Black Box LGB6026A Management Manual

Gigabit L3 Managed Switch with 10G Uplinks, 24-Port or 48-Port
Management Guide
This smart, stackable switch offers 10-Gbps uplinks plus full SNMP
and Web management.
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com

BLACK BOX®
LGB6026A
LGB6050A

Summary of Contents for Black Box LGB6026A

  • Page 2 Trademarks Used in this Manual Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Any other trademarks mentioned in this manual are acknowledged to be the property of the trademark owners. 724-746-5500 | blackbox.com...
  • Page 3 We’re here to help! If you have any questions about your application or our products, contact Black Box Tech Support at 724-746-5500 or go to blackbox.com and click on “Talk to Black Box.” You’ll be live with one of our technical experts in less than 30 seconds.
  • Page 4 Management Guide: LGB6026A Gigabit Ethernet Switch, Layer 3 Switch with 20 10/100/1000BASE-T (RJ-45) Ports, 4 Gigabit Combination Ports (RJ-45/SFP), 2 10-Gigabit Extender Module Slots, and 2 Stacking Ports; LGB6050A Gigabit Ethernet Switch, Layer 3 Switch...
  • Page 5: About This Guide

    About This Guide. Purpose: This guide gives specific information on how to operate and use the management functions of the switch. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 7: Table Of Contents

    Contents: About This Guide; Contents; Figures; Tables; Section I: Getting Started; Introduction; Key Features; Description of Software Features; Configuration Backup and Restore; Authentication; Access Control Lists; DHCP; Port Configuration; Port Mirroring; Port Trunking; Rate Limiting; Broadcast Storm Control; Static Addresses; IEEE 802.1D Bridge; Store-and-Forward Switching; Spanning Tree Algorithm; Virtual LANs...
  • Page 8 Contents: Address Resolution Protocol; Multicast Filtering; Multicast Routing; Tunneling; System Defaults; Initial Switch Configuration; Connecting to the Switch; Configuration Options; Required Connections; Remote Connections; Basic Configuration; Console Connection; Setting Passwords; Setting an IP Address; Enabling SNMP Management Access; Managing System Files; Saving or Restoring Configuration Settings; Section: Web Configuration...
  • Page 9 Contents: Showing System Files; Setting the System Clock; Setting the Time Manually; Configuring SNTP; Specifying SNTP Time Servers; Setting the Time Zone; Console Port Settings; Telnet Settings; Displaying CPU Utilization; Displaying Memory Utilization; Resetting the System; Interface Configuration; Port Configuration; Configuring by Port List; Configuring by Port Range; Displaying Connection Status...
  • Page 10 Contents: Private VLANs; Creating Private VLANs; Associating Private VLANs; Configuring Private VLAN Interfaces; IEEE 802.1Q Tunneling; Enabling QinQ Tunneling on the Switch; Adding an Interface to a QinQ Tunnel; Protocol VLANs; Configuring Protocol VLAN Groups; Mapping Protocol Groups to Interfaces; Configuring IP Subnet VLANs; Configuring MAC-based VLANs; Address...
  • Page 11 Contents: Creating QoS Policies; Attaching a Policy Map to a Port; 13 VoIP Traffic Configuration; Overview; Configuring VoIP Traffic; Configuring Telephony OUI; Configuring VoIP Traffic Ports; 14 Security Measures; AAA Authorization and Accounting; Configuring Local/Remote Logon Authentication; Configuring Remote Logon Authentication Servers; Configuring AAA Accounting; Configuring AAA Authorization...
  • Page 12 Contents: Configuring an Extended IPv6 ACL; Configuring a MAC ACL; Configuring an ARP ACL; Binding a Port to an Access Control List; ARP Inspection; Configuring Global Settings for ARP Inspection; Configuring VLAN Settings for ARP Inspection; Configuring Interface Settings for ARP Inspection; Displaying ARP Inspection Statistics; Displaying the ARP Inspection Log; Filtering IP Addresses for Management Access...
  • Page 13 Contents: Simple Network Management Protocol; Configuring Global Settings for SNMP; Setting the Local Engine ID; Specifying a Remote Engine ID; Setting SNMPv3 Views; Configuring SNMPv3 Groups; Setting Community Access Strings; Configuring Local SNMPv3 Users; Configuring Remote SNMPv3 Users; Specifying Trap Managers; Remote Monitoring; Configuring RMON Alarms; Configuring RMON Events...
  • Page 14 Contents: Configuring MVR Interface Status; Assigning Static Multicast Groups to Interfaces; Showing Multicast Groups Assigned to Interfaces; 17 IP Configuration; Setting the Switch’s IP Address (IP Version 4); Setting the Switch’s IP Address (IP Version 6); Configuring the IPv6 Default Gateway; Configuring IPv6 Interface Settings; Configuring an IPv6 Address; Showing IPv6 Addresses...
  • Page 15 Contents: 20 IP Services; Domain Name Service; Configuring General DNS Service Parameters; Configuring a List of Domain Names; Configuring a List of Name Servers; Configuring Static DNS Host to Address Entries; Displaying the DNS Cache; Dynamic Host Configuration Protocol; Configuring DHCP Relay Service; Configuring the DHCP Server; Forwarding UDP Service Requests...
  • Page 16 Contents: Configuring Area Ranges (Route Summarization for ABRs); Redistributing External Routes; Configuring Summary Addresses (for External AS Routes); Configuring OSPF Interfaces; Configuring Virtual Links; Displaying Link State Database Information; Displaying Information on Virtual Links; Displaying Information on Neighboring Routers; 22 Multicast Routing; Overview...
  • Page 17 Contents: Minimum Abbreviation; Command Completion; Getting Help on Commands; Partial Keyword Lookup; Negating the Effect of Commands; Using Command History; Understanding Command Modes; Exec Commands; Configuration Commands; Command Line Processing; CLI Command Groups; 24 General Commands: prompt; reload (Global Configuration); enable; quit; show history...
  • Page 18 Contents: Fan Control: fan-speed force-full; File Management: boot system; copy; delete; whichboot; Line: line; databits; exec-timeout; login; parity; password; password-thresh; silent-time; speed; stopbits; timeout login response; disconnect; show line; Event Logging: logging facility; logging history; logging host; logging on; logging trap; clear log; show log; show logging...
  • Page 19 Contents: logging sendmail source-email; show logging sendmail; Time: sntp client; sntp poll; sntp server; show sntp; clock timezone; calendar set; show calendar; Time Range: time-range; absolute; periodic; show time-range; 26 SNMP Commands: snmp-server; snmp-server community; snmp-server contact; snmp-server location; show snmp; snmp-server enable traps; snmp-server host...
  • Page 20 Contents: 27 Remote Monitoring Commands: rmon alarm; rmon event; rmon collection history; rmon collection stats; show rmon alarm; show rmon event; show rmon history; show rmon statistics; 28 Flow Sampling Commands: sflow destination; sflow max-datagram-size; sflow max-header-size; sflow owner; sflow sample; sflow source; sflow timeout...
  • Page 21 Contents: tacacs-server key; tacacs-server port; show tacacs-server; aaa accounting commands; aaa accounting dot1x; aaa accounting exec; aaa accounting update; aaa authorization exec; aaa group server; server; accounting dot1x; accounting exec; authorization exec; show accounting; Web Server: ip http port; ip http server; ip http secure-server; ip http secure-port; Telnet Server...
  • Page 22 Contents: show ssh; 802.1X Port Authentication: dot1x default; dot1x eapol-pass-through; dot1x system-auth-control; dot1x intrusion-action; dot1x max-req; dot1x operation-mode; dot1x port-control; dot1x re-authentication; dot1x timeout quiet-period; dot1x timeout re-authperiod; dot1x timeout supp-timeout; dot1x timeout tx-period; dot1x re-authenticate; show dot1x; Management IP Filter: management; show management; 30 G...
  • Page 23 Contents: network-access port-mac-filter; mac-authentication intrusion-action; mac-authentication max-mac-count; show network-access; show network-access mac-address-table; show network-access mac-filter; Web Authentication: web-auth login-attempts; web-auth quiet-period; web-auth session-timeout; web-auth system-auth-control; web-auth; web-auth re-authenticate (Port); web-auth re-authenticate (IP); show web-auth; show web-auth interface; show web-auth summary; DHCP Snooping: ip dhcp snooping; ip dhcp snooping database flash...
  • Page 24 Contents: ip arp inspection filter; ip arp inspection log-buffer logs; ip arp inspection validate; ip arp inspection vlan; ip arp inspection limit; ip arp inspection trust; show ip arp inspection configuration; show ip arp inspection interface; show ip arp inspection log; show ip arp inspection statistics; show ip arp inspection vlan; 31 A...
  • Page 25 Contents: ACL Information: show access-group; show access-list; 32 Interface Commands: interface; alias; capabilities; description; flowcontrol; media-type; negotiation; shutdown; speed-duplex; switchport packet-rate; clear counters; show interfaces counters; show interfaces status; show interfaces switchport; show interfaces transceiver; test loop internal; show loop internal; 33 Link Aggregation Commands...
  • Page 26 Contents: 36 Address Table Commands: mac-address-table aging-time; mac-address-table static; clear mac-address-table dynamic; show mac-address-table; show mac-address-table aging-time; show mac-address-table count; 37 Spanning Tree Commands: spanning-tree; spanning-tree forward-time; spanning-tree hello-time; spanning-tree max-age; spanning-tree mode; spanning-tree pathcost method; spanning-tree priority; spanning-tree mst configuration; spanning-tree transmission-limit; max-hops; mst priority...
  • Page 27 Contents: spanning-tree protocol-migration; show spanning-tree; show spanning-tree mst configuration; 38 VLAN Commands; GVRP and Bridge Extension Commands: bridge-ext gvrp; garp timer; switchport forbidden vlan; switchport gvrp; show bridge-ext; show garp timer; show gvrp configuration; Editing VLAN Groups: vlan database; vlan; Configuring VLAN Interfaces: interface vlan...
  • Page 28 Contents: switchport mode private-vlan; switchport private-vlan host-association; switchport private-vlan mapping; show vlan private-vlan; Configuring Protocol-based VLANs: protocol-vlan protocol-group (Configuring Groups); protocol-vlan protocol-group (Configuring Interfaces); show protocol-vlan protocol-group; show interfaces protocol-vlan protocol-group; Configuring IP Subnet VLANs: subnet-vlan; show subnet-vlan; Configuring MAC Based VLANs: mac-vlan; show mac-vlan; Configuring Voice VLANs...
  • Page 29 Contents: map ip precedence (Global Configuration); map ip dscp (Interface Configuration); map ip port (Interface Configuration); map ip precedence (Interface Configuration); show map ip dscp; show map ip port; show map ip precedence; 40 Quality of Service Commands: class-map; description; match; rename...
  • Page 30 Contents: ip igmp snooping vlan general-query-suppression; ip igmp snooping vlan immediate-leave; ip igmp snooping vlan last-memb-query-count; ip igmp snooping vlan last-memb-query-intvl; ip igmp snooping vlan mrd; ip igmp snooping vlan proxy-address; ip igmp snooping vlan query-interval; ip igmp snooping vlan query-resp-intvl; ip igmp snooping vlan static; show ip igmp snooping; show ip igmp snooping group...
  • Page 31 Contents: ip igmp query-interval; ip igmp robustval; ip igmp static-group; ip igmp version; clear ip igmp group; show ip igmp groups; show ip igmp interface 1000; IGMP Proxy Routing 1001; ip igmp proxy 1001; ip igmp proxy unsolicited-report-interval 1002; MLD (Layer 3) 1003; ipv6 mld 1003...
  • Page 32 Contents: lldp basic-tlv system-name 1022; lldp dot1-tlv proto-ident 1023; lldp dot1-tlv proto-vid 1023; lldp dot1-tlv pvid 1024; lldp dot1-tlv vlan-name 1024; lldp dot3-tlv link-agg 1025; lldp dot3-tlv mac-phy 1025; lldp dot3-tlv max-frame 1026; lldp notification 1026; show lldp config 1027; show lldp info local-device 1028; show lldp info remote-device...
  • Page 33 Contents: bootfile 1049; client-identifier 1050; default-router 1051; dns-server 1051; domain-name 1052; hardware-address 1052; host 1053; lease 1054; netbios-name-server 1055; netbios-node-type 1056; network 1056; next-server 1057; clear ip dhcp binding 1058; show ip dhcp binding 1058; show ip dhcp 1059; 45 VRRP Commands 1061: vrrp authentication...
  • Page 34 Contents: ARP Configuration 1077 1078; arp timeout 1079; ip proxy-arp 1079; clear arp-cache 1080; show arp 1080; UDP Helper Configuration 1081; ip forward-protocol udp 1081; ip helper 1082; ip helper-address 1083; show ip helper 1084; IPv6 Interface 1085; ipv6 default-gateway 1086; ipv6 address 1087...
  • Page 35 Contents: show ip traffic 1113; ipv6 route 1114; show ipv6 route 1116; Routing Information Protocol (RIP) 1117; router rip 1118; default-information originate 1118; default-metric 1119; distance 1120; maximum-prefix 1121; neighbor 1121; network 1122; passive-interface 1123; redistribute 1124; timers basic 1125; version 1126; ip rip authentication mode...
  • Page 36 Contents: redistribute 1145; summary-address 1146; area nssa 1147; area stub 1149; area virtual-link 1150; network area 1152; ip ospf authentication 1153; ip ospf authentication-key 1155; ip ospf cost 1156; ip ospf dead-interval 1157; ip ospf hello-interval 1158; ip ospf message-digest-key 1158; ip ospf priority 1159...
  • Page 37 Contents: ipv6 router ospf area 1189; ipv6 router ospf tag area 1190; ipv6 ospf cost 1191; ipv6 ospf dead-interval 1192; ipv6 ospf hello-interval 1193; ipv6 ospf priority 1193; ipv6 ospf retransmit-interval 1194; ipv6 ospf transmit-delay 1195; passive-interface 1196; show ipv6 ospf 1197; show ipv6 ospf database 1198...
  • Page 38 Contents: show ip pim neighbor 1222; ip pim graft-retry-interval 1222; ip pim max-graft-retries 1223; ip pim state-refresh origination-interval 1223; ip pim bsr-candidate 1224; ip pim register-rate-limit 1225; ip pim register-source 1226; ip pim rp-address 1227; ip pim rp-candidate 1228; ip pim spt-threshold 1230; ip pim dr-priority 1231...
  • Page 39 Contents: Management Features 1251; Standards 1251; Management Information Bases 1252; 1255 Troubleshooting; Problems Accessing the Management Interface 1255; Using System Logs 1256; 1257 License Information; The GNU General Public License 1257; 1261 Glossary; 1269 Command...; 1277 Index
  • Page 41: Figures

    Figures: Figure 1: Home Page; Figure 2: Front Panel Indicators; Figure 3: System Information; Figure 4: General Switch Information; Figure 5: Configuring Support for Jumbo Frames; Figure 6: Displaying Bridge Extension Configuration; Figure 7: Copy Firmware; Figure 8: Saving the Running Configuration; Figure 9: Setting Start-Up Files; Figure 10: Displaying System Files; Figure 11: Manually Setting the System Clock...
  • Page 42 Figures: Figure 32: Creating Static Trunks; Figure 33: Adding Static Trunks Members; Figure 34: Configuring Connection Parameters for a Static Trunk; Figure 35: Displaying Connection Parameters for Static Trunks; Figure 36: Configuring Dynamic Trunks; Figure 37: Configuring the LACP Aggregator Admin Key; Figure 38: Enabling LACP on a Port; Figure 39: Configuring LACP Parameters on a Port; Figure 40: Showing Members of a Dynamic Trunk...
  • Page 43 Figures: Figure 68: QinQ Operational Concept; Figure 69: Enabling QinQ Tunneling; Figure 70: Adding an Interface to a QinQ Tunnel; Figure 71: Configuring Protocol VLANs; Figure 72: Displaying Protocol VLANs; Figure 73: Assigning Interfaces to Protocol VLANs; Figure 74: Showing the Interface to Protocol Group Mapping; Figure 75: Configuring IP Subnet VLANs; Figure 76: Showing IP Subnet VLANs; Figure 77: Configuring MAC-Based VLANs...
  • Page 44 Figures: Figure 104: Configuring Rate Limits; Figure 105: Configuring Broadcast Storm Control; Figure 106: Setting the Default Port Priority; Figure 107: Setting the Queue Mode (Strict); Figure 108: Setting the Queue Mode (WRR); Figure 109: Setting the Queue Mode (Strict and WRR); Figure 110: Configuring a Class Map; Figure 111: Showing Class Maps; Figure 112: Adding Rules to a Class Map...
  • Page 45 Figures: Figure 140: Configuring User Accounts; Figure 141: Showing User Accounts; Figure 142: Configuring Global Settings for Web Authentication; Figure 143: Configuring Interface Settings for Web Authentication; Figure 144: Configuring Global Settings for Network Access; Figure 145: Configuring Interface Settings for Network Access; Figure 146: Configuring Link Detection for Network Access; Figure 147: Configuring a MAC Address Filter for Network Access; Figure 148: Showing the MAC Address Filter Table for Network Access...
  • Page 46 Figures: Figure 176: Showing IP Addresses Authorized for Management Access; Figure 177: Configuring Port Security; Figure 178: Configuring Port Security; Figure 179: Configuring Global Settings for 802.1X Port Authentication; Figure 180: Configuring Interface Settings for 802.1X Port Authenticator; Figure 181: Showing Statistics for 802.1X Port Authenticator; Figure 182: Setting the Filter Type for IP Source Guard; Figure 183: Configuring Static Bindings for IP Source Guard; Figure 184: Displaying Static Bindings for IP Source Guard...
  • Page 47 Figures: Figure 212: Setting Community Access Strings; Figure 213: Showing Community Access Strings; Figure 214: Configuring Local SNMPv3 Users; Figure 215: Showing Local SNMPv3 Users; Figure 216: Configuring Remote SNMPv3 Users; Figure 217: Showing Remote SNMPv3 Users; Figure 218: Configuring Trap Managers (SNMPv1); Figure 219: Configuring Trap Managers (SNMPv2c); Figure 220: Configuring Trap Managers (SNMPv3); Figure 221: Showing Trap Managers...
  • Page 48 Figures: Figure 248: Showing the Groups Assigned to an IGMP Filtering Profile; Figure 249: Configuring IGMP Filtering and Throttling Interface Settings; Figure 250: IGMP Proxy Routing; Figure 251: Configuring IGMP Proxy Routing; Figure 252: Configuring IGMP Interface Settings; Figure 253: Configuring Static IGMP Groups; Figure 254: Showing Static IGMP Groups; Figure 255: Displaying Multicast Groups Learned from IGMP (Information); Figure 256: Displaying Multicast Groups Learned from IGMP (Detail)
  • Page 49 Figures: Figure 284: Displaying Dynamic ARP Entries; Figure 285: Displaying Local ARP Entries; Figure 286: Displaying ARP Statistics; Figure 287: Configuring Static Routes; Figure 288: Displaying Static Routes; Figure 289: Displaying the Routing Table; Figure 290: Setting the Maximum ECMP Number; Figure 291: Master Virtual Router with Backup Routers; Figure 292: Several Virtual Master Routers Using Backup Routers; Figure 293: Several Virtual Master Routers Configured for Mutual Backup and Load...
  • Page 50 Figures: Figure 320: Specifying UDP Destination Ports; Figure 321: Showing the UDP Destination Ports; Figure 322: Specifying the Target Server or Subnet for UDP Requests; Figure 323: Showing the Target Server or Subnet for UDP Requests; Figure 324: Configuring RIP; Figure 325: Configuring General Settings for RIP; Figure 326: Clearing Entries from the Routing Table; Figure 327: Adding Network Interfaces to RIP...
  • Page 51 Figures: Figure 356: Displaying Information on NSSA and Stub Areas; Figure 357: Route Summarization for ABRs; Figure 358: Configuring Route Summaries for an Area Range; Figure 359: Showing Configured Route Summaries; Figure 360: Redistributing External Routes; Figure 361: Importing External Routes; Figure 362: Showing Imported External Route Types; Figure 363: Summarizing External Routes; Figure 364: Showing Summary Addresses for External Routes...
  • Page 52 Figures: Figure 392: Enabling PIMv6 Multicast Routing; Figure 393: Configuring PIMv6 Interface Settings (Dense Mode); Figure 394: Showing PIMv6 Neighbors
  • Page 53: Tables

    Tables: Table 1: Key Features; Table 2: System Defaults; Table 3: Web Page Configuration Buttons; Table 4: Switch Main Menu; Table 5: Port Statistics; Table 6: LACP Port Counters; Table 7: LACP Internal Configuration Information; Table 8: LACP Internal Configuration Information; Table 9: Recommended STA Path Cost Range; Table 10: Default STA Path Costs; Table 11: Dynamic QoS Profiles...
  • Page 54 Tables: Table 32: Keystroke Commands; Table 33: Command Group Index; Table 34: General Commands; Table 35: System Management Commands; Table 36: Device Designation Commands; Table 37: System Status Commands; Table 38: Frame Size Commands; Table 39: Fan Control Commands; Table 40: Flash/File Commands; Table 41: File Directory Information; Table 42: Line Commands; Table 43: Event Logging Commands...
  • Page 55 Tables: Table 68: show ssh - display description; Table 69: 802.1X Port Authentication Commands; Table 70: Management IP Filter Commands; Table 71: General Security Commands; Table 72: Management IP Filter Commands; Table 73: Network Access Commands; Table 74: Dynamic QoS Profiles; Table 75: Web Authentication; Table 76: DHCP Snooping Commands; Table 77: IP Source Guard Commands...
  • Page 56 Tables: Table 104: 802.1Q Tunneling Commands; Table 105: Commands for Configuring Traffic Segmentation; Table 106: Private VLAN Commands; Table 107: Protocol-based VLAN Commands; Table 108: IP Subnet VLAN Commands; Table 109: MAC Based VLAN Commands; Table 110: Voice VLAN Commands; Table 111: Priority Commands; Table 112: Priority Commands (Layer 2); Table 113: Default CoS Priority Levels...
  • Page 57 Tables: Table 140: DHCP Server Commands 1047; Table 141: VRRP Commands 1061; Table 142: show vrrp - display description 1067; Table 143: show vrrp brief - display description 1068; Table 144: IP Interface Commands 1071; Table 145: IPv4 Interface Commands 1071; Table 146: Basic IP Configuration Commands 1072...
  • Page 58 Tables: Table 176: General Multicast Routing Commands 1205; Table 177: show ip mroute - display description 1207; Table 178: show ip mroute - display description 1210; Table 179: Static Multicast Routing Commands 1211; Table 180: IPv4 and IPv6 PIM Commands 1213; Table 181: PIM-DM and PIM-SM Multicast Routing Commands 1213...
  • Page 59: Section I

    Section I: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: "Introduction" on page 59 "Initial Switch Configuration"...
  • Page 61: Key Features

    Introduction. This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 62: Description Of Software Features

    Chapter | Introduction: Description of Software Features
    Table 1: Key Features (Continued)
    Feature | Description
    IEEE 802.1D Bridge | Supports dynamic data switching and address learning
    Store-and-Forward Switching | Supported to ensure wire-speed switching while eliminating bad frames
    Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
    Virtual LANs | Up to 256 using IEEE 802.1Q, port-based, protocol-based, private...
  • Page 63: Access Control Lists

    TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses EAP between the switch and the authentication server (i.e., a RADIUS or TACACS+ server) to verify the client’s right to access the network.
  • Page 64: Rate Limiting

    Rate Limiting: This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 65: Virtual Lans

    802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
  • Page 66: Traffic Prioritization

    Traffic Prioritization: This switch prioritizes each packet based on the required level of service, using eight priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application.
  • Page 67: Equal-Cost Multipath Load Balancing

    Equal-Cost Multipath Load Balancing: When multiple paths to the same destination and with the same path cost are found in the routing table, the Equal-cost Multipath (ECMP) algorithm first checks if the cost is lower than that of any other routing entries. If the cost is the lowest in the table, the switch will use up to eight paths having the lowest path cost to balance traffic forwarded to the destination.
  • Page 68: Tunneling

    Chapter | Introduction: System Defaults. ...designed for network areas, such as the Wide Area Network, where the probability of multicast clients is low. PIM-DM and PIM-SM are supported for IPv4 and PIM-SM for IPv6. Tunneling: Configures tunnels for customer traffic crossing the service provider’s network using IEEE 802.1Q.
  • Page 69 Table 2: System Defaults (Continued)
    Function | Parameter | Default
    Web Management | HTTP Server | Enabled
    Web Management | HTTP Port Number |
    Web Management | HTTP Secure Server | Disabled
    Web Management | HTTP Secure Server Redirect | Disabled
    SNMP | SNMP Agent | Enabled
    SNMP | Community Strings | “public” (read only), “private” (read/write)
    SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled...
  • Page 70 Table 2: System Defaults (Continued)
    Function | Parameter | Default
    Traffic Prioritization | Ingress Port Priority |
    Traffic Prioritization | Queue Mode | Strict
    Traffic Prioritization | Weighted Round Robin | Queue: 0 1 2 3 4 Weight: 1 2 4 6 8 10 12 14
    Traffic Prioritization | Class of Service | Enabled
    Traffic Prioritization | IP Precedence Priority | Disabled...
  • Page 71: Initial Switch Configuration

    Initial Switch Configuration. This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 72: Required Connections

    Chapter | Initial Switch Configuration: Connecting to the Switch
    - Control port access through IEEE 802.1X security or static address filtering
    - Filter packets using Access Control Lists (ACLs)
    - Configure up to 4093 IEEE 802.1Q VLANs
    - Enable GVRP automatic VLAN registration
    - Configure IP routing for unicast or multicast traffic
    - Configure router redundancy
    - Configure IGMP multicast filtering
    - Upload and download system firmware or configuration files via HTTP...
  • Page 73: Remote Connections

    Make sure the terminal emulation software is set as follows:
    - Select the appropriate serial port (COM port 1 or COM port 2).
    - Set the baud rate to 115200 bps.
    - Set the data format to 8 data bits, 1 stop bit, and no parity.
    - Set flow control to none.
  • Page 74: Basic Configuration

    Press <Enter>. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
    Username: admin
    Password:
    CLI session with the LGB6050A/LGB6026A* is opened.
    To end the CLI session, enter [Exit].
  • Page 75: Setting An Ip Address

    Console(config)#username admin password 0 [password]
    Console(config)#
    * This manual covers the LGB6026A and LGB6050A switches. Other than the difference in the number of ports, there are no significant differences. Therefore nearly all of the screen display examples are based on the LGB6026A.
  • Page 76 Chapter | Initial Switch Configuration: Basic Configuration. To assign an IPv4 address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask”...
  • Page 77
    Console(config)#interface vlan 1
    Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
    Console(config-if)#end
    Console#show ipv6 interface
    Vlan 1 is up
    IPv6 is enable.
    Link-local address: FE80::260:3EFF:FE11:6700/64
    Global unicast address(es):
    Joined group address(es): FF01::1/16 FF02::1/16 FF02::1:FF11:6700/104
    MTU is 1500 bytes.
    ND DAD is enabled, number of DAD attempts: 1.
  • Page 78 To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press <Enter>.
    Console(config)#interface vlan 1
    Console(config-if)#ipv6 address 2001:DB8:2222:7272::/64
    Console(config-if)#exit...
  • Page 79 At the interface-configuration mode prompt, use one of the following commands: To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>. To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
  • Page 80: Enabling Snmp Management Access

    FF01::1/16
    FF02::1/16
    FF02::1:FF90:0/104
    MTU is 1500 bytes.
    ND DAD is enabled, number of DAD attempts: 1.
    ND retransmit interval is 1000 milliseconds
    Console#
    Address for Multi-segment Network — An IPv6 address for use in a network containing more than one subnet must be manually configured as described in "Assigning an IPv6 Address"...
  • Page 81 To configure a community string, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only).
  • Page 82: Managing System Files

    Chapter | Initial Switch Configuration: Managing System Files. Configuring Access for SNMP Version 3 Clients: To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to a group.
  • Page 83: Saving Or Restoring Configuration Settings

    Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test). Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.
  • Page 84 To restore configuration settings from a backup server, enter the following command: From the Privileged Exec mode prompt, type “copy tftp startup-config” and press <Enter>. Enter the address of the TFTP server. Press <Enter>. Enter the name of the startup file stored on the server.
  • Page 85: Ection

    ECTION ONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 85 "Basic Management Tasks" on page 105 "Interface Configuration"...
  • Page 86 | Web Configuration ECTION "Unicast Routing" on page 517 "Multicast Routing" on page 575 – 84 –...
  • Page 87: Using The Web Interface

    Using the Web Interface. This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 88: Navigating The Web Browser Interface

    Ethernet switches. Other than the number of ports supported by these models, there are no significant differences. Therefore nearly all of the screen display examples are based on the LGB6026A. The panel graphics for both switch types are shown on the following page.
  • Page 89: Configuration Options

    Display: set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Figure 2: Front Panel Indicators LGB6026A LGB6050A...
  • Page 90: Main Menu

    | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu (Menu / Description / Page)...
  • Page 91 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Trunk > Static > Configure Trunk: Creates a trunk, along with the first port member; Show: Shows the configured trunk identifiers; Add Member: Specifies ports to group into static trunks; Show Member: Shows the port members for the selected trunk...
  • Page 92 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): VLAN (Virtual LAN) > Static: Creates VLAN groups; Show: Displays configured VLAN groups; Modify: Configures group name and administrative status; Edit Member by VLAN: Specifies VLAN attributes per VLAN; Edit Member by Interface: Specifies VLAN attributes per interface...
  • Page 93 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): MAC-Based: Maps traffic with specified source MAC address to a VLAN; Show: Shows source MAC address to VLAN mapping; MAC Address > Learning Status: Enables MAC address learning on selected interfaces; Static...
  • Page 94 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Priority > Default Priority: Sets the default priority for each port or trunk; Queue: Sets queue mode for the switch; sets the service weight for each queue that will use a weighted or hybrid mode; DiffServ > Configure Class...
  • Page 95 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Accounting: Enables accounting of requested services for billing or security purposes; Configure Global: Specifies the interval at which the local accounting service updates information to the accounting server; Configure Method: Configures accounting for various service types...
  • Page 96 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Show: Shows the list of exempt MAC addresses; Show Information: Shows the authenticated MAC address list; HTTPS (Secure HTTP) > Configure Global: Enables HTTPS, and specifies the UDP port to use; Copy Certificate: Replaces the default secure-site certificate...
  • Page 97 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): IP Filter: Sets IP addresses of clients allowed management access via the web, SNMP, and Telnet; Show: Shows the addresses to be allowed management access; Port Security: Configures per port security, including status, response for security breach, and maximum allowed MAC addresses...
  • Page 98 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): SNMP (Simple Network Management Protocol) > Configure Global: Enables SNMP agent status, and sets related trap functions; Configure Engine > Set Engine ID: Sets the SNMP v3 engine ID on this switch; Add Remote Engine: Sets the SNMP v3 engine ID for a remote device...
  • Page 99 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Configure Interface > History: Periodically samples statistics on a physical interface; Statistics: Enables collection of statistics on a physical interface; Show History: Shows sampling parameters for each entry in the history group; Statistics...
  • Page 100 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): VRRP (Virtual Router Redundancy Protocol) > Configure Group ID: Adds a VRRP group identifier to a VLAN; Show: Shows the VRRP group identifier list; Add IP Address: Sets a virtual interface address for a VRRP group; Show IP Addresses...
  • Page 101 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Show: Shows the list of static mapping entries; Modify: Modifies the static address mapped to the selected host name; Cache: Displays cache entries discovered by designated name servers; DHCP...
  • Page 102 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Multicast > IGMP Snooping > General: Enables multicast filtering; configures parameters for multicast snooping; Multicast Router > Add Static Multicast Router: Assigns ports that are attached to a neighboring multicast router; Show Static Multicast Router: Displays ports statically configured as attached to a neighboring multicast router...
  • Page 103 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Show Detail: Shows detailed information on each multicast group associated with a VLAN interface; Multicast Routing > General: Globally enables multicast routing; Information > Show Summary: Shows each multicast route the switch has learned...
  • Page 104 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Redistribute: Imports external routing information from other routing domains (that is, protocols) into the autonomous system; Show: Shows the external routing information to be imported from other routing domains; Distance: Defines an administrative distance for external routes learned from...
  • Page 105 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): Show: Shows route summaries advertised at an area boundary; Modify: Modifies route summaries advertised at an area boundary; Redistribute: Redistributes routes from one routing domain to another; Show: Shows route types redistributed to another domain; Modify...
  • Page 106 | Chapter: Using the Web Interface | Navigating the Web Browser Interface: Table 4: Switch Main Menu (Continued): RP Candidate: Advertises the switch as an RP candidate to the BSR for the specified multicast groups; Show: Shows the multicast groups for which this switch is advertising itself as an RP candidate to the BSR; Show Information > Show BSR Router...
  • Page 107: Basic Management Tasks

    Basic Management Tasks. This chapter describes the following topics: Displaying System Information – Provides basic system description, including contact information. Displaying Switch Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. Configuring Support for Jumbo Frames – Enables support for jumbo frames.
  • Page 108 | Chapter: Basic Management Tasks | Displaying System Information: Parameters: These parameters are displayed in the web interface: System Description – Brief description of device type. System Object ID – MIB II object ID for switch’s network management subsystem. System Up Time – Length of time the management agent has been System Name –...
  • Page 109: Displaying Switch Hardware/Software Versions

    | Chapter: Basic Management Tasks | Displaying Switch Hardware/Software Versions: Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. CLI References: "System Management Commands"...
  • Page 110: Configuring Support For Jumbo Frames

    | Chapter: Basic Management Tasks | Configuring Support for Jumbo Frames: Figure 4: General Switch Information. Use the System > Capability page to configure support for jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes for Gigabit Ethernet.
  • Page 111: Displaying Bridge Extension Capabilities

    | Chapter: Basic Management Tasks | Displaying Bridge Extension Capabilities: Enable or disable support for jumbo frames. Click Apply. Figure 5: Configuring Support for Jumbo Frames. Use the System > Capability page to display settings based on the Bridge MIB.
  • Page 112: Managing System Files

    | Chapter: Basic Management Tasks | Managing System Files: Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch. Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch. GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register end stations with multicast groups.
  • Page 113 | Chapter: Basic Management Tasks | Managing System Files: You can also set the switch to use new firmware or configuration settings without overwriting the current version. Just download the file using a different name from the current version, and then set the new file as the startup file.
  • Page 114 | Chapter: Basic Management Tasks | Managing System Files: Web Interface: To copy firmware files: Click System, then File. Select Copy from the Action list. Select FTP Upgrade, HTTP Upgrade, or TFTP Upgrade as the file transfer method. If FTP or TFTP Upgrade is used, enter the IP address of the file server. If FTP Upgrade is used, enter the user name and password for your account on the FTP server.
  • Page 115: Saving The Running Configuration To A Local File

    | Chapter: Basic Management Tasks | Managing System Files: Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted.
  • Page 116: Setting The Start-Up File

    | Chapter: Basic Management Tasks | Managing System Files: If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
  • Page 117: Showing System Files

    | Chapter: Basic Management Tasks | Setting the System Clock: Use the System > File (Show) page to show the files in the system directory, or to delete a file. Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted. CLI References: "dir"...
  • Page 118: Setting The Time Manually

    | Chapter: Basic Management Tasks | Setting the System Clock: Use the System > Time (Configure General - Manually) page to set the system time on the switch manually without using SNTP. CLI References: "calendar set" on page 666 "show calendar"...
  • Page 119: Configuring Sntp

    | Chapter: Basic Management Tasks | Setting the System Clock: Use the System > Time (Configure General - SNTP) page to configure the switch to send time synchronization requests to time servers. Set the SNTP polling interval, SNTP servers, and also the time zone. CLI References: "Time"...
  • Page 120: Specifying Sntp Time Servers

    | Chapter: Basic Management Tasks | Setting the System Clock: Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers. CLI References: "sntp server" on page 664. Parameters: The following parameters are displayed in the web interface: SNTP Server IP Address –...
  • Page 121: Setting The Time Zone

    | Chapter: Basic Management Tasks | Setting the System Clock: Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 122: Console Port Settings

    | Chapter: Basic Management Tasks | Console Port Settings: Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 123 | Chapter: Basic Management Tasks | Console Port Settings: The password for the console connection can only be configured through the CLI (see "password" on page 646). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
  • Page 124: Telnet Settings

    | Chapter: Basic Management Tasks | Telnet Settings: Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
  • Page 125: Displaying Cpu Utilization

    | Chapter: Basic Management Tasks | Displaying CPU Utilization: Web Interface: To configure parameters for the console port: Click System, then Telnet. Specify the connection parameters as required. Click Apply. Figure 16: Telnet Connection Settings. Displaying CPU Utilization: Use the System > CPU Utilization page to display information on CPU utilization.
  • Page 126: Displaying Memory Utilization

    | Chapter: Basic Management Tasks | Displaying Memory Utilization: Figure 17: Displaying CPU Utilization. Use the System > Memory Status page to display memory utilization parameters. CLI References: "show memory" on page 628. Parameters: The following parameters are displayed in the web interface: Free Size –...
  • Page 127: Resetting The System

    | Chapter: Basic Management Tasks | Resetting the System: Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI References: "reload (Privileged Exec)" on page 624 "reload (Global Configuration)"...
  • Page 128 | Chapter: Basic Management Tasks | Resetting the System: Regularly – Specifies a periodic interval at which to reload the switch. Time HH - The hour at which to reload. (Range: 0-23) MM - The minute at which to reload. (Range: 0-59) Period Daily - Every day.
  • Page 129 | Chapter: Basic Management Tasks | Resetting the System: Figure 20: Restarting the Switch (In) Figure 21: Restarting the Switch (At)...
  • Page 130 | Chapter: Basic Management Tasks | Resetting the System: Figure 22: Restarting the Switch (Regularly) (screenshot of the System > Reset page, showing System Reload Information and System Reload Configuration with Reset Mode set to Regularly, a Time field in HH:MM, a Period of Daily, Weekly or Monthly, and a warning that the system time must be set up first)...
  • Page 131: Interface Configuration

    Interface Configuration. This chapter describes the following topics: Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. Port Mirroring – Sets the source and target ports for mirroring on the local switch.
  • Page 132 | Chapter: Interface Configuration | Port Configuration: enabled, the only attributes which can be advertised include flow control and symmetric pause frames. When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities. To set the speed, duplex mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface.
  • Page 133 | Chapter: Interface Configuration | Port Configuration: 1000full (Gigabit ports only) - Supports 1000 Mbps full-duplex operation. Sym - Check this item to transmit and receive pause frames. FC - Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
  • Page 134: Configuring By Port Range

    | Chapter: Interface Configuration | Port Configuration: Figure 23: Configuring Connections by Port List. Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 135: Displaying Connection Status

    | Chapter: Interface Configuration | Port Configuration: Figure 24: Configuring Connections by Port Range. Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI References: "show interfaces status"...
  • Page 136: Configuring Port Mirroring

    | Chapter: Interface Configuration | Port Configuration: Web Interface: To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 25: Displaying Port Information. Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
  • Page 137 | Chapter: Interface Configuration | Port Configuration: Parameters: These parameters are displayed in the web interface: Source Port – The port whose traffic will be monitored. (Range: 1-26/50) Target Port – The port that will mirror the traffic on the source port. (Range: 1-26/50) Type –...
  • Page 138: Showing Port Or Trunk Statistics

    | Chapter: Interface Configuration | Port Configuration: Figure 28: Displaying Local Port Mirror Sessions. Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 139 | Chapter: Interface Configuration | Port Configuration: Table 5: Port Statistics (Continued) (Parameter / Description): Transmitted Unicast Packets – The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent. Received Discarded Packets – The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent...
  • Page 140 | Chapter: Interface Configuration | Port Configuration: Table 5: Port Statistics (Continued): Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error. RMON Statistics: Drop Events – The total number of events in which packets were dropped due to lack of resources.
  • Page 141 | Chapter: Interface Configuration | Port Configuration: Web Interface: To show a list of port statistics: Click Interface, Port, Statistics. Select the statistics mode to display (Interface, Etherlike or RMON). Select a port from the drop-down list. Use the Refresh button at the bottom of the page if you need to update the screen.
  • Page 142: Trunk Configuration

    | Chapter: Interface Configuration | Trunk Configuration: Figure 30: Showing Port Statistics (Chart). Trunk Configuration: This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 143: Configuring A Static Trunk

    | Chapter: Interface Configuration | Trunk Configuration: the web interface or CLI to specify the trunk on the devices at both ends. When using a port trunk, take note of the following points: Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
  • Page 144 | Chapter: Interface Configuration | Trunk Configuration: disconnect the ports before removing a static trunk via the configuration interface. Parameters: These parameters are displayed in the web interface: Trunk ID – Trunk identifier. (Range: 1-32) Member – The initial trunk member. Use the Add Member page to configure additional members.
  • Page 145 | Chapter: Interface Configuration | Trunk Configuration: Click Apply. Figure 33: Adding Static Trunk Members. To configure connection parameters for a static trunk: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Configure from the Action list. Modify the required interface settings. (Refer to "Configuring by Port List"...
  • Page 146: Configuring A Dynamic Trunk

    | Chapter: Interface Configuration | Trunk Configuration: Figure 35: Displaying Connection Parameters for Static Trunks. Use the Interface > Trunk > Dynamic (Configure Aggregator) page to set the administrative key for an aggregation group, enable LACP on a port, and configure protocol parameters for local and partner ports.
  • Page 147 | Chapter: Interface Configuration | Trunk Configuration: If the LACP admin key is not set when a channel group is formed (i.e., it has a null value of 0), the operational value of this key is set to the same value as the port admin key used by the interfaces that joined the group (see the show lacp internal command described on...
  • Page 148 | Chapter: Interface Configuration | Trunk Configuration: Web Interface: To configure the admin key for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Aggregator from the Step list. Set the Admin Key for the required LACP group. Click Apply. Figure 37: Configuring the LACP Aggregator Admin Key. To enable LACP for a port: Click Interface, Trunk, Dynamic.
  • Page 149 | Chapter: Interface Configuration | Trunk Configuration: To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply. Figure 39: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 150 | Chapter: Interface Configuration | Trunk Configuration: To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Configure from the Action List. Modify the required interface settings. (See "Configuring by Port List" on page 129 for a description of the interface settings.) Click Apply.
  • Page 151: Displaying Lacp Port Counters

    | Chapter: Interface Configuration | Trunk Configuration: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI References: "show lacp" on page 845. Parameters: These parameters are displayed in the web interface: Table 6: LACP Port Counters...
  • Page 152: Displaying Lacp Settings And Status For The Local Side

    | Chapter: Interface Configuration | Trunk Configuration: Figure 43: Displaying LACP Port Counters. Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI References...
  • Page 153 | Chapter: Interface Configuration | Trunk Configuration: Table 7: LACP Internal Configuration Information (Continued) (Parameter / Description): Admin State, Oper State – Administrative or operational values of the actor’s state parameters: Expired – The actor’s receive machine is in the expired state; Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 154: Displaying Lacp Settings And Status For The Remote Side

    | Chapter: Interface Configuration | Trunk Configuration: Figure 44: Displaying LACP Port Internal Information. Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
  • Page 155: Sampling Traffic Flows

    | Chapter: Interface Configuration | Sampling Traffic Flows: Web Interface: To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Neighbors. Select a group member from the Port list. Figure 45: Displaying LACP Port Remote Information. Sampling Traffic...
  • Page 156: Configuring Sflow Parameters

    | Chapter: Interface Configuration | Sampling Traffic Flows: As the Collector receives streams from the various sFlow agents (other switches or routers) throughout the network, a timely, network-wide picture of utilization and traffic flows is created. Analysis of the sFlow stream(s) can reveal trends and information that can be leveraged in the following ways: Detecting, diagnosing, and fixing network problems; Real-time congestion management...
  • Page 157 | Chapter: Interface Configuration | Sampling Traffic Flows: Max Datagram Size – Maximum size of the sFlow datagram payload. (Range: 200-1500 bytes; Default: 1400 bytes) Sample Rate – The number of packets out of which one sample will be taken. (Range: 256-16777215 packets, or 0 to disable sampling; Default: Disabled) Web Interface: To configure flow sampling:...
  • Page 158: Traffic Segmentation

    | Chapter: Interface Configuration | Traffic Segmentation: If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports.
  • Page 159: Configuring Uplink And Downlink Ports

    | Chapter: Interface Configuration | Traffic Segmentation: Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 160: Vlan Trunking

    | Chapter: Interface Configuration | VLAN Trunking: Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI References: "vlan-trunking" on page 897. Command Usage: Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
  • Page 161 | Chapter: Interface Configuration | VLAN Trunking: Parameters: These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. Port – Port Identifier. (Range: 1-26/50) VLAN trunking can only be enabled on Gigabit ports. Trunk – Trunk Identifier. (Range: 1-32) VLAN Trunking Status –...
  • Page 162 | Chapter: Interface Configuration | VLAN Trunking...
  • Page 163: Vlan Configuration

    VLAN Configuration. This chapter includes the following topics: IEEE 802.1Q VLANs – Configures static and dynamic VLANs. Private VLANs – Configures private VLANs, using primary for unrestricted upstream access and community groups which are restricted to other local group members or to the ports in the associated primary group.
  • Page 164 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: Up to 4093 VLANs based on the IEEE 802.1Q standard; Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol...
  • Page 165 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 166: Configuring Vlan Groups

    | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: Figure 52: Using GVRP. Forwarding Tagged/Untagged Frames: If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 167 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: Status – Enables or disables the specified VLAN. Show: VLAN ID – ID of configured VLAN. VLAN Name – Name of the VLAN. Status – Operational status of configured VLAN. Web Interface: To create VLAN groups: Click VLAN, Static.
  • Page 168: Adding Static Members To Vlans

    | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 169 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. CLI References: "Configuring VLAN Interfaces" on page 892 "Displaying VLAN Information" on page 899. Parameters: These parameters are displayed in the web interface: Edit Member by VLAN...
  • Page 170 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 171 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: The PVID, acceptable frame type, and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page. Web Interface: To configure static members by the VLAN index: Click VLAN, Static.
  • Page 172 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: Figure 57: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Step list. Set the Interface type to display as Port or Trunk. Enter an interface range.
  • Page 173: Configuring Dynamic Vlan Registration

    | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. CLI References: "GVRP and Bridge Extension Commands" on page 886 "Configuring VLAN Interfaces"...
  • Page 174 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: Show Dynamic VLAN – Show VLAN: VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled) Show Dynamic VLAN –...
  • Page 175 | Chapter: VLAN Configuration | IEEE 802.1Q VLANs: Figure 60: Configuring GVRP for an Interface. To show the dynamic VLAN joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 61: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic.
  • Page 176: Private Vlans

    | Chapter: VLAN Configuration | Private VLANs: Figure 62: Showing the Members of a Dynamic VLAN. Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other...
  • Page 177: Creating Private Vlans

    | Chapter: VLAN Configuration | Private VLANs: Use the VLAN > Private (Configure VLAN - Add) page to create primary or community VLANs. CLI References: "private-vlan" on page 907. Parameters: These parameters are displayed in the web interface: VLAN ID –...
  • Page 178: Associating Private Vlans

    | VLAN Configuration HAPTER Private VLANs Figure 64: Showing Private VLANs All member ports must be removed from the VLAN before it can be deleted. Use the VLAN > Private (Configure VLAN - Add Community VLAN) page to SSOCIATING RIVATE associate each community VLAN with a primary VLAN.
  • Page 179: Configuring Private Vlan Interfaces

    | VLAN Configuration HAPTER Private VLANs Figure 65: Associating Private VLANs To show a list of community VLANs associated with a primary VLAN: Click VLAN, Private. Select Configure VLAN from the Step list. Select Show Community VLAN from the Action list. Select an entry from the Primary VLAN list.
  • Page 180 | VLAN Configuration HAPTER Private VLANs Normal – The port is not assigned to a private VLAN. Host – The port is a community port. A community port can communicate with other ports in its own community VLAN and with designated promiscuous port(s).
  • Page 181: Ieee 802.1Q Tunneling

    | VLAN Configuration HAPTER IEEE 802.1Q Tunneling IEEE 802.1Q T UNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 182 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Figure 68: QinQ Operational Concept Customer A Customer A (VLANs 1-10) (VLANs 1-10) QinQ Tunneling Service Provider Service Provider VLAN 10 VLAN 10 (edge switch B) (edge switch A) Tunnel Access Port Tunnel Access Port Tunnel Access Port Tunnel Access Port Tunnel Uplink Ports...
  • Page 183 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: Untagged One tag (CVLAN or SPVLAN) Double tag (CVLAN + SPVLAN) The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
  • Page 184 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Configuration Limitations for QinQ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
  • Page 185: Enabling Qinq Tunneling On The Switch

    | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Use the VLAN > Tunnel (Configure Global) page to configure the switch to NABLING operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing UNNELING ON THE Layer 2 traffic across a service provider’s metropolitan area network. You WITCH can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
  • Page 186: Adding An Interface To A Qinq Tunnel

    | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Figure 69: Enabling QinQ Tunneling Follow the guidelines in the preceding section to set up a QinQ tunnel on DDING AN NTERFACE the switch. Then use the VLAN > Tunnel (Configure Interface) page to set TO A UNNEL the tunnel mode for any participating interface.
  • Page 187: Protocol Vlans

    | VLAN Configuration HAPTER Protocol VLANs NTERFACE To add an interface to a QinQ tunnel: Click VLAN, Tunnel. Select Configure Interface from the Step list. Set the mode for any tunnel access port to Tunnel and the tunnel uplink port to Tunnel Uplink. Click Apply.
  • Page 188: Configuring Protocol Vlan Groups

    | VLAN Configuration HAPTER Protocol VLANs OMMAND SAGE To configure protocol-based VLANs, follow these steps: First configure VLAN groups for the protocols you want to use (page 890). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
  • Page 189 | VLAN Configuration HAPTER Protocol VLANs NTERFACE To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Add from the Action list. Select an entry from the Frame Type list. Select an entry from the Protocol Type list. Enter an identifier for the protocol group.
  • Page 190: Mapping Protocol Groups To Interfaces

    | VLAN Configuration HAPTER Protocol VLANs Use the VLAN > Protocol (Configure Interface - Add) page to map a APPING ROTOCOL protocol group to a VLAN for each interface that will participate in the ROUPS TO group. NTERFACES CLI R EFERENCES "protocol-vlan protocol-group (Configuring Interfaces)"...
  • Page 191 | VLAN Configuration HAPTER Protocol VLANs Enter the corresponding VLAN to which the protocol traffic will be forwarded. Click Apply. Figure 73: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list.
  • Page 192: Configuring Ip Subnet Vlans

    | VLAN Configuration HAPTER Configuring IP Subnet VLANs IP S VLAN ONFIGURING UBNET Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 193 | VLAN Configuration HAPTER Configuring IP Subnet VLANs NTERFACE To map an IP subnet to a VLAN: Click VLAN, IP Subnet. Select Add from the Action list. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field.
  • Page 194: Configuring Mac-Based Vlans

    | VLAN Configuration HAPTER Configuring MAC-based VLANs MAC- VLAN ONFIGURING BASED Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 195 | VLAN Configuration HAPTER Configuring MAC-based VLANs Click Apply. Figure 77: Configuring MAC-Based VLANs To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 78: Showing MAC-Based VLANs – 193 –...
  • Page 196 | VLAN Configuration HAPTER Configuring MAC-based VLANs – 194 –...
  • Page 197: Address Table Settings

    Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 198 | Configuring MAC Address Learning: Also note that MAC address learning cannot be disabled if any of the following conditions exist: 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 330).
  • Page 199: Setting Static Addresses

    Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 200: Changing The Aging Time

    Click Apply. Figure 80: Configuring Static MAC Addresses. To show the static addresses in the MAC address table: Click MAC Address, Static. Select Show from the Action list. Figure 81: Displaying Static MAC Addresses. Use the MAC Address >...
  • Page 201: Displaying The Dynamic Address Table

    Web Interface: To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
  • Page 202: Clearing The Dynamic Address Table

    Web Interface: To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
  • Page 203 | Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface). Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface. Click Clear.
  • Page 204 | Address Table Settings, Clearing the Dynamic Address Table (no content beyond the running header).
  • Page 205: Spanning Tree Algorithm

    This chapter describes the following basic topics: Loopback Detection – Configures detection and response to loopback BPDUs. Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
  • Page 206 | Overview: lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 85: STP Root Ports and Designated Ports...
  • Page 207 | Figure 86: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees"...
  • Page 208: Configuring Loopback Detection

    Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 209: Configuring Global Settings For STA

    Web Interface: To configure loopback detection: Click Spanning Tree, Loopback Detection. Click Port or Trunk to display the required interface type. Modify the required loopback detection attributes. Click Apply. Figure 88: Configuring Port Loopback Detection...
  • Page 210 | connected to an 802.1D bridge and starts using only 802.1D BPDUs. RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
  • Page 211 | device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) Default: 32768; Range: 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440. Advanced Configuration Settings: The following attributes are based on RSTP, but also apply to STP since the...
  • Page 212 | topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
  • Page 213 | Figure 89: Configuring Global Settings for STA (STP). Figure 90: Configuring Global Settings for STA (RSTP).
  • Page 214: Displaying Global Settings For STA

    Figure 91: Configuring Global Settings for STA (MSTP). Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 215: Configuring Interface Settings For STA

    Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 216: Table 9: Recommended STA Path Cost Range

    CLI References: "Spanning Tree Commands" on page 861. Parameters: These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) Priority –...
  • Page 217 | Admin Link Type – The link type attached to this interface. Point-to-Point – A connection to exactly one other bridge. Shared – A connection to two or more bridges. Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 218 | If an interface is in forwarding state and its role changes, the interface cannot continue to function as an edge port even if the edge delay time has expired. If the port does not receive any BPDUs after the edge delay timer expires, its role changes to designated port and it immediately enters forwarding state (see "Displaying Interface Settings for STA"...
  • Page 219: Displaying Interface Settings For STA

    Figure 93: Configuring Interface Settings for STA. Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 220 | If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding. All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
  • Page 221 | Figure 94: STA Port Roles (R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port). An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 222: Configuring Multiple Spanning Trees

    Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: "Spanning Tree Commands" on page 861. Command Usage: MSTP generates a unique spanning tree for each instance.
  • Page 223 | Web Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 224 | To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
  • Page 225 | To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 226: Configuring Interface Settings For MSTP

    Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI References: "Spanning Tree Commands" on page 861. Parameters: These parameters are displayed in the web interface: MST Instance ID –...
  • Page 227 | The recommended range is listed in Table 9 on page 214. The default path costs are listed in Table 10 on page 214. Web Interface: To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP.
  • Page 228: Configuring Interface Settings For MSTP

    Figure 103: Displaying MSTP Interface Settings (screenshot of Spanning Tree > MSTP, Step: Configure Interface, Action: Show Information; the Spanning Tree Port List shows per-port columns including Port Edge and Designated Bridge)...
  • Page 229: Rate Limit Configuration

    Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 230 | Figure 104: Configuring Rate Limits (screenshot of Traffic > Rate Limit; the Port Rate Limit List shows, for each 1000Base-TX port, the Input and Output status and rate, range 64-1000000)...
  • Page 231: Storm Control Configuration

    Use the Traffic > Storm Control page to configure broadcast storm control thresholds. Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 232 | Figure 105: Configuring Broadcast Storm Control (screenshot of Traffic > Storm Control; the Port Storm Control List shows, for each 1000Base-TX port, the broadcast storm control status and threshold, range 500-262143)...
  • Page 233: Class Of Service

    Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 234: Selecting The Queue Mode

    Layer 2 Queue Settings. Parameters: These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. CoS – The priority that is assigned to untagged frames received on the specified interface.
  • Page 235 | moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. If “Strict and WRR” mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues.
  • Page 236 | Web Interface: To configure the queue mode: Click Traffic, Priority, Queue. Select the interface type to display (Port or Trunk). Set the queue mode. If any of the weighted queue modes is selected, the queue weight can be modified if required.
  • Page 237 | (Strict and WRR). Figure 109: Setting the Queue Mode (screenshot of Traffic > Priority > Queue; Interface, Queue Mode, and a Queue Setting Table with queue ID, mode and weight columns)...
  • Page 238 | Class of Service, Layer 2 Queue Settings (no content beyond the running header).
  • Page 239: Quality Of Service

    This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 240: Configuring A Class Map

    Command Usage: To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 241 | Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: Class Name – Name of the class map. Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
  • Page 242 | To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 111: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 243: Creating QoS Policies

    To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 113: Showing the Rules for a Class Map. Use the Traffic >...
  • Page 244 | Policing is based on a token bucket, where bucket depth (that is, the maximum burst before the bucket overflows) is specified by the “burst” field (BC), and the average rate at which tokens are removed from the bucket is specified by the “rate”...
  • Page 245 | if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented. When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: If the packet has been precolored as green and Tc(t)-B ≥...
  • Page 246 | respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
  • Page 247 | Add Rule: Policy Name – Name of policy map. Class Name – Name of a class map that defines a traffic classification upon which a policy can act. Action – Configures the service provided to ingress traffic. Packets matching the rule settings for a class map can be remarked as follows: Set CoS –...
  • Page 248 | Violate – Specifies whether the traffic that exceeds the maximum rate (CIR) will be dropped or the DSCP service level will be reduced. Set IP DSCP – Decreases DSCP priority for out-of-conformance traffic.
  • Page 249 | Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced. Set IP DSCP – Decreases DSCP priority for out-of-conformance traffic.
  • Page 250 | Peak Burst Size (BP) – Burst size in bytes. (Range: 64-524288 bytes) The burst size cannot exceed 16 Mbytes. Conform – Specifies whether traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level, or if the DSCP service level will be modified.
  • Page 251 | Figure 114: Configuring a Policy Map. To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 115: Showing Policy Maps. To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 252 | Figure 116: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 117: Showing the Rules for a Policy Map...
  • Page 253: Attaching A Policy Map To A Port

    Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI References: "Quality of Service Commands" on page 939. Command Usage: First define a class map, define a policy map, and bind the service...
  • Page 254 | Quality of Service, Attaching a Policy Map to a Port (no content beyond the running header).
  • Page 255: VoIP Traffic Configuration

    This chapter covers the following topics: Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 256: VoIP Traffic Configuration

    Configuring VoIP Traffic. CLI References: "Configuring Voice VLANs" on page 918. Parameters: These parameters are displayed in the web interface: Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) Voice VLAN –...
  • Page 257: Configuring Telephony OUI

    VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 258: Configuring VoIP Traffic Ports

    Figure 120: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list. Figure 121: Showing an OUI Telephony List...
  • Page 259 | Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or 802.1ab (LLDP). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
  • Page 260: VoIP Traffic Configuration

    Figure 122: Configuring Port Settings for a Voice VLAN (screenshot of Traffic > VoIP, Step: Configure Interface; the VoIP Port List shows per-port Mode, Security, detection method, Priority and Remaining Age, with ports in Auto or Manual mode using LLDP detection)...
  • Page 261: Security Measures

    Security Measures: You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 262: AAA Authorization and Accounting

    DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 263: Configuring Local/Remote Logon Authentication

    Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
  • Page 264: Configuring Remote Logon Authentication Servers

    [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Web Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods). Click Apply.
  • Page 265 | CLI References: "RADIUS Client" on page 710; "TACACS+ Client" on page 714; "AAA" on page 717. Command Usage: If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
  • Page 266 | Set Key – Mark this box to set or modify the encryption key. Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) Confirm Authentication Key –...
  • Page 267 | Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server. To set or modify the authentication key, mark the Set Key box, enter the key, and then confirm it. Click Apply.
  • Page 268 | Select Add from the Action list. Select RADIUS or TACACS+ server type. Enter the group name, followed by the index of the server to use for each priority level. Click Apply. Figure 127: Configuring AAA Server Groups. To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server.
  • Page 269: Configuring AAA Accounting

    Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.
  • Page 270 | Configure Service: Accounting Type – Specifies the service as 802.1X, Command or Exec as described in the preceding section. 802.1X Method Name – Specifies a user-defined accounting method to apply to an interface. This method must be defined in the Configure Method page.
  • Page 271 | Figure 129: Configuring Global Settings for AAA Accounting. To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list.
  • Page 272 | To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Show from the Action list. Figure 131: Showing AAA Accounting Methods. To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or...
  • Page 273 | Figure 133: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
  • Page 274: Configuring AAA Authorization

    Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI References: "AAA"...
  • Page 275 | Interface – Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group has not been assigned to an interface.) Web Interface: To configure the authorization method applied to the Exec service type and the assigned server group:...
  • Page 276 | To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 138: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization.
  • Page 277: Configuring User Accounts

    Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: "User Accounts" on page 705. Command Usage: The default guest name is "guest"...
  • Page 278: Web Authentication

    Figure 140: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 141: Showing User Accounts. Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
  • Page 279: Configuring Global Settings for Web Authentication

    RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See "Configuring Local/Remote Logon Authentication" on page 261.) Web authentication cannot be configured on trunk ports. Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
  • Page 280: Configuring Interface Settings for Web Authentication

    Figure 142: Configuring Global Settings for Web Authentication. Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References:...
  • Page 281: Network Access (MAC Address Authentication)

    Click Apply. Figure 143: Configuring Interface Settings for Web Authentication. Network Access (MAC Address Authentication): Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
  • Page 282: Table 11: Dynamic QoS Profiles

    ...must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case). Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires.
  • Page 283: Configuring Global Settings for Network Access

    For example, if the attribute is "service-policy-in=p1;service-policy-in=p2", then the switch applies only the DiffServ profile "p1." Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is "map-ip-dscp=2:3;service-policy-in=p1,"...
  • Page 284: Configuring Network Access for Ports

    ...regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 332). Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table and are removed when the aging time expires.
  • Page 285 | Parameters: These parameters are displayed in the web interface: MAC Authentication Status – Enables MAC authentication on a port. (Default: Disabled) Intrusion – Sets the port response to a host MAC authentication failure, to either block access to the port or to pass traffic through.
  • Page 286: Configuring Port Link Detection

    Web Interface: To configure MAC authentication on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the General button. Make any configuration changes required to enable address authentication on a port, set the maximum number of secure addresses supported, the guest VLAN to use when MAC Authentication or 802.1X Authentication fails, and the dynamic VLAN and QoS assignments.
  • Page 287: Configuring a MAC Address Filter

    Link up and down – All link up and link down events will trigger the port action. Action – The switch can respond in three ways to a link up or down trigger event.
  • Page 288 | Up to 65 filter tables can be defined. There is no limitation on the number of entries used in a filter table. Parameters: These parameters are displayed in the web interface: Filter ID –...
  • Page 289: Displaying Secure MAC Address Information

    Figure 148: Showing the MAC Address Filter Table for Network Access. Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected...
  • Page 290: Configuring HTTPS

    Select Show Information from the Step list. Use the sort key to display addresses based on MAC address, interface, or attribute. Restrict the displayed addresses by entering a specific address in the MAC Address field, specifying a port in the Interface field, or setting the address type to static or dynamic in the Attribute field.
  • Page 291: Table 12: HTTPS System Support

    If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]. When you start HTTPS, the connection is established in this way: The client authenticates the server using the server's digital certificate.
  • Page 292: Replacing the Default Secure-Site Certificate

    Figure 150: Configuring HTTPS. Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 293 | Private Key Source File Name – Name of private key file stored on the TFTP server. Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 294: Configuring the Secure Shell

    The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 295 | ...79355942303577413098022737087794545240839717526463580581767167 09574804776117 Import Client's Public Key to the Switch – See "Importing User Public Keys" on page 297, or use the copy tftp public-key command (page 637) to copy a file containing the public key for all the SSH clients granted management access to the switch.
  • Page 296: Configuring the SSH Server

    If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user's public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 297 | Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt.
  • Page 298: Generating the Host Key Pair

    Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client's public key to the switch as described in the section "Importing User Public...
  • Page 299: Importing User Public Keys

    Figure 153: Generating the SSH Host Key Pair. To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
  • Page 300 | Parameters: These parameters are displayed in the web interface: User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
  • Page 301: Access Control Lists

    To display or clear the SSH user's public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
  • Page 302: Setting a Time Range

    Command Usage: The following restrictions apply to ACLs: The maximum number of ACLs is 32. The maximum number of rules per ACL is also 32. The maximum number of rules that can be bound to the ports is 96 for each of the following list types: MAC ACLs, IP ACLs (including Standard and Extended ACLs), IPv6 Standard ACLs, and IPv6 Extended ACLs.
  • Page 303 | Periodic – Specifies a periodic interval. Start/To – Specifies the days of the week, hours, and minutes at which to start or end. Web Interface: To configure a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Add from the Action list.
  • Page 304 | Select Add Rule from the Action list. Select the name of a time range from the drop-down list. Select a mode option of Absolute or Periodic. Fill in the required parameters for the selected mode. Click Apply.
  • Page 305: Setting the ACL Name and Type

    Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI References: "access-list ip" on page 802; "show ip access-list" on page 807. Parameters: These parameters are displayed in the web interface: ACL Name –...
  • Page 306: Configuring a Standard IPv4 ACL

    Figure 161: Creating an ACL. To show a list of ACLs: Click Security, ACL. Select Configure ACL from the Step list. Select Show from the Action list. Figure 162: Showing a List of ACLs. Use the Security >...
  • Page 307 | Source IP Address – Source IP address. Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate "match"...
  • Page 308: Configuring an Extended IPv4 ACL

    Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI References: "permit, deny (Extended IPv4 ACL)" on page 804; "show ip access-list"...
  • Page 309 | ...where the equivalent binary bit "1" means to match a bit and "0" means to ignore a bit. The following bits may be specified: 1 (fin) – Finish; 2 (syn) – Synchronize; 4 (rst) – Reset; 8 (psh) –...
  • Page 310: Configuring a Standard IPv6 ACL

    Figure 164: Configuring an Extended IPv4 ACL. Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References: "permit, deny (Standard IPv6 ACL)"...
  • Page 311 | Time Range – Name of a time range. Web Interface: To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list.
  • Page 312: Configuring an Extended IPv6 ACL

    Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI References: "permit, deny (Extended IPv6 ACL)" on page 810; "show ipv6 access-list"...
  • Page 313 | Flow Label – A label for packets belonging to a particular traffic "flow" for which the sender requests special handling by IPv6 routers, such as non-default quality of service or "real-time" service (see RFC 2460). (Range: 0-1048575) A flow label is assigned to a flow by the flow's source node.
  • Page 314: Configuring a MAC ACL

    Figure 166: Configuring an Extended IPv6 ACL. Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
  • Page 315 | Packet Format – This attribute includes the following packet types: Any – Any Ethernet packet type. Untagged-eth2 – Untagged Ethernet II packets. Untagged-802.3 – Untagged Ethernet 802.3 packets. Tagged-eth2 – Tagged Ethernet II packets. Tagged-802.3 –...
  • Page 316: Configuring an ARP ACL

    Figure 167: Configuring a MAC ACL. Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 317 | Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 304.) Source/Destination MAC Address Type – Use "Any" to include all possible addresses, "Host" to indicate a specific MAC address, or "MAC" to specify an address range with the Address and Mask fields.
  • Page 318: Binding a Port to an Access Control List

    Figure 168: Configuring an ARP ACL. After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
  • Page 319: ARP Inspection

    Web Interface: To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select IP or MAC from the Type list. Select the name of an ACL from the ACL list. Click Apply.
  • Page 320: Configuring Global Settings for ARP Inspection

    Command Usage: Enabling and Disabling ARP Inspection – ARP Inspection is controlled on a global and VLAN basis. By default, ARP Inspection is disabled both globally and on all VLANs. If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled.
  • Page 321 | ...with different MAC addresses are classified as invalid and are dropped. IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
  • Page 322: Configuring VLAN Settings for ARP Inspection

    Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. Log Message Number – The maximum number of entries saved in a log message.
  • Page 323 | ARP Inspection ACLs can be applied to any configured VLAN. ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs.
  • Page 324: Configuring Interface Settings for ARP Inspection

    Figure 171: Configuring VLAN Settings for ARP Inspection. Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
  • Page 325: Displaying ARP Inspection Statistics

    Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. Click Apply. Figure 172: Configuring Interface Settings for ARP Inspection. Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or...
  • Page 326: Displaying the ARP Inspection Log

    Web Interface: To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Configure Information from the Step list. Select Show Statistics from the Step list. Figure 173: Displaying Statistics for ARP Inspection. Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated...
  • Page 327: Filtering IP Addresses for Management Access

    Web Interface: To display the ARP Inspection log: Click Security, ARP Inspection. Select Configure Information from the Step list. Select Show Log from the Step list. Figure 174: Displaying the ARP Inspection Log. Filtering IP Addresses for...
  • Page 328 | You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Parameters: These parameters are displayed in the web interface: Mode – Web –...
  • Page 329: Configuring Port Security

    To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 176: Showing IP Addresses Authorized for Management Access. Configuring Port Security: Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
  • Page 330 | Command Usage: A secure port has the following restrictions: It cannot be used as a member of a static or dynamic trunk. It should not be connected to a network interconnection device. The default maximum number of MAC addresses allowed on a secure port is zero.
  • Page 331: Configuring 802.1X Port Authentication

    Figure 177: Configuring Port Security. Configuring 802.1X Port Authentication: Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 332: Configuring 802.1X Global Settings

    ...hosts if one attached host fails re-authentication or sends an EAPOL logoff message. [Figure 178: Configuring Port Security (diagram of the 802.1X exchange between the client, the switch, and the RADIUS server): 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3. ...]
  • Page 333 | Parameters: These parameters are displayed in the web interface: Port Authentication Status – Sets the global setting for 802.1X. (Default: Disabled) EAPOL Pass Through – Passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled.
  • Page 334: Configuring Port Settings for 802.1X

    Use the Security > Port Authentication (Configure Interface) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
  • Page 335 | In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
  • Page 336 | Intrusion Action – Sets the port's response to a failed authentication. Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.) Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (See "Configuring VLAN Groups"...
  • Page 337 | [Figure 180: Configuring Interface Settings for 802.1X Port Authenticator (screenshot of the Security > Port Authentication, Step: Configure Interface page, with columns Port, Status, Authorized, Supplicant, Control Mode, Operation Mode, MAC Count (1-1024), Request (1-10), Quiet Period...)]
  • Page 338: Displaying 802.1X Statistics

    Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. CLI References: "show dot1x" on page 750. Parameters: These parameters are displayed in the web interface: Table 15: 802.1X Statistics (Parameter, Description)...
  • Page 339: IP Source Guard

    Web Interface: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 181: Showing Statistics for 802.1X Port Authenticator. IP Source Guard: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see...
  • Page 340 | Command Usage: Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 341: Configuring Static Bindings for IP Source Guard

    SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see...
  • Page 342 | Command Usage: Static addresses entered in the source guard binding table are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself. Static bindings are processed as follows: If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type "static IP source guard binding."...
  • Page 343 | Web Interface: To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Add from the Action list. Enter the required bindings for each port. Click Apply. Figure 183: Configuring Static Bindings for IP Source Guard. To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration.
  • Page 344: Displaying Information For Dynamic Ip Source Guard Bindings

    | Security Measures HAPTER IP Source Guard Use the Security > IP Source Guard > Dynamic Binding page to display the ISPLAYING source-guard binding table for a selected interface. NFORMATION FOR IP S YNAMIC OURCE CLI R EFERENCES UARD INDINGS "show ip dhcp snooping binding"...
  • Page 345: Dhcp Snooping

    | Security Measures HAPTER DHCP Snooping NTERFACE To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query Figure 185: Showing the IP Source Guard Binding Table DHCP S NOOPING The addresses assigned to DHCP clients on insecure ports can be carefully...
  • Page 346 | Security Measures HAPTER DHCP Snooping The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
  • Page 347 | Security Measures HAPTER DHCP Snooping DHCP server, any packets received from untrusted ports are dropped. DHCP Snooping Option 82 DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 348: DHCP Snooping Configuration

    Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. CLI References: "DHCP Snooping" on page 778. Parameters: These parameters are displayed in the web interface: DHCP Snooping Status –...
  • Page 349: DHCP Snooping VLAN Configuration

    Figure 186: Configuring Global Settings for DHCP Snooping. DHCP Snooping VLAN Configuration: Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI References: "ip dhcp snooping vlan"...
  • Page 350: Configuring Ports for DHCP Snooping

    Enable DHCP Snooping on any existing VLAN. Click Apply. Figure 187: Configuring DHCP Snooping on a VLAN. Configuring Ports for DHCP Snooping: Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted. CLI References...
  • Page 351: Displaying DHCP Snooping Binding Information

    Set any ports within the local network or firewall to trusted. Click Apply. Figure 188: Configuring the Port Mode for DHCP Snooping. Displaying DHCP Snooping Binding Information: Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
  • Page 352 (Security Measures / DHCP Snooping): Web Interface. To display the binding table for DHCP Snooping: Click Security, IP Source Guard, DHCP Snooping. Select Show Information from the Step list. Use the Store or Clear function if required. Figure 189: Displaying the Binding Table for DHCP Snooping –...
  • Page 353: Basic Administration Protocols

    This chapter describes basic administration tasks including: Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 354: Table 16: Logging Levels

    Configuring Event Logging. Parameters: These parameters are displayed in the web interface: System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled) Flash Level – Limits log messages saved to the switch's permanent flash memory for all levels up to the specified level.
  • Page 355: Remote Log Configuration

    Figure 190: Configuring Settings for System Memory Logs. To show the error messages logged to system memory: Click Administration, Log, System. Select Show System Logs from the Step list. This page allows you to scroll through the logged system and event messages.
  • Page 356 (Basic Administration Protocols / Configuring Event Logging): Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service.
  • Page 357: Sending Simple Mail Transfer Protocol Alerts

    Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
  • Page 358: Link Layer Discovery Protocol

    Figure 193: Configuring SMTP Alert Messages. Link Layer Discovery Protocol: Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 359 (Basic Administration Protocols / Link Layer Discovery Protocol): This attribute must comply with the following rule: (Transmission Interval * Hold Time Multiplier) ≤ 65536, and Transmission Interval >= (4 * Delay Interval). Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below.
  • Page 360: Configuring LLDP Interface Attributes

    Click Apply. Figure 194: Configuring LLDP Timing Attributes. Configuring LLDP Interface Attributes: Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 361 (Basic Administration Protocols / Link Layer Discovery Protocol): Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  • Page 362 (Basic Administration Protocols / Link Layer Discovery Protocol): VLAN Name – The name of all VLANs to which this interface has been assigned (see "IEEE 802.1Q VLANs" on page 161 and "Protocol VLANs" on page 185). Port And Protocol VLAN ID – The port-based and protocol-based VLANs configured on this interface (see "IEEE 802.1Q VLANs"...
  • Page 363: Displaying LLDP Local Device Information

    Figure 195: Configuring LLDP Interface Attributes. Displaying LLDP Local Device Information: Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
  • Page 364: Table 18: System Capabilities

    Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. System Name – A string that indicates the system's administratively assigned name (see "Displaying System Information" on page 105).
  • Page 365: Displaying LLDP Remote Port Information

    Figure 196: Displaying Local Device Information for LLDP (General). Figure 197: Displaying Local Device Information for LLDP (Port). Displaying LLDP Remote Port Information: Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch's ports which are advertising information through LLDP, or to display detailed...
  • Page 366: Table 19: Port ID Subtype

    Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted. System Name – A string that indicates the system's administratively assigned name. Port Details: Local Port –...
  • Page 367: Table 20: Remote Port Auto-Negotiation Advertised Capability

    System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 18, "System Capabilities," on page 362.) System Capabilities Enabled – The primary function(s) of the system which are currently enabled.
  • Page 368 (Basic Administration Protocols / Link Layer Discovery Protocol): Table 20: Remote Port Auto-Negotiation Advertised Capability. Capability column: Asymmetric and Symmetric PAUSE for full-duplex links; 1000BASE-X, -LX, -SX, -CX half duplex mode; 1000BASE-X, -LX, -SX, -CX full duplex mode; 1000BASE-T half duplex mode; 1000BASE-T full duplex mode. Remote Port Auto-Neg Status –...
  • Page 369 (Basic Administration Protocols / Link Layer Discovery Protocol): Remote Link Aggregation Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.1), derived from the ifNumber of the ifIndex for the port component associated with the remote system. If the remote port is not in link aggregation state and/or it does not support link aggregation, this value should be zero.
  • Page 370: Displaying Device Statistics

    Figure 199: Displaying Remote Device Information for LLDP (Port Details). Displaying Device Statistics: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 371 (Basic Administration Protocols / Link Layer Discovery Protocol): Neighbor Entries Deleted Count – The number of LLDP neighbors which have been removed from the LLDP remote systems MIB for any reason. Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources.
  • Page 372: Simple Network Management Protocol

    Figure 200: Displaying LLDP Device Statistics (General). Figure 201: Displaying LLDP Device Statistics (Port). Simple Network Management Protocol: Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
  • Page 373: Table 21: SNMPv3 Security Models and Levels

    The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using network management software.
  • Page 374: Configuring Global Settings for SNMP

    Command Usage: Configuring SNMPv1/2c Management Access. To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages. Use the Administration >...
  • Page 375: Setting the Local Engine ID

    Parameters: These parameters are displayed in the web interface: Agent Status – Enables SNMP on the switch. (Default: Enabled) Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process.
  • Page 376: Specifying a Remote Engine ID

    ...ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users. Parameters: These parameters are displayed in the web interface: Engine ID – A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format).
  • Page 377 (Basic Administration Protocols / Simple Network Management Protocol): Parameters: These parameters are displayed in the web interface: Remote Engine ID – The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters are specified, a trailing zero is added to the value to fill in the last octet.
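An added example, not code from the manual or the switch, that applies the engine ID input rule stated on pages 376 and 377 (9 to 64 hexadecimal characters, an odd count padded with a trailing zero to fill the last octet) and then shows why page 376 warns that changing the engine ID clears every SNMPv3 user: the User-based Security Model localises each user's key to the engine ID (RFC 3414 Appendix A.2, Kul = H(Ku || engineID || Ku)), so a different engine ID yields a different localised key and the stored user credentials no longer match. The engine ID strings and the password are constructed sample values; SHA-1 is used as the authentication hash (usmHMACSHAAuthProtocol).

```python
"""SNMPv3 engine ID normalisation and USM key localisation (added example)."""
import hashlib
import re


def normalize_engine_id(text: str) -> bytes:
    """Apply the manual's input rule and return the engine ID as 5 to 32 octets."""
    hexstr = text.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{9,64}", hexstr):
        raise ValueError("engine ID must be 9 to 64 hexadecimal characters")
    if len(hexstr) % 2:
        hexstr += "0"          # odd count: trailing zero fills the last octet (manual, page 377)
    return bytes.fromhex(hexstr)


def password_to_key_sha1(password: str) -> bytes:
    """RFC 3414 A.2.2: Ku is the SHA-1 of the password repeated to 1,048,576 octets."""
    pw = password.encode()
    total = 1024 * 1024
    full, rem = divmod(total, len(pw))
    h = hashlib.sha1()
    h.update(pw * full + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || engineID || Ku); this is what the agent stores per user."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def demo():
    """Constructed values: a 21-character (odd) engine ID and a replacement engine ID."""
    old_engine = normalize_engine_id("800000020300a1b2c3d4e")    # padded to 22 chars -> 11 octets
    new_engine = normalize_engine_id("800000020300a1b2c3d4f0")
    ku = password_to_key_sha1("maplesyrup")                      # constructed sample password
    return {
        "old_octets": len(old_engine),
        "old_last_octet": old_engine[-1],
        "old_key": localize_key(ku, old_engine),
        "new_key": localize_key(ku, new_engine),
    }


if __name__ == "__main__":
    r = demo()
    print(r["old_octets"], hex(r["old_last_octet"]))
    print("keys differ after engine ID change:", r["old_key"] != r["new_key"])
```

Because the agent keeps only the localised key, a new engine ID leaves it with nothing that can verify an authenticated request for the existing users, which is the operational reason behind the "reconfigure all existing users" note. RFC 3414 Appendix A.3 publishes test vectors for this derivation against which the functions above can be checked.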
  • Page 378: Setting SNMPv3 Views

    Figure 205: Showing Remote Engine IDs for SNMP. Setting SNMPv3 Views: Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree.
  • Page 379 (Basic Administration Protocols / Simple Network Management Protocol): Select Add View from the Action list. Enter a view name and specify the initial OID subtree in the switch's MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
  • Page 380 (Basic Administration Protocols / Simple Network Management Protocol): Click Apply. Figure 208: Adding an OID Subtree to an SNMP View. To show the OID branches configured for the SNMP views of the switch's MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
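An added example, not the switch's own implementation, of how a view built from included and excluded OID subtrees (pages 378 to 380) decides whether an object is visible, and how a group's minimum security level (Table 21 and the SNMPv3 user pages that follow) gates read, write and notify access to those views. The resolution rule, that the most specific (longest) matching subtree wins, is the one RFC 3415 defines for the View-based Access Control Model; subtree masks are left out for brevity. The view and group contents are constructed, using mib-2 (1.3.6.1.2.1), the RMON MIB (1.3.6.1.2.1.16) and the enterprise trap OIDs that appear in Table 22.

```python
"""VACM-style view matching and group access check (added example)."""
from typing import Dict, List, Optional, Tuple

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}   # Table 21 security levels


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip(".").split("."))


class MibView:
    """A named view: an ordered list of (subtree, included) entries."""

    def __init__(self, name: str):
        self.name = name
        self.subtrees: List[Tuple[Tuple[int, ...], bool]] = []

    def include(self, oid: str) -> "MibView":
        self.subtrees.append((parse_oid(oid), True))
        return self

    def exclude(self, oid: str) -> "MibView":
        self.subtrees.append((parse_oid(oid), False))
        return self

    def allows(self, oid: str) -> bool:
        """Longest matching subtree decides; no match means not in view (RFC 3415)."""
        target = parse_oid(oid)
        best: Optional[Tuple[Tuple[int, ...], bool]] = None
        for subtree, included in self.subtrees:
            if target[: len(subtree)] == subtree and (best is None or len(subtree) >= len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


class Group:
    """Access policy: minimum security level plus read/write/notify views."""

    def __init__(self, name: str, min_level: str, read=None, write=None, notify=None):
        self.name = name
        self.min_level = LEVELS[min_level]
        self.views: Dict[str, Optional[MibView]] = {"read": read, "write": write, "notify": notify}

    def permits(self, level: str, op: str, oid: str) -> bool:
        """A request is honoured only at or above the group's level and inside the op's view."""
        if LEVELS[level] < self.min_level:
            return False                       # e.g. a noAuthNoPriv request to an authPriv group
        view = self.views.get(op)
        return view is not None and view.allows(oid)


def build_demo_policy() -> Group:
    """Constructed policy: mib-2 readable, RMON hidden except etherStatsTable, notify on traps."""
    read_view = (MibView("ro-view")
                 .include("1.3.6.1.2.1")            # mib-2
                 .exclude("1.3.6.1.2.1.16")         # RMON MIB hidden from this group
                 .include("1.3.6.1.2.1.16.1.1"))    # but etherStatsTable re-included
    notify_view = (MibView("trap-view")
                   .include("1.3.6.1.6.3.1.1.5")    # generic traps such as coldStart
                   .include("1.3.6.1.4.1.259"))     # enterprise traps from Table 22
    return Group("ops-ro", "authPriv", read=read_view, notify=notify_view)


def demo() -> Dict[str, bool]:
    g = build_demo_policy()
    return {
        "sysName_authPriv": g.permits("authPriv", "read", "1.3.6.1.2.1.1.5.0"),
        "sysName_noAuth": g.permits("noAuthNoPriv", "read", "1.3.6.1.2.1.1.5.0"),
        "rmon_history": g.permits("authPriv", "read", "1.3.6.1.2.1.16.2.1.1.1.1"),
        "rmon_etherstats": g.permits("authPriv", "read", "1.3.6.1.2.1.16.1.1.1.1.5"),
        "enterprise_read": g.permits("authPriv", "read", "1.3.6.1.4.1.259.10.1.1.2.1.0.67"),
        "login_trap_notify": g.permits("authPriv", "notify", "1.3.6.1.4.1.259.10.1.1.2.1.0.67"),
        "write_anything": g.permits("authPriv", "write", "1.3.6.1.2.1.1.5.0"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

The nested include under an exclude is the case worth checking when auditing a view: a short "include mib-2" entry does not by itself expose RMON data if a longer exclude sits beneath it, and a still longer include re-opens exactly one table. The group with no write view is the least-privilege shape for a monitoring station.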
  • Page 381: Configuring SNMPv3 Groups

    Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
  • Page 382 (Basic Administration Protocols / Simple Network Management Protocol): Table 22: Supported Notification Messages (Continued). Columns: Model, Level, Group. SNMPv2 Traps: coldStart (1.3.6.1.6.3.1.1.5.1) – A coldStart trap signifies that the SNMPv2 entity, acting in an agent role, is reinitializing itself and that its configuration may have been altered.
  • Page 383 (Basic Administration Protocols / Simple Network Management Protocol): Table 22: Supported Notification Messages (Continued). swLoginSucceedTrap (1.3.6.1.4.1.259.10.1.1.2.1.0.67) – This trap is sent when login succeeds via console, telnet, or web. swLoopbackDetectionTrap (1.3.6.1.4.1.259.10.1.1.2.1.0.95) – This trap will be sent when loopback BPDUs have been detected.
  • Page 384: Setting Community Access Strings

    To show SNMP groups: Click Administration, SNMP. Select Configure Group from the Step list. Select Show from the Action list. Figure 211: Showing SNMP Groups. Setting Community Access Strings: Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access...
  • Page 385 (Basic Administration Protocols / Simple Network Management Protocol): Web Interface. To set a community access string: Click Administration, SNMP. Select Configure User from the Step list. Select Add Community from the Action list. Add new community strings as required, and select the corresponding access rights from the Access Mode list.
  • Page 386: Configuring Local SNMPv3 Users

    Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
  • Page 387 (Basic Administration Protocols / Simple Network Management Protocol): Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified. If the security level is authPriv, a privacy password must also be specified.
  • Page 388: Configuring Remote SNMPv3 Users

    Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
  • Page 389 (Basic Administration Protocols / Simple Network Management Protocol): Privacy Password – A minimum of eight plain text characters is required. Web Interface. To configure a remote SNMPv3 user: Click Administration, SNMP. Select Configure User from the Step list. Select Add SNMPv3 Remote User from the Action list. Enter a name and assign it to a group.
  • Page 390: Specifying Trap Managers

    Figure 217: Showing Remote SNMPv3 Users. Specifying Trap Managers: Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers.
  • Page 391 (Basic Administration Protocols / Simple Network Management Protocol): Create a view with the required notification messages (page 376). Create a group that includes the required notify view (page 379). Enable trap informs as described in the following pages. Parameters: These parameters are displayed in the web interface: SNMP Version 1: IP Address –...
  • Page 392 (Basic Administration Protocols / Simple Network Management Protocol): Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page. UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162) SNMP Version 3: IP Address –...
  • Page 393 (Basic Administration Protocols / Simple Network Management Protocol): AuthNoPriv – SNMP communications use authentication, but the data is not encrypted. AuthPriv – SNMP communications use both authentication and encryption. Web Interface. To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list.
  • Page 394: Remote Monitoring

    Figure 220: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 221: Showing Trap Managers. Remote Monitoring: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 395: Configuring RMON Alarms

    The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol.
  • Page 396 (Basic Administration Protocols / Remote Monitoring): Rising Threshold – If the current value is greater than or equal to the rising threshold, and the last sample value was less than this threshold, then an alarm will be generated. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
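The rising-threshold rule on page 396, together with its mirror image for the falling threshold, is a hysteresis state machine: once a rising event fires, the alarm is re-armed only after the sample reaches the falling threshold, which is what keeps a counter hovering around the threshold from generating a trap on every sample. The following added example (illustrative code, not the switch's RMON implementation) runs that state machine over a constructed series of absolute samples; the startup behaviour follows the RMON alarm group in RFC 2819, where the first sample may raise either event, and the threshold values are constructed.

```python
"""RMON alarm rising/falling hysteresis (added example)."""
from typing import List, Optional, Tuple


class RmonAlarm:
    """Absolute-sample RMON alarm with rising and falling thresholds."""

    def __init__(self, rising: int, falling: int, startup: str = "risingOrFalling"):
        if falling >= rising:
            raise ValueError("falling threshold must be below the rising threshold")
        self.rising = rising
        self.falling = falling
        self.last: Optional[int] = None
        # which event may fire next; RFC 2819 alarmStartupAlarm decides the first one
        self.armed_rising = startup in ("rising", "risingOrFalling")
        self.armed_falling = startup in ("falling", "risingOrFalling")
        self.events: List[Tuple[int, str]] = []

    def sample(self, value: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        event = None
        crossed_up = self.last is None or self.last < self.rising
        crossed_down = self.last is None or self.last > self.falling
        if value >= self.rising and self.armed_rising and crossed_up:
            event = "rising"
            self.armed_rising = False          # silent until the falling threshold is reached
            self.armed_falling = True
        elif value <= self.falling and self.armed_falling and crossed_down:
            event = "falling"
            self.armed_falling = False         # silent until the rising threshold is reached
            self.armed_rising = True
        self.last = value
        if event is not None:
            self.events.append((value, event))
        return event

    def run(self, samples) -> List[Tuple[int, str]]:
        for v in samples:
            self.sample(v)
        return self.events


def demo() -> List[Tuple[int, str]]:
    """Constructed samples: utilisation percentage with rising 80 and falling 40."""
    alarm = RmonAlarm(rising=80, falling=40)
    # 85 fires rising; 90 and the second 85 are suppressed; 35 fires falling; 30 suppressed; 85 fires again
    return alarm.run([50, 85, 90, 70, 85, 35, 30, 85])


if __name__ == "__main__":
    for value, kind in demo():
        print(f"{kind:8s} at sample {value}")
```

Tuning note for the event that this alarm triggers (page 398): the gap between the two thresholds sets how much the value must recover before the next notification, so a falling threshold placed just under the rising one reintroduces the flapping the rule is meant to suppress.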
  • Page 397 (Basic Administration Protocols / Remote Monitoring): Figure 222: Configuring an RMON Alarm. To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 223: Showing Configured RMON Alarms –...
  • Page 398: Configuring RMON Events

    Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
  • Page 399 (Basic Administration Protocols / Remote Monitoring): Web Interface. To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
  • Page 400: Configuring RMON History Samples

    Figure 225: Showing Configured RMON Events. Configuring RMON History Samples: Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
  • Page 401 (Basic Administration Protocols / Remote Monitoring): Owner – Name of the person who created this entry. (Range: 1-127 characters) Web Interface. To periodically sample statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click History.
  • Page 402: Configuring RMON Statistical Samples

    Figure 227: Showing Configured RMON History Samples. To show collected RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click History.
  • Page 403 (Basic Administration Protocols / Remote Monitoring): The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, CRC alignment errors, jabbers, fragments, collisions, drop events, and frames of various sizes. Parameters: These parameters are displayed in the web interface: Port –...
  • Page 404 (Basic Administration Protocols / Remote Monitoring): Select a port from the list. Click Statistics. Figure 230: Showing Configured RMON Statistical Samples. To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list.
  • Page 405: Multicast Filtering

    This chapter describes how to configure the following multicast services: Layer 2 IGMP – Configures snooping and query parameters. Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. Layer 3 IGMP –...
  • Page 406: IGMP Protocol

    This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or "snoop" on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
  • Page 407: Layer 2 IGMP (Snooping and Query)

    ...across different subnetworks. Therefore, when PIM routing is enabled for a subnet on the switch, IGMP is automatically enabled. Figure 233: IGMP Protocol (Network core: multicast routing; Edge switches: snooping and query; Switch to end nodes: snooping on IGMP clients). Layer 2 IGMP (Snooping and Query)...
  • Page 408 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN. IGMP snooping will not function unless a multicast router port is enabled on the switch.
  • Page 409: Configuring IGMP Snooping and Query Parameters

    Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 410 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs "IGMP Snooping with Proxy Reporting" (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 411 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): ...(or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it immediately issues an IGMP general query.
  • Page 412 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): This attribute configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
  • Page 413: Specifying Static Interfaces for a Multicast Router

    Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 414 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information. Figure 236: Showing Static Interfaces Attached to a Multicast Router. Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM), to support IP multicasting across the Internet.
  • Page 415: Assigning Interfaces to Multicast Services

    Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 416 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): Figure 238: Assigning an Interface to a Multicast Service. To show the static interfaces assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.
  • Page 417: Setting IGMP Snooping Status per Interface

    Figure 240: Showing Current Interfaces Assigned to a Multicast Service. Setting IGMP Snooping Status per Interface: Use the Multicast > IGMP Snooping > Interface (Configure) page to configure IGMP snooping attributes for a VLAN interface. To configure snooping globally, refer to...
  • Page 418 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): ...forwarding is enabled. They are sent upon the occurrence of these events: upon the expiration of a periodic (randomized) timer; as a part of a router's start up procedure; during the restart of a multicast forwarding interface; on receipt of a Solicitation message.
  • Page 419 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. Version Exclusive – Discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the IGMP Version attribute.
  • Page 420 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): If proxy reporting is disabled, report suppression can still be configured by a separate attribute as described above. Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports.
  • Page 421 (Multicast Filtering / Layer 2 IGMP (Snooping and Query)): Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 422: Displaying Multicast Groups Discovered by IGMP Snooping

    To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface. Select Show from the Action list. Figure 242: Showing Interface Settings for IGMP Snooping. Displaying Multicast Groups Discovered by IGMP Snooping: Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
  • Page 423: Filtering and Throttling IGMP Groups

    Figure 243: Showing Multicast Groups Learned by IGMP Snooping. Filtering and Throttling IGMP Groups: In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
  • Page 424: Enabling IGMP Filtering and Throttling

    Parameters: These parameters are displayed in the web interface: IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch. (Default: Disabled) Web Interface. To enable IGMP filtering and throttling on the switch: Click Multicast, IGMP Snooping, Filtering.
  • Page 425: Configuring IGMP Filter Profiles

    When the access mode is set to deny, IGMP join reports are only processed when the multicast group is not in the controlled range. Add Multicast Group Range: Profile ID – Selects an IGMP profile to configure. Start Multicast IP Address –...
  • Page 426 (Multicast Filtering / Filtering and Throttling IGMP Groups): To add a range of multicast groups to an IGMP filter profile: Click Multicast, IGMP Snooping, Filtering. Select Add Multicast Group Range from the Action list. Select the profile to configure, and add a multicast group address or range of addresses.
  • Page 427: Configuring IGMP Filtering and Throttling for Interfaces

    Use the Multicast > IGMP Snooping > Configure Interface page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time.
  • Page 428: Layer 3 IGMP (Query Used with Multicast Routing)

    Select a profile to assign to an interface, then set the maximum number of allowed multicast groups and the throttling response. Click Apply. Figure 249: Configuring IGMP Filtering and Throttling Interface Settings. Layer 3 IGMP (Query used with...
  • Page 429: Configuring IGMP Proxy Routing

    Use the Multicast > IGMP > Proxy page to configure IGMP Proxy Routing. In simple network topologies, it is sufficient for a device to learn multicast requirements from its downstream interfaces and proxy this group membership information to the upstream router.
  • Page 430 (Multicast Filtering / Layer 3 IGMP (Query used with Multicast Routing)): The IGMP proxy routing tree must be manually configured by designating one upstream interface and multiple downstream interfaces on each proxy device. No other multicast routers except for the proxy devices can exist within the tree, and the root of the tree must be connected to a wider multicast infrastructure.
  • Page 431 (Multicast Filtering / Layer 3 IGMP (Query used with Multicast Routing)): Multicast routing protocols are not supported when IGMP proxy service is enabled. Only one upstream interface is supported on the system. A maximum of 1024 multicast entries are supported. Parameters: These parameters are displayed in the web interface: VLAN –...
  • Page 432: Configuring IGMP Interface Parameters

    ...that interface from the multicast tree. A host can also submit a join message at any time without waiting for a query from the router. Hosts can also signal when they no longer want to receive traffic for a specific group by sending a leave-group message.
  • Page 433 (Multicast Filtering / Layer 3 IGMP (Query used with Multicast Routing)): Multicast routers send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service. Only the designated multicast router for a subnet sends host query messages, which are addressed to the multicast address 224.0.0.1, and use a time-to-live (TTL) value of 1.
  • Page 434 (Multicast Filtering / Layer 3 IGMP (Query used with Multicast Routing)): Figure 252: Configuring IGMP Interface Settings. Configuring Static IGMP Group Membership: Use the Multicast > IGMP > Static Group page to manually propagate traffic from specific multicast groups onto the specified VLAN interface.
  • Page 435: Configuring Static IGMP Group Membership

    Static Group Address – An IP multicast group address. (The group addresses specified cannot be in the range of 224.0.0.1 - 239.255.255.255.) Source Address – The source address of a multicast server transmitting traffic to the specified multicast group address.
  • Page 436 (Multicast Filtering / Layer 3 IGMP (Query used with Multicast Routing)): Displaying Multicast Group Information: When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP.
  • Page 437: Displaying Multicast Group Information

    | Multicast Filtering HAPTER Layer 3 IGMP (Query used with Multicast Routing) Show Detail The following additional information is displayed on this page: VLAN – VLAN identifier. The selected entry must be a configured IP interface. (Range: 1-4093) Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
  • Page 438 | Multicast Filtering HAPTER Multicast VLAN Registration Figure 255: Displaying Multicast Groups Learned from IGMP (Information) To display detailed information about the current multicast groups learned through IGMP: Click Multicast, IGMP, Group Information. Select Show Detail from the Action list. Select a VLAN.
  • Page 439: Multicast Vlan Registration

    | Multicast Filtering HAPTER Multicast VLAN Registration 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services). Figure 257: MVR Concept Multicast Router Satellite Services Service Network Multicast Server Layer 2 Switch Source Port Receiver Ports Set-top Box Set-top Box OMMAND SAGE...
  • Page 440 | Multicast Filtering HAPTER Multicast VLAN Registration Use the Multicast > MVR (Configure General) page to enable MVR globally ONFIGURING LOBAL on the switch, and select the VLAN that will serve as the sole channel for MVR S ETTINGS common multicast streams supported by the service provider. CLI R EFERENCES "Multicast VLAN Registration"...
  • Page 441: Configuring Global Mvr Settings

    | Multicast Filtering HAPTER Multicast VLAN Registration Figure 258: Configuring Global Settings for MVR Use the Multicast > MVR (Configure Group Range) page to assign the ONFIGURING THE multicast group address for each service to the MVR VLAN. MVR G ROUP ANGE CLI R...
  • Page 442: Configuring The Mvr Group Range

    | Multicast Filtering HAPTER Multicast VLAN Registration NTERFACE To configure multicast groups for the MVR VLAN: Click Multicast, MVR. Select Configure Group Range from the Step list. Select Add from the Action list. Add the multicast groups that will stream traffic to participating hosts. Click Apply.
  • Page 443: Configuring Mvr Interface Status

    | Multicast Filtering HAPTER Multicast VLAN Registration OMMAND SAGE A port configured as an MVR receiver or source port can join or leave multicast groups configured under MVR. However, note that these ports can also use IGMP snooping to join or leave any other multicast groups using the standard rules for multicast filtering.
  • Page 444 | Multicast Filtering HAPTER Multicast VLAN Registration designated multicast services supported by the MVR VLAN. Just remember that only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned (see "Assigning Static Multicast Groups to Interfaces"...
  • Page 445 | Multicast Filtering HAPTER Multicast VLAN Registration Use the Multicast > MVR (Configure Static Group Member) page to SSIGNING TATIC statically bind multicast groups to a port which will receive long-term ULTICAST ROUPS multicast streams associated with a stable set of hosts. NTERFACES CLI R EFERENCES...
  • Page 446: Assigning Static Multicast Groups To Interfaces

    | Multicast Filtering HAPTER Multicast VLAN Registration Select the port for which to display this information. Figure 263: Showing the Static MVR Groups Assigned to a Port Use the Multicast > MVR (Show Member) page to show the multicast HOWING ULTICAST groups either statically or dynamically assigned to the MVR VLAN on each ROUPS...
  • Page 447: Showing Multicast Groups Assigned To Interfaces

    Multicast Filtering CHAPTER Multicast VLAN Registration Figure 264: Showing All MVR Groups Assigned to a Port > Multi cast _.:.] Step: Show l.l mber G r o u p · - · MVR l.lember List Total: 224.1.1.1 (VlAN2) Port SourceiP-.a focw.nlng Port VlAII...
  • Page 448 | Multicast Filtering HAPTER Multicast VLAN Registration – 446 –...
  • Page 449: IP Configuration

    IP Configuration: This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 450: IP Configuration chapter, Setting the Switch’s IP Address (IP Version 4): To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 481) or use dynamic routing; i.e., RIP, OSPFv2 or OSPFv3 (page 518, 1176...
  • Page 451: Web Interface: To set a static address for the switch: Click IP, General, Routing Interface. Select Add from the Action list. Select any configured VLAN, set IP Address Mode to “Static,” set IP Address Type to “Primary”...
  • Page 452: Figure 266: Configuring a Dynamic IPv4 Address. The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter “show ip interface”...
  • Page 453: Setting the Switch's IP Address (IP Version 6)

    IP Configuration chapter, Setting the Switch’s IP Address (IP Version 6): Figure 267: Showing the Configured IP Address for an Interface. This section describes how to configure an initial IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
  • Page 454: Configuring IPv6 Interface Settings

    If a routing protocol is enabled (page 517), you can still define a static route (page 481) to ensure that traffic to the designated address or subnet passes through a preferred gateway. An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
  • Page 455: ...network segment, and the interval between neighbor solicitations used to verify reachability information. Parameters: These parameters are displayed in the web interface: VLAN – ID of a configured VLAN which is to be used for management access, or as a standard interface for a subnet.
  • Page 456: While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state. Duplicate address detection is automatically restarted when the interface is administratively re-activated.
  • Page 457: Configuring an IPv6 Address

    ...the MTU size, the maximum number of duplicate address detection messages, and the neighbor solicitation message interval. Click Apply. Figure 269: Configuring General Settings for an IPv6 Interface. Use the IP >...
  • Page 458: ...identifier to automatically create the low-order 64 bits in the host portion of the address. You can also manually configure the global unicast address by entering the full address and prefix length. You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
  • Page 459: ...6-byte MAC address (also known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
  • Page 460: Showing IPv6 Addresses

    Showing IPv6 Addresses: Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI References: "show ipv6 interface" on page 1093. Parameters: These parameters are displayed in the web interface: VLAN –...
  • Page 461: Showing the IPv6 Neighbor Cache

    Web Interface: To show the configured IPv6 addresses: Click IP, IPv6 Configuration. Select Show IPv6 Address from the Action list. Select a VLAN from the list. Figure 271: Showing Configured IPv6 Addresses. Use the IP >...
  • Page 462: Table 23: Show IPv6 Neighbors - display description (Continued). Field / Description: State – The following states are used for dynamic entries: Incomplete - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
  • Page 463: Showing IPv6 Statistics

    Showing IPv6 Statistics: Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI References: "show ipv6 traffic" on page 1095. Command Usage: This switch provides statistics for the following traffic types:...
  • Page 464: Table 24: Show IPv6 Statistics - display description (Continued). Field / Description: Address Errors – The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 465: Table 24: Show IPv6 Statistics - display description (Continued). Field / Description: Generated Fragments – The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded – The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 466: Table 24: Show IPv6 Statistics - display description (Continued). Field / Description: Destination Unreachable Messages – The number of ICMP Destination Unreachable messages sent by the interface. Packet Too Big Messages – The number of ICMP Packet Too Big messages sent by the interface.
  • Page 467: Figure 273: Showing IPv6 Statistics (IPv6). Figure 274: Showing IPv6 Statistics (ICMPv6).
  • Page 468: Showing the MTU for Responding Destinations

    Figure 275: Showing IPv6 Statistics (UDP). Showing the MTU for Responding Destinations: Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 469: IP Configuration (Chapter 17), Setting the Switch's IP Address (IP Version 6): Figure 276: Showing Reported MTU Values (screenshot of the IP > IPv6 Configuration page, Action: Show MTU, listing the MTU Table).
  • Page 471: General IP Routing

    General IP Routing: This chapter provides information on network functions including: Ping – Sends ping message to another node on the network. Trace – Sends ICMP echo request packets to another node on the network. Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses.
  • Page 472: IP Routing and Switching

    General IP Routing chapter, IP Routing and Switching: Figure 277: Virtual Interfaces and Layer 3 Routing (inter-subnet traffic is Layer 3 switching between VLAN 1 and VLAN 2 over tagged or untagged ports; intra-subnet traffic is Layer 2 switching). IP Routing and...
  • Page 473: Routing Path Management

    ...broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
  • Page 474: Routing Protocols

    General IP Routing chapter, Configuring IP Routing Interfaces: Routing Protocols: The switch supports both static and dynamic routing. Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
  • Page 475: Using the Ping Function

    ...unknown destinations, i.e., packets that do not match any routing table entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway for IPv4, use the static routing table as described on page...
  • Page 476: Using the Trace Route Function

    Click Apply. Figure 278: Pinging a Network Device. Using the Trace Route Function: Use the IP > General > Trace Route page to show the route packets take to the specified destination. CLI R...
  • Page 477: Address Resolution Protocol

    General IP Routing chapter, Address Resolution Protocol: Web Interface: To trace the route to another device on the network: Click IP, General, Trace Route. Specify the target device. Click Apply. Figure 279: Tracing the Route to a Network Device. Address Resolution Protocol: If IP routing is enabled (page 517), the router uses its routing tables to...
  • Page 478: Basic ARP Configuration

    If there is no entry for an IP address in the ARP cache, the router will broadcast an ARP request packet to all devices on the network. The ARP request contains fields similar to those shown in this example: Table 26: Address Resolution Protocol: destination IP address 10.1.0.19...
  • Page 479: Parameters: These parameters are displayed in the web interface: Timeout – Sets the aging time for dynamic entries in the ARP cache. (Range: 300 - 86400 seconds; Default: 1200 seconds or 20 minutes) The ARP aging timeout can be set for any configured VLAN.
  • Page 480: Configuring Static ARP Addresses

    Configuring Static ARP Addresses: For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address.
  • Page 481: Displaying Dynamic or Local ARP Entries

    Figure 282: Configuring Static ARP Entries. To display static entries in the ARP cache: Click IP, ARP. Select Configure Static Address from the Step List. Select Show from the Action List. Figure 283: Displaying Static ARP Entries. Displaying Dynamic or Local ARP Entries: The ARP cache contains static entries, and entries for local interfaces,...
  • Page 482: Displaying ARP Statistics

    Figure 284: Displaying Dynamic ARP Entries. To display all local entries in the ARP cache: Click IP, ARP. Select Show Information from the Step List. Click Other Address. Figure 285: Displaying Local ARP Entries. Use the IP >...
  • Page 483: Configuring Static Routes

    General IP Routing chapter, Configuring Static Routes: Web Interface: To display ARP statistics: Click IP, ARP. Select Show Information from the Step List. Click Statistics. Figure 286: Displaying ARP Statistics. Configuring Static Routes: This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP or OSPF).
  • Page 484: Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by RIP or OSPF (see page 555, respectively). Parameters: These parameters are displayed in the web interface: Destination IP Address –...
  • Page 485: Displaying the Routing Table

    General IP Routing chapter, Displaying the Routing Table: Figure 288: Displaying Static Routes. Use the IP > Routing > Routing Table page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
  • Page 486: Equal-Cost Multipath Routing

    General IP Routing chapter, Equal-cost Multipath Routing: Parameters: These parameters are displayed in the web interface: VLAN – VLAN identifier (i.e., configure as a valid IP subnet). Destination IP Address – IP address of the destination network, subnetwork, or host. Note that the address 0.0.0.0 indicates the default gateway for this router.
  • Page 487: ...manually configured in the static routing table, or equal-cost multipaths dynamically generated by the Open Shortest Path Algorithm (OSPF). In other words, it uses either static or OSPF entries, not both. Normal unicast routing simply selects the path to the destination that has the lowest cost.
  • Page 488: Web Interface: To configure the maximum ECMP number: Click IP, Routing, Routing Table. Select Configure ECMP Number from the Action List. Enter the maximum number of equal-cost paths used to route traffic to the same destination that are permitted on the switch.
  • Page 489: Configuring Router Redundancy

    Configuring Router Redundancy: Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load.
  • Page 490: Configuring VRRP Groups

    Configuring Router Redundancy chapter, Configuring VRRP Groups: Figure 293: Several Virtual Master Routers Configured for Mutual Backup and Load Sharing. Router 1: VRID 23 (Master), IP(R1) = 192.168.1.3, IP(VR23) = 192.168.1.3, VR Priority = 255. Router 2: VRID 23 (Backup), IP(R1) = 192.168.1.5, IP(VR23) = 192.168.1.3, VR Priority = 100...
  • Page 491: ...priority. In cases where the configured priority is the same on several group members, then the master router with the highest IP address is selected from this group. If you have multiple secondary addresses configured on the current VLAN interface, you can add any of these addresses to the virtual router group.
  • Page 492: VLAN – ID of a VLAN configured with an IP interface. (Range: 1-4093; Default: 1) Adding a Virtual IP Address: VLAN ID – ID of a VLAN configured with an IP interface. (Range: 1-4093) VRID –...
  • Page 493: Authentication Mode – Authentication mode used to verify VRRP packets received from other routers. (Options: None, Simple Text; Default: None) If simple text authentication is selected, then you must also enter an authentication string.
  • Page 494: Figure 294: Configuring the VRRP Group ID. To show the configured VRRP groups: Click IP, VRRP. Select Configure Group ID from the Step List. Select Show from the Action List. Figure 295: Showing Configured VRRP Groups. To configure the virtual router address for a VRRP group: Click IP, VRRP.
  • Page 495: Figure 296: Setting the Virtual Router Address for a VRRP Group. To show the virtual IP address assigned to a VRRP group: Click IP, VRRP. Select Configure Group ID from the Step List. Select Show IP Addresses from the Action List.
  • Page 496: Displaying VRRP Global Statistics

    Configuring Router Redundancy chapter, Displaying VRRP Global Statistics: Figure 298: Configuring Detailed Settings for a VRRP Group. Use the IP > VRRP (Show Statistics – Global Statistics) page to display counters for errors found in VRRP protocol packets. CLI References: "show vrrp router counters"...
  • Page 497: Displaying VRRP Group Statistics

    Configuring Router Redundancy chapter, Displaying VRRP Group Statistics: Figure 299: Showing Counters for Errors Found in VRRP Packets. Use the IP > VRRP (Show Statistics – Group Statistics) page to display counters for VRRP protocol events and errors that have occurred on a specific VRRP interface.
  • Page 498: Table 28: VRRP Group Statistics (Continued). Parameter / Description: Received Invalid Type VRRP Packets – Number of VRRP packets received by the virtual router with an invalid value in the “type” field. Received Error Address List VRRP Packets – Number of packets received for which the address list does not...
  • Page 499: IP Services

    IP Services: This chapter describes the following IP services: DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. DHCP Relay – Enables DHCP relay service, and defines the servers to which client requests are forwarded.
  • Page 500: Configuring a List of Domain Names

    IP Services chapter, Domain Name Service: Parameters: These parameters are displayed in the web interface: Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 501: When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers"...
  • Page 502: Configuring a List of Name Servers

    Configuring a List of Name Servers: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI References: "ip name-server" on page 1037; "show dns"...
  • Page 503: Configuring Static DNS Host to Address Entries

    Figure 305: Showing the List of Name Servers for DNS. Configuring Static DNS Host to Address Entries: Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
  • Page 504: Displaying the DNS Cache

    Figure 306: Configuring Static Entries in the DNS Table. To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 307: Showing Static Entries in the DNS Table. Use the IP Service >...
  • Page 505: Dynamic Host Configuration Protocol

    IP Services chapter, Dynamic Host Configuration Protocol: Parameters: These parameters are displayed in the web interface: No. – The entry number for each resource record. Flag – The flag is always “4” indicating a cache entry and therefore unreliable. Type –...
  • Page 506: Configuring DHCP Relay Service

    Configuring DHCP Relay Service: Use the IP Service > DHCP > Relay page to configure DHCP relay service for attached host devices. If DHCP relay is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located.
  • Page 507: Configuring the DHCP Server

    Figure 310: Configuring DHCP Relay Service. Configuring the DHCP Server: This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service.
  • Page 508: CLI References: "service dhcp" on page 1049. Parameters: These parameters are displayed in the web interface: DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled) Web Interface: To enable the DHCP server: Click IP Service, DHCP, Server.
  • Page 509: Web Interface: To configure IP addresses excluded for DHCP clients: Click IP Service, DHCP, Server. Select Configure Excluded Addresses from the Step list. Select Add from the Action list. Enter a single address or an address range. Click Apply.
  • Page 510: Command Usage: First configure address pools for the network interfaces. Then you can manually bind an address to a specific client if required. However, note that any static host address must fall within the range of an existing network address pool.
  • Page 511: Client-Identifier – A unique designation for the client device, either a text string (1-15 characters) or hexadecimal value. The information included in the identifier is based on RFC 2132 Option 60, and must be unique for all clients in the same administrative domain.
  • Page 512: Click Apply. Figure 315: Configuring DHCP Server Address Pools (Network). Figure 316: Configuring DHCP Server Address Pools (Host). To show the configured DHCP address pools: Click IP Service, DHCP, Server. Select Configure Pool from the Step list...
  • Page 513: Select Show from the Action list. Figure 317: Showing Configured DHCP Server Address Pools. Displaying Address Bindings: Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch’s DHCP server.
  • Page 514: Forwarding UDP Service Requests

    IP Services chapter, Forwarding UDP Service Requests: This section describes how this switch can forward UDP broadcast packets originating from host applications to another part of the network when a local application server is not available. Command Usage: Network hosts occasionally use UDP broadcasts to determine...
  • Page 515: Specifying UDP Destination Ports

    Figure 319: Enabling the UDP Helper. Specifying UDP Destination Ports: Use the IP Service > UDP Helper > Forwarding page to specify the UDP destination ports for which broadcast traffic will be forwarded when the UDP helper is enabled.
  • Page 516: Specifying the Target Server or Subnet

    Figure 320: Specifying UDP Destination Ports. To show the configured UDP destination ports: Click IP Service, UDP Helper, Forwarding. Select Show from the Action list. Figure 321: Showing the UDP Destination Ports. Use the IP Service >...
  • Page 517: The IP time-to-live (TTL) value must be at least 2. The IP protocol must be UDP (17). The UDP destination port must be TFTP, Domain Name System (DNS), Time, NetBIOS, BOOTP or DHCP packet, or a UDP port specified on the IP Service >...
  • Page 518: Figure 323: Showing the Target Server or Subnet for UDP Requests (screenshot of the IP Service > UDP Helper > Address page, Action: Show, listing the UDP Helper Address List).
  • Page 519: Unicast Routing

    Unicast Routing. This chapter describes how to configure the following unicast routing protocols: RIP – Configures Routing Information Protocol. OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4. Overview: This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol.
  • Page 520: Configuring The Routing Information Protocol

    To coexist with a network built on multilayer switches, the subnetworks for non-IP protocols must follow the same logical boundary as that of the IP subnetworks. A separate multi-protocol router can then be used to link the subnetworks by connecting to one port from each available VLAN on the network.
  • Page 521: Configuring General Protocol Settings

    ...versions can take a long time to converge on a new route after the failure of a link or router, during which time routing loops may occur, and its small hop-count limit of 15 restricts its use to smaller networks.
  • Page 522 | Unicast Routing: Configuring the Routing Information Protocol. RIP send/receive versions set on the RIP Interface settings screen (page 530) always take precedence over the settings for the Global RIP Version. However, when the Global RIP Version is set to “By Interface,” any VLAN interface not previously set to a specific receive or send version is set to the following default values: Receive: Accepts RIPv1 or RIPv2 packets.
  • Page 523 | Unicast Routing: Configuring the Routing Information Protocol. ...access list that filters networks according to the IP address of the router supplying the routing information. Number of Route Changes – The number of route changes made to the IP route database by RIP. Number of Queries –...
  • Page 524: Clearing Entries From The Routing Table

    Figure 325: Configuring General Settings for RIP. Clearing Entries from the Routing Table: Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.
  • Page 525: Specifying Network Interfaces

    Clear Route By Network – Clears a specific route based on its IP address and prefix length. Network IP Address – Deletes all related entries for the specified network address. Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
  • Page 526 | Unicast Routing: Configuring the Routing Information Protocol. Parameters: These parameters are displayed in the web interface: By Address – Adds a network to the RIP routing process. Subnet Address – IP address of a network directly connected to this router.
  • Page 527: Specifying Passive Interfaces

    Figure 328: Showing Network Interfaces Using RIP. Specifying Passive Interfaces: Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface. CLI References...
  • Page 528: Specifying Static Neighbors

    Figure 329: Specifying a Passive RIP Interface. To show the passive RIP interfaces: Click Routing Protocol, RIP, Passive Interface. Select Show from the Action list. Figure 330: Showing Passive RIP Interfaces. Use the Routing Protocol >...
  • Page 529: Configuring Route Redistribution

    Add the address of any static neighbors which may not be readily discovered through RIP. Click Apply. Figure 331: Specifying a Static RIP Neighbor. To show static RIP neighbors: Click Routing Protocol, RIP, Neighbor Address. Select Show from the Action list.
  • Page 530 | Unicast Routing: Configuring the Routing Information Protocol. Metric – Metric assigned to all external routes for the specified protocol. (Range: 0-16; Default: the default metric as described under "Configuring General Protocol Settings" on page 519.) A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
  • Page 531: Specifying An Administrative Distance

    Figure 334: Showing External Routes Redistributed into RIP. Specifying an Administrative Distance: Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
  • Page 532: Configuring Network Interfaces For Rip

    Web Interface: To define an administrative distance for external routes learned from other routing protocols: Click Routing Protocol, RIP, Distance. Select Add from the Action list. Enter the distance, the external route, and optionally enter the name of an ACL to filter networks according to the IP address of the router supplying the routing information.
  • Page 533 | Unicast Routing: Configuring the Routing Information Protocol. "ip rip authentication mode" on page 1127, "ip rip authentication string" on page 1128, "ip rip split-horizon" on page 1131. Command Usage: Specifying Receive and Send Protocol Types. Specify the protocol message type accepted (that is, RIP version) and the message type sent (that is, RIP version or compatibility mode) for each RIP interface.
  • Page 534 | Unicast Routing: Configuring the Routing Information Protocol. ...password. If any incoming protocol messages do not contain the correct password, they are simply dropped. For authentication to function properly, both the sending and receiving interfaces must be configured with the same password or authentication key.
  • Page 535 | Unicast Routing: Configuring the Routing Information Protocol. Authentication Type – Specifies the type of authentication required for exchanging RIPv2 protocol messages. (Default: No Authentication) No Authentication: No authentication is required. Simple Password: Requires the interface to exchange routing information with other routers based on an authorized password.
  • Page 536: Displaying Rip Interface Settings

    Figure 337: Configuring a Network Interface for RIP. To show the network interface settings configured for RIP: Click Routing Protocol, RIP, Interface. Select Show from the Action list. Figure 338: Showing RIP Network Interface Settings. Use the Routing Protocol >...
  • Page 537: Displaying Peer Router Information

    Rcv Bad Routes – Number of bad routes received. Send Updates – Number of route changes. Web Interface: To display RIP interface configuration settings: Click Routing Protocol, RIP, Statistics. Select Show Interface Information from the Action list. Figure 339: Showing RIP Interface Settings. Use the Routing Protocol >...
  • Page 538: Resetting Rip Statistics

    Figure 340: Showing RIP Peer Information. Resetting RIP Statistics: Use the Routing Protocol > RIP > Statistics (Reset Statistics) page to reset all statistics for RIP protocol messages. CLI References: no comparable command...
  • Page 539 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Figure 342: Configuring OSPF (diagram labels: isolated stub area, virtual link, backbone, normal area, NSSA, ASBR, Autonomous System A, Autonomous System B, external network). Command Usage: OSPF looks at more than just the simple hop count.
  • Page 540: Defining Network Areas Based On Addresses

    You can further optimize the exchange of OSPF traffic by specifying an area range that covers a large number of subnetwork addresses. This is an important technique for limiting the amount of traffic exchanged between Area Border Routers (ABRs).
  • Page 541 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). CLI References: "router ospf" on page 1136, "network area" on page 1152. Command Usage: Specify an Area ID and the corresponding network address range for each OSPF broadcast area. Each area identifies a logical group of OSPF routers that actively exchange Link State Advertisements (LSAs) to ensure that they share an identical view of the network topology.
  • Page 542 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Web Interface: To define an OSPF area and the interfaces that operate within this area: Click Routing Protocol, OSPF, Network Area. Select Add from the Action list. Configure a backbone area that is contiguous with all the other areas in the network, and configure an area for all of the other OSPF interfaces.
  • Page 543: Configuring General Protocol Settings

    Figure 346: Showing OSPF Process Identifiers. Configuring General Protocol Settings: To implement dynamic OSPF routing, first assign VLAN groups to each IP subnet to which this router will be attached (as described in the preceding section), then use the Routing Protocol >...
  • Page 544 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Auto Cost – Calculates the cost for an interface by dividing the reference bandwidth by the interface bandwidth. The reference bandwidth is defined in Mbits per second. (Range: 1-4294967) By default, the cost is 0.1 for Gigabit ports, and 0.01 for 10 Gigabit ports.
  • Page 545 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Figure 347: AS Boundary Router (diagram labels: AS 1, AS 2, ASBR). Advertise Default Route – The router can advertise a default external route into the autonomous system (AS). (Options: Not Always, Always;...
  • Page 546: Displaying Administrative Settings And Statistics

    Figure 348: Configure General Settings for OSPF. Displaying Administrative Settings and Statistics: Use the Routing Protocol > OSPF > System (Show) page to display general administrative settings and statistics for OSPF. CLI References...
  • Page 547 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Table 29: OSPF System Information (Continued). Parameter: ABR Status (Area Border Router). Description: Indicates if this router connects directly to networks in two or more areas. An area border router runs a separate copy of the Shortest Path First algorithm, maintaining a separate routing database for each area.
  • Page 548: Adding An Nssa Or Stub

    Adding an NSSA or Stub: Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub). CLI References: "router ospf"...
  • Page 549: Configuring Nssa Settings

    To show the NSSA or stubs added to the specified OSPF domain: Click Routing Protocol, OSPF, Area. Select Configure Area from the Step list. Select Show Area from the Action list. Select a Process ID.
  • Page 550 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). CLI References: "router ospf" on page 1136, "area default-cost" on page 1141, "area nssa" on page 1147. Command Usage: Before creating an NSSA, first specify the address range for the area (see "Defining Network Areas Based on Addresses"...
  • Page 551 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Redistribute – Disable this option when the router is an NSSA Area Border Router (ABR) and routes only need to be imported into normal areas (see "Redistributing External Routes" on page 555), but not into the NSSA.
  • Page 552: Configuring Stub Settings

    Click Apply. Figure 353: Configuring Protocol Settings for an NSSA. Configuring Stub Settings: Use the Routing Protocol > OSPF > Area (Configure Area – Configure Stub Area) page to configure protocol settings for a stub. A stub does not accept external routing information.
  • Page 553 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). A stub can have multiple ABRs or exit points. However, all of the exit points and local routers must contain the same external routing data so that the exit point does not need to be determined for each external destination.
  • Page 554: Displaying Information On Nssa And Stub Areas

    Figure 355: Configuring Protocol Settings for a Stub. Displaying Information on NSSA and Stub Areas: Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas. CLI References...
  • Page 555: Configuring Area Ranges (Route Summarization For Abrs)

    Figure 356: Displaying Information on NSSA and Stub Areas. Configuring Area Ranges (Route Summarization for ABRs): An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
  • Page 556 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Parameters: These parameters are displayed in the web interface: Process ID – Process ID as configured in the Network Area configuration screen (see page 538). Area ID – Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address, or as a four-octet unsigned integer ranging from 0-4294967295.
  • Page 557: Redistributing External Routes

    Select the process ID. Figure 359: Showing Configured Route Summaries. Redistributing External Routes: Use the Routing Protocol > OSPF > Redistribute (Add) page to import external routing information from other routing protocols, static routes, or directly connected routes into the autonomous system, and to generate...
  • Page 558 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Protocol Type – Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain. (Options: RIP, Static; Default: RIP) Metric Type –...
  • Page 559: Configuring Summary Addresses For External As Routes

    Figure 361: Importing External Routes. To show the imported external route types: Click Routing Protocol, OSPF, Redistribute. Select Show from the Action list. Select the process ID. Figure 362: Showing Imported External Route Types. Configuring Summary Addresses for External AS Routes: Redistributing routes from other protocols into OSPF normally requires the...
  • Page 560 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). CLI References: "router ospf" on page 1136, "summary-address" on page 1146. Command Usage: If you are not sure what address ranges to consolidate, first enable external route redistribution via the Redistribute configuration screen, view the routes imported into the routing table, and then configure one or more summary addresses to reduce the size of the routing table and consolidate these external routes for advertising into the local domain.
  • Page 561: Configuring Ospf Interfaces

    To show the summary addresses for external routes: Click Routing Protocol, OSPF, Summary Address. Select Show from the Action list. Select the process ID. Figure 364: Showing Summary Addresses for External Routes. Configuring OSPF Interfaces: You should specify a routing interface for any local subnet that needs to...
  • Page 562 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). IP Address – Address of the interfaces assigned to a VLAN on the Network Area (Add) page. This parameter only applies to the Configure by Address page. Cost –...
  • Page 563 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Transmit Delay – Sets the estimated time to send a link-state update packet over an interface. (Range: 1-65535 seconds; Default: 1 second) LSAs have their age incremented by this delay before transmission. You should consider both the transmission and propagation delays for an interface when estimating this delay.
  • Page 564 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). ...the OSPF header when routing protocol packets are originated by this device. A different password can be assigned to each network interface, but the password must be used consistently on all neighboring routers throughout a network (that is, autonomous system).
  • Page 565 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Figure 365: Configuring Settings for All Interfaces Assigned to a VLAN. To configure interface settings for a specific area assigned to a VLAN: Click Routing Protocol, OSPF, Interface. Select Configure by Address from the Action list.
  • Page 566 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Figure 366: Configuring Settings for a Specific Area Assigned to a VLAN. To show the configuration settings for OSPF interfaces: Click Routing Protocol, OSPF, Interface. Select Show from the Action list. Select the VLAN ID.
  • Page 567: Configuring Virtual Links

    Figure 368: Showing MD5 Authentication Keys. Configuring Virtual Links: Use the Routing Protocol > OSPF > Virtual Link (Add) and (Configure Detailed Settings) pages to configure a virtual link from an area that does not have a direct physical connection to the OSPF backbone.
  • Page 568 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). CLI References: "router ospf" on page 1136, "area virtual-link" on page 1150. Command Usage: Use the Add page to create a virtual link, and then use the Configure Detailed Settings page to set the protocol timers and authentication settings for the link.
  • Page 569 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). To show virtual links: Click Routing Protocol, OSPF, Virtual Link. Select Show from the Action list. Select the process ID. Figure 371: Showing Virtual Links. To configure detailed settings for a virtual link: Click Routing Protocol, OSPF, Virtual Link.
  • Page 570: Displaying Link State Database Information

    Figure 373: Showing MD5 Authentication Keys. Displaying Link State Database Information: Use the Routing Protocol > OSPF > Information (LSDB) page to show the Link State Advertisements (LSAs) sent by OSPF routers advertising routes. The full collection of LSAs collected by a router interface from the attached...
  • Page 571 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Parameters: These parameters are displayed in the web interface: Process ID – Process ID as configured in the Network Area configuration screen (see page 538). Query by – The LSA database can be searched using the following criteria: Self-Originate –...
  • Page 572: Displaying Information On Virtual Links

    Figure 374: Displaying Information in the Link State Database. Displaying Information on Virtual Links: Use the Routing Protocol > OSPF > Information (Virtual Link) page to show the Link State Advertisements (LSAs) stored in the link state database for virtual links.
  • Page 573 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Transit Area – Common area the virtual link crosses to reach the target router. This identifier is in the form of an IP address. Router ID – Virtual neighbor’s router ID. Status –...
  • Page 574: Displaying Information On Neighboring Routers

    Displaying Information on Neighboring Routers: Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface. CLI References: "show ip ospf neighbor"...
  • Page 575 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2). Select the process identifier. Figure 376: Displaying Neighbor Routers Stored in the Link State Database (screen: Routing Protocol > OSPF > Information; Type: LSDB, Virtual Link, Neighbor; Neighbor Information columns: Address, Interface, Priority...)
  • Page 576 | Unicast Routing: Configuring the Open Shortest Path First Protocol (Version 2)...
  • Page 577: Multicast Routing

    Multicast Routing. This chapter describes the following multicast routing topics: Enabling Multicast Routing Globally – Describes how to globally enable multicast routing. Displaying the Multicast Routing Table – Describes how to display the multicast routing table. Configuring PIM for IPv4 –...
  • Page 578 | Multicast Routing: Overview. PIM-DM is a simple multicast routing protocol that uses flood and prune to build a source-routed multicast delivery tree for each multicast source-group pair. As mentioned above, it does not maintain its own routing table, but instead uses the routing table provided by whatever unicast routing protocol is enabled on the router interface.
  • Page 579 | Multicast Routing: Overview. ...group addresses. The BSR places information about all of the candidate RPs in subsequent bootstrap messages. The BSR and all the routers receiving these messages use the same hash algorithm to elect an RP for each multicast group.
  • Page 580: Configuring Global Settings For Multicast Routing

    ...data transmission delays. The switch can also be configured to use SPT only for specific multicast groups, or to disable the changeover to SPT for specific groups. Configuring Global Settings for Multicast Routing...
  • Page 581 | Multicast Routing: Configuring Global Settings for Multicast Routing. ...or prune messages. The routing table therefore does not indicate that the router has processed multicast traffic from any particular source listed in the table. It uses these routes to forward multicast traffic only if group members appear on directly-attached subnetworks or on subnetworks attached to downstream routers.
  • Page 582 | Multicast Routing: Configuring Global Settings for Multicast Routing. Upstream Neighbor – The multicast router (RPF Neighbor) immediately upstream for this group. Upstream Interface – Interface leading to the upstream neighbor. Up Time – Time since this entry was created. Owner –...
  • Page 583 | Multicast Routing: Configuring Global Settings for Multicast Routing. Web Interface: To display the multicast routing table: Click Multicast, Multicast Routing, Information. Select Show Summary from the Action List. Figure 378: Displaying the Multicast Routing Table. To display detailed information on a specific flow in the multicast routing table: Click Multicast, Multicast Routing, Information.
  • Page 584: Configuring Pim For Ipv4

    Configuring PIM for IPv4: This section describes how to configure PIM-DM and PIM-SM for IPv4. Enabling PIM Globally: Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router. CLI References: "router pim"...
  • Page 585 | Multicast Routing: Configuring PIM for IPv4. PIM and IGMP proxy cannot be used at the same time. When an interface is set to use PIM Dense mode or Sparse mode, IGMP proxy cannot be enabled on any interface of the device (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 586 | Multicast Routing: Configuring PIM for IPv4. Hello messages are sent to neighboring PIM routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree. PIM-SM routers use these messages not only to inform neighboring routers of their presence, but also to determine which router for each LAN segment will serve as the Designated Router (DR).
  • Page 587 | Multicast Routing: Configuring PIM for IPv4. The override interval and the propagation delay are used to calculate the LAN prune delay. If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message, then the override interval represents the time required for the downstream router to process the message and then respond by sending a Join message back to the upstream router to ensure that the...
  • Page 588 | Multicast Routing: Configuring PIM for IPv4. ...topology changes (sources joining or leaving a multicast group) before the default three-minute state timeout expires. This command is only effective for interfaces of first-hop PIM-DM routers that are directly connected to the sources of multicast groups. Sparse-Mode Attributes: DR Priority –...
  • Page 589 | Multicast Routing: Configuring PIM for IPv4. Figure 381: Configuring PIM Interface Settings (Dense Mode). Figure 382: Configuring PIM Interface Settings (Sparse Mode).
  • Page 590: Displaying Neighbor Information

    Displaying Neighbor Information: Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers. CLI References: "show ip pim neighbor" on page 1222. Parameters: These parameters are displayed in the web interface: Address –...
  • Page 591 | Multicast Routing: Configuring PIM for IPv4. Register Source – Configures the IP source address of a register message to an address other than the outgoing interface address of the DR that leads back toward the RP. (Range: VLAN 1-4094; Default: The IP address of the DR’s outgoing interface that leads back to the RP) When the source address of a register message is filtered by intermediate network devices, or is not a uniquely routed address to...
  • Page 592: Configuring A BSR Candidate

    Figure 384: Configuring Global Settings for PIM-SM. Configuring a BSR Candidate: Use the Routing Protocol > PIM > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate. CLI References: "ip pim bsr-candidate"...
  • Page 593: Configuring A Static Rendezvous Point

    ...with the same seed hash will be mapped to the same RP. If the mask length is less than 32, then only the first portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32; Default: 10) Priority –...
  • Page 594 | Multicast Routing: Configuring PIM for IPv4. If an IP address is specified that was previously used for an RP, then the older entry is replaced. Multiple RPs can be defined for different groups or group ranges. If a group is matched by more than one entry, the router will use the RP associated with the longer group prefix length.
  • Page 595: Configuring An Rp Candidate

    Figure 386: Configuring a Static Rendezvous Point. To display static rendezvous points: Click Multicast, Multicast Routing, SM. Select RP Address from the Step list. Select Show from the Action list. Figure 387: Showing Static Rendezvous Points. Use the Routing Protocol >...
  • Page 596 | Multicast Routing: Configuring PIM for IPv4. The election process for each group is based on the following criteria: Find all RPs with the most specific group range. Select those with the highest priority (lowest priority value). Compute the hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages.
  • Page 597: Displaying The Bsr Router

    Figure 388: Configuring an RP Candidate. To display settings for an RP candidate: Click Multicast, Multicast Routing, PIM-SM. Select RP Candidate from the Step list. Select Show from the Action list. Select an interface from the VLAN list. Figure 389: Showing Settings for an RP Candidate. Use the Routing Protocol >...
  • Page 598 | Multicast Routing: Configuring PIM for IPv4. Priority – Priority value used by this BSR candidate. Hash Mask Length – The number of significant bits used in the multicast group comparison mask by this BSR candidate. Expire – The time before the BSR is declared down. Role –...
  • Page 599: Displaying Rp Mapping

    Figure 390: Showing Information About the BSR. Displaying RP Mapping: Use the Routing Protocol > PIM > SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.
  • Page 600: Configuring Pimv6 For Ipv6

    Figure 391: Showing RP Mapping. Configuring PIMv6 for IPv6: This section describes how to configure PIM-DM for IPv6. Enabling PIMv6 Globally: Use the Routing Protocol > PIM6 > General page to enable IPv6 PIM routing globally on the router. CLI References...
  • Page 601: Configuring Pim Interface Settings

    Configuring PIM Interface Settings: Use the Routing Protocol > PIM6 > Interface page to configure the routing protocol’s functional attributes for each interface. CLI References: "IPv6 PIM Commands" on page 1236. Command Usage: PIM-DM functions similarly to DVMRP by periodically flooding the network with traffic from any active multicast server.
  • Page 602 | Multicast Routing: Configuring PIMv6 for IPv6. ...a router does not hear from a neighbor for the period specified by the Hello Holdtime, that neighbor is dropped. This hold time is included in each hello message received from a neighbor. Note that hello messages also contain the DR priority of the router sending the message.
  • Page 603 | Multicast Routing: Configuring PIMv6 for IPv6. Propagation Delay – The time required for a LAN prune delay message to reach downstream routers. (Range: 100-5000 milliseconds; Default: 500 milliseconds) The override interval and propagation delay are used to calculate the LAN prune delay.
  • Page 604: Displaying Neighbor Information

    Web Interface: To configure PIMv6 interface settings: Click Routing Protocol, PIM6, Interface. Modify any of the protocol parameters as required. Click Apply. Figure 393: Configuring PIMv6 Interface Settings (Dense Mode). Displaying Neighbor Information: Use the Routing Protocol > PIM6 > Neighbor page to display all neighboring PIMv6 routers.
  • Page 605 | Multicast Routing: Configuring PIMv6 for IPv6. Web Interface: To display neighboring PIMv6 routers: Click Routing Protocol, PIM6, Neighbor. Figure 394: Showing PIMv6 Neighbors (screen: Routing Protocol > PIM6 > Neighbor; Neighbor Information, Max: 128, Total: 2; columns VLAN, Uptime, Expire; entries 10.1.2.50 00:01:23 00:01:23, 10.1.2.51...)
  • Page 606 | Multicast Routing: Configuring PIMv6 for IPv6...
  • Page 607: Ection

    ECTION OMMAND NTERFACE This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: "General Commands" on page 619 "System Management Commands" on page 627 "SNMP Commands" on page 671 "Remote Monitoring Commands"...
  • Page 608: Table 175: Multicast Routing Commands

    | Command Line Interface ECTION "LLDP Commands" on page 1015 "Domain Name Service Commands" on page 1033 "DHCP Commands" on page 1043 "VRRP Commands" on page 1061 "IP Interface Commands" on page 1071 "IP Routing Commands" on page 1109 "Multicast Routing Commands" on page 1205 –...
  • Page 609: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the LGB6050A/LGB6026A is opened. To end the CLI session, enter [Exit]. Console# – 607 –...
  • Page 610: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the LGB6050A/LGB6026A is opened. To end the CLI session, enter [Exit]. Vty-0# – 608 –...
  • Page 611: Entering Commands

    | Using the Command Line Interface HAPTER Entering Commands You can open up to four sessions to the device via Telnet or SSH. NTERING OMMANDS This section describes how to enter CLI commands. A CLI command is a series of keywords and arguments. Keywords identify EYWORDS AND a command, and arguments specify configuration parameters.
  • Page 612: Getting Help On Commands

    Entering Commands GETTING HELP ON COMMANDS You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. SHOWING COMMANDS If you enter a “?”...
  • Page 613: Partial Keyword Lookup

    Entering Commands subnet-vlan IP subnet-based VLAN information system System information tacacs-server TACACS server information tech-support Technical information time-range Time range traffic-segmentation Traffic segmentation information users Information about users logged in version System hardware and software versions vlan Shows virtual LAN settings voice...
  • Page 614: Understanding Command Modes

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the LGB6050A/LGB6026A is opened. To end the CLI session, enter [Exit]. Console# – 612 –...
  • Page 615: Configuration Commands

    Entering Commands Username: guest Password: [guest login password] CLI session with the LGB6050A/LGB6026A is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# CONFIGURATION COMMANDS Configuration commands are privileged level commands used to modify switch settings.
  • Page 616: Table 31: Configuration Command Modes

    Entering Commands VLAN Configuration - Includes the command to create VLAN groups. To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands.
  • Page 617: Command Line Processing

    Entering Commands COMMAND LINE PROCESSING Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 618: Cli Command Groups

    CLI COMMAND GROUPS The system commands can be broken down into the functional groups shown below. Table 33: Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the system, or quitting the CLI System Management Display and setting of system information, basic modes...
  • Page 619 CLI Command Groups Table 33: Command Group Index (Continued) Command Group Description Page Quality of Service Configures Differentiated Services Multicast Filtering Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router;...
  • Page 620 CLI Command Groups – 618 –...
  • Page 621: General Commands

    GENERAL COMMANDS These commands are used to control the command access mode, configuration mode, and other basic functions. Table 34: General Commands Command Function Mode prompt Customizes the CLI prompt reload Restarts the system at a specified time, after a specified delay, or at a periodic interval enable Activates privileged mode...
  • Page 622: Reload (Global Configuration)

    CHAPTER | General Commands EXAMPLE Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 623: Enable

    COMMAND USAGE This command resets the entire system. Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 624: Quit

    EXAMPLE Console>enable Password: [privileged level password] Console# RELATED COMMANDS disable (624) enable password (706) quit This command exits the configuration program. DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE The quit and exit commands can both exit the configuration program. EXAMPLE This example shows how to quit a CLI session: Console#quit...
  • Page 625: Configure

    EXAMPLE In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 626: Disable

    disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 627: Show Reload

    show reload This command displays the current reload settings, and the time at which the next scheduled reload will take place. COMMAND MODE Privileged Exec EXAMPLE Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 628 EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username: – 626 –...
  • Page 629: System Management Commands

    SYSTEM MANAGEMENT COMMANDS These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 35: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch System Status Displays system configuration, active managers, and version information...
  • Page 630: Hostname

    CHAPTER | System Management Commands System Status hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. SYNTAX hostname name no hostname name - The name of this host. (Maximum length: 255 characters) DEFAULT SETTING None...
  • Page 631: Show Process Cpu

    System Status COMMAND USAGE This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, and the total amount of system memory. EXAMPLE Console#show memory Status Bytes ------ ---------- Free 134946816...
  • Page 632 System Status Routing protocol configuration settings Spanning tree settings Interface settings Any configured settings for the console port and Telnet EXAMPLE Console#show running-config Building running configuration. Please wait... !<stackingDB>0000000000000000</stackingDB> !<stackingMac>01_00-00-e8-93-82-a0_01</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac>...
  • Page 633: Show Startup-Config

    System Status show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. COMMAND MODE Privileged Exec COMMAND USAGE Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 634: Show Users

    No information will be displayed under POST Result, unless there is a problem with the unit. If any POST test indicates “FAIL,” contact your distributor for assistance. EXAMPLE Console#show system System Description : LGB6050A/LGB6026A System OID String : 1.3.6.1.4.1.259.10.1.1 System Information System Up Time : 0 days, 0 hours, 21 minutes, and 47.6 seconds...
  • Page 635: Show Version

    System Status EXAMPLE Console#show users User Name Accounts: User Name Privilege Public-Key --------- --------- ---------- admin 15 None guest 0 None steve Online Users: Line User Name Idle time (h:m:s) Remote IP addr ------- -------------------------------- ----------------- --------------- * Console admin 0:00:00 SSH 0...
  • Page 636: Frame Size

    FRAME SIZE This section describes commands used to configure the Ethernet frame size on the switch. Table 38: Frame Size Commands Command Function Mode jumbo frame Enables support for jumbo frames jumbo frame This command enables support for jumbo frames for Gigabit Ethernet ports.
  • Page 637: Fan Control

    FAN CONTROL This section describes the command used to force fan speed. Table 39: Fan Control Commands Command Function Mode fan-speed force-full Forces fans to full speed show system Shows if full fan speed is enabled NE, PE fan-speed force-full This command sets all fans to full speed.
  • Page 638: Boot System

    File Management The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg”...
  • Page 639: Copy

    File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 640 File Management The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate"...
  • Page 641 File Management The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 642: Delete

    File Management delete This command deletes a file or image. SYNTAX delete filename filename - Name of configuration file or code image. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE If the file type is used for system startup, then this file cannot be deleted.
  • Page 643: Whichboot

    File Management COMMAND USAGE If you enter the command dir without any parameters, the system displays all files. File information is shown below: Table 41: File Directory Information Column Heading Description File Name The name of the file. Type File types: Boot-Rom, Operation Code, and Config file.
  • Page 644: Line

    Line EXAMPLE This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modify Time Size(bytes) -------------------------------- ------- ------- ------------------- ----------- Unit 1:...
  • Page 645: Line

    Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. SYNTAX line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). DEFAULT SETTING There is no default line.
  • Page 646: Exec-Timeout

    Line COMMAND USAGE The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 647: Login

    Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. SYNTAX login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 648: Parity

    Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. SYNTAX parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity DEFAULT SETTING...
  • Page 649: Password-Thresh

    Line COMMAND USAGE When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns...
  • Page 650: Silent-Time

    Line EXAMPLE To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# RELATED COMMANDS silent-time (648) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
  • Page 651: Stopbits

    Line DEFAULT SETTING 115200 bps COMMAND MODE Line Configuration COMMAND USAGE Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
  • Page 652: Timeout Login Response

    Line timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. SYNTAX timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
  • Page 653: Show Line

    Line EXAMPLE Console#disconnect 1 Console# RELATED COMMANDS show ssh (741) show users (632) show line This command displays the terminal line’s parameters. SYNTAX show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). DEFAULT SETTING Shows all lines...
  • Page 654: Event Logging

    EVENT LOGGING This section describes commands used to configure event logging on the switch. Table 43: Event Logging Commands Command Function Mode logging facility Sets the facility type for remote logging of syslog messages logging history Limits syslog messages saved to switch memory...
  • Page 655: Logging History

    Event Logging logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. SYNTAX logging history {flash | ram} level no logging history {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 656: Logging Host

    Event Logging logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. SYNTAX [no] logging host host-ip-address host-ip-address - The IPv4 or IPv6 address of a syslog server. DEFAULT SETTING None...
  • Page 657: Logging Trap

    Event Logging RELATED COMMANDS logging history (653) logging trap (655) clear log (655) logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 658: Show Log

    Event Logging COMMAND MODE Privileged Exec EXAMPLE Console#clear log Console# RELATED COMMANDS show log (656) show log This command displays the log messages stored in local memory. SYNTAX show log {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 659: Show Logging

    Event Logging show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. SYNTAX show logging {flash | ram | sendmail | trap} flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 660: Smtp Alerts

    SMTP Alerts Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Console# Table 46: show logging trap - display description Field...
  • Page 661: Logging Sendmail

    SMTP Alerts logging sendmail This command enables SMTP event handling. Use the no form to disable this function. SYNTAX [no] logging sendmail DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console(config)#logging sendmail Console(config)# logging sendmail host This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
  • Page 662: Logging Sendmail Level

    SMTP Alerts EXAMPLE Console(config)#logging sendmail host 192.168.1.19 Console(config)# logging sendmail level This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. SYNTAX logging sendmail level level no logging sendmail level level - One of the system message levels (page...
  • Page 663: Logging Sendmail Source-Email

    SMTP Alerts COMMAND MODE Global Configuration COMMAND USAGE You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. EXAMPLE Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail source-email This command sets the email address used for the “From”...
  • Page 664: Time

    Time SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- 1. ted@this-company.com SMTP Source E-mail Address: bill@this-company.com SMTP Status: Enabled Console# The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 665: Sntp Poll

    Time COMMAND USAGE The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 666: Sntp Server

    Time RELATED COMMANDS sntp client (662) sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 667: Clock Timezone

    Time EXAMPLE Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 137.92.140.81 Console# clock timezone This command sets the time zone for the switch’s internal clock. SYNTAX clock timezone name hour hours minute minutes {before-utc | after-utc}...
  • Page 668: Calendar Set

    Time calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. SYNTAX calendar set hour min sec {day month year | month day year} hour - Hour in 24-hour format.
  • Page 669: Time Range

    TIME RANGE This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 49: Time Range Commands Command Function Mode time-range Specifies the name of a time range, and enters time range configuration mode absolute Sets the time range for the execution of a command...
  • Page 670: Absolute

    Time Range absolute This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. SYNTAX absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute hour - Hour in 24-hour format.
  • Page 671: Show Time-Range

    Time Range monday - Monday saturday - Saturday sunday - Sunday thursday - Thursday tuesday - Tuesday wednesday - Wednesday weekdays - Weekdays weekend - Weekends hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) DEFAULT SETTING None...
  • Page 672 Time Range – 670 –...
  • Page 673: Snmp Commands

    SNMP COMMANDS Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 674: Snmp-Server

    CHAPTER | SNMP Commands Table 50: SNMP Commands (Continued) Command Function Mode Notification Log Commands Enables the specified notification log snmp-server notify-filter Creates a notification log and specifies the target host show nlm oper-status Shows operation status of configured notification logs show snmp notify-filter Displays the configured notification logs...
  • Page 675: Snmp-Server Contact

    DEFAULT SETTING public - Read-only access. Authorized management stations are only able to retrieve MIB objects. private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. COMMAND MODE Global Configuration EXAMPLE Console(config)#snmp-server community alpha rw Console(config)# snmp-server...
  • Page 676: Show Snmp

    DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console(config)#snmp-server location WC-19 Console(config)# RELATED COMMANDS snmp-server contact (673) show snmp This command can be used to check the status of SNMP communications. DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE This command provides information on the community access strings,...
  • Page 677: Snmp-Server Enable Traps

    0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging: Disabled Console# snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
  • Page 678: Snmp-Server Host

    RELATED COMMANDS snmp-server host (676) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. SYNTAX snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr...
  • Page 679 COMMAND USAGE If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
  • Page 680: Snmp-Server Engine-Id

    If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. The user name must first be defined with the snmp-server user command. Otherwise, an SNMPv3 group will be automatically created by the snmp-server host command using the name of the specified community string, and default settings for the read, write, and notify view.
  • Page 681: Snmp-Server Group

    therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
  • Page 682 DEFAULT SETTING Default groups: public (read only), private (read/write) readview - Every object belonging to the Internet OID space (1). writeview - Nothing is defined. notifyview - Nothing is defined. COMMAND MODE Global Configuration COMMAND USAGE A group sets the access policy for the assigned users. When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user...
  • Page 683: Snmp-Server User

    snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. SYNTAX snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]...
  • Page 684: Snmp-Server View

    Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent’s SNMP engine ID is used to compute authentication/privacy digests from the user’s password.
  • Page 685: Show Snmp Engine-Id

    EXAMPLES This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries.
  • Page 686: Show Snmp Group

    show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. COMMAND MODE Privileged Exec EXAMPLE Console#show snmp group Group Name : r&d Security Model : v3 Read View : defaultview Write View...
  • Page 687: Show Snmp User

    Table 52: show snmp group - display description (Continued) Field Description Notify View The associated notify view. Storage Type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users.
  • Page 688: Show Snmp View

    show snmp view This command shows information on the SNMP views. COMMAND MODE Privileged Exec EXAMPLE Console#show snmp view View Name : mib-2 Subtree OID : 1.2.2.3.6.2.1 View Type : included Storage Type : nonvolatile Row Status : active View Name : defaultview...
  • Page 689: Snmp-Server Notify-Filter

    Disabling logging with this command does not delete the entries stored in the notification log. EXAMPLE This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server notify-filter This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 690: Show Nlm Oper-Status

    To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
  • Page 691: Show Snmp Notify-Filter

    show snmp notify-filter This command displays the configured notification logs. COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- ---------------- 10.1.19.23 Console# –...
  • Page 692 – 690 –...
  • Page 693: Remote Monitoring Commands

    REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 694: Rmon Alarm

    CHAPTER | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. SYNTAX rmon alarm index variable interval seconds {absolute | delta} rising-threshold threshold event event-index falling-threshold threshold event event-index [owner name] no rmon event index index –...
  • Page 695: Rmon Event

    such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold. EXAMPLE Console(config)#rmon alarm 1 1 1.3.6.1.2.1.16.1.1.1.6.1 interval 15 delta rising-threshold 100 event 1 falling-threshold 30 event 1 owner mike Console(config)# rmon event...
  • Page 696: Rmon Collection History

    COMMAND USAGE If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. The specified events determine the action to take when an alarm triggers this event.
  • Page 697: Rmon Collection Stats

    EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike Console(config-if)# rmon collection stats This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection. SYNTAX rmon collection stats index [owner name]...
  • Page 698: Show Rmon Alarm

    show rmon alarm This command shows the settings for all configured alarms. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon alarm Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0 Falling threshold is 446400, assigned to event 0 show rmon event...
  • Page 699: Show Rmon Statistics

    show rmon statistics: This command shows the information collected for all configured entries in the statistics group. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show rmon statistics; Interface 1 is valid, and owned by; Monitors 1.3.6.1.2.1.2.2.1.1.1 which has; Received 164289 octets, 2372 packets, 120 broadcast and 2211 multicast packets, 0 undersized and 0 oversized packets,...
  • Page 701: Flow Sampling Commands

    FLOW SAMPLING COMMANDS. Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector. The datagrams are plain UDP carrying headers copied from the sampled traffic, so the Collector should be reachable only over a management network.
  • Page 702: Sflow Max-Datagram-Size

    One double colon (::) may be used to indicate the appropriate number of zeros required to fill the undefined fields. destination-udp-port - The UDP port on which the Collector is listening for sFlow streams. (Range: 0-65534). DEFAULT SETTING: IP Address: null...
  • Page 703: Sflow Max-Header-Size

    sflow max-header-size: This command configures the maximum size of the sFlow datagram header. Use the no form to restore the default setting. SYNTAX: sflow max-header-size max-header-size; no sflow max-header-size. max-header-size - The maximum size of the sFlow datagram header.
  • Page 704: Sflow Sample

    sflow sample: This command configures the packet sampling rate. Use the no form to restore the default rate. SYNTAX: sflow sample rate; no sflow sample. rate - The packet sampling rate, i.e., the number of packets out of which one sample will be taken.
  • Page 705: Sflow Timeout

    sflow timeout: This command configures the length of time samples are sent to the Collector before all sFlow port parameters are reset. Use the no form to restore the default timeout. SYNTAX: sflow timeout seconds; no sflow timeout. seconds - The length of time the sFlow process continuously sends samples to the Collector before resetting all sFlow port parameters.
  • Page 706: COMMAND MODE: Privileged Exec. EXAMPLE: Console#show sflow interface ethernet 1/9; Interface of Ethernet; Interface status : Enabled; Owner name : Lamar; Owner destination : 192.168.0.4; Owner socket port : 6343; Time out : 9994; Maximum header size : 256; Maximum datagram size : 1500; Sample rate...
  • Page 707: Authentication Commands

    AUTHENTICATION COMMANDS. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 708: Enable Password

    User Accounts. enable password: After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 709: Username

    username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
  • Page 710: Authentication Sequence

    AUTHENTICATION SEQUENCE. Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 60: Authentication Sequence Commands (Command, Function, Mode)...
  • Page 711: Authentication Login

    If the TACACS+ server is not available, the local user name and password are checked. EXAMPLE: Console(config)#authentication enable radius. RELATED COMMANDS: enable password - sets the password for changing command modes (706). authentication login: This command defines the login authentication method and precedence.
  • Page 712: Radius Client

    EXAMPLE: Console(config)#authentication login radius. RELATED COMMANDS: username - for setting the local user names and passwords (707). RADIUS CLIENT. Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
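How a method list such as authentication login tacacs local is walked, as an added example in Python (not the switch's firmware): the TACACS+ server is tried first and the local user database is consulted only when the server is unavailable, as the text above describes. The RemoteServer and local_method stand-ins, user names and passwords are constructed; the rule that an explicit reject from a reachable server is final, rather than falling through to the next method, is an assumption about the switch that the page does not state, and it is called out in the code.

```python
"""Added illustration of `authentication login` method-list fallback (not manual code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"
Method = Callable[[str, str], Tuple[str, int]]     # (user, password) -> (outcome, seconds waited)


@dataclass
class RemoteServer:
    """Constructed stand-in for a RADIUS or TACACS+ server as the switch sees it."""
    name: str
    reachable: bool
    users: Dict[str, str]          # user -> password the server would accept
    retransmit: int = 2            # attempts before the server counts as unavailable
    timeout: int = 5               # seconds the switch waits per attempt

    def authenticate(self, user: str, password: str) -> Tuple[str, int]:
        """An unreachable server costs retransmit * timeout seconds before fallback."""
        if not self.reachable:
            return UNAVAILABLE, self.retransmit * self.timeout
        return (ACCEPT if self.users.get(user) == password else REJECT), 0


def local_method(users: Dict[str, str]) -> Method:
    """The local user database (`username` command); it is never unavailable."""
    def check(user: str, password: str) -> Tuple[str, int]:
        return (ACCEPT if users.get(user) == password else REJECT), 0
    return check


def authenticate_login(sequence: List[Tuple[str, Method]], user: str,
                       password: str) -> Tuple[bool, str, int]:
    """Walk the configured method list in order.

    Falls through to the next method only when the current one is UNAVAILABLE,
    which is the case the manual describes (TACACS+ down, local checked).
    An explicit REJECT ends the walk. That is an assumption about this switch,
    not something the page states, and it is the safe reading: falling through on
    a reject would let a user whose server account was disabled log in with a
    stale local password. Returns (granted, deciding method, seconds waited).
    """
    waited = 0
    for name, method in sequence:
        outcome, cost = method(user, password)
        waited += cost
        if outcome == ACCEPT:
            return True, name, waited
        if outcome == REJECT:
            return False, name, waited
    return False, "none", waited      # every method unavailable: access denied


def demo() -> Tuple[Tuple[bool, str, int], Tuple[bool, str, int]]:
    """`authentication login tacacs local` with the server down, then up and rejecting."""
    local = local_method({"admin": "Local-Pass"})
    down = RemoteServer("tacacs", reachable=False, users={"admin": "Srv-Pass"})
    up = RemoteServer("tacacs", reachable=True, users={"admin": "Srv-Pass"})
    fallback = authenticate_login([("tacacs", down.authenticate), ("local", local)],
                                  "admin", "Local-Pass")
    no_fallback = authenticate_login([("tacacs", up.authenticate), ("local", local)],
                                     "admin", "Local-Pass")
    return fallback, no_fallback


if __name__ == "__main__":
    print(demo())
```

The seconds-waited value is the operational cost of the radius-server retransmit and timeout settings on the following pages: with the constructed defaults of 2 attempts and 5 seconds, an operator locked out by a dead server waits 10 seconds before the local password is even tried, and a long list of unreachable servers multiplies that.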
  • Page 713: Radius-Server Auth-Port

    EXAMPLE: Console(config)#radius-server acct-port 181. radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX: radius-server auth-port port-number; no radius-server auth-port. port-number - RADIUS server UDP port used for authentication messages.
  • Page 714: Radius-Server Key

    retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30). timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535). DEFAULT SETTING: auth-port - 1812...
  • Page 715: Radius-Server Retransmit

    radius-server retransmit: This command sets the number of retries. Use the no form to restore the default. SYNTAX: radius-server retransmit number-of-retries; no radius-server retransmit. number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 716: Show Radius-Server

    show radius-server: This command displays the current settings for the RADIUS server. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show radius-server; Remote RADIUS Server Configuration:; Global Settings:; Authentication Port Number : 1812; Accounting Port Number : 1813; Retransmit Times ...; Request Timeout...
  • Page 717: Tacacs-Server

    TACACS+ CLIENT. tacacs-server: This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. SYNTAX: tacacs-server index host host-ip-address [key key] [port port-number]; no tacacs-server index. index - The index for this server.
  • Page 718: Tacacs-Server Key

    tacacs-server key: This command sets the TACACS+ encryption key. Use the no form to restore the default. SYNTAX: tacacs-server key key-string; no tacacs-server key. key-string - Encryption key used to authenticate logon access for the client. Note that this key only obfuscates the TACACS+ packet body (RFC 8907 describes the MD5-based scheme as obfuscation rather than encryption), so the path between the switch and the server should itself be a trusted management network.
  • Page 719: Show Tacacs-Server

    show tacacs-server: This command displays the current settings for the TACACS+ server. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show tacacs-server; Remote TACACS+ Server Configuration:; Global Settings:; Server Port Number: 49; Server 1:; Server IP Address : 10.11.12.13; Server Port Number : 49; Tacacs Server Group:...
  • Page 720: Aaa Accounting Commands

    Table 63: AAA Commands (Continued): authorization exec – Applies an authorization method to local console, Telnet or SSH connections (Line); show accounting – Displays all accounting information. aaa accounting commands: This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
  • Page 721: Aaa Accounting Dot1X

    EXAMPLE: Console(config)#aaa accounting commands 15 default start-stop group tacacs+. aaa accounting dot1x: This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. SYNTAX: aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ | server-group}; no aaa accounting dot1x {default | method-name}. default - Specifies the default accounting method for service...
  • Page 722: Aaa Accounting Exec

    aaa accounting exec: This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. SYNTAX: aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}; no aaa accounting exec {default | method-name}. default - Specifies the default accounting method for service requests.
  • Page 723: Aaa Accounting Update

    aaa accounting update: This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. SYNTAX: aaa accounting update [periodic interval]; no aaa accounting update. interval - Sends an interim accounting record to the server at this interval.
  • Page 724: Aaa Group Server

    DEFAULT SETTING: Authorization is not enabled; no servers are specified. COMMAND MODE: Global Configuration. COMMAND USAGE: This command performs authorization to determine if a user is allowed to run an Exec shell. AAA authentication must be enabled before authorization is enabled. If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method...
  • Page 725: Server

    server: This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. SYNTAX: [no] server {index | ip-address}. index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1). ip-address - Specifies the host IP address of a server.
  • Page 726: Accounting Exec

    EXAMPLE: Console(config)#interface ethernet 1/2; Console(config-if)#accounting dot1x tps. accounting exec: This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. SYNTAX: accounting exec {default | list-name}; no accounting exec. default - Specifies the default method list created with the accounting exec...
  • Page 727: Show Accounting

    COMMAND MODE: Line Configuration. EXAMPLE: Console(config)#line console; Console(config-line)#authorization exec tps; Console(config-line)#exit; Console(config)#line vty; Console(config-line)#authorization exec default. show accounting: This command displays the current accounting settings per function and per port. SYNTAX: show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]. commands - Displays command accounting information.
  • Page 728: Web Server

    ...Group List : radius; Interface : Eth 1/2; Accounting Type : EXEC; Method List : default; Group List : tacacs+; Interface : vty. WEB SERVER. This section describes commands used to configure web browser management access to the switch.
  • Page 729: Ip Http Server

    RELATED COMMANDS: ip http server (727); show system (631). ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Plain HTTP carries the management login and session in the clear, so once the HTTPS server described on the following pages is working, turn this one off with no ip http server. SYNTAX: [no] ip http server. DEFAULT SETTING:...
  • Page 730: Table 65: Https System Support

    When you start HTTPS, the connection is established in this way: the client authenticates the server using the server’s digital certificate; the client and server negotiate a set of security protocols to use for the connection.
  • Page 731: Ip Http Secure-Port

    ip http secure-port: This command specifies the TCP port number used for HTTPS connections to the switch’s web interface. Use the no form to restore the default port. SYNTAX: ip http secure-port port_number; no ip http secure-port. port_number –...
  • Page 732: Ip Telnet Max-Sessions

    This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec level. ip telnet max-sessions: This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system.
  • Page 733: Ip Telnet Server

    COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#ip telnet port 123. ip telnet server: This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Telnet sends user names, passwords and the whole session unencrypted and is enabled by default, so disable it with no ip telnet server once SSH access (next section) has been verified. SYNTAX: [no] ip telnet server. DEFAULT SETTING: Enabled...
  • Page 734: Secure Shell

    SECURE SHELL. This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. The switch supports both SSH Version 1.5 and 2.0 clients; treat the 1.5 support as legacy, since protocol version 1 has known cryptographic weaknesses and current OpenSSH releases no longer implement it.
  • Page 735: To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. A client that accepts the key blindly on first connection cannot tell the switch from an impostor, so compare what the client reports with the key shown by show public-key host on the console before accepting it.
  • Page 736: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.
  • Page 737: Ip Ssh Authentication-Retries

    ip ssh authentication-retries: This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. SYNTAX: ip ssh authentication-retries count; no ip ssh authentication-retries. count –...
  • Page 738: Ip Ssh Server-Key Size

    EXAMPLE: Console#ip ssh crypto host-key generate dsa; Console#configure; Console(config)#ip ssh server. RELATED COMMANDS: ip ssh crypto host-key generate (737); show ssh (741). ip ssh server-key size: This command sets the SSH server key size. Use the no form to restore the default setting.
  • Page 739: Delete Public-Key

    COMMAND MODE: Global Configuration. COMMAND USAGE: The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 740: Ip Ssh Crypto Zeroize

    DEFAULT SETTING: Generates both the DSA and RSA key pairs. COMMAND MODE: Privileged Exec. COMMAND USAGE: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. This command stores the host key pair in memory (i.e., RAM) only. Use the ip ssh save host-key command to save the host key pair to flash memory; otherwise the key does not survive a reboot, and clients that stored it will see a host-key change once a new one is generated.
  • Page 741: Ip Ssh Save Host-Key

    The SSH server must be disabled before you can execute this command. EXAMPLE: Console#ip ssh crypto zeroize dsa. RELATED COMMANDS: ip ssh crypto host-key generate (737); ip ssh save host-key (739); ip ssh server (735). ip ssh save host-key: This command saves the host key from RAM to flash memory.
  • Page 742: Show Public-Key

    show public-key: This command shows the public key for the specified user or for the host. SYNTAX: show public-key [user [username] | host]. username – Name of an SSH user. (Range: 1-8 characters). DEFAULT SETTING: Shows all public keys.
  • Page 743: Show Ssh

    show ssh: This command displays the current SSH server connections. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show ssh; Connection Version State Username Encryption Session-Started; ... admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5. The example session negotiated AES-128-CBC with HMAC-MD5; where the client and the switch both offer them, prefer a CTR or GCM cipher and a SHA-2 MAC. Table 68: show ssh - display description (Field, Description): Session...
  • Page 744: Dot1X Default

    Table 69: 802.1X Port Authentication Commands (Continued): dot1x timeout quiet-period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client; dot1x timeout re-authperiod – Sets the time period after which a connected client...
  • Page 745: Dot1X System-Auth-Control

    When this device is functioning as an edge switch but does not require any attached clients to be authenticated, the no dot1x eapol-pass-through command can be used to discard unnecessary EAPOL traffic. EXAMPLE: This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
  • Page 746: Dot1X Max-Req

    COMMAND USAGE: For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
  • Page 747: Dot1X Operation-Mode

    dot1x operation-mode: This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default, single-host mode. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 748: Dot1X Port-Control

    dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default. SYNTAX: dot1x port-control {auto |
 force-authorized | force-unauthorized}; no dot1x port-control. auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 749: Dot1X Timeout Quiet-Period

    EXAMPLE: Console(config)#interface eth 1/2; Console(config-if)#dot1x re-authentication. RELATED COMMANDS: dot1x timeout re-authperiod (747). dot1x timeout quiet-period: This command sets the time that a switch port waits after the maximum request count (see page 744) has been exceeded before attempting to acquire a new client.
  • Page 750: Dot1X Timeout Supp-Timeout

    EXAMPLE: Console(config)#interface eth 1/2; Console(config-if)#dot1x timeout re-authperiod 300. dot1x timeout supp-timeout: This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.
  • Page 751: Dot1X Re-Authenticate

    DEFAULT SETTING: 30 seconds. COMMAND MODE: Interface Configuration. EXAMPLE: Console(config)#interface eth 1/2; Console(config-if)#dot1x timeout tx-period 300. dot1x re-authenticate: This command forces re-authentication on all ports or a specific interface. SYNTAX: dot1x re-authenticate [interface]. interface: ethernet unit/port; unit - Stack unit.
  • Page 752: Show Dot1X

    show dot1x: This command shows general port authentication related settings on the switch or a specific interface. SYNTAX: show dot1x [statistics] [interface interface]. statistics - Displays dot1x status for each port. interface: ethernet unit/port; unit - Stack unit.
  • Page 753: Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port. Port Control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 746). Intrusion Action – Shows the port response to intrusion when authentication fails (page 743).
  • Page 754: Management Ip Filter

    Quiet Period : 60; TX Period : 30; Supplicant Timeout : 30; Server Timeout : 10; Reauth Max Retries ...; Max Request ...; Operation Mode : Multi-host; Port Control : Auto; Intrusion Action : Block traffic; Supplicant : 00-e0-29-94-34-65; Authenticator PAE State Machine...
  • Page 755: Management

    MANAGEMENT IP FILTER. management: This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. This is a source-address filter, not a form of authentication: it narrows who can reach the management services but does not replace the login, SSH and HTTPS settings above. SYNTAX: [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]. all-client - Adds IP address(es) to all groups.
  • Page 756: Show Management

    show management: This command displays the client IP addresses that are allowed management access to the switch through various protocols. SYNTAX: show management {all-client | http-client | snmp-client | telnet-client}. all-client - Displays IP addresses for all groups. http-client - Displays IP addresses for the web group.
  • Page 757: General Security Measures

    GENERAL SECURITY MEASURES. This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
  • Page 758: Port Security

    PORT SECURITY. These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 759: Port Security

    The mac-learning commands cannot be used if 802.1X Port Authentication has been globally enabled on the switch with the dot1x system-auth-control command, or if MAC Address Security has been enabled by the port security command on the same interface.
  • Page 760: ...addresses when it reaches a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port. Note that the control is keyed on source MAC addresses, which an attacker who can see an accepted station's traffic can copy, so it limits accidental or casual connections rather than authenticating hosts.
  • Page 761: Network Access (Mac Address Authentication)

    NETWORK ACCESS (MAC ADDRESS AUTHENTICATION). Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. Because the MAC address is the only credential, this suits devices that cannot run an 802.1X supplicant (printers, phones) and should be paired with 802.1X wherever the host can present real credentials.
  • Page 762: Network-Access Aging

    network-access aging: Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. SYNTAX: [no] network-access aging. DEFAULT...
  • Page 763: Mac-Authentication Reauth-Time

    COMMAND MODE: Global Configuration. COMMAND USAGE: Specified addresses are exempt from network access authentication. This command differs from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 764: Network-Access Dynamic-Qos

    network-access dynamic-qos: Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. SYNTAX: [no] network-access dynamic-qos. DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration. COMMAND...
  • Page 765: Network-Access Dynamic-Vlan

    network-access dynamic-vlan: Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. SYNTAX: [no] network-access dynamic-vlan. DEFAULT SETTING: Enabled. COMMAND MODE: Interface Configuration. COMMAND...
  • Page 766: Network-Access Link-Detection

    COMMAND MODE: Interface Configuration. COMMAND USAGE: The VLAN to be used as the guest VLAN must be defined and set as active (see the vlan database command). When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan”...
  • Page 767: Network-Access Link-Detection Link-Down

    network-access link-detection link-down: Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 768: Network-Access Link-Detection Link-Up-Down

    EXAMPLE: Console(config)#interface ethernet 1/1; Console(config-if)#network-access link-detection link-up action trap. network-access link-detection link-up-down: Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 769: Network-Access Mode Mac-Authentication

    COMMAND MODE: Interface Configuration. COMMAND USAGE: The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures. Because the system-wide limit is shared by every port, a single port that keeps presenting new source addresses can fill the table and cause authentication failures for legitimate hosts arriving on other ports.
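To make the per-port and system-wide limits concrete, an added example in Python (not the manual's code) models a secure MAC table shared by all ports, with a per-port maximum like port security max-mac-count on page 760 and the switch-wide limit of 1024 secure addresses described above. The exhaustion scenario shows a single port filling the table so that a legitimate host on another port is rejected, and the flooding port's link-down clearing its entries as the next page describes. Port names, MAC addresses and the rule that static entries count against the limits are constructed assumptions.

```python
"""Added illustration of secure MAC table limits (not code from the manual)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class SecureMacTable:
    """Secure MAC table shared by all ports of one switch.

    system_max mirrors the manual's switch-wide limit of 1024 secure addresses;
    per_port_max mirrors a per-port maximum (port security max-mac-count, or the
    1024-per-port network-access limit). Assumption: every entry, static or
    dynamic, counts against both limits.
    """
    system_max: int = 1024
    per_port_max: Dict[str, int] = field(default_factory=dict)
    entries: Dict[str, Set[str]] = field(default_factory=dict)   # port -> secure MACs
    failures: Dict[str, int] = field(default_factory=dict)       # port -> rejected new MACs

    def total(self) -> int:
        return sum(len(s) for s in self.entries.values())

    def ingress(self, port: str, src_mac: str) -> str:
        """Decide what happens to a frame with this source MAC arriving on this port.

        'forward': address already secure on this port.
        'learn':   new address admitted (learned, or authenticated for network-access).
        'reject':  a limit is reached; the manual says new addresses are then treated
                   as authentication failures / are not accepted.
        """
        mac = src_mac.lower()
        known = self.entries.setdefault(port, set())
        if mac in known:
            return "forward"
        port_limit = self.per_port_max.get(port, self.system_max)
        if len(known) >= port_limit or self.total() >= self.system_max:
            self.failures[port] = self.failures.get(port, 0) + 1
            return "reject"
        known.add(mac)
        return "learn"

    def link_down(self, port: str) -> None:
        """Port goes down: all of its secure addresses are cleared (per the manual)."""
        self.entries.pop(port, None)


def constructed_mac(i: int) -> str:
    """Deterministic, locally administered MAC for the i-th constructed host."""
    return "02:00:00:00:%02x:%02x" % ((i >> 8) & 0xFF, i & 0xFF)


def exhaustion_scenario(system_max: int = 1024,
                        flood_port_max: int = 1024) -> Tuple[int, str, str]:
    """A host on eth1/1 cycles through system_max + 10 source MACs, then a legitimate
    host appears on eth1/2. Returns (addresses learned on eth1/1, eth1/2's result,
    eth1/2's result after eth1/1 goes link-down)."""
    table = SecureMacTable(system_max=system_max,
                           per_port_max={"eth1/1": flood_port_max, "eth1/2": 1024})
    learned = sum(1 for i in range(system_max + 10)
                  if table.ingress("eth1/1", constructed_mac(i)) == "learn")
    legit = "00:e0:29:94:34:65"          # MAC from the manual's show dot1x output
    first = table.ingress("eth1/2", legit)
    table.link_down("eth1/1")
    after = table.ingress("eth1/2", legit)
    return learned, first, after


if __name__ == "__main__":
    print(exhaustion_scenario())               # (1024, 'reject', 'learn')
    print(exhaustion_scenario(flood_port_max=8))  # (8, 'learn', 'forward')
```

With the per-port maximum left at the system value, the flooding port takes the whole table and the legitimate host is rejected until the offender goes link-down; capping the access port at a small count (the second call) leaves room for everyone else, which is the practical reason to set max-mac-count per port rather than rely on the global limit.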
  • Page 770: Network-Access Port-Mac-Filter

    When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 771: Mac-Authentication Intrusion-Action

    mac-authentication intrusion-action: Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. SYNTAX: mac-authentication intrusion-action {block traffic | pass traffic}; no mac-authentication intrusion-action. DEFAULT SETTING:...
  • Page 772: Show Network-Access

    show network-access: Use this command to display the MAC authentication settings for port interfaces. SYNTAX: show network-access [interface interface]. interface - Specifies a port interface: ethernet unit/port; unit - Stack unit. (Range: 1); port - Port number.
  • Page 773: Show Network-Access Mac-Address-Table

    show network-access mac-address-table: Use this command to display secure MAC address table entries. SYNTAX: show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]. static - Specifies static address entries.
  • Page 774: Show Network-Access Mac-Filter

    show network-access mac-filter: Use this command to display information for entries in the MAC filter tables. SYNTAX: show network-access mac-filter [filter-id]. filter-id - Specifies a MAC address filter table. (Range: 1-64). DEFAULT SETTING: Displays all filters.
  • Page 775: Web-Auth Login-Attempts

    Table 75: Web Authentication (Continued): web-auth system-auth-control – Enables web authentication globally for the switch; web-auth – Enables web authentication for an interface; web-auth re-authenticate (Port) – Ends all web authentication sessions on the port and forces the users to re-authenticate; web-auth re-authenticate (IP) –...
  • Page 776: Web-Auth Quiet-Period

    web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default. SYNTAX: web-auth quiet-period time; no web-auth quiet-period...
  • Page 777: Web-Auth System-Auth-Control

    web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default. SYNTAX: [no] web-auth system-auth-control. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
  • Page 778: Web-Auth Re-Authenticate (Port)

    web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. SYNTAX: web-auth re-authenticate interface interface. interface - Specifies a port interface: ethernet unit/port; unit - This is unit 1.
  • Page 779: Show Web-Auth

    show web-auth: This command displays global web authentication parameters. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show web-auth; Global Web-Auth Parameters; System Auth Control : Enabled; Session Timeout : 3600; Quiet Period : 60; Max Login Attempts .... show web-auth interface: This command displays interface-specific web authentication parameters...
  • Page 780: Show Web-Auth Summary

    show web-auth summary: This command displays a summary of web authentication port parameters and statistics. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show web-auth summary; Global Web-Auth Parameters; System Auth Control : Enabled; Port Status Authenticated Host Count; ---- ------...
  • Page 781: Ip Dhcp Snooping

    DHCP SNOOPING. ip dhcp snooping: This command enables DHCP snooping globally. Use the no form to restore the default setting. SYNTAX: [no] ip dhcp snooping. DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: Network traffic may be disrupted when malicious DHCP messages are received from an outside source, for example a rogue server on an access port handing out its own default gateway or DNS server addresses.
  • Page 782 | General Security Measures HAPTER DHCP Snooping If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. If the DHCP packet is from client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the...
  • Page 783: Ip Dhcp Snooping Database Flash

    | General Security Measures HAPTER DHCP Snooping ip dhcp snooping This command writes all dynamically learned snooping entries to flash memory. database flash OMMAND Privileged Exec OMMAND SAGE This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 784: Ip Dhcp Snooping Information Policy

    | General Security Measures HAPTER DHCP Snooping Use the ip dhcp snooping information option command to specify how to handle DHCP client request packets which already contain Option 82 information. XAMPLE This example enables the DHCP Snooping Information Option. Console(config)#ip dhcp snooping information option Console(config)# ip dhcp snooping This command sets the DHCP snooping information option policy for DHCP...
  • Page 785: Ip Dhcp Snooping Verify Mac-Address

    | General Security Measures HAPTER DHCP Snooping ip dhcp snooping This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no verify mac-address form to disable this function. YNTAX [no] ip dhcp binding verify mac-address EFAULT...
  • Page 786: Ip Dhcp Snooping Trust

    | General Security Measures HAPTER DHCP Snooping When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled. When DHCP snooping is globally enabled, configuration changes for specific VLANs have the following effects: If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
  • Page 787: Clear Ip Dhcp Snooping Database Flash

    | General Security Measures HAPTER DHCP Snooping When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
  • Page 788: Show Ip Dhcp Snooping

    | General Security Measures HAPTER DHCP Snooping show ip dhcp This command shows the DHCP snooping configuration settings. snooping OMMAND Privileged Exec XAMPLE Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping Information Option Status: disable DHCP Snooping Information Policy: replace DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable Interface...
  • Page 789: Ip Source Guard

    | General Security Measures HAPTER IP Source Guard IP S OURCE UARD IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 790 | General Security Measures HAPTER IP Source Guard OMMAND Global Configuration OMMAND SAGE Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command...
  • Page 791: Ip Source-Guard

    | General Security Measures HAPTER IP Source Guard ip source-guard This command configures the switch to filter inbound traffic based source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. YNTAX ip source-guard {sip | sip-mac} no ip source-guard sip - Filters traffic based on IP addresses stored in the binding...
  • Page 792: Ip Source-Guard Max-Binding

    | General Security Measures HAPTER IP Source Guard Filtering rules are implemented as follows: If DHCP snooping is disabled (see page 779), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 793: Show Ip Source-Guard

    | General Security Measures HAPTER IP Source Guard OMMAND SAGE This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 794: Arp Inspection

    | General Security Measures HAPTER ARP Inspection XAMPLE Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- -------- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console# ARP I NSPECTION ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 795: Ip Arp Inspection

    | General Security Measures HAPTER ARP Inspection Table 78: ARP Inspection Commands (Continued) Command Function Mode show ip arp inspection Shows statistics about the number of ARP packets statistics processed, or dropped for various reasons show ip arp inspection vlan Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL...
  • Page 796: Ip Arp Inspection Filter

    | General Security Measures HAPTER ARP Inspection ip arp inspection This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. filter YNTAX ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static] arp-acl-name - Name of an ARP ACL.
  • Page 797: Ip Arp Inspection Log-Buffer Logs

    | General Security Measures HAPTER ARP Inspection ip arp inspection This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form log-buffer logs to restore the default settings. YNTAX ip arp inspection log-buffer logs message-number interval seconds no ip arp inspection log-buffer logs...
  • Page 798: Ip Arp Inspection Validate

    | General Security Measures HAPTER ARP Inspection ip arp inspection This command specifies additional validation of address components in an validate ARP packet. Use the no form to restore the default setting. YNTAX ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac} no ip arp inspection validate dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 799: Ip Arp Inspection Limit

    | General Security Measures HAPTER ARP Inspection EFAULT ETTING Disabled on all VLANs OMMAND Global Configuration OMMAND SAGE When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 800: Ip Arp Inspection Trust

    | General Security Measures HAPTER ARP Inspection OMMAND Interface Configuration (Port) OMMAND SAGE This command only applies to untrusted ports. When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit. XAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection limit 150...
  • Page 801: Show Ip Arp Inspection Interface

    | General Security Measures HAPTER ARP Inspection XAMPLE Console#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval : 10 s Log Message Number Need Additional Validation(s) : Yes Additional Validation Type : Destination MAC address Console# show ip arp...
  • Page 802: Show Ip Arp Inspection Statistics

    | General Security Measures HAPTER ARP Inspection show ip arp This command shows statistics about the number of ARP packets processed, or dropped for various reasons. inspection statistics OMMAND Privileged Exec XAMPLE Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 803: Access Control Lists

    CCESS ONTROL ISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 804: Access-List Ip

    | Access Control Lists HAPTER IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. YNTAX [no] access-list ip {standard | extended} acl-name standard –...
  • Page 805: Permit, Deny (Standard Ip Acl)

    | Access Control Lists HAPTER IPv4 ACLs permit, deny This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no (Standard IP ACL) form to remove a rule. YNTAX {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 806: Permit, Deny (Extended Ipv4 Acl)

    | Access Control Lists HAPTER IPv4 ACLs permit, deny This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, (Extended IPv4 ACL) protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 807 | Access Control Lists HAPTER IPv4 ACLs port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask –...
  • Page 808: Ip Access-Group

    | Access Control Lists HAPTER IPv4 ACLs XAMPLE This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 809: Show Ip Access-Group

    | Access Control Lists HAPTER IPv4 ACLs OMMAND SAGE Only one ACL can be bound to a port. If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. XAMPLE Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 810: Ipv6 Acls

    | Access Control Lists HAPTER IPv6 ACLs XAMPLE Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# ELATED OMMANDS permit, deny (803) ip access-group (806) 6 ACL The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label.
  • Page 811: Permit, Deny (Standard Ipv6 Acl)

    | Access Control Lists HAPTER IPv6 ACLs OMMAND Global Configuration OMMAND SAGE When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
  • Page 812: Permit, Deny (Extended Ipv6 Acl)

    | Access Control Lists HAPTER IPv6 ACLs EFAULT ETTING None OMMAND Standard IPv6 ACL OMMAND SAGE New rules are appended to the end of the list. XAMPLE This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 813 | Access Control Lists HAPTER IPv6 ACLs routers, such as non-default quality of service or “real-time” service (see RFC 2460). (Range: 0-16777215) next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255) time-range-name - Name of the time range. (Range: 1-30 characters) EFAULT ETTING...
  • Page 814: Show Ipv6 Access-List

    | Access Control Lists HAPTER IPv6 ACLs XAMPLE This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8 Console(config-ext-ipv6-acl)# This allows packets to any destination address when the DSCP value is 5. Console(config-ext-ipv6-acl)#permit any dscp 5 Console(config-ext-ipv6-acl)# This allows any packets sent to the destination 2009:DB9:2229::79/48 when the flow label is 43.”...
  • Page 815: Ipv6 Access-Group

    | Access Control Lists HAPTER IPv6 ACLs ipv6 access-group This command binds a port to an IPv6 ACL. Use the no form to remove the port. YNTAX ipv6 access-group acl-name in [time-range time-range-name] no ipv6 access-group acl-name in acl-name – Name of the ACL. (Maximum length: 16 characters) in –...
  • Page 816: Mac Acls

    | Access Control Lists HAPTER MAC ACLs ELATED OMMANDS ipv6 access-group (813) MAC ACL The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 817: Permit, Deny (Mac Acl)

    | Access Control Lists HAPTER MAC ACLs XAMPLE Console(config)#access-list mac jerry Console(config-mac-acl)# ELATED OMMANDS permit, deny (815) mac access-group (817) show mac access-list (818) permit, deny This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), (MAC ACL) or Ethernet protocol type.
  • Page 818 | Access Control Lists HAPTER MAC ACLs {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name] no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny} untagged-802.3...
  • Page 819: Mac Access-Group

    | Access Control Lists HAPTER MAC ACLs The ethertype option can only be used to filter Ethernet II formatted packets. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: 0800 - IP 0806 - ARP 8137 - IPX...
  • Page 820: Show Mac Access-Group

    | Access Control Lists HAPTER MAC ACLs ELATED OMMANDS show mac access-list (818) Time Range (667) show mac access- This command shows the ports assigned to MAC ACLs. group OMMAND Privileged Exec XAMPLE Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# ELATED OMMANDS...
  • Page 821: Arp Acls

    | Access Control Lists HAPTER ARP ACLs ARP ACL The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 822: Permit, Deny (Arp Acl)

    | Access Control Lists HAPTER ARP ACLs permit, deny (ARP This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no ACL) form to remove a rule. YNTAX [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 823: Show Arp Access-List

    | Access Control Lists HAPTER ARP ACLs XAMPLE This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# ELATED OMMANDS access-list arp (819) show arp access-list This command displays the rules for configured ARP ACLs.
  • Page 824: Acl Information

    | Access Control Lists HAPTER ACL Information ACL I NFORMATION This section describes commands used to display ACL information. Table 84: ACL Information Commands Command Function Mode show access-group Shows the ACLs assigned to each port show access-list Show all ACLs and associated rules show access-group This command shows the port assignments of ACLs.
  • Page 825: Interface Commands

    INTERFACE COMMANDS: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 85: Interface Commands. Command / Function / Mode: Interface Configuration: interface - Configures an interface type and enters interface configuration mode; alias - Configures an alias name for the interface...
  • Page 826: Interface

    CHAPTER | Interface Commands. interface: This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.
  • Page 827: Capabilities

    CHAPTER | Interface Commands. COMMAND USAGE: The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface. EXAMPLE: The following example adds an alias to port 4.
  • Page 828: Description

    CHAPTER | Interface Commands. 10GBASE connections are fixed at 10G, full duplex. When auto-negotiation is enabled, the only attributes which can be advertised include flow control and symmetric pause frames. EXAMPLE: The following example configures Ethernet port 5 capabilities to include 100half and 100full.
  • Page 829: Flowcontrol

    CHAPTER | Interface Commands. flowcontrol: This command enables flow control. Use the no form to disable flow control. SYNTAX: [no] flowcontrol. DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 830: Media-Type

    CHAPTER | Interface Commands. media-type: This command forces the port type selected for combination ports 25-26. Use the no form to restore the default mode. SYNTAX: media-type mode; no media-type. mode: copper-forced - Always uses the built-in RJ-45 port. sfp-forced - Always uses the SFP port (even if module not installed).
  • Page 831: Shutdown

    CHAPTER | Interface Commands. When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
  • Page 832: Speed-Duplex

    CHAPTER | Interface Commands. speed-duplex: This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. SYNTAX: speed-duplex {1000full | 100full | 100half | 10full | 10half}; no speed-duplex. 1000full - Forces 1 Gbps full-duplex operation. 100full - Forces 100 Mbps full-duplex operation...
  • Page 833: Switchport Packet-Rate

    CHAPTER | Interface Commands. RELATED COMMANDS: negotiation (828), capabilities (825). switchport packet-rate: This command configures broadcast storm control. Use the no form to restore the default setting. SYNTAX: switchport broadcast packet-rate rate; no switchport broadcast. rate - Threshold level as a rate; i.e., packets per second. (Range: 500-262143) DEFAULT SETTING...
  • Page 834: Clear Counters

    CHAPTER | Interface Commands. clear counters: This command clears statistics on an interface. SYNTAX: clear counters interface. interface: ethernet unit/port; unit - Stack unit. (Range: 1) port - Port number. (EC-S4626F: 1-26, EC-S4650F: 1-50) port-channel channel-id (Range: 1-32). DEFAULT SETTING: None. COMMAND MODE: Privileged Exec...
  • Page 835: CHAPTER | Interface Commands. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" on page 136.
  • Page 836: Show Interfaces Status

    CHAPTER | Interface Commands. ===== Port Utilization ===== 35 Octets Input per seconds 0 Packets Input per seconds 0.00 % Input Utilization 56 Octets Output per seconds 0 Packets Output per second 0.00 % Output Utilization Console#. show interfaces status: This command displays the status for an interface. SYNTAX: show interfaces status [interface]...
  • Page 837: Show Interfaces Switchport

    CHAPTER | Interface Commands. : 1518 Current Status: Link Status : Up Port Operation Status : Up Operation Speed-duplex : 100full Flow Control Type : None Console#. show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. SYNTAX: show interfaces switchport [interface]...
  • Page 838: Show Interfaces Transceiver

    CHAPTER | Interface Commands. Console#. Table 86: show interfaces switchport - display description. Field / Description: Broadcast Threshold - Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 831). LACP Status - Shows if Link Aggregation Control Protocol has been enabled or disabled (page 841).
  • Page 839: Test Loop Internal

    CHAPTER | Interface Commands. DEFAULT SETTING: Shows all SFP interfaces. COMMAND MODE: Privileged Exec. COMMAND USAGE: The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices.
  • Page 840: Show Loop Internal

    CHAPTER | Interface Commands. ...makes it possible to check that an interface is working properly without having to make any network connections. EXAMPLE: Console#test loop internal interface ethernet 1/1 Internal loopback test: succeeded Console#. show loop internal: This command shows the results of a loopback test. SYNTAX: show loop internal interface [interface]. interface...
  • Page 841: Link Aggregation Commands

    LINK AGGREGATION COMMANDS: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 842: Channel-Group

    CHAPTER | Link Aggregation Commands. Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. All the ports in a trunk have to be treated as a whole when moved from/to, added to or deleted from a VLAN via the specified port-channel. STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
  • Page 843: Lacp

    CHAPTER | Link Aggregation Commands. EXAMPLE: The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)#. lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. SYNTAX: [no] lacp. DEFAULT...
  • Page 844: Lacp Admin-Key (Ethernet Interface)

    CHAPTER | Link Aggregation Commands. Mac Address : 12-34-12-34-12-3F Configuration: Name Port Admin : Up Speed-duplex : Auto Capabilities : 10half, 10full, 100half, 100full, 1000full Flow Control : Disabled Port Security : Disabled Max MAC Count Current status: Created By : LACP Link Status : Up...
  • Page 845: Lacp Port-Priority

    CHAPTER | Link Aggregation Commands. EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor admin-key 120 Console(config-if)#. lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} port-priority priority; no lacp {actor | partner} port-priority. actor - The local side of an aggregate link.
  • Page 846: Lacp System-Priority

    CHAPTER | Link Aggregation Commands. lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} system-priority priority; no lacp {actor | partner} system-priority. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 847: Show Lacp

    CHAPTER | Link Aggregation Commands. DEFAULT SETTING. COMMAND MODE: Interface Configuration (Port Channel). COMMAND USAGE: Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 848: Table 88: Show Lacp Counters - Display Description

    CHAPTER | Link Aggregation Commands. EXAMPLE: Console#show lacp 1 counters Port Channel: 1 ------------------------------------------------------------------------- Eth 1/ 2 ------------------------------------------------------------------------- LACPDUs Sent : 12 LACPDUs Received Marker Sent Marker Received LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0. Table 88: show lacp counters - display description. Field / Description: LACPDUs Sent...
  • Page 849: Table 90: Show Lacp Neighbors - Display Description

    CHAPTER | Link Aggregation Commands. Table 89: show lacp internal - display description (Continued). Field / Description: LACP Port Priority - LACP port priority assigned to this interface within the channel group. Admin State, Oper State - Administrative or operational values of the actor's state parameters: Expired -...
  • Page 850: Table 91: Show Lacp Sysid - Display Description

    CHAPTER | Link Aggregation Commands. Table 90: show lacp neighbors - display description (Continued). Field / Description: Port Admin Priority - Current administrative value of the port priority for the protocol partner. Port Oper Priority - Priority value assigned to this aggregation port by the partner. Admin Key - Current administrative value of the Key for the protocol partner.
  • Page 851: Port Mirroring Commands

    PORT MIRRORING COMMANDS: Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 852: Show Port Monitor

    CHAPTER | Port Mirroring Commands, Local Port Mirroring Commands. When enabled for an interface, default mirroring is for both received and transmitted packets. COMMAND MODE: Interface Configuration (Ethernet, destination port). COMMAND USAGE: You can mirror traffic from any source port to a destination port for real-time analysis.
  • Page 853: CHAPTER | Port Mirroring Commands, Local Port Mirroring Commands. COMMAND USAGE: This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). EXAMPLE: The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end...
  • Page 855: Rate Limit Commands

    RATE LIMIT COMMANDS: This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 856: CHAPTER | Rate Limit Commands. ...500 pps limit set by the storm control command. It is therefore not advisable to use both of these commands on the same interface. Rate limits are not supported for the 10 Gigabit Ethernet ports. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 64...
  • Page 857: Address Table Commands

    ADDRESS TABLE COMMANDS: These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 95: Address Table Commands. Command / Function / Mode: mac-address-table aging-time - Sets the aging time of the address table; mac-address-table static - Maps a static address to a port in a VLAN; mac-address-table...
  • Page 858: Mac-Address-Table Static

    CHAPTER | Address Table Commands. EXAMPLE: Console(config)#mac-address-table aging-time 100 Console(config)#. mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. SYNTAX: mac-address-table static mac-address interface interface vlan vlan-id [action]; no mac-address-table static mac-address vlan vlan-id. mac-address - MAC address.
  • Page 859: Clear Mac-Address-Table Dynamic

    CHAPTER | Address Table Commands. EXAMPLE: Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)#. clear mac-address-table dynamic: This command removes any learned entries from the forwarding database. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#clear mac-address-table dynamic Console#. show mac-address-table: This command shows classes of entries in the bridge-forwarding database.
  • Page 860: Show Mac-Address-Table Aging-Time

    CHAPTER | Address Table Commands. Learn - Dynamic address entries. Config - Static entry. The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit "0"...
  • Page 861: CHAPTER | Address Table Commands. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show mac-address-table count Compute the number of MAC Address... Maximum number of MAC Address which can be created in the system: Total Number of MAC Address : 16384 Number of Static MAC Address : 1024 Current number of entries which have been created in the system:...
  • Page 863: Spanning Tree Commands

    PANNING OMMANDS This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 96: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree forward-time Configures the spanning tree bridge forward time spanning-tree hello-time...
  • Page 864: Spanning-Tree

    | Spanning Tree Commands HAPTER Table 96: Spanning Tree Commands (Continued) Command Function Mode spanning-tree port-priority Configures the spanning tree priority of an interface spanning-tree root-guard Prevents a designated port from passing superior BPDUs spanning-tree spanning- Disables spanning tree for an interface disabled spanning-tree loopback- Manually releases a port placed in discarding state by...
  • Page 865: Spanning-Tree Forward-Time

    | Spanning Tree Commands HAPTER spanning-tree This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. forward-time YNTAX spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 866: Spanning-Tree Max-Age

    Example: Console(config)#spanning-tree hello-time 5 Console(config)#. Related Commands: spanning-tree forward-time (863), spanning-tree max-age (864). spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax: spanning-tree max-age seconds / no spanning-tree max-age...
  • Page 867: Spanning-Tree Mode

    spanning-tree mode: This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax: spanning-tree mode {stp | rstp | mstp} / no spanning-tree mode. stp - Spanning Tree Protocol (IEEE 802.1D); rstp - Rapid Spanning Tree Protocol (IEEE 802.1w); mstp - Multiple Spanning Tree (IEEE 802.1s). Default...
  • Page 868: Spanning-Tree Pathcost Method

    ...restarts the system in the new mode, temporarily disrupting user traffic. Example: The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)#. spanning-tree pathcost method: This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree.
  • Page 869: Spanning-Tree Priority

    spanning-tree priority: This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax: spanning-tree priority priority / no spanning-tree priority. priority - Priority of the bridge. (Range: 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440) Default...
  • Page 870: Spanning-Tree Transmission-Limit

    ...revision (871), max-hops (868). spanning-tree transmission-limit: This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax: spanning-tree transmission-limit count / no spanning-tree transmission-limit. count - The transmission limit in seconds. (Range: 1-10) Default Setting: ... Command Mode: ...
  • Page 871: Mst Priority

    Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example: Console(config-mstp)#max-hops 30 Console(config-mstp)#. mst priority: This command configures the priority of a spanning tree instance. Use the no form to restore the default.
  • Page 872: Mst Vlan

    mst vlan: This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters removes all VLANs. Syntax: [no] mst instance-id vlan vlan-range. instance-id - Instance identifier of the spanning tree.
  • Page 873: Revision

    Command Mode: MST Configuration. Command Usage: The MST region name and revision number (page 871) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
  • Page 874: Spanning-Tree Bpdu-Filter

    spanning-tree bpdu-filter: This command filters all BPDUs received on an edge port. Use the no form to disable this feature. Syntax: [no] spanning-tree bpdu-filter. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: This command filters all Bridge Protocol Data Units (BPDUs) received on an interface to save CPU processing time.
  • Page 875: Spanning-Tree Cost

    Command Usage: An edge port should only be connected to end nodes which do not generate BPDUs. If a BPDU is received on an edge port, this indicates an invalid network configuration, or that the switch may be under attack by a hacker.
  • Page 876: Spanning-Tree Edge-Port

    Default Setting: By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 877: Spanning-Tree Link-Type

    Command Usage: You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
  • Page 878: Spanning-Tree Loopback-Detection

    Example: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point. spanning-tree loopback-detection: This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature. Syntax: [no] spanning-tree loopback-detection. Default Setting: Enabled...
  • Page 879: Spanning-Tree Loopback-Detection Trap

    Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: The port receives any other BPDU except for its own, or;...
  • Page 880: Spanning-Tree Mst Cost

    spanning-tree mst cost: This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode. Syntax: spanning-tree mst instance-id cost cost / no spanning-tree mst instance-id cost. instance-id - Instance identifier of the spanning tree.
  • Page 881: Spanning-Tree Mst Port-Priority

    spanning-tree mst port-priority: This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax: spanning-tree mst instance-id port-priority priority / no spanning-tree mst instance-id port-priority. instance-id - Instance identifier of the spanning tree.
  • Page 882: Spanning-Tree Root-Guard

    Command Usage: This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 883: Spanning-Tree Spanning-Disabled

    Example: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree root-guard Console(config-if)#. spanning-tree spanning-disabled: This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
  • Page 884: Spanning-Tree Protocol-Migration

    Example: Console#spanning-tree loopback-detection release ethernet 1/1 Console#. spanning-tree protocol-migration: This command re-checks the appropriate BPDU format to send on the selected interface. Syntax: spanning-tree protocol-migration interface. interface: ethernet unit/port; unit - Stack unit. (Range: 1); port - Port number.
  • Page 885: Show Spanning-Tree

    show spanning-tree: This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax: show spanning-tree [interface | mst instance-id]. interface: ethernet unit/port; unit - Stack unit. (Range: 1); port - Port number.
  • Page 886: Show Spanning-Tree Mst Configuration

    Root Forward Delay (sec.) : 15 Max. Hops : 20 Remaining Hops : 20 Designated Root : 32768.0.0001ECF8D8C6 Current Root Port : 21 Current Root Cost : 100000 Number of Topology Changes Last Topology Change Time (sec.): 11409 Transmission Limit Path Cost Method : Long...
  • Page 887: Vlan Commands

    VLAN Commands. A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 888: Gvrp And Bridge Extension Commands

    GVRP and Bridge Extension Commands. GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 889: Garp Timer

    garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax: garp timer {join | leave | leaveall} timer-value / no garp timer {join | leave | leaveall}. {join | leave | leaveall} - Timer to set.
  • Page 890: Switchport Forbidden Vlan

    switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax: switchport forbidden vlan {add vlan-list | remove vlan-list} / no switchport forbidden vlan. add vlan-list - List of VLAN identifiers to add.
  • Page 891: Show Bridge-Ext

    Example: Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)#. show bridge-ext: This command shows the configuration for bridge extension commands. Default Setting: None. Command Mode: Privileged Exec. Command Usage: See "Displaying Bridge Extension Capabilities" on page 109 for a description of the displayed items.
  • Page 892: Show Gvrp Configuration

    Editing VLAN Groups. Example: Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP Timer Status: Join Timer : 20 centiseconds Leave Timer : 60 centiseconds Leave All Timer : 1000 centiseconds Console#. Related Commands: garp timer (887). show gvrp configuration: This command shows if GVRP is enabled.
  • Page 893: Vlan Database

    vlan database: This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting: None. Command Mode: Global Configuration. Command Usage: Use the VLAN database command mode to add, change, and delete VLANs.
  • Page 894: Configuring Vlan Interfaces

    Configuring VLAN Interfaces. Default Setting: By default only VLAN 1 exists and is active. Command Mode: VLAN Database Configuration. Command Usage: no vlan vlan-id deletes the VLAN. no vlan vlan-id name removes the VLAN name. no vlan vlan-id state returns the VLAN to the default state (i.e., active).
  • Page 895: Interface Vlan

    interface vlan: This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Use the no form to change a Layer 3 normal VLAN back to a Layer 2 interface. Syntax: [no] interface vlan vlan-id. vlan-id - ID of the configured VLAN.
  • Page 896: Switchport Allowed Vlan

    Default Setting: All frame types. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example: The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1...
  • Page 897: Switchport Ingress-Filtering

    Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress. If neither the intermediate network devices nor the host at the other end of the connection supports VLANs, the interface should be added to these VLANs as an untagged member.
  • Page 898: Switchport Mode

    Example: The following example shows how to set the interface to port 1 and then enable ingress filtering: Console(config)#interface ethernet 1/1 Console(config-if)#switchport ingress-filtering Console(config-if)#. switchport mode: This command configures the VLAN membership mode for a port. Use the no form to restore the default.
  • Page 899: Switchport Native Vlan

    switchport native vlan: This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax: switchport native vlan vlan-id / no switchport native vlan. vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes) Default Setting:...
  • Page 900: Command Usage: Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong. The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
  • Page 901: Displaying Vlan Information

    Console(config-if)#vlan-trunking Console(config-if)#. Displaying VLAN Information. This section describes commands used to display VLAN information. Table 103: Commands for Displaying VLAN Information (Command - Function - Mode): show interfaces status vlan - Displays status for the specified VLAN interface - NE, PE; ... - NE, PE...
  • Page 902: Configuring Ieee 802.1Q Tunneling

    Configuring IEEE 802.1Q Tunneling. IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 903: Dot1Q-Tunnel System-Tunnel-Control

    Limitations for QinQ: The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types. IGMP Snooping should not be enabled on a tunnel access port.
  • Page 904: Switchport Dot1Q-Tunnel Tpid

    Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: QinQ tunneling must be enabled on the switch using the dot1q-tunnel system-tunnel-control command before the switchport dot1q-tunnel mode interface command can take effect. When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the...
  • Page 905: Show Dot1Q-Tunnel

    Command Usage: Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
  • Page 906: Configuring Port-Based Traffic Segmentation

    Configuring Port-based Traffic Segmentation. If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 907: Show Traffic-Segmentation

    Configuring Private VLANs. Enter no traffic-segmentation to disable traffic segmentation and clear the configuration settings for segmented groups. Example: This example enables traffic segmentation, and then sets port 12 as the uplink and ports 5-8 as downlinks. Console(config)#traffic-segmentation Console(config)#traffic-segmentation uplink ethernet 1/12 downlink ethernet 1/5-8...
  • Page 908: Table 106: Private Vlan Commands

    Table 106: Private VLAN Commands (Command - Function - Mode). Edit Private VLAN Groups: private-vlan - Adds or deletes primary or community VLANs; private vlan association - Associates a community VLAN with a primary VLAN. Configure Private VLAN Interfaces: switchport mode private-vlan - Sets an interface to host mode or promiscuous mode...
  • Page 909: Private-Vlan

    private-vlan: Use this command to create a primary or community private VLAN. Use the no form to remove the specified private VLAN. Syntax: private-vlan vlan-id {community | primary} / no private-vlan vlan-id. vlan-id - ID of private VLAN. (Range: 1-4093, no leading zeroes). community - A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN.
  • Page 910: Private Vlan Association

    private vlan association: Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax: private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} / no private-vlan primary-vlan-id association. primary-vlan-id - ID of primary VLAN.
  • Page 911: Switchport Private-Vlan Host-Association

    Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command.
  • Page 912: Switchport Private-Vlan Mapping

    switchport private-vlan mapping: Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. Syntax: switchport private-vlan mapping primary-vlan-id / no switchport private-vlan mapping. primary-vlan-id - ID of primary VLAN. (Range: 1-4093, no leading zeroes).
  • Page 913: Configuring Protocol-Based Vlans

    Example: Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 Console#. Configuring Protocol-based VLANs. The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
  • Page 914: Protocol-Vlan Protocol-Group (Configuring Groups)

    protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax: protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] / no protocol-vlan protocol-group group-id. group-id - Group identifier of this protocol group.
  • Page 915: Show Protocol-Vlan Protocol-Group

    Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 916: Show Interfaces Protocol-Vlan Protocol-Group

    Example: This shows protocol group 1 configured for IP over Ethernet: Console#show protocol-vlan protocol-group Protocol Group ID Frame Type Protocol Type ------------------ ------------- --------------- ethernet 08 00 Console#. show interfaces protocol-vlan protocol-group: This command shows the mapping from protocol groups to VLANs for the selected interfaces.
  • Page 917: Configuring Ip Subnet Vlans

    Configuring IP Subnet VLANs. When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
  • Page 918: Show Subnet-Vlan

    ...mapping is found, the PVID of the receiving port is assigned to the frame. The IP subnet cannot be a broadcast or multicast IP address. When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
  • Page 919: Configuring Mac Based Vlans

    Configuring MAC-Based VLANs. When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table.
  • Page 920: Show Mac-Vlan

    Configuring Voice VLANs. When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. Example: The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10. Console(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10 Console(config)#. show mac-vlan...
  • Page 921: Voice Vlan

    Table 110: Voice VLAN Commands (Continued) (Command - Function - Mode): switchport voice vlan rule - Sets the automatic VoIP traffic detection method for ports; switchport voice vlan security - Enables Voice VLAN security on ports; show voice vlan - Displays Voice VLAN settings. voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN...
  • Page 922: Voice Vlan Aging

    voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default. Syntax: voice vlan aging minutes / no voice vlan. minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) Default Setting:...
  • Page 923: Switchport Voice Vlan

    Command Usage: VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
  • Page 924: Switchport Voice Vlan Priority

    Example: The following example sets port 1 to Voice VLAN auto mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan auto Console(config-if)#. switchport voice vlan priority: This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
  • Page 925: Switchport Voice Vlan Security

    Default Setting: OUI: Enabled; LLDP: Disabled. Command Mode: Interface Configuration. Command Usage: When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command).
  • Page 926: Show Voice Vlan

    Example: The following example enables security filtering on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan security Console(config-if)#. show voice vlan: This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
  • Page 927: Class Of Service Commands

    Class of Service Commands. The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 928: Queue Cos-Map

    Priority Commands (Layer 2). queue cos-map: This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 7). Use the no form to set the CoS map to the default values.
  • Page 929: Queue Mode

    Related Commands: show queue cos-map (930). queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
  • Page 930: Queue Weight

    A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
  • Page 931: Switchport Priority Default

    Example: The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7. Console(config)#interface ge1/1 Console(config-if)#queue weight 1 2 3 4 5 6 7 8 Console(config-if)#. Related Commands:...
  • Page 932: Show Queue Cos-Map

    Example: The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)#. Related Commands: show interfaces switchport (835). show queue cos-map: This command shows the class of service priority map.
  • Page 933: Show Queue Weight

    Command Mode: Privileged Exec. Example: Console#show queue mode ethernet 1/1 Unit Port queue mode ---- ---- --------------- Weighted Round Robin Console#. show queue weight: This command displays the weights used for the weighted queues. Syntax: show queue weight interface. interface...
  • Page 934: Priority Commands (Layer 3 And 4)

    Priority Commands (Layer 3 and 4). This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 114: Priority Commands (Layer 3 and 4) (Command - Function - Mode)...
  • Page 935: Map Ip Port (Global Configuration)

    map ip port (Global Configuration): This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. Syntax: [no] map ip port. Default...
  • Page 936: Map Ip Dscp (Interface Configuration)

    Example: The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)#. map ip dscp: This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority).
  • Page 937: Map Ip Port (Interface Configuration)

    Example: The following example shows how to map IP DSCP value 1 to CoS value 0: Console(config)#interface ethernet 1/5 Console(config-if)#map ip dscp 1 cos 0 Console(config-if)#. map ip port (Interface Configuration): This command sets IP port priority (i.e., TCP/UDP port priority).
  • Page 938: Map Ip Precedence (Interface Configuration)

    map ip precedence (Interface Configuration): This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax: map ip precedence ip-precedence-value cos cos-value / no map ip precedence. ip-precedence-value - 3-bit precedence value.
  • Page 939: Show Map Ip Dscp

    show map ip dscp: This command shows the IP DSCP priority map. Syntax: show map ip dscp [interface]. interface: ethernet unit/port; unit - Stack unit. (Range: 1); port - Port number. (Range: 1-26/50); port-channel channel-id (Range: 1-32). Default Setting:...
  • Page 940: Show Map Ip Precedence

    Example: The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port IP Port --------- -------- --- Eth 1/ 5 Console#. show map ip...
  • Page 941: Quality Of Service Commands

    Quality of Service Commands. The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 942: Class-Map

    To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. Use the match command to select a specific type of traffic based on an...
  • Page 943: Description

    One or more class maps can be assigned to a policy map (page 943). The policy map is then bound by a service policy to an interface (page 953). A service policy defines packet classification, service tagging, and bandwidth policing.
  • Page 944: Match

    match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax: [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan}. acl-name - Name of the access control list.
  • Page 945: Rename

    This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5. Console(config)#class-map rd-class#2 match-any Console(config-cmap)#match ip precedence 5 Console(config-cmap)#. This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
  • Page 946: Class

    Command Usage: Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. A policy map can contain multiple class statements that can be applied to the same interface with the service-policy...
  • Page 947: Police Flow

    Chapter | Quality of Service Commands. The set cos command sets the class of service value in matching packets. (This modifies packet priority in the VLAN tag.) The police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic. Up to 16 classes can be included in a policy map.
  • Page 948: Chapter | Quality of Service Commands. Default Setting: None. Command Mode: Policy Map Class Configuration. Command Usage: You can configure up to 16 policers (i.e., class maps) for ingress ports. The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes. Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate tokens are added to the...
  • Page 949: Police Srtcm-Color

    Chapter | Quality of Service Commands. police srtcm-color: This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer. Syntax: [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate-action {drop | new-dscp}...
  • Page 950: Chapter | Quality of Service Commands. The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters: Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE). The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
  • Page 951: Police Trtcm-Color

    Chapter | Quality of Service Commands. Example: This example creates a policy called "rd-policy," uses the class command to specify the previously defined "rd-class," uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst...
  • Page 952: Chapter | Quality of Service Commands. violate-action - Action to take when the rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, so the packet is marked red.) transmit - Transmits without taking any action. drop - Drops the packet as required by exceed-action or violate-action.
  • Page 953: Set Cos

    Chapter | Quality of Service Commands. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode: If Tp(t)-B < 0, the packet is red; else if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B; else the packet is green and both Tp and Tc are decremented by B.
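    The color-blind trTCM marking rule above, as an added example that is not part of the manual and not the switch's own implementation: a two-bucket meter in Python (RFC 2698), with bucket C filled at CIR up to CBS and bucket P filled at PIR up to PBS. The rates, burst sizes and packet arrival times are constructed sample values, and the mapping of colors onto the conform/exceed/violate action names used by the police command syntax is the example's own assumption.

```python
# Added example (not from the manual): RFC 2698 two rate three color
# meter (trTCM) in color-blind mode, as described on this page.
# Bucket C (Tc) is filled at CIR up to CBS; bucket P (Tp) is filled at
# PIR up to PBS. A packet of size B arriving at time t is marked:
#   red    if Tp(t) - B < 0
#   yellow if Tc(t) - B < 0          (Tp -= B)
#   green  otherwise                 (Tp -= B and Tc -= B)
from dataclasses import dataclass, field
from typing import List, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class TrTCM:
    cir: float  # committed information rate, bytes per second
    cbs: int    # committed burst size, bytes (depth of bucket C)
    pir: float  # peak information rate, bytes per second
    pbs: int    # peak burst size, bytes (depth of bucket P)
    tc: float = field(init=False)
    tp: float = field(init=False)
    last_t: float = field(init=False)

    def __post_init__(self) -> None:
        if self.pir < self.cir:
            raise ValueError("trTCM requires PIR >= CIR")
        # Both buckets start full, as RFC 2698 specifies
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)
        self.last_t = 0.0

    def _refill(self, t: float) -> None:
        """Add tokens for the time elapsed since the previous packet."""
        elapsed = t - self.last_t
        if elapsed < 0:
            raise ValueError("packet timestamps must not go backwards")
        self.tc = min(float(self.cbs), self.tc + self.cir * elapsed)
        self.tp = min(float(self.pbs), self.tp + self.pir * elapsed)
        self.last_t = t

    def meter(self, size: int, t: float) -> str:
        """Color-blind marking of one packet of `size` bytes arriving at `t`."""
        self._refill(t)
        if self.tp - size < 0:
            return RED                  # exceeds PIR: not enough tokens in P
        if self.tc - size < 0:
            self.tp -= size             # exceeds CIR but within PIR
            return YELLOW
        self.tp -= size                 # conforming: charge both buckets
        self.tc -= size
        return GREEN


# Action names follow the police command syntax on this page; the
# color-to-action mapping itself is the example's assumption.
ACTIONS = {GREEN: "conform-action", YELLOW: "exceed-action", RED: "violate-action"}


def police(meter: TrTCM, packets: List[Tuple[float, int]]) -> List[Tuple[str, str]]:
    """Meter (time, size) packets in arrival order; return (color, action) per packet."""
    out = []
    for t, size in packets:
        color = meter.meter(size, t)
        out.append((color, ACTIONS[color]))
    return out


if __name__ == "__main__":
    # Constructed sample: CIR 1000 B/s, CBS 3000 B, PIR 2000 B/s, PBS 5000 B
    m = TrTCM(cir=1000, cbs=3000, pir=2000, pbs=5000)
    burst = [(0.0, 2000), (0.0, 2000), (0.0, 2000), (1.0, 2000), (1.0, 500), (1.0, 600)]
    for (t, size), (color, action) in zip(burst, police(m, burst)):
        print(f"t={t:.1f}s {size:5d} B -> {color:6s} ({action})")
```

The sample burst empties bucket C first (yellow) and then bucket P (red); after one second of refill the same sequence repeats at the smaller sizes, which shows why a policer's burst sizes, not only its rates, decide how much of a traffic spike reaches the interface.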
  • Page 954: Set Phb

    Chapter | Quality of Service Commands. Command Usage: The set cos command is used to set the CoS value in the VLAN tag for matching packets. The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
  • Page 955: Service-Policy

    Chapter | Quality of Service Commands. Example: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 956: Show Class-Map

    Chapter | Quality of Service Commands. show class-map: This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax: show class-map [class-map-name]. class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting: Displays all class maps. Command Mode: Privileged Exec. Example:...
  • Page 957: Show Policy-Map Interface

    Chapter | Quality of Service Commands. Description: class rd-class set phb 3 Console#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set phb 3 Console# show policy-map interface: This command displays the service policy assigned to the specified interface. Syntax: show policy-map interface interface input interface...
  • Page 959: Multicast Filtering Commands

    Multicast Filtering Commands. This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 960: Igmp Snooping

    Chapter | Multicast Filtering Commands | IGMP Snooping. This section describes commands used to configure IGMP snooping on the switch. Table 119: IGMP Snooping Commands (Command - Function - Mode): ip igmp snooping - Enables IGMP snooping; ip igmp snooping proxy-reporting - Enables IGMP Snooping with Proxy Reporting; ip igmp snooping querier...
  • Page 961: Ip Igmp Snooping

    Chapter | Multicast Filtering Commands | IGMP Snooping. Table 119: IGMP Snooping Commands (Continued) (Command - Function - Mode): ip igmp snooping vlan version - Configures the IGMP version for snooping; ip igmp snooping vlan version-exclusive - Discards received IGMP messages which use a version different to that currently configured - GC; show ip igmp snooping - Shows the IGMP snooping, proxy, and query...
  • Page 962: Ip Igmp Snooping Proxy-Reporting

    Chapter | Multicast Filtering Commands | IGMP Snooping. ip igmp snooping proxy-reporting: This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting. Syntax: [no] ip igmp snooping proxy-reporting; ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}; no ip igmp snooping vlan vlan-id proxy-reporting. vlan-id - VLAN ID (Range: 1-4093). enable - Enable on the specified VLAN.
  • Page 963: Ip Igmp Snooping Router-Alert-Option-Check

    Chapter | Multicast Filtering Commands | IGMP Snooping. Command Mode: Global Configuration. Command Usage: IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version). If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example: Console(config)#ip igmp snooping querier Console(config)#...
  • Page 964: Ip Igmp Snooping Router-Port-Expire-Time

    Chapter | Multicast Filtering Commands | IGMP Snooping. ip igmp snooping router-port-expire-time: This command configures the querier timeout. Use the no form to restore the default. Syntax: ip igmp snooping router-port-expire-time seconds; no ip igmp snooping router-port-expire-time. seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
  • Page 965: Ip Igmp Snooping Tcn-Query-Solicit

    Chapter | Multicast Filtering Commands | IGMP Snooping. If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels. When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out through the new uplink port.
  • Page 966: Ip Igmp Snooping Unregistered-Data-Flood

    Chapter | Multicast Filtering Commands | IGMP Snooping. ...tree change occurred. When an upstream multicast router receives this solicitation, it also immediately issues an IGMP general query. The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever the switch notices a topology change, even if the switch is not the root bridge in the spanning tree.
  • Page 967: Ip Igmp Snooping Unsolicited-Report-Interval

    Chapter | Multicast Filtering Commands | IGMP Snooping. ip igmp snooping unsolicited-report-interval: This command specifies how often the upstream interface should transmit unsolicited IGMP reports when report suppression/proxy reporting is enabled. Use the no form to restore the default value. Syntax: ip igmp snooping unsolicited-report-interval seconds; no ip igmp snooping version-exclusive...
  • Page 968: Ip Igmp Snooping Version-Exclusive

    Chapter | Multicast Filtering Commands | IGMP Snooping. Command Mode: Global Configuration. Command Usage: This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
  • Page 969: Ip Igmp Snooping Vlan General-Query-Suppression

    Chapter | Multicast Filtering Commands | IGMP Snooping. ip igmp snooping vlan general-query-suppression: This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port. Syntax: [no] ip igmp snooping vlan vlan-id general-query-suppression...
  • Page 970: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    Chapter | Multicast Filtering Commands | IGMP Snooping. (The timeout for this release is currently defined by ip igmp snooping vlan last-memb-query-intvl and ip igmp robustval.) If immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
  • Page 971: Ip Igmp Snooping Vlan Last-Memb-Query-Intvl

    Chapter | Multicast Filtering Commands | IGMP Snooping. ip igmp snooping vlan last-memb-query-intvl: This command configures the last-member-query interval. Use the no form to restore the default. Syntax: ip igmp snooping vlan vlan-id last-memb-query-intvl interval; no ip igmp snooping vlan vlan-id last-memb-query-intvl. vlan-id - VLAN ID (Range: 1-4093). interval - The interval to wait for a response to a group-specific or group-and-source-specific query message.
  • Page 972: Ip Igmp Snooping Vlan Proxy-Address

    Chapter | Multicast Filtering Commands | IGMP Snooping. Command Mode: Global Configuration. Command Usage: Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
  • Page 973: Ip Igmp Snooping Vlan Query-Interval

    Chapter | Multicast Filtering Commands | IGMP Snooping. Command Mode: Global Configuration. Command Usage: IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 974: Ip Igmp Snooping Vlan Query-Resp-Intvl

    Chapter | Multicast Filtering Commands | IGMP Snooping. This command applies when the switch is serving as the querier (page 960), or as a proxy host when IGMP snooping proxy reporting is enabled (page 960). Example: Console(config)#ip igmp snooping vlan 1 query-interval 150 Console(config)# ip igmp snooping vlan query-resp-intvl: This command configures the maximum time the system waits for a...
  • Page 975: Ip Igmp Snooping Vlan Static

    Chapter | Multicast Filtering Commands | IGMP Snooping. ip igmp snooping vlan static: This command adds a port to a multicast group. Use the no form to remove the port. Syntax: [no] ip igmp snooping vlan vlan-id static ip-address interface. vlan-id - VLAN ID (Range: 1-4093). ip-address - IP address for multicast group. interface: ethernet unit/port...
  • Page 976: Show Ip Igmp Snooping Group

    Chapter | Multicast Filtering Commands | IGMP Snooping. Example: The following shows the current IGMP snooping configuration: Console#show ip igmp snooping IGMP snooping : Enabled Router port expire time : 300 s Router alert check : Disabled Tcn flood : Disabled Tcn query solicit : Disabled Unregistered data flood...
  • Page 977: Show Mac-Address-Table Multicast

    Chapter | Multicast Filtering Commands | IGMP Snooping. Command Usage: Member types displayed include IGMP or USER, depending on selected options. Example: The following shows the multicast entries learned through IGMP snooping for VLAN 1. Console#show ip igmp snooping group vlan 1 VLAN Group Source...
  • Page 978: Static Multicast Routing

    Chapter | Multicast Filtering Commands | Static Multicast Routing. This section describes commands used to configure static multicast routing on the switch. Table 120: Static Multicast Interface Commands (Command - Function - Mode): ip igmp snooping vlan mrouter - Adds a multicast router port; show ip igmp snooping mrouter - Shows multicast router ports...
  • Page 979: Igmp Filtering And Throttling

    Chapter | Multicast Filtering Commands | IGMP Filtering and Throttling. show ip igmp snooping mrouter: This command displays information on statically configured and dynamically learned multicast router ports. Syntax: show ip igmp snooping mrouter [vlan vlan-id]. vlan-id - VLAN ID (Range: 1-4093). Default Setting: Displays multicast router ports for all configured VLANs.
  • Page 980: Ip Igmp Filter (Global Configuration)

    Chapter | Multicast Filtering Commands | IGMP Filtering and Throttling. Table 121: IGMP Filtering and Throttling Commands (Continued) (Command - Function - Mode): ip igmp max-groups action - Sets the IGMP throttling action for an interface; show ip igmp filter - Displays the IGMP filtering status; show ip igmp profile - Displays IGMP profiles and settings; show ip igmp throttle...
  • Page 981: Ip Igmp Profile

    Chapter | Multicast Filtering Commands | IGMP Filtering and Throttling. ip igmp profile: This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax: [no] ip igmp profile profile-number. profile-number - An IGMP filter profile number.
  • Page 982: Range

    Chapter | Multicast Filtering Commands | IGMP Filtering and Throttling. Example: Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)# range: This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax: [no] range low-ip-address [high-ip-address]. low-ip-address - A valid IP address of a multicast group or start of a group range.
  • Page 983: Ip Igmp Max-Groups

    Chapter | Multicast Filtering Commands | IGMP Filtering and Throttling. Command Usage: The IGMP filtering profile must first be created with the ip igmp profile command before it can be assigned to an interface. Only one profile can be assigned to an interface. A profile can also be assigned to a trunk interface.
  • Page 984: Ip Igmp Max-Groups Action

    Chapter | Multicast Filtering Commands | IGMP Filtering and Throttling. ip igmp max-groups action: This command sets the IGMP throttling action for an interface on the switch. Syntax: ip igmp max-groups action {replace | deny}. replace - The new multicast group replaces an existing group. deny - The new multicast group join report is dropped.
  • Page 985: Show Ip Igmp Profile

    Chapter | Multicast Filtering Commands | IGMP Filtering and Throttling. Example: Console#show ip igmp filter IGMP filter enabled Console#show ip igmp filter interface ethernet 1/1 Ethernet 1/1 information --------------------------------- IGMP Profile 19 Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile: This command displays IGMP filtering profiles created on the switch.
  • Page 986: Multicast Vlan Registration

    Chapter | Multicast Filtering Commands | Multicast VLAN Registration. Default Setting: None. Command Mode: Privileged Exec. Command Usage: Using this command without specifying an interface displays all interfaces. Example: Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console#...
  • Page 987: Mvr

    Chapter | Multicast Filtering Commands | Multicast VLAN Registration. This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 988: Mvr Immediate-Leave

    Chapter | Multicast Filtering Commands | Multicast VLAN Registration. IGMP snooping and MVR share a maximum number of 255 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated VLAN. Example: The following example enables MVR globally, and configures a range of MVR group addresses: Console(config)#mvr Console(config)#mvr group 228.1.23.1 10...
  • Page 989: Mvr Type

    Chapter | Multicast Filtering Commands | Multicast VLAN Registration. mvr type: This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. Syntax: [no] mvr type {receiver | source}. receiver - Configures the interface as a subscriber port that can receive multicast data.
  • Page 990: Mvr Vlan Group

    Chapter | Multicast Filtering Commands | Multicast VLAN Registration. mvr vlan group: This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings. Syntax: [no] mvr vlan vlan-id group ip-address. vlan-id - Receiver VLAN to which the specified multicast traffic is...
  • Page 991: Show Mvr

    Chapter | Multicast Filtering Commands | Multicast VLAN Registration. show mvr: This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
  • Page 992: Table 124: Show Mvr Interface - Display Description

    Chapter | Multicast Filtering Commands | Multicast VLAN Registration. Table 123: show mvr - display description (Continued) (Field - Description): MVR Group Address - A multicast service sent to all attached subscribers; MVR Group Count - The number of contiguous MVR group addresses. The following displays information about the interfaces attached to the MVR VLAN: Console#show mvr interface Port...
  • Page 993: Igmp (Layer 3)

    Chapter | Multicast Filtering Commands | IGMP (Layer 3). Table 125: show mvr members - display description (Continued) (Field - Description): Source Address - Indicates the source address of the multicast service, or displays an asterisk if the group address has been statically assigned; VLAN - Indicates the MVR VLAN receiving the multicast service.
  • Page 994: Ip Igmp Last-Member-Query-Interval

    Chapter | Multicast Filtering Commands | IGMP (Layer 3). Command Usage: IGMP (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ip igmp command. When a multicast routing protocol, such as PIM Dense Mode, is enabled, IGMP is also enabled.
  • Page 995: Ip Igmp Max-Resp-Interval

    Chapter | Multicast Filtering Commands | IGMP (Layer 3). Command Usage: When the switch receives an IGMPv2 or IGMPv3 leave message from a host that wants to leave a multicast group, source or channel, it sends a number of group-specific or group-source-specific query messages at intervals defined by this command.
  • Page 996: Ip Igmp Query-Interval

    Chapter | Multicast Filtering Commands | IGMP (Layer 3). Related Commands: ip igmp version (997); ip igmp query-interval (994). ip igmp query-interval: This command configures the frequency at which host query messages are sent. Use the no form to restore the default. Syntax: ip igmp query-interval seconds...
  • Page 997: Ip Igmp Robustval

    Chapter | Multicast Filtering Commands | IGMP (Layer 3). ip igmp robustval: This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value. Syntax: ip igmp robustval robust-value; no ip igmp robustval. robust-value - The robustness of this interface.
  • Page 998: Chapter | Multicast Filtering Commands | IGMP (Layer 3). Default Setting: None. Command Mode: Interface Configuration (VLAN). Command Usage: Group addresses within the entire multicast group address range can be specified with this command. However, if any address within the source-specific multicast (SSM) address range (default 232/8) is specified, but no source address is included in the command, the request to join the multicast group will fail unless the next node up the reverse path tree has statically mapped this group to a specific source...
  • Page 999: Ip Igmp Version

    Chapter | Multicast Filtering Commands | IGMP (Layer 3). ip igmp version: This command configures the IGMP version used on an interface. Use the no form of this command to restore the default. Syntax: ip igmp version {1 | 2 | 3}; no ip igmp version. 1 - IGMP Version 1; 2 - IGMP Version 2...
  • Page 1000: Show Ip Igmp Groups

    Chapter | Multicast Filtering Commands | IGMP (Layer 3). Command Mode: Privileged Exec. Command Usage: Enter the address for a multicast group to delete all entries for the specified group. Enter the interface option to delete all multicast groups for the specified interface. Enter no options to clear all multicast groups from the cache.

This manual is also suitable for:

LGB6050A