures HAPTER ARP Inspection Num VLAN Port Src IP Address Dst IP Address Src MAC Address Dst MAC Address --- ---- ---- -------------- -------------- --------------- -------------- 11 192.168.2.2 192.168.2.1 00-04-E2-A0-E2-7C FF-FF-FF-FF-FF-FF Console# show ip arp This command shows statistics about the number of ARP packets processed, or inspection statistics dropped for various reasons.
  • Page 792 | Chapter: General Security Measures | ARP Inspection. disabled sales static Console#...
  • Page 793: Table 83: Access Control List Commands

    | Chapter: Access Control Lists | IPv4 ACLs. Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type).
  • Page 794 | Chapter: Access Control Lists | IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax: [no] access-list ip {standard | extended} acl-name standard –...
  • Page 795 | Chapter: Access Control Lists | IPv4 ACLs. permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax: {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 796 | Chapter: Access Control Lists | IPv4 ACLs. permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes.
  • Page 797 | Chapter: Access Control Lists | IPv4 ACLs. control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. time-range-name - Name of the time range. (Range: 1-30 characters) Default Setting...
  • Page 798 | Chapter: Access Control Lists | IPv4 ACLs. This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80 Console(config-ext-acl)# This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”...
  • Page 799 | Chapter: Access Control Lists | IPv4 ACLs. Related Commands: show ip access-list (833), Time Range (690). show ip access-group: This command shows the ports assigned to IP ACLs. Command Mode: Privileged Exec. Example: Console#show ip access-group Interface ethernet 1/2 IP access-list david in Console# Related Commands...
  • Page 800: Table 85: IPv4 ACL Commands

    | Chapter: Access Control Lists | IPv6 ACLs. The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 801 | Chapter: Access Control Lists | IPv6 ACLs. Example: Console(config)#access-list ipv6 standard david Console(config-std-ipv6-acl)# Related Commands: permit, deny (Standard IPv6 ACL) (835), permit, deny (Extended IPv6 ACL) (836), ipv6 access-group (838), show ipv6 access-list (838). permit, deny This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
  • Page 802 | Chapter: Access Control Lists | IPv6 ACLs. Example: This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64. Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79 Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64 Console(config-std-ipv6-acl)# Related Commands: access-list ipv6 (834), Time Range (690). permit, deny This command adds a rule to an Extended IPv6 ACL.
  • Page 803 | Chapter: Access Control Lists | IPv6 ACLs. Command Usage: All new rules are appended to the end of the list. A flow label is assigned to a flow by the flow's source node. New flow labels must be chosen pseudo-randomly and uniformly from the range 1 to FFFFF hexadecimal. The purpose of the random allocation is to make any set of bits within the Flow Label field suitable for use as a hash key by routers, for looking up the state associated with the flow.
  • Page 804 | Chapter: Access Control Lists | IPv6 ACLs. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 flow-label 43 Console(config-ext-ipv6-acl)# Related Commands: access-list ipv6 (834), Time Range (690). show ipv6 access-list: This command displays the rules for configured IPv6 ACLs. Syntax: show ipv6 access-list {standard | extended} [acl-name] standard –...
  • Page 805 | Chapter: Access Control Lists | IPv6 ACLs. Command Mode: Interface Configuration (Ethernet). Command Usage: A port can only be bound to one ACL. If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
  • Page 806: Table 86: MAC ACL Commands

    | Chapter: Access Control Lists | MAC ACLs. The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 807 | Chapter: Access Control Lists | MAC ACLs. Related Commands: permit, deny (841), mac access-group (843), show mac access-list (844). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 808 | Chapter: Access Control Lists | MAC ACLs. {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name] no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} tagged-eth2 –...
  • Page 809 | Chapter: Access Control Lists | MAC ACLs. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands: access-list mac (840), Time Range (690). mac access-group: This command binds a MAC ACL to a port. Use the no form to remove the port. Syntax: mac access-group acl-name in [time-range time-range-name] acl-name –...
  • Page 810 | Chapter: Access Control Lists | MAC ACLs. show mac access-group: This command shows the ports assigned to MAC ACLs. Command Mode: Privileged Exec. Example: Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# Related Commands: mac access-group (843). show mac access- This command displays the rules for configured MAC ACLs.
  • Page 811: Table 87: ARP ACL Commands

    | Chapter: Access Control Lists | ARP ACLs. The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command...
  • Page 812 | Chapter: Access Control Lists | ARP ACLs. permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
  • Page 813: Table 88: ACL Information Commands

    | Chapter: Access Control Lists | ACL Information. show arp access-list: This command displays the rules for configured ARP ACLs. Syntax: show arp access-list [acl-name] acl-name – Name of the ACL. (Maximum length: 16 characters) Command Mode: Privileged Exec. Example: Console#show arp access-list ARP access-list factory: permit response ip any 192.168.0.0 255.255.0.0 mac any any Console#...
  • Page 814 | Chapter: Access Control Lists | ACL Information. Command Mode: Privileged Exec. Example: Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 IP extended access-list bob: permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.0 any destination-port 80 80 permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2 MAC access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 permit any any...
  • Page 815: Table 89: Interface Commands

    | Chapter: Interface Commands. These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 89: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode...
  • Page 816 | Chapter: Interface Commands. interface: This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface. Syntax: [no] interface interface interface...
  • Page 817 | Chapter: Interface Commands. Example: The following example adds an alias to port 4. Console(config)#interface ethernet 1/4 Console(config-if)#alias finance Console(config-if)# capabilities: This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
  • Page 818 | Chapter: Interface Commands. Example: The following example configures Ethernet port 5 capabilities to include 100half and 100full. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands: negotiation (854), speed-duplex (856), flowcontrol (852). description: This command adds a description to an interface. Use the no form to remove the description.
  • Page 819 | Chapter: Interface Commands. Syntax: [no] flowcontrol. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: 1000BASE-T and 10GBASE-T do not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T and 10GBASE-T port or trunk.
  • Page 820 | Chapter: Interface Commands. media-type: This command forces the port type selected for combination ports 25-26. Use the no form to restore the default mode. Syntax: media-type mode no media-type mode copper-forced - Always uses the built-in RJ-45 port. sfp-forced - Always uses the SFP port (even if a module is not installed). sfp-preferred-auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link.
  • Page 821 | Chapter: Interface Commands. manually specify the link attributes with the speed-duplex and flowcontrol commands. If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example: The following example configures port 11 to use auto-negotiation. Console(config)#interface ethernet 1/11 Console(config-if)#negotiation Console(config-if)#...
  • Page 822 | Chapter: Interface Commands. speed-duplex: This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. Syntax: speed-duplex {1000full | 100full | 100half | 10full | 10half} no speed-duplex 1000full - Forces 1 Gbps full-duplex operation 100full - Forces 100 Mbps full-duplex operation...
  • Page 823 | Chapter: Interface Commands. Related Commands: negotiation (854), capabilities (851). switchport packet-rate: This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting. Syntax: switchport {broadcast | multicast | unicast} packet-rate rate no switchport {broadcast | multicast | unicast} rate - Threshold level as a rate;...
  • Page 824 | Chapter: Interface Commands. Example: The following shows how to configure broadcast storm control at 600 packets per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# clear counters: This command clears statistics on an interface. Syntax: clear counters interface interface ethernet unit/port unit - Stack unit.
  • Page 825 | Chapter: Interface Commands. show interfaces counters: This command displays interface statistics. Syntax: show interfaces counters [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number. (Range: 1-26) port-channel channel-id (Range: 1-32) Default Setting: Shows the counters for all interfaces. Command Mode: Normal Exec, Privileged Exec. Command...
  • Page 826 | Chapter: Interface Commands. 0 Drop Events 959114 Octets 3259 Packets 212 Broadcast PKTS 1381 Multi-cast PKTS 0 Undersize PKTS 0 Oversize PKTS 0 Fragments 0 Jabbers 0 CRC Align Errors 0 Collisions 2142 Packet Size <= 64 Octets 303 Packet Size 65 to 127 Octets 140 Packet Size 128 to 255 Octets 75 Packet Size 256 to 511 Octets 140 Packet Size 512 to 1023 Octets...
  • Page 827: Show Interfaces

    | Chapter: Interface Commands. Port Type : 1000T Mac Address : 00-00-E8-93-82-A1 Configuration: Name Port Admin : Up Speed-duplex : Auto Capabilities : 10half, 10full, 100half, 100full, 1000full Broadcast Storm : Enabled Broadcast Storm Limit : 500 packets/second Flow Control : Disabled VLAN Trunking : Disabled...
  • Page 828: Table 90: Show Interfaces Switchport - Display Description

    | Chapter: Interface Commands. Ingress Rate Limit : Disabled, 1000M bits per second Egress Rate Limit : Disabled, 1000M bits per second VLAN Membership Mode : Hybrid Ingress Rule : Disabled Acceptable Frame Type : All frames Native VLAN Priority for Untagged Traffic : 0 GVRP Status : Disabled Allowed VLAN...
  • Page 829 | Chapter: Interface Commands. show interfaces transceiver: This command displays identifying information for the specified transceiver, as well as the temperature, voltage, bias current, transmit power, and receive power. Syntax: show interfaces transceiver [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
  • Page 830 | Chapter: Interface Commands. : 0.00 V Bias Current : 43.11 mA TX Power : 605 uW RX Power : 3 uW Console# test cable-diagnostics dsp: This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.
  • Page 831 | Chapter: Interface Commands. Console# test loop internal: This command performs an internal loop back test on the specified port. Syntax: test loop internal interface interface interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number. (Range: 1-26/50) Command Mode: Privileged Exec. Command...
  • Page 832 | Chapter: Interface Commands. Pair B OK, length 0 meters Pair C OK, length 1 meters Pair D OK, length 1 meters Last Update 0n 2009-10-21 15:08:20 Console# show loop internal: This command shows the results of a loop back test. Syntax: show loop internal interface [interface] interface...
  • Page 833: Table 91: Link Aggregation Commands

    | Chapter: Link Aggregation Commands. Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 834 | Chapter: Link Aggregation Commands. All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel. STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
  • Page 835 | Chapter: Link Aggregation Commands. lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax: [no] lacp. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet). Command Usage: The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
  • Page 836 | Chapter: Link Aggregation Commands. Member Ports : Eth1/10, Eth1/11, Eth1/12, Console# lacp admin-key (Ethernet Interface): This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax: lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side of an aggregate link.
  • Page 837 | Chapter: Link Aggregation Commands. lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. Syntax: lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 838 | Chapter: Link Aggregation Commands. Default Setting: 32768. Command Mode: Interface Configuration (Ethernet). Command Usage: Port must be configured with the same system priority to join the same LAG. System priority is combined with the switch’s MAC address to form the LAG identifier.
  • Page 839: Table 92: Show Lacp Counters - Display Description

    | Chapter: Link Aggregation Commands. Console(config)#interface port-channel 1 Console(config-if)#lacp admin-key 3 Console(config-if)# show lacp: This command displays LACP information. Syntax: show lacp [port-channel] {counters | internal | neighbors | sys-id} port-channel - Local identifier for a link aggregation group. (Range: 1-32) counters - Statistics for LACP protocol messages.
  • Page 840: Table 93: Show Lacp Internal - Display Description

    | Chapter: Link Aggregation Commands. Console#show lacp 1 internal Port Channel : 1 ------------------------------------------------------------------------- Oper Key : 3 Admin Key : 0 Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Internal : 30 seconds LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key Oper Key Admin State...
  • Page 841: Table 94: Show Lacp Neighbors - Display Description

    | Chapter: Link Aggregation Commands. Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key Oper Key Admin State: defaulted, distributing, collecting, synchronization, long timeout, Oper State: distributing, collecting, synchronization, aggregation, long timeout, LACP-activity Table 94: show lacp neighbors - display description Field Description Partner Admin...
  • Page 842 | Chapter: Link Aggregation Commands. * The LACP system priority and system MAC address are concatenated to form the LAG system ID.
  • Page 843: Table 96: Port Mirroring Commands

    | Chapter: Port Mirroring Commands | Local Port Mirroring Commands. Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe.
  • Page 844 | Chapter: Port Mirroring Commands | Local Port Mirroring Commands. Command Mode: Interface Configuration (Ethernet, destination port). Command Usage: You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 845 | Chapter: Port Mirroring Commands | Local Port Mirroring Commands. Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------- Destination Port (listen port): Eth1/1 Source Port (monitored port): Eth1/6 Mode :RX/TX Console#...
  • Page 847: Table 98: Rate Limit Commands

    | Chapter: Rate Limit Commands. This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 848 | Chapter: Rate Limit Commands. Example: Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 64 Console(config-if)# Related Command: show interfaces switchport (861)...
  • Page 849: Table 99: ATC Commands

    | Chapter: Automatic Traffic Control Commands. Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port. Table 99: ATC Commands Command Function Mode...
  • Page 850 | Chapter: Automatic Traffic Control Commands. Table 99: ATC Commands (Continued). Command / Function / Mode: snmp-server enable port-traps atc multicast-control-apply / Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires / IC (Port). snmp-server enable port- Sends a trap when multicast traffic falls beneath the...
  • Page 851 | Chapter: Automatic Traffic Control Commands. The traffic control response of rate limiting can be released automatically or manually. The control response of shutting down a port can only be released manually. Figure 405: Storm Control by Shutting Down a Port. The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided.
  • Page 852 | Chapter: Automatic Traffic Control Commands. Command Usage: After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...
  • Page 853 | Chapter: Automatic Traffic Control Commands. Syntax: [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet). Command Usage: Automatic storm control can be enabled for either broadcast or multicast traffic. It cannot be enabled for both of these traffic types at the same time.
  • Page 854 | Chapter: Automatic Traffic Control Commands. Command Mode: Interface Configuration (Ethernet). Command Usage: When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command. When the control response is set to rate limiting by this command, the rate limits are determined by the auto-traffic-control alarm-clear-threshold command.
  • Page 855 | Chapter: Automatic Traffic Control Commands. If rate limiting has been configured as a control response, it will be discontinued after the traffic rate has fallen beneath the lower threshold, and the release timer has expired. Note that if a port has been shut down by a control response, it will not be re-enabled by automatic traffic control.
  • Page 856 | Chapter: Automatic Traffic Control Commands. Example: This example sets the trigger threshold for automatic storm control for broadcast traffic on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast alarm-fire-threshold 255 Console(config-if)# auto-traffic-control auto-control-release: This command automatically releases a control response after the time specified in the auto-traffic-control release-timer command has expired.
  • Page 857 | Chapter: Automatic Traffic Control Commands. Example: Console#auto-traffic-control broadcast control-release interface ethernet 1/1 Console# snmp-server enable port-traps atc This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
  • Page 858 | Chapter: Automatic Traffic Control Commands. Related Commands: auto-traffic-control alarm-fire-threshold (889). snmp-server enable port-traps atc This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
  • Page 859 | Chapter: Automatic Traffic Control Commands. Related Commands: auto-traffic-control alarm-clear-threshold (888), auto-traffic-control action (887), auto-traffic-control release-timer (886). snmp-server enable port-traps atc This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
  • Page 860 | Chapter: Automatic Traffic Control Commands. Related Commands: auto-traffic-control alarm-fire-threshold (889). snmp-server enable port-traps atc This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
  • Page 861 | Chapter: Automatic Traffic Control Commands. Related Commands: auto-traffic-control alarm-clear-threshold (888), auto-traffic-control action (887), auto-traffic-control release-timer (886). show auto-traffic-control: This command shows global configuration settings for automatic storm control. Command Mode: Privileged Exec. Example: Console#show auto-traffic-control Storm-control: Broadcast Apply-timer (sec) : 300 release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec)
  • Page 863: Table 100: Address Table Commands

    | Chapter: Address Table Commands. These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 100: Address Table Commands Command Function Mode mac-address-table aging-time Sets the aging time of the address table...
  • Page 864 | Chapter: Address Table Commands. mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax: mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address.
  • Page 865 | Chapter: Address Table Commands. clear mac-address-table dynamic: This command removes any learned entries from the forwarding database. Default Setting: None. Command Mode: Privileged Exec. Example: Console#clear mac-address-table dynamic Console# show mac-address-table: This command shows classes of entries in the bridge-forwarding database. Syntax: show mac-address-table [address mac-address [mask]] [interface interface]...
  • Page 866 | Chapter: Address Table Commands. and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” The maximum number of address entries is 16K. Example: Console#show mac-address-table Interface MAC Address VLAN Type Life Time...
  • Page 867 | Chapter: Address Table Commands. Example: Console#show mac-address-table count Compute the number of MAC Address... Maximum number of MAC Address which can be created in the system: Total Number of MAC Address : 16384 Number of Static MAC Address : 1024 Current number of entries which have been created in the system: Total Number of MAC Address Number of Static MAC Address...
  • Page 869: Table 101: Spanning Tree Commands

    | Chapter: Spanning Tree Commands. This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 101: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree forward-time Configures the spanning tree bridge forward time...
  • Page 870 | Chapter: Spanning Tree Commands. Table 101: Spanning Tree Commands (Continued). Command / Function: spanning-tree port-bpdu-flooding / Floods BPDUs to other ports when global spanning tree is disabled; spanning-tree port-priority / Configures the spanning tree priority of an interface; spanning-tree root-guard / Prevents a designated port from passing superior BPDUs; spanning-tree spanning- Disables spanning tree for an interface...
  • Page 871 | Chapter: Spanning Tree Commands. spanning-tree forward-time: This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax: spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 872 | Chapter: Spanning Tree Commands. Example: Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands: spanning-tree forward-time (905), spanning-tree max-age (906). spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax: spanning-tree max-age seconds no spanning-tree max-age...
  • Page 873 | Chapter: Spanning Tree Commands. spanning-tree mode: This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax: spanning-tree mode {stp | rstp | mstp} no spanning-tree mode stp - Spanning Tree Protocol (IEEE 802.1D) rstp - Rapid Spanning Tree Protocol (IEEE 802.1w) mstp - Multiple Spanning Tree (IEEE 802.1s) Default...
  • Page 874 | Chapter: Spanning Tree Commands. Example: The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree pathcost method: This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax: spanning-tree pathcost method {long | short}...
  • Page 875 | Chapter: Spanning Tree Commands. Default Setting: 32768. Command Mode: Global Configuration. Command Usage: Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device.
  • Page 876 | Chapter: Spanning Tree Commands. spanning-tree system-bpdu-flooding: This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default. Syntax: spanning-tree system-bpdu-flooding {to-all | to-vlan}...
  • Page 877 | Chapter: Spanning Tree Commands. Example: Console(config)#spanning-tree transmission-limit 4 Console(config)# max-hops: This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax: max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting. Command...
  • Page 878 | Chapter: Spanning Tree Commands. Default Setting: 32768. Command Mode: MST Configuration. Command Usage: MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 879 | Chapter: Spanning Tree Commands. treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example: Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# name: This command configures the name for the multiple spanning tree region in which this switch is located.
  • Page 880 | Chapter: Spanning Tree Commands. Command Mode: MST Configuration. Command Usage: The MST region name (page 913) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 881 | Spanning Tree Commands | spanning-tree bpdu-guard: This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form to disable this feature. Syntax: [no] spanning-tree bpdu-guard. Default Setting: Disabled. Command Mode...
  • Page 882: Table 102: Recommended STA Path Cost Range

    | Spanning Tree Commands | Table 102: Recommended STA Path Cost Range. Columns: Port Type; Short Path Cost (IEEE 802.1D-1998); Long Path Cost (802.1D-2004). Gigabit Ethernet; 3-10; 2,000-200,000. 10G Ethernet; 200-20,000; 200-20,000. Default Setting: By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
  • Page 883 | Spanning Tree Commands | spanning-tree edge-port: This command specifies an interface as an edge port. Use the no form to restore the default. Syntax: [no] spanning-tree edge-port. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
  • Page 884 | Spanning Tree Commands | Command Usage: Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges. When automatic detection is selected, the switch derives the link type from the duplex mode.
  • Page 885 | Spanning Tree Commands | Syntax: spanning-tree loopback-detection release-mode {auto | manual}; no spanning-tree loopback-detection release-mode. auto - Allows a port to automatically be released from the discarding state when the loopback state ends. manual - The port can only be released from the discarding state manually. Default Setting: auto...
  • Page 886 | Spanning Tree Commands | Command Mode: Interface Configuration (Ethernet, Port Channel). Example: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection trap | spanning-tree mst cost: This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode. Syntax: spanning-tree mst instance-id cost cost...
  • Page 887 | Spanning Tree Commands | Example: Console(config)#interface Ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands: spanning-tree mst port-priority (921) | spanning-tree mst port-priority: This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax: spanning-tree mst instance-id port-priority priority; no spanning-tree mst instance-id port-priority...
  • Page 888 | Spanning Tree Commands | Syntax: [no] spanning-tree port-bpdu-flooding. Default Setting: Enabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the spanning-tree system-bpdu-flooding command.
  • Page 889 | Spanning Tree Commands | Example: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree port-priority 0 Related Commands: spanning-tree cost (915) | spanning-tree root-guard: This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.
  • Page 890 | Spanning Tree Commands | spanning-tree spanning-disabled: This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface. Syntax: [no] spanning-tree spanning-disabled. Default Setting: Enabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Example: This example disables the spanning tree algorithm for port 5.
  • Page 891 | Spanning Tree Commands | spanning-tree protocol-migration: This command re-checks the appropriate BPDU format to send on the selected interface. Syntax: spanning-tree protocol-migration interface. interface: ethernet unit/port (unit - Stack unit. (Range: 1-8); port - Port number. (Range: 1-26/50)); port-channel channel-id (Range: 1-32). Command Mode: Privileged Exec. Command...
  • Page 892 | Spanning Tree Commands | Command Usage: Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 893 | Spanning Tree Commands | Spanning-Tree Status : Enabled; Loopback Detection Status : Enabled; Loopback Detection Release Mode : Auto; Loopback Detection Trap : Disabled; Root Guard Status : Disabled; BPDU Guard Status : Disabled; BPDU Filter Status : Disabled | show spanning-tree This command shows the configuration of the multiple spanning tree.
  • Page 895: Table 104: VLAN Commands

    | VLAN Commands | A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 896: Table 105: GVRP and Bridge Extension Commands

    | VLAN Commands | GVRP and Bridge Extension Commands | GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 897 | VLAN Commands | GVRP and Bridge Extension Commands | garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax: garp timer {join | leave | leaveall} timer-value; no garp timer {join | leave | leaveall}. {join | leave | leaveall} - Timer to set.
  • Page 898 | VLAN Commands | GVRP and Bridge Extension Commands | switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax: switchport forbidden vlan {add vlan-list | remove vlan-list}; no switchport forbidden vlan. add vlan-list - List of VLAN identifiers to add.
  • Page 899 | VLAN Commands | GVRP and Bridge Extension Commands | Example: Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# | show bridge-ext: This command shows the configuration for bridge extension commands. Default Setting: None. Command Mode: Privileged Exec. Command Usage: See "Displaying Bridge Extension Capabilities" on page 119 for a description of the displayed items.
  • Page 900: Table 106: Commands for Editing VLAN Groups

    | VLAN Commands | Editing VLAN Groups | Example: Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP Timer Status: Join Timer : 20 centiseconds; Leave Timer : 60 centiseconds; Leave All Timer : 1000 centiseconds Console# Related Commands: garp timer (931) | show gvrp This command shows if GVRP is enabled.
  • Page 901 | VLAN Commands | Editing VLAN Groups | vlan database: This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting: None. Command Mode: Global Configuration. Command Usage: Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
  • Page 902: Table 107: Commands for Configuring VLAN Interfaces

    | VLAN Commands | Configuring VLAN Interfaces | Command Mode: VLAN Database Configuration. Command Usage: no vlan vlan-id deletes the VLAN. no vlan vlan-id name removes the VLAN name. no vlan vlan-id state returns the VLAN to the default state (i.e., active). You can configure up to 4093 VLANs on the switch.
  • Page 903 | VLAN Commands | Configuring VLAN Interfaces | vlan-id - ID of the configured VLAN. (Range: 1-4093, no leading zeroes) Default Setting: None. Command Mode: Global Configuration. Command Usage: Creating a “normal” VLAN with the vlan command initializes it as a Layer 2 interface.
  • Page 904 | VLAN Commands | Configuring VLAN Interfaces | Command Usage: When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example: The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged...
  • Page 905 | VLAN Commands | Configuring VLAN Interfaces | untagged member. Otherwise, it is only necessary to add at most one VLAN as untagged, and this should correspond to the native VLAN for the interface. If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
  • Page 906 | VLAN Commands | Configuring VLAN Interfaces | switchport mode: This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax: switchport mode {hybrid | trunk | private-vlan}; no switchport mode. hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
  • Page 907 | VLAN Commands | Configuring VLAN Interfaces | Command Usage: If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN, the interface will automatically be added to VLAN 1 as an untagged member. For all other VLANs, an interface must first be configured as an untagged member before you can assign its PVID to that group.
  • Page 908: Table 108: Commands for Displaying VLAN Information

    | VLAN Commands | Displaying VLAN Information | automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports. VLAN trunking is mutually exclusive with the “access” switchport mode (see the switchport mode command).
  • Page 909: Table 109: 802.1Q Tunneling Commands

    | VLAN Commands | Configuring IEEE 802.1Q Tunneling | name - Keyword to be followed by the VLAN name. vlan-name - ASCII string from 1 to 32 characters. private-vlan - For an explanation of this command see the show vlan private-vlan command.
  • Page 910 | VLAN Commands | Configuring IEEE 802.1Q Tunneling | Table 109: 802.1Q Tunneling Commands (Command: Function). switchport dot1q-tunnel tpid: Sets the Tag Protocol Identifier (TPID) value of a tunnel port. show dot1q-tunnel: Displays the configuration of QinQ tunnel ports. show interfaces switchport: Displays port QinQ operational status. General Configuration Guidelines for QinQ: Configure the switch to QinQ mode...
  • Page 911 | VLAN Commands | Configuring IEEE 802.1Q Tunneling | Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional. Example: Console(config)#dot1q-tunnel system-tunnel-control Console(config)# Related Commands: show dot1q-tunnel (949), show interfaces switchport (861) | switchport dot1q-...
  • Page 912 | VLAN Commands | Configuring IEEE 802.1Q Tunneling | Example: Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)# Related Commands: show dot1q-tunnel (949), show interfaces switchport (861) | switchport dot1q-tunnel service: This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
  • Page 913 | VLAN Commands | Configuring IEEE 802.1Q Tunneling | When the remove-ctag option is specified, the inner-tag containing the customer’s VID is removed, and the outer-tag containing the service provider’s VID remains in place. Example: This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
  • Page 914 | VLAN Commands | Configuring IEEE 802.1Q Tunneling | Default Setting: 0x8100. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
  • Page 915: Table 110: Commands For Configuring Traffic Segmentation

    | VLAN Commands | Configuring Port-based Traffic Segmentation | Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
  • Page 916 | VLAN Commands | Configuring Port-based Traffic Segmentation | Default Setting: Disabled globally. No segmented port groups are defined. Command Mode: Global Configuration. Command Usage: Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s).
  • Page 917: Table 111: Private VLAN Commands

    | VLAN Commands | Configuring Private VLANs | Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other hosts within the community VLAN and with any of the...
  • Page 918 | VLAN Commands | Configuring Private VLANs | Use the switchport private-vlan mapping command to assign a port to a primary VLAN. Use the show vlan private-vlan command to verify your configuration settings. | private-vlan: Use this command to create a primary or community private VLAN. Use the no form to remove the specified private VLAN.
  • Page 919 | VLAN Commands | Configuring Private VLANs | private vlan association: Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax: private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id}; no private-vlan primary-vlan-id association. primary-vlan-id - ID of primary VLAN.
  • Page 920 | VLAN Commands | Configuring Private VLANs | Command Usage: To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command. Example: Console(config)#interface ethernet 1/2 Console(config-if)#switchport mode private-vlan promiscuous Console(config-if)#exit...
  • Page 921 | VLAN Commands | Configuring Private VLANs | Default Setting: None. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: Promiscuous ports assigned to a primary VLAN can communicate with any other promiscuous ports in the same VLAN, and with the group members within any associated secondary VLANs.
  • Page 922: Table 112: Protocol-Based VLAN Commands

    | VLAN Commands | Configuring Protocol-based VLANs | The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 923 | VLAN Commands | Configuring Protocol-based VLANs | protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frame types include: arp, ip, ipv6, rarp. Default Setting: No protocol groups are configured. Command Mode: Global Configuration. Example...
  • Page 924 | VLAN Commands | Configuring Protocol-based VLANs | If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Example: The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
  • Page 925: Table 113: IP Subnet VLAN Commands

    | VLAN Commands | Configuring IP Subnet VLANs | Default Setting: The mapping for all interfaces is displayed. Command Mode: Privileged Exec. Example: This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port ProtocolGroup ID...
  • Page 926 | VLAN Commands | Configuring IP Subnet VLANs | subnet-vlan: This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment. Syntax: subnet-vlan subnet ip-address mask vlan vlan-id [priority priority]; no subnet-vlan subnet {ip-address mask | all}. ip-address –...
  • Page 927: Table 114: MAC Based VLAN Commands

    | VLAN Commands | Configuring MAC Based VLANs | Command Usage: Use this command to display subnet-to-VLAN mappings. The last matched entry is used if more than one entry can be matched. Example: The following example displays all configured IP subnet-based VLANs. Console#show subnet-vlan IP Address Mask...
  • Page 928 | VLAN Commands | Configuring MAC Based VLANs | mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. vlan-id – VLAN to which the matching source MAC address traffic is forwarded.
  • Page 929: Table 115: Voice VLAN Commands

    | VLAN Commands | Configuring Voice VLANs | The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
  • Page 930 | VLAN Commands | Configuring Voice VLANs | Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN. The Voice VLAN ID cannot be modified when the global auto-detection status is enabled (see the switchport voice vlan command).
  • Page 931 | VLAN Commands | Configuring Voice VLANs | voice vlan mac-address: This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list. Syntax: voice vlan mac-address mac-address mask mask-address [description description]; no voice vlan mac-address mac-address mask mask-address. mac-address - Defines a MAC address OUI that identifies VoIP devices in the...
  • Page 932 | VLAN Commands | Configuring Voice VLANs | switchport voice vlan: This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax: switchport voice vlan {manual | auto}; no switchport voice vlan. manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 933 | VLAN Commands | Configuring Voice VLANs | Command Usage: Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
  • Page 934 | VLAN Commands | Configuring Voice VLANs | Syntax: [no] switchport voice vlan security. Default Setting: Disabled. Command Mode: Interface Configuration. Command Usage: Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch.
  • Page 935 | VLAN Commands | Configuring Voice VLANs | (minutes) -------- -------- -------- --------- -------- ------------- Eth 1/ 1 Auto Enabled OUI 6 100 Eth 1/ 2 Disabled Disabled OUI 6 NA Eth 1/ 3 Manual Enabled OUI 5 100 Eth 1/ 4 Auto Enabled OUI 6 100 Eth 1/ 5 Disabled Disabled OUI...
  • Page 937: Table 116: Priority Commands

    | Class of Service Commands | Priority Commands (Layer 2) | The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 938: Table 118: Default CoS Priority Levels

    | Class of Service Commands | Priority Commands (Layer 2) | queue cos-map: This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 7). Use the no form to set the CoS map to the default values.
  • Page 939 | Class of Service Commands | Priority Commands (Layer 2) | queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
  • Page 940 | Class of Service Commands | Priority Commands (Layer 2) | Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
  • Page 941 | Class of Service Commands | Priority Commands (Layer 2) | Related Commands: queue mode (973), show queue weight (977) | switchport priority default: This command sets a priority for incoming untagged frames. Use the no form to restore the default value. Syntax: switchport priority default default-priority-id; no switchport priority default...
  • Page 942 | Class of Service Commands | Priority Commands (Layer 2) | show queue cos-map: This command shows the class of service priority map. Syntax: show queue cos-map [interface]. interface: ethernet unit/port (unit - Stack unit. (Range: 1-8); port - Port number. (Range: 1-26/50)); port-channel channel-id (Range: 1-32). Default Setting...
  • Page 943: Table 119: Priority Commands (Layer 3 and 4)

    | Class of Service Commands | Priority Commands (Layer 3 and 4) | show queue weight: This command displays the weights used for the weighted queues. Syntax: show queue mode interface. interface: ethernet unit/port (unit - Stack unit. (Range: 1-8); port - Port number. (Range: 1-26/50)); port-channel channel-id (Range: 1-32). Command Mode: Privileged Exec...
  • Page 944 | Class of Service Commands | Priority Commands (Layer 3 and 4) | map ip dscp (Global Configuration): This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax: [no] map ip dscp. Default Setting: Disabled...
  • Page 945: Table 120: Mapping IP DSCP to CoS Values

    | Class of Service Commands | Priority Commands (Layer 3 and 4) | map ip precedence (Global Configuration): This command enables IP precedence mapping (i.e., IP Type of Service). Use the no form to disable IP precedence mapping. Syntax: [no] map ip precedence. Default Setting: Disabled...
  • Page 946 | Class of Service Commands | Priority Commands (Layer 3 and 4) | Table 120: Mapping IP DSCP to CoS Values. IP DSCP Value; CoS Value: 26, 28, 30, 32, 34, 36 38, 40, 42 46, 56. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and...
  • Page 947: Table 121: Mapping IP Precedence to CoS Values

    | Class of Service Commands | Priority Commands (Layer 3 and 4) | Up to 8 entries can be specified for IP Port priority mapping. This command sets the IP port priority for all interfaces. Example: The following example shows how to map HTTP traffic to CoS value 0: Console(config)#interface ethernet 1/5 Console(config-if)#map ip port 80 cos 0 Console(config-if)#...
  • Page 948 | Class of Service Commands | Priority Commands (Layer 3 and 4) | Console(config)#interface ethernet 1/5 Console(config-if)#map ip precedence 1 cos 0 Console(config-if)# | show map ip dscp: This command shows the IP DSCP priority map. Syntax: show map ip dscp [interface]. interface: ethernet unit/port (unit - Stack unit.
  • Page 949 | Class of Service Commands | Priority Commands (Layer 3 and 4) | show map ip port: This command shows the IP port priority map. Syntax: show map ip port [interface]. interface: ethernet unit/port (unit - Stack unit. (Range: 1-8); port - Port number. (Range: 1-26/50)); port-channel channel-id (Range: 1-32). Command Mode: Privileged Exec...
  • Page 951: Table 122: Quality Of Service Commands

    | Quality of Service Commands | The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 952 | Quality of Service Commands | Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode. Use the class command to identify the class map, and enter Policy Map Class configuration mode.
  • Page 953 | Quality of Service Commands | Console(config)#class-map rd-class match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)# Related Commands: show class-map (998) | description: This command specifies the description of a class map or policy map. Syntax: description string. string - Description of the class map or policy map. (Range: 1-64 characters) Command Mode: Class Map Configuration...
  • Page 954 | Quality of Service Commands | Command Usage: First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the fields within ingress packets that must match to qualify for this class map. If an ingress packet matches an ACL specified by this command, any deny rules included in the ACL will be ignored.
  • Page 955 | Quality of Service Commands | Command Mode: Class Map Configuration, Policy Map Configuration. Example: Console(config)#class-map rd-class#1 Console(config-cmap)#rename rd-class#9 Console(config-cmap)# | policy-map: This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map. Syntax: [no] policy-map policy-map-name. policy-map-name - Name of the policy map.
  • Page 956 | Quality of Service Commands | class: This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map. Syntax: [no] class class-map-name. class-map-name - Name of the class map. (Range: 1-16 characters) Default Setting: None...
  • Page 957 | Quality of Service Commands | police flow: This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer. Syntax: [no] police flow committed-rate committed-burst violate-action {drop | new-dscp}. committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 64-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) committed-burst - Committed burst size (BC) in bytes.
  • Page 958 | Quality of Service Commands | Example: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
  • Page 959 | Quality of Service Commands | Command Usage: You can configure up to 16 policers (i.e., class maps) for ingress ports. The committed-rate cannot exceed the configured interface speed, and the committed-burst and excess-burst cannot exceed 16 Mbytes. The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters –...
  • Page 960 | Quality of Service Commands | BC, that is, tokens of a given color are always spent on packets of that color. Refer to RFC 2697 for more information on other aspects of srTCM. Example: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,”...
  • Page 961 | Quality of Service Commands | Default Setting: None. Command Mode: Policy Map Class Configuration. Command Usage: You can configure up to 16 policers (i.e., class maps) for ingress ports. The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes. The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates –...
  • Page 962 | Quality of Service Commands | - if the packet has been precolored as yellow or if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else - the packet is green and both Tp and Tc are decremented by B. The trTCM can be used to mark an IP packet stream in a service, where different, decreasing levels of assurances (either absolute or relative) are given to packets which are green, yellow, or red.
  • Page 963 | Quality of Service Commands | Each of these commands functions at the same level of priority. Therefore setting any one of these commands will overwrite the action configured by the last set command. Example: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,”...
  • Page 964 | Quality of Service Commands | show class-map: This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax: show class-map [class-map-name]. class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting: Displays all class maps. Command Mode: Privileged Exec. Example...
  • Page 965 | Quality of Service Commands | class rd-class set cos 3 Console#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set cos 3 Console# | show policy-map interface: This command displays the service policy assigned to the specified interface. Syntax: show policy-map interface interface input. interface unit/port...
  • Page 967: Table 123: Multicast Filtering Commands

    | Multicast Filtering Commands | IGMP Snooping | This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 968 | Multicast Filtering Commands | IGMP Snooping: Table 124: IGMP Snooping Commands (Continued). Columns: Command, Function, Mode. ip igmp snooping querier: Allows this device to act as the querier for IGMP snooping; ip igmp snooping router-alert-option-check: Discards any IGMPv2/v3 packets that do not include the Router Alert option; ip igmp snooping router-port-...
  • Page 969 | Multicast Filtering Commands | IGMP Snooping: ip igmp snooping This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it. SYNTAX [no] ip igmp snooping [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4093) DEFAULT SETTING Enabled...
  • Page 970 | Multicast Filtering Commands | IGMP Snooping: COMMAND USAGE • When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including report suppression, last leave, and query suppression. Report suppression intercepts, absorbs and summarizes IGMP reports coming from downstream hosts.
  • Page 971 | Multicast Filtering Commands | IGMP Snooping: DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DOS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with a large source list and the Maximum Response Time set to a large value.
  • Page 972 | Multicast Filtering Commands | IGMP Snooping: SYNTAX [no] ip igmp snooping tcn-flood DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE • When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change.
  • Page 973 | Multicast Filtering Commands | IGMP Snooping: ip igmp snooping tcn-query-solicit This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature. SYNTAX [no] ip igmp snooping tcn-query-solicit DEFAULT...
  • Page 974 | Multicast Filtering Commands | IGMP Snooping: VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN. EXAMPLE Console(config)#ip igmp snooping unregistered-data-flood Console(config)# ip igmp snooping unsolicited-report- This command specifies how often the upstream interface should transmit unsolicited IGMP reports when report suppression/proxy reporting is enabled....
  • Page 975 | Multicast Filtering Commands | IGMP Snooping: 2 - IGMP Version 2 3 - IGMP Version 3 DEFAULT SETTING Global: IGMP Version 2 VLAN: Not configured, based on global setting COMMAND MODE Global Configuration COMMAND USAGE • This command configures the IGMP report/query version used by IGMP snooping....
  • Page 976 | Multicast Filtering Commands | IGMP Snooping: When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command). EXAMPLE Console(config)#ip igmp snooping version-exclusive Console(config)# ip igmp snooping vlan general-query- This command suppresses general queries except for ports attached to downstream multicast hosts....
  • Page 977 | Multicast Filtering Commands | IGMP Snooping: COMMAND MODE Global Configuration COMMAND USAGE If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period.
  • Page 978 | Multicast Filtering Commands | IGMP Snooping: EXAMPLE Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7 Console(config)# ip igmp snooping vlan last-memb-query-intvl This command configures the last-member-query interval. Use the no form to restore the default. SYNTAX ip igmp snooping vlan vlan-id last-memb-query-intvl interval no ip igmp snooping vlan vlan-id last-memb-query-intvl vlan-id - VLAN ID (Range: 1-4093) interval - The interval to wait for a response to a group-specific or group-and-...
  • Page 979 | Multicast Filtering Commands | IGMP Snooping: DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE • Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers.
  • Page 980 | Multicast Filtering Commands | IGMP Snooping: COMMAND MODE Global Configuration COMMAND USAGE IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 981 | Multicast Filtering Commands | IGMP Snooping: EXAMPLE Console(config)#ip igmp snooping vlan 1 query-interval 150 Console(config)# ip igmp snooping vlan query-resp-intvl This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default. SYNTAX ip igmp snooping vlan vlan-id query-resp-intvl interval...
  • Page 982 | Multicast Filtering Commands | IGMP Snooping: DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE • Static multicast entries are never aged out. When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. EXAMPLE The following shows how to statically configure a multicast group on a port.
  • Page 983 | Multicast Filtering Commands | IGMP Snooping: Last member query count General query suppression : Disabled Query interval : 125 Query response interval : 100 (1/10s) Proxy query address : 0.0.0.0 Proxy reporting : Using global status (Disabled) Multicast Router Discovery : Enabled show ip igmp This command shows known multicast group, source, and host port mappings for the...
  • Page 984: Table 125: Static Multicast Interface Commands

    | Multicast Filtering Commands | Static Multicast Routing: igmp-snooping - Display only entries learned through IGMP snooping. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Member types displayed include IGMP or USER, depending on selected options. EXAMPLE The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 VLAN M'cast IP addr.
  • Page 985 | Multicast Filtering Commands | Static Multicast Routing: DEFAULT SETTING No static multicast router ports are configured. COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
  • Page 986: Table 126: Igmp Filtering And Throttling Commands

    | Multicast Filtering Commands | IGMP Filtering and Throttling: IGMP FILTERING AND THROTTLING In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
  • Page 987 | Multicast Filtering Commands | IGMP Filtering and Throttling: one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the IGMP join report is forwarded as normal.
  • Page 988 | Multicast Filtering Commands | IGMP Filtering and Throttling: DEFAULT SETTING Deny COMMAND MODE IGMP Profile Configuration COMMAND USAGE • Each profile has only one access mode; either permit or deny. When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
  • Page 989 | Multicast Filtering Commands | IGMP Filtering and Throttling: ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. SYNTAX [no] ip igmp filter profile-number profile-number - An IGMP filter profile number.
  • Page 990 | Multicast Filtering Commands | IGMP Filtering and Throttling: switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
  • Page 991 | Multicast Filtering Commands | IGMP Filtering and Throttling: DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE This command can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier.
  • Page 992 | Multicast Filtering Commands | IGMP Filtering and Throttling: interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number. (Range: 1-26/50) port-channel channel-id (Range: 1-32) DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console#show ip igmp filter IGMP filter enabled Console#show ip igmp filter interface ethernet 1/1 Ethernet 1/1 information ---------------------------------...
  • Page 993 | Multicast Filtering Commands | IGMP Filtering and Throttling: show ip igmp query-drop This command shows if the specified interface is configured to drop IGMP query packets. SYNTAX show ip igmp throttle interface [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
  • Page 994 | Multicast Filtering Commands | IGMP Filtering and Throttling: COMMAND USAGE Using this command without specifying an interface displays all interfaces. EXAMPLE Console#show ip igmp throttle interface ethernet 1/1 Eth 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console# show ip multicast-...
  • Page 995: Table 127: Multicast Vlan Registration Commands

    | Multicast Filtering Commands | Multicast VLAN Registration: MULTICAST VLAN REGISTRATION This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
  • Page 996 | Multicast Filtering Commands | Multicast VLAN Registration: The default number of contiguous addresses is 0. MVR VLAN ID is 1. COMMAND MODE Global Configuration COMMAND USAGE • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • Page 997 | Multicast Filtering Commands | Multicast VLAN Registration: COMMAND MODE Global Configuration EXAMPLE Console(config)#mvr upstream-source-ip 192.168.0.3 Console(config)# mvr immediate-leave This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.
  • Page 998 | Multicast Filtering Commands | Multicast VLAN Registration: mvr type This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. SYNTAX [no] mvr type {receiver | source} receiver - Configures the interface as a subscriber port that can receive multicast data.
  • Page 999 | Multicast Filtering Commands | Multicast VLAN Registration: mvr vlan group This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
  • Page 1000: Table 128: Show Mvr - Display Description

    | Multicast Filtering Commands | Multicast VLAN Registration: show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
