Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
Contents Saving or Restoring Configuration Settings 3-20 Downloading Configuration Settings from a Server 3-21 Console Port Settings 3-22 Telnet Settings 3-24 Configuring Event Logging 3-26 Displaying Log Messages 3-26 System Log Configuration 3-27 Remote Log Configuration 3-28 Simple Mail Transfer Protocol 3-29 Resetting the System 3-31...
Contents Configuring Port Security 3-71 Configuring 802.1X Port Authentication 3-72 Displaying 802.1X Global Settings 3-74 Configuring 802.1X Global Settings 3-74 Configuring Port Settings for 802.1X 3-75 Displaying 802.1X Statistics 3-78 Web Authentication 3-79 Configuring Web Authentication 3-80 Configuring Web Authentication for Ports 3-81 Displaying Web Authentication Port Information 3-82...
Contents Displaying Interface Settings 3-131 Configuring Interface Settings 3-134 Configuring Multiple Spanning Trees 3-136 Displaying Interface Settings for MSTP 3-138 Configuring Interface Settings for MSTP 3-140 VLAN Configuration 3-142 IEEE 802.1Q VLANs 3-142 Enabling or Disabling GVRP (Global Setting) 3-145 Displaying Basic VLAN Information 3-146 Displaying Current VLANs...
Contents Mapping IP Precedence Priority 3-189 Mapping IP TOS Priority 3-191 Mapping CoS Values to ACLs 3-193 Quality of Service 3-193 Configuring Quality of Service Parameters 3-194 Configuring a Class Map 3-194 Creating QoS Policies 3-197 Attaching a Policy Map to Ingress Queues 3-200 VoIP Traffic Configuration 3-201...
Contents UPnP Configuration 3-239 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
Contents spanning-tree mst cost 4-214 spanning-tree mst port-priority 4-215 spanning-tree protocol-migration 4-216 show spanning-tree 4-216 show spanning-tree mst configuration 4-218 VLAN Commands 4-219 GVRP and Bridge Extension Commands 4-219 bridge-ext gvrp 4-220 show bridge-ext 4-220 switchport gvrp 4-221 show gvrp configuration 4-221 garp timer 4-222...
Contents Priority Commands (Layer 2) 4-246 queue mode 4-246 switchport priority default 4-247 queue bandwidth 4-248 queue cos-map 4-248 show queue mode 4-249 show queue bandwidth 4-250 show queue cos-map 4-250 Priority Commands (Layer 3 and 4) 4-251 map ip dscp 4-251 map ip port 4-252...
Contents ip igmp snooping leave-proxy 4-276 ip igmp snooping immediate-leave 4-277 show ip igmp snooping 4-277 show mac-address-table multicast 4-278 IGMP Query Commands (Layer 2) 4-279 ip igmp snooping querier 4-279 ip igmp snooping query-count 4-280 ip igmp snooping query-interval 4-280 ip igmp snooping query-max-response-time 4-281...
Contents IP Source Guard Commands 4-308 ip source-guard 4-308 ip source-guard binding 4-310 show ip source-guard 4-311 show ip source-guard binding 4-311 Switch Cluster Commands 4-312 cluster 4-312 cluster commander 4-313 cluster ip-pool 4-313 cluster member 4-314 rcommand 4-314 show cluster 4-315 show cluster members 4-315...
Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-27 Table 3-5 Supported Notification Messages 3-43 Table 3-6 HTTPS System Support 3-64 Table 3-7 802.1X Statistics 3-78 Table 3-8 LACP Port Counters 3-108 Table 3-9...
Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Introduction Table 1-1 Key Features Feature Description Quality of Service Supports Differentiated Services (DiffServ) Multicast Filtering Supports IGMP snooping and query, as well as Multicast VLAN Registration Switch Clustering Supports up to 36 Member switches in a cluster Description of Software Features The switch provides a wide range of advanced performance enhancing features.
Description of Software Features of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard. Rate Limiting – This feature controls the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network.
Introduction Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Description of Software Features or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. Multicast Filtering –...
Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-20). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Rate Limiting Input limits Disabled Port Trunking Static Trunks None LACP (all ports) Disabled Broadcast Storm Status Enabled (all ports) Protection Broadcast Limit Rate 5k octets per second...
Introduction Table 1-2 System Defaults (Continued) Function Parameter Default Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Enabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged Levels 0-6 (all) Messages Logged to Flash Levels 0-3 SMTP Email Alerts Event Handler Enabled (but no server defined) SNTP Clock Synchronization...
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Initial Configuration • Configure up to 5 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
Note: ‘0’ specifies the password in plain text, ‘7’ specifies the password in encrypted form. Username: admin Password: CLI session with the ES3510 is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password]...
Basic Configuration Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
Initial Configuration Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end...
Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
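The two preceding passages make a pair of checks worth automating: the manual notes that a trailing ‘0’ in a username command stores the password in plain text while ‘7’ stores it in encrypted form, and that the default SNMP v1/v2c community strings “public” and “private” should be changed. The following audit script is an added example, not code from the manual or from the switch vendor; it scans a constructed running-config excerpt for both conditions. The `snmp-server community <name> ro|rw` syntax it parses is an assumption (the manual page shown here does not print that command), as is the sample configuration itself.

```python
import re

# Constructed sample running-config excerpt (not from the manual). The
# "snmp-server community" syntax is assumed; "username ... password 0|7"
# follows the form shown in the manual's console session.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community n3tops-ro ro
username guest password 0 guest
username admin password 7 ENCRYPTED_FORM_PLACEHOLDER
ip ssh server
"""

# Default community strings the manual recommends replacing.
DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(ro|rw))?\s*$")
USERNAME_RE = re.compile(r"^username (\S+) password ([07]) (\S+)\s*$")


def audit_config(config_text):
    """Return a list of (line_number, finding, detail) tuples.

    Findings raised:
      default-community  - an SNMP v1/v2c community string still set to a
                           factory default ("public" or "private")
      plaintext-password - a local account whose password is stored with
                           form '0' (plain text) rather than '7' (encrypted)
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()

        m = COMMUNITY_RE.match(line)
        if m:
            name, access = m.group(1), m.group(2) or "ro"
            if name in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community", f"{name} ({access})"))
            continue

        m = USERNAME_RE.match(line)
        if m:
            user, form, _secret = m.groups()
            if form == "0":
                findings.append((lineno, "plaintext-password", user))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}: {detail}")
```

Run against the constructed excerpt, the script flags both default community strings (the read-write “private” one being the more serious) and the guest account whose password was entered with form ‘0’. A saved configuration pulled from the switch with the copy commands described later in the manual can be fed to `audit_config` in the same way.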
Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are: •...
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).
Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page SNMPv3 3-38 Engine ID Sets the SNMP v3 engine ID on this switch 3-38 Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-39 Users Configures SNMP v3 users on this switch 3-39 Remote Users Configures SNMP v3 users from a remote device...
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Configuration Configures the global configuration settings 3-74 Port Configuration Sets parameters for individual ports 3-75 Statistics Displays protocol statistics for the selected port 3-78 Web Authentication 3-79 Configuration Configures Web Authentication settings 3-80 Port Configuration Enables Web Authentication for individual ports...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Rate Limit 3-116 Input Port Configuration Sets the input rate limit for each port 3-116 Output Port Configuration Sets the output rate limit for ports 3-116 Port Statistics Lists Ethernet and RMON port statistics 3-117 Address Table 3-121...
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Port Configuration Specifies default PVID and VLAN attributes 3-152 Trunk Configuration Specifies default trunk VID and VLAN attributes 3-152 Tunnel Port Configuration Adds an interface to a QinQ Tunnel 3-159 Tunnel Trunk Configuration Adds an interface to a QinQ Tunnel 3-159...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Queue Scheduling Configures Weighted Round Robin queueing 3-183 IP DSCP Priority Status Globally enables DSCP priority 3-185 IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a 3-186 DSCP tag to a class-of-service queue IP Port Priority Status Globally enables IP port priority...
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page IGMP Filter Profile Configures IGMP Filter Profiles 3-216 Configuration IGMP Filter/Throttling Port Configures IGMP Filtering and Throttling for ports 3-217 Configuration IGMP Filter/Throttling Trunk Configures IGMP Filtering and Throttling for trunks 3-217 Configuration 3-219...
Basic Configuration Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. •...
Console(config)#snmp-server location WC 9 4-136 Console(config)#snmp-server contact Ted 4-136 Console(config)#exit Console#show system 4-70 System Description: Layer2+ Fast Ethernet Standalone Switch ES3510 System OID String: 1.3.6.1.4.1.259.8.1.6 System Information System Up Time: 0 days, 0 hours, 57 minutes, and 56.69 seconds System Name: R&D 5...
Basic Configuration Web – Click System, Switch Information. Figure 3-4 Switch Information CLI – Use the following command to display version information. Console#show version 4-71 Serial Number: Service Tag: Hardware Version: EPLD Version: 0.00 Number of Ports: Main Power Status: Loader Version: 1.0.0.2 Boot ROM Version:...
Configuring the Switch Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Basic Configuration CLI – Enter the following command. Console#show bridge-ext 4-220 Max Support VLAN Numbers: Max Support VLAN ID: 4094 Extended Multicast Filtering Services: No Static Entry Individual Port: VLAN Learning: Configurable PVID Tagging: Local VLAN Capable: Traffic Classes: Enabled Global GVRP Status: Disabled GMRP:...
Configuring the Switch Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
Basic Configuration Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
Configuring the Switch Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
Basic Configuration • File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored...
Configuring the Switch To delete a file select System, File, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted. Figure 3-11 Deleting Files CLI –...
Basic Configuration - tftp to file – Copies a file from a TFTP server to the switch. - tftp to running-config – Copies a file from a TFTP server to the running config. - tftp to startup-config – Copies a file from a TFTP server to the startup config. •...
Configuring the Switch Note: You can also select any configuration file as the start-up configuration by using the System/File/Set Start-Up page. Figure 3-13 Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Basic Configuration system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded.
Configuring the Switch CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-11 Console(config-line)#login local 4-11 Console(config-line)#password 0 secret 4-12...
Basic Configuration • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
Configuring the Switch CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level. Console(config)#line vty 4-11 Console(config-line)#login local 4-11 Console(config-line)#password 0 secret...
Configuring the Switch Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-17 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
Basic Configuration • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
Configuring the Switch • Severity – Specifies the degree of urgency that the message carries. • Debugging – Sends a debugging notification. (Level 7) • Information – Sends informative notification only. (Level 6) • Notice – Sends notification of a normal but significant condition, such as a cold start.
Basic Configuration CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging sendmail host 192.168.1.19 Console(config)#logging sendmail level 3 Console(config)#logging sendmail source-email bill@this-company.com...
Configuring the Switch Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
Basic Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-63 Console(config)#sntp poll 60 4-64 Console(config)#sntp client 4-62 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 60...
Configuring the Switch Setting the Time Manually You can set the system time on the switch manually without using SNTP. Web – Select System, Calendar. Set the current date and time using the fields provided. Click the Apply to start using the configured time. Figure 3-23 Setting the Current Date and Time CLI –...
Simple Network Management Protocol information using SNMP-based network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication. Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption;...
Configuring the Switch Setting Community Access Strings You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings. Command Attributes •...
Simple Network Management Protocol Command Attributes • Trap Manager Capability – This switch supports up to five trap managers. • Current – Displays a list of the trap managers currently configured. • Trap Manager IP Address – IP address of the host (the targeted recipient). •...
Configuring the Switch Enabling SNMP Agent Status Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes • SNMP Agent Status – Check the box to enable or disable the SNMP Agent. Web – Click SNMP, Agent Status. Figure 3-26 Enabling SNMP Agent Status Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps:...
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Engine ID. Figure 3-27 Setting an Engine ID Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Configuring the Switch • Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) • Model – The user security model; SNMP v1, v2c or v3. • Level – The security level used for the user: - noAuthNoPriv –...
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Configuring the Switch user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Command Attributes • User Name – The name of user connecting to the SNMP agent. (Range: 1-32 characters) •...
Simple Network Management Protocol Command Attributes • Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) • Model – The user security model; SNMP v1, v2c or v3. • Level – The security level used for the group: - noAuthNoPriv –...
Configuring the Switch Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description linkUp 1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state).
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Configuring the Switch • Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view. Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view.
User Authentication User Authentication You can restrict management access to this switch using the following options: • User Accounts – Manually configure access rights on the switch for specified users. • Authentication Settings – Use remote authentication to configure access rights. •...
Configuring the Switch Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
User Authentication Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Configuring the Switch Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
User Authentication Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-34 Authentication Settings 3-51...
User Authentication AAA Authorization and Accounting The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows: • Authentication — Identifies users that request access to the network. •...
Configuring the Switch Configuring AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the configured RADIUS servers to use for accounting and authorization. Command Attributes • Group Name - Defines a name for the RADIUS server group. (1-255 characters) •...
User Authentication Web – Click Security, AAA, TACACS+ Group Settings. Enter the TACACS+ group name, followed by the number of the server, then click Add. Figure 3-36 AAA TACACS+ Group Settings CLI – Specify the group name for a list of TACACS+ servers, and then specify the index number of a TACACS+ server to add it to the group.
Configuring the Switch Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add. Figure 3-37 AAA Accounting Settings CLI – Specify the accounting method required, followed by the chosen parameters. Console(config)#aaa accounting dot1x tps start-stop group radius 4-90 Console(config)#...
User Authentication AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled) Web –...
Configuring the Switch Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply. Figure 3-39 AAA Accounting 802.1X Port Settings CLI – Specify the accounting method to apply to the selected interface. Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps-method 4-94 Console(config-if)#...
User Authentication Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply. Figure 3-40 AAA Accounting Exec Command Privileges CLI – Specify the accounting method to use for console and Telnet privilege levels. Console(config)#line console 4-11 Console(config-line)#accounting commands 15 tps-method...
Configuring the Switch AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
User Authentication Web – Click Security, AAA, Summary. Figure 3-42 AAA Accounting Summary CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-97 Accounting Type : dot1x Method List : default Group List : radius Interface...
Configuring the Switch Console#show accounting statistics Total entries: 3 Acconting type : dot1x Username : testpc Interface : eth 1/1 Time elapsed since connected: 00:24:44 Acconting type : exec Username : admin Interface : vty 0 Time elapsed since connected: 00:25:09 Console# Authorization Settings AAA authorization is a feature that verifies a user has access to specific services.
User Authentication Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Configuring the Switch Web – Click Security, AAA, Authorization, Summary. Figure 3-45 AAA Authorization Summary Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
User Authentication • Change HTTPS Port Number – Specifies the UDP port number used for HTTPS connection to the switch’s web interface. (Default: Port 443) Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-46 HTTPS Settings CLI –...
Configuring the Switch Configuring the Secure Shell The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
User Authentication Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-73) to copy a file containing the public key for all the SSH client’s granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-47.) The clients are subsequently authenticated using these keys.
Configuring the Switch Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
User Authentication CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server 4-45 Console(config)#ip ssh timeout 100 4-46 Console(config)#ip ssh authentication-retries 5 4-46...
Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-48 SSH Host-Key Settings CLI –...
User Authentication Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Configuring the Switch Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-49 Configuring Port Security CLI –...
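The port security behaviour described above (learning stops once the configured maximum is reached, and any further unknown source address is treated as a violation) can be modelled as a small state machine. The block below is an added example written for this page, not the switch's firmware; the action names "none", "trap" and "shutdown" and the way a shut-down port drops even known addresses are assumptions of the model, and all MAC addresses in it are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    """Port-security state for one switch port (constructed model of the
    behaviour the manual describes, not the switch's own code)."""
    name: str
    max_mac: int                       # maximum number of addresses learned on the port
    action: str = "trap"               # assumed action names: "none", "trap", "shutdown"
    enabled: bool = True               # Status checkbox on the Port Security page
    learned: Set[str] = field(default_factory=set)
    shut_down: bool = False
    traps: List[str] = field(default_factory=list)   # SNMP traps the model would send

    def receive(self, src_mac: str) -> bool:
        """Process one frame from src_mac; return True if it would be forwarded."""
        src_mac = src_mac.lower()
        if self.shut_down:
            # A port disabled by a violation forwards nothing until an admin re-enables it.
            return False
        if not self.enabled or src_mac in self.learned:
            # Security off, or an address learned before the limit was reached.
            return True
        if len(self.learned) < self.max_mac:
            # Still below the configured maximum: keep learning.
            self.learned.add(src_mac)
            return True
        # Learning has stopped; an unknown source address is a security violation.
        if self.action in ("trap", "shutdown"):
            self.traps.append(f"{self.name}: invalid address {src_mac}")
        if self.action == "shutdown":
            self.shut_down = True
        return False

    def clear(self) -> None:
        """Administrative reset: re-enable the port and forget learned addresses."""
        self.shut_down = False
        self.learned.clear()


if __name__ == "__main__":
    port = SecurePort("eth 1/1", max_mac=2, action="shutdown")
    for mac in ("00-00-01-02-03-04", "00-00-01-02-03-05", "00-00-01-02-03-06"):
        print(mac, "forwarded" if port.receive(mac) else "dropped")
    print(port.traps, "shut down:", port.shut_down)
```

With `max_mac=2` the third distinct address is dropped and, for the "shutdown" action, takes the port out of service; with "trap" the port stays up, continues to forward the two learned addresses, and records one trap per violating frame.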
User Authentication This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange 802.1X authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3.
Configuring the Switch Displaying 802.1X Global Settings The 802.1X protocol provides client authentication. Command Attributes • 802.1X System Authentication Control – The global setting for 802.1X. Web – Click Security, 802.1X, Information. Figure 3-50 802.1X Global Information CLI – This example shows the default global setting for 802.1X. Console#show dot1x 4-105 Global 802.1X Parameters...
User Authentication Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply. Figure 3-51 802.1X Global Configuration CLI – This example enables 802.1X globally for the switch. Console(config)#dot1x system-auth-control 4-100 Console(config)# Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the...
Configuring the Switch • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds) • Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet.
User Authentication CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-105. Console(config)#interface ethernet 1/2 4-150 Console(config-if)#dot1x port-control auto 4-101 Console(config-if)#dot1x re-authentication 4-103 Console(config-if)#dot1x max-req 5 4-101...
Configuring the Switch Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
User Authentication Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-53 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-105 Eth 1/4 Rx: EAPOL...
Configuring the Switch Notes: 1. MAC authentication, web authentication, 802.1X, and port security cannot be configured together on the same port. Only one security mechanism can be applied. RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication”...
User Authentication CLI – This example globally enables the system authentication control, configures the session timeout, quiet period and login attempts, and displays the configured global parameters. Console(config)#mac-authentication reauth-time 3000 4-112 Console(config)#web-auth system-auth-control 4-117 Console(config)#web-auth session-timeout 1800 4-117 Console(config)#web-auth quiet-period 20 4-116 Console(config)#web-auth login-attempts 2 4-116...
Configuring the Switch CLI – This example enables web authentication for ethernet port 1/5 and displays a summary of web authentication parameters. Console(config)#interface ethernet 1/5 4-150 Console(config-if)#web-auth 4-118 Console(config-if)#end Console#show web-auth summary 4-120 Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count...
User Authentication CLI – This example displays web authentication parameters for port 1/5. Console#show web-auth interface ethernet 1/5 4-119 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ---------------------- Console# Re-authenticating Web Authenticated Ports The switch allows an administrator to manually force re-authentication of any web-authenticated host connected to any port.
Configuring the Switch The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
User Authentication Web – Click Security, Network Access, Configuration. Figure 3-58 Network Access Configuration CLI – This example sets and displays the reauthentication time. Console(config)#mac-authentication reauth-time 3000 4-112 Console(config)#exit Console#show network-access interface ethernet 1/1 4-113 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- --------------------------------------------------...
Configuring the Switch Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Network Access Port Configuration page in the “Trunk” column. Web – Click Security, Network Access, Port Configuration. Figure 3-59 Network Access Port Configuration CLI –...
User Authentication Displaying Secure MAC Address Information Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table. Command Attributes • Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
Configuring the Switch CLI – This example displays all entries currently in the secure MAC address table. Console#show network-access mac-address-table 4-114 ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s...
Access Control Lists Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 15 characters) • Type – There are three filtering modes: - Standard –...
Configuring the Switch indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP).
Access Control Lists • Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP) • Source/Destination Port – Source/destination port number for the specified protocol type.
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
Access Control Lists Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
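The IP ACL mask rule stated above (the mask is bitwise ANDed with the rule's address and compared with the packet's address), and the same rule applied with the MAC ACL's hexadecimal bitmask, can be checked against sample packets with the evaluator below. This is an added example for this page, not the switch's filtering code. It assumes that a mask bit of 1 means "compare this bit" and 0 means "ignore", so "Any" is mask 0.0.0.0 and "Host" is mask 255.255.255.255 (or FF-FF-FF-FF-FF-FF for MAC); it also assumes first-match semantics with an implicit deny when no rule matches. The ACL entries and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_masked_match(rule_addr: str, mask: str, pkt_addr: str) -> bool:
    """Mask bit 1 = compare, 0 = ignore (assumed convention). Both the rule
    address and the packet address are ANDed with the mask and compared."""
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    p = int(ipaddress.IPv4Address(pkt_addr))
    return (r & m) == (p & m)


def mac_to_int(mac: str) -> int:
    """Parse 11-22-33-44-55-66 (or colon-separated) into an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def mac_masked_match(rule_mac: str, bitmask: str, pkt_mac: str) -> bool:
    """Same bitwise rule as ip_masked_match, using the MAC ACL's hex bitmask."""
    r, m, p = mac_to_int(rule_mac), mac_to_int(bitmask), mac_to_int(pkt_mac)
    return (r & m) == (p & m)


@dataclass
class IpRule:
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"               # "Any" by default: every bit ignored
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"               # destination fields are used by extended ACLs
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None     # 6 = TCP, 17 = UDP, other number = "Others", None = any
    dst_port: Optional[int] = None     # TCP/UDP destination port, None = any

    def matches(self, pkt: dict) -> bool:
        if not ip_masked_match(self.src, self.src_mask, pkt["src"]):
            return False
        if not ip_masked_match(self.dst, self.dst_mask, pkt["dst"]):
            return False
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class MacRule:
    action: str
    src: str = "00-00-00-00-00-00"
    src_mask: str = "00-00-00-00-00-00"
    dst: str = "00-00-00-00-00-00"
    dst_mask: str = "00-00-00-00-00-00"

    def matches(self, frame: dict) -> bool:
        return (mac_masked_match(self.src, self.src_mask, frame["src"])
                and mac_masked_match(self.dst, self.dst_mask, frame["dst"]))


def evaluate(rules: List, pkt: dict) -> str:
    """First matching rule decides; no match is an implicit deny (assumed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample ACLs: permit SSH from 10.1.2.0/24 (address type "IP"),
# then deny anything else from 10.1.0.0/16; the MAC ACL permits one OUI.
IP_ACL = [
    IpRule("permit", src="10.1.2.0", src_mask="255.255.255.0", protocol=6, dst_port=22),
    IpRule("deny", src="10.1.0.0", src_mask="255.255.0.0"),
]
MAC_ACL = [
    MacRule("permit", src="11-22-33-00-00-00", src_mask="FF-FF-FF-00-00-00"),
]

if __name__ == "__main__":
    pkt = {"src": "10.1.2.99", "dst": "192.0.2.1", "proto": 6, "dport": 22}
    print(evaluate(IP_ACL, pkt))
    print(evaluate(MAC_ACL, {"src": "11-22-33-44-55-66", "dst": "ff-ff-ff-ff-ff-ff"}))
```

Note how the mask semantics differ from a Cisco-style wildcard, where set bits mean "ignore"; a practitioner migrating rules between the two conventions must invert the mask, or every "Host" entry silently becomes "Any".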
Access Control Lists Command Attributes • Port – Fixed port or SFP module. (Range: 1-10) • IP – Specifies the IP ACL to bind to a port. • MAC – Specifies the MAC ACL to bind to a port. • IN – ACL for ingress packets. Web –...
Configuring the Switch addresses or address ranges. • When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges. •...
Port Configuration CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 4-37 Console(config)#end Console#show management all-client Management IP Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- SNMP-Client: Start IP address End IP address ----------------------------------------------- 1.
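The management IP filter rule stated above (no overlapping ranges within one group, overlaps allowed across SNMP, web and Telnet) is easy to get wrong when entries are added one at a time, so the block below checks it the way the switch would at entry time and then answers "is this client allowed?" for a group. It is an added example for this page, not the switch's implementation; it assumes that a group with no entries accepts any client, and the addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

GROUPS = ("snmp", "web", "telnet")


class ManagementFilter:
    """Allowed management client ranges per access group (constructed model)."""

    def __init__(self) -> None:
        self.ranges: Dict[str, List[Tuple[int, int]]] = {g: [] for g in GROUPS}

    def add(self, group: str, start: str, end: Optional[str] = None) -> bool:
        """Add a client address or range; return False if it overlaps an
        existing range of the same group (the switch rejects such entries)."""
        if group not in self.ranges:
            raise ValueError(f"unknown group: {group}")
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end or start))
        if lo > hi:
            raise ValueError("start address is above end address")
        for a, b in self.ranges[group]:
            if lo <= b and a <= hi:          # intervals overlap
                return False
        self.ranges[group].append((lo, hi))
        return True

    def is_allowed(self, group: str, client: str) -> bool:
        """Assumption: an empty group imposes no filter; otherwise the client
        must fall inside one of the configured ranges."""
        entries = self.ranges[group]
        if not entries:
            return True
        c = int(ipaddress.IPv4Address(client))
        return any(a <= c <= b for a, b in entries)


if __name__ == "__main__":
    f = ManagementFilter()
    print(f.add("snmp", "10.1.2.3"))                    # single client, as in the CLI example
    print(f.add("snmp", "10.1.2.0", "10.1.2.255"))      # overlaps within the same group
    print(f.add("web", "10.1.2.0", "10.1.2.255"))       # same range, different group
```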
Configuring the Switch Web – Click Port, Port Information or Trunk Information. Figure 3-67 Displaying Port/Trunk Information Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address”...
Port Configuration • Port Security – Shows if port security is enabled or disabled. • Max MAC count – Shows the maximum number of MAC addresses that can be learned by a port. (0 - 1024 addresses) • Port security action – Shows the response to take when a security violation is detected.
Configuring the Switch • Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled) • Flow Control – Allows automatic or manual selection of flow control. • Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/ disabled.
Port Configuration CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/3 4-150 Console(config-if)#description RD SW#13 4-151 Console(config-if)#shutdown 4-155 Console(config-if)#no shutdown Console(config-if)#no negotiation 4-152 Console(config-if)#speed-duplex 100half 4-151 Console(config-if)#flowcontrol 4-154 Console(config-if)#negotiation Console(config-if)#capabilities 100half 4-153 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol...
Configuring the Switch Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
Port Configuration Statically Configuring a Trunk Command Usage • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
Configuring the Switch CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-150 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-150 Console(config-if)#channel-group 2 4-166 Console(config-if)#exit...
Port Configuration Command Attributes • Member List (Current) – Shows configured trunks (Port). • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-10) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add.
Configuring the Switch Configuring LACP Parameters Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP System Priority. • Ports must have the same LACP port Admin Key. •...
Port Configuration partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply. Figure 3-71 LACP Port Configuration
Configuring the Switch CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-150 Console(config-if)#lacp actor system-priority 3 4-168 Console(config-if)#lacp actor admin-key 120 4-169 Console(config-if)#lacp actor port-priority 128 4-171 Console(config-if)#exit Console(config)#interface ethernet 1/4...
Port Configuration Table 3-8 LACP Port Counters (Continued) Field Description Marker Unknown Pkts Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Configuring the Switch Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port.
Port Configuration Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-73 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-171 Port channel : 1...
Configuring the Switch Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-171 Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 3, 00-12-CF-CE-2A-20...
Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-75 Port Broadcast Control CLI – Set the threshold, then enable broadcast control on any interface. The following sets broadcast control threshold at 500 kbytes per second, and then enables broadcast storm control for port 1.
Port Configuration Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped.
Port Configuration CLI - This example sets the rate limit level for input traffic passing through port 3. Console(config)#interface ethernet 1/3 4-150 Console(config-if)#rate-limit input scale 100k level 5 4-164 Console(config-if)# Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Transmit Multicast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. Transmit Broadcast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this...
Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-78 Port Statistics
Configuring the Switch Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-79 Configuring a Static Address Table CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Address Table Settings Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-80 Configuring a Dynamic Address Table CLI –...
Configuring the Switch Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the function. • Aging Time – The time after which a learned entry is discarded. (Range: 10-98301 seconds;...
Spanning Tree Algorithm Configuration disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
Configuring the Switch message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) •...
Spanning Tree Algorithm Configuration • Root Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Configuring the Switch Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Spanning Tree Algorithm Configuration address will then become the root device. (Note that lower numeric values indicate higher priority.) - Default: 32768 - Range: 0-61440, in steps of 4096 - Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 Root Device Configuration •...
Configuring the Switch Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0) • Region Name – The name for this MSTI. (Maximum length: 32 characters) •...
Spanning Tree Algorithm Configuration CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-201 Console(config)#spanning-tree mode rstp 4-201 Console(config)#spanning-tree priority 45056 4-204 Console(config)#spanning-tree hello-time 5 4-203 Console(config)#spanning-tree max-age 38 4-203 Console(config)#spanning-tree forward-time 20 4-202...
Configuring the Switch by auto-detection, as described for Admin Link Type in STA Port Configuration on page 3-134. • Oper Edge Port – This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3-134 (i.e., true or false), but will be set to false if a BPDU is received, indicating that another bridge is attached to this port.
Spanning Tree Algorithm Configuration Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled. • Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
Configuring the Switch CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-216 1/ 5 information -------------------------------------------------------------- Admin status: enabled Role: disable State: discarding Path cost: 10000 Priority: Designated cost: Designated port : 128.5 Designated root: 32768.0012CF0B0D00 Designated bridge:...
Spanning Tree Algorithm Configuration Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 • Path Cost – This parameter is used by the STP to determine the best path between devices.
Configuring the Switch Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-85 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-150 Console(config-if)#spanning-tree port-priority 0 4-211...
Configuring the Switch CLI – This example sets STA attributes for port 1, followed by settings for each port. Console#show spanning-tree mst 2 Spanning-tree information --------------------------------------------------------------- Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :2 Vlans configuration :2 Priority :4096 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20 Bridge Forward Delay (sec.) :15...
Spanning Tree Algorithm Configuration Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values. Figure 3-87 Displaying MSTP Interface Settings
Configuring the Switch CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-231 4-216 Spanning-tree information...
Spanning Tree Algorithm Configuration - Discarding – Port receives STA configuration messages, but does not forward packets. - Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses. - Forwarding –...
Configuring the Switch Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-88 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50...
VLAN Configuration This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
Configuring the Switch Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
VLAN Configuration Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Configuring the Switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
VLAN Configuration • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry. • Egress Ports – Shows all the VLAN port members. • Untagged Ports – Shows the untagged VLAN port members. Web –...
VLAN Configuration Figure 3-92 Configuring a VLAN Static List CLI – This example creates a new VLAN. Console(config)#vlan database 4-223 Console(config-vlan)#vlan 2 name R&D media ethernet state active 4-224 Console(config-vlan)#end Console#show vlan 4-231 Vlan ID: Type: Static Name: DefaultVlan Status: Active Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
Configuring the Switch which must be the same as the Port VID. See “Configuring VLAN Behavior for Interfaces” on page 3-152 for configuring PVID. - Forbidden: Interface is forbidden from automatically joining the VLAN via GVRP. For more information, see “Automatic VLAN Registration” on page 3-144.
VLAN Configuration Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
Configuring the Switch Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
VLAN Configuration or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60) • GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group.
Configuring the Switch CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. Console(config)#interface ethernet 1/3 4-150 Console(config-if)#switchport acceptable-frame-types tagged 4-227...
VLAN Configuration processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing. However, the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the customer’s network.
Configuring the Switch 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: •...
VLAN Configuration Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
Configuring the Switch Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. Command Usage • Use the TPID field to set a custom 802.1Q ethertype value on the selected interface.
VLAN Configuration CLI – This example sets the switch to operate in QinQ mode. Console(config)#dot1q-tunnel system-tunnel-control 4-232 Console(config)#exit Console#show dot1q-tunnel 4-234 Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply. Figure 3-97 Tunnel Port Configuration CLI –...
VLAN Configuration Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/ secondary associated groups, and stand-alone isolated VLANs. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
Configuring the Switch • Primary VLAN – The VLAN with which the selected VLAN ID is associated. A primary VLAN displays its own ID, a community VLAN displays the associated primary VLAN, and an isolated VLAN displays the stand-alone VLAN. •...
VLAN Configuration • Current – Displays a list of the currently configured VLANs. Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove.
Non-Association list box, and click Add to associate these entries with the selected primary VLAN. (A community VLAN can only be associated with one primary VLAN.) Figure 3-100 Private VLAN Association

CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.

Console(config)#vlan database                                         4-223
Console(config-vlan)#private-vlan 5 association 6
...
VLAN Configuration Web – Click VLAN, Private VLAN, Port Information or Trunk Information. Figure 3-101 Private VLAN Port Information CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
Configuring the Switch • Primary VLAN – Conveys traffic between promiscuous ports, and between promiscuous ports and community ports within the associated secondary VLANs. If PVLAN type is “Promiscuous,” then specify the associated primary VLAN. • Community VLAN – A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports.
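The rules in the descriptions above can be written as a forwarding check. The Python below is an added example and is not the switch's own code. It uses the primary VLAN 5 / community VLAN 6 layout from the CLI example above, adds a constructed community VLAN 7 and a constructed stand-alone isolated VLAN 8, and assumes the conventional behaviour for an isolated VLAN (host ports reach only that VLAN's promiscuous ports, never each other), since this page's own text for that type is cut off.

```python
"""Forwarding rules of the private VLAN types described in this section.

Added example, not the switch's own code. A primary VLAN holds promiscuous
ports, an associated community VLAN holds host ports that reach each other
and the primary VLAN's promiscuous ports, and a stand-alone isolated VLAN is
assumed (conventional definition) to let its host ports reach only the
promiscuous ports of the same isolated VLAN. Port and VLAN numbers follow
the page's example plus constructed extras.
"""
from typing import Dict, List, Set, Tuple


class PrivateVlanDomain:
    def __init__(self) -> None:
        self.primary: Set[int] = set()
        self.community: Dict[int, int] = {}        # community VLAN -> associated primary VLAN
        self.isolated: Set[int] = set()
        self.ports: Dict[str, Tuple[int, str]] = {}  # port -> (vlan, role)

    def add_primary(self, vid: int) -> None:
        self.primary.add(vid)

    def add_isolated(self, vid: int) -> None:
        self.isolated.add(vid)

    def associate(self, primary: int, community: int) -> None:
        """A community VLAN can only be associated with one primary VLAN."""
        if primary not in self.primary:
            raise ValueError("VLAN %d is not a primary VLAN" % primary)
        if self.community.get(community, primary) != primary:
            raise ValueError("community VLAN %d is already associated" % community)
        self.community[community] = primary

    def map_port(self, port: str, vlan: int, role: str) -> None:
        """role is 'promiscuous' (primary or isolated VLAN) or 'host' (community or isolated VLAN)."""
        if role == "promiscuous" and vlan not in (self.primary | self.isolated):
            raise ValueError("promiscuous ports belong to a primary or isolated VLAN")
        if role == "host" and vlan not in (set(self.community) | self.isolated):
            raise ValueError("host ports belong to a community or isolated VLAN")
        self.ports[port] = (vlan, role)

    def _domain(self, vlan: int) -> int:
        """The private VLAN group a VLAN belongs to: its primary, or itself if primary/isolated."""
        return self.community.get(vlan, vlan)

    def can_forward(self, src: str, dst: str) -> bool:
        if src == dst:
            return False
        svlan, srole = self.ports[src]
        dvlan, drole = self.ports[dst]
        if self._domain(svlan) != self._domain(dvlan):
            return False                      # different private VLAN groups never talk
        if "promiscuous" in (srole, drole):
            return True                       # promiscuous ports reach everything in the group
        if svlan == dvlan and svlan in self.community:
            return True                       # host ports within the same community VLAN
        return False                          # hosts across communities, or isolated hosts

    def reachable_from(self, port: str) -> List[str]:
        return sorted(p for p in self.ports if self.can_forward(port, p))


def build_example_domain() -> PrivateVlanDomain:
    """Primary VLAN 5 with community VLANs 6 and 7 (as on this page), plus a
    constructed stand-alone isolated VLAN 8."""
    d = PrivateVlanDomain()
    d.add_primary(5)
    d.associate(5, 6)
    d.associate(5, 7)
    d.add_isolated(8)
    d.map_port("eth1/3", 5, "promiscuous")
    d.map_port("eth1/4", 6, "host")
    d.map_port("eth1/5", 6, "host")
    d.map_port("eth1/6", 7, "host")
    d.map_port("eth1/7", 8, "promiscuous")
    d.map_port("eth1/8", 8, "host")
    d.map_port("eth1/9", 8, "host")
    return d


if __name__ == "__main__":
    domain = build_example_domain()
    for port in sorted(domain.ports):
        print(port, "->", domain.reachable_from(port))
```

The isolation this gives is Layer 2 only: two community ports in different community VLANs can still reach each other through a router attached to a promiscuous port unless that router filters the traffic.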
VLAN Configuration Protocol VLANs You can configure VLAN behavior to support multiple protocols to allow traffic to pass through different VLANs. When a packet is received at a port, its VLAN membership is determined by the protocol type of the packet. A maximum of 20 Protocol VLAN groups can be configured on the switch.
Configuring the Switch Web – Click VLAN, Protocol VLAN, Configuration. Figure 3-103 Protocol VLAN Configuration CLI - This example shows the switch configured with Protocol VLANs 1 and 2. Protocol VLAN 1 has been configured with the fixed and preconfigured IP parameters.
Web – Click VLAN, Protocol VLAN, Port Configuration. Figure 3-104 Protocol VLAN Port Configuration

CLI – This example shows ethernet interface 1 configured with Protocol VLAN Group 1 mapped to VLAN 5 and Protocol VLAN Group 2 mapped to VLAN 6.

Console(config)#interface ethernet 1/1                                4-150
Console(config-if)#protocol-vlan protocol-group 1 vlan 5
...
Configuring the Switch Command Attributes • LLDP – Enables LLDP globally on the switch. (Default: Enabled) • Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds) This attribute must comply with the following rule: (transmission-interval * holdtime-multiplier) ≤...
Link Layer Discovery Protocol critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service. Web – Click LLDP, Configuration. Enable LLDP, modify any of the timing parameters as required, and click Apply. Figure 3-105 LLDP Configuration CLI –...
Configuring the Switch Command Attributes • Admin Status – Enables LLDP message transmit and receive modes for LLDP Protocol Data Units. (Options: Tx only, Rx only, TxRx, Disabled; Default: TxRx) • SNMP Notification – Enables the transmission of SNMP trap notifications about LLDP and LLDP-MED changes.
Link Layer Discovery Protocol configure the system name, see “Displaying System Information” on page 3-11. - System Capabilities – The system capabilities identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB. •...
CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise.

Console(config)#interface ethernet 1/1                                4-150
Console(config-if)#lldp admin-status tx-rx                            4-184
Console(config-if)#lldp notification                                  4-184
...
LLDP Local System Information
 Chassis Type                : MAC Address
 Chassis ID                  : 00-01-02-03-04-05
 System Name                 :
 System Description          : Layer2+ Fast Ethernet Standalone Switch ES3510
 System Capabilities Support : Bridge
 System Capabilities Enable  : Bridge
 Management Address          : 192.168.0.101 (IPv4)
LLDP Port Information
...
CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP.

Console#show lldp info remote-device                                  4-198
LLDP Remote Devices Information
Interface | ChassisId         PortId            SysName
--------- + ----------------- ----------------- ---------------------
Eth 1/1   | 00-01-02-03-04-05 00-01-02-03-04-06
Console#
CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.

Console#show lldp info remote-device detail ethernet 1/1              4-198
LLDP Remote Devices Information Detail
---------------------------------------------------------------
 Local PortName : Eth 1/1
 Chassis Type   : MAC Address
...
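The displays above are decoded from LLDP frames received on each port. The following Python parser is an added example and not the switch's code: it decodes the IEEE 802.1AB basic TLVs into the fields shown in the displays, rejects a PDU whose TLV length fields run past the buffer or which lacks the mandatory Chassis ID, Port ID, TTL and End TLVs, and is exercised on a PDU constructed to carry the values from the local-system display (chassis 00-01-02-03-04-05, port 00-01-02-03-04-06, management address 192.168.0.101). LLDP is unauthenticated, so everything parsed from it is untrusted input: a neighbour can advertise arbitrary names, capabilities and addresses, which is the reason for the strict length checks here and for setting Admin Status to Rx only or Disabled on ports that face untrusted devices.

```python
"""Minimal LLDPDU parser for the TLVs shown in the LLDP displays of this section.

Added example, not the switch's own code. It decodes the IEEE 802.1AB basic
TLVs (Chassis ID, Port ID, TTL, System Name/Description, System Capabilities,
Management Address) from a raw LLDPDU, enforces the length fields so a
malformed advertisement cannot make the parser read past the buffer, and
requires the mandatory TLVs. The sample PDU is constructed to match the
values in the local-system display.
"""
import struct
from typing import Any, Dict

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP, TLV_MGMT_ADDR = 5, 6, 7, 8
CAPABILITY_BITS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN Access Point",
                   0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS Cable Device", 0x80: "Station Only"}
ID_SUBTYPE_MAC = {TLV_CHASSIS_ID: 4, TLV_PORT_ID: 3}   # subtype value meaning "MAC address"


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def _decode_id(tlv_type: int, value: bytes) -> str:
    if not value:
        raise ValueError("empty ID TLV")
    subtype, ident = value[0], value[1:]
    if subtype == ID_SUBTYPE_MAC[tlv_type] and len(ident) == 6:
        return "-".join("%02x" % b for b in ident)
    return ident.decode("utf-8", "replace")


def parse_lldpdu(pdu: bytes) -> Dict[str, Any]:
    info: Dict[str, Any] = {"capabilities_supported": [], "capabilities_enabled": [], "mgmt_addresses": []}
    off, seen_end = 0, False
    while off + 2 <= len(pdu):
        header = struct.unpack("!H", pdu[off:off + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("TLV type %d claims %d bytes past end of PDU" % (tlv_type, length))
        value = pdu[off:off + length]
        off += length
        if tlv_type == TLV_END:
            seen_end = True
            break
        if tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID):
            info["chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"] = _decode_id(tlv_type, value)
        elif tlv_type == TLV_TTL:
            if length != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            info["ttl"] = struct.unpack("!H", value)[0]   # 0 means the neighbour is shutting down
        elif tlv_type == TLV_SYS_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_DESC:
            info["system_description"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_CAP and length == 4:
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities_supported"] = [n for b, n in CAPABILITY_BITS.items() if supported & b]
            info["capabilities_enabled"] = [n for b, n in CAPABILITY_BITS.items() if enabled & b]
        elif tlv_type == TLV_MGMT_ADDR and length >= 2:
            addr_len, addr_subtype = value[0], value[1]
            addr = value[2:1 + addr_len]
            if addr_subtype == 1 and len(addr) == 4:           # IANA AFI 1 = IPv4
                info["mgmt_addresses"].append(".".join(str(b) for b in addr))
        # organisationally specific (127) and unknown types are skipped by their length
    for key in ("chassis_id", "port_id", "ttl"):
        if key not in info:
            raise ValueError("mandatory TLV missing: " + key)
    if not seen_end:
        raise ValueError("End of LLDPDU TLV missing")
    return info


def is_well_formed(pdu: bytes) -> bool:
    try:
        parse_lldpdu(pdu)
        return True
    except ValueError:
        return False


def build_sample_lldpdu() -> bytes:
    """Constructed LLDPDU mirroring the local-system display in this section."""
    mgmt = bytes([5, 1]) + bytes([192, 168, 0, 101]) + bytes([2]) + struct.pack("!I", 1) + bytes([0])
    return (tlv(TLV_CHASSIS_ID, bytes([4]) + bytes.fromhex("000102030405"))
            + tlv(TLV_PORT_ID, bytes([3]) + bytes.fromhex("000102030406"))
            + tlv(TLV_TTL, struct.pack("!H", 120))
            + tlv(TLV_SYS_NAME, b"")
            + tlv(TLV_SYS_DESC, b"Layer2+ Fast Ethernet Standalone Switch ES3510")
            + tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0004, 0x0004))
            + tlv(TLV_MGMT_ADDR, mgmt)
            + tlv(TLV_END, b""))


if __name__ == "__main__":
    for k, v in parse_lldpdu(build_sample_lldpdu()).items():
        print("%-24s %s" % (k, v))
```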
CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.

switch#show lldp info statistics                                      4-198
LLDP Device Statistics
 Neighbor Entries List Last Updated : 2450279 seconds
 New Neighbor Entries Count
 Neighbor Entries Deleted Count
 Neighbor Entries Dropped Count
 Neighbor Entries Ageout Count
...
CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.

switch#show lldp info statistics detail ethernet 1/1                  4-198
LLDP Port Statistics Detail
 PortName : Eth 1/1
 Frames Discarded
 Frames Invalid
 Frames Received
...
Configuring the Switch Command Attributes • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port.
Class of Service Configuration Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on Strict, Weighted Round Robin (WRR), or Hybrid. Up to eight separate traffic priorities are defined in IEEE 802.1p.
Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-113 Traffic Classes

CLI – The following example shows how to change the CoS assignments.

Console(config)#interface ethernet 1/1                                4-150
Console(config-if)#queue cos-map 0 0
...
Class of Service Configuration Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue, or you can choose a hybrid of these two methods.
Configuring the Switch these queues (and thereby to the corresponding traffic priorities). This weight sets the limit for the amount of packets the switch will transmit each time the queue is serviced, and subsequently affects the response time for software applications assigned a specific priority value.
Class of Service Configuration Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (TOS) octet or the number of the TCP port.
Mapping DSCP Priority

The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP-compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1, and then displays the DSCP Priority settings.

Console(config)#map ip dscp                                           4-251
Console(config)#map ip dscp 0 cos 1                                   4-251
Console(config)#end
Console#show map ip dscp
...
Configuring the Switch Web* – Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS queue in the Class of Queue Service box, and then click Apply. Figure 3-119 IP Port Priority CLI* –...
Class of Service Configuration Mapping IP Precedence Priority The Type of Service (TOS) octet in the IPv4 header includes three precedence bits (see page 3-191) defining eight different priority levels ranging from highest priority (7) for network control packets to lowest priority (0) for routine traffic. Bits 6 and 7 are used for network control, and the other bits for various application types.
Configuring the Switch Web* – Click Priority, IP Precedence Priority. Select an IP Precedence value in the IP Precedence Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply. Figure 3-121 Mapping IP Precedence to Class of Service Queues CLI* –...
Mapping IP TOS Priority

The Type of Service (TOS) octet in the IPv4 header is divided into three parts: Precedence (3 bits), TOS (4 bits), and MBZ (1 bit). The Precedence bits indicate the importance of a packet, whereas the TOS bits indicate how the network should make tradeoffs between throughput, delay, reliability, and cost (as defined in RFC 1349).
Configuring the Switch Web* – Click Priority, IP TOS Priority. Select an IP TOS value in the IP TOS Priority Table, enter a queue number in the Class of Queue Service Value field, and then click Apply. Figure 3-123 Mapping IP TOS to Class of Service Queues CLI* –...
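The three Layer 3/4 mapping modes above all read the same TOS octet in different ways. The Python below is an added example and not the switch's code: it decodes one octet into IP Precedence, TOS bits, MBZ, DSCP and ECN fields, then applies a DSCP, IP Precedence or TOS mapping table to choose a CoS value and one of four egress queues, reproducing the effect of "map ip dscp 0 cos 1" from the DSCP example. The default tables (DSCP to its class-selector precedence, precedence to the same CoS number, TOS bits to CoS 0, and the four-queue 802.1p mapping) are assumptions made for the example, not values read from this switch. Because any host can set its own DSCP, trusting markings on user-facing ports lets a host claim a higher queue; the policy-map example later in this chapter shows how markings can be re-written instead.

```python
"""Decoding the IPv4 TOS octet and mapping it to a CoS value and egress queue.

Added example, not the switch's own code. The same byte is read three ways
(IP Precedence, DSCP, TOS bits), as in the Layer 3/4 priority pages, and a
mapping table such as the one changed by "map ip dscp 0 cos 1" selects a CoS
value and then one of four egress queues. The default tables are assumptions
for the example: DSCP maps to its class-selector precedence, IP Precedence
maps to the same CoS number, TOS bits map to CoS 0, and CoS falls into four
queues using the 802.1p recommendation for four-queue devices.
"""
from typing import Dict

# Assumed defaults (not read from the switch).
DEFAULT_DSCP_TO_COS: Dict[int, int] = {d: d >> 3 for d in range(64)}
DEFAULT_PRECEDENCE_TO_COS: Dict[int, int] = {p: p for p in range(8)}
DEFAULT_TOS_TO_COS: Dict[int, int] = {t: 0 for t in range(16)}
COS_TO_QUEUE_FOUR: Dict[int, int] = {1: 0, 2: 0, 0: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def decode_tos(tos: int) -> Dict[str, int]:
    """Split the TOS octet the three ways the switch can interpret it."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS octet out of range")
    return {
        "precedence": tos >> 5,          # RFC 791 precedence, bits 7-5
        "tos_bits": (tos >> 1) & 0xF,    # RFC 1349 delay/throughput/reliability/cost, bits 4-1
        "mbz": tos & 0x1,                # RFC 1349 must-be-zero bit
        "dscp": tos >> 2,                # RFC 2474 DiffServ code point, bits 7-2
        "ecn": tos & 0x3,                # RFC 3168 ECN, bits 1-0
    }


class Layer3PriorityMapper:
    """One of the three mapping modes is active at a time, as on the switch."""

    def __init__(self, mode: str = "dscp") -> None:
        if mode not in ("dscp", "precedence", "tos"):
            raise ValueError("mode must be dscp, precedence or tos")
        self.mode = mode
        self.dscp_to_cos = dict(DEFAULT_DSCP_TO_COS)
        self.precedence_to_cos = dict(DEFAULT_PRECEDENCE_TO_COS)
        self.tos_to_cos = dict(DEFAULT_TOS_TO_COS)

    @staticmethod
    def _check_cos(cos: int) -> None:
        if not 0 <= cos <= 7:
            raise ValueError("CoS must be 0-7")

    def map_dscp(self, dscp: int, cos: int) -> None:
        """Equivalent of 'map ip dscp <dscp> cos <cos>'."""
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP must be 0-63")
        self._check_cos(cos)
        self.dscp_to_cos[dscp] = cos

    def map_precedence(self, precedence: int, cos: int) -> None:
        if not 0 <= precedence <= 7:
            raise ValueError("precedence must be 0-7")
        self._check_cos(cos)
        self.precedence_to_cos[precedence] = cos

    def map_tos(self, tos_bits: int, cos: int) -> None:
        if not 0 <= tos_bits <= 15:
            raise ValueError("TOS bits must be 0-15")
        self._check_cos(cos)
        self.tos_to_cos[tos_bits] = cos

    def cos_for(self, tos: int) -> int:
        fields = decode_tos(tos)
        if self.mode == "dscp":
            return self.dscp_to_cos[fields["dscp"]]
        if self.mode == "precedence":
            return self.precedence_to_cos[fields["precedence"]]
        return self.tos_to_cos[fields["tos_bits"]]

    def queue_for(self, tos: int) -> int:
        return COS_TO_QUEUE_FOUR[self.cos_for(tos)]


if __name__ == "__main__":
    mapper = Layer3PriorityMapper("dscp")
    mapper.map_dscp(0, 1)                       # the CLI example from the DSCP page
    for name, tos in (("best effort", 0x00), ("EF voice", 0xB8), ("CS7 control", 0xE0)):
        print("%-12s tos=0x%02x %s cos=%d queue=%d" % (
            name, tos, decode_tos(tos), mapper.cos_for(tos), mapper.queue_for(tos)))
```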
Quality of Service Mapping CoS Values to ACLs Use the ACL CoS Priority page to set the output queue for packets matching a configured ACL rule. For information on configuring ACLs, see “Access Control Lists” on page 3-88. Command Usage You must configure an ACL before you can map a CoS queue to the rule.
Configuring the Switch Precedence, DSCP values, or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on configured network policies, different kinds of traffic can be marked for different kinds of forwarding.
Quality of Service based on an access list, a DSCP or IP Precedence value, or a VLAN, and click the Add button next to the field for the selected traffic criteria. You can specify up to 16 items to match when assigning ingress traffic to a class map. •...
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-125 Configuring Class Maps

CLI – This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
Quality of Service Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-194. - Open the Policy Map page, and click Add Policy.
• Back – Returns to the previous page without making any changes.

Policy Rule Settings - Class Settings -
• Class Name – Name of class map.
• Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-194).
Quality of Service Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-126 Configuring Policy Maps 3-199...
CLI – This example creates a policy map called “rd_policy#3,” sets the average bandwidth to 1 Mbps and the burst size to 1522 bytes, and sets the response for violating packets to reducing their DSCP value to 0.

Console(config)#policy-map rd_policy#3                                4-262
Console(config-pmap)#class rd_class#3                                 4-262
...
VoIP Traffic Configuration VoIP Traffic Configuration When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality.
Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, and set the Voice VLAN Aging Time. Click Apply. Figure 3-128 Configuring VoIP Traffic

CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
VoIP Traffic Configuration address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status.

Console(config)#interface ethernet 1/2
Console(config-if)#switchport voice vlan auto                         4-270
Console(config-if)#switchport voice vlan security                     4-271
Console(config-if)#switchport voice vlan rule oui                     4-271
Console(config-if)#switchport voice vlan priority 5                   4-272
Console(config-if)#exit
...
VoIP Traffic Configuration Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
Multicast Filtering

Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Multicast Filtering these sources are all placed in the Include list, and traffic is forwarded to the hosts from each of these sources. IGMPv3 hosts may also request that service be forwarded from all sources except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.
the multicast filtering table is already full, the switch will continue flooding the traffic into the VLAN.
• IGMP Querier – A router, or multicast-enabled switch, can periodically ask the hosts on a LAN if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier”...
Multicast Filtering Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) Figure 3-131 IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
Configuring the Switch is determined by the IGMP Query Report Delay (see “Configuring IGMP Snooping and Query Parameters” on page 3-207). • If immediate leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
Multicast Filtering support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch. You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router/switch for each VLAN ID.
Configuring the Switch • Port or Trunk – Specifies the interface attached to a multicast router. Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add.
Multicast Filtering Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-135 IP Multicast Registration Table CLI –...
Configuring the Switch • Multicast IP – The IP address for a specific multicast service • Port or Trunk – Specifies the interface attached to a multicast router/switch. Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add.
Multicast Filtering IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.
CLI – This example enables IGMP filtering and creates a profile number. It then displays the current status and the existing profile numbers.

Console(config)#ip igmp filter                                        4-284
Console(config)#ip igmp profile 19                                    4-285
Console(config)#end
Console#show ip igmp profile                                          4-289
IGMP Profile 19
IGMP Profile 25
...
Multicast Filtering Web – Click IGMP Snooping, IGMP Filter Profile Configuration. Select the profile number you want to configure; then click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list.
Configuring the Switch • An IGMP profile or throttling setting can also be applied to a trunk interface. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk. • IGMP throttling sets a maximum number of multicast groups that a port can join at the same time.
CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.

Console(config)#interface ethernet 1/1                                4-150
Console(config-if)#ip igmp filter 19                                  4-287
Console(config-if)#ip igmp max-groups 64
...
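The following Python is an added example, not the switch's code, that models an IGMP filter profile and the throttling behaviour described in the preceding pages: a profile with a permit or deny access mode and a list of multicast group ranges decides which join reports a port accepts, and a per-port maximum then either denies new groups or replaces an existing one once the limit is reached. Which existing group is replaced is not stated on this page, so the oldest group is evicted here as an assumption; the profile numbers and group addresses are constructed.

```python
"""IGMP filtering profile and per-port throttling, as described in this section.

Added example, not the switch's own code. A profile carries an access mode
(permit or deny) and a list of multicast group ranges; a port with a profile
applied drops join reports for groups the profile does not allow. Throttling
then caps the number of groups the port may hold: when the cap is reached a
new join is either denied or replaces an existing group. Which group is
replaced is not specified in the text; the oldest entry is used here as an
assumption. Groups and numbers below are constructed.
"""
import ipaddress
from collections import OrderedDict
from typing import List, Optional, Tuple


class IgmpProfile:
    def __init__(self, profile_id: int, access_mode: str) -> None:
        if access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.profile_id = profile_id
        self.access_mode = access_mode
        self.ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []

    def add_range(self, start: str, end: Optional[str] = None) -> None:
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end or start)
        if not (lo.is_multicast and hi.is_multicast and lo <= hi):
            raise ValueError("range must be ascending multicast addresses")
        self.ranges.append((lo, hi))

    def permits(self, group: str) -> bool:
        """permit mode: only listed groups pass; deny mode: listed groups are blocked."""
        addr = ipaddress.IPv4Address(group)
        in_range = any(lo <= addr <= hi for lo, hi in self.ranges)
        return in_range if self.access_mode == "permit" else not in_range


class IgmpPortPolicy:
    def __init__(self, profile: Optional[IgmpProfile], max_groups: int, action: str = "deny") -> None:
        if action not in ("deny", "replace"):
            raise ValueError("throttle action must be deny or replace")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self._groups: "OrderedDict[str, None]" = OrderedDict()   # insertion order = join order

    def groups(self) -> List[str]:
        return list(self._groups)

    def report(self, group: str) -> str:
        """Process one IGMP membership report; returns the decision taken."""
        if self.profile is not None and not self.profile.permits(group):
            return "filtered"
        if group in self._groups:
            return "already-joined"
        if len(self._groups) >= self.max_groups:
            if self.action == "deny":
                return "denied"
            evicted, _ = self._groups.popitem(last=False)   # assumption: oldest group is replaced
            self._groups[group] = None
            return "replaced " + evicted
        self._groups[group] = None
        return "joined"

    def leave(self, group: str) -> bool:
        """Remove a group; True if the port was a member."""
        if group in self._groups:
            del self._groups[group]
            return True
        return False


if __name__ == "__main__":
    profile = IgmpProfile(19, "deny")
    profile.add_range("239.0.0.0", "239.255.255.255")   # administratively scoped block
    port = IgmpPortPolicy(profile, max_groups=2, action="replace")
    for g in ("239.1.1.1", "224.1.1.1", "224.1.1.2", "224.1.1.3"):
        print(g, "->", port.report(g))
    print("groups on port:", port.groups())
```

The "replace" action keeps a host from being locked out when the limit is reached, but it also lets a single host churn the group list on a shared port; "deny" is the conservative choice where each port serves one subscriber.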
[Figure: MVR topology. A multicast server and satellite services on the service network feed a multicast router; a Layer 2 switch receives the streams on its MVR source port and delivers them through receiver ports to set-top boxes.]

General Configuration Guidelines for MVR

Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings”...
Multicast VLAN Registration • MVR Running Status – Indicates whether or not all necessary conditions in the MVR environment are satisfied. • MVR VLAN – Identifier of the VLAN that serves as the channel for streaming multicast services using MVR. (Range: 1-4093; Default: 1) •...
Configuring the Switch • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
Web – Click MVR, Group IP Information. Figure 3-142 MVR Group IP Information

CLI – The following example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.

Console#show mvr interface                                            4-294
MVR Group IP      Status   Members
----------------  -------- -------
...
Configuring the Switch • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.

Console(config)#interface ethernet 1/1
Console(config-if)#mvr type source                                    4-292
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#mvr type receiver                                  4-292
Console(config-if)#mvr immediate                                      4-292
Console(config-if)#

Assigning Static Multicast Groups to Interfaces
...
CLI – This example statically assigns a multicast group to a receiver port.

Console(config)#interface ethernet 1/2
Console(config-if)#mvr group 228.1.23.1                               4-292
Console(config-if)#

DHCP Snooping

DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
DHCP Snooping If the DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table. Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted.
Web – Click DHCP Snooping, VLAN Configuration. Figure 3-146 DHCP Snooping VLAN Configuration

CLI – This example enables DHCP Snooping for VLAN 1.

Console(config)#ip dhcp snooping vlan 1                               4-303
Console(config)#

DHCP Snooping Information Option Configuration

DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
Web – Click DHCP Snooping, Information Option Configuration. Figure 3-147 DHCP Snooping Information Option Configuration

CLI – This example enables the DHCP Snooping Information Option and sets the policy to replace.

Console(config)#ip dhcp snooping information option                   4-305
Console(config)#ip dhcp snooping information policy replace           4-306
Console(config)#

DHCP Snooping Port Configuration
...
CLI – This example shows how to enable the DHCP Snooping Trust Status for port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#ip dhcp snooping trust                             4-304
Console(config-if)#
IP Source Guard IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-226).
CLI – This example shows how to enable IP source guard on port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip                                4-308
Console(config-if)#end
Console#show ip source-guard                                          4-311
Interface  Filter-type
---------  -----------
Eth 1/1    DISABLED
Eth 1/2    DISABLED
Eth 1/3    DISABLED
Eth 1/4    DISABLED
...
Web – Click IP Source Guard, Static Configuration. Figure 3-150 Static IP Source Guard Binding Configuration

CLI – This example shows how to configure a static source-guard binding on port 5.

Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5    4-310
Console(config)#
Web – Click IP Source Guard, Dynamic Information. Figure 3-151 Dynamic IP Source Guard Binding Information

CLI – This example displays the current IP source guard bindings, including those learned dynamically through DHCP snooping.

Console#show ip source-guard binding                                  4-311
MacAddress         IpAddress        Lease(sec)  Type     VLAN
...
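The DHCP snooping and IP Source Guard behaviour described on the preceding pages can be followed in the Python below, which is an added example and not the switch's code. It drops DHCP server messages that arrive on untrusted ports, learns a dynamic binding (MAC, IP, VLAN, port) when an ACK for a pending client request arrives on a trusted port, accepts static bindings like the one configured above, clears only the dynamic bindings when snooping is globally disabled, and applies the "sip" or "sip-mac" filter on a guarded port. The check that a client's DHCP hardware address matches the frame's source MAC is a common companion to snooping and is an assumption here; all addresses and port names are constructed.

```python
"""DHCP snooping binding table and IP Source Guard filtering.

Added example, not the switch's own code. Server messages are dropped on
untrusted ports; leases learned on trusted ports become dynamic bindings tied
to the client's port and VLAN; static bindings can be added by hand;
disabling snooping clears only dynamic bindings; IP Source Guard on a port
admits only traffic matching a binding for that port, checking source IP
alone ("sip") or source IP and MAC ("sip-mac"). The chaddr-vs-source-MAC
check is an assumed extra. All addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str                  # "dynamic" or "static"
    lease: Optional[int] = None


class DhcpSnoopingTable:
    def __init__(self, trusted_ports: Set[str], snooping_vlans: Set[int]) -> None:
        self.trusted_ports = set(trusted_ports)
        self.snooping_vlans = set(snooping_vlans)
        self.bindings: Dict[str, Binding] = {}        # keyed by client MAC
        self._pending: Dict[str, str] = {}            # client MAC -> untrusted port its request came from
        self.source_guard: Dict[str, str] = {}        # port -> "sip" or "sip-mac"

    def observe(self, msg: Dict, port: str) -> str:
        """Apply snooping to one DHCP message; returns 'forward' or 'drop: <reason>'."""
        if msg["vlan"] not in self.snooping_vlans:
            return "forward"                                  # snooping not enabled on this VLAN
        op = msg["op"]
        if port in self.trusted_ports:
            if op == "ACK" and "yiaddr" in msg:
                client_port = self._pending.get(msg["chaddr"])
                if client_port is not None:                   # bind the lease to the client's port
                    self.bindings[msg["chaddr"]] = Binding(
                        msg["chaddr"], msg["yiaddr"], msg["vlan"], client_port, "dynamic", msg.get("lease"))
            return "forward"
        if op in SERVER_MESSAGES:
            return "drop: DHCP server message on untrusted port"   # rogue server
        if msg["chaddr"] != msg["src_mac"]:
            return "drop: client hardware address does not match source MAC"   # assumed check
        if op in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(msg["chaddr"])
            if bound is not None and bound.port != port:
                return "drop: release/decline from a port other than the binding's"
        if op in CLIENT_MESSAGES:
            self._pending[msg["chaddr"]] = port
        return "forward"

    def add_static(self, mac: str, ip: str, vlan: int, port: str) -> None:
        self.bindings[mac] = Binding(mac, ip, vlan, port, "static")

    def disable_snooping(self) -> None:
        """Globally disabling snooping removes all dynamic bindings; static ones stay."""
        self.bindings = {m: b for m, b in self.bindings.items() if b.kind == "static"}
        self._pending.clear()

    def enable_source_guard(self, port: str, filter_type: str) -> None:
        if filter_type not in ("sip", "sip-mac"):
            raise ValueError("filter type must be sip or sip-mac")
        self.source_guard[port] = filter_type

    def source_guard_allows(self, port: str, src_mac: str, src_ip: str, vlan: int) -> bool:
        """Admit an IP packet on a guarded port only if it matches a binding for that port."""
        filter_type = self.source_guard.get(port)
        if filter_type is None:
            return True                                       # IP Source Guard disabled on this port
        for b in self.bindings.values():
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                if filter_type == "sip" or b.mac == src_mac:
                    return True
        return False


if __name__ == "__main__":
    table = DhcpSnoopingTable(trusted_ports={"eth1/1"}, snooping_vlans={1})
    client = "00-11-22-33-44-55"
    print(table.observe({"op": "DISCOVER", "chaddr": client, "src_mac": client, "vlan": 1}, "eth1/5"))
    print(table.observe({"op": "OFFER", "chaddr": client, "src_mac": "00-de-ad-be-ef-00",
                         "vlan": 1, "yiaddr": "192.168.0.50"}, "eth1/6"))
    print(table.observe({"op": "ACK", "chaddr": client, "src_mac": "00-aa-bb-cc-dd-ee",
                         "vlan": 1, "yiaddr": "192.168.0.50", "lease": 3600}, "eth1/1"))
    table.enable_source_guard("eth1/5", "sip")
    print(table.bindings[client], table.source_guard_allows("eth1/5", client, "192.168.0.50", 1))
```

The ordering matters in practice: enable snooping and let the binding table fill (or add static bindings for hosts with fixed addresses) before turning on IP Source Guard, otherwise every host on the guarded port is cut off until it renews its lease.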
Switch Clustering switches only become cluster Members when manually selected by the administrator through the management station. After the Commander and Members have been configured, any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu.
Web – Click Cluster, Configuration. Figure 3-153 Cluster Configuration

CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool.

Console(config)#cluster                                               4-312
Console(config)#cluster commander                                     4-313
Console(config)#cluster ip-pool 10.2.3.4                              4-313
...
Web – Click Cluster, Member Configuration. Figure 3-154 Cluster Member Configuration

CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.

Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5     4-314
Console(config)#

Cluster Member Information
...
CLI – This example shows information about cluster Member switches.

Vty-0#show cluster members                                            4-315
Cluster Members:
 Role:        Active member
 IP Address:  10.254.254.2
 MAC Address: 00-12-cf-23-49-c0
 Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
Vty-0#

Cluster Candidate Information

Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
UPnP UPnP Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards. The first step in UPnP networking is discovery.
CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration.

Console(config)#upnp device                                           4-316
Console(config)#upnp device advertise duration 200                    4-317
Console(config)#upnp device ttl 6                                     4-317
Console(config)#end
Console#show upnp
...
When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays:

User Access Verification

Username: admin
Password:

  CLI session with the ES3510 is opened.
  To end the CLI session, enter [Exit].

Console#...
When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays:

Username: admin
Password:

  CLI session with the ES3510 is opened.
  To end the CLI session, enter [Exit].

Vty-0#

Note: You can open up to four sessions to the device via Telnet.
Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
The command “show interfaces ?” will display the following information:

Console#show interfaces ?
  counters        Interface counters information
  protocol-group  Protocol group status
  status          Interface status information
  switchport      Interface switchport information
Console#show interfaces

Partial Keyword Lookup

If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
“super” (page 4-36). To enter Privileged Exec mode, enter the following user names and passwords:

Username: admin
Password: [admin login password]

  CLI session with the ES3510 is opened.
  To end the CLI session, enter [Exit].

Console#

Username: guest
Password: [guest login password]

  CLI session with the ES3510 is opened.
...
Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. The configuration commands are organized into different modes: •...
For example, you can use the following commands to enter interface configuration mode, and then return to Global Configuration mode:

Console(config)#interface ethernet 1/5
Console(config-if)#exit
Console(config)#

Command Line Processing

Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
Command Groups

The system commands can be broken down into the functional groups shown below.

Table 4-4 Command Groups

Command Group   Description                                                             Page
Line            Sets communication parameters for the serial port and Telnet,           4-10
                including baud rate and console time-out
General         Basic commands for entering privileged access mode, restarting the      4-19
                ...
Table 4-4 Command Groups (Continued)

Command Group   Description                                                             Page
Cluster         Configures switch clustering                                            4-312
UPnP            Configures UPnP settings                                                4-316

The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)    MST (Multiple Spanning Tree)
CM (Class Map Configuration)               NE (Normal Exec)
Line Commands line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
Command Line Interface - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. - login local selects authentication via the user name and password specified by the username command (i.e., default setting).
during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.

Example

Console(config-line)#password 0 secret
Console(config-line)#

Related Commands
login (4-11)
password-thresh (4-14)

timeout login response

This command sets the interval that the system waits for a user to log into the CLI.
Command Line Interface Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout) Default Setting CLI: No timeout Telnet: 10 minutes Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
Line Commands Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
Command Line Interface Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. • 8 - Eight data bits per character. Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
Line Commands Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Command Line Interface Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage...
General Commands Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec console# General Commands...
Command Line Interface Default Setting Level 15 Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-36.) •...
General Commands configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes”...
Command Line Interface The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
General Commands exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-7 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4-24 Banner...
System Management Commands Command Mode Global Configuration Example Console(config)#prompt RD2 RD2(config)# hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
Command Line Interface Table 4-9 Banner Commands Command Function Mode Page banner configure Configures the Equipment Location information that is displayed 4-30 equipment-location by banner banner configure Configures the IP and LAN information that is displayed by 4-30 ip-lan banner banner configure Configures the LP Number information that is displayed by 4-31...
System Management Commands Example Console(config)#banner configure Company: Edge-corE Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Jr. Network Admin phone number: 123-555-1213 Manager3 name: Night-shift Net Admin / Janitor phone number: 123-555-1214 The physical location of the equipment.
The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity. Example Console(config)#banner configure company Edge-corE Console(config)# banner configure dc-power-info This command allows the administrator to configure the DC power information displayed in the banner.
System Management Commands Syntax banner configure department dept-name no banner configure department dept-name - The name of the department. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure department command interprets spaces as data input boundaries.
( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity. Example Console(config)#banner configure equipment-info manufacturer-id switch35 floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-corE Console(config)# banner configure equipment-location This command allows the administrator to configure the equipment location information displayed in the banner.
System Management Commands ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where whitespace is necessary for clarity.
Command Line Interface banner configure manager-info This command allows the administrator to configure the manager contact information displayed in the banner. Use the no form to remove the manager contact information from the banner display. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] no banner configure manager-info [name1 | name2 | name3]...
System Management Commands no banner configure mux muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage The user-entered data cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries.
System Management Commands User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-10), user authentication via a remote authentication server (page 4-79), and host access authentication for specific ports (page 4-99).
Command Line Interface Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how to set the access level and password for a user.
System Management Commands Related Commands enable (4-19) authentication enable (4-80) IP Filter Commands Table 4-12 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-37 show management Displays the switch to be monitored or configured from a 4-38 browser management...
Command Line Interface • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management...
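The address filter applied by the management command, as an added example that is not part of the manual or the switch firmware. It models the two entry forms shown above (a single address, or a start and end address), the two deletion forms described in the usage note, and the permit check a management session would pass through. The class and method names, the idea that "all-client" covers every client type while other types are matched by name, and the rule that an empty filter imposes no restriction are assumptions for illustration.

```python
import ipaddress

# Added example: a model of the switch's management-access IP filter
# ("management all-client <start> [<end>]"). Illustrative code, not the
# switch firmware; class and method names are assumptions.
class ManagementFilter:
    """Holds inclusive IP address ranges that are allowed management access."""

    def __init__(self):
        self._ranges = []   # entries of (client_type, start, end), inclusive

    def add(self, client_type, start, end=None):
        """Add a single address (end omitted) or an inclusive start-end range."""
        s = ipaddress.ip_address(start)
        e = ipaddress.ip_address(end) if end is not None else s
        if e < s:
            raise ValueError("end address must not precede start address")
        self._ranges.append((client_type, s, e))

    def delete(self, client_type, start, end=None):
        """Delete by start address alone, or by start and end address, as the
        manual describes. Returns the number of entries removed."""
        s = ipaddress.ip_address(start)
        e = ipaddress.ip_address(end) if end is not None else None
        keep = [r for r in self._ranges
                if not (r[0] == client_type and r[1] == s
                        and (e is None or r[2] == e))]
        removed = len(self._ranges) - len(keep)
        self._ranges = keep
        return removed

    def permits(self, client_type, addr):
        """True if addr may open a management session of the given type.
        An 'all-client' entry covers every client type (assumption: other
        client-type keywords exist and are matched by name)."""
        a = ipaddress.ip_address(addr)
        if not self._ranges:
            return True   # assumption: no entries means no restriction
        return any(ctype in ("all-client", client_type) and s <= a <= e
                   for ctype, s, e in self._ranges)


def build_example_filter():
    """Reproduces the manual's example above: one host plus one range."""
    f = ManagementFilter()
    f.add("all-client", "192.168.1.19")
    f.add("all-client", "192.168.1.25", "192.168.1.30")
    return f
```

With the manual's two entries in place, 192.168.1.19 and any address from 192.168.1.25 through 192.168.1.30 are permitted and everything else is refused; deleting the range by its start address alone removes the whole range, which is the behaviour the usage note describes.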
System Management Commands Web Server Commands Table 4-13 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface 4-39 ip http server Allows the switch to be monitored or configured from a browser GC 4-39 ip http secure-server Enables HTTPS for encrypted communications...
Command Line Interface Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-39) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server Default Setting...
System Management Commands Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-41) copy tftp https-certificate (4-73) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port...
Command Line Interface Telnet Server Commands Table 4-15 Telnet Server Commands Command Function Mode Page ip telnet port Specifies the port to be used by the Telnet interface 4-39 ip telnet server Allows the switch to be monitored or configured from Telnet 4-39 ip telnet port This command specifies the TCP port number used by the Telnet interface.
System Management Commands Related Commands ip telnet port (4-42) Secure Shell Commands The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
Command Line Interface The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-79.
System Management Commands corresponding to the public keys stored on the switch can gain access. The following exchanges take place during this process:
1. The client sends its public key to the switch.
2. The switch compares the client's public key to those stored in memory.
3. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
Command Line Interface ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds...
System Management Commands Example Console(config)#ip ssh authentication-retries 2 Console(config)# Related Commands show ip ssh (4-49) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting. Syntax ip ssh server-key size key-size no ip ssh server-key size key-size –...
System Management Commands Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize dsa Console#...
Command Line Interface Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username...
System Management Commands show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
Command Line Interface Event Logging Commands Table 4-18 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-52 logging history Limits syslog messages saved to switch memory based on 4-53 severity logging host Adds a syslog server host IP address that will receive logging 4-54 messages logging facility...
System Management Commands logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
Command Line Interface logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
System Management Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Command Line Interface Related Commands show logging (4-56) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
System Management Commands The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
System Management Commands Command Mode Global Configuration Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
Command Line Interface logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address. Syntax [no] logging sendmail source-email email-address email-address - The source email address used in alert messages. (Range: 0-41 characters) Default Setting None...
System Management Commands logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
Command Line Interface Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
System Management Commands Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current time: Dec 23 02:52:44 2002 Poll interval: 60 Current mode: unicast SNTP status: Enabled SNTP server: 10.1.0.19 0.0.0.0 0.0.0.0 Current server: 10.1.0.19 Console# Related Commands sntp server (4-63) sntp poll (4-64) show sntp (4-64)
Command Line Interface sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
System Management Commands clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-12 hours) •...
Command Line Interface Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, April 1st, 2004. Console#calendar set 15 12 34 1 April 2004 Console# show calendar This command displays the system clock. Default Setting None Command Mode...
System Management Commands Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes. Each mode group is separated by “!”...
Command Line Interface Related Commands show running-config (4-68) show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example Console#show system System Description: Layer2+ Fast Ethernet Standalone Switch ES3510 System OID String: 1.3.6.1.4.1.259.8.1.6 System Information System Up Time: 0 days, 0 hours, 57 minutes, and 56.69 seconds System Name: R&D 5...
System Management Commands Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number. Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users:...
Command Line Interface Frame Size Commands Table 4-25 Frame Size Commands Command Function Mode Page jumbo frame Enables support for jumbo frames 4-72 jumbo frame This command enables support for jumbo frames. Use the no form to disable it. Syntax [no] jumbo frame Default Setting Disabled...
Flash/File Commands Flash/File Commands These commands are used to manage the system code or configuration files. Table 4-26 Flash/File Commands Command Function Mode Page copy Copies a code image or a switch configuration to or from flash 4-73 memory or a TFTP server delete Deletes a file or code image 4-75...
Command Line Interface Command Usage • The system prompts for data required to complete the copy command. • The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
Flash/File Commands The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
Command Line Interface Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. • A colon (:) is required after the specified unit number. Example This example shows how to delete the test2.cfg configuration file from flash memory for unit 1.
Flash/File Commands • File information is shown below: Table 4-27 File Directory Information Column Heading Description file name The name of the file. file type File types: Boot-Rom, Operation Code, and Config file. startup Shows if this file is used when the system is started. size The length of the file in bytes.
Command Line Interface boot system This command specifies the image used to start up the system. Syntax boot system [unit:] {boot-rom| config | opcode}: filename The type of file or image to set as a default includes: • boot-rom* - Boot ROM. •...
Authentication Commands Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X. Table 4-28 Authentication Commands Command Group Function Page...
Command Line Interface Command Usage • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. •...
Authentication Commands • RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. • You can specify three authentication methods in a single command to indicate the authentication sequence.
Command Line Interface • auth_port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) • acct_port - RADIUS server UDP port used for accounting messages. (Range: 1-65535) • timeout - Number of seconds the switch waits for a reply before resending a request.
Authentication Commands radius-server acct-port This command sets the RADIUS server port used for accounting messages. Use the no form to restore the default. Syntax radius-server acct-port port_number no radius-server acct-port port_number - RADIUS server UDP port used for accounting messages. (Range: 1-65535) Default Setting 1813...
Command Line Interface number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) Default Setting Command Mode Global Configuration Example Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server.
Authentication Commands Example Console#show radius-server Global Settings: Communication Key with RADIUS Server: Auth-Port: 1812 Acct-port: 1813 Retransmit Times: Request Timeout: Server 1: Server IP Address: 10.1.2.3 Communication Key with RADIUS Server: ****** Auth-Port: 1812 Acct-port: 1813 Retransmit Times: Request Timeout: Radius server group: Group Name Member Index...
Command Line Interface • port_number - The TACACS+ server TCP port used for authentication messages. (Range: 1-65535) • timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-540 seconds) • retransmit - Number of times the switch will resend an authentication request to the TACACS+ server.
Authentication Commands tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) Default Setting None...
Command Line Interface tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
Authentication Commands AAA Commands The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-32 AAA Commands Command Function Mode...
Command Line Interface Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} •...
Authentication Commands - radius - Specifies all RADIUS hosts configured with the radius-server host command described on page 4-81. - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-85. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-89.
Command Line Interface - radius - Specifies all RADIUS hosts configured with the radius-server host command described on page 4-81. - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-85. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-89.
Authentication Commands - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-85. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-89. (Range: 1-255 characters) Default Setting Accounting is not enabled...
Command Line Interface Example Console(config)#aaa accounting update periodic 30 Console(config)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x •...
Authentication Commands Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# accounting commands This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered commands. Syntax accounting commands level {default | list-name} no accounting commands level •...
Command Line Interface - tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command described on page 4-85. - server-group - Specifies the name of a server group configured with the aaa group server command described on page 4-89. (Range: 1-255 characters) Default Setting Authorization is not enabled...
Authentication Commands Example Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting This command displays the current accounting settings per function and per port. Syntax show accounting [commands [level] | [dot1x [statistics [username user-name | interface]] | exec [statistics] | statistics] •...
Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Authentication Commands Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
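The port security behaviour described above, as an added example that is not part of the manual or the switch firmware: a per-port table that accepts frames from statically configured or already-learned source addresses, learns new addresses until a configured maximum is reached, and drops everything else after that. The class and method names, the constructed frame sequence, and the choice to count only learned (dynamic) addresses against the limit are assumptions for illustration.

```python
# Added example: a model of port security as the manual describes it. Not the
# switch's own code; names and the sample frames are constructed.
class SecurePort:
    """Tracks source MACs seen on one port and enforces a learning limit."""

    def __init__(self, max_mac_count, static_macs=()):
        self.max_mac_count = max_mac_count
        self.static = {m.upper() for m in static_macs}   # from the static address table
        self.dynamic = []                                # learned addresses, in arrival order
        self.violations = []                             # dropped source MACs, in order

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        mac = src_mac.upper()
        if mac in self.static or mac in self.dynamic:
            return True                                  # already known on this port
        if len(self.dynamic) < self.max_mac_count:       # assumption: limit counts learned addresses
            self.dynamic.append(mac)                     # learn it, as long as room remains
            return True
        self.violations.append(mac)                      # limit reached: stop learning, drop
        return False


def run_sample_traffic():
    """Feed a constructed frame sequence through a port limited to 2 learned MACs.
    Returns the per-frame forwarding decisions and the port state."""
    port = SecurePort(max_mac_count=2, static_macs=["00-11-22-33-44-55"])
    frames = [
        "00-11-22-33-44-55",  # static entry: always accepted
        "00-aa-bb-cc-dd-01",  # learned (1 of 2)
        "00-aa-bb-cc-dd-02",  # learned (2 of 2)
        "00-aa-bb-cc-dd-03",  # limit reached: dropped
        "00-aa-bb-cc-dd-01",  # already learned: accepted
        "00-aa-bb-cc-dd-03",  # still unknown: dropped again
    ]
    forwarded = [port.ingress(m) for m in frames]
    return forwarded, port
```

The violations list is the piece an operator would actually want: a burst of distinct unknown source addresses on a port with a small limit is the condition port security exists to surface, and it is what a detection rule on the switch's logs would key on.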
Command Line Interface Table 4-34 802.1X Port Authentication (Continued) Command Function Mode Page dot1x operation-mode Allows single or multiple hosts on a dot1x port 4-102 dot1x re-authenticate Forces re-authentication on specific ports 4-102 dot1x re-authentication Enables re-authentication for all ports 4-103 dot1x timeout quiet-period Sets the time that a switch port waits after the Max...
Authentication Commands dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default. Syntax dot1x max-req count no dot1x max-req count –...
Command Line Interface dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Authentication Commands Command Mode Privileged Exec Example Console#dot1x re-authenticate Console# dot1x re-authentication This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# dot1x timeout quiet-period...
Command Line Interface dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds. (Range: 1-65535) Default 3600 seconds Command Mode Interface Configuration Example...
Authentication Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default. Syntax dot1x intrusion-action {block-traffic | guest-vlan} no dot1x intrusion-action Default...
Command Line Interface - Status – Administrative state for port access control. - Operation Mode – Dot1x port control operation mode (page 4-102). - Mode – Dot1x port control mode (page 4-101). - Authorized – Authorization status (yes or n/a - not authorized). •...
Authentication Commands - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server. • Reauthentication State Machine - State – Current state (including initialize, reauthenticate). Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name...
Command Line Interface Network Access MAC Address Authentication – The Network Access feature controls host access to the network by authenticating its MAC address on the connected switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
Authentication Commands Command Usage • When enabled on a port interface, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The username and password are both equal to the MAC address being authenticated. • On the RADIUS server, PAP username and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
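The credential format the usage note requires, as an added example that is not part of the manual or the switch firmware. Because the RADIUS server must hold the PAP user name and password as the MAC in XX-XX-XX-XX-XX-XX upper-case form, the most common failure is a server entry written in another spelling (colons, dots, lower case). The functions below normalise a MAC to the required form, build the attribute pair, simulate the server-side match, and audit a constructed user table for entries that can never match. The function names, the RADIUS attribute names and the user table are assumptions for illustration.

```python
import re

# Added example (not switch firmware): build and check the RADIUS PAP
# credential used for MAC address authentication, where user name and
# password are both the MAC in XX-XX-XX-XX-XX-XX upper-case form.
_MAC_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")


def mac_auth_credential(raw_mac):
    """Normalise common MAC spellings (aa:bb:.., aabb.ccdd.eeff, aa-bb-..) to the
    format the manual says the RADIUS server entries must use."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw_mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % raw_mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def pap_request(raw_mac):
    """The attribute pair sent for the host (assumption: attribute names)."""
    cred = mac_auth_credential(raw_mac)
    return {"User-Name": cred, "User-Password": cred}


def server_accepts(user_db, raw_mac):
    """Simulated RADIUS-side PAP check against a constructed user table.
    Entries not in the required format never match, which is the usual
    misconfiguration behind a MAC authentication failure."""
    req = pap_request(raw_mac)
    stored = user_db.get(req["User-Name"])
    return stored is not None and stored == req["User-Password"]


def audit_user_db(user_db):
    """Return the user names that do not follow XX-XX-XX-XX-XX-XX upper case."""
    return sorted(u for u in user_db if not _MAC_RE.match(u))


# Constructed server table: one correct entry, two in the wrong spelling.
EXAMPLE_USER_DB = {
    "00-11-22-AA-BB-CC": "00-11-22-AA-BB-CC",
    "00:11:22:aa:bb:cd": "00:11:22:aa:bb:cd",
    "001122aabbce": "001122aabbce",
}
```

Running audit_user_db over a server's user table before enabling MAC authentication on a port is a cheap way to catch entries that would otherwise show up only as authentication failures and, with the intrusion action set to block traffic, as hosts silently losing network access.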
Command Line Interface Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failed.
Authentication Commands Example Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)# network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. Syntax [no] network-access dynamic-vlan Default Setting Enabled Command Mode Interface Configuration Command Usage •...
Command Line Interface Command Mode Interface Configuration Command Usage • The VLAN to be used as the guest VLAN must be defined and set as active (“vlan database” on page 4-223). • When used with 802.1x authentication, the intrusion-action configuration must be set for ‘guest-vlan’...
Command Line Interface Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts : 2048 Dynamic VLAN Assignment...
Authentication Commands Example Console#show network-access mac-address-table ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s 00-00-01-02-03-06 172.155.120.17 Static 00d06h35m10s 00-00-01-02-03-07 172.155.120.17 Dynamic 00d06h34m20s Console# Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
Command Line Interface Table 4-36 Web Authentication Command Function Mode Page web-auth re-authenticate (IP) Ends the web authentication session associated with the 4-119 designated IP and forces the user to re-authenticate show web-auth Displays a summary of web authentication port 4-119 summary parameters and statistics...
Authentication Commands Example Console(config)#web-auth quiet-period 120 Console(config)# web-auth session-timeout This command defines the amount of time a web-authentication session remains valid. When the session-timeout time has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Command Line Interface web-auth This command enables web authentication for an interface. Use the no form to restore the default. Syntax [no] web-auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
Authentication Commands show web-auth interface This command displays interface-specific web authentication parameters and statistics. Syntax show web-auth interface interface • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-20) Default Setting None Command Mode...
Command Line Interface web-auth re-authenticate (IP) This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate. Syntax web-auth re-authenticate interface interface ip • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1.
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port  Status    Authenticated Host Count
----  ------    ------------------------
1/ 1  Disabled
1/ 2  Enabled
1/ 3  Disabled
1/ 4  Disabled
1/ 5  Disabled
1/ 6  Disabled
1/ 7  Disabled
1/ 8...

Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or for any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.

IP ACLs
Table 4-38 IP ACLs
Command          Function                                                    Mode     Page
access-list ip   Creates an IP ACL and enters configuration mode                      4-123
permit, deny     Filters packets matching a specified source IP address      STD-ACL  4-124
permit, deny     Filters packets meeting the specified criteria, including   EXT-ACL  4-124
                 source and destination IP address, TCP/UDP port number,...

Related Commands
permit, deny (4-124)
ip access-group (4-126)
show ip access-list (4-126)

permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | source bitmask | host source}
•...

This allows TCP packets from the class C network 192.168.1.0 to any destination address when the destination TCP port is 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
Related Commands
access-list ip (4-123)

show ip access-list
This command displays the rules for configured IP ACLs.
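The rule above is matched by masking the source address with the bitmask, and rules are checked in list order, so the position of a rule decides the outcome. The following script is an added example, not code from the switch or its vendor: it evaluates packets against rules written in the permit/deny syntax shown here, assuming that the bitmask selects the address bits to compare (as 255.255.255.0 does in the example) and that a packet matching no rule is dropped.

```python
"""Added example (not the switch vendor's code): a first-match evaluator for
rules written in this manual's standard/extended IP ACL syntax.

Assumptions (not stated on this page): the bitmask selects the address bits
that are compared, rules are checked top to bottom, and a packet that matches
no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An address clause as (network, mask) integers; mask 0 means "any".
Spec = Tuple[int, int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse one address clause at tokens[i]; return (spec, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    mask = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr & mask, mask), i + 2


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: Spec
    dst: Spec = (0, 0)           # extended ACLs only; standard rules keep "any"
    sport: Optional[int] = None  # source-port (extended ACLs only)
    dport: Optional[int] = None  # destination-port (extended ACLs only)
    text: str = ""               # the rule as typed, kept for reporting


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'permit 192.168.1.0 255.255.255.0 any destination-port 80'."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {line!r}")
    src, i = _parse_addr(tokens, 1)
    rule = Rule(tokens[0], src, text=line)
    # A second address clause means this is an extended (source + destination) rule.
    if i < len(tokens) and tokens[i] not in ("source-port", "destination-port"):
        rule.dst, i = _parse_addr(tokens, i)
    while i < len(tokens):
        key = tokens[i]
        if key not in ("source-port", "destination-port") or i + 1 >= len(tokens):
            raise ValueError(f"unsupported or incomplete clause at {key!r}")
        port = int(tokens[i + 1])
        if key == "source-port":
            rule.sport = port
        else:
            rule.dport = port
        i += 2
    return rule


def build_acl(lines: List[str]) -> List[Rule]:
    """New rules go to the end of the list, as the manual states."""
    return [parse_rule(line) for line in lines]


def _match_addr(spec: Spec, addr: str) -> bool:
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == net


def evaluate(acl: List[Rule], src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in acl:
        if not (_match_addr(rule.src, src) and _match_addr(rule.dst, dst)):
            continue
        if rule.sport is not None and rule.sport != sport:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"  # ASSUMPTION: implicit deny when no rule matches


if __name__ == "__main__":
    # Constructed sample: the manual's HTTP rule, preceded by a host-specific deny.
    acl = build_acl([
        "deny host 192.168.1.77",
        "permit 192.168.1.0 255.255.255.0 any destination-port 80",
    ])
    for src, dport in [("192.168.1.10", 80), ("192.168.1.10", 443), ("192.168.1.77", 80)]:
        print(f"{src} -> dport {dport}: {evaluate(acl, src, '203.0.113.5', dport=dport)}")
```

Swapping the two rules in the sample list lets the denied host through, which is the ordering pitfall to check for before binding a list with ip access-group.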
Command Mode
Interface Configuration (Ethernet)
Command Usage
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the switch replaces the old binding with the new one.

Table 4-39 MAC ACL Commands
Command                Function                               Mode  Page
mac access-group       Adds a port to a MAC ACL                     4-131
show mac access-group  Shows port assignments for MAC ACLs          4-131

access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | host source | source address-bitmask}...

Default Setting
None
Command Mode
MAC ACL
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
- 0800 - IP
- 0806 - ARP...

mac access-group
This command binds a port to a MAC ACL. Use the no form to remove the port.
Syntax
mac access-group acl_name in
• acl_name – Name of the ACL. (Maximum length: 16 characters)
• in – Indicates that this list applies to ingress packets.
Default Setting
None
Command Mode...

ACL Information
Table 4-40 ACL Information
Command            Function                               Mode  Page
show access-list   Shows all ACLs and associated rules          4-132
show access-group  Shows the ACLs assigned to each port         4-132

show access-list
This command shows all ACLs and associated rules, as well as all the user-defined masks.

SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...

snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#

show snmp...

Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1. private, and the privilege is read-write
 2. public, and the privilege is read-only
0 SNMP packets input
 0 Bad SNMP version errors
 0 Unknown community name
 0 Illegal operation for community name supplied
 0 Encoding errors
 0 Number of requested variables...

• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.

Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (4-136)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}...
• SNMP Version: 1
• UDP Port: 162
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server host command, no notifications are sent. To configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.

supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
• If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. If you use the V3 “auth” or “priv” options, the user name must first be defined with the snmp-server user command.

conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command (page 4-143).
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host (4-137)

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.

• A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 4-146).

snmp-server view
This command adds an SNMP view, which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-64 characters)
•...

show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active...
Default Setting
• Default groups: public (read only), private (read/write)
• readview - Every object belonging to the Internet OID space (1.3.6.1).
• writeview - Nothing is defined.
• notifyview - Nothing is defined.
Command Mode
Global Configuration
Command Usage
•...

show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Command Mode
Privileged Exec
Example
Console#show snmp group
Group Name: r&d
Security Model: v3
Read View: defaultview
Write View: daily
Notify View: none
Storage Type: permanent...

Table 4-44 show snmp group - display description
Field           Description
groupname       Name of an SNMP group.
security model  The SNMP version.
readview        The associated read view.
writeview       The associated write view.
notifyview      The associated notify view.
storage-type    The storage type for this entry.

Default Setting
None
Command Mode
Global Configuration
Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
•...

show snmp user
This command shows information on SNMP users.
Command Mode
Privileged Exec
Example
Console#show snmp user
EngineId: 800000ca030030f1df9ca00000
User Name: steve
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active

SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: mdt...
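The reason the engine ID must be set before snmp-server user is used, and why changing it clears every user, is that SNMPv3 (RFC 3414) derives each user's authentication and privacy keys from the password and then localizes them with the engine ID, so a different engine ID produces different keys. The script below is an added example, not code from the switch or its vendor; it implements the RFC 3414 password-to-key and key-localization steps and takes the EngineId printed by show snmp user above as its sample engine ID, with a constructed password.

```python
"""Added example (not the switch vendor's code): RFC 3414 key derivation for
SNMPv3 users, showing why the engine ID has to be in place before users are
configured and why changing it invalidates every existing user's keys."""
import hashlib

RFC3414_EXPANSION = 1_048_576  # the password is stretched to 1 MiB before hashing


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated out to 1,048,576 bytes)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    h = hashlib.new(hash_name)
    stretched = (pw * (RFC3414_EXPANSION // len(pw) + 1))[:RFC3414_EXPANSION]
    h.update(stretched)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); binds the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, hash_name: str = "md5") -> str:
    """Convenience wrapper: engine ID given as the hex string the CLI displays."""
    ku = password_to_key(password, hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()


def des_privacy_material(kul: bytes) -> tuple:
    """RFC 3414 8.1.1.1 (the des56 privacy protocol shown above): the first
    8 bytes of the localized key are the DES key, the next 8 the pre-IV."""
    if len(kul) < 16:
        raise ValueError("localized key too short for DES")
    return kul[:8], kul[8:16]


if __name__ == "__main__":
    # Engine ID from the show snmp user output on this page (user steve, md5).
    switch_engine = "800000ca030030f1df9ca00000"
    # Constructed sample password (the RFC 3414 test-vector password).
    pw = "maplesyrup"
    k1 = localized_key_hex(pw, switch_engine)
    # Constructed: the same password on an engine ID that differs in one byte.
    k2 = localized_key_hex(pw, "800000ca030030f1df9ca00001")
    print("Kul on this switch      :", k1)
    print("Kul after engine change :", k2)
    key, pre_iv = des_privacy_material(bytes.fromhex(k1))
    print("DES key / pre-IV        :", key.hex(), pre_iv.hex())
```

The RFC 3414 appendix A.3.1 vector (password maplesyrup, engine ID 000000000000000000000002) reproduces with these functions, which is a quick way to check a manager's SNMPv3 implementation against the switch.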
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Table 4-46 Interface Commands
Command      Function                                                        Mode  Page
interface    Configures an interface type and enters interface configuration       4-150
             mode
description...

Command Mode
Global Configuration
Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#

description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or description to help you remember what is attached to this interface.

Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.

• If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use auto-negotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
Related Commands
capabilities (4-153)
speed-duplex (4-151)

capabilities
This command advertises the port capabilities of a given interface during auto-negotiation.

Example
The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands
negotiation (4-152)
speed-duplex (4-151)
flowcontrol (4-154)

flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[no] flowcontrol
Default Setting...

Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
negotiation (4-152)
capabilities (flowcontrol, symmetric) (4-153)

shutdown
This command disables an interface. To restart a disabled interface, use the no form.

Example
The following shows how to enable broadcast storm control for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast
Console(config-if)#

clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
• ethernet unit/port
- unit - Stack unit. (Range: 1)
- port - Port number.

• port-channel channel-id (Range: 1-5)
• vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status”...

• port-channel channel-id (Range: 1-5)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics”...
- unit - Stack unit. (Range: 1)
- port - Port number. (Range: 1-10)
• port-channel channel-id (Range: 1-5)
Default Setting
Shows all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration settings for port 2.

Table 4-47 Interfaces Switchport Statistics
Field                          Description
Native VLAN                    Indicates the default Port VLAN ID (page 4-228).
Priority for untagged traffic  Indicates the default priority for untagged frames (page 4-245).
Gvrp status                    Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-221).
Allowed Vlan                   Shows the VLANs this interface has joined, where “(u)”...

Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Table 4-48 Mirror Port Commands
Command            Function                                    Mode  Page
port monitor       Configures a mirror session                       4-162
show port monitor  Shows the configuration for a mirror port         4-163

port monitor...

Example
The following example configures the switch to mirror packets received on port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#

show port monitor
This command displays mirror information.
Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
•...

Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.

Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Alternatively, you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.

Guidelines for Creating Trunks
General Guidelines –
• Finish configuring port trunks before you connect the corresponding network cables between switches, to avoid creating a loop.
• A trunk can have up to eight ports.
• The ports at both ends of a connection must be configured as trunk ports.
•...

Example
The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#channel-group 1
Console(config-if)#

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting...

Example
The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Console(config)#interface ethernet 1/11
Console(config-if)#lacp
Console(config-if)#exit...

Command Mode
Interface Configuration (Ethernet)
Command Usage
• Ports must be configured with the same system priority to join the same LAG.
• The system priority is combined with the switch's MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.

• Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
•...

Table 4-52 show lacp internal - display description
Field                 Description
Oper Key              Current operational value of the key for the aggregation port.
Admin Key             Current administrative value of the key for the aggregation port.
LACPDUs Internal      Number of seconds before invalidating received LACPDU information.
LACP System Priority  LACP system priority assigned to this port channel.

Table 4-53 show lacp neighbors - display description
Field                    Description
Partner Admin System ID  LAG partner's system ID assigned by the user.
Partner Oper System ID   LAG partner's system ID assigned by the LACP protocol.
Partner Admin            Current administrative value of the port number for the protocol Partner.

Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Table 4-55 Address Table Commands
Command                   Function                                     Mode  Page
mac-address-table static  Maps a static address to a port in a VLAN          4-175
clear mac-address-table...

Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics:
•...

• sort - Sort by address, vlan or interface.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
- Learned - Dynamic address entries
- Permanent - Static entry
- Delete-on-reset - Static entry to be deleted when the system is reset...

Example
Console(config)#mac-address-table aging-time 100
Console(config)#

show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging time: 100 sec.
Console#

LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.

Table 4-56 LLDP Commands (Continued)
Command            Function                                                          Mode  Page
lldp reinit-delay  Configures the delay before attempting to re-initialize after           4-183
                   LLDP ports are disabled or the link goes down
lldp tx-delay      Configures a delay between the successive transmission of               4-183
                   advertisements initiated by a change in local LLDP MIB variables...

Table 4-56 LLDP Commands (Continued)
Command                     Function                                                 Mode  Page
lldp medtlv med-cap         Configures an LLDP-MED-enabled port to advertise its           4-194
                            Media Endpoint Device capabilities
lldp medtlv network-policy  Configures an LLDP-MED-enabled port to advertise its           4-194
                            network policy configuration
show lldp config            Shows LLDP configuration settings for all ports                4-195...

Command Mode
Global Configuration
Command Usage
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
Example
Console(config)#lldp holdtime-multiplier 10
Console(config)#

lldp medFastStartCount
This command specifies the number of MED Fast Start LLDPDUs to transmit during...

Default Setting
5 seconds
Command Mode
Global Configuration
Command Usage
• This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
• Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.

lldp reinit-delay
This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting.
Syntax
lldp reinit-delay seconds
no lldp reinit-delay
seconds - Specifies the delay before attempting to re-initialize LLDP. (Range: 1 - 10 seconds)
Default Setting
2 seconds...

• This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval
Example
Console(config)#lldp tx-delay 10
Console(config)#

lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status...

the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
• SNMP trap destinations are defined using the snmp-server host command (page 4-137).
• Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp mednotification
Console(config-if)#

lldp basic-tlv management-ip-address
This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
Syntax
[no] lldp basic-tlv management-ip-address
Default Setting
Enabled
Command Mode...

Syntax
[no] lldp basic-tlv port-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.

Syntax
[no] lldp basic-tlv system-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.

Syntax
[no] lldp dot1-tlv proto-ident
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the protocols that are accessible through this interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-ident
Console(config-if)#

lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-related VLAN information.

Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port's default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan” on page 4-228).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv pvid
Console(config-if)#...

Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises link aggregation capabilities, the aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv link-agg...

Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Refer to “Frame Size Commands” on page 4-72 for information on configuring the maximum frame size for this switch.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv max-frame
Console(config-if)#

lldp dot3-tlv poe
This command configures an LLDP-enabled port to advertise its...

Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch and the power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device can use this information to decide whether to enter power conservation mode).

Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp medtlv location
Console(config-if)#

lldp medtlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities.

Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.

LLDP Local System Information
 Chassis Type : MAC Address
 Chassis ID : 00-01-02-03-04-05
 System Name :
 System Description : Layer2+ Fast Ethernet Standalone Switch ES3510
 System Capabilities Support : Bridge
 System Capabilities Enable : Bridge
 Management Address : 192.168.0.101 (IPv4)
LLDP Port Information...

show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
Syntax
show lldp info remote-device [detail interface]
• detail - Shows detailed information.
• interface
• ethernet unit/port
- unit - Stack unit.
LLDP Commands • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-10) • port-channel channel-id (Range: 1-5) Command Mode Privileged Exec Example switch#show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count...
Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-57 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-201 spanning-tree mode...
Spanning Tree Commands spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled. Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Command Line Interface - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
Spanning Tree Commands Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state;...
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
Default Setting
32768
Command Mode
Global Configuration
Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.
Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - The transmission limit in seconds. (Range: 1-10)
Default Setting
Command Mode
Global Configuration...
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[no] mst instance_id vlan vlan-range
•...
Default Setting
32768
Command Mode
MST Configuration
Command Usage
• MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
Syntax
revision number
number - Revision number of the spanning tree. (Range: 0-65535)
Default Setting
Command Mode
MST Configuration...
specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.
Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#

spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface.
Related Commands
spanning-tree cost (4-210)

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
Syntax
[no] spanning-tree edge-port
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
•...
Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.
• Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.
• RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree link-type point-to-point

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple...
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree mst 1 cost 50
Console(config-if)#
Related Commands
spanning-tree mst port-priority (4-215)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance_id port-priority priority
no spanning-tree mst instance_id port-priority...
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-10)
•...
Command Usage
• Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
• Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.
Syntax
[no] bridge-ext gvrp
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/6
Console(config-if)#switchport gvrp
Console(config-if)#

show gvrp configuration
This command shows if GVRP is enabled.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer_value
no garp timer {join | leave | leaveall}
•...
Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Console(config)#vlan database
Console(config-vlan)#vlan 105 name RD5 media ethernet
Console(config-vlan)#
Related Commands
show vlan (4-231)

Configuring VLAN Interfaces
Table 4-61 Configuring VLAN Interfaces
Command | Function...
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
Related Commands
shutdown (4-155)

switchport mode
This command configures the VLAN membership mode for a port.
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
• all - The port accepts all frames, tagged or untagged.
•...
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Ingress filtering only affects tagged frames.
• With ingress filtering enabled, a port will discard received frames tagged for VLANs of which it is not a member.
•...
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged.
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport forbidden vlan
This command configures forbidden VLANs.
Displaying VLAN Information
Table 4-62 Show VLAN Commands
Command | Function | Mode | Page
show vlan | Shows VLAN information | NE, PE | 4-231
show interfaces status vlan | Displays status for the specified VLAN interface | NE, PE | 4-157
show interfaces switchport | Displays the administrative and operational status of an interface | NE, PE | 4-159...
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#
Related Commands
show dot1q-tunnel (4-234)
show interfaces switchport (4-159)

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port.
switchport dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
Syntax
switchport dot1q-tunnel tpid tpid
no switchport dot1q-tunnel tpid
tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
Table 4-64 Private VLAN Commands
Command | Function | Mode | Page
private-vlan association | Associates a community VLAN with a primary VLAN | | 4-237
Configure Private VLAN Interfaces
switchport mode private-vlan | Sets an interface to host mode or promiscuous mode | | 4-238
switchport private-vlan | Associates an interface with a secondary VLAN | | 4-239...
private-vlan
Use this command to create a primary, community, or isolated private VLAN. Use the no form to remove the specified private VLAN.
Syntax
private-vlan vlan-id {community | primary | isolated}
no private-vlan vlan-id
• vlan-id - ID of private VLAN. (Range: 1-4094, no leading zeroes).
•...
no private-vlan primary-vlan-id association
• primary-vlan-id - ID of primary VLAN. (Range: 1-4094, no leading zeroes).
• secondary-vlan-id - ID of secondary (i.e., community) VLAN. (Range: 1-4094, no leading zeroes).
Default Setting
None
Command Mode
VLAN Configuration
Command Usage
Secondary VLANs provide security for group members.
• To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#switchport mode private-vlan promiscuous
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#switchport mode private-vlan host
Console(config-if)#

switchport private-vlan host-association
Use this command to associate an interface with a secondary VLAN.
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Host ports assigned to an isolated VLAN cannot pass traffic between group members, and must communicate with resources outside of the group via a promiscuous port.
Example
Console(config)#interface ethernet 1/3
Console(config-if)#switchport private-vlan isolated 3...
show vlan private-vlan
Use this command to show the private VLAN configuration settings on this switch.
Syntax
show vlan private-vlan [community | isolated | primary]
• community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
•...
Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
manually defines the protocol-type with its hexadecimal code instead of choosing the preconfigured apple_talk, ip, or ipx protocol-types. The three preconfigured protocol-types match all frame-types.
Default Setting
No protocol groups are configured.
Command Mode
Global Configuration
Example
The following creates protocol group 1, and specifies the IPX protocol type. Protocol VLAN group 2 is created with protocol-type IPv6 (86DD) and frame-type ethernet specified:
Console(config)#protocol-vlan protocol-group 1 add protocol-type ipx...
- If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
- If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Example
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
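The classification rules above, worked through for the manual's own example (group 1 = IPX, group 2 = IPv6 86DD, port 1 maps group 1 to VLAN 2). This is an added illustration, not code from the switch or the manual; the EtherType codes for the preconfigured protocol-types, the port's default VLAN of 1, and the handling of tagged frames (kept in the VLAN named by their tag) are assumptions.

```python
"""Protocol-based VLAN classification for untagged frames.

Added example, not code from the switch or this manual. Group tables, port
tables and sample frames are constructed; the EtherType codes below for the
preconfigured protocol-types are assumed (Ethernet II frame-type only), and
tagged frames are assumed to stay in the VLAN named by their tag.
"""
from dataclasses import dataclass, field
from typing import Optional

# Preconfigured protocol-types -> EtherType (assumed values).
PRECONFIGURED = {"ip": 0x0800, "ipx": 0x8137, "apple_talk": 0x809B}


@dataclass
class Frame:
    ethertype: int
    vid: Optional[int] = None   # 802.1Q VID if tagged, None if untagged


@dataclass
class PortConfig:
    pvid: int                                          # default VLAN for untagged frames
    group_to_vlan: dict = field(default_factory=dict)  # protocol group -> VLAN


class ProtocolVlanClassifier:
    def __init__(self):
        self.groups = {}   # group id -> set of EtherTypes
        self.ports = {}    # port name -> PortConfig

    def add_protocol(self, group, proto):
        """protocol-vlan protocol-group <group> add protocol-type <proto>;
        proto is a preconfigured name or a hex code string such as '86DD'."""
        code = PRECONFIGURED[proto] if proto in PRECONFIGURED else int(proto, 16)
        self.groups.setdefault(group, set()).add(code)

    def map_group(self, port, group, vlan):
        """Interface-level mapping of a protocol group to a VLAN on one port."""
        self.ports[port].group_to_vlan[group] = vlan

    def classify(self, port, frame):
        """Return the VLAN a frame received on `port` is forwarded to."""
        cfg = self.ports[port]
        if frame.vid is not None:
            return frame.vid                     # tagged: VLAN from the tag (assumption)
        for group in sorted(cfg.group_to_vlan):  # lowest group id wins on overlap
            if frame.ethertype in self.groups.get(group, ()):
                return cfg.group_to_vlan[group]  # untagged + match -> group VLAN
        return cfg.pvid                          # untagged, no match -> default VLAN


def build_example():
    """Reproduce the manual's example: group 1 = IPX, group 2 = IPv6 (86DD),
    and port 1 maps group 1 to VLAN 2. The port's PVID of 1 is constructed."""
    c = ProtocolVlanClassifier()
    c.add_protocol(1, "ipx")
    c.add_protocol(2, "86DD")
    c.ports["eth1/1"] = PortConfig(pvid=1)
    c.map_group("eth1/1", 1, 2)
    return c


def run_demo():
    """Classify constructed frames arriving untagged or tagged on port 1."""
    c = build_example()
    return {
        "ipx_untagged": c.classify("eth1/1", Frame(0x8137)),
        "ipv4_untagged": c.classify("eth1/1", Frame(0x0800)),
        "ipv6_untagged": c.classify("eth1/1", Frame(0x86DD)),  # group 2 is not mapped on this port
        "tagged_vid5": c.classify("eth1/1", Frame(0x8137, vid=5)),
    }


if __name__ == "__main__":
    for name, vlan in run_demo().items():
        print(f"{name}: VLAN {vlan}")
```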
Priority Commands

show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Syntax
show interfaces protocol-vlan protocol-group [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-10)
•...
each queue before moving on to the next queue. Thus, a queue weighted 8 will be allowed to transmit up to 8 packets, after which the next lower priority queue will be serviced according to its weighting. This prevents the head-of-line blocking that can occur with strict priority queuing.
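A simulation of the weighted round-robin service described above against strict priority queuing, over the switch's four queues (0 to 3, 3 highest). This is an added example, not the switch's scheduler; the queue weights and packet labels are constructed.

```python
"""Weighted round-robin (WRR) versus strict priority over four queues.

Added example, not the switch's scheduler. Weights and packet labels are
constructed; queue 3 is the highest priority queue, as in the manual.
"""
from collections import deque


def make_queues(packets_per_queue):
    """Four backlogged queues, each pre-loaded with labelled packets (constructed)."""
    return {q: deque(f"q{q}-{i}" for i in range(packets_per_queue)) for q in range(4)}


def wrr_schedule(queues, weights, slots):
    """Serve each queue, highest priority first, for up to its weight in
    packets, then move on to the next queue; repeat while packets remain.
    Returns the transmit order for the first `slots` opportunities."""
    sent = []
    order = sorted(queues, reverse=True)
    while len(sent) < slots and any(queues.values()):
        for q in order:
            for _ in range(weights[q]):
                if not queues[q] or len(sent) >= slots:
                    break
                sent.append(queues[q].popleft())
    return sent


def strict_schedule(queues, slots):
    """Always transmit from the highest non-empty queue (head-of-line blocking
    for lower queues while higher ones stay busy)."""
    sent = []
    while len(sent) < slots and any(queues.values()):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                sent.append(queues[q].popleft())
                break
    return sent


def bandwidth_share(weights):
    """Long-run share of the link each queue gets under WRR when every queue
    stays backlogged; this is what the weights in show queue bandwidth imply."""
    total = sum(weights.values())
    return {q: w / total for q, w in weights.items()}


def queue_of(packet):
    return packet.split("-")[0]


def compare(weights, packets_per_queue=10, slots=15):
    """Transmit order (by queue) under both schedulers for the same backlog."""
    wrr = [queue_of(p) for p in wrr_schedule(make_queues(packets_per_queue), weights, slots)]
    strict = [queue_of(p) for p in strict_schedule(make_queues(packets_per_queue), slots)]
    return {"wrr": wrr, "strict": strict}


if __name__ == "__main__":
    WEIGHTS = {0: 1, 1: 2, 2: 4, 3: 8}   # constructed weights
    result = compare(WEIGHTS)
    print("WRR   :", " ".join(result["wrr"]))
    print("strict:", " ".join(result["strict"]))
    print("shares:", bandwidth_share(WEIGHTS))
```

With the constructed weights, queue 0 is served once per round under WRR but never within the first 15 slots under strict priority.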
ports is zero. Therefore, any inbound frames that do not have priority tags will be placed in queue 0 of the output port. (Note that if the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.)
Example
The following example shows how to set a default priority on port 3 to 5:...
Syntax
queue cos-map queue_id [cos1 ... cosn]
no queue cos-map
• queue_id - The ID of the priority queue. Ranges are 0 to 3, where 3 is the highest priority queue.
• cos1 .. cosn - The CoS values that are mapped to the queue ID. It is a space-separated list of numbers.
Command Mode
Privileged Exec
Example
Console#show queue mode
Queue mode: wrr
Console#

show queue bandwidth
This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show queue bandwidth
Queue ID Weight...
The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS queue 0.
Table 4-70 IP DSCP to CoS Queue
IP DSCP Value | CoS Queue
0, 8 |
10, 12, 14, 16, 18, 20, 22, 24 |
26, 28, 30, 32, 34, 36, 38, 40, 42 | 2...
Command Mode
Global Configuration
Command Usage
• The command map ip port enables the feature on the switch. The command map ip port port-number cos cos-queue maps IP ports to port CoS queues.
• The precedence for priority mapping is IP Port, IP Precedence/DSCP/TOS, and default switchport priority.
• This command sets the IP Precedence priority for all interfaces.
• IP Precedence, IP DSCP, and IP TOS Priority cannot all be enabled at the same time. Enabling one of these priority types automatically disables the others.
• The precedence for priority mapping is IP Port, IP Precedence/DSCP/TOS, and default switchport priority.
• This command sets the IP TOS priority for all interfaces.
• IP Precedence, IP DSCP, and IP TOS Priority cannot all be enabled at the same time.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
You must configure an ACL before you can map a CoS queue to the rule.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#map access-list mac steve cos 0
Console(config-if)#

show map ip dscp
This command shows the IP DSCP priority map.
Command Mode
Privileged Exec
Example
The following shows that FTP traffic has been mapped to CoS value 2:
Console#show map ip port
TCP Port Mapping Status: Disabled
Port no. COS
-------- ---
Console#
Related Commands
map ip port (4-252)

show map ip precedence
Use this command to show the IP precedence priority map.
Syntax
show map ip tos
Command Mode
Privileged Exec
Example
Console#show map ip tos
tos Mapping Status: Disabled
TOS COS
--- ---
Console#
Related Commands
map ip tos (4-254)

show map access-list
This command shows the CoS queue mapped to an ACL for the current interface.
Syntax
show map access-list <ip | mac>...
Example
Console#show map access-list ip
Eth 1/1
access-list ip aclname cos 3
Console#

Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs.
Use the set command to modify the QoS value for the matching traffic class, and use the police command to monitor the average flow and burst rate, and either drop any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
• acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.
Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.
Command Mode
Policy Map Configuration
Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the:
  - set command classifies the service that an IP packet will receive.
Example
This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-16 characters)
Default Setting
Displays all class maps.
Command Mode
Privileged Exec
Example...
Voice VLAN Commands
Example
Console#show policy-map
Policy Map rd_policy
class rd_class
set ip dscp 3
Console#show policy-map rd_policy class rd_class
Policy Map rd_policy
class rd_class
set ip dscp 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface...
voice vlan aging
This command sets the Voice VLAN ID time out. Use the no form to restore the default.
Syntax
voice vlan aging minutes
no voice vlan aging
minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
Default Setting
1440 minutes...
Command Usage
• VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
switchport voice vlan rule
This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port.
Syntax
[no] switchport voice vlan rule {oui | lldp}
•...
Command Usage
• Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch.
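The OUI detection rule, the security filter just described and the voice vlan aging timeout (default 1440 minutes), worked through on constructed frames. This is an added example, not the switch's code; the voice VLAN ID, the OUI list entries and the sample MAC addresses are constructed, and the LLDP rule is simplified to a per-port flag for a discovered phone.

```python
"""Voice VLAN detection by Telephony OUI, security filtering and aging.

Added example, not the switch's implementation. The voice VLAN ID, the OUI
list entries and the MAC addresses below are constructed; the LLDP rule is
reduced to a per-port flag set when LLDP has discovered a VoIP device.
"""
from dataclasses import dataclass
from typing import Optional

VOICE_VLAN = 100                            # constructed voice VLAN ID
AGING_MINUTES = 1440                        # default of voice vlan aging
TELEPHONY_OUI = {"00:11:22", "00:33:44"}    # constructed Telephony OUI list


def oui_of(mac):
    """First three octets of a MAC address: the manufacturer's OUI."""
    return mac.lower()[:8]


@dataclass
class Frame:
    src_mac: str
    vid: Optional[int]      # 802.1Q VID, None if untagged


@dataclass
class VoicePort:
    name: str
    rules: frozenset                  # from switchport voice vlan rule {oui | lldp}
    security: bool = True             # security filtering enabled
    lldp_phone_seen: bool = False     # LLDP discovered a VoIP device on this port
    member: bool = False              # port currently a member of the voice VLAN
    last_voip_minute: Optional[int] = None

    def is_voip(self, frame):
        """Apply the detection methods selected for this port."""
        if "oui" in self.rules and oui_of(frame.src_mac) in TELEPHONY_OUI:
            return True
        return "lldp" in self.rules and self.lldp_phone_seen

    def receive(self, frame, now_minute):
        """Return 'forward' or 'discard' and refresh voice VLAN membership."""
        if self.is_voip(frame):
            self.member = True
            self.last_voip_minute = now_minute
            return "forward"
        if self.security and frame.vid == VOICE_VLAN:
            return "discard"   # non-VoIP packet tagged with the voice VLAN ID
        return "forward"

    def age(self, now_minute):
        """voice vlan aging: leave the voice VLAN after AGING_MINUTES without VoIP traffic."""
        if (self.member and self.last_voip_minute is not None
                and now_minute - self.last_voip_minute >= AGING_MINUTES):
            self.member = False
        return self.member


def run_scenario():
    """A phone and a PC behind the same port, OUI rule with security filtering."""
    port = VoicePort("eth1/7", frozenset({"oui"}))
    phone = Frame("00:11:22:aa:bb:cc", VOICE_VLAN)          # OUI in the list
    pc_voice_tagged = Frame("00:99:88:77:66:55", VOICE_VLAN)  # PC spoofing the voice tag
    pc_data = Frame("00:99:88:77:66:55", 10)                 # PC on its data VLAN
    r = {}
    r["phone"] = port.receive(phone, now_minute=0)
    r["member_after_phone"] = port.member
    r["pc_voice_tagged"] = port.receive(pc_voice_tagged, now_minute=1)
    r["pc_data"] = port.receive(pc_data, now_minute=1)
    r["member_before_aging"] = port.age(AGING_MINUTES - 1)
    r["member_after_aging"] = port.age(AGING_MINUTES)
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```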
show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Syntax
show voice vlan {oui | status}
• oui - Displays the OUI Telephony list.
• status - Displays the global and port Voice VLAN settings.
Default Setting
None
Command Mode...
Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Default Setting
Enabled
Command Mode
Global Configuration
Example
The following example enables IGMP snooping.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
Syntax
[no] ip igmp snooping vlan vlan-id static ip-address interface
•...
• 2 - IGMP Version 2
• 3 - IGMP Version 3
Default Setting
IGMP Version 2
Command Mode
Global Configuration
Command Usage
• All systems on the subnet must support the same version. If there are legacy devices in your network that only support Version 1, you will also have to configure this switch to use Version 1.
Example
Console(config)#ip igmp snooping leave-proxy
Console(config)#

ip igmp snooping immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
Command Mode
Privileged Exec
Command Usage
See “Configuring IGMP Snooping and Query Parameters” on page 3-207 for a description of the displayed items.
Example
The following shows the current IGMP snooping configuration:
Console#show ip igmp snooping
Service status: Enabled
Querier status: Enabled...
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1:
Console#show mac-address-table multicast vlan 1 igmp-snooping
VLAN M'cast IP addr. Member ports Type
---- --------------- ------------ -------
224.1.2.3 Eth1/11 IGMP
Console#

IGMP Query Commands (Layer 2)
This section describes commands used to configure Layer 2 IGMP query on the switch.
Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping query-count
This command configures the query count. Use the no form to restore the default.
Syntax
ip igmp snooping query-count count
no ip igmp snooping query-count
count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
Default Setting
125 seconds
Command Mode
Global Configuration
Example
The following shows how to configure the query interval to 100 seconds:
Console(config)#ip igmp snooping query-interval 100
Console(config)#

ip igmp snooping query-max-response-time
This command configures the query report delay. Use the no form to restore the default.
ip igmp snooping router-port-expire-time
This command configures the query timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
ip igmp snooping vlan mrouter
This command statically configures a multicast router port. Use the no form to remove the configuration.
Syntax
[no] ip igmp snooping vlan vlan-id mrouter interface
• vlan-id - VLAN ID (Range: 1-4094)
•...
Command Usage
Multicast router port types displayed include Static.
Example
The following shows that port 11 in VLAN 1 is attached to a multicast router:
Console#show ip igmp snooping mrouter vlan 1
VLAN M'cast Router Ports Type
---- ------------------- -------
Eth 1/11 Static...
Command Mode
Global Configuration
Command Usage
• IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port.
Syntax
{permit | deny}
Default Setting
Deny
Command Mode
IGMP Profile Configuration
Command Usage
• Each profile has only one access mode; either permit or deny.
• When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
[no] ip igmp filter profile-number
profile-number - An IGMP filter profile number. (Range: 1-4294967295)
Default Setting
None
Command Mode...
action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
• IGMP throttling can also be set on a trunk interface. When ports are configured as trunk members, the trunk uses the throttling settings of the first port member in the trunk.
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.
Syntax
show ip igmp throttle interface [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-10)
•...
Multicast VLAN Registration Commands
and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong.
Table 4-80 Multicast VLAN Registration Commands
Command | Function | Mode | Page
| Globally enables MVR, statically configures MVR group address(es), or specifies the MVR VLAN identifier | | 4-291
| Configures an interface as an MVR receiver or source port,...
Command Usage
• Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
Command Usage
• A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
• MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN.
show mvr
This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
The following displays information about the interfaces attached to the MVR VLAN:
Console#show mvr interface
Port    Type     Status        Immediate Leave
------- -------- ------------- ---------------
eth1/1  SOURCE   ACTIVE/UP     Disable
eth1/2  RECEIVER ACTIVE/UP     Disable
eth1/5  RECEIVER INACTIVE/DOWN Disable
eth1/6  RECEIVER INACTIVE/DOWN...
IP Interface Commands
An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
• If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
ip dhcp restart
This command submits a BOOTP or DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
•...
show ip redirects
This command shows the default gateway configured for this device.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip redirects
IP default gateway 10.1.0.254
Console#
Related Commands
ip default-gateway (4-297)

ping
This command sends ICMP echo request packets to another node on the network.
Syntax
ping host [size size] [count count]
•...
Example
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
Ping statistics for 10.1.0.9:
5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:...
DHCP Snooping Commands
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
Command Line Interface • When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping. • Table entries are only learned for untrusted interfaces. Each entry includes a MAC address, IP address, lease time, entry type (Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier.
DHCP Snooping Commands Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (4-303) ip dhcp snooping trust (4-304) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Command Line Interface ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
DHCP Snooping Commands ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function. Syntax [no] ip dhcp snooping verify mac-address Default Setting Enabled Command Mode...
Command Line Interface • When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
DHCP Snooping Commands ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
Command Line Interface show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example Console#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- --------- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console#...
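The following Python model is an added example, not ES3510 firmware and not code from the manual. It ties together the behaviour described above: server-originated DHCP messages are dropped on untrusted ports, verify mac-address compares the chaddr field with the Ethernet source address, a binding is learned only for the untrusted port where the client's request was seen, and later DECLINE/RELEASE messages are filtered against that binding. The message structure, port names, addresses and the exchange in demo() are all constructed for illustration.

```python
"""Model of the DHCP snooping decisions described above (trusted versus
untrusted ports, verify mac-address, and the binding table).

Added illustration, not ES3510 firmware and not code from the manual; the
message fields, port names and sample packets are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# DHCP message types (option 53, RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}           # only legitimate from a trusted port
CLIENT_BOUND_MSGS = {DECLINE, RELEASE}    # must match an existing binding


@dataclass
class DhcpMsg:
    port: str         # ingress interface, e.g. "Eth 1/5" (constructed names)
    vlan: int
    src_mac: str      # Ethernet header source address
    chaddr: str       # client hardware address carried in the DHCP payload
    msg_type: int
    yiaddr: str = ""  # address assigned by the server (OFFER/ACK)
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    entry_type: str   # "Dynamic-DHCP-Binding" or "Static-DHCP-Binding"
    vlan: int
    port: str


@dataclass
class DhcpSnooping:
    enabled_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)  # default: all untrusted
    verify_mac: bool = True                          # default: enabled
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)
    # client MAC -> (vlan, port) of a request seen on an untrusted port
    pending: Dict[str, Tuple[int, str]] = field(default_factory=dict)

    def process(self, m: DhcpMsg) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one DHCP message."""
        if m.vlan not in self.enabled_vlans:
            return "forward", "snooping not enabled on this VLAN"
        mac = m.chaddr.lower()
        if m.port in self.trusted_ports:
            # Server replies are accepted; an ACK for a client we saw on an
            # untrusted port creates a dynamic binding for that port.
            if m.msg_type == ACK and mac in self.pending:
                vlan, port = self.pending.pop(mac)
                self.bindings[(vlan, mac)] = Binding(
                    mac, m.yiaddr, m.lease, "Dynamic-DHCP-Binding", vlan, port)
            return "forward", "trusted port"
        # Untrusted port: block rogue servers first.
        if m.msg_type in SERVER_MSGS:
            return "drop", "server message on untrusted port"
        if self.verify_mac and mac != m.src_mac.lower():
            return "drop", "chaddr does not match Ethernet source MAC"
        if m.msg_type in CLIENT_BOUND_MSGS:
            b = self.bindings.get((m.vlan, mac))
            if b is None or b.port != m.port:
                return "drop", "no binding for this MAC on this port"
            return "forward", "matches existing binding"
        if m.msg_type in (DISCOVER, REQUEST):
            self.pending[mac] = (m.vlan, m.port)
        return "forward", "client message on untrusted port"


def demo():
    """Run a constructed exchange: Eth 1/1 is the uplink to the real server."""
    snoop = DhcpSnooping(enabled_vlans={1}, trusted_ports={"Eth 1/1"})
    client = "00-11-22-33-44-55"
    verdicts = [
        # client broadcast on untrusted port: forwarded, remembered as pending
        snoop.process(DhcpMsg("Eth 1/5", 1, client, client, DISCOVER))[0],
        # rogue server OFFER on another untrusted port: dropped
        snoop.process(DhcpMsg("Eth 1/7", 1, "aa-bb-cc-dd-ee-ff", client,
                              OFFER, "192.168.0.50"))[0],
        # REQUEST with a forged chaddr: dropped by verify mac-address
        snoop.process(DhcpMsg("Eth 1/7", 1, "aa-bb-cc-dd-ee-ff", client,
                              REQUEST))[0],
        # legitimate ACK on the trusted uplink: forwarded, binding learned
        snoop.process(DhcpMsg("Eth 1/1", 1, "00-00-5e-00-53-01", client,
                              ACK, "192.168.0.99", 86400))[0],
        # RELEASE for that MAC from a different port: dropped
        snoop.process(DhcpMsg("Eth 1/7", 1, client, client, RELEASE))[0],
    ]
    return verdicts, snoop
```

The binding produced by demo() corresponds to one row of show ip dhcp snooping binding (MAC, IP, lease, type, VLAN, interface) with the interface being the client's untrusted port, not the uplink on which the ACK arrived; that is the property IP source guard relies on.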
IP Source Guard Commands Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecured port which receives messages from outside the network or firewall, and therefore may be subject to IP address spoofing, where a host tries to use the IP address of a neighbor.
Command Line Interface Example This example enables IP source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip source-guard sip Console(config-if)# Related Commands ip source-guard binding (4-310) ip dhcp snooping (4-301) ip dhcp snooping vlan (4-303) ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
IP Source Guard Commands - If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. - If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
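The Python model below is an added example, not ES3510 code or text from the manual. It implements the replacement rules just listed for a static binding keyed on VLAN ID and MAC address, shows that a later dynamic DHCP snooping entry cannot downgrade a static one, and applies the resulting table as the ingress filter on a port where source guard is enabled, checking the source IP address only, which is how this example reads the sip keyword on the page. Port names, addresses and the sequence in demo() are constructed.

```python
"""IP source guard binding table and ingress check, modelled on the rules
in the text above. Added illustration, not ES3510 code; addresses, port
names and the demo() sequence are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

DYNAMIC = "dynamic DHCP snooping binding"
STATIC = "static IP source guard binding"


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    entry_type: str


class SourceGuard:
    def __init__(self) -> None:
        # Keyed on (VLAN ID, MAC): the replacement rules are stated for that pair.
        self.table: Dict[Tuple[int, str], Binding] = {}
        self.guarded_ports: set = set()   # ports with ip source-guard enabled

    def learn_dynamic(self, mac: str, ip: str, vlan: int, port: str) -> bool:
        """Entry supplied by DHCP snooping. A static entry is never replaced."""
        key = (vlan, mac.lower())
        if key in self.table and self.table[key].entry_type == STATIC:
            return False
        self.table[key] = Binding(mac.lower(), ip, vlan, port, DYNAMIC)
        return True

    def add_static(self, mac: str, ip: str, vlan: int, port: str) -> Binding:
        """ip source-guard binding: an entry with the same VLAN ID and MAC is
        replaced, and a dynamic entry becomes a static one."""
        key = (vlan, mac.lower())
        self.table[key] = Binding(mac.lower(), ip, vlan, port, STATIC)
        return self.table[key]

    def remove_static(self, mac: str, vlan: int) -> bool:
        """no ip source-guard binding: only static entries are removable here."""
        key = (vlan, mac.lower())
        if key in self.table and self.table[key].entry_type == STATIC:
            del self.table[key]
            return True
        return False

    def permit(self, port: str, vlan: int, src_ip: str) -> bool:
        """Ingress check. Unguarded ports pass everything; a guarded port only
        passes packets whose source IP is bound to that port and VLAN."""
        if port not in self.guarded_ports:
            return True
        return any(b.port == port and b.vlan == vlan and b.ip == src_ip
                   for b in self.table.values())


def demo() -> dict:
    """Constructed sequence: port 5 is guarded, port 6 is not."""
    sg = SourceGuard()
    sg.guarded_ports.add("Eth 1/5")
    client = "00-11-22-33-44-55"
    sg.learn_dynamic(client, "192.168.0.99", 1, "Eth 1/5")
    out = {"before": sg.table[(1, client)].entry_type,
           "leased_ok": sg.permit("Eth 1/5", 1, "192.168.0.99"),
           # host on port 5 tries a neighbour's address: dropped
           "spoof": sg.permit("Eth 1/5", 1, "192.168.0.1")}
    # static binding for the same VLAN+MAC replaces the dynamic entry
    sg.add_static(client, "192.168.0.100", 1, "Eth 1/5")
    out["after"] = sg.table[(1, client)].entry_type
    out["old_lease_now"] = sg.permit("Eth 1/5", 1, "192.168.0.99")
    out["static_ok"] = sg.permit("Eth 1/5", 1, "192.168.0.100")
    # a later DHCP lease cannot overwrite the static entry
    out["relearned"] = sg.learn_dynamic(client, "192.168.0.99", 1, "Eth 1/5")
    # unguarded port is not filtered at all
    out["unguarded"] = sg.permit("Eth 1/6", 1, "192.168.0.1")
    out["entries"] = len(sg.table)
    return out
```

Because the key is (VLAN, MAC), a static binding for a host that has already obtained a lease silently replaces the lease's address; after add_static the previously leased address is no longer permitted on that port, which demo() shows.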
Command Line Interface Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster. The management station uses Telnet to communicate directly with the Commander through its IP address, and the Commander manages Member switches using cluster “internal”...
Switch Cluster Commands Example Console(config)#cluster Console(config)# cluster commander This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. Syntax [no] cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage •...
Command Line Interface switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36. Set a Cluster IP Pool that does not conflict with addresses in the network IP •...
Switch Cluster Commands Command Mode Privileged Exec Command Usage • This command only operates through a Telnet connection to the Commander switch. Managing cluster Members using the local console CLI on the Commander is not supported. There is no need to enter the username and password for access to the •...
Command Line Interface show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example Console#show cluster candidates Cluster Candidates: Role Description --------------- ----------------- ----------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 24/48 L2/L4 IPV4/IPV6 GE Switch CANDIDATE 00-12-cf-0b-47-a0 24/48 L2/L4 IPV4/IPV6 GE Switch Console# UPnP Commands...
UPnP Commands Example In the following example, UPnP is enabled on the device. Console(config)#upnp device Console(config)# Related Commands upnp device ttl (4-317) upnp device advertise duration (4-317) upnp device ttl This command sets the time-to-live (TTL) value for sending of UPnP messages from the device.
Command Line Interface Command Mode Global Configuration Example In the following example, the device advertise duration is set to 200 seconds. Console(config)#upnp device advertise duration 200 Console(config)# Related Commands upnp device ttl (4-317) show upnp This command displays the UPnP management status and time out settings. Command Mode Privileged Exec Example...
Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1X, MAC Authentication, Web Authentication), HTTPS, SSH, Port Security Access Control Lists IP, MAC; 100 rules per system DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/LH - 1000 Mbps at full duplex (SFP) Flow Control Full Duplex: IEEE 802.3-2005...
Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom: Cannot connect using Telnet, web browser, or SNMP software. Action: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so...
Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
Index Simple Network Management Protocol system mode, normal or QinQ 3-157, See SNMP 4-232 SNMP 3-34 system software, downloading from community string 3-36, 3-39, 3-41, server 3-19 3-42, 3-45, 4-135 enabling traps 3-36, 4-139 filtering IP addresses 3-95 TACACS+, logon authentication 3-49, trap manager 3-36, 4-137 4-85 software...
Index Web interface access requirements 3-1 configuration buttons 3-3 home page 3-2 menu list 3-4 panel display 3-3 Index-5...