Edge-Core ECS4610-24F Management Manual

24-port layer 3 gigabit ethernet switch
ECS4610-24F
24-Port Layer 3 Gigabit Ethernet Switch
Management Guide
www.edge-core.com
Summary of Contents for Edge-Core ECS4610-24F

  • Page 3: MANAGEMENT GUIDE, ECS4610-24F GIGABIT ETHERNET SWITCH. Layer 3 Switch, with 22 1000BASE-X SFP Ports, and 2 Combination Gigabit Ports (RJ-45/SFP). ECS4610-24F E052010/ST-R01 149100000092A...
  • Page 5: About This Guide

    ABOUT THIS GUIDE. Purpose: This guide gives specific information on how to operate and use the management functions of the switch. Audience: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 7: Table Of Contents

    CONTENTS: About This Guide; Contents; Figures; Tables; Section I Getting Started; Introduction: Key Features, Description of Software Features, Configuration Backup and Restore, Authentication, Access Control Lists, DHCP, Port Configuration, Port Mirroring, Port Trunking, Rate Limiting, Broadcast Storm Control, Static Addresses, IEEE 802.1D Bridge, Store-and-Forward Switching, Spanning Tree Algorithm, Virtual LANs...
  • Page 8 (Contents): Address Resolution Protocol, Multicast Filtering, Multicast Routing, Tunneling, System Defaults; Initial Switch Configuration: Connecting to the Switch, Configuration Options, Required Connections, Remote Connections, Basic Configuration, Console Connection, Setting Passwords, Setting an IP Address, Enabling SNMP Management Access, Managing System Files, Saving or Restoring Configuration Settings; Section II Web Configuration...
  • Page 9 (Contents): Showing System Files, Setting the System Clock, Setting the Time Manually, Configuring SNTP, Specifying SNTP Time Servers, Setting the Time Zone, Console Port Settings, Telnet Settings, Displaying CPU Utilization, Displaying Memory Utilization, Resetting the System; Interface Configuration: Port Configuration, Configuring by Port List, Configuring by Port Range, Displaying Connection Status...
  • Page 10 (Contents): Configuring Private VLAN Interfaces, IEEE 802.1Q Tunneling, Enabling QinQ Tunneling on the Switch, Adding an Interface to a QinQ Tunnel, Protocol VLANs, Configuring Protocol VLAN Groups, Mapping Protocol Groups to Interfaces, Configuring IP Subnet VLANs, Configuring MAC-based VLANs; Address Table Settings: Configuring MAC Address Learning...
  • Page 11 (Contents): 13 Security Measures: AAA Authorization and Accounting, Configuring Local/Remote Logon Authentication, Configuring Remote Logon Authentication Servers, Configuring AAA Accounting, Configuring AAA Authorization, Configuring User Accounts, Network Access (MAC Address Authentication), Configuring Global Settings for Network Access, Configuring Network Access for Ports, Configuring Port Link Detection, Configuring a MAC Address Filter, Displaying Secure MAC Address Information...
  • Page 12 (Contents): Filtering IP Addresses for Management Access, Configuring Port Security, Configuring 802.1X Port Authentication, Configuring 802.1X Global Settings, Configuring Port Settings for 802.1X, Displaying 802.1X Statistics, IP Source Guard, Configuring Ports for IP Source Guard, Configuring Static Bindings for IP Source Guard, Displaying Information for Dynamic IP Source Guard Bindings, DHCP Snooping, DHCP Snooping Configuration...
  • Page 13 (Contents): Remote Monitoring, Configuring RMON Alarms, Configuring RMON Events, Configuring RMON History Samples, Configuring RMON Statistical Samples; 15 Multicast Filtering: Overview, IGMP Protocol, Layer 2 IGMP (Snooping and Query), Configuring IGMP Snooping and Query Parameters, Specifying Static Interfaces for a Multicast Router, Assigning Interfaces to Multicast Services, Setting IGMP Snooping Status per Interface, Displaying Multicast Groups Discovered by IGMP Snooping...
  • Page 14 (Contents): Routing Protocols, Configuring IP Routing Interfaces, Configuring Local and Remote Interfaces, Using the Ping Function, Using the Trace Route Function, Address Resolution Protocol, Basic ARP Configuration, Configuring Static ARP Addresses, Displaying Dynamic or Local ARP Entries, Displaying ARP Statistics, Configuring Static Routes, Displaying the Routing Table, Equal-cost Multipath Routing...
  • Page 15 (Contents): Specifying Network Interfaces, Specifying Passive Interfaces, Specifying Static Neighbors, Configuring Route Redistribution, Specifying an Administrative Distance, Configuring Network Interfaces for RIP, Displaying RIP Interface Settings, Displaying Peer Router Information, Resetting RIP Statistics, Configuring the Open Shortest Path First Protocol (Version 2), Defining Network Areas Based on Addresses, Configuring General Protocol Settings, Displaying Administrative Settings and Statistics...
  • Page 16 (Contents): Configuring a Static Rendezvous Point, Configuring an RP Candidate, Displaying the BSR Router, Displaying RP Mapping; Section III Command Line Interface; 22 Using the Command Line Interface: Accessing the CLI, Console Connection, Telnet Connection, Entering Commands, Keywords and Arguments, Minimum Abbreviation, Command Completion, Getting Help on Commands, Partial Keyword Lookup...
  • Page 17 (Contents): 24 System Management Commands: Device Designation: hostname; System Status: show running-config, show startup-config, show system, show users, show version; Frame Size: jumbo frame; File Management: boot system, copy, delete, whichboot; Line: line, databits, exec-timeout, login, parity, password, password-thresh, silent-time, speed, stopbits...
  • Page 18 (Contents): logging trap, clear log, show log, show logging; SMTP Alerts: logging sendmail, logging sendmail host, logging sendmail level, logging sendmail destination-email, logging sendmail source-email, show logging sendmail; Time: sntp client, sntp poll, sntp server, show sntp, clock timezone, calendar set, show calendar; Time Range: time-range...
  • Page 19 (Contents): show snmp group, show snmp user, show snmp view, snmp-server notify-filter, show nlm oper-status, show snmp notify-filter; 26 Remote Monitoring Commands: rmon alarm, rmon event, rmon collection history, rmon collection stats, show rmon alarm, show rmon event, show rmon history, show rmon statistics; 27 Authentication...
  • Page 20 (Contents): show tacacs-server, aaa accounting commands, aaa accounting dot1x, aaa accounting exec, aaa accounting update, aaa authorization exec, aaa group server, server, accounting dot1x, accounting exec, authorization exec, show accounting; Web Server: ip http port, ip http server, ip http secure-server, ip http secure-port; Telnet Server: ip telnet max-sessions...
  • Page 21 (Contents): 802.1X Port Authentication: dot1x default, dot1x eapol-pass-through, dot1x system-auth-control, dot1x intrusion-action, dot1x max-req, dot1x operation-mode, dot1x port-control, dot1x re-authentication, dot1x timeout quiet-period, dot1x timeout re-authperiod, dot1x timeout supp-timeout, dot1x timeout tx-period, dot1x re-authenticate, show dot1x; Management IP Filter: management, show management; 28 General...
  • Page 22 (Contents): mac-authentication intrusion-action, mac-authentication max-mac-count, show network-access, show network-access mac-address-table, show network-access mac-filter; DHCP Snooping: ip dhcp snooping, ip dhcp snooping database flash, ip dhcp snooping information option, ip dhcp snooping information policy, ip dhcp snooping verify mac-address, ip dhcp snooping vlan, ip dhcp snooping trust, clear ip dhcp snooping database flash, show ip dhcp snooping...
  • Page 23 (Contents): 29 Access Control Lists: IPv4 ACLs: access-list ip, permit, deny (Standard IP ACL), permit, deny (Extended IPv4 ACL), ip access-group, show ip access-group, show ip access-list; IPv6 ACLs: access-list ipv6, permit, deny (Standard IPv6 ACL), permit, deny (Extended IPv6 ACL), show ipv6 access-list, ipv6 access-group, show ipv6 access-group...
  • Page 24 (Contents): shutdown, speed-duplex, switchport packet-rate, clear counters, show interfaces counters, show interfaces status, show interfaces switchport, test cable-diagnostics dsp, test loop internal, show cable-diagnostics, show loop internal; 31 Link Aggregation Commands: channel-group, lacp, lacp admin-key (Ethernet Interface), lacp port-priority, lacp system-priority, lacp admin-key (Port Channel), show lacp; 32 P...
  • Page 25 (Contents): spanning-tree mode, spanning-tree pathcost method, spanning-tree priority, spanning-tree mst configuration, spanning-tree transmission-limit, max-hops, mst priority, mst vlan, name, revision, spanning-tree bpdu-filter, spanning-tree bpdu-guard, spanning-tree cost, spanning-tree edge-port, spanning-tree link-type, spanning-tree loopback-detection, spanning-tree loopback-detection release-mode, spanning-tree loopback-detection trap, spanning-tree mst cost, spanning-tree mst port-priority, spanning-tree port-priority, spanning-tree root-guard...
  • Page 26 (Contents): Editing VLAN Groups: vlan database, vlan; Configuring VLAN Interfaces: interface vlan, switchport acceptable-frame-types, switchport allowed vlan, switchport ingress-filtering, switchport mode, switchport native vlan, vlan-trunking; Displaying VLAN Information: show vlan; Configuring IEEE 802.1Q Tunneling: dot1q-tunnel system-tunnel-control, switchport dot1q-tunnel mode, switchport dot1q-tunnel tpid, show dot1q-tunnel; Configuring Port-based Traffic Segmentation: traffic-segmentation...
  • Page 27 (Contents): Configuring MAC Based VLANs: mac-vlan, show mac-vlan; Configuring Voice VLANs: voice vlan, voice vlan aging, voice vlan mac-address, switchport voice vlan, switchport voice vlan priority, switchport voice vlan rule, switchport voice vlan security, show voice vlan; 37 Class of Service Commands: Priority Commands (Layer 2)
  • Page 28 (Contents): policy-map, class, police flow, police srtcm-color, police trtcm-color, set cos, set phb, service-policy, show class-map, show policy-map, show policy-map interface; 39 Multicast Filtering Commands: IGMP Snooping: ip igmp snooping, ip igmp snooping proxy-reporting, ip igmp snooping querier, ip igmp snooping router-alert-option-check, ip igmp snooping router-port-expire-time, ip igmp snooping tcn-flood, ip igmp snooping tcn-query-solicit...
  • Page 29 (Contents): Static Multicast Routing: ip igmp snooping vlan mrouter, show ip igmp snooping mrouter; IGMP Filtering and Throttling: ip igmp filter (Global Configuration), ip igmp profile, permit, deny, range, ip igmp filter (Interface Configuration), ip igmp max-groups, ip igmp max-groups action, show ip igmp filter, show ip igmp profile, show ip igmp throttle interface...
  • Page 30 (Contents): lldp holdtime-multiplier, lldp notification-interval, lldp refresh-interval, lldp reinit-delay, lldp tx-delay, lldp admin-status, lldp basic-tlv management-ip-address, lldp basic-tlv port-description, lldp basic-tlv system-capabilities, lldp basic-tlv system-description, lldp basic-tlv system-name, lldp dot1-tlv proto-ident, lldp dot1-tlv proto-vid, lldp dot1-tlv pvid, lldp dot1-tlv vlan-name, lldp dot3-tlv link-agg, lldp dot3-tlv mac-phy, lldp dot3-tlv max-frame...
  • Page 31 (Contents): 42 DHCP Commands: DHCP Client: ip dhcp restart client; DHCP Relay: ip dhcp relay server, ip dhcp restart relay; DHCP Server: ip dhcp excluded-address, ip dhcp pool, service dhcp, bootfile, client-identifier, default-router, dns-server, domain-name, hardware-address, host, lease, netbios-name-server, netbios-node-type, network, next-server...
  • Page 32 (Contents): show vrrp router counters (1004); 44 IP Interface Commands (1005): IP Interface (1005), Basic IP Configuration (1006), ip address (1006), ip default-gateway (1008), show ip interface (1009), traceroute (1009), ping (1010), ARP Configuration (1011), [entry name lost] (1011), arp timeout (1012), ip proxy-arp (1013), clear arp-cache...
  • Page 33 (Contents): redistribute (1031), timers basic (1032), version (1033), ip rip authentication mode (1034), ip rip authentication string (1035), ip rip receive version (1035), ip rip receive-packet (1036), ip rip send version (1037), ip rip send-packet (1038), ip rip split-horizon (1038), clear ip rip route (1039), show ip protocols rip...
  • Page 34 (Contents): ip ospf priority (1066), ip ospf retransmit-interval (1067), ip ospf transmit-delay (1068), passive-interface (1069), show ip ospf (1069), show ip ospf border-routers (1071), show ip ospf database (1072), show ip ospf interface (1078), show ip ospf neighbor (1080), show ip ospf route (1081), show ip ospf virtual-links (1081)...
  • Page 35 (Contents): ip pim register-rate-limit (1102), ip pim register-source (1103), ip pim rp-address (1104), ip pim rp-candidate (1105), ip pim spt-threshold (1107), ip pim dr-priority (1108), ip pim join-prune-interval (1109), clear ip pim bsr rp-set (1110), show ip pim bsr-router (1110), show ip pim rp mapping (1111), show ip pim rp-hash...
  • Page 37: Figures

    FIGURES: Figure 1: Home Page; Figure 2: Front Panel Indicators; Figure 3: System Information; Figure 4: General Switch Information; Figure 5: Configuring Support for Jumbo Frames; Figure 6: Displaying Bridge Extension Configuration; Figure 7: Copy Firmware; Figure 8: Saving the Running Configuration; Figure 9: Setting Start-Up Files; Figure 10: Displaying System Files; Figure 11: Manually Setting the System Clock...
  • Page 38 (Figures): Figure 32: Creating Static Trunks; Figure 33: Adding Static Trunk Members; Figure 34: Configuring Connection Parameters for a Static Trunk; Figure 35: Displaying Connection Parameters for Static Trunks; Figure 36: Configuring Dynamic Trunks; Figure 37: Configuring the LACP Aggregator Admin Key; Figure 38: Enabling LACP on a Port; Figure 39: Configuring LACP Parameters on a Port; Figure 40: Showing Members of a Dynamic Trunk...
  • Page 39 (Figures): Figure 68: Enabling QinQ Tunneling; Figure 69: Adding an Interface to a QinQ Tunnel; Figure 70: Configuring Protocol VLANs; Figure 71: Displaying Protocol VLANs; Figure 72: Assigning Interfaces to Protocol VLANs; Figure 73: Showing the Interface to Protocol Group Mapping; Figure 74: Configuring IP Subnet VLANs; Figure 75: Showing IP Subnet VLANs; Figure 76: Configuring MAC-Based VLANs...
  • Page 40 (Figures): Figure 104: Configuring Broadcast Storm Control; Figure 105: Configuring a Class Map; Figure 106: Showing Class Maps; Figure 107: Adding Rules to a Class Map; Figure 108: Showing the Rules for a Class Map; Figure 109: Configuring a Policy Map; Figure 110: Showing Policy Maps; Figure 111: Adding Rules to a Policy Map; Figure 112: Showing the Rules for a Policy Map...
  • Page 41 (Figures): Figure 140: Configuring a MAC Address Filter for Network Access; Figure 141: Showing the MAC Address Filter Table for Network Access; Figure 142: Showing Addresses Authenticated for Network Access; Figure 143: Configuring HTTPS; Figure 144: Downloading the Secure-Site Certificate; Figure 145: Configuring the SSH Server; Figure 146: Generating the SSH Host Key Pair; Figure 147: Showing the SSH Host Key Pair...
  • Page 42 (Figures): Figure 176: Configuring Static Bindings for IP Source Guard; Figure 177: Displaying Static Bindings for IP Source Guard; Figure 178: Showing the IP Source Guard Binding Table; Figure 179: Configuring Global Settings for DHCP Snooping; Figure 180: Configuring DHCP Snooping on a VLAN; Figure 181: Configuring the Port Mode for DHCP Snooping; Figure 182: Displaying the Binding Table for DHCP Snooping; Figure 183: Configuring Settings for System Memory Logs...
  • Page 43 (Figures): Figure 212: Configuring Trap Managers (SNMPv2c); Figure 213: Configuring Trap Managers (SNMPv3); Figure 214: Showing Trap Managers; Figure 215: Configuring an RMON Alarm; Figure 216: Showing Configured RMON Alarms; Figure 217: Configuring an RMON Event; Figure 218: Showing Configured RMON Events; Figure 219: Configuring an RMON History Sample; Figure 220: Showing Configured RMON History Samples; Figure 221: Showing Collected RMON History Samples...
  • Page 44 (Figures): Figure 248: Displaying Multicast Groups Learned from IGMP (Information); Figure 249: Displaying Multicast Groups Learned from IGMP (Detail); Figure 250: MVR Concept; Figure 251: Configuring Global Settings for MVR; Figure 252: Configuring the Group Range for MVR; Figure 253: Showing the Configured Group Range for MVR; Figure 254: Configuring Interface Settings for MVR; Figure 255: Assigning Static MVR Groups to a Port; Figure 256: Showing the Static MVR Groups Assigned to a Port...
  • Page 45 (Figures): Figure 284: Showing Counters for Errors Found in a VRRP Group; Figure 285: Configuring General Settings for DNS; Figure 286: Configuring a List of Domain Names for DNS; Figure 287: Showing the List of Domain Names for DNS; Figure 288: Configuring a List of Name Servers for DNS; Figure 289: Showing the List of Name Servers for DNS; Figure 290: Configuring Static Entries in the DNS Table; Figure 291: Showing Static Entries in the DNS Table...
  • Page 46 (Figures): Figure 320: Showing the Distance Assigned to External Routes; Figure 321: Configuring a Network Interface for RIP; Figure 322: Showing RIP Network Interface Settings; Figure 323: Showing RIP Interface Settings; Figure 324: Showing RIP Peer Information; Figure 325: Resetting RIP Statistics; Figure 326: Configuring OSPF; Figure 327: OSPF Areas; Figure 328: Defining OSPF Network Areas Based on Addresses...
  • Page 47 (Figures): Figure 356: Configuring Detailed Settings for a Virtual Link; Figure 357: Showing MD5 Authentication Keys; Figure 358: Displaying Information in the Link State Database; Figure 359: Displaying Virtual Links Stored in the Link State Database; Figure 360: Displaying Neighbor Routers Stored in the Link State Database; Figure 361: Enabling Multicast Routing; Figure 362: Displaying the Multicast Routing Table; Figure 363: Displaying Detailed Entries from the Multicast Routing Table...
  • Page 49: Tables

    TABLES: Table 1: Key Features; Table 2: System Defaults; Table 3: Web Page Configuration Buttons; Table 4: Switch Main Menu; Table 5: Port Statistics; Table 6: LACP Port Counters; Table 7: LACP Internal Configuration Information; Table 8: LACP Internal Configuration Information; Table 9: Recommended STA Path Cost Range; Table 10: Default STA Path Costs; Table 11: Dynamic QoS Profiles...
  • Page 50 (Tables): Table 32: System Management Commands; Table 33: Device Designation Commands; Table 34: System Status Commands; Table 35: Frame Size Commands; Table 36: Flash/File Commands; Table 37: File Directory Information; Table 38: Line Commands; Table 39: Event Logging Commands; Table 40: Logging Levels; Table 41: show logging flash/ram - display description; Table 42: show logging trap - display description; Table 43: Event Logging Commands...
  • Page 51 (Tables): Table 68: Network Access Commands; Table 69: Dynamic QoS Profiles; Table 70: DHCP Snooping Commands; Table 71: IP Source Guard Commands; Table 72: ARP Inspection Commands; Table 73: Access Control List Commands; Table 74: IPv4 ACL Commands; Table 75: IPv4 ACL Commands; Table 76: MAC ACL Commands; Table 77: ARP ACL Commands; Table 78: ACL Information Commands...
  • Page 52 (Tables): Table 104: Voice VLAN Commands; Table 105: Priority Commands; Table 106: Priority Commands (Layer 2); Table 107: Default CoS Priority Levels; Table 108: Priority Commands (Layer 3 and 4); Table 109: Mapping IP DSCP to CoS Values; Table 110: Mapping IP Precedence to CoS Values; Table 111: Quality of Service Commands; Table 112: Multicast Filtering Commands; Table 113: IGMP Snooping Commands...
  • Page 53 (Tables): Table 140: Global Routing Configuration Commands (1019); Table 141: Routing Information Protocol Commands (1024); Table 142: Open Shortest Path First Commands (1042); Table 143: show ip ospf - display description (1070); Table 144: show ip ospf database - display description (1073); Table 145: show ip ospf database summary - display description (1074)...
  • Page 55: Section I

    SECTION I: GETTING STARTED. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: "Introduction" on page 57...
  • Page 57: Introduction / Key Features

    INTRODUCTION. This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch's performance for your particular network environment.
  • Page 58: Description Of Software Features

    Introduction chapter, Description of Software Features. Table 1: Key Features (Continued), Feature: Description. IEEE 802.1D Bridge: Supports dynamic data switching and address learning. Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames. Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP). Virtual LANs: Up to 256 using IEEE 802.1Q, port-based, protocol-based, private...
  • Page 59: Authentication (continued)

    Introduction chapter, Description of Software Features. ...TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then relays EAP between the switch and the authentication server (i.e., a RADIUS or TACACS+ server) to verify the client's right to access the network.
  • Page 60: Rate Limiting

    Introduction chapter, Description of Software Features. RATE LIMITING: This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 61: Spanning Tree Algorithm (continued) / Virtual LANs

    Introduction chapter, Description of Software Features. ...the IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) –...
  • Page 62: Traffic Prioritization

    Introduction chapter, Description of Software Features. TRAFFIC PRIORITIZATION: This switch prioritizes each packet based on the required level of service, using eight priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application.
  • Page 63: Equal-Cost Multipath Load Balancing

    Introduction chapter, Description of Software Features. EQUAL-COST MULTIPATH LOAD BALANCING: When the routing table holds multiple paths to the same destination with the same path cost, the Equal-cost Multipath (ECMP) algorithm first checks whether that cost is lower than the cost of every other routing entry for the destination. If it is the lowest in the table, the switch uses up to eight of the paths sharing that lowest cost to balance traffic forwarded to the destination.
  • Page 64: Multicast Routing (continued) / Tunneling

    Introduction chapter, System Defaults. ...the overhead of frequent flooding is justified, while Sparse mode is designed for network areas, such as the Wide Area Network, where the probability of multicast clients is low. TUNNELING: Configures tunnels for customer traffic crossing the service provider's network using IEEE 802.1Q.
  • Page 65 (Introduction chapter, System Defaults): Table 2: System Defaults (Continued), Function / Parameter / Default. Web Management: HTTP Server, Enabled; HTTP Port Number, [value not captured]; HTTP Secure Server, Disabled; HTTP Secure Server Redirect, Disabled. SNMP: SNMP Agent, Enabled; Community Strings, "public" (read only) and "private" (read/write); Traps, authentication traps enabled, link-up-down events enabled...
  • Page 66 (Introduction chapter, System Defaults): Table 2: System Defaults (Continued), Function / Parameter / Default. Traffic Prioritization: Ingress Port Priority, [value not captured]; Queue Mode, Strict; Weighted Round Robin, Queue: 0 1 2 3 4 ..., Weight: 1 2 4 6 8 10 12 14; Class of Service, Enabled; IP Precedence Priority, Disabled...
  • Page 67: Initial Switch Configuration

    INITIAL SWITCH CONFIGURATION. This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH: The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 68: Required Connections

    Initial Switch Configuration chapter, Connecting to the Switch. (continued list of management capabilities)
    ◆ Control port access through IEEE 802.1X security or static address filtering
    ◆ Filter packets using Access Control Lists (ACLs)
    ◆ Configure up to 4093 IEEE 802.1Q VLANs
    ◆ Enable GVRP automatic VLAN registration
    ◆ ...
  • Page 69: Remote Connections

    Initial Switch Configuration chapter, Connecting to the Switch. Make sure the terminal emulation software is set as follows:
    ■ Select the appropriate serial port (COM port 1 or COM port 2).
    ■ Set the baud rate to 115200 bps.
    ■ Set the data format to 8 data bits, 1 stop bit, and no parity.
  • Page 70: Basic Configuration

    Press <Enter>. Type "username admin password 0 password" for the Privileged Exec level, where password is your new password (the 0 indicates that the password that follows is typed in plain text). Press <Enter>.
    Username: admin
    Password:
    CLI session with the ECS4610-24F is opened.
    To end the CLI session, enter [Exit].
  • Page 71: Setting An IP Address

    Initial Switch Configuration chapter, Basic Configuration.
    Console#configure
    Console(config)#username guest password 0 [password]
    Console(config)#username admin password 0 [password]
    Console(config)#
    SETTING AN IP ADDRESS: You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: Manual —...
  • Page 72 (Initial Switch Configuration chapter, Basic Configuration): To set the IP address of the default gateway for the network to which the switch belongs, type "ip default-gateway gateway," where "gateway" is the IP address of the default gateway. Press <Enter>.
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.5 255.255.255.0
    Console(config-if)#exit...
  • Page 73: Enabling SNMP Management Access

    Initial Switch Configuration chapter, Basic Configuration. Then save your configuration changes by typing "copy running-config startup-config." Enter the startup file name and press <Enter>.
    Console(config)#interface vlan 1
    Console(config-if)#ip address dhcp
    Console(config-if)#end
    Console#show ip interface
    IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: DHCP
    Console#copy running-config startup-config
    Startup configuration file name []: startup...
  • Page 74 (Initial Switch Configuration chapter, Basic Configuration): To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps: From the Global Configuration mode prompt (entered from Privileged Exec), type "snmp-server community string mode,"...
  • Page 75: Configuring Access for SNMP Version 3 Clients / Managing System Files

    Initial Switch Configuration chapter. CONFIGURING ACCESS FOR SNMP VERSION 3 CLIENTS: To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to a group.
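    The two procedures above (replacing the SNMPv1/v2c community strings, and building SNMPv3 access as view, then group, then user) are easy to get half right: the Table 2 defaults ("public"/"private", HTTPS disabled) survive if new strings are merely added beside them, and a v3 user inherits whatever security level its group was created with. The Python audit below is an added example, not part of the manual and not Edge-Core code. It runs over a constructed running-config; the "snmp-server community", "snmp-server group", "snmp-server user" and "ip http" line forms are assumed to follow the switch CLI and are not taken from this page, so check them against "show running-config" on your own unit before relying on the checks.

```python
"""Audit an Edge-Core-style running-config for weak SNMP and web-management
settings.  Added example, not from the ECS4610-24F manual.  The config text
is constructed and the snmp-server / ip http line formats are assumed."""
import re

# Community strings the manual lists as factory defaults (Table 2).
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: what a switch might show after an admin added SNMPv3
# access but never removed the defaults or enabled HTTPS.  Secrets are
# replaced with <redacted>; the line syntax is assumed, not copied.
WEAK_CONFIG = """\
hostname ECS4610-24F
snmp-server community public ro
snmp-server community private rw
snmp-server view secops-view 1.3.6.1.2.1 included
snmp-server group secops-group v3 priv read secops-view
snmp-server group helpdesk-group v3 noauth read secops-view
snmp-server user alice secops-group v3 encrypted auth sha <redacted> priv des56 <redacted>
snmp-server user bob helpdesk-group v3
ip http server
no ip http secure-server
interface vlan 1
 ip address 192.168.1.5 255.255.255.0
"""

# Constructed hardened counterpart: defaults gone, v3 priv only, HTTPS only.
HARDENED_CONFIG = """\
hostname ECS4610-24F
snmp-server view secops-view 1.3.6.1.2.1 included
snmp-server group secops-group v3 priv read secops-view
snmp-server user alice secops-group v3 encrypted auth sha <redacted> priv des56 <redacted>
no ip http server
ip http secure-server
interface vlan 1
 ip address 192.168.1.5 255.255.255.0
"""

COMMUNITY_RE = re.compile(r"snmp-server community (\S+) (ro|rw)$")
GROUP_RE = re.compile(r"snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?")
USER_RE = re.compile(r"snmp-server user (\S+) (\S+) (v1|v2c|v3)")


def audit_config(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    groups = {}  # group name -> "priv"/"auth"/"noauth" for v3, or "v1"/"v2c"
    lines = [line.strip() for line in text.splitlines()]

    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode = m.groups()
            if name in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{name}' ({mode}) is still configured")
            continue

        m = GROUP_RE.match(line)
        if m:
            grp, ver, level = m.groups()
            groups[grp] = level if ver == "v3" else ver
            if ver != "v3":
                findings.append(f"SNMP group '{grp}' uses {ver}: community strings travel in cleartext")
            elif level != "priv":
                findings.append(f"SNMPv3 group '{grp}' is '{level}', so its traffic is not encrypted")
            continue

        m = USER_RE.match(line)
        if m:
            user, grp, ver = m.groups()
            # Groups precede users in the running-config; an unknown group is
            # reported rather than silently trusted.
            level = groups.get(grp, "unknown")
            if ver == "v3" and level != "priv":
                findings.append(f"SNMPv3 user '{user}' is in group '{grp}' (level {level}); no privacy")

    # Table 2 defaults: HTTP on, HTTPS off.  Flag cleartext-only web management.
    # Exact-line membership, so "no ip http secure-server" does not count as enabled.
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append("HTTP management is enabled while HTTPS is disabled: logins go in cleartext")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

    Run it against a saved "show running-config" capture rather than over the live CLI; the checks are deliberately exact-match so that a "no ip http secure-server" line is never mistaken for HTTPS being on, and a v3 user whose group was never defined is reported as "unknown" instead of passing.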
  • Page 76: Managing System Files (continued) / Saving Or Restoring Configuration Settings

    Initial Switch Configuration chapter, Managing System Files.
    ◆ Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).
    Due to the size limit of the flash memory, the switch supports only two operation code files.
  • Page 77 (Initial Switch Configuration chapter, Managing System Files): To restore configuration settings from a backup server, enter the following command: From the Privileged Exec mode prompt, type "copy tftp startup-config" and press <Enter>. Enter the address of the TFTP server. Press <Enter>. Enter the name of the startup file stored on the server. Note that TFTP provides neither authentication nor encryption, so the transfer should only be performed over a management network you trust.
  • Page 79: Section II

    SECTION II: WEB CONFIGURATION. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 81; "Basic Management Tasks" on page 101; ...
  • Page 80 (Section II, Web Configuration): ... "Unicast Routing" on page 483; "Multicast Routing" on page 541.
  • Page 81: Using The Web Interface

    USING THE WEB INTERFACE. This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 82: Navigating The Web Browser Interface

    ...System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page. You can open a connection to the manufacturer's web site by clicking on the Edge-core logo.
  • Page 83: Configuration Options

    Using the Web Interface chapter, Navigating the Web Browser Interface. CONFIGURATION OPTIONS: Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 84: Main Menu

    | Using the Web Interface HAPTER Navigating the Web Browser Interface Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu Menu Description...
  • Page 85 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Trunk Static Configure Trunk Creates a trunk, along with the first port member Show Shows the configured trunk identifiers Add Member Specifies ports to group into static trunks Show Member Shows the port members for the selected trunk...
  • Page 86 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page VLAN Virtual LAN Static Creates VLAN groups Show Displays configured VLAN groups Modify Configures group name and administrative status Edit Member by VLAN Specifies VLAN attributes per VLAN Edit Member by Interface Specifies VLAN attributes per interface...
  • Page 87 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page MAC-Based Maps traffic with specified source MAC address to a VLAN Show Shows source MAC address to VLAN mapping MAC Address Learning Status Enables MAC address learning on selected interfaces Static...
  • Page 88 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page DiffServ Configure Class Creates a class map for a type of traffic Show Shows configured class maps Modify Modifies the name of a class map Add Rule Configures the criteria used to classify ingress traffic Show Rule...
  • Page 89 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Method Configures accounting for various service types Show Shows the accounting settings used for various service types Configure Service Sets the accouning method applied to specific interfaces for 802.1X, CLI command priivilege levels for the console port, and for Telnet...
  • Page 90 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Configure Host Key > Generate: Generates the host key pair (public and private); Show: Displays RSA and DSA host keys; deletes host keys; Configure User Key > Copy: Imports user public keys from TFTP server...
  • Page 91 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Configure Interface: Sets authentication parameters for individual ports; Show Statistics: Displays protocol statistics for the selected port; IP Source Guard: Filters IP traffic based on static entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table; Port Configuration...
  • Page 92 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Configure View > Add View: Adds an SNMP v3 view of the OID MIB; Show View: Shows configured SNMP v3 views; Add OID Subtree: Specifies a part of the subtree for the selected view; Show OID Subtree...
  • Page 93 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Show Details > History: Shows sampled data for each entry in the history group; Statistics: Shows sampled data for each entry in the history group; General > Routing Interface: Configures an IP interface for a VLAN...
  • Page 94 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Configure Detail: Configures detailed settings, such as advertisement interval, preemption, priority, and authentication; Show Statistics > Global Statistics: Displays global statistics for VRRP protocol packet errors; Group Statistics: Displays statistics for VRRP protocol events and errors on the...
  • Page 95 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Host: Adds an address entry for the specified host; Show: Shows DHCP pool list; Modify: Modifies the specified pool entry; Show IP Binding: Displays addresses currently bound to DHCP clients; UDP Helper > General...
  • Page 96 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Show: Shows configured IGMP filter profiles; Add Multicast Group Range: Assigns multicast groups to selected profile; Show Multicast Group Range: Shows multicast groups assigned to a profile; Configure Interface: Assigns IGMP filter profiles to port interfaces and sets throttling...
  • Page 97 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Routing Protocol > Routing Information Protocol > General > Configure: Enables or disables RIP, sets the global RIP attributes and timer values; Clear Route: Clears the specified route type or network interface from the routing table; Network...
  • Page 98 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – OSPF (Open Shortest Path First, Version 2) > Network Area: Defines OSPF area address, area ID, and process ID; Show: Shows configured areas; Show Process: Shows configured processes; System...
  • Page 99 | Using the Web Interface | Navigating the Web Browser Interface | Table 4: Switch Main Menu (Continued) – Show: Shows virtual links, neighbor address, and state; Configure Detailed Settings: Configures detailed protocol and authentication settings; Show MD5 Key: Shows the MD5 key ID used for each neighbor; Information > LSDB...
  • Page 101: Basic

    BASIC MANAGEMENT TASKS This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Switch Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. ◆ Configuring Support for Jumbo Frames –...
  • Page 102: Basic Management Task

    | Basic Management Tasks | Displaying System Information | PARAMETERS These parameters are displayed in the web interface: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for the switch’s network management subsystem. ◆ System Up Time –...
  • Page 103: Displaying Switch Hardware/Software Versions

    | Basic Management Tasks | Displaying Switch Hardware/Software Versions | DISPLAYING SWITCH HARDWARE/SOFTWARE VERSIONS Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. CLI REFERENCES ◆...
  • Page 104: Configuring Support For Jumbo Frames

    | Basic Management Tasks | Configuring Support for Jumbo Frames | Figure 4: General Switch Information. CONFIGURING SUPPORT FOR JUMBO FRAMES Use the System > Capability page to configure support for jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes for Gigabit Ethernet.
  • Page 105: Displaying Bridge Extension Capabilities

    | Basic Management Tasks | Displaying Bridge Extension Capabilities | Click Apply. Figure 5: Configuring Support for Jumbo Frames. DISPLAYING BRIDGE EXTENSION CAPABILITIES Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs.
  • Page 106: Managing System Files

    | Basic Management Tasks | Managing System Files | ◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch. ◆ GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register end stations with multicast groups. This switch does not support GMRP;...
  • Page 107 | Basic Management Tasks | Managing System Files | different name from the current version, and then set the new file as the startup file. CLI REFERENCES ◆ "copy" on page 595. PARAMETERS The following parameters are displayed in the web interface: ◆...
  • Page 108: Saving The Running Configuration To A Local File

    | Basic Management Tasks | Managing System Files | Select Copy from the Action list. Select FTP Upgrade, HTTP Upgrade, or TFTP Upgrade as the file transfer method. If FTP or TFTP Upgrade is used, enter the IP address of the file server. If FTP Upgrade is used, enter the user name and password for your account on the FTP server.
  • Page 109 | Basic Management Tasks | Managing System Files | PARAMETERS The following parameters are displayed in the web interface: ◆ Copy Type – The copy operation includes this option: ■ Running-Config – Copies the current configuration settings to a local file on the switch. ◆ Destination File Name –...
  • Page 110: Setting The Start-Up File

    | Basic Management Tasks | Managing System Files | SETTING THE START-UP FILE Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization. CLI REFERENCES ◆ "whichboot" on page 599 ◆ "boot system" on page 594...
  • Page 111: Setting The System Clock

    | Basic Management Tasks | Setting the System Clock | Select Show from the Action list. To delete a file, mark it in the File List and click Delete. Figure 10: Displaying System Files. SETTING THE SYSTEM CLOCK Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP).
  • Page 112: Configuring Sntp

    | Basic Management Tasks | Setting the System Clock | ◆ Day – Sets the day of the month. (Range: 1-31; Default: 1) ◆ Year – Sets the year. (Range: 2001-2100; Default: 2009) INTERFACE To manually set the system clock: Click System, then Time. Select Configure General from the Action list.
  • Page 113: Specifying Sntp Time Servers

    | Basic Management Tasks | Setting the System Clock | INTERFACE To set the polling interval for SNTP: Click System, then Time. Select Configure General from the Action list. Select SNTP from the Maintain Type list. Modify the polling interval if required. Click Apply. Figure 12: Setting the Polling Interval for SNTP. Use the System >...
  • Page 114: Setting The Time Zone

    | Basic Management Tasks | Setting the System Clock | Figure 13: Specifying SNTP Time Servers. SETTING THE TIME ZONE Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 115: Console Port Settings

    | Basic Management Tasks | Console Port Settings | Figure 14: Setting the Time Zone. CONSOLE SETTINGS Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 116 | Basic Management Tasks | Console Port Settings | ◆ Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 117: Telnet Settings

    | Basic Management Tasks | Telnet Settings | TELNET SETTINGS Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, timeouts, and a password.
  • Page 118: Displaying Cpu Utilization

    | Basic Management Tasks | Displaying CPU Utilization | INTERFACE To configure parameters for the console port: Click System, then Telnet. Specify the connection parameters as required. Click Apply. Figure 16: Telnet Connection Settings. DISPLAYING CPU UTILIZATION Use the System > CPU Utilization page to display information on CPU utilization.
  • Page 119: Displaying Memory Utilization

    | Basic Management Tasks | Displaying Memory Utilization | Figure 17: Displaying CPU Utilization. DISPLAYING MEMORY UTILIZATION Use the System > Memory Status page to display memory utilization parameters. CLI REFERENCES ◆ no comparable command. PARAMETERS The following parameters are displayed in the web interface: ◆...
  • Page 120: Resetting The System

    | Basic Management Tasks | Resetting the System | RESETTING THE SYSTEM Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI REFERENCES ◆ "reload (Privileged Exec)" on page 584...
  • Page 121 | Basic Management Tasks | Resetting the System | ■ Regularly – Specifies a periodic interval at which to reload the switch. Time: ■ HH - The hour at which to reload. (Range: 0-23) ■ MM - The minute at which to reload. (Range: 0-59) ■...
  • Page 122 | Basic Management Tasks | Resetting the System | Figure 20: Restarting the Switch (In). Figure 21: Restarting the Switch (At)...
  • Page 123 | Basic Management Tasks | Resetting the System | Figure 22: Restarting the Switch (Regularly)...
  • Page 125: Interface Configuration

    INTERFACE CONFIGURATION This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Port Mirroring – Sets the source and target ports for mirroring on the...
  • Page 126 | Interface Configuration | Port Configuration | ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
  • Page 127 | Interface Configuration | Port Configuration | operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation. Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
  • Page 128: Configuring By Port Range

    | Interface Configuration | Port Configuration | CONFIGURING BY PORT RANGE Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 129 | Interface Configuration | Port Configuration | PARAMETERS These parameters are displayed in the web interface: ◆ Port – Port identifier. ◆ Type – Indicates the port type. (1000Base-T, 1000Base SFP) ◆ Name – Interface label. ◆ Admin – Shows if the port is enabled or disabled. ◆ Oper Status –...
  • Page 130: Configuring Port Mirroring

    | Interface Configuration | Port Configuration | CONFIGURING PORT MIRRORING Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 131: Showing Port Or Trunk Statistics

    | Interface Configuration | Port Configuration | Figure 27: Configuring Local Port Mirroring. To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 28: Displaying Local Port Mirror Sessions. SHOWING PORT OR TRUNK STATISTICS Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and...
  • Page 132: Table 5: Port Statistics

    | Interface Configuration | Port Configuration | PARAMETERS These parameters are displayed in the web interface: Table 5: Port Statistics (Parameter, Description) – Interface Statistics: Received Octets – The total number of octets received on the interface, including framing characters. Transmitted Octets – The total number of octets transmitted out of the interface, including framing characters.
  • Page 133 | Interface Configuration | Port Configuration | Table 5: Port Statistics (Continued) – Deferred Transmissions – A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy. Frames Too Long – A count of frames received on a particular interface that exceed the maximum permitted frame size.
  • Page 134 | Interface Configuration | Port Configuration | Table 5: Port Statistics (Continued) – 65-127 Byte Packets / 128-255 Byte Packets / 256-511 Byte Packets – The total number of packets (including bad packets) received and transmitted where the number of octets falls within the specified range (excluding framing bits but including FCS octets).
  • Page 135: Trunk Configuration

    | Interface Configuration | Trunk Configuration | To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If Interface, Etherlike, or RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
  • Page 136: Configuring A Static Trunk

    | Interface Configuration | Trunk Configuration | mode. Should one link in the trunk fail, one of the standby ports will automatically be activated to replace it. COMMAND USAGE Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails.
  • Page 137 | Interface Configuration | Trunk Configuration | COMMAND USAGE ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 138 | Interface Configuration | Trunk Configuration | Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member. Click Apply. Figure 33: Adding Static Trunk Members. To configure connection parameters for a static trunk: Click Interface, Trunk, Static.
  • Page 139: Configuring A Dynamic Trunk

    | Interface Configuration | Trunk Configuration | Select Show Information from the Action list. Figure 35: Displaying Connection Parameters for Static Trunks. CONFIGURING A DYNAMIC TRUNK Use the Interface > Trunk > Dynamic (Configure Aggregator) page to set the administrative key for an aggregation group, enable LACP on a port, and configure protocol parameters for local and partner ports.
  • Page 140 | Interface Configuration | Trunk Configuration | If the LACP admin key is not set when a channel group is formed (i.e., it has a null value of 0), the operational value of this key is set to the same value as the port admin key used by the interfaces that joined the group (see the show lacp internal command described on...
  • Page 141 | Interface Configuration | Trunk Configuration | INTERFACE To configure the admin key for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Aggregator from the Step list. Set the Admin Key for the required LACP group. Click Apply. Figure 37: Configuring the LACP Aggregator Admin Key. To enable LACP for a port: Click Interface, Trunk, Dynamic.
  • Page 142 | Interface Configuration | Trunk Configuration | To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply. Figure 39: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 143 | Interface Configuration | Trunk Configuration | To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Configure from the Action List. Modify the required interface settings. (See "Configuring by Port List" on page 125 for a description of the interface settings.) Click Apply.
  • Page 144: Displaying Lacp Port Counters

    | Interface Configuration | Trunk Configuration | DISPLAYING LACP PORT COUNTERS Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI REFERENCES ◆ "show lacp" on page 793...
  • Page 145: Displaying Lacp Settings And Status For The Local Side

    | Interface Configuration | Trunk Configuration | Figure 43: Displaying LACP Port Counters. DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI R...
  • Page 146 | Interface Configuration | Trunk Configuration | Table 7: LACP Internal Configuration Information (Continued) – Admin State, Oper State – Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state; ◆ Defaulted –...
  • Page 147: Displaying Lacp Settings And Status For The Remote Side

    | Interface Configuration | Trunk Configuration | Figure 44: Displaying LACP Port Internal Information. DISPLAYING LACP SETTINGS AND STATUS FOR THE REMOTE SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
  • Page 148 | Interface Configuration | Trunk Configuration | INTERFACE To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Neighbors. Select a group member from the Port list. Figure 45: Displaying LACP Port Remote Information –...
  • Page 149: Traffic Segmentation

    | Interface Configuration | Traffic Segmentation | TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports.
  • Page 150: Configuring Uplink And Downlink Ports

    | Interface Configuration | Traffic Segmentation | CONFIGURING UPLINK AND DOWNLINK PORTS Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 151: Vlan Trunking

    | Interface Configuration | VLAN Trunking | VLAN TRUNKING Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI REFERENCES ◆ "vlan-trunking" on page 843. COMMAND USAGE ◆ Use this feature to configure a tunnel across one or more intermediate...
  • Page 152 | Interface Configuration | VLAN Trunking | PARAMETERS These parameters are displayed in the web interface: ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-24) ◆ VLAN trunking can only be enabled on Gigabit ports...
  • Page 153: Vlan Configuration

    VLAN CONFIGURATION This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ Private VLANs – Configures private VLANs, using primary for unrestricted upstream access and community groups which are restricted to other local group members or to the ports in the associated primary group.
  • Page 154 | VLAN Configuration | IEEE 802.1Q VLANs | or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 4093 VLANs based on the IEEE 802.1Q standard...
  • Page 155 | VLAN Configuration | IEEE 802.1Q VLANs | VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 156: Configuring Vlan Groups

    | VLAN Configuration | IEEE 802.1Q VLANs | Figure 51: Using GVRP [diagram labels: Port-based VLAN; ports 10, 11, 15, 16]. Forwarding Tagged/Untagged Frames: If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 157 | VLAN Configuration | IEEE 802.1Q VLANs | ◆ Status – Enables or disables the specified VLAN. Show: ◆ VLAN ID – ID of configured VLAN. ◆ VLAN Name – Name of the VLAN. ◆ Status – Operational status of configured VLAN...
  • Page 158: Adding Static Members To Vlans

    | VLAN Configuration | IEEE 802.1Q VLANs | Figure 53: Modifying Settings for Static VLANs. To show the configuration settings for VLAN groups: Click VLAN, Static. Select Show from the Action list. Figure 54: Showing Static VLANs. ADDING STATIC MEMBERS TO VLANS Use the VLAN > Static page to configure port members for the selected VLAN index, interface, or a range of interfaces.
  • Page 159 | VLAN Configuration | IEEE 802.1Q VLANs | PARAMETERS These parameters are displayed in the web interface: Edit Member by VLAN: ◆ VLAN – ID of configured VLAN (1-4093). ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-24) ◆ Trunk –...
  • Page 160 | VLAN Configuration | IEEE 802.1Q VLANs | ■ Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STP. However, it does affect VLAN dependent BPDU frames, such as GMRP. ◆ Membership Type – Select VLAN membership for each interface by...
  • Page 161 | VLAN Configuration | IEEE 802.1Q VLANs | Select Edit Member by VLAN from the Step list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required. Remember that Membership Type cannot be changed until an interface has been added to another VLAN and the PVID changed to anything other than 1.
  • Page 162 | VLAN Configuration | IEEE 802.1Q VLANs | Figure 56: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Step list. Set the Interface type to display as Port or Trunk. Enter an interface range.
  • Page 163: Configuring Dynamic Vlan Registration

    | VLAN Configuration | IEEE 802.1Q VLANs | CONFIGURING DYNAMIC VLAN REGISTRATION Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. CLI REFERENCES ◆ "GVRP and Bridge Extension Commands" on page 832...
  • Page 164 | VLAN Configuration | IEEE 802.1Q VLANs | Show Dynamic VLAN – Show VLAN: VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled) Show Dynamic VLAN –...
  • Page 165 | VLAN Configuration | IEEE 802.1Q VLANs | Figure 59: Configuring GVRP for an Interface. To show the dynamic VLANs joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 60: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic.
  • Page 166: Private Vlans

    | VLAN Configuration | Private VLANs | Figure 61: Showing the Members of a Dynamic VLAN. PRIVATE VLANS Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other...
  • Page 167: Creating Private Vlans

    | VLAN Configuration | Private VLANs | CREATING PRIVATE VLANS Use the VLAN > Private (Configure VLAN - Add) page to create primary or community VLANs. CLI REFERENCES ◆ "private-vlan" on page 853. PARAMETERS These parameters are displayed in the web interface: ◆...
  • Page 168: Associating Private Vlans

    | VLAN Configuration | Private VLANs | Figure 63: Showing Private VLANs. All member ports must be removed from the VLAN before it can be deleted. ASSOCIATING PRIVATE VLANS Use the VLAN > Private (Configure VLAN - Add Community VLAN) page to associate each community VLAN with a primary VLAN.
  • Page 169: Configuring Private Vlan Interfaces

    | VLAN Configuration | Private VLANs | Figure 64: Associating Private VLANs. To show a list of community VLANs associated with a primary VLAN: Click VLAN, Private. Select Configure VLAN from the Step list. Select Show Community VLAN from the Action list. Select an entry from the Primary VLAN list.
  • Page 170 | VLAN Configuration | Private VLANs | ■ Normal – The port is not assigned to a private VLAN. ■ Host – The port is a community port. A community port can communicate with other ports in its own community VLAN and with designated promiscuous port(s).
  • Page 171: Ieee 802.1Q Tunneling

    | VLAN Configuration | IEEE 802.1Q Tunneling | IEEE 802.1Q TUNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 172 | VLAN Configuration | IEEE 802.1Q Tunneling | Figure 67: QinQ Operational Concept [diagram labels: Customer A (VLANs 1-10) at both ends; QinQ Tunneling across Service Provider VLAN 10 between edge switch A and edge switch B; Tunnel Access Port on each edge switch; Tunnel...]
  • Page 173 | VLAN Configuration | IEEE 802.1Q Tunneling | Layer 2 Flow for Packets Coming into a Tunnel Uplink Port: An uplink port receives one of the following packets: ◆ Untagged ◆ One tag (CVLAN or SPVLAN) ◆ Double tag (CVLAN + SPVLAN)...
  • Page 174 | VLAN Configuration | IEEE 802.1Q Tunneling | Configuration Limitations for QinQ: ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
  • Page 175: Enabling Qinq Tunneling On The Switch

    | VLAN Configuration | IEEE 802.1Q Tunneling | ENABLING QINQ TUNNELING ON THE SWITCH Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
  • Page 176: Adding An Interface To A Qinq Tunnel

    | VLAN Configuration | IEEE 802.1Q Tunneling | Figure 68: Enabling QinQ Tunneling. ADDING AN INTERFACE TO A QINQ TUNNEL Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
  • Page 177: Protocol Vlans

    | VLAN Configuration | Protocol VLANs | INTERFACE To add an interface to a QinQ tunnel: Click VLAN, Tunnel. Select Configure Interface from the Step list. Set the mode for any tunnel access port to Tunnel and the tunnel uplink port to Tunnel Uplink. Click Apply.
  • Page 178: Configuring Protocol Vlan Groups

    | VLAN Configuration | Protocol VLANs | COMMAND USAGE ◆ To configure protocol-based VLANs, follow these steps: First configure VLAN groups for the protocols you want to use (page 836). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
  • Page 179 | VLAN Configuration | Protocol VLANs | INTERFACE To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Add from the Action list. Select an entry from the Frame Type list. Select an entry from the Protocol Type list. Enter an identifier for the protocol group.
  • Page 180: Mapping Protocol Groups To Interfaces

    | VLAN Configuration | Protocol VLANs | MAPPING PROTOCOL GROUPS TO INTERFACES Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group. CLI REFERENCES "protocol-vlan protocol-group (Configuring Interfaces)"...
  • Page 181 | VLAN Configuration | Protocol VLANs | Enter the corresponding VLAN to which the protocol traffic will be forwarded. Click Apply. Figure 72: Assigning Interfaces to Protocol VLANs. To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list.
  • Page 182: Configuring IP Subnet VLANs

    Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 183 | VLAN Configuration - Configuring IP Subnet VLANs: Web Interface: To map an IP subnet to a VLAN: Click VLAN, IP Subnet. Select Add from the Action list. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field.
  • Page 184: Configuring MAC-Based VLANs

    Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 185 | VLAN Configuration - Configuring MAC-Based VLANs: Click Apply. Figure 76: Configuring MAC-Based VLANs. To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 77: Showing MAC-Based VLANs
  • Page 187: Address Table Settings

    Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 188 | Address Table Settings - Configuring MAC Address Learning: ◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist: ■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 314).
  • Page 189: Setting Static Addresses

    Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 190: Changing The Aging Time

    Click Apply. Figure 79: Configuring Static MAC Addresses. To show the static addresses in the MAC address table: Click MAC Address, Static. Select Show from the Action list. Figure 80: Displaying Static MAC Addresses. Changing the Aging Time: Use the MAC Address >...
  • Page 191: Displaying The Dynamic Address Table

    Web Interface: To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
  • Page 192: Clearing The Dynamic Address Table

    Web Interface: To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
  • Page 193 | Address Table Settings - Clearing the Dynamic Address Table: Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface). Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface. Click Clear.
  • Page 195: Spanning Tree Algorithm

    This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA,...
  • Page 196 | Spanning Tree Algorithm - Overview: ...lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 84: STP Root Ports and Designated Ports. Designated Root...
  • Page 197 | Spanning Tree Algorithm - Overview: Figure 85: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees"...
  • Page 198: Configuring Loopback Detection

    Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 199: Configuring Global Settings for STA

    Web Interface: To configure loopback detection: Click Spanning Tree, Loopback Detection. Click Port or Trunk to display the required interface type. Modify the required loopback detection attributes. Click Apply. Figure 87: Configuring Port Loopback Detection. Configuring Global Settings for...
  • Page 200 | Spanning Tree Algorithm - Configuring Global Settings for STA: ■ STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 201 | Spanning Tree Algorithm - Configuring Global Settings for STA: ■ Default: 32768 ■ Range: 0-61440, in steps of 4096 ■ Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440. Advanced Configuration Settings: The following attributes are based on RSTP, but also apply to STP since the switch uses a backwards-compatible subset of RSTP to implement STP, and also apply to MSTP which is based on RSTP according to the standard:...
  • Page 202 | Spanning Tree Algorithm - Configuring Global Settings for STA: ...return to a discarding state; otherwise, temporary data loops might result. ■ Default: 15 ■ Minimum: The higher of 4 or [(Max. Message Age / 2) + 1] ■ Maximum: 30 ■...
  • Page 203 | Spanning Tree Algorithm - Configuring Global Settings for STA: Figure 88: Configuring Global Settings for STA (STP). Figure 89: Configuring Global Settings for STA (RSTP)
  • Page 204: Displaying Global Settings for STA

    Figure 90: Configuring Global Settings for STA (MSTP). Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 205: Configuring Interface Settings for STA

    ◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 206: Table 9: Recommended STA Path Cost Range

    CLI References: ◆ "Spanning Tree Commands" on page 807. Parameters: These parameters are displayed in the web interface: ◆ Interface – Displays a list of ports or trunks. ◆ Spanning Tree – Enables/disables STA on this interface. ◆...
  • Page 207 | Spanning Tree Algorithm - Configuring Interface Settings for STA: ■ Shared – A connection to two or more bridges. ■ Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.) Root Guard –...
  • Page 208 | Spanning Tree Algorithm - Configuring Interface Settings for STA: ■ If the port does not receive any BPDUs after the edge delay timer expires, its role changes to designated port and it immediately enters forwarding state (see "Displaying Interface Settings for STA" on page 209).
  • Page 209: Displaying Interface Settings for STA

    Figure 92: Configuring Interface Settings for STA. Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 210 | Spanning Tree Algorithm - Displaying Interface Settings for STA: ■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding. ■ All ports are discarding when the switch is booted, then some of...
  • Page 211 | Spanning Tree Algorithm - Displaying Interface Settings for STA: Figure 93: STA Port Roles (R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port). Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 212: Configuring Multiple Spanning Trees

    Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: ◆ "Spanning Tree Commands" on page 807...
  • Page 213 | Spanning Tree Algorithm - Configuring Multiple Spanning Trees: Web Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 214 | Spanning Tree Algorithm - Configuring Multiple Spanning Trees: To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP instance. Click Apply.
  • Page 215 | Spanning Tree Algorithm - Configuring Multiple Spanning Trees: To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 216: Configuring Interface Settings for MSTP

    Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI References: ◆ "Spanning Tree Commands" on page 807...
  • Page 217 | Spanning Tree Algorithm - Configuring Interface Settings for MSTP: The recommended range is listed in Table 9 on page 206. The default path costs are listed in Table 10 on page 206. Web Interface: To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP.
  • Page 219: Rate Limit Configuration

    Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 220 | Rate Limit Configuration: Figure 103: Configuring Rate Limits
  • Page 221: Storm Control Configuration

    Use the Traffic > Storm Control page to configure broadcast storm control thresholds. Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 222 | Storm Control Configuration: Figure 104: Configuring Broadcast Storm Control
  • Page 223: Quality Of Service

    This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 224: Configuring A Class Map

    Command Usage: To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 225 | Quality of Service - Configuring a Class Map: ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the...
  • Page 226 | Quality of Service - Configuring a Class Map: To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 106: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 227: Creating QoS Policies

    To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 108: Showing the Rules for a Class Map. Creating QoS Policies: Use the Traffic >...
  • Page 228 | Quality of Service - Creating QoS Policies: Policing is based on a token bucket, where bucket depth (that is, the maximum burst before the bucket overflows) is specified by the “burst” field (BC), and the average rate tokens are removed from the bucket is specified by the “rate”...
  • Page 229 | Quality of Service - Creating QoS Policies: ■ if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, ■ else the packet is red and neither Tc nor Te is decremented. ■...
  • Page 230 | Quality of Service - Creating QoS Policies: ...respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
  • Page 231 | Quality of Service - Creating QoS Policies: Add Rule: ◆ Policy Name – Name of policy map. ◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. ◆ Action – Configures the service provided to ingress traffic. Packets...
  • Page 232 | Quality of Service - Creating QoS Policies: ■ Violate – Specifies whether the traffic that exceeds the maximum rate (CIR) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of...
  • Page 233 | Quality of Service - Creating QoS Policies: ■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of...
  • Page 234 | Quality of Service - Creating QoS Policies: ■ Peak Burst Size (BP) – Burst size in bytes. (Range: 64-524288 bytes) The burst size cannot exceed 16 Mbytes. ■ Conform – Specifies whether traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level, or if the DSCP service level will be modified.
  • Page 235 | Quality of Service - Creating QoS Policies: Figure 109: Configuring a Policy Map. To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 110: Showing Policy Maps. To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 236 | Quality of Service - Creating QoS Policies: Figure 111: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 112: Showing the Rules for a Policy Map
  • Page 237: Attaching A Policy Map To A Port

    Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI References: ◆ "Quality of Service Commands" on page 885...
  • Page 239: VoIP Traffic Configuration

    This chapter covers the following topics: ◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VoIP...
  • Page 240: VoIP Traffic Configuration

    Configuring VoIP Traffic: CLI References: ◆ "Configuring Voice VLANs" on page 864. Parameters: These parameters are displayed in the web interface: ◆ Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) ◆ Voice VLAN –...
  • Page 241: Configuring Telephony OUI

    VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 242: Configuring VoIP Traffic Ports

    Figure 115: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list. Figure 116: Showing an OUI Telephony List...
  • Page 243 | VoIP Traffic Configuration - Configuring VoIP Traffic Ports: ■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or 802.1ab (LLDP). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
  • Page 244 | VoIP Traffic Configuration - Configuring VoIP Traffic Ports: Figure 117: Configuring Port Settings for a Voice VLAN
  • Page 245: Security Measures

    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 246: AAA Authorization and Accounting

    The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Access Control Lists, IP Source Guard, and then DHCP Snooping. AAA Authorization and Accounting: The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch.
  • Page 247: Configuring Local/Remote Logon Authentication

    Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide; refer to the documentation provided with the RADIUS or TACACS+ server software.
  • Page 248: Configuring Remote Logon Authentication Servers

    Web Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods). Click Apply. Figure 118: Configuring the Authentication Sequence. Configuring Remote Logon Authentication Servers: Use the Security > AAA > Server page to configure the message exchange parameters for RADIUS or TACACS+ remote access authentication servers.
  • Page 249 | Security Measures - AAA Authorization and Accounting: Command Usage: ◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. ◆ Both local and remote logon authentication control management access via the console port, web browser, or Telnet. ◆...
  • Page 250 | Security Measures - AAA Authorization and Accounting: ■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. ◆ TACACS+...
  • Page 251 | Security Measures - AAA Authorization and Accounting: To set or modify the authentication key, mark the Set Key box, enter the key, and then confirm it. Click Apply. Figure 120: Configuring Remote Authentication Server (RADIUS). Figure 121: Configuring Remote Authentication Server (TACACS+). To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server.
  • Page 252 | Security Measures - AAA Authorization and Accounting: Enter the group name, followed by the index of the server to use for each priority level. Click Apply. Figure 122: Configuring AAA Server Groups. To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server.
  • Page 253: Configuring AAA Accounting

    Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.
  • Page 254 | Security Measures - AAA Authorization and Accounting: Configure Service: ◆ Accounting Type – Specifies the service as 802.1X, Command or Exec as described in the preceding section. ■ 802.1X ■ Method Name – Specifies a user-defined accounting method to...
  • Page 255 | Security Measures - AAA Authorization and Accounting: Figure 124: Configuring Global Settings for AAA Accounting. To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list.
  • Page 256 | Security Measures - AAA Authorization and Accounting: To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Show from the Action list. Figure 126: Showing AAA Accounting Methods. To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or...
  • Page 257 | Security Measures - AAA Authorization and Accounting: Figure 128: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
  • Page 258: Configuring AAA Authorization

    Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI References: "AAA"...
  • Page 259 | Security Measures - AAA Authorization and Accounting: ◆ Interface – Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group has not been assigned to an interface.) Web Interface: To configure the authorization method applied to the Exec service type and the assigned server group:...
  • Page 260 | Security Measures - AAA Authorization and Accounting: To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 133: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization.
  • Page 261: Configuring User Accounts

    Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: ◆ "User Accounts" on page 657. Command Usage: The default guest name is “guest”...
  • Page 262: Network Access (MAC Address Authentication)

    Figure 135: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 136: Showing User Accounts. Network Access (MAC Address Authentication): Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 263 | Security Measures - Network Access (MAC Address Authentication): Command Usage: ◆ MAC address authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 264: Table 11: Dynamic QoS Profiles

    ...attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information: Table 11: Dynamic QoS Profiles (Profile / Attribute Syntax / Example): DiffServ / service-policy-in=policy-map-name / service-policy-in=p1; Rate Limit / rate-limit-input=rate (in units of Kbps) / rate-limit-input=100.
  • Page 265: Configuring Global Settings For Network Access

    ◆ While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off the port. Configuring Global Settings for Network Access: MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on...
  • Page 266: Configuring Network Access For Ports

    Figure 137: Configuring Global Settings for Network Access. Configuring Network Access for Ports: Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic...
  • Page 267 | Security Measures - Network Access (MAC Address Authentication): ◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server are applied to the port, providing the VLANs have already been created on the switch.
  • Page 268: Configuring Port Link Detection

    Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs. CLI References: "Network Access (MAC Address Authentication)"...
  • Page 269: Configuring a MAC Address Filter

    Figure 139: Configuring Link Detection for Network Access. Configuring a MAC Address Filter: Use the Security > MAC Authentication (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication.
  • Page 270: Displaying Secure MAC Address Information

    Enter a filter ID, MAC address, and optional mask. Click Apply. Figure 140: Configuring a MAC Address Filter for Network Access. To show the MAC address filter table for MAC authentication: Click Security, Network Access.
  • Page 271 | Security Measures - Network Access (MAC Address Authentication): ■ MAC Address – Specifies a specific MAC address. ■ Interface – Specifies a port interface. ■ Attribute – Displays static or dynamic addresses. ◆ Authenticated MAC Address List: ■ MAC Address – The authenticated MAC address. ■...
  • Page 272: Configuring HTTPS

    Figure 142: Showing Addresses Authenticated for Network Access. Configuring HTTPS: You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 273: Table 12: HTTPS System Support

    ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above. ◆ The following web browsers and operating systems currently support...
  • Page 274: Replacing The Default Secure-Site Certificate

    Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site.
  • Page 275: Configuring The Secure Shell

    Web Interface: To replace the default secure-site certificate: Click Security, HTTPS. Select Copy Certificate from the Step list. Fill in the TFTP server, certificate and private key file name, and private password. Click Apply. Figure 144: Downloading the Secure-Site Certificate. Configuring the Secure...
  • Page 276 | Security Measures - Configuring the Secure Shell: Command Usage: The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the System Authentication page (page...
  • Page 277 | Security Measures HAPTER Configuring the Secure Shell Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) The client sends its password to the server. The switch compares the client's password to those stored in memory.
  • Page 278: Configuring The Ssh Server

    | Security Measures HAPTER Configuring the Secure Shell The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.
  • Page 279: Generating The Host Key Pair

    Web Interface: To configure the SSH server: Click Security, SSH. Select Configure Global from the Step list. Enable the SSH server. Adjust the authentication parameters as required. Click Apply. Figure 145: Configuring the SSH Server. Use the Security >...
  • Page 280: ...client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. ◆ Save Host-Key from Memory to Flash – Saves the host key from...
  • Page 281: Importing User Public Keys

    Figure 147: Showing the SSH Host Key Pair. Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism.
  • Page 282: Web Interface: To copy the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Copy from the Action list. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name.
  • Page 283: Access Control Lists

    Figure 149: Showing the SSH User’s Public Key. Access Control Lists: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type).
  • Page 284: Setting a Time Range

    ...security reasons). A packet will also be denied if the IP ACL denies it and the MAC ACL accepts it. Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied.
  • Page 285: Figure 150: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL. Select Configure Time Range from the Step list. Select Show from the Action list. Figure 151: Showing a List of Time Ranges. To configure a rule for a time range: Click Security, ACL.
  • Page 286: Setting The ACL Name And Type

    Figure 152: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list. Figure 153: Showing the Rules Configured for a Time Range. Use the Security >...
  • Page 287: ◆ Type – The following filter modes are supported: ■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address. ■ IP Extended: IPv4 ACL mode filters packets based on the source...
  • Page 288: Configuring A Standard IPv4 ACL

    Select Show from the Action list. Figure 155: Showing a List of ACLs. Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. CLI References...
  • Page 289: Configuring An Extended IPv4 ACL

    Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Standard from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP).
  • Page 290: ◆ Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Subnet Mask fields.
  • Page 291: ■ ...SYN valid and ACK invalid, use control-code 2, control bit mask 18. ◆ Time Range – Name of a time range. Web Interface: To add rules to an Extended IPv4 ACL: Click Security, ACL. Select Configure ACL from the Step list.
  • Page 292: Configuring A Standard IPv6 ACL

    Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI References: ◆ "permit, deny (Standard IPv6 ACL)" on page 755...
  • Page 293: Configuring An Extended IPv6 ACL

    If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and the prefix length. Click Apply. Figure 158: Configuring a Standard IPv6 ACL. Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
  • Page 294: ◆ Destination Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-64 bits) ◆ DSCP – DSCP traffic class. (Range: 0-63)...
  • Page 295: Web Interface: To add rules to an Extended IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Extended from the Type list. Select the name of an ACL from the Name list.
  • Page 296: Configuring A MAC ACL

    Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI References: ◆ "permit, deny (MAC ACL)" on page 761...
  • Page 297: Web Interface: To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 298: Configuring An ARP ACL

    Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 299: Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny). Select the packet type (Request, Response, All). Select the address type (Any, Host, or IP).
  • Page 300: Binding A Port To An Access Control List

    After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
  • Page 301: ARP Inspection

    Figure 162: Binding a Port to an ACL. ARP Inspection: ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle”...
  • Page 302: Configuring Global Settings For ARP Inspection

    ■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. ■ Disabling and then re-enabling global ARP Inspection will not affect...
  • Page 303: ARP Inspection Logging: ◆ By default, logging is active for ARP Inspection, and cannot be disabled. ◆ The administrator can configure the log facility rate. ◆ When the switch drops a packet, it places an entry in the log buffer,...
  • Page 304: Configuring VLAN Settings For ARP Inspection

    Web Interface: To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply.
  • Page 305: Configuring VLAN Settings For ARP Inspection

    ...packets not matching any rules are dropped, and the DHCP snooping bindings database check is bypassed. ◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity.
  • Page 306: Configuring Interface Settings For ARP Inspection

    Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. CLI References: ◆ "ARP Inspection" on page 738...
  • Page 307: Displaying ARP Inspection Statistics

    Figure 165: Configuring Interface Settings for ARP Inspection. Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons. CLI References...
  • Page 308: Displaying The ARP Inspection Log

    Web Interface: To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Configure Information from the Step list. Select Show Statistics from the Step list. Figure 166: Displaying Statistics for ARP Inspection. Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated...
  • Page 309: Filtering IP Addresses For Management Access

    Web Interface: To display the ARP Inspection log: Click Security, ARP Inspection. Select Configure Information from the Step list. Select Show Log from the Step list. Figure 167: Displaying the ARP Inspection Log. Filtering IP Addresses for...
  • Page 310: ◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Parameters: These parameters are displayed in the web interface: ◆ Mode...
  • Page 311: Configuring Port Security

    To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 169: Showing IP Addresses Authorized for Management Access. Configuring Port Security: Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
  • Page 312: Command Usage: ◆ A secure port has the following restrictions: ■ It cannot be used as a member of a static or dynamic trunk. ■ It should not be connected to a network interconnection device. ■...
  • Page 313: Configuring 802.1X Port Authentication

    Figure 170: Configuring Port Security. Configuring 802.1X Port Authentication: Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 314: Configuring 802.1X Global Settings

    ...hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Figure 171: Configuring Port Security (figure labels: 802.1x client, RADIUS). 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3. ...
  • Page 315: Parameters: These parameters are displayed in the web interface: ◆ Port Authentication Status – Sets the global setting for 802.1X. (Default: Disabled) ◆ EAPOL Pass Through – Passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled.
  • Page 316: Configuring Port Settings For 802.1X

    Use the Security > Port Authentication (Configure Interface) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
  • Page 317: In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
  • Page 318: ◆ Intrusion Action – Sets the port’s response to a failed authentication. ■ Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.) ■ Guest VLAN – All traffic for the port is assigned to a guest VLAN. ■...
  • Page 319: Figure 173: Configuring Interface Settings for 802.1X Port Authenticator
  • Page 320: Displaying 802.1X Statistics

    Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. CLI References: ◆ "show dot1x" on page 702. Parameters: These parameters are displayed in the web interface: Table 15: 802.1X Statistics. Parameter...
  • Page 321: IP Source Guard

    Web Interface: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 174: Showing Statistics for 802.1X Port Authenticator. IP Source Guard: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see...
  • Page 322: Command Usage: ◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 323: Configuring Static Bindings For IP Source Guard

    ■ SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. ◆ Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see...
  • Page 324: ■ If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. ■ If there is an entry with the same VLAN ID and MAC address, and...
  • Page 325: Displaying Information For Dynamic IP Source Guard Bindings

    To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Show from the Action list. Figure 177: Displaying Static Bindings for IP Source Guard. Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
  • Page 326: DHCP Snooping

    Web Interface: To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query. Figure 178: Showing the IP Source Guard Binding Table. DHCP Snooping: The addresses assigned to DHCP clients on insecure ports can be carefully...
  • Page 327: ◆ The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. ◆ When DHCP snooping is enabled, DHCP messages entering an...
  • Page 328: ...DHCP server, any packets received from untrusted ports are dropped. DHCP Snooping Option 82: ◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 329: DHCP Snooping Configuration

    Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. CLI References: ◆ "DHCP Snooping" on page 724...
  • Page 330: DHCP Snooping VLAN Configuration

    Figure 179: Configuring Global Settings for DHCP Snooping. Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI References: "ip dhcp snooping vlan"...
  • Page 331: Configuring Ports For DHCP Snooping

    Enable DHCP Snooping on any existing VLAN. Click Apply. Figure 180: Configuring DHCP Snooping on a VLAN. Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted. CLI References...
  • Page 332: Displaying DHCP Snooping Binding Information

    Set any ports within the local network or firewall to trusted. Click Apply. Figure 181: Configuring the Port Mode for DHCP Snooping. Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
  • Page 333: Web Interface: To display the binding table for DHCP Snooping: Click Security, IP Source Guard, DHCP Snooping. Select Show Information from the Step list. Use the Store or Clear function if required. Figure 182: Displaying the Binding Table for DHCP Snooping...
  • Page 335: Basic Administration Protocols

    Basic Administration Protocols: This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 336: Table 16: Logging Levels

    Chapter: Basic Administration Protocols, Configuring Event Logging. Parameters: These parameters are displayed in the web interface: ◆ System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled) ◆ Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level.
  • Page 337: Remote Log Configuration

    Figure 183: Configuring Settings for System Memory Logs. To show the error messages logged to system memory: Click Administration, Log, System. Select Show System Logs from the Step list. This page allows you to scroll through the logged system and event messages.
  • Page 338: ◆ Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service.
  • Page 339: Sending Simple Mail Transfer Protocol Alerts

    Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
  • Page 340: Link Layer Discovery Protocol

    Figure 186: Configuring SMTP Alert Messages. Link Layer Discovery Protocol: Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 341: This attribute must comply with the following rule: (Transmission Interval * Hold Time Multiplier) ≤ 65536, and Transmission Interval ≥ (4 * Delay Interval). ◆ Hold Time Multiplier – Configures the time-to-live (TTL) value sent in...
  • Page 342: Configuring LLDP Interface Attributes

    Click Apply. Figure 187: Configuring LLDP Timing Attributes. Use the Administration > LLDP (Configure Interface) page to specify the LLDP message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 343: ◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. ■ Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  • Page 344: ■ VLAN Name – The name of all VLANs to which this interface has been assigned (see "IEEE 802.1Q VLANs" on page 153 and "Protocol VLANs" on page 177). ■ Port And Protocol VLAN ID – The port-based and protocol-based...
  • Page 345: Displaying LLDP Local Device Information

    Figure 188: Configuring LLDP Interface Attributes. Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
  • Page 346: Table 18: System Capabilities

    ◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. ◆ System Name – A string that indicates the system’s administratively assigned name (see "Displaying System Information"...
  • Page 347: Displaying LLDP Remote Port Information

    Figure 189: Displaying Local Device Information for LLDP (General). Figure 190: Displaying Local Device Information for LLDP (Port). Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed...
  • Page 348: Table 19: Port ID Subtype

    ◆ Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted. ◆ System Name – A string that indicates the system’s administratively assigned name.
  • Page 349: Table 20: Remote Port Auto-Negotiation Advertised Capability

    ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 18, "System Capabilities," on page 346.) ◆ System Capabilities Enabled – The primary function(s) of the...
  • Page 350: Table 20: Remote Port Auto-Negotiation Advertised Capability (Capability column): Asymmetric and Symmetric PAUSE for full-duplex links; 1000BASE-X, -LX, -SX, -CX half duplex mode; 1000BASE-X, -LX, -SX, -CX full duplex mode; 1000BASE-T half duplex mode; 1000BASE-T full duplex mode. ◆...
  • Page 351: ◆ Remote Link Aggregation Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.1), derived from the ifNumber of the ifIndex for the port component associated with the remote system. If the remote port is not in link aggregation state and/or it does not support link aggregation, this value should be zero.
  • Page 352: Displaying Device Statistics

    Figure 192: Displaying Remote Device Information for LLDP (Port Details). Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 353: ◆ Neighbor Entries Deleted Count – The number of LLDP neighbors which have been removed from the LLDP remote systems MIB for any reason. ◆ Neighbor Entries Dropped Count – The number of times which the...
  • Page 354: Simple Network Management Protocol

    Figure 193: Displaying LLDP Device Statistics (General). Figure 194: Displaying LLDP Device Statistics (Port). Simple Network Management Protocol: Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
  • Page 355: Table 21: SNMPv3 Security Models And Levels

    The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using network management software.
  • Page 356: Configuring Global Settings For SNMP

    Command Usage: Configuring SNMPv1/2c Management Access: To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages. Use the Administration >...
  • Page 357: Setting The Local Engine ID

    Parameters: These parameters are displayed in the web interface: ◆ Agent Status – Enables SNMP on the switch. (Default: Enabled) ◆ Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process.
  • Page 358: Specifying A Remote Engine ID

    ...ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users. Parameters: These parameters are displayed in the web interface: ◆ Engine ID – A new engine ID can be specified by entering 9 to 64...
  • Page 359: Parameters: These parameters are displayed in the web interface: ◆ Remote Engine ID – The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters is specified, a trailing zero is added to the value to fill in the last octet.
  • Page 360: Setting SNMPv3 Views

    Figure 198: Showing Remote Engine IDs for SNMP. Use the Administration > SNMP (Configure View) page to configure SNMP views which are used to restrict user access to specified portions of the MIB tree.
  • Page 361: Select Add View from the Action list. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
  • Page 362: Click Apply. Figure 201: Adding an OID Subtree to an SNMP View. To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
  • Page 363: Configuring SNMPv3 Groups

    Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
  • Page 364: Table 22: Supported Notification Messages (Continued) (columns: Model, Level, Group): SNMPv2 Traps: coldStart (1.3.6.1.6.3.1.1.5.1): A coldStart trap signifies that the SNMPv2 entity, acting in an agent role, is reinitializing itself and that its configuration may have been altered.
  • Page 365: Table 22: Supported Notification Messages (Continued) (columns: Model, Level, Group): swLoginSucceedTrap (1.3.6.1.4.1.259.10.1.5.2.1.0.67): This trap is sent when login succeeds via console, telnet, or web. swLoopbackDetectionTrap (1.3.6.1.4.1.259.10.1.5.2.1.0.95): This trap will be sent when loopback BPDUs have been detected.
  • Page 366: Setting Community Access Strings

    To show SNMP groups: Click Administration, SNMP. Select Configure Group from the Step list. Select Show from the Action list. Figure 204: Showing SNMP Groups. Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access...
  • Page 367 Web Interface: To set a community access string: Click Administration, SNMP. Select Configure User from the Step list. Select Add Community from the Action list. Add new community strings as required, and select the corresponding access rights from the Access Mode list.
  • Page 368: Configuring Local SNMPv3 Users

    Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
  • Page 369 Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified. If the security level is authPriv, a privacy password must also be specified.
  • Page 370: Configuring Remote SNMPv3 Users

    Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
  • Page 371 ◆ Privacy Password – A minimum of eight plain text characters is required. Web Interface: To configure a remote SNMPv3 user: Click Administration, SNMP. Select Configure User from the Step list. Select Add SNMPv3 Remote User from the Action list. Enter a name and assign it to a group.
  • Page 372: Specifying Trap Managers

    Figure 210: Showing Remote SNMPv3 Users. Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers.
  • Page 373 Create a view with the required notification messages (page 360). Create a group that includes the required notify view (page 363). Enable trap informs as described in the following pages. Parameters: These parameters are displayed in the web interface: SNMP Version 1: IP Address –...
  • Page 374 Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page. ◆ UDP Port – Specifies the UDP port number used by the trap manager...
  • Page 375 ■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted. ■ AuthPriv – SNMP communications use both authentication and encryption. Web Interface: To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list.
  • Page 376: Remote Monitoring

    Figure 213: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 214: Showing Trap Managers. Remote Monitoring: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 377: Configuring RMON Alarms

    The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol.
  • Page 378 ◆ Last Value – The value of the statistic during the last sampling period. ◆ Rising Threshold – If the current value is greater than or equal to the rising threshold, and the last sample value was less than this threshold, then an alarm will be generated.
  • Page 379 Figure 215: Configuring an RMON Alarm. To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 216: Showing Configured RMON Alarms...
  • Page 380: Configuring RMON Events

    Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
  • Page 381 Web Interface: To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
  • Page 382: Configuring RMON History Samples

    Figure 218: Showing Configured RMON Events. Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
  • Page 383 ◆ Owner – Name of the person who created this entry. (Range: 1-127 characters) Web Interface: To periodically sample statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click History.
  • Page 384: Configuring RMON Statistical Samples

    Figure 220: Showing Configured RMON History Samples. To show collected RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click History.
  • Page 385 The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, CRC alignment errors, jabbers, fragments, collisions, drop events, and frames of various sizes. Parameters: These parameters are displayed in the web interface: ◆ Port –...
  • Page 386 Select a port from the list. Click Statistics. Figure 223: Showing Configured RMON Statistical Samples. To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list.
  • Page 387: Multicast Filtering

    This chapter describes how to configure the following multicast services: ◆ Layer 2 IGMP – Configures snooping and query parameters. ◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. ◆ Layer 3 IGMP –...
  • Page 388: IGMP Protocol

    This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
  • Page 389: Layer 2 IGMP (Snooping and Query)

    ...across different subnetworks. Therefore, when PIM routing is enabled for a subnet on the switch, IGMP is automatically enabled. Figure 226: IGMP Protocol (figure labels: Network core – multicast routing; Edge switches – snooping and query; Switch to end nodes – snooping on IGMP clients)...
  • Page 390 When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN. IGMP snooping will not function unless a multicast router port is enabled on the switch.
  • Page 391: Configuring IGMP Snooping and Query Parameters

    Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 392 ◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 393 ...(or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it immediately issues an IGMP general query.
  • Page 394 This attribute configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
  • Page 395: Specifying Static Interfaces for a Multicast Router

    Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 396 Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information. Figure 229: Showing Static Interfaces Attached to a Multicast Router. Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM), to support IP multicasting across the Internet.
  • Page 397: Assigning Interfaces to Multicast Services

    Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 398 Figure 231: Assigning an Interface to a Multicast Service. To show the static interfaces assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.
  • Page 399: Setting IGMP Snooping Status per Interface

    Figure 233: Showing Current Interfaces Assigned to a Multicast Service. Use the Multicast > IGMP Snooping > Interface (Configure) page to configure IGMP snooping attributes for a VLAN interface. To configure snooping globally, refer to...
  • Page 400 ...forwarding is enabled. They are sent upon the occurrence of these events: ■ Upon the expiration of a periodic (randomized) timer. ■ As a part of a router's start up procedure. ■...
  • Page 401 When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. ◆ Version Exclusive – Discards any received IGMP messages (except for...
  • Page 402 If proxy reporting is disabled, report suppression can still be configured by a separate attribute as described above. ◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports.
  • Page 403 ◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 404: Displaying Multicast Groups Discovered by IGMP Snooping

    To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface. Select Show from the Action list. Figure 235: Showing Interface Settings for IGMP Snooping. Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
  • Page 405: Filtering and Throttling IGMP Groups

    Figure 236: Showing Multicast Groups Learned by IGMP Snooping. In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
  • Page 406: Configuring IGMP Filter Profiles

    Parameters: These parameters are displayed in the web interface: ◆ IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch. (Default: Disabled) Web Interface: To enable IGMP filtering and throttling on the switch: Click Multicast, IGMP Snooping, Filtering.
  • Page 407 When the access mode is set to deny, IGMP join reports are only processed when the multicast group is not in the controlled range. Add Multicast Group Range: ◆ Profile ID – Selects an IGMP profile to configure...
  • Page 408 To add a range of multicast groups to an IGMP filter profile: Click Multicast, IGMP Snooping, Filtering. Select Add Multicast Group Range from the Action list. Select the profile to configure, and add a multicast group address or range of addresses.
  • Page 409: Configuring IGMP Filtering and Throttling for Interfaces

    Use the Multicast > IGMP Snooping > Configure Interface page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time.
  • Page 410: Layer 3 IGMP (Query Used with Multicast Routing)

    Select a profile to assign to an interface, then set the maximum number of allowed multicast groups and the throttling response. Click Apply. Figure 242: Configuring IGMP Filtering and Throttling Interface Settings...
  • Page 411: Configuring IGMP Proxy Routing

    Use the Multicast > IGMP > Proxy page to configure IGMP Proxy Routing. In simple network topologies, it is sufficient for a device to learn multicast requirements from its downstream interfaces and proxy this group membership information to the upstream router.
  • Page 412 The IGMP proxy routing tree must be manually configured by designating one upstream interface and multiple downstream interfaces on each proxy device. No other multicast routers except for the proxy devices can exist within the tree, and the root of the tree must be connected to a wider multicast infrastructure.
  • Page 413: Configuring IGMP Interface Parameters

    ◆ Multicast routing protocols are not supported when IGMP proxy service is enabled. ◆ Only one upstream interface is supported on the system. ◆ A maximum of 1024 multicast entries are supported. ◆...
  • Page 414 ...that interface from the multicast tree. A host can also submit a join message at any time without waiting for a query from the router. Hosts can also signal when they no longer want to receive traffic for a specific group by sending a leave-group message.
  • Page 415 Multicast routers send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service. Only the designated multicast router for a subnet sends host query messages, which are addressed to the multicast address 224.0.0.1, and use a time-to-live (TTL) value of 1.
  • Page 416: Configuring Static IGMP Group Membership

    Figure 245: Configuring IGMP Interface Settings. Use the Multicast > IGMP > Static Group page to manually propagate traffic from specific multicast groups onto the specified VLAN interface.
  • Page 417 ◆ Static Group Address – An IP multicast group address. (The group addresses specified cannot be in the range of 224.0.0.1 - 239.255.255.255.) ◆ Source Address – The source address of a multicast server...
  • Page 418: Displaying Multicast Group Information

    When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP.
  • Page 419 Show Detail: The following additional information is displayed on this page: ◆ Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
  • Page 420: Multicast VLAN Registration

    To display detailed information about the current multicast groups learned through IGMP: Click Multicast, IGMP, Group Information. Select Show Detail from the Action list. Select a VLAN. The selected entry must be a configured IP interface. Figure 249: Displaying Multicast Groups Learned from IGMP (Detail)...
  • Page 421 Figure 250: MVR Concept (figure labels: Multicast Router, Satellite Services, Service Network, Multicast Server, Source Port, Layer 2 Switch, Receiver Ports, Set-top Box, Set-top Box). Command Usage: General Configuration Guidelines for MVR: ◆ Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see "Configuring Global MVR Settings"...
  • Page 422: Configuring Global MVR Settings

    Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider. CLI References: "Multicast VLAN Registration"...
  • Page 423: Configuring the MVR Group Range

    Figure 251: Configuring Global Settings for MVR. Use the Multicast > MVR (Configure Group Range) page to assign the multicast group address for each service to the MVR VLAN. CLI References:...
  • Page 424: Configuring MVR Interface Status

    Web Interface: To configure multicast groups for the MVR VLAN: Click Multicast, MVR. Select Configure Group Range from the Step list. Select Add from the Action list. Add the multicast groups that will stream traffic to participating hosts. Click Apply.
  • Page 425 Command Usage: ◆ A port configured as an MVR receiver or source port can join or leave multicast groups configured under MVR. However, note that these ports can also use IGMP snooping to join or leave any other multicast groups using the standard rules for multicast filtering.
  • Page 426 ...designated multicast services supported by the MVR VLAN. Just remember that only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned (see "Assigning Static Multicast Groups to Interfaces"...
  • Page 427: Assigning Static Multicast Groups to Interfaces

    Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts. CLI References:...
  • Page 428: Showing Multicast Groups Assigned to Interfaces

    Select the port for which to display this information. Figure 256: Showing the Static MVR Groups Assigned to a Port. Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR VLAN on each...
  • Page 429 Figure 257: Showing All MVR Groups Assigned to a Port
  • Page 431: IP Configuration

    This chapter describes how to configure an initial IP interface for management access to the switch over the network. You can manually configure a specific address or direct the switch to obtain an address from a BOOTP or DHCP server when it is powered on. ...
  • Page 432: IP Configuration – Setting the Switch's IP Address (IP Version 4)

    Parameters: These parameters are displayed in the web interface: ◆ VLAN – ID of the configured VLAN (1-4093). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 433 Click Apply. Figure 258: Configuring a Static Address. To obtain a dynamic address through DHCP/BOOTP for the switch: Click IP, General, Routing Interface. Select Add from the Action list. Select any configured VLAN, and set IP Address Mode to “BOOTP”...
  • Page 434 If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address. Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
  • Page 435: General IP Routing

    This chapter provides information on network functions including: ◆ Ping – Sends ping message to another node on the network. ◆ Trace – Sends ICMP echo request packets to another node on the network. ◆ Address Resolution Protocol –...
  • Page 436: IP Routing and Switching

    Figure 261: Virtual Interfaces and Layer 3 Routing (figure labels: Inter-subnet traffic (Layer 3 switching), Routing, VLAN 1, VLAN 2, Untagged, Tagged or Untagged, Intra-subnet traffic (Layer 2 switching))...
  • Page 437: Routing Path Management

    ...broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
  • Page 438: Routing Protocols

    The switch supports both static and dynamic routing. ◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
  • Page 439: Using the Ping Function

    ...entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway, use the static routing table as described on page 447, enter 0.0.0.0 for the IP address and subnet mask, and then specify this switch itself or another router as the gateway.
  • Page 440: Using the Trace Route Function

    Figure 262: Pinging a Network Device. Use the IP > General > Trace Route page to show the route packets take to the specified destination. CLI References: "traceroute"...
  • Page 441: Address Resolution Protocol

    Web Interface: To trace the route to another device on the network: Click IP, General, Trace Route. Specify the target device. Click Apply. Figure 263: Tracing the Route to a Network Device. Address Resolution Protocol: If IP routing is enabled (page 483), the router uses its routing tables to...
  • Page 442: Basic ARP Configuration

    If there is no entry for an IP address in the ARP cache, the router will broadcast an ARP request packet to all devices on the network. The ARP request contains the following fields similar to that shown in this example: Table 23: Address Resolution Protocol – destination IP address 10.1.0.19...
  • Page 443 Parameters: These parameters are displayed in the web interface: ◆ Timeout – Sets the aging time for dynamic entries in the ARP cache. (Range: 300 - 86400 seconds; Default: 1200 seconds or 20 minutes) The ARP aging timeout can be set for any configured VLAN.
  • Page 444: Configuring Static ARP Addresses

    For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address.
  • Page 445: Displaying Dynamic or Local ARP Entries

    Figure 266: Configuring Static ARP Entries. To display static entries in the ARP cache: Click IP, ARP. Select Configure Static Address from the Step List. Select Show from the Action List. Figure 267: Displaying Static ARP Entries. The ARP cache contains static entries, and entries for local interfaces,...
  • Page 446: Displaying ARP Statistics

    Figure 268: Displaying Dynamic ARP Entries. To display all local entries in the ARP cache: Click IP, ARP. Select Show Information from the Step List. Click Other Address. Figure 269: Displaying Local ARP Entries. Use the IP >...
  • Page 447: Configuring Static Routes

    Web Interface: To display ARP statistics: Click IP, ARP. Select Show Information from the Step List. Click Statistics. Figure 270: Displaying ARP Statistics. Configuring Static Routes: This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP or OSPF).
  • Page 448 ◆ Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by RIP or OSPF (see page 521, respectively). Parameters: These parameters are displayed in the web interface: ◆ Destination IP Address –...
  • Page 449: Displaying the Routing Table

    Figure 272: Displaying Static Routes. Use the IP > Routing > Routing Table page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
  • Page 450: Equal-Cost Multipath Routing

    Parameters: These parameters are displayed in the web interface: ◆ VLAN – VLAN identifier (i.e., configure as a valid IP subnet). ◆ Destination IP Address – IP address of the destination network, subnetwork, or host.
  • Page 451 ...manually configured in the static routing table, or equal-cost multipaths dynamically generated by Open Shortest Path First (OSPF). In other words, it uses either static or OSPF entries, not both. Normal unicast routing simply selects the path to the destination that has the lowest cost.
  • Page 452 Web Interface: To configure the maximum ECMP number: Click IP, Routing, Routing Table. Select Configure ECMP Number from the Action List. Enter the maximum number of equal-cost paths used to route traffic to the same destination that are permitted on the switch.
  • Page 453: Configuring Router Redundancy

    CONFIGURING ROUTER REDUNDANCY: Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load.
  • Page 454: Configuring Vrrp Groups

    Figure 277: Several Virtual Master Routers Configured for Mutual Backup and Load Sharing (figure labels: Router 1, VRID 23 (Master), IP 192.168.1.3, VR Priority = 255; Router 2, VRID 23 (Backup), IP 192.168.1.5, VR Priority = 100; virtual router address IP(VR23) = 192.168.1.3 on both)...
  • Page 455: ...priority. In cases where the configured priority is the same on several group members, then the master router with the highest IP address is selected from this group. ◆ If you have multiple secondary addresses configured on the current...
  • Page 456: ◆ VLAN – ID of a VLAN configured with an IP interface. (Range: 1-4093; Default: 1) Adding a Virtual IP Address: ◆ VLAN ID – ID of a VLAN configured with an IP interface. (Range: 1-...
  • Page 457: ◆ Authentication Mode – Authentication mode used to verify VRRP packets received from other routers. (Options: None, Simple Text; Default: None) If simple text authentication is selected, then you must also enter an authentication string.
  • Page 458: Figure 278: Configuring the VRRP Group ID. To show the configured VRRP groups: Click IP, VRRP. Select Configure Group ID from the Step List. Select Show from the Action List. Figure 279: Showing Configured VRRP Groups. To configure the virtual router address for a VRRP group: Click IP, VRRP.
  • Page 459: Figure 280: Setting the Virtual Router Address for a VRRP Group. To show the virtual IP address assigned to a VRRP group: Click IP, VRRP. Select Configure Group ID from the Step List. Select Show IP Addresses from the Action List.
  • Page 460: Displaying Vrrp Global Statistics

    Figure 282: Configuring Detailed Settings for a VRRP Group. DISPLAYING VRRP GLOBAL STATISTICS: Use the IP > VRRP (Show Statistics – Global Statistics) page to display counters for errors found in VRRP protocol packets. CLI REFERENCES: "show vrrp router counters"...
  • Page 461: Displaying Vrrp Group Statistics

    Figure 283: Showing Counters for Errors Found in VRRP Packets. DISPLAYING VRRP GROUP STATISTICS: Use the IP > VRRP (Show Statistics – Group Statistics) page to display counters for VRRP protocol events and errors that have occurred on a specific VRRP interface.
  • Page 462: Table 25: VRRP Group Statistics (Continued). Parameter / Description: Received Invalid Type VRRP Packets – Number of VRRP packets received by the virtual router with an invalid value in the "type" field. Received Error Address List VRRP Packets – Number of packets received for which the address list does not...
  • Page 463: Ip Services

    IP SERVICES: This chapter describes the following IP services: ◆ – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. ◆ DHCP Relay – Enables DHCP relay service, and defines the servers to...
  • Page 464: Configuring A List Of Domain Names

    PARAMETERS: These parameters are displayed in the web interface: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 465: ◆ When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers"...
  • Page 466: Configuring A List Of Name Servers

    CONFIGURING A LIST OF NAME SERVERS: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI REFERENCES: ◆ "ip name-server" on page 973...
  • Page 467: Configuring Static Dns Host To Address Entries

    Figure 289: Showing the List of Name Servers for DNS. CONFIGURING STATIC DNS HOST TO ADDRESS ENTRIES: Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
  • Page 468: Displaying The Dns Cache

    Figure 290: Configuring Static Entries in the DNS Table. To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 291: Showing Static Entries in the DNS Table. Use the IP Service >...
  • Page 469: Dynamic Host Configuration Protocol

    PARAMETERS: These parameters are displayed in the web interface: ◆ No. – The entry number for each resource record. ◆ Flag – The flag is always "4" indicating a cache entry and therefore...
  • Page 470: Configuring Dhcp Relay Service

    CONFIGURING DHCP RELAY SERVICE: Use the IP Service > DHCP > Relay page to configure DHCP relay service for attached host devices. If DHCP relay is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located.
  • Page 471: Configuring The Dhcp Server

    Figure 294: Configuring DHCP Relay Service. CONFIGURING THE DHCP SERVER: This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service.
  • Page 472: CLI REFERENCES: ◆ "service dhcp" on page 984. PARAMETERS: These parameters are displayed in the web interface: ◆ DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled) INTERFACE: To enable the DHCP server: Click IP Service, DHCP, Server.
  • Page 473: INTERFACE: To configure IP addresses excluded for DHCP clients: Click IP Service, DHCP, Server. Select Configure Excluded Addresses from the Step list. Select Add from the Action list. Enter a single address or an address range. Click Apply.
  • Page 474: COMMAND USAGE: ◆ First configure address pools for the network interfaces. Then you can manually bind an address to a specific client if required. However, note that any static host address must fall within the range of an existing network address pool.
  • Page 475: ◆ Client-Identifier – A unique designation for the client device, either a text string (1-15 characters) or hexadecimal value. The information included in the identifier is based on RFC 2132 Option 60, and must be unique for all clients in the same administrative domain.
  • Page 476: Click Apply. Figure 299: Configuring DHCP Server Address Pools (Network). Figure 300: Configuring DHCP Server Address Pools (Host). To show the configured DHCP address pools: Click IP Service, DHCP, Server. Select Configure Pool from the Step list. –...
  • Page 477: Select Show from the Action list. Figure 301: Showing Configured DHCP Server Address Pools. DISPLAYING ADDRESS BINDINGS: Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch's DHCP server.
  • Page 478: Forwarding Udp Service Requests

    FORWARDING UDP SERVICE REQUESTS: This section describes how this switch can forward UDP broadcast packets originating from host applications to another part of the network when a local application server is not available. COMMAND USAGE: ◆...
  • Page 479: Specifying Udp Destination Ports

    Figure 303: Enabling the UDP Helper. SPECIFYING UDP DESTINATION PORTS: Use the IP Service > UDP Helper > Forwarding page to specify the UDP destination ports for which broadcast traffic will be forwarded when the UDP helper is enabled.
  • Page 480: Specifying The Target Server Or Subnet

    Figure 304: Specifying UDP Destination Ports. To show the configured UDP destination ports: Click IP Service, UDP Helper, Forwarding. Select Show from the Action list. Figure 305: Showing the UDP Destination Ports. Use the IP Service >...
  • Page 481: ■ The IP time-to-live (TTL) value must be at least 2. ■ The IP protocol must be UDP (17). ■ The UDP destination port must be TFTP, Domain Name System (DNS), Time, NetBIOS, BOOTP or DHCP packet, or a UDP port specified on the IP Service >...
  • Page 482: Figure 307: Showing the Target Server or Subnet for UDP Requests...
  • Page 483: Unicast Routing

    UNICAST ROUTING: This chapter describes how to configure the following unicast routing protocols: – Configures Routing Information Protocol. OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4. OVERVIEW: This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol.
  • Page 484: Configuring The Routing Information Protocol

    To coexist with a network built on multilayer switches, the subnetworks for non-IP protocols must follow the same logical boundary as that of the IP subnetworks. A separate multi-protocol router can then be used to link the subnetworks by connecting to one port from each available VLAN on the network.
  • Page 485: Configuring General Protocol Settings

    ...versions can take a long time to converge on a new route after the failure of a link or router, during which time routing loops may occur, and its small hop count limitation of 15 restricts its use to smaller networks.
  • Page 486: RIP send/receive versions set on the RIP Interface settings screen (page 496) always take precedence over the settings for the Global RIP Version. However, when the Global RIP Version is set to "By Interface," any VLAN interface not previously set to a specific receive or send version is set to the following default values: Receive: Accepts RIPv1 or RIPv2 packets.
  • Page 487: ...access list that filters networks according to the IP address of the router supplying the routing information. ◆ Number of Route Changes – The number of route changes made to the IP route database by RIP. ◆ Number of Queries –...
  • Page 488: Clearing Entries From The Routing Table

    Figure 309: Configuring General Settings for RIP. CLEARING ENTRIES FROM THE ROUTING TABLE: Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.
  • Page 489: Specifying Network Interfaces

    ◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length. ■ Network IP Address – Deletes all related entries for the specified network address. ■ Prefix Length –...
  • Page 490: PARAMETERS: These parameters are displayed in the web interface: ◆ By Address – Adds a network to the RIP routing process. ■ Subnet Address – IP address of a network directly connected to...
  • Page 491: Specifying Passive Interfaces

    Figure 312: Showing Network Interfaces Using RIP. SPECIFYING PASSIVE INTERFACES: Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface. CLI REFERENCES:...
  • Page 492: Specifying Static Neighbors

    Figure 313: Specifying a Passive RIP Interface. To show the passive RIP interfaces: Click Routing Protocol, RIP, Passive Interface. Select Show from the Action list. Figure 314: Showing Passive RIP Interfaces. Use the Routing Protocol >...
  • Page 493: Configuring Route Redistribution

    Add the address of any static neighbors which may not readily be discovered through RIP. Click Apply. Figure 315: Specifying a Static RIP Neighbor. To show static RIP neighbors: Click Routing Protocol, RIP, Neighbor Address. Select Show from the Action list.
  • Page 494: ◆ Metric – Metric assigned to all external routes for the specified protocol. (Range: 0-16; Default: the default metric as described under "Configuring General Protocol Settings" on page 485.) A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
  • Page 495: Specifying An Administrative Distance

    Figure 318: Showing External Routes Redistributed into RIP. SPECIFYING AN ADMINISTRATIVE DISTANCE: Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
  • Page 496: Configuring Network Interfaces For Rip

    INTERFACE: To define an administrative distance for external routes learned from other routing protocols: Click Routing Protocol, RIP, Distance. Select Add from the Action list. Enter the distance, the external route, and optionally enter the name of an ACL to filter networks according to the IP address of the router supplying the routing information.
  • Page 497: ◆ "ip rip authentication mode" on page 1034 ◆ "ip rip authentication string" on page 1035 ◆ "ip rip split-horizon" on page 1038. COMMAND USAGE: Specifying Receive and Send Protocol Types ◆...
  • Page 498: ...password. If any incoming protocol messages do not contain the correct password, they are simply dropped. For authentication to function properly, both the sending and receiving interfaces must be configured with the same password or authentication key.
  • Page 499: ◆ Authentication Type – Specifies the type of authentication required for exchanging RIPv2 protocol messages. (Default: No Authentication) ■ No Authentication: No authentication is required. ■ Simple Password: Requires the interface to exchange routing...
  • Page 500: Displaying Rip Interface Settings

    Figure 321: Configuring a Network Interface for RIP. To show the network interface settings configured for RIP: Click Routing Protocol, RIP, Interface. Select Show from the Action list. Figure 322: Showing RIP Network Interface Settings. Use the Routing Protocol >...
  • Page 501: Displaying Peer Router Information

    ◆ Rcv Bad Routes – Number of bad routes received. ◆ Send Updates – Number of route changes. INTERFACE: To display RIP interface configuration settings: Click Routing Protocol, RIP, Statistics. Select Show Interface Information from the Action list. Figure 323: Showing RIP Interface Settings. Use the Routing Protocol >...
  • Page 502: Resetting Rip Statistics

    (Chapter: Unicast Routing, Configuring the Open Shortest Path First Protocol (Version 2)) Figure 324: Showing RIP Peer Information. RESETTING RIP STATISTICS: Use the Routing Protocol > RIP > Statistics (Reset Statistics) page to reset all statistics for RIP protocol messages. CLI REFERENCES: no comparable command...
  • Page 503: Figure 326: Configuring OSPF (figure labels: isolated stub area, virtual link, backbone, normal area, ASBR, NSSA, Autonomous System A, Autonomous System B, ASBR Router, external network). COMMAND USAGE: OSPF looks at more than just the simple hop count.
  • Page 504: Defining Network Areas Based On Addresses

    ■ You can further optimize the exchange of OSPF traffic by specifying an area range that covers a large number of subnetwork addresses. This is an important technique for limiting the amount of traffic exchanged between Area Border Routers (ABRs).
  • Page 505: CLI REFERENCES: ◆ "router ospf" on page 1043 ◆ "network area" on page 1059. COMMAND USAGE: ◆ Specify an Area ID and the corresponding network address range for...
  • Page 506: INTERFACE: To define an OSPF area and the interfaces that operate within this area: Click Routing Protocol, OSPF, Network Area. Select Add from the Action list. Configure a backbone area that is contiguous with all the other areas in the network, and configure an area for all of the other OSPF interfaces.
  • Page 507: Configuring General Protocol Settings

    Figure 330: Showing OSPF Process Identifiers. CONFIGURING GENERAL PROTOCOL SETTINGS: To implement dynamic OSPF routing, first assign VLAN groups to each IP subnet to which this router will be attached (as described in the preceding section), then use the Routing Protocol >...
  • Page 508: If this router already has registered neighbors, the new router ID will be used when the router is rebooted, or manually restarted using the no router ospf command followed by the router ospf command.
  • Page 509: Figure 331: AS Boundary Router (figure labels: AS 1, AS 2, ASBR). ◆ Advertise Default Route – The router can advertise a default external route into the autonomous system (AS). (Options: Not Always, Always;...
  • Page 510: Displaying Administrative Settings And Statistics

    Figure 332: Configure General Settings for OSPF. DISPLAYING ADMINISTRATIVE SETTINGS AND STATISTICS: Use the Routing Protocol > OSPF > System (Show) page to display general administrative settings and statistics for OSPF. CLI R...
  • Page 511: Table 26: OSPF System Information (Continued). Parameter / Description: ABR Status (Area Border Router) – Indicates if this router connects directly to networks in two or more areas. An area border router runs a separate copy of the Shortest Path First algorithm, maintaining a separate routing database for each area.
  • Page 512: Adding An Nssa Or Stub

    ADDING AN NSSA OR STUB: Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub). CLI REFERENCES: "router ospf"...
  • Page 513: Configuring Nssa Settings

    To show the NSSA or stubs added to the specified OSPF domain: Click Routing Protocol, OSPF, Area. Select Configure Area from the Step list. Select Show Area from the Action list. Select a Process ID.
  • Page 514: CLI REFERENCES: ◆ "router ospf" on page 1043 ◆ "area default-cost" on page 1048 ◆ "area nssa" on page 1054. COMMAND USAGE: ◆ Before creating an NSSA, first specify the address range for the area...
  • Page 515: ◆ Redistribute – Disable this option when the router is an NSSA Area Border Router (ABR) and routes only need to be imported into normal areas (see "Redistributing External Routes"...
  • Page 516: Configuring Stub Settings

    Click Apply. Figure 337: Configuring Protocol Settings for an NSSA. CONFIGURING STUB SETTINGS: Use the Routing Protocol > OSPF > Area (Configure Area – Configure Stub Area) page to configure protocol settings for a stub. A stub does not accept external routing information.
  • Page 517: ◆ A stub can have multiple ABRs or exit points. However, all of the exit points and local routers must contain the same external routing data so that the exit point does not need to be determined for each external destination.
  • Page 518: Displaying Information On Nssa And Stub Areas

    Figure 339: Configuring Protocol Settings for a Stub. DISPLAYING INFORMATION ON NSSA AND STUB AREAS: Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas. CLI R...
  • Page 519: Configuring Area Ranges (Route Summarization For Abrs)

    Figure 340: Displaying Information on NSSA and Stub Areas. CONFIGURING AREA RANGES (ROUTE SUMMARIZATION FOR ABRS): An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
  • Page 520: PARAMETERS: These parameters are displayed in the web interface: ◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 504). ◆ Area ID –...
  • Page 521: Redistributing External Routes

    Select the process ID. Figure 343: Showing Configured Route Summaries. REDISTRIBUTING EXTERNAL ROUTES: Use the Routing Protocol > OSPF > Redistribute (Add) page to import external routing information from other routing protocols, static routes, or directly connected routes into the autonomous system, and to generate...
  • Page 522: ◆ Protocol Type – Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain. (Options: RIP, Static; Default: RIP) ◆ Metric Type –...
  • Page 523: Configuring Summary Addresses (For External As Routes)

    Figure 345: Importing External Routes. To show the imported external route types: Click Routing Protocol, OSPF, Redistribute. Select Show from the Action list. Select the process ID. Figure 346: Showing Imported External Route Types. CONFIGURING SUMMARY ADDRESSES (FOR EXTERNAL AS ROUTES): Redistributing routes from other protocols into OSPF normally requires the...
  • Page 524: CLI REFERENCES: ◆ "router ospf" on page 1043 ◆ "summary-address" on page 1053. COMMAND USAGE: ◆ If you are not sure what address ranges to consolidate, first enable...
  • Page 525: Configuring Ospf Interfaces

    To show the summary addresses for external routes: Click Routing Protocol, OSPF, Summary Address. Select Show from the Action list. Select the process ID. Figure 348: Showing Summary Addresses for External Routes. CONFIGURING OSPF INTERFACES: You should specify a routing interface for any local subnet that needs to...
  • Page 526: ◆ IP Address – Address of the interfaces assigned to a VLAN on the Network Area (Add) page. This parameter only applies to the Configure by Address page. ◆ Cost –...
  • Page 527: ◆ Transmit Delay – Sets the estimated time to send a link-state update packet over an interface. (Range: 1-65535 seconds; Default: 1 second) LSAs have their age incremented by this delay before transmission. You should consider both the transmission and propagation delays for an interface when estimating this delay.
  • Page 528: ...the OSPF header when routing protocol packets are originated by this device. A different password can be assigned to each network interface, but the password must be used consistently on all neighboring routers throughout a network (that is, autonomous system).
  • Page 529: Figure 349: Configuring Settings for All Interfaces Assigned to a VLAN. To configure interface settings for a specific area assigned to a VLAN: Click Routing Protocol, OSPF, Interface. Select Configure by Address from the Action list.
  • Page 530: Figure 350: Configuring Settings for a Specific Area Assigned to a VLAN. To show the configuration settings for OSPF interfaces: Click Routing Protocol, OSPF, Interface. Select Show from the Action list. Select the VLAN ID.
  • Page 531: Configuring Virtual Links

    Figure 352: Showing MD5 Authentication Keys. CONFIGURING VIRTUAL LINKS: Use the Routing Protocol > OSPF > Virtual Link (Add) and (Configure Detailed Settings) pages to configure a virtual link from an area that does not have a direct physical connection to the OSPF backbone.
  • Page 532: CLI REFERENCES: ◆ "router ospf" on page 1043 ◆ "area virtual-link" on page 1057. COMMAND USAGE: ◆ Use the Add page to create a virtual link, and then use the Configure...
  • Page 533: To show virtual links: Click Routing Protocol, OSPF, Virtual Link. Select Show from the Action list. Select the process ID. Figure 355: Showing Virtual Links. To configure detailed settings for a virtual link: Click Routing Protocol, OSPF, Virtual Link.
  • Page 534: Displaying Link State Database Information

    Figure 357: Showing MD5 Authentication Keys. DISPLAYING LINK STATE DATABASE INFORMATION: Use the Routing Protocol > OSPF > Information (LSDB) page to show the Link State Advertisements (LSAs) sent by OSPF routers advertising routes. The full collection of LSAs collected by a router interface from the attached...
  • Page 535: PARAMETERS: These parameters are displayed in the web interface: ◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 504). ◆ Query by –...
  • Page 536: Displaying Information On Virtual Links

    Figure 358: Displaying Information in the Link State Database. DISPLAYING INFORMATION ON VIRTUAL LINKS: Use the Routing Protocol > OSPF > Information (Virtual Link) page to show the Link State Advertisements (LSAs) stored in the link state database for virtual links.
  • Page 537: ◆ Transit Area – Common area the virtual link crosses to reach the target router. This identifier is in the form of an IP address. ◆ Router ID – Virtual neighbor's router ID....
  • Page 538: Displaying Information On Neighboring Routers

    DISPLAYING INFORMATION ON NEIGHBORING ROUTERS: Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface. CLI REFERENCES: "show ip ospf neighbor"...
  • Page 539: Select the process identifier. Figure 360: Displaying Neighbor Routers Stored in the Link State Database...
  • Page 541: Multicast Routing

    ULTICAST OUTING This chapter describes the following multicast routing topics: Enabling Multicast Routing Globally – Describes how to globally enable ◆ multicast routing. Displaying the Multicast Routing Table – Describes how to display the ◆ multicast routing table. Configuring PIM for IPv4 –...
  • Page 542 | Multicast Routing HAPTER Overview but instead, uses the routing table provided by whatever unicast routing protocol is enabled on the router interface. When the router receives a multicast packet for a source-group pair, PIM-DM checks the unicast routing table on the inbound interface to determine if this is the same interface used for routing unicast packets to the multicast source network.
  • Page 543 | Multicast Routing HAPTER Overview each multicast group. If each router is properly configured, the results of the election process will be the same for each router. Each elected RP then starts to serve as the root of a shared distribution tree for one or more multicast groups.
  • Page 544: Configuring Global Settings For Multicast Routing

    | Multicast Routing HAPTER Configuring Global Settings for Multicast Routing ONFIGURING LOBAL ETTINGS FOR ULTICAST OUTING To use multicast routing on this router, first globally enable multicast routing as described in this section, then specify the interfaces that will employ multicast routing protocols (PIM-DM or PIM-SM on page 548).
  • Page 545 | Multicast Routing HAPTER Configuring Global Settings for Multicast Routing CLI R EFERENCES ◆ "show ip mroute" on page 1086 ARAMETERS These parameters are displayed in the web interface: Show Summary Group Address – IP group address for a multicast service. ◆...
  • Page 546 | Multicast Routing HAPTER Configuring Global Settings for Multicast Routing Owner – The associated multicast protocol (PIM-DM, PIM-SM, IGMP ◆ Proxy). Flags – The flags associated with each routing entry indicate: ◆ Dense – PIM Dense mode in use. ■ Sparse –...
  • Page 547 | Multicast Routing HAPTER Configuring Global Settings for Multicast Routing Figure 362: Displaying the Multicast Routing Table To display detailed information on a specific flow in multicast routing table: Click Multicast, Multicast Routing, Information. Select Show Details from the Action List. Select a Group Address.
  • Page 548: Configuring PIM for IPv4

    Multicast Routing | CONFIGURING PIM FOR IPv4: This section describes how to configure PIM-DM and PIM-SM for IPv4. ENABLING PIM GLOBALLY: Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router. CLI REFERENCES: "router pim"...
  • Page 549 | Multicast Routing | Configuring PIM for IPv4: ◆ PIM and IGMP proxy cannot be used at the same time. When an interface is set to use PIM Dense mode or Sparse mode, IGMP proxy cannot be enabled on any interface of the device (see "Configuring IGMP Snooping and Query Parameters"...
  • Page 550 | Multicast Routing | Configuring PIM for IPv4: Hello messages are sent to neighboring PIM routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree. PIM-SM routers use these messages not only to inform neighboring routers of their presence, but also to determine which router for each LAN segment will serve as the Designated Router (DR).
  • Page 551 | Multicast Routing | Configuring PIM for IPv4: The override interval and the propagation delay are used to calculate the LAN prune delay. If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message, then the override interval represents the time required for the downstream router to process the message and then respond by sending a Join message back to the upstream router to ensure that the...
  • Page 552 | Multicast Routing | Configuring PIM for IPv4: ...topology changes (sources joining or leaving a multicast group) before the default three-minute state timeout expires. This command is only effective on interfaces of first-hop PIM-DM routers that are directly connected to the sources of multicast groups. Sparse-Mode Attributes: DR Priority –...
  • Page 553 | Multicast Routing | Configuring PIM for IPv4: Figure 365: Configuring PIM Interface Settings (Dense Mode). Figure 366: Configuring PIM Interface Settings (Sparse Mode) – 553 –...
  • Page 554: Displaying Neighbor Information

    Multicast Routing | Configuring PIM for IPv4: DISPLAYING NEIGHBOR INFORMATION: Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers. CLI REFERENCES: ◆ "show ip pim neighbor" on page 1098. PARAMETERS: These parameters are displayed in the web interface: ◆...
  • Page 555 | Multicast Routing | Configuring PIM for IPv4: ◆ Register Source – Configures the IP source address of a register message to an address other than the outgoing interface address of the DR that leads back toward the RP. (Range: VLAN 1-4094; Default: The IP address of the DR’s outgoing interface that leads back to the RP) When the source address of a register message is filtered by intermediate network devices, or is not a uniquely routed address to...
  • Page 556: Configuring A BSR Candidate

    Multicast Routing | Configuring PIM for IPv4: Figure 368: Configuring Global Settings for PIM-SM. CONFIGURING A BSR CANDIDATE: Use the Routing Protocol > PIM > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate. CLI REFERENCES: "ip pim bsr-candidate"...
  • Page 557: Configuring A Static Rendezvous Point

    Multicast Routing | Configuring PIM for IPv4: ...with the same seed hash will be mapped to the same RP. If the mask length is less than 32, then only the first portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32; Default: 10) Priority –...
  • Page 558 | Multicast Routing | Configuring PIM for IPv4: ◆ If an IP address is specified that was previously used for an RP, then the older entry is replaced. ◆ Multiple RPs can be defined for different groups or group ranges. If a...
  • Page 559: Configuring An RP Candidate

    Multicast Routing | Configuring PIM for IPv4: Figure 370: Configuring a Static Rendezvous Point. To display static rendezvous points: Click Multicast, Multicast Routing, SM. Select RP Address from the Step list. Select Show from the Action list. Figure 371: Showing Static Rendezvous Points. Use the Routing Protocol >...
  • Page 560 | Multicast Routing | Configuring PIM for IPv4: ◆ The election process for each group is based on the following criteria: ■ Find all RPs with the most specific group range. ■ Select those with the highest priority (lowest priority value). ■...
  • Page 561: Displaying The BSR Router

    Multicast Routing | Configuring PIM for IPv4: Figure 372: Configuring an RP Candidate. To display settings for an RP candidate: Click Multicast, Multicast Routing, PIM-SM. Select RP Candidate from the Step list. Select Show from the Action list. Select an interface from the VLAN list. Figure 373: Showing Settings for an RP Candidate. Use the Routing Protocol >...
  • Page 562 | Multicast Routing | Configuring PIM for IPv4: ◆ Priority – Priority value used by this BSR candidate. ◆ Hash Mask Length – The number of significant bits used in the multicast group comparison mask by this BSR candidate. ◆ Expire – The time before the BSR is declared down. ◆...
  • Page 563: Displaying RP Mapping

    Multicast Routing | Configuring PIM for IPv4: Figure 374: Showing Information About the BSR. DISPLAYING RP MAPPING: Use the Routing Protocol > PIM > SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.
  • Page 564 | Multicast Routing | Configuring PIM for IPv4: Figure 375: Showing RP Mapping – 564 –...
  • Page 565: Section: Command Line Interface

    SECTION: COMMAND LINE INTERFACE. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ "General Commands" on page 579 ◆ "System Management Commands" on page 587 ◆ "SNMP Commands"...
  • Page 566 | Command Line Interface (Section): ◆ "Domain Name Service Commands" on page 969 ◆ "DHCP Commands" on page 979 ◆ "VRRP Commands" on page 995 ◆ "IP Interface Commands" on page 1005 ◆ "IP Routing Commands" on page 1019 ◆ "Multicast Routing Commands" on page 1085 ◆...
  • Page 567: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the ECS4610-24F is opened. To end the CLI session, enter [Exit]. Console# – 567 –...
  • Page 568: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the ECS4610-24F is opened. To end the CLI session, enter [Exit]. Vty-0# – 568 –...
  • Page 569: Entering Commands

    Using the Command Line Interface | Entering Commands: You can open up to four sessions to the device via Telnet or SSH. ENTERING COMMANDS: This section describes how to enter CLI commands. KEYWORDS AND ARGUMENTS: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 570: Getting Help On Commands

    Using the Command Line Interface | Entering Commands: GETTING HELP ON COMMANDS: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. SHOWING COMMANDS: If you enter a “?”...
  • Page 571: Partial Keyword Lookup

    Using the Command Line Interface | Entering Commands: ...users Information about users logged in version System hardware and software versions vlan Shows virtual LAN settings voice Shows the voice VLAN information vrrp Shows VRRP Console#show The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Interface counters information...
  • Page 572: Understanding Command Modes

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the ECS4610-24F is opened. To end the CLI session, enter [Exit]. Console# – 572 –...
  • Page 573: Configuration Commands

    Using the Command Line Interface | Entering Commands: Username: guest Password: [guest login password] CLI session with the ECS4610-24F is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# CONFIGURATION COMMANDS: Configuration commands are privileged level commands used to modify switch settings.
  • Page 574: Table 28: Configuration Command Modes

    Using the Command Line Interface | Entering Commands: ◆ VLAN Configuration - Includes the command to create VLAN groups. To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#”...
  • Page 575: Command Line Processing

    Using the Command Line Interface | Entering Commands: COMMAND LINE PROCESSING: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 576: CLI Command Groups

    Using the Command Line Interface | CLI Command Groups: CLI COMMAND GROUPS: The system commands can be broken down into the functional groups shown below. Table 30: Command Group Index (Command Group | Description | Page): General – Basic commands for entering privileged access mode, restarting the system, or quitting the CLI; System Management – Display and setting of system information, basic modes...
  • Page 577 | Using the Command Line Interface | CLI Command Groups: Table 30: Command Group Index (Continued) (Command Group | Description | Page): Multicast Filtering – Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router; also configures multicast VLAN registration. Link Layer Discovery – Configures LLDP settings to enable information...
  • Page 578 | Using the Command Line Interface | CLI Command Groups – 578 –...
  • Page 579: General Commands

    GENERAL COMMANDS: These commands are used to control the command access mode, configuration mode, and other basic functions. Table 31: General Commands (Command | Function | Mode): prompt – Customizes the CLI prompt; reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval; enable – Activates privileged mode...
  • Page 580: Reload (Global Configuration)

    General Commands: EXAMPLE: Console(config)#prompt RD2 RD2(config)# reload (Global Configuration): This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 581: Enable

    General Commands: COMMAND USAGE: ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 582: Quit

    General Commands: EXAMPLE: Console>enable Password: [privileged level password] Console# RELATED COMMANDS: disable (584), enable password (658). quit: This command exits the configuration program. DEFAULT SETTING: None. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: The quit and exit commands can both exit the configuration program. EXAMPLE: This example shows how to quit a CLI session: Console#quit...
  • Page 583: Configure

    General Commands: EXAMPLE: In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 584: Disable

    General Commands: disable: This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 585: Show Reload

    General Commands: show reload: This command displays the current reload settings, and the time at which the next scheduled reload will take place. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 586 | General Commands: EXAMPLE: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username: – 586 –...
  • Page 587: System Management Commands

    SYSTEM MANAGEMENT COMMANDS: These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 32: System Management Commands (Command Group | Function): Device Designation – Configures information that uniquely identifies this switch; System Status – Displays system configuration, active managers, and version information...
  • Page 588: Hostname

    System Management Commands | System Status: hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name. SYNTAX: hostname name; no hostname. name - The name of this host. (Maximum length: 255 characters) DEFAULT SETTING: None...
  • Page 589: Interface Settings

    System Management Commands | System Status: ◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. ◆ This command displays the following information: ■ MAC address for the switch...
  • Page 590: Show Startup-Config

    System Management Commands | System Status: RELATED COMMANDS: show startup-config (590). show startup-config: This command displays the configuration file stored in non-volatile memory that is used to start up the system. COMMAND MODE: Privileged Exec. COMMAND USAGE: ◆ Use this command in conjunction with the show running-config...
  • Page 591: Show Users

    System Management Commands | System Status: EXAMPLE: Console#show system System Description : ECS4610-50T/ECS4610-26T System OID String : 1.3.6.1.4.1.259.10.1.1 System Information System Up Time : 0 days, 0 hours, 21 minutes, and 47.6 seconds System Name System Location System Contact MAC Address (Unit 1) : 00-00-E8-93-82-A0 Web Server...
  • Page 592: Show Version

    System Management Commands | Frame Size: show version: This command displays hardware and software version information for the system. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: See "Displaying Switch Hardware/Software Versions" on page 103 for detailed information on the items displayed by this command. EXAMPLE: Console#show version Unit 1...
  • Page 593: File Management

    System Management Commands | File Management: COMMAND USAGE: ◆ This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames on Gigabit Ethernet ports up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 594: Boot System

    System Management Commands | File Management: “Factory_Default_Config.cfg” can be copied to the FTP/TFTP server, but cannot be used as the destination on the switch. Table 36: Flash/File Commands (Command | Function | Mode): boot system – Specifies the file or image used to start up the system; copy – Copies a code image or a switch configuration to or...
  • Page 595: Copy

    System Management Commands | File Management: copy: This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 596 | System Management Commands | File Management: ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. ◆ For information on specifying an https-certificate, see "Replacing the...
  • Page 597: System Management Commands

    System Management Commands | File Management: The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 598: Delete

    System Management Commands | File Management: delete: This command deletes a file or image. SYNTAX: delete filename. filename - Name of configuration file or code image. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: ◆ If the file type is used for system startup, then this file cannot be deleted.
  • Page 599: Whichboot

    System Management Commands | File Management: COMMAND USAGE: ◆ If you enter the command dir without any parameters, the system displays all files. File information is shown below: Table 37: File Directory Information (Column Heading | Description): File Name – The name of the file. Type – File types: Boot-Rom, Operation Code, and Config file.
  • Page 600: Line

    System Management Commands | Line: You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 601: Databits

    System Management Commands | Line: DEFAULT SETTING: There is no default line. COMMAND MODE: Global Configuration. COMMAND USAGE: Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 602: Exec-Timeout

    System Management Commands | Line: EXAMPLE: To specify 7 data bits, enter this command: Console(config-line)#databits 7 Console(config-line)# RELATED COMMANDS: parity (604). exec-timeout: This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. SYNTAX: exec-timeout [seconds]; no exec-timeout...
  • Page 603: Login

    System Management Commands | Line: login: This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. SYNTAX: login [local]; no login. local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 604: Parity

    System Management Commands | Line: parity: This command defines the generation of a parity bit. Use the no form to restore the default setting. SYNTAX: parity {none | even | odd}; no parity. none - No parity; even - Even parity; odd - Odd parity. DEFAULT SETTING...
  • Page 605: Password-Thresh

    System Management Commands | Line: COMMAND USAGE: ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns...
  • Page 606: Silent-Time

    System Management Commands | Line: EXAMPLE: To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# RELATED COMMANDS: silent-time (606). silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
  • Page 607: Stopbits

    System Management Commands | Line: DEFAULT SETTING: 115200 bps. COMMAND MODE: Line Configuration. COMMAND USAGE: Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
  • Page 608: Timeout Login Response

    System Management Commands | Line: timeout login response: This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. SYNTAX: timeout login response [seconds]; no timeout login response. seconds - Integer that specifies the timeout interval.
  • Page 609: Show Line

    System Management Commands | Line: EXAMPLE: Console#disconnect 1 Console# RELATED COMMANDS: show ssh (693), show users (591). show line: This command displays the terminal line’s parameters. SYNTAX: show line [console | vty]. console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). DEFAULT SETTING: Shows all lines...
  • Page 610: Event Logging

    System Management Commands | Event Logging: EVENT LOGGING: This section describes commands used to configure event logging on the switch. Table 39: Event Logging Commands (Command | Function | Mode): logging facility – Sets the facility type for remote logging of syslog messages; logging history – Limits syslog messages saved to switch memory...
  • Page 611: Logging History

    System Management Commands | Event Logging: logging history: This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. SYNTAX: logging history {flash | ram} level; no logging history {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 612: Logging Host

    System Management Commands | Event Logging: logging host: This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. SYNTAX: [no] logging host host-ip-address. host-ip-address - The IPv4 or IPv6 address of a syslog server. DEFAULT SETTING: None...
  • Page 613: Logging Trap

    System Management Commands | Event Logging: RELATED COMMANDS: logging history (611), logging trap (613), clear log (613). logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 614: Show Log

    System Management Commands | Event Logging: COMMAND MODE: Privileged Exec. EXAMPLE: Console#clear log Console# RELATED COMMANDS: show log (614). show log: This command displays the log messages stored in local memory. SYNTAX: show log {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 615: Show Logging

    System Management Commands | Event Logging: show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. SYNTAX: show logging {flash | ram | sendmail | trap}. flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 616: SMTP Alerts

    System Management Commands | SMTP Alerts: Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Remote Log Server IP Address : 0.0.0.0 Console# Table 42: show logging trap - display description Field...
  • Page 617: Logging Sendmail

    System Management Commands | SMTP Alerts: logging sendmail: This command enables SMTP event handling. Use the no form to disable this function. SYNTAX: [no] logging sendmail. DEFAULT SETTING: Enabled. COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#logging sendmail Console(config)# logging sendmail host: This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
  • Page 618: Logging Sendmail Level

    System Management Commands | SMTP Alerts: EXAMPLE: Console(config)#logging sendmail host 192.168.1.19 Console(config)# logging sendmail level: This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. SYNTAX: logging sendmail level level; no logging sendmail level. level - One of the system message levels (page...
  • Page 619: Logging Sendmail Source-Email

    System Management Commands | SMTP Alerts: COMMAND MODE: Global Configuration. COMMAND USAGE: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. EXAMPLE: Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail source-email: This command sets the email address used for the “From” field in alert messages.
  • Page 620: Time

    System Management Commands | Time: SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- 1. ted@this-company.com SMTP Source E-mail Address: bill@this-company.com SMTP Status: Enabled Console# The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 621: SNTP Poll

    System Management Commands | Time: COMMAND USAGE: ◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 622: SNTP Server

    System Management Commands | Time: RELATED COMMANDS: sntp client (620). sntp server: This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 623: Clock Timezone

    System Management Commands | Time: EXAMPLE: Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 137.92.140.81 Console# clock timezone: This command sets the time zone for the switch’s internal clock. SYNTAX: clock timezone name hour hours minute minutes...
  • Page 624: Calendar Set

    System Management Commands | Time: calendar set: This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. SYNTAX: calendar set hour min sec {day month year | month day year}. hour - Hour in 24-hour format.
  • Page 625: Time Range

    System Management Commands | Time Range: TIME RANGE: This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 45: Time Range Commands (Command | Function | Mode): time-range – Specifies the name of a time range, and enters time range configuration mode; absolute – Sets the time range for the execution of a command...
  • Page 626: Absolute

    System Management Commands | Time Range: absolute: This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. SYNTAX: absolute start hour minute day month year [end hour minutes day month year]; absolute end hour minutes day month year; no absolute. hour - Hour in 24-hour format.
  • Page 627 | System Management Commands | Time Range: monday - Monday; saturday - Saturday; sunday - Sunday; thursday - Thursday; tuesday - Tuesday; wednesday - Wednesday; weekdays - Weekdays; weekend - Weekends. hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) DEFAULT SETTING: None...
  • Page 628 | System Management Commands | Time Range – 628 –...
  • Page 629: SNMP Commands

    SNMP COMMANDS: Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 630: SNMP-Server

    SNMP Commands: Table 46: SNMP Commands (Continued) (Command | Function | Mode): Notification Log Commands: Enables the specified notification log; snmp-server notify-filter – Creates a notification log and specifies the target host; show nlm oper-status – Shows operation status of configured notification logs; show snmp notify-filter – Displays the configured notification logs...
  • Page 631: SNMP-Server Contact

    SNMP Commands: DEFAULT SETTING: ◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects. ◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#snmp-server community alpha rw Console(config)#...
  • Page 632: Show SNMP

    SNMP Commands: DEFAULT SETTING: None. COMMAND MODE: Global Configuration. EXAMPLE: Console(config)#snmp-server location WC-19 Console(config)# RELATED COMMANDS: snmp-server contact (631). show snmp: This command can be used to check the status of SNMP communications. DEFAULT SETTING: None. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: This command provides information on the community access strings,...
  • Page 633: SNMP-Server Enable Traps

    SNMP Commands: 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging: Disabled Console# snmp-server enable traps: This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
  • Page 634: SNMP-Server Host

    SNMP Commands: RELATED COMMANDS: snmp-server host (634). snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. SYNTAX: snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}]; no snmp-server host host-addr...
  • Page 635 | SNMP Commands: COMMAND USAGE: ◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
  • Page 636: Snmp-Server Engine-Id

    | SNMP Commands HAPTER If you specify an SNMP Version 3 host, then the community string is ◆ interpreted as an SNMP user name. The user name must first be defined with the snmp-server user command. Otherwise, an SNMPv3 group will be automatically created by the snmp-server host command using the name of the specified community string, and default settings for the read, write, and notify view.
  • Page 637: Snmp-Server Group

    | SNMP Commands chapter. ...therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. ◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
  • Page 638 | SNMP Commands chapter. Default Setting: Default groups: public (read only), private (read/write); readview - Every object belonging to the Internet OID space (1); writeview - Nothing is defined; notifyview - Nothing is defined. Command Mode: Global Configuration. Command Usage: ◆ A group sets the access policy for the assigned users. ◆...
  • Page 639: Snmp-Server User

    | SNMP Commands chapter. snmp-server user: This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax: snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]...
  • Page 640: Snmp-Server View

    | SNMP Commands chapter. ◆ Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent’s SNMP engine ID is used to compute authentication/privacy digests from the user’s password.
  • Page 641: Show Snmp Engine-Id

    | SNMP Commands chapter. Examples: This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries.
  • Page 642: Show Snmp Group

    | SNMP Commands chapter. show snmp group: Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode: Privileged Exec. Example: Console#show snmp group Group Name : r&d Security Model : v3 Read View : defaultview Write View...
  • Page 643: Show Snmp User

    | SNMP Commands chapter. Table 48: show snmp group - display description (Continued). Field / Description: Notify View - The associated notify view. Storage Type - The storage type for this entry. Row Status - The row status of this entry. show snmp user: This command shows information on SNMP users. Command Mode: Privileged Exec...
  • Page 644: Show Snmp View

    | SNMP Commands chapter. show snmp view: This command shows information on the SNMP views. Command Mode: Privileged Exec. Example: Console#show snmp view View Name : mib-2 Subtree OID : 1.2.2.3.6.2.1 View Type : included Storage Type : nonvolatile Row Status : active View Name : defaultview...
  • Page 645: Snmp-Server Notify-Filter

    | SNMP Commands chapter. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example: This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 646: Show Nlm Oper-Status

    | SNMP Commands chapter. ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
  • Page 647: Show Snmp Notify-Filter

    | SNMP Commands chapter. show snmp notify-filter: This command displays the configured notification logs. Command Mode: Privileged Exec. Example: This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- ---------------- 10.1.19.23 Console#...
  • Page 649: Remote Monitoring Commands

    Remote Monitoring Commands: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 650: Rmon Alarm

    | Remote Monitoring Commands chapter. rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax: rmon alarm index variable interval seconds {absolute | delta} rising-threshold threshold event event-index falling-threshold threshold event event-index [owner name]; no rmon event index. index –...
  • Page 651: Rmon Event

    | Remote Monitoring Commands chapter. ...such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold. Example: Console(config)#rmon alarm 1 1 1.3.6.1.2.1.16.1.1.1.6.1 interval 15 delta rising-threshold 100 event 1 falling-threshold 30 event 1 owner mike Console(config)# rmon event: This command creates a response event for an alarm.
  • Page 652: Rmon Collection History

    | Remote Monitoring Commands chapter. Command Usage: ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm...
  • Page 653: Rmon Collection Stats

    | Remote Monitoring Commands chapter. Example: Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike Console(config-if)# rmon collection stats: This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection. Syntax: rmon collection stats index [owner name]...
  • Page 654: Show Rmon Alarm

    | Remote Monitoring Commands chapter. show rmon alarm: This command shows the settings for all configured alarms. Command Mode: Privileged Exec. Example: Console#show rmon alarm Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0 Falling threshold is 446400, assigned to event 0. This command shows the settings for all configured events.
  • Page 655: Show Rmon Statistics

    | Remote Monitoring Commands chapter. show rmon statistics: This command shows the information collected for all configured entries in the statistics group. Command Mode: Privileged Exec. Example: Console#show rmon statistics Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 which has Received 164289 octets, 2372 packets, 120 broadcast and 2211 multicast packets, 0 undersized and 0 oversized packets,...
  • Page 657: Authentication

    Authentication Commands: You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 658: Enable Password

    | Authentication Commands chapter. User Accounts. After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. enable password: This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 659: Username

    | Authentication Commands chapter. User Accounts. username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
  • Page 660: Authentication Sequence

    | Authentication Commands chapter. Authentication Sequence: Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 55: Authentication Sequence Commands (Command / Function / Mode)...
  • Page 661: Authentication Login

    | Authentication Commands chapter. Authentication Sequence. If the TACACS+ server is not available, the local user name and password are checked. Example: Console(config)#authentication enable radius Console(config)# Related Commands: enable password - sets the password for changing command modes (658). authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default.
  • Page 662: Radius Client

    | Authentication Commands chapter. RADIUS Client. Example: Console(config)#authentication login radius Console(config)# Related Commands: username - for setting the local user names and passwords (659). RADIUS Client: Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
  • Page 663: Radius-Server Auth-Port

    | Authentication Commands chapter. RADIUS Client. Example: Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. Syntax: radius-server auth-port port-number; no radius-server auth-port. port-number - RADIUS server UDP port used for authentication messages.
  • Page 664: Radius-Server Key

    | Authentication Commands chapter. RADIUS Client. retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting: auth-port - 1812...
  • Page 665: Radius-Server Retransmit

    | Authentication Commands chapter. RADIUS Client. radius-server retransmit: This command sets the number of retries. Use the no form to restore the default. Syntax: radius-server retransmit number-of-retries; no radius-server retransmit. number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 666: Show Radius-Server

    | Authentication Commands chapter. TACACS+ Client. show radius-server: This command displays the current settings for the RADIUS server. Default Setting: None. Command Mode: Privileged Exec. Example: Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times Request Timeout...
  • Page 667: Tacacs-Server

    | Authentication Commands chapter. TACACS+ Client. tacacs-server: This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax: tacacs-server index host host-ip-address [key key] [port port-number]; no tacacs-server index. index - The index for this server.
  • Page 668: Tacacs-Server Key

    | Authentication Commands chapter. TACACS+ Client. tacacs-server key: This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax: tacacs-server key key-string; no tacacs-server key. key-string - Encryption key used to authenticate logon access for the client.
  • Page 669: Show Tacacs-Server

    | Authentication Commands chapter. show tacacs-server: This command displays the current settings for the TACACS+ server. Default Setting: None. Command Mode: Privileged Exec. Example: Console#show tacacs-server Remote TACACS+ Server Configuration: Global Settings: Server Port Number: 49 Server 1: Server IP Address : 10.11.12.13 Server Port Number : 49 Tacacs Server Group:...
  • Page 670: Aaa Accounting Commands

    | Authentication Commands chapter. Table 58: AAA Commands (Continued). Command / Function / Mode: authorization exec - Applies an authorization method to local console, Telnet or SSH connections - Line; show accounting - Displays all accounting information. aaa accounting commands: This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
  • Page 671: Aaa Accounting Dot1X

    | Authentication Commands chapter. Example: Console(config)#aaa accounting commands 15 default start-stop group tacacs+ Console(config)# aaa accounting dot1x: This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax: aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ | server-group}; no aaa accounting dot1x {default | method-name}. default - Specifies the default accounting method for service...
  • Page 672: Aaa Accounting Exec

    | Authentication Commands chapter. aaa accounting exec: This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax: aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}; no aaa accounting exec {default | method-name}. default - Specifies the default accounting method for service requests.
  • Page 673: Aaa Accounting Update

    | Authentication Commands chapter. aaa accounting update: This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax: aaa accounting update [periodic interval]; no aaa accounting update. interval - Sends an interim accounting record to the server at this interval.
  • Page 674: Aaa Group Server

    | Authentication Commands chapter. Default Setting: Authorization is not enabled; No servers are specified. Command Mode: Global Configuration. Command Usage: ◆ This command performs authorization to determine if a user is allowed to run an Exec shell. ◆ AAA authentication must be enabled before authorization is enabled. ◆ If this command is issued without a specified named method, the...
  • Page 675: Server

    | Authentication Commands chapter. server: This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax: [no] server {index | ip-address}. index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) ip-address - Specifies the host IP address of a server.
  • Page 676: Accounting Exec

    | Authentication Commands chapter. Example: Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec: This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. Syntax: accounting exec {default | list-name}; no accounting exec. default - Specifies the default method list created with the accounting exec...
  • Page 677: Show Accounting

    | Authentication Commands chapter. Command Mode: Line Configuration. Example: Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting: This command displays the current accounting settings per function and per port. Syntax: show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]. commands - Displays command accounting information.
  • Page 678: Web Server

    | Authentication Commands chapter. Web Server. Group List : radius Interface : Eth 1/2 Accounting Type : EXEC Method List : default Group List : tacacs+ Interface : vty Console# Web Server: This section describes commands used to configure web browser management access to the switch.
  • Page 679: Ip Http Server

    | Authentication Commands chapter. Web Server. Related Commands: ip http server (679), show system (590). ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax: [no] ip http server. Default Setting:...
  • Page 680: Table 60: Https System Support

    | Authentication Commands chapter. Web Server. When you start HTTPS, the connection is established in this way: ■ The client authenticates the server using the server’s digital certificate. ■ The client and server negotiate a set of security protocols to use for...
  • Page 681: Ip Http Secure-Port

    | Authentication Commands chapter. Telnet Server. ip http secure-port: This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax: ip http secure-port port_number; no ip http secure-port. port_number –...
  • Page 682: Ip Telnet Max-Sessions

    | Authentication Commands chapter. Telnet Server. This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level. ip telnet max-sessions: This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system.
  • Page 683: Ip Telnet Server

    | Authentication Commands chapter. Telnet Server. Command Mode: Global Configuration. Example: Console(config)#ip telnet port 123 Console(config)# ip telnet server: This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax: [no] ip telnet server. Default Setting: Enabled...
  • Page 684: Secure Shell

    | Authentication Commands chapter. Secure Shell: This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. The switch supports both SSH Version 1.5 and 2.0 clients.
  • Page 685 | Authentication Commands chapter. Secure Shell. To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 686 | Authentication Commands chapter. Secure Shell. To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.
  • Page 687: Ip Ssh Authentication-Retries

    | Authentication Commands chapter. Secure Shell. ip ssh authentication-retries: This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax: ip ssh authentication-retries count; no ip ssh authentication-retries. count –...
  • Page 688: Ip Ssh Server-Key Size

    | Authentication Commands chapter. Secure Shell. Example: Console#ip ssh crypto host-key generate dsa Console#configure Console(config)#ip ssh server Console(config)# Related Commands: ip ssh crypto host-key generate (689), show ssh (693). ip ssh server-key size: This command sets the SSH server key size. Use the no form to restore the default setting.
  • Page 689: Delete Public-Key

    | Authentication Commands chapter. Secure Shell. Command Mode: Global Configuration. Command Usage: The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 690: Ip Ssh Crypto Zeroize

    | Authentication Commands chapter. Secure Shell. Default Setting: Generates both the DSA and RSA key pairs. Command Mode: Privileged Exec. Command Usage: ◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. ◆ This command stores the host key pair in memory (i.e., RAM). Use the...
  • Page 691: Ip Ssh Save Host-Key

    | Authentication Commands chapter. Secure Shell. ◆ The SSH server must be disabled before you can execute this command. Example: Console#ip ssh crypto zeroize dsa Console# Related Commands: ip ssh crypto host-key generate (689), ip ssh save host-key (691), ip ssh server (687). ip ssh save host-key: This command saves the host key from RAM to flash memory.
  • Page 692: Show Public-Key

    | Authentication Commands chapter. Secure Shell. show public-key: This command shows the public key for the specified user or for the host. Syntax: show public-key [user [username] | host]. username – Name of an SSH user. (Range: 1-8 characters) Default Setting: Shows all public keys.
  • Page 693: Show Ssh

    | Authentication Commands chapter. 802.1X Port Authentication. show ssh: This command displays the current SSH server connections. Command Mode: Privileged Exec. Example: Console#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console# Table 63: show ssh - display description. Field / Description: Session...
  • Page 694: Dot1X Default

    | Authentication Commands chapter. 802.1X Port Authentication. Table 64: 802.1X Port Authentication Commands (Continued). Command / Function / Mode: dot1x timeout quiet-period - Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client; dot1x timeout re-authperiod - Sets the time period after which a connected client...
  • Page 695: Dot1X System-Auth-Control

    | Authentication Commands chapter. 802.1X Port Authentication. ◆ When this device is functioning as an edge switch but does not require any attached clients to be authenticated, the no dot1x eapol-pass-through command can be used to discard unnecessary EAPOL traffic. Example: This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
  • Page 696: Dot1X Max-Req

    | Authentication Commands chapter. 802.1X Port Authentication. Command Usage: For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
  • Page 697: Dot1X Operation-Mode

    | Authentication Commands chapter. 802.1X Port Authentication. dot1x operation-mode: This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 698: Dot1X Port-Control

    | Authentication Commands chapter. 802.1X Port Authentication. dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax: dot1x port-control {auto | force-authorized | force-unauthorized}; no dot1x port-control. auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 699: Dot1X Timeout Quiet-Period

    | Authentication Commands chapter. 802.1X Port Authentication. Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands: dot1x timeout re-authperiod (699). dot1x timeout quiet-period: This command sets the time that a switch port waits after the maximum request count (see page 696) has been exceeded before attempting to acquire a new client.
  • Page 700: Dot1X Timeout Supp-Timeout

    | Authentication Commands chapter. 802.1X Port Authentication. Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout: This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.
  • Page 701: Dot1X Re-Authenticate

    | Authentication Commands chapter. 802.1X Port Authentication. Default Setting: 30 seconds. Command Mode: Interface Configuration. Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate: This command forces re-authentication on all ports or a specific interface. Syntax: dot1x re-authenticate [interface]. interface: ethernet unit/port; unit - Stack unit.
  • Page 702: Show Dot1X

    | Authentication Commands chapter. 802.1X Port Authentication. show dot1x: This command shows general port authentication related settings on the switch or a specific interface. Syntax: show dot1x [statistics] [interface interface]. statistics - Displays dot1x status for each port. interface: ethernet unit/port; unit - Stack unit.
  • Page 703 | Authentication Commands chapter. 802.1X Port Authentication. ■ Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port. ■ Port Control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 698). ■ Intrusion Action –...
  • Page 704: Management Ip Filter

    | Authentication Commands chapter. Management IP Filter. Quiet Period : 60 TX Period : 30 Supplicant Timeout : 30 Server Timeout : 10 Reauth Max Retries Max Request Operation Mode : Multi-host Port Control : Auto Intrusion Action : Block traffic Supplicant : 00-e0-29-94-34-65 Authenticator PAE State Machine...
  • Page 705: Management

    | Authentication Commands chapter. Management IP Filter. management: This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax: [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]. all-client - Adds IP address(es) to all groups.
  • Page 706: Show Management

    | Authentication Commands chapter. Management IP Filter. show management: This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax: show management {all-client | http-client | snmp-client | telnet-client}. all-client - Displays IP addresses for all groups. http-client - Displays IP addresses for the web group.
  • Page 707: General Security Measures

    General Security Measures: This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
  • Page 708: Port Security

    | General Security Measures chapter. Port Security: These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 709: Port Security

    | General Security Measures chapter. Port Security. ◆ The mac-learning commands cannot be used if 802.1X Port Authentication has been globally enabled on the switch with the dot1x system-auth-control command, or if MAC Address Security has been enabled by the port security command on the same interface.
  • Page 710 | General Security Measures chapter. Port Security. ...addresses when it reaches a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. ◆ First use the port security max-mac-count command to set the...
  • Page 711: Network Access (Mac Address Authentication)

    | General Security Measures chapter. Network Access (MAC Address Authentication): Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 712: Network-Access Aging

    | General Security Measures chapter. Network Access (MAC Address Authentication). network-access aging: Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. Syntax: [no] network-access aging. Default Setting:...
  • Page 713: Mac-Authentication Reauth-Time

    | General Security Measures chapter. Network Access (MAC Address Authentication). Command Mode: Global Configuration. Command Usage: ◆ Specified addresses are exempt from network access authentication. ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 714: Network-Access Dynamic-Qos

    | General Security Measures chapter. Network Access (MAC Address Authentication). network-access dynamic-qos: Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. Syntax: [no] network-access dynamic-qos. Default Setting: Disabled. Command Mode: Interface Configuration. Command...
  • Page 715: Network-Access Dynamic-Vlan

    | General Security Measures chapter. Network Access (MAC Address Authentication). network-access dynamic-vlan: Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. Syntax: [no] network-access dynamic-vlan. Default Setting: Enabled. Command Mode: Interface Configuration. Command...
  • Page 716: Network-Access Link-Detection

    | General Security Measures chapter. Network Access (MAC Address Authentication). Command Mode: Interface Configuration. Command Usage: ◆ The VLAN to be used as the guest VLAN must be defined and set as active (see the vlan database command). ◆ When used with 802.1X authentication, the intrusion-action must be...
  • Page 717: Network-Access Link-Detection Link-Down

    | General Security Measures chapter. Network Access (MAC Address Authentication). network-access link-detection link-down: Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 718: Network-Access Link-Detection Link-Up-Down

    | General Security Measures chapter. Network Access (MAC Address Authentication). Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up action trap Console(config-if)# network-access link-detection link-up-down: Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 719: Network-Access Mode Mac-Authentication

    | General Security Measures chapter. Network Access (MAC Address Authentication). Command Mode: Interface Configuration. Command Usage: The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 720: Network-Access Port-Mac-Filter

    | General Security Measures chapter. Network Access (MAC Address Authentication). ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN...
  • Page 721: Mac-Authentication Intrusion-Action

    | General Security Measures chapter. Network Access (MAC Address Authentication). mac-authentication intrusion-action: Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax: mac-authentication intrusion-action {block traffic | pass traffic}; no mac-authentication intrusion-action. Default Setting:...
  • Page 722: Show Network-Access

    General Security Measures | Network Access (MAC Address Authentication). show network-access: Use this command to display the MAC authentication settings for port interfaces. Syntax: show network-access [interface interface]. interface - Specifies a port interface: ethernet unit/port; unit - Stack unit. (Range: 1); port - Port number.
  • Page 723: Show Network-Access Mac-Address-Table

    General Security Measures | Network Access (MAC Address Authentication). show network-access mac-address-table: Use this command to display secure MAC address table entries. Syntax: show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]. static - Specifies static address entries.
  • Page 724: Show Network-Access Mac-Filter

    General Security Measures | DHCP Snooping. show network-access mac-filter: Use this command to display information for entries in the MAC filter tables. Syntax: show network-access mac-filter [filter-id]. filter-id - Specifies a MAC address filter table. (Range: 1-64). Default Setting: Displays all filters.
  • Page 725: Ip Dhcp Snooping

    General Security Measures | DHCP Snooping. ip dhcp snooping: This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax: [no] ip dhcp snooping. Default Setting: Disabled. Command Mode: Global Configuration. Command Usage: ◆ Network traffic may be disrupted when malicious DHCP messages are...
  • Page 726

    General Security Measures | DHCP Snooping. ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. ■ If the DHCP packet is from a client, such as a DISCOVER,...
  • Page 727: Ip Dhcp Snooping Database Flash

    General Security Measures | DHCP Snooping. ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory. Command Mode: Privileged Exec. Command Usage: This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 728: Ip Dhcp Snooping Information Policy

    General Security Measures | DHCP Snooping. ◆ Use the ip dhcp snooping information option command to specify how to handle DHCP client request packets which already contain Option 82 information. Example: This example enables the DHCP Snooping Information Option.
    Console(config)#ip dhcp snooping information option
    Console(config)#
    ip dhcp snooping information policy: This command sets the DHCP snooping information option policy for DHCP...
  • Page 729: Ip Dhcp Snooping Verify Mac-Address

    General Security Measures | DHCP Snooping. ip dhcp snooping verify mac-address: This command verifies the client's hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function. Syntax: [no] ip dhcp binding verify mac-address. Default...
  • Page 730: Ip Dhcp Snooping Trust

    General Security Measures | DHCP Snooping. ◆ When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled. ◆ When DHCP snooping is globally enabled, configuration changes for...
  • Page 731: Clear Ip Dhcp Snooping Database Flash

    General Security Measures | DHCP Snooping. ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. ◆ Additional considerations when the switch itself is a DHCP client: The...
  • Page 732: Show Ip Dhcp Snooping

    General Security Measures | DHCP Snooping. show ip dhcp snooping: This command shows the DHCP snooping configuration settings. Command Mode: Privileged Exec. Example:
    Console#show ip dhcp snooping
    Global DHCP Snooping status: disable
    DHCP Snooping Information Option Status: disable
    DHCP Snooping Information Policy: replace
    DHCP Snooping is configured on the following VLANs:
    Verify Source Mac-Address: enable
    Interface...
  • Page 733: Ip Source Guard

    General Security Measures | IP Source Guard. IP Source Guard: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 734

    General Security Measures | IP Source Guard. Command Mode: Global Configuration. Command Usage: ◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. ◆ All static entries are configured with an infinite lease time, which is...
  • Page 735: Ip Source-Guard

    General Security Measures | IP Source Guard. ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax: ip source-guard {sip | sip-mac}; no ip source-guard. sip - Filters traffic based on IP addresses stored in the binding...
  • Page 736: Ip Source-Guard Max-Binding

    General Security Measures | IP Source Guard. ◆ Filtering rules are implemented as follows: ■ If DHCP snooping is disabled (see page 725), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  • Page 737: Show Ip Source-Guard

    General Security Measures | IP Source Guard. Command Usage: ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
  • Page 738: Arp Inspection

    General Security Measures | ARP Inspection. Example:
    Console#show ip source-guard binding
    MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
    ----------------- --------------- ---------- -------------------- ---- --------
    11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
    Console#
    ARP Inspection: ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 739: Ip Arp Inspection

    General Security Measures | ARP Inspection. Table 72: ARP Inspection Commands (Continued). Command | Function | Mode. show ip arp inspection statistics - Shows statistics about the number of ARP packets processed, or dropped for various reasons. show ip arp inspection vlan - Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL...
  • Page 740: Ip Arp Inspection Filter

    General Security Measures | ARP Inspection. ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. Syntax: ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]. arp-acl-name - Name of an ARP ACL.
  • Page 741: Ip Arp Inspection Log-Buffer Logs

    General Security Measures | ARP Inspection. ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings. Syntax: ip arp inspection log-buffer logs message-number interval seconds; no ip arp inspection log-buffer logs...
  • Page 742: Ip Arp Inspection Validate

    General Security Measures | ARP Inspection. ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. Syntax: ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}; no ip arp inspection validate. dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 743: Ip Arp Inspection Limit

    General Security Measures | ARP Inspection. Default Setting: Disabled on all VLANs. Command Mode: Global Configuration. Command Usage: ◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 744: Ip Arp Inspection Trust

    General Security Measures | ARP Inspection. Command Mode: Interface Configuration (Port). Command Usage: ◆ This command only applies to untrusted ports. ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit. Example:
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip arp inspection limit 150...
  • Page 745: Show Ip Arp Inspection Interface

    General Security Measures | ARP Inspection. Example:
    Console#show ip arp inspection configuration
    ARP inspection global information:
    Global IP ARP Inspection status : disabled
    Log Message Interval            : 10 s
    Log Message Number
    Need Additional Validation(s)   : Yes
    Additional Validation Type      : Destination MAC address
    Console#
    This command shows the trust status and ARP Inspection rate limit for...
  • Page 746: Show Ip Arp Inspection Statistics

    General Security Measures | ARP Inspection. show ip arp inspection statistics: This command shows statistics about the number of ARP packets processed, or dropped for various reasons. Command Mode: Privileged Exec. Example:
    Console#show ip arp inspection log
    Total log entries number is 1
    Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 747: Access Control Lists

    Access Control Lists: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 748: Access-List Ip

    Access Control Lists | IPv4 ACLs. access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax: [no] access-list ip {standard | extended} acl-name. standard –...
  • Page 749: Permit, Deny (Standard Ip Acl)

    Access Control Lists | IPv4 ACLs. permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax: {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 750: Permit, Deny (Extended Ipv4 Acl)

    Access Control Lists | IPv4 ACLs. permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 751

    Access Control Lists | IPv4 ACLs. port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535). control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63). flag-bitmask –...
  • Page 752: Ip Access-Group

    Access Control Lists | IPv4 ACLs. Example: This example accepts any incoming packets if the source address is within subnet 10.7.1.x. If the rule is matched, i.e. the rule's masked address (10.7.1.0 & 255.255.255.0) equals the packet's masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 753: Show Ip Access-Group

    Access Control Lists | IPv4 ACLs. Command Usage: ◆ Only one ACL can be bound to a port. ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example:
    Console(config)#int eth 1/2
    Console(config-if)#ip access-group david in...
  • Page 754: Ipv6 Acls

    Access Control Lists | IPv6 ACLs. Example:
    Console#show ip access-list standard
    IP standard access-list david:
        permit host 10.1.1.21
        permit 168.92.0.0 255.255.15.0
    Console#
    Related Commands: permit, deny (749); ip access-group (752). IPv6 ACLs: The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label.
  • Page 755: Permit, Deny (Standard Ipv6 Acl)

    Access Control Lists | IPv6 ACLs. Command Mode: Global Configuration. Command Usage: ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 756: Permit, Deny (Extended Ipv6 Acl)

    Access Control Lists | IPv6 ACLs. Default Setting: None. Command Mode: Standard IPv6 ACL. Command Usage: New rules are appended to the end of the list. Example: This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 757

    Access Control Lists | IPv6 ACLs. ...routers, such as non-default quality of service or "real-time" service (see RFC 2460). (Range: 0-16777215). next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255). time-range-name - Name of the time range. (Range: 1-30 characters). Default Setting...
  • Page 758: Show Ipv6 Access-List

    Access Control Lists | IPv6 ACLs. Example: This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.
    Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
    Console(config-ext-ipv6-acl)#
    This allows packets to any destination address when the DSCP value is 5.
    Console(config-ext-ipv6-acl)#permit any dscp 5
    Console(config-ext-ipv6-acl)#
    This allows any packets sent to the destination 2009:DB9:2229::79/48 when the flow label is 43...
  • Page 759: Ipv6 Access-Group

    Access Control Lists | IPv6 ACLs. ipv6 access-group: This command binds a port to an IPv6 ACL. Use the no form to remove the port. Syntax: ipv6 access-group acl-name in [time-range time-range-name]; no ipv6 access-group acl-name in. acl-name – Name of the ACL. (Maximum length: 16 characters). in –...
  • Page 760: Mac Acls

    Access Control Lists | MAC ACLs. Related Commands: ipv6 access-group (759). MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 761: (Mac Acl)

    Access Control Lists | MAC ACLs. Example:
    Console(config)#access-list mac jerry
    Console(config-mac-acl)#
    Related Commands: permit, deny (761); mac access-group (763); show mac access-list (764). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 762

    Access Control Lists | MAC ACLs.
    {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name]
    no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask]
    {permit | deny} untagged-802.3...
  • Page 763: Mac Access-Group

    Access Control Lists | MAC ACLs. ◆ The ethertype option can only be used to filter Ethernet II formatted packets. ◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: ■ 0800 - IP...
  • Page 764: Show Mac Access-Group

    Access Control Lists | MAC ACLs. Related Commands: show mac access-list (764); Time Range (625). show mac access-group: This command shows the ports assigned to MAC ACLs. Command Mode: Privileged Exec. Example:
    Console#show mac access-group
    Interface ethernet 1/5
     MAC access-list M5 in
    Console#
    Related Commands:...
  • Page 765: Arp Acls

    Access Control Lists | ARP ACLs. ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 766: Permit, Deny (Arp Acl)

    Access Control Lists | ARP ACLs. permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. Syntax: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 767: Show Arp Access-List

    Access Control Lists | ARP ACLs. Example: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
    Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
    Console(config-mac-acl)#
    Related Commands: access-list arp (765). show arp access-list: This command displays the rules for configured ARP ACLs.
  • Page 768: Acl Information

    Access Control Lists | ACL Information. ACL Information: This section describes commands used to display ACL information. Table 78: ACL Information Commands. Command | Function | Mode. show access-group - Shows the ACLs assigned to each port. show access-list - Shows all ACLs and associated rules. This command shows the port assignments of ACLs.
  • Page 769: Interface

    Interface Commands: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 79: Interface Commands. Command | Function | Mode. Interface Configuration: interface - Configures an interface type and enters interface configuration mode. alias - Configures an alias name for the interface...
  • Page 770: Interface

    Interface Commands. interface: This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.
  • Page 771: Capabilities

    Interface Commands. Command Usage: The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface. Example: The following example adds an alias to port 4.
  • Page 772: Description

    Interface Commands. Example: The following example configures Ethernet port 5 capabilities to include 100half and 100full.
    Console(config)#interface ethernet 1/5
    Console(config-if)#capabilities 100half
    Console(config-if)#capabilities 100full
    Console(config-if)#capabilities flowcontrol
    Console(config-if)#
    Related Commands: negotiation (774); speed-duplex (776); flowcontrol (773). description: This command adds a description to an interface. Use the no form to remove the description.
  • Page 773: Flowcontrol

    Interface Commands. flowcontrol: This command enables flow control. Use the no form to disable flow control. Syntax: [no] flowcontrol. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: ◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 774: Media-Type

    Interface Commands. media-type: This command forces the port type selected for combination ports 25-26. Use the no form to restore the default mode. Syntax: media-type mode; no media-type. mode: copper-forced - Always uses the built-in RJ-45 port. sfp-forced - Always uses the SFP port (even if module not installed).
  • Page 775: Shutdown

    Interface Commands. ...negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. ◆ If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports. Example: The following example configures port 11 to use auto-negotiation.
    Console(config)#interface ethernet 1/11
    Console(config-if)#negotiation
    Console(config-if)#...
  • Page 776: Speed-Duplex

    Interface Commands. speed-duplex: This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. Syntax: speed-duplex {1000full | 100full | 100half | 10full | 10half}; no speed-duplex. 1000full - Forces 1 Gbps full-duplex operation. 100full - Forces 100 Mbps full-duplex operation...
  • Page 777: Switchport Packet-Rate

    Interface Commands. Related Commands: negotiation (774); capabilities (771). switchport packet-rate: This command configures broadcast storm control. Use the no form to restore the default setting. Syntax: switchport broadcast packet-rate rate; no switchport broadcast. rate - Threshold level as a rate; i.e., packets per second. (Range: 500-262143). Default Setting...
  • Page 778: Clear Counters

    Interface Commands. clear counters: This command clears statistics on an interface. Syntax: clear counters interface. interface: ethernet unit/port; unit - Stack unit. (Range: 1); port - Port number. (Range: 1-24); port-channel channel-id (Range: 1-32). Default Setting: None. Command Mode: Privileged Exec. Command Usage:...
  • Page 779

    Interface Commands. Command Mode: Normal Exec, Privileged Exec. Command Usage: If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" on page 131.
  • Page 780: Show Interfaces Status

    Interface Commands.
    ===== Port Utilization =====
    35 Octets Input per seconds
    0 Packets Input per seconds
    0.00 % Input Utilization
    56 Octets Output per seconds
    0 Packets Output per second
    0.00 % Output Utilization
    Console#
    show interfaces status: This command displays the status for an interface. Syntax...
  • Page 781: Show Interfaces Switchport

    Interface Commands.
    : 1518
    Current Status:
    Link Status            : Up
    Port Operation Status  : Up
    Operation Speed-duplex : 100full
    Flow Control Type      : None
    Console#
    show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. Syntax: show interfaces switchport [interface]...
  • Page 782: Test Cable-Diagnostics Dsp

    Interface Commands.
    Console#
    Table 80: show interfaces switchport - display description. Field | Description. Broadcast Threshold - Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 777). LACP Status - Shows if Link Aggregation Control Protocol has been enabled or disabled (page 789).
  • Page 783: Test Loop Internal

    Interface Commands. Command Mode: Privileged Exec. Command Usage: ◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. ◆ This cable test is only accurate for cables 7 - 140 meters long. ◆ The test takes approximately 5 seconds. The switch displays the results...
  • Page 784: Show Cable-Diagnostics

    Interface Commands. Command Usage: When performing an internal loopback test, packets from the specified interface are looped back into its internal PHY. Outgoing data is looped back to the receiver without actually being transmitted. Internal loopback makes it possible to check that an interface is working properly without having to make any network connections.
  • Page 785

    Interface Commands. Example:
    Console#show loop internal interface ethernet 1/1
    Port     Test Result    Last Update
    -------- -------------- --------------------
    Eth 1/1  Succeeded      2024-07-15 15:26:56
    Console#
  • Page 787: Link Aggregation Commands

    Link Aggregation Commands: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 788: Channel-Group

    Link Aggregation Commands. ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. ◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
  • Page 789: Lacp

    Link Aggregation Commands. Example: The following example creates trunk 1 and then adds port 11:
    Console(config)#interface port-channel 1
    Console(config-if)#exit
    Console(config)#interface ethernet 1/11
    Console(config-if)#channel-group 1
    Console(config-if)#
    lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax: [no] lacp. Default...
  • Page 790: Lacp Admin-Key (Ethernet Interface)

    Link Aggregation Commands.
    Mac Address    : 12-34-12-34-12-3F
    Configuration:
    Name
    Port Admin     : Up
    Speed-duplex   : Auto
    Capabilities   : 10half, 10full, 100half, 100full, 1000full
    Flow Control   : Disabled
    Port Security  : Disabled
    Max MAC Count
    Current status:
    Created By     : LACP
    Link Status    : Up...
  • Page 791: Lacp Port-Priority

    Link Aggregation Commands. Example:
    Console(config)#interface ethernet 1/5
    Console(config-if)#lacp actor admin-key 120
    Console(config-if)#
    lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. Syntax: lacp {actor | partner} port-priority priority; no lacp {actor | partner} port-priority. actor - The local side of an aggregate link.
  • Page 792: Lacp System-Priority

    Link Aggregation Commands. lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax: lacp {actor | partner} system-priority priority; no lacp {actor | partner} system-priority. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 793: Show Lacp

    Link Aggregation Commands. Default Setting; Command Mode: Interface Configuration (Port Channel). Command Usage: ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 794: Table 82: Show Lacp Counters - Display Description

    Link Aggregation Commands. Example:
    Console#show lacp 1 counters
    Port Channel: 1
    -------------------------------------------------------------------------
    Eth 1/ 2
    -------------------------------------------------------------------------
    LACPDUs Sent          : 12
    LACPDUs Received
    Marker Sent
    Marker Received
    LACPDUs Unknown Pkts  : 0
    LACPDUs Illegal Pkts  : 0
    Table 82: show lacp counters - display description. Field | Description. LACPDUs Sent...
  • Page 795: Table 84: Show Lacp Neighbors - Display Description

    Link Aggregation Commands. Table 83: show lacp internal - display description (Continued). Field | Description. LACP Port Priority - LACP port priority assigned to this interface within the channel group. Admin State, Oper State - Administrative or operational values of the actor's state parameters: ◆...
  • Page 796: Table 85: Show Lacp Sysid - Display Description

    Link Aggregation Commands. Table 84: show lacp neighbors - display description (Continued). Field | Description. Port Admin Priority - Current administrative value of the port priority for the protocol partner. Port Oper Priority - Priority value assigned to this aggregation port by the partner. Admin Key - Current administrative value of the Key for the protocol partner.
  • Page 797: Port Mirroring Commands

    Port Mirroring Commands: Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 798: Show Port Monitor

    Port Mirroring Commands | Local Port Mirroring Commands. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. Command Mode: Interface Configuration (Ethernet, destination port). Command Usage: ◆ You can mirror traffic from any source port to a destination port for...
  • Page 799

    Port Mirroring Commands | Local Port Mirroring Commands. Command Usage: This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). Example: The following shows mirroring configured from port 6 to port 11:
    Console(config)#interface ethernet 1/11
    Console(config-if)#port monitor ethernet 1/6
    Console(config-if)#end...
  • Page 801: Rate Limit Commands

    Rate Limit Commands: This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 802

    Rate Limit Commands. ...500 pps limit set by the storm control command. It is therefore not advisable to use both of these commands on the same interface. Example:
    Console(config)#interface ethernet 1/1
    Console(config-if)#rate-limit input 64
    Console(config-if)#
    Related Command: show interfaces switchport (781)
  • Page 803: Address Table Commands

    Address Table Commands: These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 89: Address Table Commands. Command | Function | Mode. mac-address-table aging-time - Sets the aging time of the address table. mac-address-table - Maps a static address to a port in a VLAN...
  • Page 804: Mac-Address-Table Static

    Address Table Commands. mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax: mac-address-table static mac-address interface interface vlan vlan-id [action]; no mac-address-table static mac-address vlan vlan-id. mac-address - MAC address.
  • Page 805: Clear Mac-Address-Table Dynamic

    Address Table Commands. clear mac-address-table dynamic: This command removes any learned entries from the forwarding database. Default Setting: None. Command Mode: Privileged Exec. Example:
    Console#clear mac-address-table dynamic
    Console#
    show mac-address-table: This command shows classes of entries in the bridge-forwarding database. Syntax...
  • Page 806: Show Mac-Address-Table Aging-Time

    Address Table Commands. ...example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means "any." ◆ The maximum number of address entries is 8K. Example:
    Console#show mac-address-table
    Interface MAC Address       VLAN Type     Life Time
    --------- ----------------- ---- -------- -----------------
    Eth 1/ 1  00-E0-29-94-34-DE 1    Config...
  • Page 807: Spanning Tree Commands

    Spanning Tree Commands: This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 90: Spanning Tree Commands. Command | Function | Mode. spanning-tree - Enables the spanning tree protocol. spanning-tree forward-time - Configures the spanning tree bridge forward time. spanning-tree hello-time...
  • Page 808: Spanning-Tree

    Spanning Tree Commands. Table 90: Spanning Tree Commands (Continued). Command | Function | Mode. spanning-tree port-priority - Configures the spanning tree priority of an interface. spanning-tree root-guard - Prevents a designated port from passing superior BPDUs. spanning-tree spanning-disabled - Disables spanning tree for an interface. spanning-tree loopback- - Manually releases a port placed in discarding state by...
  • Page 809: Spanning-Tree Forward-Time

    spanning-tree forward-time: This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
    Syntax: spanning-tree forward-time seconds
    no spanning-tree forward-time
    seconds - Time in seconds. (Range: 4-30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 810: Spanning-Tree Max-Age

    Example:
    Console(config)#spanning-tree hello-time 5
    Console(config)#
    Related Commands: spanning-tree forward-time (809), spanning-tree max-age (810)
    spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
    Syntax: spanning-tree max-age seconds
    no spanning-tree max-age...
  • Page 811: Spanning-Tree Mode

    spanning-tree mode: This command selects the spanning tree mode for this switch. Use the no form to restore the default.
    Syntax: spanning-tree mode {stp | rstp | mstp}
    no spanning-tree mode
    stp - Spanning Tree Protocol (IEEE 802.1D)
    rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
    mstp - Multiple Spanning Tree (IEEE 802.1s)
    Default...
  • Page 812: Spanning-Tree Pathcost Method

    ...restarts the system in the new mode, temporarily disrupting user traffic.
    Example: The following example configures the switch to use Rapid Spanning Tree:
    Console(config)#spanning-tree mode rstp
    Console(config)#
    spanning-tree pathcost method: This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree.
  • Page 813: Spanning-Tree Priority

    spanning-tree priority: This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
    Syntax: spanning-tree priority priority
    no spanning-tree priority
    priority - Priority of the bridge. (Range: 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440)
    Default...
  • Page 814: Spanning-Tree Transmission-Limit

    Related Commands: revision (817), max-hops (814)
    spanning-tree transmission-limit: This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.
    Syntax: spanning-tree transmission-limit count
    no spanning-tree transmission-limit
    count - Maximum number of BPDUs the port may transmit per second (the IEEE 802.1w Transmit Hold Count); this is a count of BPDUs, not a number of seconds. (Range: 1-10)
    Default Setting:
    Command Mode: ...
  • Page 815: Mst Priority

    Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.
    Example:
    Console(config-mstp)#max-hops 30
    Console(config-mstp)#
    mst priority: This command configures the priority of a spanning tree instance. Use the no form to restore the default.
  • Page 816: Mst Vlan

    mst vlan: This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs; use the no form without any VLAN parameters to remove all VLANs.
    Syntax: [no] mst instance-id vlan vlan-range
    instance-id - Instance identifier of the spanning tree.
  • Page 817: Revision

    Command Mode: MST Configuration
    Command Usage: The MST region name and revision number (page 817) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can belong to only one MST region, and all bridges in the same region must be configured with the same MST instances.
  • Page 818: Spanning-Tree Bpdu-Filter

    spanning-tree bpdu-filter: This command filters all BPDUs received on an edge port. Use the no form to disable this feature.
    Syntax: [no] spanning-tree bpdu-filter
    Default Setting: Disabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage:
    ◆ This command filters all Bridge Protocol Data Units (BPDUs) received on...
  • Page 819: Spanning-Tree Cost

    Command Usage:
    ◆ An edge port should only be connected to end nodes which do not generate BPDUs. If a BPDU is received on an edge port, this indicates an invalid network configuration, or that the switch may be under attack by a hacker.
  • Page 820: Spanning-Tree Edge-Port

    Default Setting: By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost "0" is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 821: Spanning-Tree Link-Type

    ...cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying edge ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
  • Page 822: Spanning-Tree Loopback-Detection

    Example:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree link-type point-to-point
    spanning-tree loopback-detection: This command enables the detection of, and response to, Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
    Syntax: [no] spanning-tree loopback-detection
    Default Setting: Enabled...
  • Page 823: Spanning-Tree Loopback-Detection Trap

    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage:
    ◆ If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: the port receives any other BPDU except for its own, or;...
  • Page 824: Spanning-Tree Mst Cost

    spanning-tree mst cost: This command configures the path cost on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
    Syntax: spanning-tree mst instance-id cost cost
    no spanning-tree mst instance-id cost
    instance-id - Instance identifier of the spanning tree.
  • Page 825: Spanning-Tree Mst Port-Priority

    spanning-tree mst port-priority: This command configures the interface priority on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default.
    Syntax: spanning-tree mst instance-id port-priority priority
    no spanning-tree mst instance-id port-priority
    instance-id - Instance identifier of the spanning tree.
  • Page 826: Spanning-Tree Root-Guard

    Command Usage:
    ◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, the lowest value) will be configured as an active link in the spanning tree.
  • Page 827: Spanning-Tree Spanning-Disabled

    Example:
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree edge-port
    Console(config-if)#spanning-tree root-guard
    Console(config-if)#
    spanning-tree spanning-disabled: This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
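The edge-port rule on page 819 (a BPDU arriving on an edge port means a misconfiguration or an attack) and the root-guard behaviour on pages 808 and 826 (a designated port must not accept a superior BPDU) can both be checked offline by decoding the BPDU itself. The Python below is an added example, not the switch's own code: it parses an IEEE 802.1D Configuration BPDU, orders priority vectors the way IEEE 802.1D-2004 does, and applies both rules to a constructed BPDU from a rogue bridge claiming priority 0. The bridge IDs, port IDs and the "designated vector" the port is assumed to hold are invented for the example.

```python
"""Decode IEEE 802.1D Configuration BPDUs and apply the edge-port / root-guard
checks from the spanning-tree command pages.  Added example, not the switch's
own code; every frame below is constructed."""
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"          # DSAP/SSAP 0x42 + UI control field: the STP LLC header
BPDU_CONFIG, BPDU_RSTP = 0x00, 0x02


@dataclass(frozen=True)
class BridgeId:
    """Priority (multiple of 4096), 12-bit system-ID extension, 6-byte MAC."""
    priority: int
    sysid_ext: int
    mac: bytes

    @classmethod
    def from_bytes(cls, b: bytes) -> "BridgeId":
        field = struct.unpack("!H", b[:2])[0]
        return cls((field >> 12) * 4096, field & 0x0FFF, bytes(b[2:8]))

    def to_bytes(self) -> bytes:
        return struct.pack("!H", (self.priority // 4096) << 12 | self.sysid_ext) + self.mac

    def key(self) -> tuple:
        return (self.priority, self.sysid_ext, self.mac)   # lower value wins the root election

    def __str__(self) -> str:   # same notation 'show spanning-tree' uses: 32768.0.0001ECF8D8C6
        return f"{self.priority}.{self.sysid_ext}.{self.mac.hex().upper()}"


@dataclass(frozen=True)
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: float     # seconds (wire format is units of 1/256 s)
    max_age: float
    hello_time: float
    forward_delay: float

    def priority_vector(self) -> tuple:
        """802.1D-2004 17.6 ordering: root id, root path cost, sender id, sender port id."""
        return (self.root.key(), self.root_path_cost, self.bridge.key(), self.port_id)


def build_config_bpdu(root, cost, bridge, port_id, max_age=20, hello=2, fwd=15, flags=0):
    """Serialize LLC header + 35-byte Configuration BPDU (used only to construct samples)."""
    body = struct.pack("!HBBB", 0, 0, BPDU_CONFIG, flags) + root.to_bytes() + struct.pack("!I", cost)
    body += bridge.to_bytes() + struct.pack("!HHHHH", port_id, 0, max_age * 256, hello * 256, fwd * 256)
    return LLC_STP + body


def parse_config_bpdu(payload: bytes) -> ConfigBpdu:
    """payload = everything after the 802.3 length field (LLC + BPDU)."""
    if payload[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    b = payload[3:]
    if len(b) < 35:
        raise ValueError("truncated BPDU")
    proto, version, kind, flags = struct.unpack("!HBBB", b[:5])
    if proto != 0 or kind not in (BPDU_CONFIG, BPDU_RSTP):
        raise ValueError(f"unsupported protocol {proto:#x} / BPDU type {kind:#x}")
    cost, = struct.unpack("!I", b[13:17])
    port_id, age, max_age, hello, fwd = struct.unpack("!HHHHH", b[25:35])
    return ConfigBpdu(flags, BridgeId.from_bytes(b[5:13]), cost, BridgeId.from_bytes(b[17:25]),
                      port_id, age / 256, max_age / 256, hello / 256, fwd / 256)


def evaluate_received_bpdu(bpdu, designated_vector, edge_port=False, root_guard=False) -> str:
    """What the port should do, mirroring the manual's bpdu-filter / root-guard semantics.
    designated_vector is the priority vector the port currently advertises (assumed known)."""
    if edge_port:
        # edge ports must never see BPDUs: misconfiguration or a rogue bridge on an access port
        return "edge-port: unexpected BPDU, check for misconfiguration or attack"
    if bpdu.priority_vector() < designated_vector:
        if root_guard:
            return "root-guard: superior BPDU ignored, port held in discarding state"
        return "superior BPDU accepted: topology will reconverge on new root"
    return "inferior or equal BPDU: normal operation"


# Constructed scenario: this switch is root (same bridge ID as the 'show spanning-tree' page);
# a rogue device on port 1/5 claims priority 0 with a locally administered MAC.
OUR_BRIDGE = BridgeId(32768, 0, bytes.fromhex("0001ECF8D8C6"))
ROGUE = BridgeId(0, 0, bytes.fromhex("020000000001"))
DESIGNATED = (OUR_BRIDGE.key(), 0, OUR_BRIDGE.key(), 0x8005)   # we are root, cost 0, port 5 prio 128

rogue_frame = build_config_bpdu(root=ROGUE, cost=0, bridge=ROGUE, port_id=0x8001)
rogue_bpdu = parse_config_bpdu(rogue_frame)

if __name__ == "__main__":
    print("received root", rogue_bpdu.root, "from", rogue_bpdu.bridge)
    print("plain port :", evaluate_received_bpdu(rogue_bpdu, DESIGNATED))
    print("root-guard :", evaluate_received_bpdu(rogue_bpdu, DESIGNATED, root_guard=True))
    print("edge-port  :", evaluate_received_bpdu(rogue_bpdu, DESIGNATED, edge_port=True))
```

Without root guard the rogue vector (0.0.020000000001, cost 0) sorts below the switch's own and would be accepted, which is exactly the takeover that spanning-tree root-guard on user-facing ports prevents; with spanning-tree edge-port the same frame is reported as an anomaly before any comparison is made.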
  • Page 828: Spanning-Tree Protocol-Migration

    Example:
    Console#spanning-tree loopback-detection release ethernet 1/1
    Console#
    spanning-tree protocol-migration: This command re-checks the appropriate BPDU format to send on the selected interface.
    Syntax: spanning-tree protocol-migration interface
    interface: ethernet unit/port
    unit - Stack unit. (Range: 1)
    port - Port number.
  • Page 829: Show Spanning-Tree

    show spanning-tree: This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST).
    Syntax: show spanning-tree [interface | mst instance-id]
    interface: ethernet unit/port
    unit - Stack unit. (Range: 1)
    port - Port number.
  • Page 830: Show Spanning-Tree Mst Configuration

    Root Forward Delay (sec.)        : 15
    Max. Hops                        : 20
    Remaining Hops                   : 20
    Designated Root                  : 32768.0.0001ECF8D8C6
    Current Root Port                : 21
    Current Root Cost                : 100000
    Number of Topology Changes
    Last Topology Change Time (sec.) : 11409
    Transmission Limit
    Path Cost Method                 : Long...
  • Page 831: Vlan Commands

    VLAN Commands
    A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 832: Gvrp And Bridge Extension Commands

    GVRP and Bridge Extension Commands
    GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 833: Garp Timer

    garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.
    Syntax: garp timer {join | leave | leaveall} timer-value
    no garp timer {join | leave | leaveall}
    {join | leave | leaveall} - Timer to set.
  • Page 834: Switchport Forbidden Vlan

    switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
    Syntax: switchport forbidden vlan {add vlan-list | remove vlan-list}
    no switchport forbidden vlan
    add vlan-list - List of VLAN identifiers to add.
  • Page 835: Show Bridge-Ext

    Example:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport gvrp
    Console(config-if)#
    show bridge-ext: This command shows the configuration for bridge extension commands.
    Default Setting: None
    Command Mode: Privileged Exec
    Command Usage: See "Displaying Bridge Extension Capabilities" on page 105 for a description of the displayed items.
  • Page 836: Show Gvrp Configuration

    Editing VLAN Groups
    Example:
    Console#show garp timer ethernet 1/1
    Eth 1/ 1 GARP Timer Status:
     Join Timer      : 20 centiseconds
     Leave Timer     : 60 centiseconds
     Leave All Timer : 1000 centiseconds
    Console#
    Related Commands: garp timer (833)
    show gvrp configuration: This command shows if GVRP is enabled.
  • Page 837: Vlan Database

    vlan database: This command enters VLAN database mode. All commands in this mode will take effect immediately.
    Default Setting: None
    Command Mode: Global Configuration
    Command Usage:
    ◆ Use the VLAN database command mode to add, change, and delete...
  • Page 838: Configuring Vlan Interfaces

    Configuring VLAN Interfaces
    Default Setting: By default only VLAN 1 exists and is active.
    Command Mode: VLAN Database Configuration
    Command Usage:
    ◆ no vlan vlan-id deletes the VLAN.
    ◆ no vlan vlan-id name removes the VLAN name.
    ◆ no vlan vlan-id state returns the VLAN to the default state...
  • Page 839: Interface Vlan

    interface vlan: This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Use the no form to change a Layer 3 normal VLAN back to a Layer 2 interface.
    Syntax: [no] interface vlan vlan-id
    vlan-id - ID of the configured VLAN.
  • Page 840: Switchport Allowed Vlan

    Default Setting: All frame types
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
    Example: The following example shows how to restrict the traffic received on port 1 to tagged frames:
    Console(config)#interface ethernet 1/1...
  • Page 841: Switchport Ingress-Filtering

    ◆ Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
    ◆ If none of the intermediate network devices nor the host at the other...
  • Page 842: Switchport Mode

    Example: The following example shows how to set the interface to port 1 and then enable ingress filtering:
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport ingress-filtering
    Console(config-if)#
    switchport mode: This command configures the VLAN membership mode for a port. Use the no form to restore the default.
  • Page 843: Switchport Native Vlan

    switchport native vlan: This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
    Syntax: switchport native vlan vlan-id
    no switchport native vlan
    vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes)
    Default Setting...
  • Page 844

    Command Usage:
    ◆ Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong. The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
  • Page 845: Displaying Vlan Information

    Console(config-if)#vlan-trunking
    Console(config-if)#
    Displaying VLAN Information
    This section describes commands used to display VLAN information.
    Table 97: Commands for Displaying VLAN Information
    Command | Function | Mode
    show interfaces status vlan | Displays status for the specified VLAN interface | NE, PE
    show interfaces...
  • Page 846: Configuring Ieee 802.1Q Tunneling

    Configuring IEEE 802.1Q Tunneling
    IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider's network even when they use the same customer-specific VLAN IDs.
  • Page 847: Dot1Q-Tunnel System-Tunnel-Control

    Limitations for QinQ
    ◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
    ◆ IGMP Snooping should not be enabled on a tunnel access port.
  • Page 848: Switchport Dot1Q-Tunnel Tpid

    Default Setting: Disabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage:
    ◆ QinQ tunneling must be enabled on the switch using the dot1q-tunnel system-tunnel-control command before the switchport dot1q-tunnel mode interface command can take effect.
    ◆ ...
  • Page 849: Show Dot1Q-Tunnel

    Command Usage:
    ◆ Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
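The TPID interoperability point above is easiest to see on the wire. The Python below is an added example, not the switch's own code: it builds a customer frame, pushes a service tag the way a dot1q-tunnel access port does, and then decodes the tag stack twice, once as a provider switch that recognises 0x88A8 would, and once as a switch that only knows 0x8100. The MAC addresses, VLAN IDs and payload are constructed for the example.

```python
"""Build and decode IEEE 802.1Q / QinQ tag stacks with configurable TPIDs.
Added example, not the switch's own code; the frames below are constructed."""
import struct

TPID_DOT1Q = 0x8100        # customer tag (C-TAG), the standard 802.1Q ethertype
TPID_QINQ = 0x88A8         # IEEE 802.1ad service tag (S-TAG)
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """tags: list of (tpid, pcp, dei, vid), outermost first."""
    hdr = dst + src
    for tpid, pcp, dei, vid in tags:
        tci = (pcp & 7) << 13 | (dei & 1) << 12 | (vid & 0xFFF)
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes, recognised_tpids=frozenset({TPID_DOT1Q})):
    """Walk the tag stack after the MAC addresses. A TPID the receiver does not recognise
    ends the walk: the rest of the frame is then treated as untagged with that 'ethertype'.
    Returns (tags, ethertype, payload_offset)."""
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        tpid, = struct.unpack("!H", frame[off:off + 2])
        if tpid not in recognised_tpids:
            return tags, tpid, off + 2
        tci, = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
        off += 4


def tunnel_access_ingress(frame: bytes, spvlan: int, uplink_tpid: int = TPID_QINQ, pcp: int = 0) -> bytes:
    """Emulate a dot1q-tunnel access port: push the service tag in front of whatever the
    customer sent, leaving any customer tags untouched (that is how customer VIDs survive)."""
    tci = (pcp & 7) << 13 | (spvlan & 0xFFF)
    return frame[:12] + struct.pack("!HH", uplink_tpid, tci) + frame[12:]


def tunnel_access_egress(frame: bytes, uplink_tpid: int = TPID_QINQ) -> bytes:
    """Pop exactly one service tag when forwarding back toward the customer."""
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid != uplink_tpid:
        raise ValueError(f"outer TPID {tpid:#06x} is not the service tag {uplink_tpid:#06x}")
    return frame[:12] + frame[16:]


# Constructed sample: customer frame tagged VLAN 100 (PCP 3), carried in SPVLAN 2000
CUSTOMER = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000002"),
                       [(TPID_DOT1Q, 3, 0, 100)], ETH_IPV4, b"\x45" + b"\x00" * 19)
TUNNELLED = tunnel_access_ingress(CUSTOMER, spvlan=2000)


def provider_view():
    """A provider switch whose uplink TPID is 0x88A8 sees both tags."""
    return parse_tags(TUNNELLED, frozenset({TPID_DOT1Q, TPID_QINQ}))


def legacy_view():
    """A switch that only knows 0x8100 sees no tag at all and an unknown ethertype 0x88A8;
    this is the mismatch 'switchport dot1q-tunnel tpid' exists to fix."""
    return parse_tags(TUNNELLED)


if __name__ == "__main__":
    print("provider:", provider_view())
    print("legacy  :", legacy_view())
    print("egress round-trips:", tunnel_access_egress(TUNNELLED) == CUSTOMER)
```

The legacy view is the failure mode to watch for: a switch that does not recognise the outer TPID classifies the frame as untagged, so it lands in that port's native VLAN with the service tag still inside the payload, which defeats the customer separation QinQ is meant to provide.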
  • Page 850: Configuring Port-Based Traffic Segmentation

    Configuring Port-based Traffic Segmentation
    If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 851: Show Traffic-Segmentation

    ◆ Enter no traffic-segmentation to disable traffic segmentation and clear the configuration settings for segmented groups.
    Example: This example enables traffic segmentation, and then sets port 12 as the uplink and ports 5-8 as downlinks.
    Console(config)#traffic-segmentation
    Console(config)#traffic-segmentation uplink ethernet 1/12 downlink ethernet 1/5-8...
  • Page 852: Table 100: Private Vlan Commands

    Configuring Private VLANs
    Table 100: Private VLAN Commands
    Command | Function | Mode
    Edit Private VLAN Groups
    private-vlan | Adds or deletes primary or community VLANs
    private vlan association | Associates a community VLAN with a primary VLAN
    Configure Private VLAN Interfaces
    switchport mode private-vlan | Sets an interface to host mode or promiscuous mode...
  • Page 853: Private-Vlan

    private-vlan: Use this command to create a primary or community private VLAN. Use the no form to remove the specified private VLAN.
    Syntax: private-vlan vlan-id {community | primary}
    no private-vlan vlan-id
    vlan-id - ID of private VLAN. (Range: 1-4093, no leading zeroes)
    community - A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN.
  • Page 854: Private Vlan Association

    private vlan association: Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.
    Syntax: private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id}
    no private-vlan primary-vlan-id association
    primary-vlan-id - ID of primary VLAN.
  • Page 855: Switchport Private-Vlan Host-Association

    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage: To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command.
  • Page 856: Switchport Private-Vlan Mapping

    switchport private-vlan mapping: Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping.
    Syntax: switchport private-vlan mapping primary-vlan-id
    no switchport private-vlan mapping
    primary-vlan-id - ID of primary VLAN. (Range: 1-4093, no leading zeroes)
  • Page 857: Configuring Protocol-Based Vlans

    Example:
    Console#show vlan private-vlan
    Primary  Secondary  Type       Interfaces
    -------- ---------- ---------- ------------------------------
                        primary    Eth1/ 3
                        community  Eth1/ 4 Eth1/ 5
    Console#
    Configuring Protocol-based VLANs
    The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
  • Page 858: Protocol-Vlan Protocol-Group (Configuring Groups)

    protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
    Syntax: protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
    no protocol-vlan protocol-group group-id
    group-id - Group identifier of this protocol group.
  • Page 859: Show Protocol-Vlan Protocol-Group

    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage:
    ◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 860: Show Interfaces Protocol-Vlan Protocol-Group

    Example: This shows protocol group 1 configured for IP over Ethernet:
    Console#show protocol-vlan protocol-group
    Protocol Group ID  Frame Type     Protocol Type
    ------------------ -------------- ---------------
                       ethernet       08 00
    Console#
    show interfaces protocol-vlan protocol-group: This command shows the mapping from protocol groups to VLANs for the selected interfaces.
  • Page 861: Configuring Ip Subnet Vlans

    Configuring IP Subnet VLANs
    When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
  • Page 862: Show Subnet-Vlan

    ...mapping is found, the PVID of the receiving port is assigned to the frame.
    ◆ The IP subnet cannot be a broadcast or multicast IP address.
    ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are...
  • Page 863: Configuring Mac Based Vlans

    Configuring MAC Based VLANs
    When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
  • Page 864: Show Mac-Vlan

    ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
    Example: The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
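The precedence stated above (MAC-based, then IP subnet-based, then protocol-based, then the port PVID) decides which VLAN an untagged frame lands in. The Python below is an added example, not the switch's own code: it models one port's tables and classifies a few constructed untagged frames in that order. The tables, addresses and the use of longest-prefix matching when several configured subnets overlap are assumptions made for the example; the manual does not say how overlapping subnets are resolved.

```python
"""Classify untagged ingress frames into a VLAN using the precedence the manual states:
MAC-based, then IP subnet-based, then protocol-based, then the port PVID.
Added example, not the switch's own code; tables and frames are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD


@dataclass(frozen=True)
class UntaggedFrame:
    src_mac: str                  # "00-00-00-11-22-33", the notation the CLI uses
    ethertype: int
    src_ip: Optional[str] = None  # only meaningful for IPv4 payloads


@dataclass
class PortClassifier:
    pvid: int
    mac_vlan: dict          # src MAC -> VLAN            (mac-vlan table)
    subnet_vlan: list       # [(ip_network, VLAN)]        (subnet-vlan table)
    protocol_groups: dict   # (frame_type, ethertype) -> group-id
    port_group_vlan: dict   # group-id -> VLAN on this port (protocol-vlan protocol-group ... vlan)

    def classify(self, f: UntaggedFrame) -> tuple:
        """Return (vlan, rule). Longest-prefix match for overlapping subnets is an assumption."""
        if f.src_mac.upper() in self.mac_vlan:
            return self.mac_vlan[f.src_mac.upper()], "mac-vlan"
        if f.ethertype == ETH_IPV4 and f.src_ip is not None:
            ip = ipaddress.ip_address(f.src_ip)
            hits = [(net.prefixlen, vid) for net, vid in self.subnet_vlan if ip in net]
            if hits:
                return max(hits)[1], "subnet-vlan"
        group = self.protocol_groups.get(("ethernet", f.ethertype))
        if group is not None and group in self.port_group_vlan:
            return self.port_group_vlan[group], "protocol-vlan"
        return self.pvid, "pvid"


# Constructed configuration for one port with PVID 1
PORT = PortClassifier(
    pvid=1,
    mac_vlan={"00-00-00-11-22-33": 10},                      # the manual's own example entry
    subnet_vlan=[(ipaddress.ip_network("10.1.0.0/16"), 20),
                 (ipaddress.ip_network("10.1.5.0/24"), 25)],
    protocol_groups={("ethernet", ETH_IPV4): 1, ("ethernet", ETH_ARP): 1},  # group 1 = IP over Ethernet
    port_group_vlan={1: 30},
)

SAMPLES = [
    UntaggedFrame("00-00-00-11-22-33", ETH_IPV4, "10.1.5.9"),   # MAC rule wins over subnet rule
    UntaggedFrame("00-00-00-44-55-66", ETH_IPV4, "10.1.5.9"),   # longest matching subnet
    UntaggedFrame("00-00-00-44-55-66", ETH_IPV4, "10.1.9.9"),   # only the /16 matches
    UntaggedFrame("00-00-00-44-55-66", ETH_IPV4, "192.0.2.7"),  # no subnet -> protocol group
    UntaggedFrame("00-00-00-44-55-66", ETH_ARP),                 # ARP is in group 1 too
    UntaggedFrame("00-00-00-44-55-66", ETH_IPV6),                # nothing matches -> PVID
]


def classify_all(port: PortClassifier = PORT, frames=SAMPLES) -> list:
    return [port.classify(f) for f in frames]


if __name__ == "__main__":
    for f, (vid, rule) in zip(SAMPLES, classify_all()):
        print(f"{f.src_mac} {f.ethertype:#06x} {(f.src_ip or '-'):<10} -> VLAN {vid:<3} ({rule})")
```

All three keys consulted before the PVID (source MAC, source IP, ethertype) are fields the sending host chooses, so these classifiers sort traffic for convenience; they do not authenticate the host and should not be relied on to keep an untrusted device out of a VLAN.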
  • Page 865: Voice Vlan

    Configuring Voice VLANs
    Table 104: Voice VLAN Commands (Continued)
    Command | Function | Mode
    switchport voice vlan rule | Sets the automatic VoIP traffic detection method for ports
    switchport voice vlan security | Enables Voice VLAN security on ports
    show voice vlan | Displays Voice VLAN settings
    voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN...
  • Page 866: Voice Vlan Aging

    voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default.
    Syntax: voice vlan aging minutes
    no voice vlan
    minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
    Default Setting...
  • Page 867: Switchport Voice Vlan

    Command Usage:
    ◆ VoIP devices attached to the switch can be identified by the manufacturer's Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP. Note that the OUI is read from the source MAC address, which any attached host can set to an arbitrary value, so OUI matching identifies a phone by convention only and does not authenticate it.
  • Page 868: Switchport Voice Vlan Priority

    Example: The following example sets port 1 to Voice VLAN auto mode.
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport voice vlan auto
    Console(config-if)#
    switchport voice vlan priority: This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
  • Page 869: Switchport Voice Vlan Security

    Default Setting: OUI: Enabled; LLDP: Disabled
    Command Mode: Interface Configuration
    Command Usage:
    ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command).
  • Page 870: Show Voice Vlan

    Example: The following example enables security filtering on port 1.
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport voice vlan security
    Console(config-if)#
    show voice vlan: This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
  • Page 871: Class Of Service Commands

    Class of Service Commands
    The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 872: Queue Cos-Map

    Priority Commands (Layer 2)
    queue cos-map: This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0-7). Use the no form to set the CoS map to the default values.
  • Page 873: Queue Mode

    Related Commands: show queue cos-map (876)
    queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
  • Page 874: Queue Weight

    ◆ A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
  • Page 875: Switchport Priority Default

    Example: The following example shows how to assign round-robin weights of 1-8 to the CoS priority queues 0-7.
    Console(config)#interface ethernet 1/1
    Console(config-if)#queue weight 1 2 3 4 5 6 7 8
    Console(config-if)#
    Related Commands: ...
  • Page 876: Show Queue Cos-Map

    Example: The following example shows how to set the default priority on port 3 to 5:
    Console(config)#interface ethernet 1/3
    Console(config-if)#switchport priority default 5
    Console(config-if)#
    Related Commands: show interfaces switchport (781)
    show queue cos-map: This command shows the class of service priority map.
  • Page 877: Show Queue Weight

    Command Mode: Privileged Exec
    Example:
    Console#show queue mode ethernet 1/1
    Unit Port queue mode
    ---- ---- ---------------
              Weighted Round Robin
    Console#
    show queue weight: This command displays the weights used for the weighted queues.
    Syntax: show queue weight interface...
  • Page 878: Priority Commands (Layer 3 And 4)

    Priority Commands (Layer 3 and 4)
    This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
    Table 108: Priority Commands (Layer 3 and 4)
    Command | Function | Mode...
  • Page 879: Map Ip Port (Global Configuration)

    map ip port (Global Configuration): This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping.
    Syntax: [no] map ip port
    Default...
  • Page 880: Map Ip Dscp (Interface Configuration)

    Example: The following example shows how to enable IP precedence mapping globally:
    Console(config)#map ip precedence
    Console(config)#
    map ip dscp (Interface Configuration): This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority).
  • Page 881: Map Ip Port (Interface Configuration)

    Example: The following example shows how to map IP DSCP value 1 to CoS value 0:
    Console(config)#interface ethernet 1/5
    Console(config-if)#map ip dscp 1 cos 0
    Console(config-if)#
    map ip port (Interface Configuration): This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.
  • Page 882: Map Ip Precedence (Interface Configuration)

    map ip precedence (Interface Configuration): This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.
    Syntax: map ip precedence ip-precedence-value cos cos-value
    no map ip precedence
    ip-precedence-value - 3-bit precedence value.
  • Page 883: Show Map Ip Dscp

    show map ip dscp: This command shows the IP DSCP priority map.
    Syntax: show map ip dscp [interface]
    interface: ethernet unit/port
    unit - Stack unit. (Range: 1)
    port - Port number. (Range: 1-24)
    port-channel channel-id (Range: 1-32)
    Default Setting...
  • Page 884: Show Map Ip Precedence

    Example: The following shows that HTTP traffic has been mapped to CoS value 0:
    Console#show map ip port
    TCP port mapping status: disabled
    Port      IP Port  CoS
    --------- -------- ---
    Eth 1/ 5
    Console#
    show map ip precedence: This command shows the IP precedence priority map.
  • Page 885: Quality Of Service Commands

    Quality of Service Commands
    The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 886: Class-Map

    To create a service policy for a specific category of ingress traffic, follow these steps:
    1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
    2. Use the match command to select a specific type of traffic based on an...
  • Page 887: Description

    ◆ One or more class maps can be assigned to a policy map (page 889). The policy map is then bound by a service policy to an interface (page 899). A service policy defines packet classification, service tagging, and bandwidth policing.
  • Page 888: Match

    match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
    Syntax: [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan}
    acl-name - Name of the access control list.
  • Page 889: Rename

    This example creates a class map called "rd-class#2," and sets it to match packets marked for IP Precedence service value 5.
    Console(config)#class-map rd-class#2 match-any
    Console(config-cmap)#match ip precedence 5
    Console(config-cmap)#
    This example creates a class map called "rd-class#3," and sets it to match packets marked for VLAN 1.
  • Page 890: Class

    Command Usage:
    ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
    ◆ A policy map can contain multiple class statements that can be applied...
  • Page 891: Police Flow

    | Quality of Service Commands HAPTER set cos command sets the class of service value in matching ■ packets. (This modifies packet priority in the VLAN tag.) police commands define parameters such as the maximum ■ throughput, burst rate, and response to non-conforming traffic. Up to 16 classes can be included in a policy map.
  • Page 892 | Quality of Service Commands HAPTER EFAULT ETTING None OMMAND Policy Map Class Configuration OMMAND SAGE You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆ The committed-rate cannot exceed the configured interface speed, and ◆ the committed-burst cannot exceed 16 Mbytes.
  • Page 893: Police Srtcm-Color

    | Quality of Service Commands HAPTER This command defines an enforcer for classified traffic based on a single police srtcm-color rate three color meter (srTCM). Use the no form to remove a policer. YNTAX [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate action {drop | new-dscp}...
  • Page 894 | Quality of Service Commands HAPTER The srTCM as defined in RFC 2697 meters a traffic stream and ◆ processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE). The PHB label is composed of five bits, three bits for per-hop behavior, ◆...
  • Page 895: Police Trtcm-Color

    | Quality of Service Commands HAPTER XAMPLE This example creates a policy called "rd-policy," uses the class command to specify the previously defined "rd-class," uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst...
  • Page 896 | Quality of Service Commands HAPTER violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.) transmit - Transmits without taking any action. drop - Drops packet as required by exceed-action or violate-action.
  • Page 897: Set Cos

    When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:
    ■ If Tp(t)-B < 0, the packet is red, else
    ■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
    ■...
  • Page 898: Set Phb

    COMMAND USAGE
    ◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
    ◆ The set cos and set phb commands function at the same level of...
  • Page 899: Service-Policy

    EXAMPLE
    This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 900: Show Class-Map

    show class-map
    This command displays the QoS class maps which define matching criteria used for classifying traffic.
    SYNTAX
    show class-map [class-map-name]
    class-map-name - Name of the class map. (Range: 1-32 characters)
    DEFAULT SETTING
    Displays all class maps.
    COMMAND MODE
    Privileged Exec
    EXAMPLE...
  • Page 901: Show Policy-Map Interface

     Description:
      class rd-class
       set phb 3
    Console#show policy-map rd-policy class rd-class
     Policy Map rd-policy
      class rd-class
       set phb 3
    Console#
    show policy-map interface
    This command displays the service policy assigned to the specified interface.
    SYNTAX
    show policy-map interface interface input
    interface...
  • Page 903: Multicast Filtering Commands

    MULTICAST FILTERING COMMANDS
    This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 904: Igmp Snooping

    CHAPTER | Multicast Filtering Commands | IGMP Snooping
    IGMP SNOOPING
    This section describes commands used to configure IGMP snooping on the switch.
    Table 113: IGMP Snooping Commands
    Command                            Function                                     Mode
    ip igmp snooping                   Enables IGMP snooping
    ip igmp snooping proxy-reporting   Enables IGMP Snooping with Proxy Reporting
    ip igmp snooping querier...
  • Page 905: Ip Igmp Snooping

    Table 113: IGMP Snooping Commands (Continued)
    Command                                  Function                                                                             Mode
    ip igmp snooping vlan version            Configures the IGMP version for snooping
    ip igmp snooping vlan version-exclusive  Discards received IGMP messages which use a version different from that currently configured
    show ip igmp snooping                    Shows the IGMP snooping, proxy, and query...
  • Page 906: Ip Igmp Snooping Proxy-Reporting

    ip igmp snooping proxy-reporting
    This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
    SYNTAX
    [no] ip igmp snooping proxy-reporting
    ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
    no ip igmp snooping vlan vlan-id proxy-reporting
    vlan-id - VLAN ID (Range: 1-4093)
    enable - Enable on the specified VLAN.
  • Page 907: Ip Igmp Snooping Router-Alert-Option-Check

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ IGMP snooping querier is not supported for IGMPv3 snooping (see igmp snooping version).
    ◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
  • Page 908: Ip Igmp Snooping Router-Port-Expire-Time

    ip igmp snooping router-port-expire-time
    This command configures the querier timeout. Use the no form to restore the default.
    SYNTAX
    ip igmp snooping router-port-expire-time seconds
    no ip igmp snooping router-port-expire-time
    seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
  • Page 909: Ip Igmp Snooping Tcn-Query-Solicit

    ◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels.
    ◆ When a new uplink port starts up, the switch sends unsolicited reports...
  • Page 910: Ip Igmp Snooping Unregistered-Data-Flood

    tree change occurred. When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.
    ◆ The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever it notices a topology change, even if the switch is not the root bridge in the spanning tree.
  • Page 911: Ip Igmp Snooping Unsolicited-Report-Interval

    ip igmp snooping unsolicited-report-interval
    This command specifies how often the upstream interface should transmit unsolicited IGMP reports when report suppression/proxy reporting is enabled. Use the no form to restore the default value.
    SYNTAX
    ip igmp snooping unsolicited-report-interval seconds
    no ip igmp snooping version-exclusive...
  • Page 912: Ip Igmp Snooping Version-Exclusive

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
  • Page 913: Ip Igmp Snooping Vlan General-Query-Suppression

    ip igmp snooping vlan general-query-suppression
    This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
    SYNTAX
    [no] ip igmp snooping vlan vlan-id general-query-suppression...
  • Page 914: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    (The timeout for this release is currently defined by ip igmp snooping vlan last-memb-query-intvl ip igmp robustval.
    ◆ If immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
  • Page 915: Ip Igmp Snooping Vlan Last-Memb-Query-Intvl

    ip igmp snooping vlan last-memb-query-intvl
    This command configures the last-member-query interval. Use the no form to restore the default.
    SYNTAX
    ip igmp snooping vlan vlan-id last-memb-query-intvl interval
    no ip igmp snooping vlan vlan-id last-memb-query-intvl
    vlan-id - VLAN ID (Range: 1-4093)
    interval - The interval to wait for a response to a group-specific or group-and-source-specific query message.
  • Page 916: Ip Igmp Snooping Vlan Proxy-Address

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    ◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
  • Page 917: Ip Igmp Snooping Vlan Query-Interval

    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 918: Ip Igmp Snooping Vlan Query-Resp-Intvl

    ◆ This command applies when the switch is serving as the querier (page 906), or as a proxy host when IGMP snooping proxy reporting is enabled (page 906).
    EXAMPLE
    Console(config)#ip igmp snooping vlan 1 query-interval 150
    Console(config)#
    ip igmp snooping vlan query-resp-intvl
    This command configures the maximum time the system waits for a...
  • Page 919: Ip Igmp Snooping Vlan Static

    ip igmp snooping vlan static
    This command adds a port to a multicast group. Use the no form to remove the port.
    SYNTAX
    [no] ip igmp snooping vlan vlan-id static ip-address interface
    vlan-id - VLAN ID (Range: 1-4093)
    ip-address - IP address for multicast group
    interface
      ethernet unit/port...
  • Page 920: Show Ip Igmp Snooping Group

    EXAMPLE
    The following shows the current IGMP snooping configuration:
    Console#show ip igmp snooping
     IGMP snooping             : Enabled
     Router port expire time   : 300 s
     Router alert check        : Disabled
     Tcn flood                 : Disabled
     Tcn query solicit         : Disabled
     Unregistered data flood...
  • Page 921: Show Mac-Address-Table Multicast

    COMMAND USAGE
    Member types displayed include IGMP or USER, depending on selected options.
    EXAMPLE
    The following shows the multicast entries learned through IGMP snooping for VLAN 1.
    Console#show ip igmp snooping group vlan 1
    VLAN  Group  Source...
  • Page 922: Static Multicast Routing

    STATIC MULTICAST ROUTING
    This section describes commands used to configure static multicast routing on the switch.
    Table 114: Static Multicast Interface Commands
    Command                        Function                       Mode
    ip igmp snooping vlan mrouter  Adds a multicast router port
    show ip igmp snooping          Shows multicast router ports...
  • Page 923: Show Ip Igmp Snooping Mrouter

    show ip igmp snooping mrouter
    This command displays information on statically configured and dynamically learned multicast router ports.
    SYNTAX
    show ip igmp snooping mrouter [vlan vlan-id]
    vlan-id - VLAN ID (Range: 1-4093)
    DEFAULT SETTING
    Displays multicast router ports for all configured VLANs.
  • Page 924: Ip Igmp Filter (Global Configuration)

    Table 115: IGMP Filtering and Throttling Commands (Continued)
    Command                    Function                                           Mode
    ip igmp max-groups action  Sets the IGMP throttling action for an interface
    show ip igmp filter        Displays the IGMP filtering status
    show ip igmp profile       Displays IGMP profiles and settings
    show ip igmp throttle...
  • Page 925: Ip Igmp Profile

    ip igmp profile
    This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.
    SYNTAX
    [no] ip igmp profile profile-number
    profile-number - An IGMP filter profile number.
  • Page 926: Range

    EXAMPLE
    Console(config)#ip igmp profile 19
    Console(config-igmp-profile)#permit
    Console(config-igmp-profile)#
    range
    This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
    SYNTAX
    [no] range low-ip-address [high-ip-address]
    low-ip-address - A valid IP address of a multicast group or start of a group range.
  • Page 927: Ip Igmp Max-Groups

    COMMAND USAGE
    ◆ The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface.
    ◆ Only one profile can be assigned to an interface.
    ◆...
  • Page 928: Ip Igmp Max-Groups Action

    ip igmp max-groups action
    This command sets the IGMP throttling action for an interface on the switch.
    SYNTAX
    ip igmp max-groups action {replace | deny}
    replace - The new multicast group replaces an existing group.
    deny - The new multicast group join report is dropped.
  • Page 929: Show Ip Igmp Profile

    EXAMPLE
    Console#show ip igmp filter
    IGMP filter enabled
    Console#show ip igmp filter interface ethernet 1/1
    Ethernet 1/1 information
    ---------------------------------
     IGMP Profile 19
       Deny
       range 239.1.1.1 239.1.1.1
       range 239.2.3.1 239.2.3.100
    Console#
    show ip igmp profile
    This command displays IGMP filtering profiles created on the switch.
    SYNTAX
    show ip igmp profile [profile-number]...
  • Page 930: Multicast Vlan Registration

    DEFAULT SETTING
    None
    COMMAND MODE
    Privileged Exec
    COMMAND USAGE
    Using this command without specifying an interface displays all interfaces.
    EXAMPLE
    Console#show ip igmp throttle interface ethernet 1/1
    1/1 Information
     Status                   : TRUE
     Action                   : Deny
     Max Multicast Groups     : 32
     Current Multicast Groups : 0
    Console#...
  • Page 931: Mvr

    This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 932: Mvr Immediate-Leave

    ◆ IGMP snooping and MVR share a maximum number of 255 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated VLAN.
    EXAMPLE
    The following example enables MVR globally, and configures a range of MVR group addresses:
    Console(config)#mvr...
  • Page 933: Mvr Type

    mvr type
    This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings.
    SYNTAX
    [no] mvr type {receiver | source}
    receiver - Configures the interface as a subscriber port that can receive multicast data.
  • Page 934: Mvr Vlan Group

    mvr vlan group
    This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
    SYNTAX
    [no] mvr vlan vlan-id group ip-address
    vlan-id - Receiver VLAN to which the specified multicast traffic is...
  • Page 935: Show Mvr

    show mvr
    This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
  • Page 936: Table 118: Show Mvr Interface - Display Description

    Table 117: show mvr - display description (Continued)
    Field              Description
    MVR Group Address  A multicast service sent to all attached subscribers
    MVR Group Count    The number of contiguous MVR group addresses.
    The following displays information about the interfaces attached to the MVR VLAN:
    Console#show mvr interface
    Port...
  • Page 937: Igmp (Layer 3)

    Table 119: show mvr members - display description (Continued)
    Field           Description
    Source Address  Indicates the source address of the multicast service, or displays an asterisk if the group address has been statically assigned.
    VLAN            Indicates the MVR VLAN receiving the multicast service.
  • Page 938: Ip Igmp Last-Member-Query-Interval

    COMMAND USAGE
    ◆ IGMP (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ip igmp command.
    ◆ When a multicast routing protocol, such as PIM - Dense Mode, is...
  • Page 939: Ip Igmp Max-Resp-Interval

    COMMAND USAGE
    When the switch receives an IGMPv2 or IGMPv3 leave message from a host that wants to leave a multicast group, source or channel, it sends a number of group-specific or group-source-specific query messages at intervals defined by this command.
  • Page 940: Ip Igmp Query-Interval

    RELATED COMMANDS
    ip igmp version (943)
    ip igmp query-interval (940)
    ip igmp query-interval
    This command configures the frequency at which host query messages are sent. Use the no form to restore the default.
    SYNTAX
    ip igmp query-interval seconds...
  • Page 941: Ip Igmp Robustval

    ip igmp robustval
    This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.
    SYNTAX
    ip igmp robustval robust-value
    no ip igmp robustval
    robust-value - The robustness of this interface.
  • Page 942

    DEFAULT SETTING
    None
    COMMAND MODE
    Interface Configuration (VLAN)
    COMMAND USAGE
    ◆ Group addresses within the entire multicast group address range can be specified with this command. However, if any address within the source-specific multicast (SSM) address range (default 232/8) is specified, but no source address is included in the command, the request to join the multicast group will fail unless the next node up the reverse path tree has statically mapped this group to a specific source...
  • Page 943: Ip Igmp Version

    ip igmp version
    This command configures the IGMP version used on an interface. Use the no form of this command to restore the default.
    SYNTAX
    ip igmp version {1 | 2 | 3}
    no ip igmp version
    1 - IGMP Version 1
    2 - IGMP Version 2...
  • Page 944: Show Ip Igmp Groups

    COMMAND MODE
    Privileged Exec
    COMMAND USAGE
    Enter the address for a multicast group to delete all entries for the specified group. Enter the interface option to delete all multicast groups for the specified interface. Enter no options to clear all multicast groups from the cache.
  • Page 945: Table 121: Show Ip Igmp Groups - Display Description

    Console#show ip igmp groups interface vlan 1
    GroupAddress     VLAN   LastReporter     Uptime   Expire   V1 Timer
    ---------------  ------ ---------------  -------- -------- --------
    224.0.17.17             192.168.1.10     0:0:1    0:4:19   0:0:0
    Console#
    Table 121: show ip igmp groups - display description
    Field  Description
           IP multicast group address with subscribers directly attached or...
  • Page 946: Show Ip Igmp Interface

    Table 122: show ip igmp groups detail - display description
    Field       Description
    Group mode  In INCLUDE mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
  • Page 947: Igmp Proxy Routing

     Querier        : 0.0.0.0
     Joined Groups  :
     Static Groups  :
    Console#
    IGMP PROXY ROUTING
    This section describes commands used to configure IGMP Proxy Routing on the switch.
    Table 123: IGMP Proxy Commands
    Command  Function  Mode...
  • Page 948: Ip Igmp Proxy Unsolicited-Report-Interval

    COMMAND USAGE
    ◆ When IGMP proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of IGMP by sending IGMP membership reports, and automatically disables IGMP router functions.
  • Page 949

    DEFAULT SETTING
    400 seconds
    COMMAND MODE
    Interface Configuration (VLAN)
    EXAMPLE
    The following example sets the interval for sending unsolicited IGMP reports to 5 seconds.
    Console(config)#interface vlan
    Console(config-if)#ip igmp proxy unsolicited-report-interval 5
    Console(config)#
  • Page 951: Lldp Commands

    LLDP COMMANDS
    Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 952: Lldp

    CHAPTER | LLDP Commands
    Table 124: LLDP Commands (Continued)
    Command                 Function                                                                               Mode
    lldp dot3-tlv link-agg  Configures an LLDP-enabled port to advertise its link aggregation capabilities
    lldp dot3-tlv mac-phy   Configures an LLDP-enabled port to advertise its MAC and physical layer specifications
    lldp dot3-tlv max-      Configures an LLDP-enabled port to advertise frame...
  • Page 953: Lldp Notification-Interval

    DEFAULT SETTING
    Holdtime multiplier: 4
    TTL: 4*30 = 120 seconds
    COMMAND MODE
    Global Configuration
    COMMAND USAGE
    The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
  • Page 954: Lldp Refresh-Interval

    lldp refresh-interval
    This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
    SYNTAX
    lldp refresh-interval seconds
    no lldp refresh-delay
    seconds - Specifies the periodic interval at which LLDP advertisements are sent.
  • Page 955: Lldp Tx-Delay

    EXAMPLE
    Console(config)#lldp reinit-delay 10
    Console(config)#
    lldp tx-delay
    This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
    SYNTAX
    lldp tx-delay seconds...
  • Page 956: Lldp Basic-Tlv Management-Ip-Address

    DEFAULT SETTING
    tx-rx
    COMMAND MODE
    Interface Configuration (Ethernet, Port Channel)
    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#lldp admin-status rx-only
    Console(config-if)#
    lldp basic-tlv management-ip-address
    This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
  • Page 957: Lldp Basic-Tlv Port-Description

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#lldp basic-tlv management-ip-address
    Console(config-if)#
    lldp basic-tlv port-description
    This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.
    SYNTAX
    [no] lldp basic-tlv port-description
    DEFAULT SETTING
    Enabled...
  • Page 958: Lldp Basic-Tlv System-Description

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#lldp basic-tlv system-capabilities
    Console(config-if)#
    lldp basic-tlv system-description
    This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature.
    SYNTAX
    [no] lldp basic-tlv system-description
    DEFAULT SETTING
    Enabled
    COMMAND MODE...
  • Page 959: Lldp Dot1-Tlv Proto-Ident

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#lldp basic-tlv system-name
    Console(config-if)#
    lldp dot1-tlv proto-ident
    This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
    SYNTAX
    [no] lldp dot1-tlv proto-ident
    DEFAULT SETTING
    Enabled...
  • Page 960: Lldp Dot1-Tlv Pvid

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#no lldp dot1-tlv proto-vid
    Console(config-if)#
    lldp dot1-tlv pvid
    This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
    SYNTAX
    [no] lldp dot1-tlv pvid
    DEFAULT SETTING
    Enabled...
  • Page 961: Lldp Dot3-Tlv Link-Agg

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#no lldp dot1-tlv vlan-name
    Console(config-if)#
    lldp dot3-tlv link-agg
    This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
    SYNTAX
    [no] lldp dot3-tlv link-agg
    DEFAULT SETTING
    Enabled...
  • Page 962: Lldp Dot3-Tlv Max-Frame

    EXAMPLE
    Console(config)#interface ethernet 1/1
    Console(config-if)#no lldp dot3-tlv mac-phy
    Console(config-if)#
    lldp dot3-tlv max-frame
    This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
    SYNTAX
    [no] lldp dot3-tlv max-frame
    DEFAULT SETTING
    Enabled...
  • Page 963: Show Lldp Config

    ◆ SNMP trap destinations are defined using the snmp-server host command.
    ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
  • Page 964: Show Lldp Info Local-Device

    Eth 1/5   | Tx-Rx          True
    Console#show lldp config detail ethernet 1/1
    LLDP Port Configuration Detail
     Port                    : Eth 1/1
     Admin Status            : Tx-Rx
     Notification Enabled    : True
     Basic TLVs Advertised:
      port-description
      system-name
      system-description
      system-capabilities
      management-ip-address
     802.1 specific TLVs Advertised:
      *port-vid
      *vlan-name
      *proto-vlan...
  • Page 965: Show Lldp Info Remote-Device

     Management Address      : 192.168.0.101 (IPv4)
    LLDP Port Information
    Interface |PortID Type       PortID             PortDesc
    --------- + ---------------- ------------------ ---------------------------
    Eth 1/1   |MAC Address       00-01-02-03-04-06  Ethernet Port on unit 1, port 1
    Eth 1/2   |MAC Address       00-01-02-03-04-07  Ethernet Port on unit 1, port 2
    Eth 1/3   |MAC Address       00-01-02-03-04-08  Ethernet Port on unit 1, port 3...
  • Page 966: Show Lldp Info Statistics

     PortID Type               : MAC Address
     PortID                    : 00-01-02-03-04-06
     SysName                   :
     System Description        : ECS4610-50T/ECS4610-26T
     Port Description          : Ethernet Port on unit 1, port 1
     SystemCapSupported        : Bridge, Router
     SystemCapEnabled          : Bridge, Router
     Remote Management Address : 192.168.0.2 (IPv4)
     Remote Port VID           : 1
     Remote VLAN Name          : VLAN-1 : DefaultVlan...
  • Page 967

    Interface | NumFramesRecvd  NumFramesSent  NumFramesDiscarded
    --------- + --------------  -------------  ------------------
    Eth 1/1   | 10
    Eth 1/2   |
    Eth 1/3   |
    Eth 1/4   |
    Eth 1/5   |
    Console#show lldp info statistics detail ethernet 1/1
    LLDP Port Statistics Detail
     PortName                : Eth 1/1
     Frames Discarded        :
     Frames Invalid          :
     Frames Received...
  • Page 969: Domain Name Service Commands

    OMAIN ERVICE OMMANDS These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server...
  • Page 970: Ip Domain-Lookup

    | Domain Name Service Commands HAPTER EFAULT ETTING None OMMAND Global Configuration OMMAND SAGE Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this ◆...
  • Page 971: Ip Domain-Name

    | Domain Name Service Commands HAPTER OMMAND SAGE ◆ At least one name server must be specified before DNS can be enabled. If all name servers are deleted, DNS will automatically be disabled. ◆ XAMPLE This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns...
  • Page 972: Ip Host

    | Domain Name Service Commands HAPTER Default Domain Name: sample.com Domain Name List: Name Server List: Console# ELATED OMMANDS ip domain-list (969) ip name-server (973) ip domain-lookup (970) This command creates a static entry in the DNS table that maps a host ip host name to an IPv4 address.
  • Page 973: Ip Name-Server

    | Domain Name Service Commands HAPTER This command specifies the address of one or more domain name servers ip name-server to use for name-to-address resolution. Use the no form to remove a name server from this list. YNTAX [no] ip name-server server-address1 [server-address2 … server-address6] server-address1 - IP address of domain-name server.
  • Page 974: Ipv6 Host

    | Domain Name Service Commands HAPTER This command creates a static entry in the DNS table that maps a host ipv6 host name to an IPv6 address. Use the no form to remove an entry. YNTAX [no] ipv6 host name ipv6-address name - Name of an IPv6 host.
  • Page 975: Clear Host

    clear host: This command deletes dynamic entries from the DNS table. SYNTAX: clear host {name | *}. name - Name of the host. (Range: 1-100 characters) * - Removes all entries. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND...
  • Page 976: Show Dns Cache

    show dns cache: This command displays entries in the DNS cache. COMMAND MODE: Privileged Exec. EXAMPLE: Console#show dns cache Flag Type IP Address Domain ------- ------- ------- --------------- ------- -------- 4 Host 209.131.36.158 115 www-real.wa1.b.yahoo.com 4 CNAME POINTER TO:3 115 www.yahoo.com...
  • Page 977: Table 127: Show Hosts - Display Description

    Table 127: show hosts - display description. Field / Description: The entry number for each resource record. Flag: This field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache. Type: This field includes “Address”...
  • Page 979: Dhcp Commands

    DHCP COMMANDS. These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface can be configured to automatically obtain an address through DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network, or it can be configured to provide DHCP service directly to any client.
  • Page 980: Dhcp Relay

    CHAPTER | DHCP Commands. DHCP Relay: ◆ DHCP requires the server to reassign the client’s last address if available. ◆ If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain.
  • Page 981: Ip Dhcp Restart Relay

    DHCP Relay. COMMAND MODE: Interface Configuration (VLAN). USAGE GUIDELINES: ◆ You must specify the IP address for at least one DHCP server. Otherwise, the switch’s DHCP relay agent will not forward client requests to a DHCP server. To start DHCP relay service, enter the ip dhcp restart relay command.
  • Page 982: Dhcp Server

    Split horizon is enabled Console# RELATED COMMANDS: ip dhcp relay server (980). DHCP SERVER: This section describes commands used to configure client address pools for the DHCP service. Table 131: DHCP Server Commands (Command / Function / Mode)...
  • Page 983: Ip Dhcp Excluded-Address

    ip dhcp excluded-address: This command specifies IP addresses that the DHCP server should not assign to DHCP clients. Use the no form to remove the excluded IP addresses. SYNTAX: [no] ip dhcp excluded-address low-address [high-address]. low-address - An excluded IP address, or the first IP address in an excluded address range.
  • Page 984: Service Dhcp

    EXAMPLE: Console(config)#ip dhcp pool R&D Console(config-dhcp)# RELATED COMMANDS: network (991), host (988). service dhcp: This command enables the DHCP server on this switch. Use the no form to disable the DHCP server. SYNTAX: [no] service dhcp. DEFAULT SETTING: Enabled...
  • Page 985: Client-Identifier

    EXAMPLE: Console(config-dhcp)#bootfile wme.bat Console(config-dhcp)# RELATED COMMANDS: next-server (992). client-identifier: This command specifies the client identifier of a DHCP client. Use the no form to remove the client identifier. SYNTAX: client-identifier {text text | hex hex}; no client-identifier. text - A text string.
  • Page 986: Default-Router

    default-router: This command specifies default routers for a DHCP pool. Use the no form to remove the default routers. SYNTAX: default-router address1 [address2]; no default-router. address1 - Specifies the IP address of the primary router. address2 - Specifies the IP address of an alternate router.
  • Page 987: Domain-Name

    ◆ Servers are listed in order of preference (starting with address1 as the most preferred server). EXAMPLE: Console(config-dhcp)#dns-server 10.1.1.253 192.168.3.19 Console(config-dhcp)# domain-name: This command specifies the domain name for a DHCP client. Use the no form to remove the domain name.
  • Page 988: Host

    COMMAND MODE: DHCP Pool Configuration. COMMAND USAGE: This command identifies a DHCP or BOOTP client to bind to an address specified in the host command. BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
  • Page 989: Lease

    ◆ When searching for a manual binding, the switch compares the client identifier for DHCP clients, and then compares the hardware address for DHCP or BOOTP clients. ◆ If no manual binding has been specified for a host entry with the client-...
  • Page 990: Netbios-Name-Server

    EXAMPLE: The following example leases an address to clients using this pool for 7 days. Console(config-dhcp)#lease 7 Console(config-dhcp)# netbios-name-server: This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Use the no form to remove the NetBIOS name server list.
  • Page 991: Netbios-Node-Type

    netbios-node-type: This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type. SYNTAX: netbios-node-type type; no netbios-node-type. type - Specifies the NetBIOS node type: broadcast, hybrid (recommended), mixed...
  • Page 992: Next-Server

    ...server), the switch searches for a network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool. If no manually configured host address is found, it assigns an address from the matching network address pool.
  • Page 993: Clear Ip Dhcp Binding

    clear ip dhcp binding: This command deletes an automatic address binding from the DHCP server database. SYNTAX: clear ip dhcp binding {address | *}. address - The address of the binding to clear. * - Clears all automatic bindings.
  • Page 994: Show Ip Dhcp

    EXAMPLE: Console#show ip dhcp binding Lease Time Start (dd/hh/mm/ss) --------------- ----------------- ------------------ ----------- 192.1.3.21 00-00-e8-98-73-21 86400 Dec 25 08:01:57 2002 Console# show ip dhcp: This command displays DHCP address pools configured on the switch. COMMAND MODE: Privileged Exec. EXAMPLE...
  • Page 995: Vrrp Commands

    VRRP COMMANDS. Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
  • Page 996: Vrrp Authentication

    CHAPTER | VRRP Commands. vrrp authentication: This command specifies the key used to authenticate VRRP packets received from other routers. Use the no form to prevent authentication. SYNTAX: vrrp group authentication key; no vrrp group authentication. group - Identifies the virtual router group. (Range: 1-255) key - Authentication string.
  • Page 997: Vrrp Preempt

    COMMAND MODE: Interface (VLAN). COMMAND USAGE: ◆ The interfaces of all routers participating in a virtual router group must be within the same IP subnet. ◆ If the IP address assigned to the virtual router with this command is already configured as the primary address on this interface, this router is considered the Owner, and will assume the role of the Master virtual router in the group.
  • Page 998: Vrrp Priority

    COMMAND USAGE: ◆ If preempt is enabled, and this backup router has a priority higher than the current acting master, it will take over as the new master. However, note that if the original master (i.e., the owner of the VRRP IP address) comes back on line, it will always resume control as the master.
  • Page 999: Vrrp Timers Advertise

    ◆ If the backup preempt function is enabled with the vrrp preempt command, and a backup router with a priority higher than the current acting master comes on line, this backup router will take over as the new acting master.
  • Page 1000: Clear Vrrp Interface Counters

    ...before attempting to take over as the master is three times the hello interval plus half a second. EXAMPLE: Console(config-if)#vrrp 1 timers advertise 5 Console(config-if)# clear vrrp interface counters: This command clears VRRP system statistics for the specified group and interface.
  • Page 1001: Table 133: Show Vrrp - Display Description

    DEFAULTS: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: ◆ Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router. ◆ Use this command with the brief keyword to display a summary of...
  • Page 1002: Show Vrrp Interface

    Table 133: show vrrp - display description (Continued). Field / Description: Master Router - IP address of the router currently acting as the VRRP group master. Master priority - The priority of the router currently acting as the VRRP group master. Master - The advertisement interval configured on the VRRP master.
