User Authentication

• Re-authen – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)

• Max-Req – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2)

• Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds)

• Re-authen Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)

• TX Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)

• Authorized –
  - Yes – Connected client is authorized.
  - No – Connected client is not authorized.
  - Blank – Displays nothing when dot1x is disabled on a port.

• Supplicant – Indicates the MAC address of a connected client.

• Trunk – Indicates if the port is configured as a trunk port.

Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply.

Figure 3-41  802.1X Port Configuration
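
An added example, not part of the Edge-Core guide: a Python audit of per-port 802.1X settings against the ranges and defaults listed above, flagging ports where re-authentication is off or slower than a chosen ceiling. The CSV layout, the sample rows and the `max_reauth_period` policy value are constructed for illustration and are not the switch's own export format.

```python
import csv
import io

# Ranges and defaults as documented in the parameter list above.
RANGES = {
    "max_req": (1, 10),
    "quiet_period": (1, 65535),
    "reauth_period": (1, 65535),
    "tx_period": (1, 65535),
}
DEFAULTS = {
    "reauth": False,        # Re-authen: Default Disabled
    "max_req": 2,
    "quiet_period": 60,
    "reauth_period": 3600,
    "tx_period": 30,
}

# Constructed sample inventory (assumed layout, one row per port).
SAMPLE = """\
port,reauth,max_req,quiet_period,reauth_period,tx_period
1/1,disabled,2,60,3600,30
1/2,enabled,2,60,3600,30
1/3,enabled,12,60,43200,30
1/4,enabled,2,0,600,30
1/5,,,,,
"""


def _to_int(cell):
    """Return the cell as an int, or the raw text if it is not a number."""
    try:
        return int(cell)
    except ValueError:
        return cell


def parse_ports(text):
    """Return one settings dict per port; blank cells take the documented default."""
    ports = []
    for row in csv.DictReader(io.StringIO(text)):
        port = {"port": row["port"].strip()}
        reauth = (row.get("reauth") or "").strip().lower()
        port["reauth"] = DEFAULTS["reauth"] if reauth == "" else reauth == "enabled"
        for key in RANGES:
            cell = (row.get(key) or "").strip()
            port[key] = DEFAULTS[key] if cell == "" else _to_int(cell)
        ports.append(port)
    return ports


def audit_port(port, max_reauth_period=3600):
    """Return (code, message) findings for one port.

    max_reauth_period is a hypothetical site policy ceiling in seconds;
    it defaults to the documented Re-authen Period default.
    """
    findings = []
    for key, (low, high) in RANGES.items():
        value = port[key]
        if not isinstance(value, int) or not low <= value <= high:
            findings.append(
                ("RANGE", f"{key}={value} is outside the documented range {low}-{high}")
            )
    if not port["reauth"]:
        # With Re-authen disabled the port is not re-checked on an interval,
        # so a device swapped in behind an authorized port is not detected.
        findings.append(("REAUTH_OFF", "re-authentication is disabled"))
    elif isinstance(port["reauth_period"], int) and port["reauth_period"] > max_reauth_period:
        findings.append(
            ("REAUTH_SLOW",
             f"re-authentication every {port['reauth_period']} s exceeds "
             f"the {max_reauth_period} s ceiling")
        )
    return findings


def audit(text, max_reauth_period=3600):
    """Map each port to the list of finding codes raised for it."""
    return {
        port["port"]: [code for code, _ in audit_port(port, max_reauth_period)]
        for port in parse_ports(text)
    }


if __name__ == "__main__":
    for port in parse_ports(SAMPLE):
        for code, message in audit_port(port):
            print(f"{port['port']}: {code}: {message}")
```
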

Summary of Contents for 24/48 10/100 Ports + 2GE

Page 1: ...Powered by Accton www edge core com Management Guide 24 48 10 100 Ports 2GE Intelligent Layer 2 Fast Ethernet Switch...

Page 2: ......

Page 3: ...Management Guide Fast Ethernet Switch Layer 2 Standalone Switch with 24 48 10 100BASE TX RJ 45 Ports and 2 Combination Gigabit Ports RJ 45 SFP...

Page 4: ...ES3526XA ES3552XA F2 2 6 3 E122006 CS R02 149100005500H...

Page 5: ...2c clients 2 6 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Saving Configuration Settings 2 8 Managing System Files 2 9 Chapter 3 Configuring the Switch 3 1 Using the Web Inter...

Page 6: ...3 44 Configuring SNMPv3 Users 3 45 Configuring Remote SNMPv3 Users 3 47 Configuring SNMPv3 Groups 3 49 Setting SNMPv3 Views 3 53 User Authentication 3 54 Configuring User Accounts 3 54 Configuring Lo...

Page 7: ...6 Configuring Rate Limits 3 107 Rate Limit Granularity 3 107 Rate Limit Configuration 3 108 Showing Port Statistics 3 109 Address Table Settings 3 114 Setting Static Addresses 3 114 Displaying the Add...

Page 8: ...abling IGMP Immediate Leave 3 173 Displaying Interfaces Attached to a Multicast Router 3 174 Specifying Static Interfaces for a Multicast Router 3 175 Displaying Port Members of Multicast Services 3 1...

Page 9: ...5 Using Command History 4 5 Understanding Command Modes 4 5 Exec Commands 4 6 Configuration Commands 4 7 Command Line Processing 4 8 Command Groups 4 9 Line Commands 4 11 line 4 11 login 4 12 passwor...

Page 10: ...authentication retries 4 38 ip ssh server key size 4 39 delete public key 4 39 ip ssh crypto host key generate 4 40 ip ssh crypto zeroize 4 40 ip ssh save host key 4 41 show ip ssh 4 41 show ssh 4 42...

Page 11: ...Frame Size Commands 4 69 jumbo frame 4 69 Flash File Commands 4 70 copy 4 70 delete 4 73 dir 4 73 whichboot 4 74 boot system 4 75 Authentication Commands 4 76 Authentication Sequence 4 76 authenticati...

Page 12: ...authentication reauth time 4 98 clear network access 4 99 show network access 4 99 show network access mac filter 4 100 show network access mac address table 4 100 Access Control List Commands 4 102...

Page 13: ...gotiation 4 133 capabilities 4 134 flowcontrol 4 135 shutdown 4 136 switchport broadcast packet rate 4 137 clear counters 4 137 show interfaces status 4 138 show interfaces counters 4 139 show interfa...

Page 14: ...spanning disabled 4 170 spanning tree cost 4 170 spanning tree port priority 4 171 spanning tree edge port 4 172 spanning tree portfast 4 173 spanning tree link type 4 173 spanning tree mst cost 4 17...

Page 15: ...bandwidth 4 202 show queue cos map 4 203 Priority Commands Layer 3 and 4 4 204 map ip port Global Configuration 4 204 map ip port Interface Configuration 4 205 map ip precedence Global Configuration...

Page 16: ...mp throttle interface 4 227 Multicast VLAN Registration Commands 4 227 mvr Global Configuration 4 228 mvr Interface Configuration 4 229 show mvr 4 230 Domain Name Service Commands 4 233 ip host 4 233...

Page 17: ...252 show cluster members 4 253 show cluster candidates 4 253 Appendix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Append...

Page 18: ...Contents xiv...

Page 19: ...and Line Processing 4 8 Table 4 4 Command Groups 4 9 Table 4 5 Line Commands 4 11 Table 4 6 General Commands 4 20 Table 4 7 System Management Commands 4 25 Table 4 8 Device Designation Commands 4 25 T...

Page 20: ...142 Table 4 48 Rate Limit Commands 4 144 Table 4 49 Link Aggregation Commands 4 146 Table 4 50 show lacp counters display description 4 153 Table 4 51 show lacp internal display description 4 154 Tabl...

Page 21: ...cription 4 231 Table 4 76 show mvr members display description 4 232 Table 4 75 show mvr interface display description 4 232 Table 4 77 DNS Commands 4 233 Table 4 78 show dns cache display description...

Page 22: ...Tables xviii...

Page 23: ...Alerts 3 33 Figure 3 20 Resetting the System 3 34 Figure 3 21 SNTP Configuration 3 35 Figure 3 22 NTP Client Configuration 3 37 Figure 3 23 Setting the System Clock 3 38 Figure 3 24 Enabling the SNMP...

Page 24: ...rt Configuration 3 107 Figure 3 63 Rate Limit Granularity Configuration 3 108 Figure 3 64 Output Rate Limit Port Configuration 3 109 Figure 3 65 Port Statistics 3 113 Figure 3 66 Static Addresses 3 11...

Page 25: ...uter Port Configuration 3 175 Figure 3 102 IP Multicast Registration Table 3 176 Figure 3 103 IGMP Member Port Table 3 177 Figure 3 104 Enabling IGMP Filtering and Throttling 3 179 Figure 3 105 IGMP P...

Page 26: ...Figures xxii...

Page 27: ...P or MAC ACLs DHCP Client Supported Port Configuration Speed duplex mode and flow control Rate Limiting Input and output rate limiting per port Port Mirroring One port mirrored to a single analysis po...

Page 28: ...ght to access the network via an authentication server Other authentication options include HTTPS for secure management access via the web SSH for secure management access over a Telnet equivalent con...

Page 29: ...ching by learning addresses and then filtering or forwarding traffic based on this information The address table supports up to 8K addresses Store and Forward Switching The switch copies each frame in...

Page 30: ...me VLAN and allowing you to limit the total number of VLANs that need to be configured Traffic Prioritization This switch prioritizes each packet based on the required level of service using four prio...

Page 31: ...one Local Console Timeout 0 disabled Authentication Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Pa...

Page 32: ...ing Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port in...

Page 33: ...s Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 6 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled Table 1 2 System Defaults...

Page 34: ...Introduction 1 8 1...

Page 35: ...nsole port on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to b...

Page 36: ...end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set the baud rate to...

Page 37: ...s to basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program prov...

Page 38: ...ion for the switch to obtain management access through the network This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If you...

Page 39: ...therefore need to use the ip dhcp restart command to start broadcasting service requests Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values ca...

Page 40: ...rovide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that pro...

Page 41: ...re no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a...

Page 42: ...rk Management Protocol on page 3 38 or refer to the specific CLI commands for SNMP starting on page 4 116 Saving Configuration Settings Configuration commands only modify the running configuration fil...

Page 43: ...after boot up also known as run time code This code runs the switch operations and provides the CLI and Web management interfaces See Managing Firmware on page 3 19 for more information Diagnostic Co...

Page 44: ...Initial Configuration 2 10 2...

Page 45: ...Set user names and passwords using an out of band serial connection Access to the Web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwor...

Page 46: ...When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the...

Page 47: ...y visit to the page 2 When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web age...

Page 48: ...emory 3 20 Set Startup Sets the startup file 3 20 Line 3 24 Console Sets console port connection parameters 3 24 Telnet Sets Telnet connection parameters 3 26 Log 3 28 Logs Stores and displays error m...

Page 49: ...filters 3 79 ACL 3 82 Configuration Configures packet filtering based on IP or MAC addresses 3 82 Port Binding Binds a port to the specified ACL 3 88 IP Filter Sets IP addresses of clients allowed man...

Page 50: ...plays STA values used for the bridge 3 119 Configuration Configures global bridge settings for STA and RSTP 3 123 Port Information Displays individual port settings for STA 3 127 Trunk Information Dis...

Page 51: ...nk 3 158 Traffic Classes Maps IEEE 802 1p priority tags to output queues 3 160 Traffic Classes Status Enables disables traffic class priorities not implemented NA Queue Mode Sets queue mode to strict...

Page 52: ...3 181 IGMP Filter Throttling Trunk Configuration Assigns IGMP filter profiles to trunk interfaces and sets throttling settings 3 181 MVR Configuration Globally enables MVR sets the MVR VLAN adds mult...

Page 53: ...Adds switch Members to the cluster 3 195 Member Information Displays cluster Member switch information 3 196 Candidate Information Displays network Candidate switch information 3 197 Table 3 2 Main M...

Page 54: ...is switch Web server Shows if management access via HTTP is enabled Web server port Shows the TCP port number used by the web interface Web secure server Shows if management access via HTTPS is enable...

Page 55: ...er of runtime code Role Shows that this switch is operating as Master or Slave Expansion Slot Expansion Slot 1 2 Combination RJ 45 SFP ports Console config hostname R D 5 4 26 Console config snmp serv...

Page 56: ...3 4 Displaying Switch Information CLI Use the following command to display version information Console show version 4 68 Unit 1 Serial number S542021059 Service tag Hardware version R01A Module A type...

Page 57: ...ering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 114 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering datab...

Page 58: ...been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP...

Page 59: ...tatic enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config...

Page 60: ...nsole connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart co...

Page 61: ...llows compatible DHCP servers to use the information when assigning IP addresses or to set other services or policies for clients Using DHCP Relay Option 82 clients can be identified by the VLAN and s...

Page 62: ...cify at least one DHCP server IP address Click Apply Figure 3 8 DHCP Relay Option 82 Configuration CLI This example enables DHCP relay with Option 82 and sets the policy as replace Console config ip d...

Page 63: ...erver tftp to file Copies a file from a TFTP server to the switch file to unit1 Copies a file from this switch to another unit in the stack unit to file1 Copies a file from another unit in the stack t...

Page 64: ...the TFTP server set the file type to opcode enter the file name of the software to download select a file on the switch to overwrite or specify a new file name then click Apply If you replaced the cur...

Page 65: ...enter the source and destination file names When the file has finished downloading set the new file to start up the system and then restart the switch To start the new firmware enter the reload comma...

Page 66: ...on to a file on the switch startup config to running config Copies the startup config to the running config startup config to tftp Copies the startup configuration to a TFTP server tftp to file Copies...

Page 67: ...ftp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name then...

Page 68: ...e 0 65535 seconds Default 0 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system int...

Page 69: ...a password for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Defa...

Page 70: ...out interval the connection is terminated for the session Range 0 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not...

Page 71: ...es a password for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt De...

Page 72: ...tem Logs page allows you to configure and limit system messages that are logged to flash or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RA...

Page 73: ...the show logging command to display the current settings Table 3 3 Logging Levels Level Severity Name Description 7 Debug Debugging messages 6 Informational Informational messages only 5 Notice Norma...

Page 74: ...type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Ran...

Page 75: ...nfig logging host 192 168 1 15 4 46 Console config logging facility 23 4 46 Console config logging trap 4 4 47 Console config end Console show logging trap 4 47 Syslog logging Enabled REMOTELOG status...

Page 76: ...h or the address of an administrator responsible for the switch Severity Sets the syslog severity threshold level see table on page 3 29 used to trigger alert messages All events at this level or high...

Page 77: ...y level To add an IP address to the SMTP Server List type the new IP address in the SMTP Server field and click Add To delete an IP address click the entry in the SMTP Server List and click Remove Spe...

Page 78: ...e the reload command to restart the switch When prompted confirm that you want to reset the switch Note When restarting the system it will always run the Power On Self Test Console config logging send...

Page 79: ...ides more reliable time updates since the updates are collected from many NTP servers then filtered and selected using an algorithm that determines the most accurate time The NTP client also uses auth...

Page 80: ...P server to be polled The switch requests an update from all configured servers then determines the most accurate time update from the responses received Version Specifies the NTP version supported by...

Page 81: ...2 168 5 23 version 3 key 19 Console config ntp poll 60 4 58 Console config ntp client 4 57 Console config ntp authenticate 4 59 Console config exit Console show ntp 4 60 Current time Jan 1 02 58 58 20...

Page 82: ...23 Setting the System Clock CLI This example shows how to set the time zone for the system clock Simple Network Management Protocol SNMP is a communication protocol designed specifically for managing...

Page 83: ...reading and writing which are known as views The switch has a default view all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and...

Page 84: ...anagers should be listed in this table For security reasons you should consider removing the default strings Command Attributes SNMP Community Capability The switch supports up to five community strin...

Page 85: ...or encryption options authNoPriv or authPriv the user name must first be defined in the SNMPv3 Users page page 3 45 Otherwise the authentication password and or privacy password will not exist and the...

Page 86: ...in the Trap Managers table we recommend that you define this string in the SNMP Configuration page for Version 1 or 2c clients or define a corresponding User Name in the SNMPv3 Users page for Version...

Page 87: ...s for Authentication and Link up down traps and then click Apply Figure 3 26 Configuring SNMP Trap Managers CLI This example adds a trap manager and enables authentication traps Configuring SNMPv3 Man...

Page 88: ...than 26 characters are specified trailing zeroes are added to the value For example the value 1234 is equivalent to 1234 followed by 22 zeroes Web Click SNMP SNMPv3 Engine ID Enter an ID of up to 26...

Page 89: ...level and assigned to a group The SNMPv3 group restricts users to a specific read write or notify view Command Attributes User Name The name of user connecting to the SNMP agent Range 1 32 characters...

Page 90: ...sword A minimum of eight plain text characters is required Actions Enables the user to be assigned to another SNMPv3 group Web Click SNMP SNMPv3 Users Click New to configure a user name In the New Use...

Page 91: ...t on the remote device where the remote user resides Note that the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID on page 3 44 Remote I...

Page 92: ...f eight plain text characters is required Web Click SNMP SNMPv3 Remote Users Click New to configure a user name In the New User page define a name and assign it to a group then click Add to save the c...

Page 93: ...SNMP communications AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication a...

Page 94: ...ntity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the notPresent state This...

Page 95: ...with the master board version This trap binds two objects the first object indicates the master version whereas the second represents the slave version swModuleVer MismatchNotificaiton 1 3 6 1 4 1 259...

Page 96: ...k Delete Figure 3 31 Configuring SNMPv3 Groups CLI Use the snmp server group command to configure a new group specifying the security model and level and restricting MIB access to defined read and wri...

Page 97: ...in the MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view W...

Page 98: ...ing User Accounts The guest only has read access for most configuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign...

Page 99: ...nt from the list Web Click Security User Accounts To configure a new user account specify a user name select the user s access level then enter a password and confirm it Click Add to save the new user...

Page 100: ...e packet Command Usage By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the auth...

Page 101: ...Network UDP port of authentication server used for authentication messages Range 1 65535 Default 1812 Secret Text String Encryption key used to authenticate logon access for client Do not use blank s...

Page 102: ...thentication login radius 4 76 Console config radius server port 181 4 79 Console config radius server key green 4 79 Console config radius server retransmit 5 4 80 Console config radius server timeou...

Page 103: ...status bar for Internet Explorer 5 x or above and Netscape Navigator 6 2 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Rep...

Page 104: ...obtain a unique certificate and a private key and password from a recognized certification authority Caution For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at...

Page 105: ...uthentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server as specified on the Authentication Settings pa...

Page 106: ...ble the SSH server on the switch 6 Challenge Response Authentication When an SSH client attempts to contact the switch the SSH server uses the host key pair to negotiate a session key and encryption m...

Page 107: ...andard DSS The last string is the encoded modulus Host Key Type The key type used to generate the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default RSA The SSH s...

Page 108: ...320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 6032591968369705343933643844522333518828717389689451172929051081...

Page 109: ...0 seconds Default 120 seconds SSH Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authenti...

Page 110: ...frames received on the port Note that you can also manually add secure addresses to the port using the Static Address Table page 3 114 When the port has reached the maximum number of MAC addresses th...

Page 111: ...nt The maximum number of MAC addresses that can be learned on a port Range 0 1024 where 0 means disabled Trunk Trunk number if port is a member page 3 94 and 3 95 Web Click Security Port Security Mark...

Page 112: ...only the challenge but the authentication method to be used The client can reject the authentication method and request another depending on the configuration of the client software and the RADIUS se...

Page 113: ...AEGIS dot1x client or other comparable client software Displaying 802 1X Global Settings The 802 1X protocol provides client authentication Command Attributes 802 1X System Authentication Control The...

Page 114: ...itch and authentication server These parameters are described in this section Command Attributes Port Port number Status Indicates if authentication is enabled or disabled on the port Default Disabled...

Page 115: ...uire a new client Range 1 65535 seconds Default 60 seconds Re authen Period Sets the time period after which a connected client must be re authenticated Range 1 65535 seconds Default 3600 seconds TX P...

Page 116: ...2 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto yes 1 52 disabl...

Page 117: ...of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx E...

Page 118: ...itch enables network access from these devices to be controlled by authenticating device MAC addresses with a central RADIUS server Note MAC authentication 802 1X and port security cannot be configure...

Page 119: ...VLAN identifier list to be applied to the switch port The following attributes need to be configured on the RADIUS server Tunnel Type VLAN Tunnel Medium Type 802 Tunnel Private Group ID 1u 2t VLAN ID...

Page 120: ...ilter ID Applies a MAC address filter to a port interface MAC address filters must first be created from the MAC Filter Configuration page Only one filter can be applied to a port Default No filters a...

Page 121: ...entries can be displayed and selected entries can be removed from the table Command Attributes Network Access MAC Address Count The number of MAC addresses currently in the secure MAC address table C...

Page 122: ...ress MAC Address The authenticated MAC address RADIUS Server The IP address of the RADIUS server that authenticated the MAC address Time The time when the MAC address was last authenticated Attribute...

Page 123: ...t MAC address filters or a specific filter configuration Add Remove Specify a filter ID and MAC address to create a filter Specify the same filter ID with other MAC addresses to add them to the filter...

Page 124: ...ng addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addr...

Page 125: ...Figure 3 47 Creating a Web IP Filter List CLI This example allows SNMP access for a specific client Console config management snmp client 10 1 2 3 4 29 Console config end Console show management all c...

Page 126: ...ts against the conditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match for a list of all permit rul...

Page 127: ...ype There are three filtering modes Standard IP ACL mode that filters packets based on the source IP address Extended IP ACL mode that filters packets based on source or destination IP address as well...

Page 128: ...te match and 0 bits to indicate ignore The mask is bitwise ANDed with the specified source IP address and compared with the address for each IP packet entering the port s to which this ACL has been as...

Page 129: ...pe to match as TCP UDP or Others where others indicates a specific protocol number 0 255 Options TCP UDP Others Default TCP Source Destination Port Source destination port number for the specified pro...

Page 130: ...packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2...

Page 131: ...matted packets Range 0 65535 A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Web Specify the action i e Permit o...

Page 132: ...t to a port This switch only supports ACLs for ingress filtering You can only bind one IP ACL to any port and one MAC ACL globally for ingress filtering Command Attributes Port Fixed port or SFP modul...

Page 133: ...es if the link is Up or Down Speed Duplex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back P...

Page 134: ...d for a port during auto negotiation To access this item on the web see Configuring Interface Connections on page 3 48 The following capabilities are supported 10half Supports 10 Mbps half duplex oper...

Page 135: ...ace capabilities to advertise or manually fix the speed duplex mode and flow control Command Attributes Name Allows you to label an interface Range 1 64 characters Admin Allows you to manually disable...

Page 136: ...w control Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half dup...

Page 137: ...more than eight ports all other ports will be placed in a standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it Command Usage Besides ba...

Page 138: ...g on the manufacturer s implementation However note that the static trunks on this switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add a static trunk via t...

Page 139: ...k must be configured for full duplex either by forced mode or auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see page 3...

Page 140: ...unk ports on another switch to form a trunk Console config interface ethernet 1 3 4 131 Console config if lacp 4 148 Console config if exit Console config interface ethernet 1 6 Console config if lacp...

Page 141: ...Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must be...

Page 142: ...ou can optionally configure these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggrega...

Page 143: ...ole show lacp sysid 4 152 Port Channel System Priority System MAC Address 1 3 00 00 E9 31 31 31 2 32768 00 00 E9 31 31 31 3 32768 00 00 E9 31 31 31 4 32768 00 00 E9 31 31 31 Console show lacp 1 intern...

Page 144: ...hernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type LACPDUs Illegal Pkts Number of frames that car...

Page 145: ...ormation administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be ena...

Page 146: ...e LACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 4 152 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP...

Page 147: ...gned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregati...

Page 148: ...1 neighbors Eth 1 1 Partner Admin System ID 32768 00 00 00 00 00 00 Partner Oper System ID 3 00 30 F1 CE 2A 20 Partner Admin Port Number 5 Partner Oper Port Number 3 Port Admin Priority 32768 Port Op...

Page 149: ...ffic Any broadcast packets exceeding the specified threshold will then be dropped Command Usage Broadcast Storm Control is enabled by default Broadcast control does not affect IP multicast traffic The...

Page 150: ...sions Displays a list of current mirror sessions Source Port The port whose traffic will be monitored Type Allows you to select which traffic to mirror to the target port Rx receive or Tx transmit Tar...

Page 151: ...miting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is...

Page 152: ...apply rate limiting Command Usage Input and output rate limit can be enabled or disabled for individual interfaces Command Attributes Port Trunk Displays the port number Rate Limit Status Enables or d...

Page 153: ...tistics display errors on the traffic passing through each port This information can be used to identify potential problems with the switch such as a faulty port or unusually heavy loading RMON statis...

Page 154: ...luding framing characters Transmit Unicast Packets The total number of packets that higher level protocols requested be transmitted to a subnetwork unicast address including those that were discarded...

Page 155: ...or which reception on a particular interface fails due to an internal MAC sublayer receive error RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of res...

Page 156: ...s received and transmitted that were 64 octets in length excluding framing bits but including FCS octets 65 127 Byte Frames 128 255 Byte Frames 256 511 Byte Frames 512 1023 Byte Frames 1024 1518 Byte...

Page 157: ...nfiguration 3 113 3 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 3 65 Port Sta...

Page 158: ...dress of a device mapped to this interface VLAN ID of configured VLAN 1 4094 Console show interfaces counters ethernet 1 13 4 139 Ethernet 1 13 Iftable stats Octets input 868453 Octets output 3492122...

Page 159: ...nd traffic is found in the database the packets intended for that address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports Command Attributes Interface Indic...

Page 160: ...elect the method of sorting the displayed addresses and then click Query Figure 3 67 Dynamic Addresses CLI This example also displays the address table entries for port 1 Console show mac address tabl...

Page 161: ...on the network and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this switch include these versions STP Spanning Tree Prot...

Page 162: ...ompared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and retaining...

Page 163: ...nterconnects all adjacent MST Regions and acts as a virtual bridge node for communications with STP or RSTP nodes in the global network MSTP connects all bridges and LAN segments with a single Common...

Page 164: ...make it return to a discarding state otherwise temporary data loops might result Designated Root The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the r...

Page 165: ...changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each...

Page 166: ...Delay sec 15 Max hops 20 Remaining hops 20 Designated Root 32768 0 0000ABCD0000 Current root port 1 Current root cost 200000 Number of topology changes 1 Last topology changes time sec 13380 Transmiss...

Page 167: ...PDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same MSTP configuration allowing the...

Page 168: ...ts and trunks Default 20 Minimum The higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait before changing stat...

Page 169: ...VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision The revision for this MSTI Range 0 65535 Default 0 Region Name The name for this MSTI M...

Page 170: ...Configuring the Switch 3 126 3 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 3 70 STA Global Configuration...

Page 171: ...packets and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this p...

Page 172: ...t or is the MSTI regional root i e master port or is an alternate or backup port that may provide connectivity if other bridges bridge ports or LANs fail or are removed The role is set to disabled i e...

Page 173: ...rt You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly th...

Page 174: ...information Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Delay parameter wit...

Page 175: ...hown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65 535 the defau...

Page 176: ...y balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all...

Page 177: ...e MSTI settings Command Attributes MST Instance Instance identifier of this spanning tree Default 0 Priority The priority of a spanning tree instance Range 0 61440 in steps of 4096 Options 0 4096 8192...

Page 178: ...d by settings for each port Console show spanning tree mst 1 4 178 Spanning tree information Spanning tree mode MSTP Spanning tree enabled disabled enabled Instance 1 VLANs configuration 1 Priority 32...

Page 179: ...ernal oper path cost 10000 Priority 128 Designated cost 0 Designated port 128 1 Designated root 32768 1 0030F1D473A0 Designated bridge 32768 1 0030F1D473A0 Fast forwarding disabled Forward transitions...

Page 180: ...isplays STA settings for instance 0 followed by settings for each port The settings for instance 0 are global settings that apply to the IST page 3 119 the settings for other instances only apply to t...

Page 181: ...ributes can be configured MST Instance ID Instance identifier to configure Range 0 4094 Default 0 Priority Defines the priority used for this port in the Spanning Tree Protocol If the path cost for al...

Page 182: ...t path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65 535 the default is set to 65 535 Range Ethernet 200 000 20 000 000 Fast Ethernet 20 000 2 000...

Page 183: ...Ns inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN This switch supports the following VLAN features Up to 255 VL...

Page 184: ...ame VLAN Untagged VLANs can be used to manually isolate user groups or subnets However you should use IEEE 802 3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration Automatic...

Page 185: ...he same untagged VLAN However to participate in a VLAN group that crosses several switches you should create a VLAN for that group and enable tagging on all ports Ports can be assigned to multiple tag...

Page 186: ...802 1Q VLAN GVRP Status Enable or disable GVRP and click Apply Figure 3 76 Globally Enabling GVRP CLI This example enables GVRP for the switch Displaying Basic VLAN Information The VLAN Basic Informa...

Page 187: ...ID ID of configured VLAN 1 4094 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Perman...

Page 188: ...figured VLAN 1 4094 no leading zeroes Type Shows how this VLAN was added to the switch Dynamic Automatically learned via GVRP Static Added as a static entry Name Name of the VLAN 1 to 32 characters St...

Page 189: ...operational Disabled VLAN is suspended i e does not pass packets State CLI Enables or disables the specified VLAN Active VLAN is operational Suspend VLAN is suspended i e does not pass packets Add Add...

Page 190: ...atic Name DefaultVlan Status Active Ports Port channel Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1...

Page 191: ...the VLAN 1 to 32 characters Status Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets Port Port identifier Membership Type Select VLA...

Page 192: ...tic Membership by Port menu to assign VLAN groups to the selected interface as a tagged member Command Attributes Interface Port or trunk identifier Member VLANs for which the selected interface is a...

Page 193: ...d the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 81 VLAN Static Membership by Port CLI This example...

Page 194: ...luding tagged or untagged frames or only tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress...

Page 195: ...p Range 500 18000 centiseconds Default 1000 Mode Indicates VLAN membership mode for an interface Default Hybrid 1Q Trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link betw...

Page 196: ...red Note that private VLANs and normal VLANs can exist simultaneously within the same switch To configure primary secondary associated groups follow these steps 1 Use the Private VLAN Configuration me...

Page 197: ...the selected VLAN ID is associated A primary VLAN displays its own ID a community VLAN displays the associated primary VLAN and an isolated VLAN displays the stand alone VLAN Ports List The list of p...

Page 198: ...vate VLAN Configuration Enter the VLAN ID number select Primary Isolated or Community type then click Add To remove a private VLAN from the switch highlight an entry in the Current list box and then c...

Page 199: ...is a community port and can only communicate with other ports in its own community VLAN and with the designated promiscuous port s Or the port is an isolated port that can only communicate with the l...

Page 200: ...rt Trunk The switch interface PVLAN Port Type Sets the private VLAN port types Normal The port is not assigned to a private VLAN Host The port is a community port or an isolated port A community port...

Page 201: ...mmunity or isolated VLAN After all the ports have been configured click Apply Figure 3 87 Private VLAN Port Configuration CLI This example shows the switch configured with primary VLAN 5 and secondary...

Page 202: ...ty and then sorted into the appropriate priority queue at the output port Command Usage This switch provides four priority queues for each port It uses Weighted Round Robin to prevent head of queue bl...

Page 203: ...tchport priority default 5 4 199 Console config if end Console show interfaces switchport ethernet 1 3 4 140 Information of Eth 1 3 Broadcast threshold Disabled LACP status Disabled Ingress rate limit...

Page 204: ...he following table However you can map the priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Priority CoS value Range 0...

Page 205: ...ic values for CoS priorities is implemented as an interface configuration command but any changes will apply to all interfaces on the switch Console config interface ethernet 1 1 4 131 Console con...

Page 206: ...e This prevents the head of line blocking that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4...

Page 207: ...sequently affects the response time for software applications assigned a specific priority value Command Attributes WRR Setting Table Displays a list of weights for each traffic class i e queue Weig...

Page 208: ...t queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and DSCP Priority cannot both be en...

Page 209: ...ation types ToS bits are defined in the following table Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected IP Pr...

Page 210: ...ToS enabled devices will not conflict with the DSCP mapping Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP default values are defined in...

Page 211: ...P Priority Values CLI The following example globally enables DSCP Priority service on the switch maps DSCP value 0 to CoS value 1 on port 1 and then displays the DSCP Priority settings Note Mapping sp...

Page 212: ...priority IP Port Priority Table Shows the IP port to CoS map IP Port Number TCP UDP Set a new IP port number Class of Service Value Sets a CoS value for a new IP port Note that 0 represents low priori...

Page 213: ...only used to map the matching packet to an output queue it is not written to the packet itself For information on mapping the CoS values to output queues see page 3 160 Command Attributes Port Port i...

Page 214: ...service to the network and any hosts that want to receive the multicast register with their local multicast switch router Although this approach reduces the network overhead required by a multicast s...

Page 215: ...witch Static IGMP Host Interface For multicast applications that you need to control more carefully you can manually assign a multicast service to specific interfaces on the switch page 3 177 Configur...

Page 216: ...Default 125 IGMP Report Delay Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its...

Page 217: ...hed network Command Attributes VLAN ID ID of configured VLAN 1 4093 Immediate Leave Enable or disable IGMP immediate leave for the selected VLAN Web Click IGMP Snooping IGMP Immediate Leave Figure 3 9...

Page 218: ...st router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4094 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically ass...

Page 219: ...or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web...

Page 220: ...vice Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are...

Page 221: ...to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects t...

Page 222: ...d as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum nu...

Page 223: ...file number you can then configure the multicast groups to filter and set the access mode Command Usage Each profile has only one access mode either permit or deny When the access mode is set to permi...

Page 224: ...P address Specify a single multicast group by entering the same IP address for the start and end of the range Click the Add button to add a range to the current list Current Multicast Address Range Li...

Page 225: ...to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Command Attributes Profile...

Page 226: ...ber and action The current IGMP filtering and throttling settings for the interface are then displayed Console config interface ethernet 1 1 Console config if ip igmp filter 19 4 224 Console config if...

Page 227: ...nto other VLANs to which the subscribers belong Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exch...

Page 228: ...ignated source ports and to all receiver ports that have registered to receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in t...

Page 229: ...ACTIVE only if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Shows if immediate leave i...

Page 230: ...vided through the MVR VLAN Web Click MVR Group IP Information Figure 3 109 MVR Group IP Information CLI The following example shows information about the interfaces associated with multicast groups a...

Page 231: ...dentified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if...

Page 232: ...uration menu see Configuring Global MVR Settings on page 15 10 The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved...

Page 233: ...gnates this switch as a DNS server the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch and waiting for a response You can manually configure entries...

Page 234: ...ntil a response is received or the end of the list is reached with no response Note that if all name servers are deleted DNS will automatically be disabled Command Attributes Domain Lookup Status Enab...

Page 235: ...and a domain list However remember that if a domain list is specified the default domain name is not used Console config ip domain name sample com 4 234 Console config ip domain list sample com uk 4...

Page 236: ...an one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection wi...

Page 237: ...efore unreliable Type This field includes CNAME which specifies the canonical or primary name for the owner and ALIAS which specifies multiple domain names which are mapped to the same IP address as a...

Page 238: ...e managed through only using a Telnet connection to the Commander From the Commander CLI prompt use the rcommand command see page 4 252 to connect to the Member switch Cluster Configuration To create...

Page 239: ...tches in the cluster Number of Candidates The current number of Candidate switches discovered in the network that are available to become Members Web Click Cluster Configuration Figure 3 115 Cluster C...

Page 240: ...nformation Command Attributes Member ID The ID number of the Member switch Range 1 36 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned...

Page 241: ...Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 118 Cluster Candidate Information CLI This example shows information about cluster C...

Page 242: ...Configuring the Switch 3 198 3...

Page 243: ...Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal access mode i e Normal Exec 2 Enter the necessary commands to complete your desired tas...

Page 244: ...e device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty n prompt for the administrator to show that you are using privileged access mode i e Pr...

Page 245: ...ow startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username ad...

Page 246: ...information log Login records logging Login setting mac MAC access lists mac address table Configuration of the address table management Management IP filter map Maps priority mvr CLI_MSG_PRIVILEGE_E...

Page 247: ...tains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or f...

Page 248: ...from within Normal Exec mode by entering the enable command followed by the privileged level password super page 4 28 To enter Privileged Exec mode enter the following user names and passwords Table...

Page 249: ...ups To enter the Global Configuration mode enter the command configure in Privileged Exec mode The system prompt will change to Console config which gives you access privilege to all Global Configurat...

Page 250: ...line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one...

Page 251: ...port for analysis without affecting the data passing through or the performance of the monitored port 4 142 Rate Limiting Controls the maximum rate for traffic transmitted or received on a port 4 144...

Page 252: ...es is indicated by these abbreviations NE Normal Exec IC Interface Configuration PE Privileged Exec LC Line Configuration GC Global Configuration VC VLAN Database Configuration ACL Access Control List...

Page 253: ...Specifies a password on a line LC 4 13 timeout login response Sets the interval that the system waits for a user to log into the CLI LC 4 14 exec timeout Sets the interval that the command interprete...

Page 254: ...There are three authentication modes provided by the switch itself at login login selects authentication by a single global password as specified by the password line configuration command When using...

Page 255: ...em prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before...

Page 256: ...erminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the de...

Page 257: ...se the no form to remove the threshold value Syntax password thresh threshold no password thresh threshold The number of allowed password attempts Range 1 120 0 no threshold Default Setting The defaul...

Page 258: ...ole response Range 0 65535 0 no silent time Default Setting The default value is no silent time Command Mode Line Configuration Example To set the silent time to 60 seconds enter this command Related...

Page 259: ...rity 4 17 parity This command defines the generation of a parity bit Use the no form to restore the default setting Syntax parity none even odd no parity none No parity even Even parity odd Odd parity...

Page 260: ...the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported Example To spe...

Page 261: ...0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection Example Related Commands show ssh 4 42 show users 4 67 show...

Page 262: ...Disabled Login timeout Disabled Silent time Disabled Baudrate 9600 Databits 8 Parity none Stopbits 1 VTY configuration Password threshold 3 times Interactive timeout 600 sec Login timeout 300 sec con...

Page 263: ...enable password 4 28 disable This command returns to Normal Exec mode from privileged mode In normal access mode you can only display basic information on the switch s configuration or Ethernet stati...

Page 264: ...None Command Mode Privileged Exec Example Related Commands end 4 23 show history This command shows the contents of the command history buffer Default Setting None Command Mode Normal Exec Privileged...

Page 265: ...etain all configuration information stored in non volatile memory by the copy running config startup config command Default Setting None Command Mode Privileged Exec Command Usage This command resets...

Page 266: ...tion mode and then quit the CLI session quit This command exits the configuration program Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can bot...

Page 267: ...the basic user names and passwords for management access 4 26 IP Filter Configures IP addresses that are allowed management access 4 29 Web Server Enables management access via a web browser 4 31 Tel...

Page 268: ...t access are listed in this section This switch also includes other options for password checking via the console or a Telnet connection page 4 11 user authentication via a remote authentication serve...

Page 269: ...password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default access level is Normal Exec The fact...

Page 270: ...8 characters plain text 32 encrypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You cannot set a null password...

Page 271: ...address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectiv...

Page 272: ...p client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management all client 192 168 1 19 Console config...

Page 273: ...This command allows this device to be monitored or configured from a browser Use the no form to disable this function Syntax no ip http server Default Setting Enabled Command Mode Global Configuration...

Page 274: ...e client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and server generate session ke...

Page 275: ...secure port port_number The UDP port used for HTTPS SSL Range 1 65535 Default Setting 443 Command Mode Global Configuration Command Usage You cannot configure the HTTP and HTTPS servers to use the sa...

Page 276: ...Commands ip telnet server 4 34 ip telnet server This command allows this device to be monitored or configured from Telnet Use the no form to disable this function Syntax no ip telnet server Default S...

Page 277: ...that you also need to install a SSH client on the management station when using this protocol to configure the switch Note The switch supports both SSH Version 1 5 and 2 0 Table 4 15 SSH Commands Com...

Page 278: ...29781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 51941746772984865468615717739390164779355942303577413098022737087794545 24083971752646358058...

Page 279: ...ey must still be given to the client either during initial connection or manually entered into the known host file However you do not need to configure the client s keys ip ssh server This command ena...

Page 280: ...egotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Related Commands exec timeout 4 14 show ip ssh 4...

Page 281: ...and Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example delete public key This command deletes th...

Page 282: ...programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The SS...

Page 283: ...save host key 4 41 no ip ssh server 4 37 ip ssh save host key This command saves host key from RAM to flash memory Syntax ip ssh save host key dsa rsa dsa DSA key type rsa RSA key type Default Settin...

Page 284: ...entication Started Session Started Username The user name of the client Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES...

Page 285: ...ing is the encoded modulus Example Console show public key host Host RSA 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 544358361651999923329781766065830958610825913...

Page 286: ...ory 4 45 clear logging 4 47 Table 4 17 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 44 logging history Limits syslog messages saved to switch me...

Page 287: ...Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 18 Logging Levels Leve...

Page 288: ...s the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog...

Page 289: ...ng Enabled Level 6 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command...

Page 290: ...n Default Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 the message le...

Page 291: ...show logging trap Syslog logging Enable REMOTELOG status disable REMOTELOG facility type local use 7 REMOTELOG level type Debugging messages REMOTELOG server IP address 1 2 3 4 REMOTELOG server IP add...

Page 292: ...01 STA root change notification level 6 module 6 function 1 and event no 1 3 00 00 54 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 2 00 00 50 2001 01 01 STA topol...

Page 293: ...he process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example logging sendmail level This command sets the severity threshold used to trigger a...

Page 294: ...the switch Example This example will set the source email john acme com logging sendmail destination email This command specifies the email recipients of alert messages Use the no form to remove a rec...

Page 295: ...nfiguration Example show logging sendmail This command displays the settings for the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console config logging sendmail Console config...

Page 296: ...ient time requests to time servers specified via the sntp servers command It issues time synchronization requests based on the interval set via the sntp poll command Table 4 22 Time Commands Command F...

Page 297: ...e servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchro...

Page 298: ...tp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec...

Page 299: ...tup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the ntp servers command It issues time synchronization requests based on the interval set via the nt...

Page 300: ...optional If enabled with the ntp authenticate command you must also configure at least one key number using the ntp authentication key command Use the no form of this command without an argument to cl...

Page 301: ...ally distributed to NTP servers and clients The key numbers and key values must match on both the server and client Example Related Commands ntp authentication key 4 59 ntp authentication key This com...

Page 302: ...ion is optional When enabled with the ntp authenticate command you must also configure at least one key number using this command Use the no form of this command without an argument to clear all authe...

Page 303: ...To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Console show ntp Current time Jan 1 02 5...

Page 304: ...Minute Range 0 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Defau...

Page 305: ...the following information SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface IP address configured for the switch...

Page 306: ...guest access level 0 username guest password 0 guest enable password level 15 0 super snmp server community public ro snmp server community private rw logging history ram 6 logging history flash 3 vla...

Page 307: ...le memory This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the...

Page 308: ...15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783e...

Page 309: ...and IP address of Telnet client Default Setting None Command Mode Normal Exec Privileged Exec Console show system System description Layer2 Fast Ethernet Standalone Switch ES3526XA System OID string...

Page 310: ...Exec Command Usage See Displaying Switch Hardware Software Versions on page 3 11 for detailed information on the items displayed by this command Console show users Username accounts Username Privileg...

Page 311: ...oth the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nod...

Page 312: ...copy file file running config startup config tftp copy running config file startup config tftp copy startup config file running config tftp copy tftp file running config startup config https certifica...

Page 313: ...efault_Config cfg as the source to copy from the factory default configuration file but you cannot use it as the destination To replace the startup configuration you must use startup config as the des...

Page 314: ...file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup c...

Page 315: ...fg configuration file from flash memory Related Commands dir 4 73 delete public key 4 39 dir This command displays a list of files in flash memory Syntax dir boot rom config opcode filename The type o...

Page 316: ...mn Heading Description file name The name of the file file type File types Boot Rom Operation Code and Config file startup Shows if this file is used when the system is started size The length of the...

Page 317: ...config Configuration file opcode Run time operation code filename Name of the configuration file or code image The colon is required Default Setting None Command Mode Global Configuration Command Usag...

Page 318: ...ers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet Tabl...

Page 319: ...age 4 20 Use the no form to restore the default Syntax authentication enable local radius tacacs no authentication enable local Use local password only radius Use RADIUS server password only tacacs Us...

Page 320: ...rver index host host_ip_address host_alias auth port auth_port timeout timeout retransmit retransmit key key index Allows you to specify up to five servers These servers are queried in sequence until...

Page 321: ...default Syntax radius server port port_number no radius server port port_number RADIUS server UDP port used for authentication messages Range 1 65535 Default Setting 1812 Command Mode Global Configura...

Page 322: ...rver Range 1 30 Default Setting 2 Command Mode Global Configuration Example radius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use t...

Page 323: ...r group that require management access to a switch Console config radius server timeout 10 Console config Console show radius server Remote RADIUS server configuration Global settings Communication ke...

Page 324: ...er port This command specifies the TACACS server network port Use the no form to restore the default Syntax tacacs server port port_number no tacacs server port port_number TACACS server TCP port used...

Page 325: ...cters Default Setting None Command Mode Global Configuration Example show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Ex...

Page 326: ...the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number o...

Page 327: ...y re enabled using the no shutdown command Example The following example enables port security for port 5 and sets the response to a security violation to issue a trap message Related Commands shutdow...

Page 328: ...ific ports PE 4 88 dot1x re authentication Enables re authentication for all ports IC 4 89 dot1x timeout quiet period Sets the time that a switch port waits after the Max Request Count has been exceed...

Page 329: ...store the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients th...

Page 330: ...port Range 1 20 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by...

Page 331: ...tch port waits after the Max Request Count has been exceeded before attempting to acquire a new client Use the no form to reset the default Syntax dot1x timeout quiet period seconds no dot1x timeout q...

Page 332: ...tch waits during an authentication session before re transmitting an EAP packet Use the no form to reset to the default value Syntax dot1x timeout tx period seconds no dot1x timeout tx period seconds...

Page 333: ...splays the port access control parameters for each interface including the following items reauth enabled Periodic re authentication page 4 89 reauth period Time after which a connected client must be...

Page 334: ...necting authenticating authenticated aborting held force_authorized force_unauthorized Reauth Count Number of times connecting state is re entered Backend State Machine State Current state including r...

Page 335: ...s disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status Authori...

Page 336: ...terface Configuration Table 4 33 Network Access Command Function Mode Page network access mode Enables MAC authentication on an interface IC 4 94 network access max mac count Sets a maximum for authen...

Page 337: ...ing time expires The maximum number of secure MAC addresses supported for the switch system is 1024 Configured static MAC addresses are added to the secure address table when seen on a switch port Sta...

Page 338: ...ddress filters Syntax no network access mac filter filter id mac address filter id The number that identifies the filter Range 1 64 mac address A MAC address to be excluded from authentication Must be...

Page 339: ...e Command Mode Interface Configuration Command Usage MAC address filters must first be created using the network access mac filter command Only one filter can be applied to a port Example The followin...

Page 340: ...ess table Example The following example enables dynamic VLAN assignment on port 1 mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re...

Page 341: ...face Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 26 52 Default Setting None Command Mode Privileged Exec Example show network access Use this command to...

Page 342: ...address mask interface interface sort address interface static Specifies static address entries dynamic Specifies dynamic address entries mac address Specifies a MAC address entry Format xx xx xx xx x...

Page 343: ...are For example a MAC of 00 00 01 02 03 04 and mask FF FF FF 00 00 00 would result in all MACs in the range 00 00 01 00 00 00 to 00 00 01 FF FF FF to be displayed All other MACs would be filtered out...

Page 344: ...EXT ACL filters packets based on source or destination IP address as well as protocol type and protocol port number If the TCP protocol is specified then you can also filter packets based on the TCP c...

Page 345: ...C ACLs Configures ACLs based on hardware addresses packet format and Ethernet type 4 110 ACL Information Displays ACLs and associated rules shows ACLs assigned to each port 4 115 Table 4 35 IP ACLs Co...

Page 346: ...ng from the specified source Use the no form to remove a rule Syntax no permit deny any source bitmask host source any Any source IP address source Source IP address bitmask Decimal number representin...

Page 347: ...host destination precedence precedence tos tos dscp dscp source port sport end destination port dport end control flag control flags flag bitmask protocol number A specific protocol number Range 0 25...

Page 348: ...quivalent binary bit 1 means to match a bit and 0 means to ignore a bit The following bits may be specified 1 fin Finish 2 syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent p...

Page 349: ...s Command Mode Privileged Exec Example Related Commands permit deny 4 104 ip access group 4 107 ip access group This command binds a port to an IP ACL Use the no form to remove the port Syntax no ip a...

Page 350: ...ands ip access group 4 107 map access list ip This command sets the output queue for packets matching an ACL rule The specified CoS value is only used to map the matching packet to an output queue it...

Page 351: ...he CoS value mapped to an IP ACL for the current interface The CoS value determines the output queue for packets matching an ACL rule Syntax show map access list ip interface interface ethernet unit p...

Page 352: ...owed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Table 4 37 MAC ACLs Command Function Mode Page access list mac Creates a MAC ACL and enters configurati...

Page 353: ...source or destination address host A specific MAC address source Source MAC address destination Destination MAC address range with bitmask address bitmask Bitmask for MAC address in hexadecimal form...

Page 354: ...Privileged Exec Example Related Commands permit deny 4 111 mac access group 4 112 mac access group This command binds a port to a MAC ACL Use the no form to remove the port Syntax mac access group acl...

Page 355: ...st mac This command sets the output queue for packets matching an ACL rule The specified CoS value is only used to map the matching packet to an output queue it is not written to the packet itself Use...

Page 356: ...MAC ACL for the current interface The CoS value determines the output queue for packets matching an ACL rule Syntax show map access list mac interface interface ethernet unit port unit This is unit 1...

Page 357: ...ow all ACLs and associated rules PE 4 115 show access group Shows the ACLs assigned to each port PE 4 115 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 16...

Page 358: ...s Command Function Mode Page snmp server Enables the SNMP agent GC 4 117 show snmp Displays the status of SNMP communications NE PE 4 117 snmp server community Sets up the community access string to p...

Page 359: ...nfiguration Example show snmp This command can be used to check the status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides info...

Page 360: ...nt stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects Console show snmp SNMP Agent e...

Page 361: ...at describes the system contact information Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Related Commands snmp server location 4 119 snmp server locatio...

Page 362: ...0 255 Default 3 seconds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like...

Page 363: ...re that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to networ...

Page 364: ...thentication Keyword to issue authentication failure notifications link up down Keyword to issue link up or link down notifications Default Setting Issue authentication and link up down traps Command...

Page 365: ...ge An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device This engine protects against message replay delay and redirection The engine ID is also used in...

Page 366: ...p server engine id local 12345 Console config snmp server engineID remote 54321 192 168 1 19 Console config Console show snmp engine id Local SNMP engineID 8000002a8000000000e8666672 Local SNMP engine...

Page 367: ...access to the entire MIB tree Command Mode Global Configuration Command Usage Views are used in the snmp server group command to restrict user access to specified portions of the MIB tree The predefin...

Page 368: ...Simple Network Management Protocol on page 3 38 for further information about these authentication and encryption options readview Defines the view for read access 1 64 characters writeview Defines t...

Page 369: ...fication Messages on page 3 50 Also note that the authentication link up and link down messages are legacy traps and must therefore be enabled in conjunction with the snmp server enable traps command...

Page 370: ...s Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write V...

Page 371: ...th the snmp server engine id command before using this configuration command Before you configure a remote user use the snmp server engine id command page 4 123 to specify the engine ID for the remote...

Page 372: ...Name mark Authentication Protocol mdt Privacy Protocol des56 Storage Type nonvolatile Row Status active Console Table 4 44 show snmp user display description Field Description EngineId String identif...

Page 373: ...Adds a description to an interface configuration IC 4 132 speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC 4 132 negotiation Enables aut...

Page 374: ...he following example adds a description to port 24 speed duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled Use the no form to restore the d...

Page 375: ...egotiation the required mode must be specified in the capabilities list for an interface Example The following example configures port 5 to 100 Mbps half duplex operation Related Commands negotiation...

Page 376: ...full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control symmetric Gigabit only When specified the port transmits and receives pause...

Page 377: ...2 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When...

Page 378: ...mmand Mode Interface Configuration Ethernet Port Channel Command Usage This command allows you to disable a port due to abnormal behavior e g excessive collisions and then reenable it after the proble...

Page 379: ...ceeds the specified threshold packets above that threshold are dropped This command can enable or disable broadcast storm control for the selected interface However the specified threshold value appli...

Page 380: ...e clears statistics on port 5 show interfaces status This command displays the status for an interface Syntax show interfaces status interface interface ethernet unit port unit This is unit 1 port Por...

Page 381: ...s displayed by this command see Showing Port Statistics on page 3 109 Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic information Port type 100TX Mac address 00 00 AB CD 00 01...

Page 382: ...0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment...

Page 383: ...ess rate limit Shows if rate limiting is enabled and the current rate limit page 4 144 VLAN membership mode Indicates membership mode as Trunk or Hybrid page 4 182 Ingress rule Shows if ingress filter...

Page 384: ...traffic from any source port to a destination port for real time analysis You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in...

Page 385: ...nd Mode Privileged Exec Command Usage This command displays the currently configured source port destination port and mirror mode i e RX TX Example The following shows mirroring configured from port 6...

Page 386: ...e limit for an interface Granularity is a global setting that applies to Fast Ethernet or Gigabit Ethernet interfaces rate limit Use this command to define the rate limit level for a specific interfac...

Page 387: ...y one granularity option is supported 33 3 Mbps Default Setting Fast Ethernet interface 3 3 Mbps Gigabit Ethernet interface 33 3 Mbps Command Mode Global Configuration Ethernet Port Channel Command Us...

Page 388: ...rt an aggregate bandwidth of 4 Gbps when operating at full duplex Console show rate limit Fast ethernet granularity 1000 Gigabit ethernet granularity 33300 Console Table 4 49 Link Aggregation Commands...

Page 389: ...fied port channel Dynamically Creating a Port Channel Ports assigned to a common port channel must meet the following criteria Ports must have the same LACP system priority Ports must have the same po...

Page 390: ...e Configuration Ethernet Command Usage The ports on both ends of an LACP trunk must be configured for full duplex either by forced mode or auto negotiation A trunk formed with another switch using LAC...

Page 391: ...ership and to identify this device to other switches during LAG negotiations Range 0 65535 Default Setting 32768 Console config interface ethernet 1 11 Console config if lacp Console config if exit Co...

Page 392: ...ey Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate...

Page 393: ...during local LACP setup on this switch Range 0 65535 Default Setting 0 Command Mode Interface Configuration Port Channel Command Usage Ports are only allowed to join the same LAG if 1 the LACP system...

Page 394: ...h the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP set...

Page 395: ...s Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by th...

Page 396: ...ate Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this l...

Page 397: ...signed by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partn...

Page 398: ...up configured on this switch System Priority LACP system priority for this channel group System MAC Address System MAC address The LACP system priority and system MAC address are concatenated to form...

Page 399: ...ault mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static add...

Page 400: ...ace ethernet unit port unit This is unit 1 port Port number Range 1 26 52 port channel channel id Range 1 4 vlan id VLAN ID Range 1 4094 sort Sort by address vlan or interface Default Setting None Com...

Page 401: ...seconds Aging time Range 10 30000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwardi...

Page 402: ...ng tree instance MST 4 168 name Configures the name for the multiple spanning tree MST 4 168 revision Configures the revision number for the multiple spanning tree MST 4 169 max hops Configures the ma...

Page 403: ...hat only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down Example This example shows how to enable the Span...

Page 404: ...y timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same...

Page 405: ...xample spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hello time time no span...

Page 406: ...r designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the atta...

Page 407: ...ng short no spanning tree pathcost method long Specifies 32 bit based values that range from 1 200 000 000 This method is based on the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit b...

Page 408: ...bal Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mod...

Page 409: ...balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all V...

Page 410: ...the root bridge and alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priorit...

Page 411: ...of the spanning tree Range 0 65535 Default Setting 0 Command Mode MST Configuration Command Usage The MST region name page 4 168 and revision number are used to designate a unique MST region A bridge...

Page 412: ...ables the spanning tree algorithm for the specified interface Use the no form to reenable the spanning tree algorithm for the specified interface Syntax no spanning tree spanning disabled Default Sett...

Page 413: ...0 Command Mode Interface Configuration Ethernet Port Channel Command Usage This command is used by the Spanning Tree Algorithm to determine the best path between devices Therefore lower values should...

Page 414: ...AN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Port...

Page 415: ...rvers and also overcome other STA related timeout problems Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end n...

Page 416: ...to restore the default Syntax spanning tree mst instance_id cost cost no spanning tree mst instance_id cost instance_id Instance identifier of the spanning tree Range 0 4094 no leading zeroes cost Pat...

Page 417: ...he Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree mst instance_id port priority priority no spanning tree mst instance_id port priority instance_id Instance identif...

Page 418: ...automatically set the selected interface to forced STP compatible mode However you can also use the spanning tree protocol migration command at any time to manually re check the appropriate BPDU forma...

Page 419: ...iguration for an instance within the Multiple Spanning Tree MST For a description of the items displayed under Spanning tree information see Configuring Global Settings on page 3 123 For a description...

Page 420: ...al oper path cost 10000 Internal oper path cost 10000 Priority 128 Designated cost 200000 Designated port 128 24 Designated root 32768 0 0000ABCD0000 Designated bridge 32768 0 0030F1552000 Fast forwar...

Page 421: ...mand Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the running configuration file and you can...

Page 422: ...AN state active VLAN is operational suspend VLAN is suspended Suspended VLANs do not pass packets Default Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration C...

Page 423: ...erface configuration mode for a specified VLAN IC 4 181 switchport mode Configures VLAN membership mode for an interface IC 4 182 switchport acceptable frame types Configures frame types to be accepte...

Page 424: ...tion of this command see switchport mode private vlan on page 4 191 Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Configuration Ethernet Port Channel...

Page 425: ...d Command Mode Interface Configuration Ethernet Port Channel Command Usage Ingress filtering only affects tagged frames If ingress filtering is disabled and a port receives frames tagged for VLANs for...

Page 426: ...face is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs an interface must first be configured...

Page 427: ...witchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when addi...

Page 428: ...n Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interf...

Page 429: ...ll VLANs Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Console show vlan id 1 Vlan ID 1 Type Static Name DefaultVlan Status Active...

Page 430: ...LAN One or more isolated VLANs can also be configured Note that private VLANs and normal VLANs can exist simultaneously within the same switch This section describes commands used to configure private...

Page 431: ...to an isolated VLAN 4 Use the show vlan private vlan command to verify your configuration settings private vlan Use this command to create a primary community or isolated private VLAN Use the no form...

Page 432: ...id association secondary vlan id add secondary vlan id remove secondary vlan id no private vlan primary vlan id association primary vlan id ID of primary VLAN Range 1 4094 no leading zeroes secondary...

Page 433: ...primary VLAN use the switchport private vlan mapping command To assign a host port to a community VLAN use the private vlan host association command To assign a promiscuous port or host port to an iso...

Page 434: ...signment Syntax switchport private vlan isolated isolated vlan id no switchport private vlan isolated isolated vlan id ID of isolated VLAN Range 1 4094 Default Setting None Command Mode Interface Conf...

Page 435: ...ers within any associated secondary VLANs Example show vlan private vlan Use this command to show the private VLAN configuration settings on this switch Syntax show vlan private vlan community isolate...

Page 436: ...r to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch Console show vlan...

Page 437: ...les GVRP for a port Use the no form to disable it Syntax no switchport gvrp Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console config bridge ext gvrp C...

Page 438: ...mand sets the values for the join leave and leaveall timers Use the no form to restore the timers default values Syntax garp timer join leave leaveall timer_value no garp timer join leave leaveall joi...

Page 439: ...leave Note Set GVRP timers on all Layer 2 devices connected in the same network to the same values Otherwise GVRP may not operate successfully Example Related Commands show garp timer 4 197 show garp...

Page 440: ...ty for untagged frames sets queue weights and maps class of service tags to hardware queues 4 198 Priority Layer 3 and 4 Maps TCP ports IP precedence tags or IP DSCP tags to class of service values 4...

Page 441: ...n a higher priority queue to be processed before lower priority queues are serviced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relativ...

Page 442: ...default ingress user priority and then placed in the appropriate priority queue at the output port The default priority for all ingress ports is zero Therefore any inbound frames that do not have prio...

Page 443: ...iority queue Ranges are 0 to 3 where 3 is the highest priority queue cos1 cosn The CoS values that are mapped to the queue ID It is a space separated list of numbers The CoS value is a number from 0 t...

Page 444: ...current queue mode Default Setting None Command Mode Privileged Exec Example show queue bandwidth This command displays the weighted round robin WRR bandwidth allocation for the four priority queues D...

Page 445: ...ernet unit port unit This is unit 1 port Port number Range 1 26 52 port channel channel id Range 1 4 Default Setting None Command Mode Privileged Exec Example Console show queue bandwidth Queue ID Wei...

Page 446: ...C 4 205 map ip precedence Enables IP precedence class of service mapping GC 4 204 map ip precedence Maps IP precedence value to a class of service IC 4 206 map ip dscp Enables IP DSCP class of service...

Page 447: ...priority This command sets the IP port priority for all interfaces Example The following example shows how to map HTTP traffic to CoS value 0 map ip precedence Global Configuration This command enable...

Page 448: ...on Ethernet Port Channel Command Usage The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority IP Precedence values are mapped to default Class of Servi...

Page 449: ...itchport priority IP Precedence and IP DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type Example The following example shows how to enable IP D...

Page 450: ...EEE 802 1p standard and then subsequently mapped to the four hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP v...

Page 451: ...ip port Interface Configuration 4 205 show map ip precedence This command shows the IP precedence priority map Syntax show map ip precedence interface interface ethernet unit port unit This is unit 1...

Page 452: ...p Syntax show map ip dscp interface interface ethernet unit port unit This is unit 1 port Port number Range 1 26 52 port channel channel id Range 1 4 Default Setting None Command Mode Privileged Exec...

Page 453: ...h 1 1 63 0 Console Table 4 68 Multicast Filtering Commands Command Groups Function Page IGMP Snooping Configures multicast groups via IGMP snooping or static assignment sets the IGMP version displays...

Page 454: ...lan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit This is unit 1 port Port number Range 1 26 52 port channel channel id Range 1 4 Default Setting...

Page 455: ...et must support the same version If there are legacy devices in your network that only support Version 1 you will also have to configure this switch to use Version 1 Some commands are only enabled for...

Page 456: ...t Example show ip igmp snooping This command shows the IGMP snooping configuration Default Setting None Command Mode Privileged Exec Command Usage See Configuring IGMP Snooping and Query Parameters on...

Page 457: ...lay only entries learned through IGMP snooping Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER depending on selected options Example The fol...

Page 458: ...p igmp snooping query count count no ip igmp snooping query count count The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from t...

Page 459: ...have left the multicast group Example The following shows how to configure the query count to 10 Related Commands ip igmp snooping query max response time 4 218 ip igmp snooping query interval This co...

Page 460: ...ponded a countdown timer is started using an initial value set by this command If the countdown finishes and the client still has not responded then that client is considered to have left the multicas...

Page 461: ...se the no form to remove the configuration Syntax no ip igmp snooping vlan vlan id mrouter interface vlan id VLAN ID Range 1 4094 interface ethernet unit port unit This is unit 1 port Port number Rang...

Page 462: ...how ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports Syntax show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID...

Page 463: ...nly one profile can be assigned to a port When enabled IGMP join reports received on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is...

Page 464: ...An IGMP filter profile number Range 1 4294967295 Default Setting Disabled Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denie...

Page 465: ...or start of a group range high ip address A valid IP address for the end of a multicast group range Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multip...

Page 466: ...max groups number The maximum number of multicast groups an interface can join at the same time Range 0 64 Default Setting 64 Command Mode Interface Configuration Command Usage IGMP throttling sets a...

Page 467: ...r replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast gr...

Page 468: ...command displays the interface settings for IGMP throttling Syntax show ip igmp throttle interface interface interface ethernet unit port unit This is unit 1 port Port number Range 1 26 52 Console sho...

Page 469: ...lticast VLAN Also note that MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong Console s...

Page 470: ...VR group address is defined The default number of contiguous addresses is 0 MVR VLAN ID is 1 Command Mode Global Configuration Command Usage Use the mvr group command to statically configure all multi...

Page 471: ...Configuration Ethernet Port Channel Command Usage A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for...

Page 472: ...assigns a multicast group to another receiver port show mvr This command shows information about the global MVR configuration settings when entered without any keywords the interfaces attached to the...

Page 473: ...lan Shows the VLAN used to transport all MVR multicast traffic MVR Max Multicast Groups Shows the maximum number of multicast groups which can be assigned to the MVR VLAN MVR Current multicast groups Sho...

Page 474: ...able 4 76 show mvr members display description Field Description MVR Group IP Multicast groups assigned to the MVR VLAN Status Shows whether or not there are active subscribers for this multicast...

Page 475: ...one IP address is associated with a host name using this command a DNS client can try each address in succession until it establishes a connection with the target device Example This example maps two...

Page 476: ...e the current domain name Syntax ip domain name name no ip domain name name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 64 characters Defa...

Page 477: ...n incomplete host name is received by the DNS service on this switch it will work through the domain list appending each domain name in the list to the host name and checking with the specified name s...

Page 478: ...e The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response Example This example adds two domain name servers to the...

Page 479: ...e server 4 236 show hosts This command displays the static host name to address mapping table Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped t...

Page 480: ...E 66 218 71 81 298 www yahoo akadns net 5 4 CNAME 66 218 71 80 298 www yahoo akadns net 6 4 CNAME 66 218 71 89 298 www yahoo akadns net 7 4 CNAME 66 218 71 86 298 www yahoo akadns net 8 4 ALIAS POINTE...

Page 481: ...e Service Commands 4 239 4 clear dns cache This command clears all entries in the DNS cache Command Mode Privileged Exec Example Console clear dns cache Console show dns cache NO FLAG TYPE IP TTL DOMA...

Page 482: ...ation when assigning IP addresses or to set other services or policies for clients When the DHCP relay Option 82 is enabled clients can be identified by the VLAN and switch port to which they are conn...

Page 483: ...switch receives DHCP packets from clients that already include DHCP Option 82 information the switch can be configured to set the action policy for these packets Either the switch can discard the Opt...

Page 484: ...ire VLAN Example show ip dhcp relay This command shows the current DHCP relay agent configuration Default Setting None Command Mode Privileged Exec Example Console config ip dhcp relay server 192 168...

Page 485: ...specific subnets bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Table 4 80 IP Interface Commands Command Function...

Page 486: ...witch Note Only one VLAN interface can be assigned an IP address the default is VLAN 1 This defines the management VLAN the only VLAN through which you can gain management access to the switch If you...

Page 487: ...le If the BOOTP or DHCP server has been moved to a different domain the network portion of the address provided to the client will be based on this new domain Example In the following example the devi...

Page 488: ...f bytes in a packet Range 32 512 default 32 The actual packet size will be eight bytes larger than the size specified because the switch adds header information count Number of packets to send Range 1...

Page 489: ...r host unreachable The gateway found no corresponding entry in the route table Press Esc to stop pinging Example Related Commands interface 4 131 Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0...

Page 490: ...et the switch as a Cluster Commander Set a Cluster IP Pool that does not conflict with any other IP subnets in the network Cluster IP addresses are assigned to switches when they become Members and ar...

Page 491: ...by the administrator through the management station Cluster Member switches can be managed only through a Telnet connection to the Commander From the Commander CLI prompt use the rcommand id com...

Page 492: ...be disabled Example cluster member This command configures a Candidate switch as a cluster Member Use the no form to remove a Member switch from the cluster Syntax cluster member mac address mac addr...

Page 493: ...ing configuration Command Mode Privileged Exec Example show cluster members This command shows the current switch cluster members Command Mode Privileged Exec Example Vty 0 rcommand id 1 CLI session w...

Page 494: ...overed Candidate switches in the network Command Mode Privileged Exec Example Console show cluster candidates Cluster Candidates Role Mac Description ACTIVE MEMBER 00 12 cf 23 49 c0 24 48 L2 L4 IPV4 I...

Page 495: ...roring One source port one destination port Rate Limits Input Limit Output limit Range configured per port Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Cont...

Page 496: ...ccess via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1D Spanning Tree Protocol and traffic priorities IEEE 802 1p Priority ta...

Page 497: ...roup MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP Multicasting related MIBs MAU MIB RFC 2668 MIB II RFC 1213 Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Private MIB RADIUS...

Page 498: ...Software Specifications A 4 A...

Page 499: ...the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum...

Page 500: ...messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list...

Page 501: ...ces Code Point Service DSCP DSCP uses a six bit tag to provide for up to 64 different forwarding behaviors Based on network policies different kinds of traffic can be marked for different kinds of for...

Page 502: ...es or end stations comply with the IEEE 802 1p standard Group Attribute Registration Protocol GARP See Generic Attribute Registration Protocol IEEE 802 1D Specifies a general method for the operation...

Page 503: ...rectly to the network IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts IP Precedence The Type of Service ToS octet in the IPv4 header includ...

Page 504: ...within the subnet and to national time standards via wire or radio Out of Band Management Management of the network from a station not attached to the network Port Authentication See IEEE 802 1X Port...

Page 505: ...rnal clock based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcasts sent by NTP servers Spanning Tree Alg...

Page 506: ...targets UDP is useful when TCP would be too complex too slow or just unnecessary Virtual LAN VLAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of thei...

Page 507: ...4 204 queue mapping 3 160 4 201 queue mode 3 162 4 199 traffic class weights 3 163 4 200 D default gateway configuration 3 14 4 245 default priority ingress port 3 158 4 199 default settings system 1...

Page 508: ...parameters 4 152 protocol message statistics 4 152 link type STA 3 129 3 131 4 173 logging syslog traps 4 47 to syslog servers 4 46 log in Web interface 3 2 logon authentication 3 54 4 76 RADIUS clien...

Page 509: ...7 restarting the system 3 34 4 23 RSTP 3 117 4 162 global configuration 3 119 4 162 S secure shell 3 61 4 35 Secure Shell configuration 3 61 4 38 serial port configuring 4 11 Simple Network Management...

Page 510: ...ftware 3 20 4 70 user password 3 54 4 27 4 28 V VLANs 3 139 3 158 4 179 4 194 adding static members 3 147 3 148 4 185 creating 3 145 4 180 description 3 139 3 158 displaying basic information 3 142 4...

Page 512: ...ES3526XA ES3552XA E122006 CS R02D 149100005500H...