Accton Technology ES4512C Management Manual Download Page 293

Page: 293 / 426

Access Control List Commands

4-103

•

destination

– Destination MAC address range with bitmask.

•

address-bitmask*

– Bitmask for MAC address (in hexidecimal format).

• vid – VLAN ID. (Range: 1-4095)
•

vid-bitmask* –

VLAN bitmask. (Range: 1-4095)

•

protocol

– A specific Ethernet protocol number. (Range: 600-fff hex.)

•

protocol

bitmask*

– Protocol bitmask. (Range: 600-fff hex.)

* For all bitmasks, “1” means care and “0” means ignore.

Default Setting

None

Command Mode

MAC ACL

Command Usage

• New rules are added to the end of the list.
• The

ethertype

option can only be used to filter Ethernet II formatted packets.

• A detailed listing of Ethernet protocol types can be found in RFC 1060. A few

of the more common types include the following:
- 0800 - IP
- 0806 - ARP
- 8137 - IPX

Example

This rule permits packets from any source MAC address to the destination address
00-e0-29-94-34-de where the Ethernet type is 0800.

Related Commands

access-list mac (4-101)

show mac access-list

This command displays the rules for configured MAC ACLs.

Syntax

show mac access-list

[

acl_name

]

acl_name

– Name of the ACL. (Maximum length: 16 characters)

Command Mode

Privileged Exec

Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#

Summary of Contents for ES4512C

Page 1: ...www edge core com Management Guide Powered by Accton ES4512C ES4524C ES4548C 12 24 48 Port Gigabit Intelligent Switch ...

Page 2: ......

Page 3: ... 45 Ports and 4 Combination RJ 45 SFP Ports ES4524C 24 Port Gigabit Intelligent Switch Layer 2 Workgroup Switch with 24 1000BASE T RJ 45 Ports and 4 Combination RJ 45 SFP Ports ES4548C 48 Port Gigabit Intelligent Switch Layer 2 Workgroup Switch with 48 1000BASE T RJ 45 Ports and 4 Combination RJ 45 SFP Ports ...

Page 4: ...ES4512C ES4524C ES4548C E052005 R02 ...

Page 5: ...ving Configuration Settings 2 7 Managing System Files 2 8 Chapter 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 2 Home Page 3 2 Configuration Options 3 3 Panel Display 3 3 Main Menu 3 4 Basic Configuration 3 9 Displaying System Information 3 9 Displaying Switch Hardware Software Versions 3 10 Displaying Bridge Extension Capabilities 3 11 Setting th...

Page 6: ...urity 3 41 Configuring 802 1x Port Authentication 3 43 Displaying 802 1x Global Settings 3 44 Configuring 802 1x Global Settings 3 46 Configuring Port Authorization Mode 3 47 Displaying 802 1x Statistics 3 48 Filtering IP Addresses for Management Access 3 50 Access Control Lists 3 52 Configuring Access Control Lists 3 52 Setting the ACL Name and Type 3 53 Configuring a Standard IP ACL 3 53 Configu...

Page 7: ...Enabling or Disabling GVRP Global Setting 3 113 Displaying Basic VLAN Information 3 113 Displaying Current VLANs 3 114 Creating VLANs 3 115 Adding Static Members to VLANs VLAN Index 3 116 Adding Static Members to VLANs Port Index 3 118 Configuring VLAN Behavior for Interfaces 3 119 Configuring Private VLANs 3 121 Enabling Private VLANs 3 121 Configuring Uplink and Downlink Ports 3 122 Configuring ...

Page 8: ...DNS Host to Address Entries 3 148 Displaying the DNS Cache 3 150 Chapter 4 Command Line Interface 4 1 Using the Command Line Interface 4 1 Accessing the CLI 4 1 Console Connection 4 1 Telnet Connection 4 1 Entering Commands 4 3 Keywords and Arguments 4 3 Minimum Abbreviation 4 3 Command Completion 4 3 Getting Help on Commands 4 3 Showing Commands 4 4 Partial Keyword Lookup 4 5 Negating the Effect ...

Page 9: ...nt 4 29 Web Server Commands 4 30 ip http port 4 30 ip http server 4 30 ip http secure server 4 31 ip http secure port 4 32 Telnet Server Commands 4 33 ip telnet port 4 33 ip telnet server 4 33 Secure Shell Commands 4 34 ip ssh server 4 36 ip ssh timeout 4 37 ip ssh authentication retries 4 37 ip ssh server key size 4 38 delete public key 4 38 ip ssh crypto host key generate 4 39 ip ssh crypto zero...

Page 10: ... calendar set 4 55 show calendar 4 56 System Status Commands 4 57 show startup config 4 57 show running config 4 58 show system 4 60 show users 4 61 show version 4 61 Frame Size Commands 4 62 jumbo frame 4 62 Flash File Commands 4 63 copy 4 63 delete 4 65 dir 4 66 whichboot 4 67 boot system 4 67 Authentication Commands 4 68 Authentication Sequence 4 69 authentication login 4 69 authentication enab...

Page 11: ...Commands 4 86 IP ACLs 4 87 access list ip 4 88 permit deny Standard ACL 4 89 permit deny Extended ACL 4 90 show ip access list 4 92 access list ip mask precedence 4 92 mask IP ACL 4 93 show access list ip mask precedence 4 96 ip access group 4 97 show ip access group 4 97 map access list ip 4 98 show map access list ip 4 99 match access list ip 4 99 show marking 4 100 MAC ACLs 4 101 access list ma...

Page 12: ... 4 123 show dns cache 4 123 clear dns cache 4 124 Interface Commands 4 123 interface 4 123 description 4 124 speed duplex 4 124 negotiation 4 125 capabilities 4 126 flowcontrol 4 127 combo forced mode 4 128 shutdown 4 128 switchport broadcast packet rate 4 129 clear counters 4 130 show interfaces status 4 131 show interfaces counters 4 132 show interfaces switchport 4 133 Mirror Port Commands 4 13...

Page 13: ...on limit 4 157 spanning tree mst configuration 4 157 mst vlan 4 158 mst priority 4 159 name 4 159 revision 4 160 max hops 4 161 spanning tree spanning disabled 4 161 spanning tree cost 4 162 spanning tree port priority 4 162 spanning tree edge port 4 163 spanning tree portfast 4 164 spanning tree link type 4 165 spanning tree mst cost 4 165 spanning tree mst port priority 4 166 spanning tree proto...

Page 14: ...ority Commands 4 189 Priority Commands Layer 2 4 189 queue mode 4 190 switchport priority default 4 191 queue bandwidth 4 192 queue cos map 4 192 show queue mode 4 193 show queue bandwidth 4 194 show queue cos map 4 194 Priority Commands Layer 3 and 4 4 195 map ip port Global Configuration 4 195 map ip port Interface Configuration 4 196 map ip precedence Global Configuration 4 196 map ip precedenc...

Page 15: ...s 4 209 ip igmp snooping vlan mrouter 4 209 show ip igmp snooping mrouter 4 210 IP Interface Commands 4 211 ip address 4 211 ip dhcp restart 4 212 ip default gateway 4 213 show ip interface 4 213 show ip redirects 4 214 ping 4 214 Appendix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Troubleshooting B 1 Proble...

Page 16: ...Contents xii ...

Page 17: ...ble 4 3 Keystroke Commands 4 9 Table 4 4 Command Group Index 4 10 Table 4 5 Line Commands 4 11 Table 4 6 General Commands 4 20 Table 4 7 System Management Commands 4 24 Table 4 8 Device Designation Commands 4 25 Table 4 9 User Access Commands 4 26 Table 4 10 Default Login Settings 4 26 Table 4 11 IP Filter Commands 4 28 Table 4 12 Web Server Commands 4 30 Table 4 13 HTTPS System Support 4 31 Table...

Page 18: ...46 Table 4 47 show lacp internal display description 4 147 Table 4 48 show lacp neighbors display description 4 148 Table 4 49 show lacp sysid display description 4 149 Table 4 50 Address Table Commands 4 149 Table 4 51 Spanning Tree Commands 4 153 Table 4 52 VLAN Commands 4 172 Table 4 53 Editing VLAN Groups 4 173 Table 4 54 Configuring VLAN Interfaces 4 175 Table 4 55 Show VLAN Commands 4 181 Ta...

Page 19: ...3 19 Configuring SNMP Community Strings 3 29 Figure 3 20 Configuring SNMP Trap Managers 3 30 Figure 3 21 Authentication Server Settings 3 33 Figure 3 22 HTTPS Settings 3 35 Figure 3 23 SSH Host Key Settings 3 39 Figure 3 24 SSH Server Settings 3 40 Figure 3 25 Port Security 3 42 Figure 3 26 802 1x Information 3 45 Figure 3 27 802 1X Configuration 3 47 Figure 3 28 802 1x Port Configuration 3 48 Fig...

Page 20: ...able 3 114 Figure 3 64 VLAN Static List Creating VLANs 3 116 Figure 3 65 VLAN Static Table Adding Static Members 3 117 Figure 3 66 VLAN Static Membership by Port 3 118 Figure 3 67 VLAN Port Configuration 3 120 Figure 3 68 Private VLAN Status 3 121 Figure 3 69 Private VLAN Link Status 3 122 Figure 3 70 Protocol VLAN Configuration 3 123 Figure 3 71 Protocol VLAN Port Configuration 3 124 Figure 3 72 ...

Page 21: ...Figures xvii Figure 3 88 DNS General Configuration 3 147 Figure 3 89 DNS Static Host Table 3 149 Figure 3 90 DNS Cache 3 150 ...

Page 22: ...Figures xviii ...

Page 23: ...ported DNS Server Supported Port Configuration Speed duplex mode and flow control Rate Limiting Input and output rate limiting per port Port Mirroring One or more ports mirrored to single analysis port Port Trunking Supports up to 6 trunks using either static or dynamic trunking LACP Broadcast Storm Control Supported Static Address Up to 16K MAC addresses in the forwarding table IEEE 802 1D Bridge...

Page 24: ...ient s right to access the network via an authentication server Other authentication options include HTTPS for secure management access via the web SSH for secure management access over a Telnet equivalent connection IP address filtering for SNMP web Telnet management access and MAC address filtering for port access Access Control Lists ACLs provide packet filtering for IP frames based on address ...

Page 25: ...learning addresses and then filtering or forwarding traffic based on this information The address table supports up to 16K addresses Store and Forward Switching The switch copies each frame into its memory before forwarding them to another port This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check CRC This prevents bad frames...

Page 26: ...iginating VLAN Use private VLANs to restrict traffic to pass only between data ports and the uplink ports thereby isolating adjacent ports within the same VLAN and allowing you to limit the total number of VLANs that need to be configured Use protocol VLANs to restrict traffic to specified interfaces based on protocol type Traffic Prioritization This switch prioritizes each packet based on the req...

Page 27: ...none Local Console Timeout 0 disabled Authentication Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1x Port Authentication Disabled HTTPS Enabled SSH Disabled Port Security Disabled IP Filtering Disabled Web Management H...

Page 28: ...ks None LACP all ports Disabled Broadcast Storm Protection Status Enabled all ports Broadcast Limit Rate 500 packets per second Spanning Tree Protocol Status Enabled MSTP Defaults All values based on IEEE 802 1s Fast Forwarding Edge Port Disabled Address Table Aging Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode ...

Page 29: ... Disabled DNS Server Lookup Disabled Multicast Filtering IGMP Snooping Snooping Enabled Querier Enabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Disabled SNTP Clock Synchronization Disabled Table 1 2 System Defaults Function Parameter Default ...

Page 30: ...Introduction 1 8 1 ...

Page 31: ...t on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView The switch s Web interface CLI configuration program and SNMP agent allow you to perform the following management ...

Page 32: ...nal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set to any of the following baud rates 9600 19200 38400 57600 115200 Note Set to 9600 baud if want to view all the system initialization messages Set the data format to 8 data bits 1 stop bit and no parity Set flow control to none Set the emulation mode to VT100 When using HyperTerminal select Term...

Page 33: ...ss to basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of those available a...

Page 34: ...k This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If your management station is not in the same IP subnet as the switch you will also need to specify the default gateway router Dynamic The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network Manual Configuration You can manua...

Page 35: ... therefore need to use the ip dhcp restart command to start broadcasting service requests Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values can include the IP address subnet mask and default gateway If the bootp or dhcp option is saved to the startup config file step 6 then the switch will start broadcasting service requests as soon as it ...

Page 36: ...o control management access to SNMP stations as well as to authorize SNMP stations to receive trap messages from the switch You therefore need to assign community strings to specified users or user groups and set the access level The default strings are public with read only access Authorized management stations are only able to retrieve MIB objects private with read write access Authorized manage...

Page 37: ...ddress for the trap receiver and community string is the string associated with that host Press Enter 2 In order to configure the switch to send SNMP notifications you must enter at least one snmp server enable traps command Type snmp server enable traps type where type is either authentication or link up down Press Enter Saving Configuration Settings Configuration commands only modify the running...

Page 38: ...code runs the switch operations and provides the CLI and Web management interfaces See Managing Firmware on page 3 16 for more information Diagnostic Code Software that is run during system boot up also known as POST Power On Self Test Due to the size limit of the flash memory the switch supports only two operation code files However you can have as many diagnostic code files and configuration fil...

Page 39: ...2 Set user names and passwords using an out of band serial connection Access to the Web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 4 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on the third fa...

Page 40: ...ayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Note The screen captures used in this manual are based on either the ES4512C ES4524C or ES4548C but are all the same for both switches except for the port count Fi...

Page 41: ...very visit to the page 2 When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e with...

Page 42: ...ng process 3 22 System Logs Stores and displays error messages 3 19 Remote Logs Configures the logging of messages to a remote logging process 3 20 SMTP Sends an SMTP client message to a participating server 3 23 Reset Restarts the switch 3 25 SNTP 3 26 Configuration Configures SNTP client settings including broadcast mode or a specified list of servers 3 26 Clock Time Zone Sets the local time zon...

Page 43: ...ts to group into static trunks 3 70 LACP 3 71 Configuration Allows ports to dynamically join trunks 3 71 Aggregation Port Configures system priority admin key and port priority 3 73 Port Counters Information Displays statistics for LACP protocol messages 3 76 Port Internal Information Displays settings and operational state for local side 3 77 Port Neighbors Information Displays settings and opera...

Page 44: ...107 Trunk Information Displays trunk settings for a specified MST instance 3 107 Port Configuration Configures port settings for a specified MST instance 3 108 Trunk Configuration Configures trunk settings for a specified MST instance 3 108 VLAN 3 110 802 1Q VLAN 3 110 GVRP Status Enables GVRP VLAN registration protocol 3 113 Basic Information Displays information on the VLAN type supported by thi...

Page 45: ...ferentiated Services Code Point priority mapping a DSCP tag to a class of service value 3 133 IP Port Priority Status Globally enables or disables IP Port Priority 3 135 IP Port Priority Sets TCP UDP port priority defining the socket number and associated class of service value 3 135 ACL CoS Priority Sets the CoS value and corresponding output queue for packets matching an ACL rule 3 135 ACL Marke...

Page 46: ...name and domain list and specifies IP address of name servers for dynamic lookup 3 146 Static Host Table Configures static entries for domain name to address mapping 3 148 Cache Displays cache entries discovered by designated name servers 3 150 Table 3 2 Switch Main Menu Menu Description Page ...

Page 47: ...erver Shows if management access via HTTP is enabled Web server port Shows the TCP port number used by the web interface Web secure server Shows if management access via HTTPS is enabled Web secure server port Shows the TCP port used by the HTTPS interface Telnet server Shows if management access via Telnet is enabled Telnet server port Shows the TCP port used by the Telnet interface Authenticatio...

Page 48: ...3 Console config exit Console show version 4 61 Unit1 Serial number Hardware version Number of ports 24 Main power status up Redundant power status not present Agent master Unit id 1 Loader version 2 1 0 3 Boot rom version 2 0 2 11 Operation code version 1 4 0 0 Console show system 4 60 System description 20 10 100 1000 ports 4 Gigabit Combo ports L2 L4 managed standalone switch System OID string ...

Page 49: ...umber of runtime code Role Shows that this switch is operating as Master i e operating stand alone Web Click System Switch Information Figure 3 4 Switch Information CLI Use the following command to display version information Console show version 4 61 Unit1 Serial number Hardware version Number of ports 24 Main power status up Redundant power status not present Agent master Unit id 1 Loader versio...

Page 50: ...filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 88 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering database Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration ...

Page 51: ... VLAN as long as that VLAN has been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP values...

Page 52: ...ic enter the IP address subnet mask and gateway then click Apply Figure 3 6 IP Interface Configuration Manual CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 125 Console config if ip address 10 1 0 254 255 255 255 0 4 213 Console config if exit Console config ip default gateway 192 168 1 254 4 215 Console config ...

Page 53: ...rface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Renewing DCHP DHCP may lease addresses to clients indefinitely or for a specific period of time If the address expires or the switch is moved to another network segment you will lose management access to the switch In this case you can reboot the switch or submit a client request to restart DHCP service v...

Page 54: ...ch Valid characters A Z a z 0 9 _ Note Up to two copies of the system software i e the runtime firmware can be stored in the file directory on the switch The currently designated startup version of this file cannot be deleted Downloading System Software from a Server When downloading runtime code you can specify the destination file name to replace the current image or first download the file usin...

Page 55: ... later downloaded to restore the switch s settings Command Attributes TFTP Server IP Address The IP address of a TFTP server File Name The configuration file name should not contain slashes or the leading letter of the file name should not be a period and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch Valid characters A Z a z 0 9 _ N...

Page 56: ...o overwrite or specify a new file name and then click Transfer from Server Figure 3 10 Downloading Configuration Settings If you download to a new file name then select the new file from the drop down box for Startup Configuration File and press Apply Changes To use the new settings reboot the system via the System Reset menu Figure 3 11 Setting the Startup Configuration Settings CLI Enter the IP ...

Page 57: ... are logged to flash or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM Command Attributes System Log Status Enables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if l...

Page 58: ...r management stations You can also limit the event messages sent to only those messages at or above a specified level Command Attributes Remote Log Status Enables disables the logging of debug or error messages to the remote logging process Default Disabled Logging Facility Sets the facility type for remote logging of syslog messages There are eight facility types specified by values of 16 to 23 T...

Page 59: ...t IP List Displays the list of remote server IP addresses that will receive syslog messages The maximum number of host IP addresses allowed is five Host IP Address Specifies a new server IP address to add to the Host IP List Web Click System Logs Remote Logs To add an IP address to the Host IP List type the new IP address in the Host IP Address box and then click Add To delete an IP address click ...

Page 60: ...t flash memory Web Click System Log Logs Figure 3 14 Displaying Logs Console config logging host 10 1 0 9 4 45 Console config logging facility 23 4 45 Console config logging trap 4 4 46 Console config logging trap Console config Console show logging trap 4 47 Syslog logging Enabled REMOTELOG status Disabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG serve...

Page 61: ...slog severity threshold level see table on page 4 48 used to trigger alert messages All events at this level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 SMTP Server List Specifies a list of up to three recipient SMTP servers The switch attempts to connect to the other listed servers if the first ...

Page 62: ...ity level To add an IP address to the SMTP Server List type the new IP address in the SMTP Server field and click Add To delete an IP address click the entry in the SMTP Server List and click Remove Specify up to five email addresses to receive the alert messages and click Apply Figure 3 15 Enabling and Configuring SMTP Alerts ...

Page 63: ...setting the System CLI Use the reload command to restart the switch Note When restarting the system it will always run the Power On Self Test Console config logging sendmail host 192 168 1 4 4 49 Console config logging sendmail level 3 4 49 Console config logging sendmail source email big wheels matel com 4 50 Console config logging sendmail destination email chris matel com 4 50 Console config lo...

Page 64: ... up to three time server IP addresses The switch will attempt to poll each server in the configured sequence Configuring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least one time server to be specified in the SNTP Server field Default Disabled SNTP Poll In...

Page 65: ...ime Name Assigns a name to the time zone Range 1 29 characters Hours 0 12 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Direction Configures the time zone to be before east or after west UTC Web Select SNTP Clock Time Zone Set the offset for your time zone relative to the UTC and click Apply Figure 3 18 Clock Time Zone Console config sntp client 4 52 Cons...

Page 66: ... a valid community string for authentication The options for configuring community strings trap functions and restricting access to clients with specified IP addresses are described in the following sections Setting Community Access Strings You may configure up to five community strings authorized for management access All community strings used for IP Trap Managers should be listed in this table ...

Page 67: ...ve management stations that will receive authentication failure messages and other trap messages from the switch Command Attributes Trap Manager Capability This switch supports up to five trap managers Trap Manager IP Address IP address of a new management station to receive trap messages Trap Manager Community String Community string sent with the notification operation Range 1 32 characters case...

Page 68: ... Settings Provide a secure shell for secure Telnet access Port Security Configure secure addresses for individual ports 802 1x Use IEEE 802 1x port authentication to control access to specific ports IP Filter Filters management access to the web SNMP or Telnet interface Configuring the Logon Password The guest only has read access for most configuration parameters However the administrator has wri...

Page 69: ...tch or you can use a remote access authentication server based on RADIUS or TACACS protocols Remote Authentication Dial in User Service RADIUS and Terminal Access Controller Access Control System Plus TACACS are logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a da...

Page 70: ...e local user name and password is checked Command Attributes Authentication Select the authentication or authentication sequence required Local User authentication is performed only locally by the switch Radius User authentication is performed using a RADIUS server only TACACS User authentication is performed using a TACACS server only authentication sequence User authentication is performed by up...

Page 71: ...sing the CLI See username on page 4 26 Web Click Security Authentication Settings To configure local or remote authentication preferences specify the authentication sequence i e one to three methods fill in the parameters for RADIUS or TACACS authentication if selected and click Apply Figure 3 21 Authentication Server Settings ...

Page 72: ...ncrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above and Netscape Navigator 4 x or above Console config authentication login radius 4 69 Console config radius server host 192 168 1 25 4 71 Console config radius server port 181 4 71 Console config radius server key green 4 72 Con...

Page 73: ... using HTTPS for secure access a Secure Sockets Layer SSL certificate appears for the switch By default the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site This is because the certificate has not been signed by an approved certification authority If you want this warning to be replaced by a message confirmin...

Page 74: ...itch generates a public key that the client uses along with a local user name and password for access authentication SSH also encrypts all data transfers passing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered Note that you need to install an SSH client on the management station to access the switch for management via...

Page 75: ...sing these keys The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key 1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 006090253948408482717819437...

Page 76: ...ibutes Public Key of Host Key The public key for the host RSA Version 1 The first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 65537 and the last string is the encoded modulus DSA Version 2 The first field indicates that the encryption method used by SSH is based on the Digital Signature Standard DSS The last string is the encoded modulus Ho...

Page 77: ...320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510813919642025 190932104328579045764891 DSA ssh dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa 2OrI...

Page 78: ...ge 1 to 120 seconds Default 120 seconds SSH Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process Range 1 5 times Default 3 SSH Server Key Size Specifies the SSH server key size Range 512 896 bits The server key is a private key that is never shared outside the switch The ...

Page 79: ...ames received on the port Note that you can also manually add secure addresses to the port using the Static Address Table page 3 88 When the port has reached the maximum number of MAC addresses the selected port will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from accessing the ...

Page 80: ...message Shutdown Disable the port Trap and Shutdown Send an SNMP trap message and disable the port Security Status Enables or disables port security on the port Default Disabled Max MAC Count The maximum number of MAC addresses that can be learned on a port Range 0 20 Trunk Trunk number if port is a member page 3 70 and 3 71 Web Click Security Port Security Set the action to take when an invalid a...

Page 81: ...h an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verifies the client identity and sends an access challenge back to the client The EAP packet from the RADIUS server contains not only the challenge but the authentication method to be used The client can reject the authenticati...

Page 82: ...t runs between the switch and authentication server These parameters are described in this section Command Attributes 802 1X Re authentication Indicates if switch port requires a client to be re authenticated after a certain period of time 802 1X Max Request Count The maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication ...

Page 83: ...1X Parameters reauth enabled yes reauth period 3600 quiet period 60 tx period 30 supp timeout 30 server timeout 30 reauth max 2 max req 2 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 disabled Single Host ForceAuthorized n a 1 47 disabled Single Host ForceAuthorized n a 1 48 enabled Single Host Auto yes 802 1X Port Details 802 ...

Page 84: ...riod Sets the time that a switch port waits after the dot1X Max Request Count has been exceeded before attempting to acquire a new client Range 1 65535 seconds Default 60 seconds Timeout For Re authentication Period Sets the time period after which a connected client must be re authenticated Range 1 65535 seconds Default 3600 seconds Timeout For Tx Period Sets the time period during an authenticat...

Page 85: ...Single Host Max Count The maximum number of hosts that can connect to a port when the Multi Host operation mode is selected Range 1 20 Default 5 Mode Sets the authentication mode to one of the following options Auto Requires a dot1x aware client to be authorized by the authentication server Clients that are not dot1x aware will be denied access Force Authorized Forces the port to grant access to a...

Page 86: ...n display statistics for dot1x protocol exchanges for any port Console config interface ethernet 1 2 4 125 Console config if dot1x port control auto 4 80 Console config if dot1x operation mode multi host max count 10 4 80 Console config if Table 3 5 802 1x Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator Rx EAPOL Logoff ...

Page 87: ... in which the Packet Body Length field is invalid Rx Last EAPOLVer The protocol version number carried in the most recently received EAPOL frame Rx Last EAPOLSrc The source MAC address carried in the most recently received EAPOL frame Tx EAPOL Total The number of EAPOL frames of any type that have been transmitted by this Authenticator Tx EAP Req Id The number of EAP Req Id frames that have been t...

Page 88: ...the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by specifying both ...

Page 89: ...ure 3 30 IP Filter CLI This example allows SNMP access for a specific client Console config management snmp client 10 1 2 3 4 28 Console config end Console show management all client Management Ip Filter Http Client Start ip address End ip address Snmp Client Start ip address End ip address 1 10 1 2 3 10 1 2 3 Telnet Client Start ip address End ip address Console ...

Page 90: ...er packets matching the permit deny rules specified in an ingress ACL You can also configure up to seven user defined masks for an ingress or egress ACL Command Usage The following restrictions apply to ACLs Each ACL can have up to 32 rules The maximum number of ACLs is also 32 However due to resource restrictions the average number of rules bound to the ports should not exceed 20 You must configu...

Page 91: ...ACL Configuration Enter an ACL name in the Name field select the list type IP Standard IP Extended or MAC and click Add to open the configuration page for the new list Figure 3 31 Selecting ACL Type CLI This example creates a standard IP ACL named bill Configuring a Standard IP ACL Command Attributes Action An ACL can contain all permit rules or all deny rules Default Permit rules IP Specifies the...

Page 92: ...ost or IP If you select Host enter a specific address If you select IP enter a subnet address and the mask for an address range Then click Add Figure 3 32 ACL Configuration Standard IP CLI This example configures one permit rule for the specific address 10 1 1 21 and another rule for the address range 168 92 16 x 168 92 31 x using a bitmask Console config std acl permit host 10 1 1 21 4 89 Console...

Page 93: ...dicates a specific protocol number 0 255 Options TCP UDP Others Default TCP Src Dst Port Source destination port number for the specified protocol type Range 0 65535 Src Dst Port Bitmask Decimal number representing the port bits to match Range 0 65535 Control Code Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 Control Bitmask Decimal numbe...

Page 94: ...ming packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP 3 Permit all TCP packets from class C addresses 192 168 1 0 with the ...

Page 95: ...4095 VID Mask VLAN bitmask Range 1 4095 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 600 fff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Mask Protocol bitmask Range 600 fff hex Packet Format This attribute includes the following packet types Any ...

Page 96: ...lect MAC enter a base address and a hexidecimal bitmask for an address range Set any other required criteria such as VID Ethernet type or packet format Then click Add Figure 3 34 ACL Configuration MAC CLI This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Console config mac acl permit any host 00 e0 29 94 34 de etherty...

Page 97: ... order in which the ACL rules are entered First create the required ACLs and the ingress or egress masks before mapping an ACL to an interface You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule Specifying the Mask Type Use the ACL Mask Configuration page to edit the mask for the Ingress IP ACL Egress IP ACL Ingre...

Page 98: ...se Any to match any address Host to specify a host address not a subnet or IP to specify a range of addresses Options Any Host IP Default Any Src Dst IP Bitmask Source or destination address of rule must match this bitmask See the description for SubMask on page 3 53 Protocol Bitmask Check the protocol field Service Type Check the rule for the specified priority type Options Precedence TOS DSCP De...

Page 99: ...This shows that the entries in the mask override the precedence in which the rules are entered into the ACL In the following example packets with the source address 10 1 1 1 are dropped because the deny 10 1 1 1 255 255 255 255 rule has the higher precedence according the mask host any entry Console config access list ip standard A2 4 88 Console config std acl permit 10 1 1 0 255 255 255 0 4 89 Co...

Page 100: ... Destination MAC Bitmask Address of rule must match this bitmask VID Bitmask VLAN ID of rule must match this bitmask Ethernet Type Bitmask Ethernet type of rule must match this bitmask Packet Format Bitmask A packet format must be specified in the rule Web Configure the mask to match the required rules in the MAC ingress or egress ACLs Set the mask to check for any source or destination address a ...

Page 101: ...itch does not support the explicit deny any any rule for the egress IP ACL or the egress MAC ACLs If these rules are included in ACL and you attempt to bind the ACL to an interface for egress checking the bind operation will fail Command Attributes Port Fixed port or SFP module Range 1 24 1 48 IP Specifies the IP ACL to bind to a port MAC Specifies the MAC ACL to bind to a port IN ACL for ingress ...

Page 102: ...control and auto negotiation Field Attributes Web Name Interface label Type Indicates the port type 1000BASE T or SFP Admin Status Shows if the interface is enabled or disabled Oper Status Indicates if the link is Up or Down Speed Duplex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Press...

Page 103: ... access this item on the web see Setting the Switch s IP Address on page 3 13 Configuration Name Interface label Port admin Shows if the interface is enabled or disabled i e up or down Speed duplex Shows the current speed and duplex mode Auto or fixed choice Capabilities Specifies the capabilities to be advertised for a port during auto negotiation To access this item on the web see Configuring In...

Page 104: ...er forced copper preferred auto SFP forced SFP preferred auto Current status Link Status Indicates if the link is up or down Operation speed duplex Shows the current speed and duplex mode Flow control type Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or none CLI This example shows the connection status for Port 5 Console show interfaces status ethernet 1 5 4 133 In...

Page 105: ...ull Supports 100 Mbps full duplex operation 1000full Supports 1000 Mbps full duplex operation Sym Gigabit only Check this item to transmit and receive pause frames or clear it to auto negotiate the sender and receiver for asymmetric pause frames The current switch chip only supports symmetric pause frames FC Supports flow control Flow control can eliminate frame loss by blocking traffic from end s...

Page 106: ...figuration CLI Select the interface and then enter the required settings Console config interface ethernet 1 13 4 125 Console config if description RD SW 13 4 126 Console config if shutdown 4 130 Console config if no shutdown Console config if no negotiation 4 127 Console config if speed duplex 100half 4 126 Console config if flowcontrol 4 129 Console config if negotiation Console config if capabi...

Page 107: ...ed in a standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on...

Page 108: ...eating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Web Click Port Trunk Membership Enter a trunk ID of 1 6 in the Trunk field select any of the switch ports from the scroll down port list and click Add After you have completed adding port...

Page 109: ...f one of the active links fails All ports on both ends of an LACP trunk must be configured for full duplex either by forced mode or auto negotiation Console config interface port channel 1 4 125 Console config if exit Console config interface ethernet 1 1 4 125 Console config if channel group 1 4 140 Console config if exit Console config interface ethernet 1 2 Console config if channel group 1 Con...

Page 110: ...1 Console config if exit Console config interface ethernet 1 6 Console config if lacp Console config if end Console show interfaces status port channel 1 4 133 Information of Trunk 1 Basic information Port type 1000T Mac address 22 22 22 22 22 2d Configuration Name Port admin status Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Flow control status Disabled Port security ...

Page 111: ...m Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG...

Page 112: ...You can optionally configure these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggregate link is formed with this device After you have completed setting the port LACP parameters click Apply Figure 3 43 LACP Aggregation Port ...

Page 113: ...priority 128 4 144 Console config if exit Console config interface ethernet 1 6 Console config if lacp actor system priority 3 Console config if lacp actor admin key 120 Console config if lacp actor port priority 512 Console config if end Console show lacp sysid 4 145 Channel Group System Priority System MAC Address 1 32768 00 00 E9 31 31 31 2 32768 00 00 E9 31 31 31 3 32768 00 00 E9 31 31 31 4 32...

Page 114: ...ker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type LACPDUs Il...

Page 115: ...formation administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is n...

Page 116: ...CP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 4 145 Channel group 1 Oper Key 4 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Key 4 Oper Key 4 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long timeo...

Page 117: ...gned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation por...

Page 118: ... threshold is 500 packets per second Broadcast control does not effect IP multicast traffic The specified threshold applies to all ports on the switch Command Attributes Port Port number Type Indicates the port type 1000BASE T or SFP Protect Status Shows whether or not broadcast storm control has been enabled Default Enabled Threshold Threshold as percentage of port bandwidth Range 500 262143 pack...

Page 119: ...e config if no switchport broadcast 4 131 Console config if exit Console config interface ethernet 1 2 Console config if switchport broadcast packet rate 600 4 131 Console config if end Console show interfaces switchport ethernet 1 2 4 135 Information of Eth 1 2 Broadcast threshold Enabled 600 packets second Lacp status Disabled Ingress rate limit disable 1000M bits per second Egress rate limit di...

Page 120: ...essions Displays a list of current mirror sessions Source Port The port whose traffic will be monitored Type Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Target Port The port that will duplicate or mirror the traffic on the source port Web Click Port Mirror Port configuration Specify the source port the traffic type to be mirrored and the monitor p...

Page 121: ...onitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes Command Attribute Rate Limit Sets the output rate limit for an interface Default Status Disabled Default Rate 1000 Mbps Range 1 1000 Mbps Web Click Rate Limit Input Output Port Trunk Configuration Set the Input Rate Limit Status or Output Rate Limit Status then set th...

Page 122: ... at this sub layer Received Broadcast Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Received Discarded Packets The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for dis...

Page 123: ...a particular interface fails due to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame SQE Test Errors A count of times that the SQE TEST ERRO...

Page 124: ...al number of frames received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed Fragments The total number of frames received that were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error 64 Bytes Frames The total number of frames including bad packets received and trans...

Page 125: ...onfiguration 3 87 3 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 3 50 Port Statistics ...

Page 126: ...ddress of a device mapped to this interface VLAN ID of configured VLAN 1 4094 Web Only Console show interfaces counters ethernet 1 13 4 134 Ethernet 1 13 Iftable stats Octets input 868453 Octets output 3492122 Unicast input 7315 Unitcast output 6658 Discard input 0 Discard output 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cas...

Page 127: ...he destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports Command Attributes Interface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4094 Address Table Sort Key You can sort the information d...

Page 128: ...x select the method of sorting the displayed addresses and then click Query Figure 3 52 Dynamic Addresses CLI This example also displays the address table entries for port 1 Console show mac address table interface ethernet 1 1 4 151 Interface Mac Address Vlan Type Eth 1 1 00 E0 29 94 34 DE 1 Permanent Eth 1 1 00 20 9C 23 CD 60 2 Learned Console ...

Page 129: ...en a primary link goes down The spanning tree algorithms supported by this switch include these versions STP Spanning Tree Protocol IEEE 802 1D RSTP Rapid Spanning Tree Protocol IEEE 802 1w MSTP Multiple Spanning Tree Protocol IEEE 802 1s STA uses a distributed algorithm to select a bridging device STA compliant switch bridge or router that serves as the root of the spanning tree network It select...

Page 130: ...ased on VLAN groups Once you specify the VLANs to include in a Multiple Spanning Tree Instance MSTI the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree CST Displaying Global Settings You can display a summary of the current brid...

Page 131: ...e of spanning tree used on this switch STP Spanning Tree Protocol IEEE 802 1D RSTP Rapid Spanning Tree IEEE 802 1w MSTP Multiple Spanning Tree IEEE 802 1s Instance Instance identifier of this spanning tree This is always 0 for the CIST Vlans configuration VLANs assigned to the CIST Priority Bridge priority is used in selecting the root device root port and designated port The device with the highe...

Page 132: ...de Max hops The max number of hop counts for the MST region Remaining hops The remaining number of hop counts for the MST instance Transmission limit The minimum interval between the transmission of consecutive RSTP MSTP BPDUs Path Cost Method The path cost is used to determine the best path between devices The path cost method is used to determine the range of values that can be assigned to each ...

Page 133: ...tocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BPDU i e STP BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migra...

Page 134: ...t device root port and designated port The device with the highest priority becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Note that lower numeric values indicate higher priority Default 32768 Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 491...

Page 135: ...gned to each interface Long Specifies 32 bit based values that range from 1 200 000 000 This is the default Short Specifies 16 bit based values that range from 1 65535 Transmission Limit The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages Range 1 10 Default 3 Configuration Settings for MSTP Max Instance Numb...

Page 136: ...Configuring the Switch 3 98 3 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 3 55 STA Configuration ...

Page 137: ...s packets and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this port has transitioned from the Learning state to the Forwarding state Designated Cost The cost for a packet to travel from this port to the root in the current Spanning Tree configuration The slower t...

Page 138: ...e connectivity if other bridges bridge ports or LANs fail or are removed The role is set to disabled i e disabled port if a port has no role within the spanning tree Trunk Member Indicates if a port is a member of a trunk STA Port Information only These additional parameters are only displayed for the CLI Admin status Shows if this interface is enabled External path cost The path cost for the IST ...

Page 139: ...f an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to reduce the amount of frame flooding required to r...

Page 140: ...ormation Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and continues learning addresses Trunk Indicates if a port is a member of a trunk STA Port Configuration only The following interface attributes can be configured Spanning Tree Enables disables STA on this interface Default Enabled Priority Defines the priority used for this port in the S...

Page 141: ...ly determines if the interface is attached to a point to point link or to shared media This is the default setting Admin Edge Port Fast Forwarding You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying E...

Page 142: ... cover the same general area of your network However remember that you must configure all bridges within the same MSTI Region page 3 97 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree To use multiple spanning trees 1 Set the spanning tree ty...

Page 143: ...LANs in MST Instance VLANs assigned this instance MST ID Instance identifier to configure Range 0 4094 Default 0 VLAN ID VLAN to assign to this selected MST instance Range 1 4094 The other global attributes are described under Displaying Global Settings page 3 95 The attributes displayed by the CLI for individual interfaces are described under Displaying Interface Settings page 3 99 Web Click Span...

Page 144: ...d Root 4096 2 0000E9313131 Current root port 0 Current root cost 0 Number of topology changes 0 Last topology changes time sec 646 Transmission limit 3 Path Cost Method long Eth 1 7 information Admin status enable Role disable State discarding External path cost 10000 Internal path cost 10000 Priority 128 Designated cost 0 Designated port 128 7 Designated root 4096 2 0000E9313131 Designated bridge...

Page 145: ...CLI This displays STA settings for instance 0 followed by settings for each port The settings for instance 0 are global settings that apply to the IST page 3 92 the settings for other instances only apply to the local spanning tree Console show spanning tree mst 0 4 170 Spanning tree information Spanning tree mode MSTP Spanning tree enable disable enable Instance 0 Vlans configuration 1 4094 Prior...

Page 146: ... The following interface attributes can be configured MST Instance ID Instance identifier to configure Range 0 4094 Default 0 Priority Defines the priority used for this port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher...

Page 147: ...st Ethernet 20 000 2 000 000 Gigabit Ethernet 2 000 200 000 Default Ethernet Half duplex 2 000 000 full duplex 1 000 000 trunk 500 000 Fast Ethernet Half duplex 200 000 full duplex 100 000 trunk 50 000 Gigabit Ethernet Full duplex 10 000 trunk 5 000 Web Click Spanning Tree MSTP Port Configuration or Trunk Configuration Enter the priority and path cost for an interface and click Apply Figure 3 60 M...

Page 148: ...VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN This switch supports the following VLAN features Up to 255 VLANs based on the IEEE 802 1Q standard Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol Port overlapping allowing a port to participate in mult...

Page 149: ...ame VLAN Untagged VLANs can be used to manually isolate user groups or subnets However you should use IEEE 802 3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration Automatic VLAN Registration GVRP GARP VLAN Registration Protocol defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned If an end station or its netwo...

Page 150: ...o the same untagged VLAN However to participate in a VLAN group that crosses several switches you should create a VLAN for that group and enable tagging on all ports Ports can be assigned to multiple tagged or untagged VLANs Each port on the switch is therefore capable of passing tagged or untagged frames When forwarding a frame from this switch along a path that contains any VLAN aware devices th...

Page 151: ...AN 802 1Q VLAN GVRP Status Enable or disable GVRP and click Apply Figure 3 61 Globally Enabling GVRP CLI This example enables GVRP for the switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch Field Attributes VLAN Version Number The VLAN version used by this switch as specified in the IEEE 802 1Q standard Maxim...

Page 152: ...ation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the list Figure 3 63 VLAN Current Table Console show bridge ex...

Page 153: ...ll the current VLAN groups created for this system Up to 255 VLAN groups can be defined VLAN 1 is the default untagged VLAN New Allows you to specify the name and numeric identifier for a new VLAN group The VLAN name is only used for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4094 no leading zeroes VLAN Name Name of the VLAN 1 to 32 characters Status ...

Page 154: ...N Static Membership by Port page to configure VLAN groups based on the port index page 3 118 However note that this configuration page can only add ports to a VLAN as tagged members 2 VLAN 1 is the default untagged VLAN containing all ports on the switch and can only be modified by first reassigning the default port VLAN ID as described under Configuring VLAN Behavior for Interfaces on page 3 119 ...

Page 155: ...will be untagged that is not carry a tag and therefore not carry VLAN or CoS information Note that an interface must be assigned to at least one group as an untagged port Forbidden Interface is forbidden from automatically joining the VLAN via GVRP For more information see Automatic VLAN Registration on page 3 111 None Interface is not a member of the VLAN Packets associated with this VLAN will no...

Page 156: ...ce Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 66 VLAN Static Membership by Port CLI This example adds Port 3 to VLAN 1 as a tagged port and removes Port 3 from VLAN 2 Console config interface ethernet 1 1 4 125 Console config if switchport allowed vlan ...

Page 157: ...ly tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Option All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Default Disabled Ingress filtering only affects tagged frames If ingress filtering is disabled and a port receives frames tagged for VL...

Page 158: ...unk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames Hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames Trunk Member Indicates i...

Page 159: ...function Default Disabled Web Click VLAN Private VLAN Status Select Enable or Disable from the scroll down box and click Apply Figure 3 68 Private VLAN Status CLI This example enables private VLANs Console config interface ethernet 1 3 4 125 Console config if switchport acceptable frame types tagged 4 176 Console config if switchport ingress filtering 4 177 Console config if switchport native vlan...

Page 160: ...articipating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the physical network into logical VLAN groups for each required protocol When a frame is received at a port its VLAN membership can then be determined based ...

Page 161: ...RP protocol types Mapping Protocols to VLANs Map a protocol group to a VLAN for each interface that will participate in the group Command Usage When creating a protocol based VLAN only assign interfaces using this configuration screen If you assign interfaces using any of the other VLAN commands such as VLAN Static Table page 3 116 or VLAN Static Membership page 3 118 these interfaces will admit t...

Page 162: ...er of this protocol group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4094 Web Click VLAN Protocol VLAN Port Configuration Select a a port or trunk enter a protocol group ID the corresponding VLAN ID and click Apply Figure 3 71 Protocol VLAN Port Configuration CLI The following maps the traffic entering Port 1 which matches the protocol type specified in...

Page 163: ...t priority and then sorted into the appropriate priority queue at the output port Command Usage This switch provides four priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802...

Page 164: ...ole config if switchport priority default 5 4 193 Console config if end Console show interfaces switchport ethernet 1 5 4 135 Information of Eth 1 3 Broadcast threshold Enabled 500 packets second Lacp status Disabled Ingress rate limit disable 1000M bits per second Egress rate limit disable 1000M bits per second VLAN membership mode Hybrid Ingress rule Disabled Acceptable frame type All frames Nat...

Page 165: ...ork applications are shown in the following table However you can map the priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class Output queue buffer Range 0 7 where 7 is the highest CoS priority queue CLI shows Queue ID Table 3 10 Mapping CoS Values...

Page 166: ...ow to change the CoS assignments to a one to one mapping Mapping specific values for CoS priorities is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config interface ethernet 1 1 4 125 Console config if queue cos map 0 0 4 194 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if end Cons...

Page 167: ...cing lower priority queues Web Click Priority Queue Mode Select Strict or WRR then click Apply Figure 3 74 Queue Mode CLI The following sets the queue mode to strict priority service mode Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin WRR algorithm to determine the frequency at which it services each priority queue As described in Mapping CoS Values to Egr...

Page 168: ...5 Queue Scheduling CLI The following example shows how to assign WRR weights to each of the priority queues Console config interface ethernet 1 1 Console config if queue bandwidth 1 3 5 7 9 11 13 15 4 193 Console config if end Console show queue bandwidth 4 196 Information of Eth 1 1 Queue ID Weight 0 1 1 3 2 5 3 7 4 9 5 11 6 13 7 15 Information of Eth 1 2 Queue ID Weight ...

Page 169: ...s to the output queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and DSCP Priority cannot both be enabled Enabling one of these priority types will automatically disable the other Selecting IP Precedence DSCP Priority The switch allows you to choose between using IP Precedence or DSCP ...

Page 170: ...plication types ToS bits are defined in the following table Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected IP Precedence value Note that 0 represents low priority and 7 represent high priority Web Click Priority IP Precedence Priority Select an entry from the IP Precedence Priority Table enter a value in th...

Page 171: ... for different kinds of forwarding The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps a CoS value to the selected DSCP Priority value Note that 0 represents low priority and 7 represent high priority Note IP DSC...

Page 172: ... and then displays the DSCP Priority settings Mapping specific values for IP DSCP is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config map ip dscp 4 200 Console config interface ethernet 1 1 4 125 Console config if map ip dscp 1 cos 0 4 200 Console config if end Console show map ip dscp ethernet 1 1 4 203 DSCP mapping st...

Page 173: ...ce to which the settings apply IP Port Priority Table Shows the IP port to CoS map IP Port Number TCP UDP Set a new IP port number Class of Service Value Sets a CoS value for a new IP port Note that 0 represents low priority and 7 represents high priority Note IP Port Priority settings apply to all interfaces Web Click Priority IP Port Priority Status Set IP Port Priority Status to Enabled Figure ...

Page 174: ...atching packet to an output queue it is not written to the packet itself For information on mapping the CoS values to output queues see page 3 127 Command Usage You must configure an ACL mask before you can map CoS values to the rule Command Attributes Port Port identifier Name Name of ACL Type Type of ACL IP or MAC CoS Priority CoS value used for packets matching an IP ACL rule Range 0 7 For info...

Page 175: ...and Usage You must configure an ACL mask before you can change priorities based on a rule Traffic priorities may be included in the IEEE 802 1p priority tag This tag is also incorporated as part of the overall IEEE 802 1Q VLAN tag The 802 1p priority may be set for either Layer 2 or IP frames The IP frame header also includes priority bits in the Type of Service ToS octet The Type of Service octet...

Page 176: ... DSCP check box select Precedence or DSCP from the scroll down box and enter a priority To specify an 802 1p priority mark the 802 1p Priority check box and enter a priority Then click Add Figure 3 82 ACL Marker CLI This example changes the DSCP priority for packets matching an IP ACL rule and the 802 1p priority for packets matching a MAC ACL rule Console config interface ethernet 1 1 4 125 Conso...

Page 177: ...s called multicast filtering The purpose of IP multicast filtering is to optimize a switched network s performance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers switches instead of flooding traffic to all ports in the subnet VLAN Layer 2 IGMP Snooping and Query IGMP Snooping and Query If multicast routing is not supported on other ...

Page 178: ... protocol such as DVMRP or PIM to support IP multicasting across the Internet Command Attributes IGMP Status When enabled the switch will monitor network traffic to determine which hosts want to receive multicast traffic This is also referred to as IGMP Snooping Default Enabled Act as IGMP Querier When enabled the switch can serve as the Querier which is responsible for asking hosts if they want t...

Page 179: ...mp snooping querier 4 208 Console config ip igmp snooping query count 10 4 208 Console config ip igmp snooping query interval 100 4 209 Console config ip igmp snooping query max response time 20 4 210 Console config ip igmp snooping router port expire time 300 4 210 Console config ip igmp snooping version 2 4 206 Console config exit Console show ip igmp snooping 4 206 Service status Enabled Querie...

Page 180: ...h attached to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4094 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping Multicast Router Port Information Select the required VLAN ID from the scroll down list to display the a...

Page 181: ... or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration Specify the interfaces attached to a multicast router indicate the VLAN which will forward all the corresponding multicast traffic and ...

Page 182: ...e Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 3 86 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating the correspo...

Page 183: ...N ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router switch Multicast IP The IP address for a specific multicast service Port or Trunk Specifies the interface attached to a multicast router switch Web Click IGMP Snooping IGMP Member Port Table Specify the interface attached to a multicast service via an IGMP enabled switch or multicast router indicate ...

Page 184: ...l order If there is no domain list the default domain name is used If there is a domain list the default domain name is not used When an incomplete host name is received by the DNS server on this switch and a domain name list has been specified the switch will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a mat...

Page 185: ...main list However remember that if a domain list is specified the default domain name is not used Console config ip domain name sample com 4 118 Console config ip domain list sample com uk 4 119 Console config ip domain list sample com jp Console config ip name server 192 168 1 55 10 1 0 55 4 120 Console config ip domain lookup 4 121 Console config end Console show dns 4 123 Domain Lookup Status D...

Page 186: ...may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Field Attributes Host Name Name of a host device that is mapped to one or more IP addresses Range 1 64 char...

Page 187: ...Figure 3 89 DNS Static Host Table CLI This example maps two address to a host name and then configures an alias host name for the same addresses Console config ip host rd5 192 168 1 55 10 1 0 55 4 117 Console config ip host rd6 10 1 0 55 Console config end Console show hosts 4 122 Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias 1 rd6 Console ...

Page 188: ...4 indicating a cache entry and therefore unreliable Type This field includes CNAME which specifies the canonical or primary name for the owner and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this record We...

Page 189: ...0 51 www microsoft akadns net 2 4 CNAME 207 46 134 155 51 www microsoft akadns net 3 4 CNAME 207 46 249 222 51 www microsoft akadns net 4 4 CNAME 207 46 249 27 51 www microsoft akadns net 5 4 ALIAS POINTER TO 4 51 www microsoft com 6 4 CNAME 207 46 68 27 71964 msn com tw 7 4 ALIAS POINTER TO 6 71964 www msn com tw 8 4 CNAME 65 54 131 192 605 passportimages com 9 4 ALIAS POINTER TO 8 605 www passpo...

Page 190: ...Configuring the Switch 3 152 3 ...

Page 191: ...But when the guest user name and password is entered the CLI displays the Console prompt and enters normal access mode i e Normal Exec 2 Enter the necessary commands to complete your desired tasks 3 When finished exit the session with the quit or exit command After connecting to the system through the console port the login screen displays Telnet Connection Telnet operates over the IP transport pr...

Page 192: ...access 2 At the prompt enter the user name and system password The CLI will display the Vty n prompt for the administrator to show that you are using privileged access mode i e Privileged Exec or Vty n for the guest to show that you are using normal access mode i e Normal Exec where n indicates the number of the current Telnet session 3 Enter the necessary commands to complete your desired tasks 4...

Page 193: ...how startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is am...

Page 194: ...e TTY line information logging Show the contents of logging buffers mac MAC access lists mac address table Set configuration of the address table management Show management ip filter map Map priority marking Specify marker port Characteristics of the port protocol vlan Protocol vlan information public key Show information of public key pvlan Information of private VLAN queue Information of priorit...

Page 195: ...to the default value For example the logging command will log system messages to a host server To disable logging specify the no logging command This guide describes the negation effect for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow key Any command displaye...

Page 196: ...r of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new console session with the user name and password admin The system will now display the Console command prompt You can also enter Privileged Exec mode from within Normal Exec mode by entering the enable command followed by ...

Page 197: ...dify the port configuration such as speed duplex and negotiation Line Configuration These commands modify the console port and Telnet configuration and include command such as parity and databits VLAN Configuration Includes the command to create VLAN groups Multiple Spanning Tree Configuration These commands configure settings for the selected multiple spanning tree instance To enter the Global Co...

Page 198: ...e console vty Console config line 4 11 Access Control List access list ip standard access list ip extended access list ip mask precedence access list mac access list mac mask precedence Console config std acl Console config ext acl Console config ip mask acl Console config mac acl Console config mac mask acl 4 86 Interface interface ethernet port port channel id vlan id Console config if 4 125 VLA...

Page 199: ... Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters th...

Page 200: ... parameters for all Ethernet ports aggregated links and VLANs 4 125 Mirror Port Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port 4 136 Rate Limiting Controls the maximum rate for traffic transmitted or received on a port 4 138 Link Aggregation Statically groups multiple ports into a single logical trunk configures Link Ag...

Page 201: ...assword checking at login LC 4 12 password Specifies a password on a line LC 4 13 exec timeout Sets the interval that the command interpreter waits until user input is detected LC 4 14 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 4 15 silent time Sets the amount of time the management console is inaccessible after the number of unsuccess...

Page 202: ... screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Related Commands show line 4 19 show users 4 61 login This command enables password checking at login Use the no form to disable password checking and allow connections without a password Syntax login local no l...

Page 203: ...ontrols login authentication via the switch itself To configure user names and passwords for remote authentication servers you must use the RADIUS or TACACS software installed on those servers Example Related Commands username 4 26 password 4 13 password This command specifies the password for a line Use the no form to remove the password Syntax password 0 7 password no password 0 7 0 means plain ...

Page 204: ...system waits until user input is detected Use the no form to restore the default Syntax exec timeout seconds no exec timeout seconds Integer that specifies the number of seconds Range 0 65535 seconds 0 no timeout Default Setting CLI No timeout Telnet 10 minutes Command Mode Line Configuration Command Usage If user input is detected within the timeout interval the session is kept open otherwise the...

Page 205: ...o set this interval When this threshold is reached for Telnet the Telnet logon interface shuts down This command applies to both the local console and Telnet connections Example To set the password threshold to five attempts enter this command Related Commands silent time 4 15 silent time This command sets the amount of time the management console is inaccessible after the number of unsuccessful l...

Page 206: ... character 8 Eight data bits per character Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity If parity is being generated specify 7 data bits per character If no parity is required specify 8 data bits per character Example To specify 7 data bits en...

Page 207: ...evices such as terminals and modems often require a specific parity bit setting Example To specify no parity enter this command speed This command sets the terminal line s baud rate This command sets both the transmit to terminal and receive from terminal speeds Use the no form to restore the default setting Syntax speed bps no speed bps Baud rate in bits per second Options 9600 19200 38400 57600 ...

Page 208: ...ify 57600 bps enter this command stopbits This command sets the number of the stop bits transmitted per byte Use the no form to restore the default setting Syntax stopbits 1 2 1 One stop bit 2 Two stop bits Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits enter this command disconnect Use this command to terminate an SSH Telnet or console connection Syntax ...

Page 209: ...ameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec Example To show all lines enter this command Console disconnect 1 Console Console show line Console configuration Password threshold 3 times Interactive timeout Disabled Silent time Disabled Baudrate 96...

Page 210: ...om Normal Exec to Privileged Exec To set this password see the enable password command on page 4 27 The character is appended to the end of the prompt to indicate that the system is in privileged access mode Table 4 6 General Commands Command Function Mode Page enable Activates privileged mode NE 4 20 disable Returns to normal mode from privileged mode PE 4 21 configure Activates global configurat...

Page 211: ...e end of the prompt to indicate that the system is in normal access mode Example Related Commands enable 4 20 configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the other configuration modes including Interface Configuration Line Configuration VLAN Database ...

Page 212: ... or Privileged Exec Mode and commands from the Configuration command history buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config reload This command restarts the system Note When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored ...

Page 213: ...iguration Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode exit This command returns to the previous configuration mode or exit the configuration program Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console reload S...

Page 214: ...ds Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4 25 User Access Configures the basic user names and passwords for management access 4 26 IP Filter Configures IP addresses that are allowed management access 4 28 Web Server Enables management access via a Web browser 4 30 Telnet Server Enables management access via Telnet 4 33 Secure She...

Page 215: ... modifies the host name for this device Use the no form to restore the default host name Syntax hostname name no hostname name The name of this host Maximum length 255 characters Default Setting None Command Mode Global Configuration Table 4 8 Device Designation Commands Command Function Mode Page prompt Customizes the prompt used in PE and NE mode GC 4 25 hostname Specifies the host name for the ...

Page 216: ...e of the user Maximum length 8 characters case sensitive Maximum users 16 access level level Specifies the user level The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 8 characters pl...

Page 217: ...evel 0 7 password no enable password level level level level Level 15 for Privileged Exec Levels 0 14 are not used 0 7 0 means plain password 7 means encrypted password password password for this privilege level Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You...

Page 218: ...g address of a range end address The end address of a range Default Setting All addresses Command Mode Global Configuration Command Usage If anyone tries to access a management interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP Web and Telnet...

Page 219: ...ent access to the switch through various protocols Syntax show management all client http client snmp client telnet client all client Adds IP address es to the SNMP Web and Telnet groups http client Adds IP address es to the Web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management ...

Page 220: ...his command allows this device to be monitored or configured from a browser Use the no form to disable this function Syntax no ip http server Default Setting Enabled Command Mode Global Configuration Table 4 12 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the Web browser interface GC 4 30 ip http server Allows the switch to be monitored or configured...

Page 221: ... The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x and Netscape Navigator 4...

Page 222: ...secure port port_number The UDP port used for HTTPS SSL Range 1 65535 Default Setting 443 Command Mode Global Configuration Command Usage You cannot configure the HTTP and HTTPS servers to use the same port If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this format https device port_number Example Related Commands ip...

Page 223: ...tion Example Related Commands ip telnet server 4 33 ip telnet server This command allows this device to be monitored or configured from Telnet Use the no form to disable this function Syntax no ip telnet server Default Setting Enabled Command Mode Global Configuration Example Command Function Mode Page ip telnet port Specifies the port to be used by the Telnet interface GC 4 30 ip telnet server Al...

Page 224: ...at you also need to install a SSH client on the management station when using this protocol to configure the switch Note The switch supports both SSH Version 1 5 and 2 0 Table 4 14 re Shell Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 4 36 ip ssh timeout Specifies the authentication timeout for the SSH server GC 4 37 ip ssh authentication retries Specif...

Page 225: ...23329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 51941746772984865468615717739390164779355942303577413098022737087794545 24083971752646358058176716709574804776117 3 Import Client s Public Key to the Switch Use the copy tftp public key command to copy a file containing the public key for all the SSH client s granted management access to ...

Page 226: ... the host public key must still be given to the client either during initial connection or manually entered into the known host file However you do not need to configure the client s keys ip ssh server Use this command to enable the Secure Shell SSH server on this switch Use the no form to disable this service Syntax no ip ssh server Default Setting Disabled Command Mode Global Configuration Comma...

Page 227: ...H negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Related Commands exec timeout 4 14 show ip ssh 4 40 ip ssh authentication retries Use this command to configure the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting Syntax ip ssh aut...

Page 228: ...nd Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example delete public key Use this command to delete the specified user s public key Syntax delete public key username dsa rsa username Name of an SSH user Range 1 8 characters dsa DSA public key type rsa RSA public key type Default Setting Deletes b...

Page 229: ...ent programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it Example Related Commands ip ssh crypto zeroize 4 39 ip ssh save host key 4 40 ip...

Page 230: ...rate 4 39 ip ssh save host key 4 40 no ip ssh server 4 36 ip ssh save host key Use this command to save host key from RAM to flash memory Syntax ip ssh save host key Default Setting Saves both the DSA and RSA key Command Mode Privileged Exec Example Related Commands ip ssh crypto host key generate 4 39 show ip ssh Use this command to display the connection settings used when authenticating client ...

Page 231: ...d Authentication Started Session Started Username The user name of the client Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1 3des cbc hmac sha1 blo...

Page 232: ...tring is the encoded modulus Example Console show public key host Host RSA 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA...

Page 233: ...nds logging history 4 44 clear logging 4 46 Table 4 16 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 43 logging history Limits syslog messages saved to switch memory based on severity GC 4 44 logging host Adds a syslog server host IP address that will receive logging messages GC 4 45 logging facility Sets the facility type for remote logging o...

Page 234: ...d Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 17 Logging Levels Level Name Level Description debugging 7 Debugging messages informational 6 Informational messages only notifications 5 Normal but significant condition such as cold start warnings 4 Warning conditions e...

Page 235: ...sets the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog ...

Page 236: ...g Disabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example clear logging This command clears messages from the log buffer Syntax clear loggin...

Page 237: ...level for flash memory is errors i e default level 3 0 the message level for RAM is debugging i e default level 7 0 and lists one sample error Console show logging flash Syslog logging Enable History logging in FLASH level errors Console show logging ram Syslog logging Enable History logging in RAM level debugging 0 02 07 30 01 01 2001 STA topology change notification level 6 module 6 function 1 a...

Page 238: ...ogging on command REMOTELOG status Shows if remote logging has been enabled via the logging trap command REMOTELOG facility type The facility type for remote logging of syslog messages as specified in the logging facility command REMOTELOG level type The severity threshold for syslog messages sent to a remote server as specified in the logging trap command REMOTELOG server IP address The address o...

Page 239: ... closes the connection To open a connection the switch first selects the server that successfully sent mail during the last connection or the first server configured by this command If it fails to send mail the switch selects the next server in the list and tries to send mail again If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch ca...

Page 240: ... 41 characters Default Setting None Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch or the address of an administrator responsible for the switch Example This example will send email alerts for system errors from level 3 through 0 logging sendmail destination email This command specifies the email recipients of alert messages Use the ...

Page 241: ...nd Mode Global Configuration Example show logging sendmail This command displays the settings for the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console config logging sendmail destination email ted this company com Console config Console config logging sendmail Console config Console show logging sendmail SMTP servers Active SMTP server 192 168 1 19 SMTP minimum severity ...

Page 242: ...he switch only records the time starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the sntp servers command It issues time synchronization requests based on the interval set via the sntp poll command Table 4 21 Time Commands Command Function Mode Page sntp client Accepts time from specified time s...

Page 243: ... servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp client 4 52 sntp poll 4 54 show sntp 4 54 Console config sntp server 10 1 0 19 Console config sntp po...

Page 244: ...e when the switch is set to SNTP client mode Example Related Commands sntp client 4 52 show sntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronizati...

Page 245: ...al time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Related Commands show sntp 4 54 calendar set This command sets the system clock Synta...

Page 246: ...ple shows how to set the system clock to 15 12 34 February 1st 2004 show calendar This command displays the system clock Default Setting None Command Mode Normal Exec Privileged Exec Example Console calendar set 15 12 34 1 February 2004 Console Console show calendar 15 12 34 February 1 2004 Console ...

Page 247: ...on SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for VLANs Spanning tree settings Any configured settings for the console port and Telnet Table 4 22 System Status Commands Command Function Mode Page show startup config Displays the co...

Page 248: ...separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information SNMP community strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state Console show startup config building startup config please wait username admin access level 15 username admin password 0 admin username guest access l...

Page 249: ...ame admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca logging sendmail destination email ted logging sendmail source email bill vlan database vlan 1 name DefaultVlan media ethernet state active spanning tree mst configur...

Page 250: ...Example Console show system System description 20 10 100 1000 ports 4 Gigabit Combo ports L2 L4 managed standalone switch System OID string 1 3 6 1 4 1 259 6 10 51 System information System Up time 0 days 1 hours 41 minutes and 43 31 seconds System Name NONE System Location NONE System Contact NONE MAC address 00 12 12 34 12 34 Web server enable Web server port 80 Web secure server enable Web secu...

Page 251: ...e version information for the system Default Setting None Command Mode Normal Exec Privileged Exec Command Usage See Displaying Switch Hardware Software Versions on page 3 10 for detailed information on the items displayed by this command Console show users Username accounts Username Privilege Public Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP a...

Page 252: ... a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames Enabling jumbo frames will limit the maximum threshold for broadcast storm control to 64 packet...

Page 253: ...config https certificate public key file Keyword that allows you to copy to from a file running config Keyword that allows you to copy to from the current running configuration startup config The configuration used for system initialization tftp Keyword that allows you to copy to from a TFTP server https certificate Copies an HTTPS certificate from an TFTP server to the switch public key Keyword t...

Page 254: ...st use startup config as the destination The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server You must follow the instructions in the release notes for new firmware or contact your distributor for help For information on specifying an https certificate see Replacing the Default Secure site Certificate on page 3 35 For information on configuring the switch to use HTTPS SSL ...

Page 255: ... image name Default Setting None Command Mode Privileged Exec Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source priva...

Page 256: ...iagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of the file or image If this file exists but contains errors information on this file cannot be shown Default Setting None Command Mode Privileged Exec Command Usage If you enter the command dir without any parameters the system displays all files File information is shown below Console de...

Page 257: ...o start up the system Syntax boot system boot rom config opcode filename The type of file or image to set as a default includes boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of the configuration file or image name The colon is required Console dir file name file type startup size byte Unit1 Diag bix Boot Rom image Y 818812 V11022 Operation Code Y 2402452 ...

Page 258: ...uthentication methods You can also enable port based authentication for network client access using IEEE 802 1x Console config boot system config startup Console config Table 4 26 Authentication Commands Command Group Function Page Authentication Sequence Defines logon authentication method and precedence 4 69 RADIUS Client Configures settings for authentication via a RADIUS server 4 70 TACACS Cli...

Page 259: ...ific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication sequence For example if you enter authentication login radius tacacs local the user name and password on the RADIUS server is verified first If the RADIUS ...

Page 260: ...ssword in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the...

Page 261: ...ault Setting 10 1 0 1 Command Mode Global Configuration Example radius server port This command sets the RADIUS server network port Use the no form to restore the default Syntax radius server port port_number no radius server port port_number RADIUS server UDP port used for authentication messages Range 1 65535 Table 4 28 RADIUS Client Commands Command Function Mode Page radius server host Specifi...

Page 262: ...string Maximum length 20 characters Default Setting None Command Mode Global Configuration Example radius server retransmit This command sets the number of retries Use the no form to restore the default Syntax radius server retransmit number_of_retries no radius server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 Def...

Page 263: ...resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example show radius server This command displays the current settings for the RADIUS server Default Setting None Command Mode Privileged Exec Example Console config radius server retransmit 5 Console config Console config radius server timeout 10 Console config Console show radius server Remote radius server conf...

Page 264: ...acs server host host_ip_address IP address of a TACACS server Default Setting 10 11 12 13 Command Mode Global Configuration Example tacacs server port This command specifies the TACACS server network port Use the no form to restore the default Syntax tacacs server port port_number no tacacs server port port_number TACACS server TCP port used for authentication messages Range 1 65535 Default Settin...

Page 265: ...paces in the string Maximum length 20 characters Default Setting None Command Mode Global Configuration Example show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Exec Example Console config tacacs server port 181 Console config Console config tacacs server key green Console config Console show tacacs server Remote TACAC...

Page 266: ...se the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses Syntax port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is violat...

Page 267: ...set the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot use port monitoring Cannot be a multi VLAN port Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled usin...

Page 268: ... values GC 4 79 dot1x max req Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session GC 4 79 dot1x port control Sets dot1x mode for a port interface IC 4 80 dot1x operation mode Allows single or multiple hosts on an dot1x port IC 4 80 dot1x re authenticate Forces re authentication on specific ports PE...

Page 269: ...ets the maximum number of times the switch port will retransmit an EAP request identity packet to the client before it times out the authentication session Use the no form to restore the default Syntax dot1x max req count no dot1x max req count The maximum number of requests Range 1 10 Default 2 Command Mode Global Configuration Example Console config dot1x default Console config Console config do...

Page 270: ...ace Configuration Example dot1x operation mode This command allows single or multiple hosts clients to connect to an 802 1X authorized port Use the no form with no keywords to restore the default to single host Use the no form with the multi host max count keywords to restore the default maximum count Syntax dot1x operation mode single host multi host max count count no dot1x operation mode multi ...

Page 271: ... dot1x re authenticate This command forces re authentication on all ports or a specific interface Syntax dot1x re authenticate interface interface ethernet unit port unit This is device 1 port Port number Command Mode Privileged Exec Example dot1x re authentication This command enables periodic re authentication globally for all ports Use the no form to disable re authentication Syntax no dot1x re...

Page 272: ...he number of seconds Range 1 65535 Default 60 seconds Command Mode Global Configuration Example dot1x timeout re authperiod This command sets the time period after which a connected client must be re authenticated Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 seconds Command Mode Global Configuration Example Conso...

Page 273: ...tication related settings on the switch or a specific interface Syntax show dot1x statistics interface interface statistics Displays dot1x status for each port interface ethernet unit port unit This is device 1 port Port number Command Mode Privileged Exec Command Usage This command displays the following information Global 802 1X Parameters Displays the global port access control parameters that ...

Page 274: ...es including Operation mode page 4 80 Max count page 4 80 Port control page 4 80 and Current Identifier It also displays the following information Status Authorization status authorized or unauthorized Supplicant MAC address of authorized client Authenticator State Machine State Current state including initialize disconnected connecting authenticating authenticated aborting held force_authorized f...

Page 275: ...Authorized n a 1 47 disabled Single Host ForceAuthorized n a 1 48 enabled Single Host Auto yes 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is disabled on port 1 2 802 1X is disabled on port 1 47 802 1X is enabled on port 1 48 Status Authorized Operation mode Single Host Max count 5 Port control Auto Supplicant 00 00 e8 49 5e dc Current Identifier 3 Authenticator State Machine State A...

Page 276: ...mode MAC ACL filters packets based on the source or destination MAC address and the Ethernet frame type RFC 1060 The following restrictions apply to ACLs This switch supports ACLs for both ingress and egress filtering However you can only bind one IP ACL and one MAC ACL to any port for ingress filtering and one IP ACL and one MAC ACL to any port for egress filtering In other words only four ACLs c...

Page 277: ...rotocol type and TCP control code 4 87 MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type 4 101 ACL Information Displays ACLs and associated rules shows ACLs assigned to each port 4 111 Table 4 33 IP ACL Commands Command Function Mode Page access list ip Creates an IP ACL and enters configuration mode GC 4 88 permit deny Filters packets matching a specified source...

Page 278: ... rules When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Related Commands permit deny 4...

Page 279: ...nded to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned Example ...

Page 280: ...port bitmask destination port dport port bitmask control flag control flags flag bitmask protocol number A specific protocol number Range 0 255 source Source IP address destination Destination IP address address bitmask Decimal number representing the address bits to match host Keyword followed by a specific IP address precedence IP precedence level Range 0 7 tos Type of Service level Range 0 15 d...

Page 281: ...syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the following flags set SYN flag valid use control code 2 2 Both SYN and ACK valid use control code 18 18 SYN valid and ACK invalid use control code 2 18 Example This example accepts any incoming packets if the source address is within subnet 10 7 ...

Page 282: ...ated Commands permit deny 4 89 ip access group 4 97 access list ip mask precedence This command changes to the IP Mask mode used to configure access control masks Use the no form to delete the mask table Syntax no access list ip mask precedence in out in Ingress mask for ingress ACLs out Egress mask for egress ACLs Default Setting Default system mask Filter inbound packets according to specified I...

Page 283: ...any host source bitmask any host destination bitmask precedence tos dscp source port port bitmask destination port port bitmask control flag flag bitmask protocol Check the protocol field any Any address will be matched host The address must be for a host device not a subnetwork source bitmask Source address of rule must match this bitmask destination bitmask Destination address of rule must match...

Page 284: ... order of precedence to look for a match in the ACL entries The first entry matching a mask is applied to the inbound packet This shows that the entries in the mask override the precedence in which the rules are entered into the ACL In the following example packets with the source address 10 1 1 1 are dropped because the deny 10 1 1 1 255 255 255 255 rule has the higher precedence according the ma...

Page 285: ...Console config if ip access group A2 in Console config if end Console show access list IP standard access list A2 deny host 171 69 198 102 permit any Console Console config access list ip extended A3 Console config ext acl deny host 171 69 198 5 any Console config ext acl deny 171 69 198 0 255 255 255 0 any source port 23 Console config ext acl end Console show access list IP extended access list ...

Page 286: ...config ext acl permit any any Switch config ext acl deny tcp any any control flag 2 2 Switch config ext acl end Console show access list IP extended access list A6 permit any any deny tcp any any control flag 2 2 Console configure Switch config access list ip mask precedence in Switch config ip mask acl mask protocol any any control flag 2 Switch config ip mask acl end Console sh access list IP ex...

Page 287: ...e Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one You must configure a mask for an ACL rule before you can bind it to a port Example Related Commands show ip access list 4 92 show ip access group This command shows the ports assigned to IP ACLs C...

Page 288: ...e Range 0 7 Default Setting None Command Mode Interface Configuration Ethernet Command Usage You must configure an ACL mask before you can map CoS values to the rule A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table For information on mapping the CoS values to output queues see queue cos map on page 4 194 Example Related Command...

Page 289: ...rity of a frame matching the defined ACL rule This feature is commonly referred to as ACL packet marking Use the no form to remove the ACL marker Syntax match access list ip acl_name set priority priority set precedence precedence_value set dscp dscp_value no match access list ip acl_name acl_name Name of the ACL Maximum length 16 characters priority Class of Service value in the IEEE 802 1p prior...

Page 290: ...fy the IP precedence priority use the set tos keywords To specify the DSCP priority use the set dscp keywords Note that the IP frame header can include either the IP Precedence or DSCP priority type The precedence for priority mapping by this switch is IP Precedence or DSCP Priority and then 802 1p priority Example Related Commands show marking 4 100 show marking This command displays the current ...

Page 291: ... enters configuration mode GC 4 101 permit deny Filters packets matching a specified source and destination address packet format and Ethernet type MAC ACL 4 102 show mac access list Displays the rules for configured MAC ACLs PE 4 103 access list mac mask precedence Changes to the mode for configuring access control masks GC 4 104 mask Sets a precedence mask for the ACL rules MAC Mask 4 105 show a...

Page 292: ...t destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask no permit deny untagged eth2 any host source source address bitmask any host destination destination address bitmask ethertype protocol protocol bitmask no permit deny tagged 802 3 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask no permit den...

Page 293: ...rtype option can only be used to filter Ethernet II formatted packets A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include the following 0800 IP 0806 ARP 8137 IPX Example This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Related Commands access list mac 4 101 sh...

Page 294: ...n Command Usage You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule A mask can only be used by all ingress ACLs or all egress ACLs The precedence of the ACL rules applied to a packet is not determined by order of the rules but instead by the order of the masks i e the first mask that matches a rule will determine ...

Page 295: ...ource address of rule must match this bitmask destination bitmask Destination address of rule must match this bitmask vid Check the VLAN ID field vid bitmask VLAN ID of rule must match this bitmask ethertype Check the Ethernet type field ethertype bitmask Ethernet type of rule must match this bitmask Default Setting None Command Mode MAC Mask Command Usage Up to seven masks can be assigned to an i...

Page 296: ...ss list M4 deny tagged eth2 host 00 11 11 11 11 11 any vid 3 permit any any MAC ingress mask ACL mask pktformat host any vid Console Console config access list mac M5 Console config mac acl deny tagged 802 3 host 00 11 11 11 11 11 any Console config mac acl deny tagged eth2 00 11 11 11 11 11 ff ff ff ff ff ff any vid 3 ethertype 0806 Console config mac acl end Console show access list MAC access l...

Page 297: ...me of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets out Indicates that this list applies to egress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Y...

Page 298: ...packet itself Use the no form to remove the CoS mapping Syntax no map access list mac acl_name cos cos value acl_name Name of the ACL Maximum length 16 characters cos value CoS value Range 0 7 Default Setting None Command Mode Interface Configuration Ethernet Command Usage You must configure an ACL mask before you can map CoS values to the rule A packet matching a rule within the specified ACL is ...

Page 299: ...etermines the output queue for packets matching an ACL rule Syntax show map access list mac interface interface ethernet unit port unit This is device 1 port Port number Command Mode Privileged Exec Example Related Commands map access list mac 4 108 Console config int eth 1 5 Console config if map access list mac M5 cos 0 Console config if Console show map access list mac Access list to COS of Eth...

Page 300: ...ch access list mac acl_name acl_name Name of the ACL Maximum length 16 characters priority Class of Service value in the IEEE 802 1p priority tag Range 0 7 7 is the highest priority Default Setting None Command Mode Interface Configuration Ethernet Command Usage You must configure an ACL mask before you can change frame priorities based on an ACL rule Example Related Commands show marking 4 100 Co...

Page 301: ...s list Show all ACLs and associated rules PE 4 111 show access group Shows the ACLs assigned to each port PE 4 111 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 0 0 15 255 IP extended access list bob permit 10 7 1 1 0 0 0 255 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control cod...

Page 302: ...stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Command Mode Global Configuration Command Usage The first snmp server community command you enter enables SNMP SNMPv1 The no sn...

Page 303: ...figuration Example Related Commands snmp server location 4 113 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Console config snmp server c...

Page 304: ...tion Command Usage If you do not enter an snmp server host command no notifications are sent In order to configure the switch to send SNMP notifications you must enter at least one snmp server host command In order to enable multiple hosts you must issue a separate snmp server host command for each host The snmp server host command is used in conjunction with the snmp server enable traps command U...

Page 305: ...n order to configure this device to send SNMP notifications you must enter at least one snmp server enable traps command If you enter the command with no keywords both authentication and link up down notifications are enabled If you enter the command with a keyword only the notification type related to that keyword is enabled The snmp server enable traps command is used in conjunction with the snm...

Page 306: ...e SNMP communities 1 alpha and the privilege is read write 2 private and the privilege is read write 3 public and the privilege is read only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get request PDUs 0 Get next PDUs 0 Set request PDUs 0 SNM...

Page 307: ...ng IP address address2 address8 Additional corresponding IP addresses Default Setting No static entries Command Mode Global Configuration Table 4 39 DNS Commands Command Function Mode Page ip host Creates a static host name to address mapping GC 4 117 clear host Deletes entries from the host name to address table PE 4 118 ip domain name Defines a default domain name for incomplete host names GC 4 ...

Page 308: ...moves all entries Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name Syntax ip domain name name no ip domain na...

Page 309: ...main name Range 1 64 characters Default Setting None Command Mode Global Configuration Command Usage Domain names are added to the end of the list one at a time When an incomplete host name is received by the DNS server on this switch it will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match If there is no ...

Page 310: ...ddress6 server address1 IP address of domain name server server address2 server address6 IP address of additional domain name servers Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response Console config ip domain list sample com jp Console con...

Page 311: ...ntax no ip domain lookup Default Setting Disabled Command Mode Global Configuration Command Usage At least one name server must be specified before you can enable DNS If all name servers are deleted DNS will automatically be disabled Console config ip name server 192 168 1 55 10 1 0 55 Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name ...

Page 312: ...ileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address es as a previously configured entry Console config ip domain lookup Console config end Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List 192 168 1 55 10 1 0 55 Console Console show hosts Hostname rd5...

Page 313: ...8 71 83 298 www yahoo akadns net 4 4 CNAME 66 218 71 81 298 www yahoo akadns net 5 4 CNAME 66 218 71 80 298 www yahoo akadns net 6 4 CNAME 66 218 71 89 298 www yahoo akadns net 7 4 CNAME 66 218 71 86 298 www yahoo akadns net 8 4 ALIAS POINTER TO 7 298 www yahoo com Console Table 4 40 show dns cache display description Field Description NO The entry number for each resource record FLAG The flag is ...

Page 314: ...d Line Interface 4 124 4 clear dns cache This command clears all entries in the DNS cache Command Mode Privileged Exec Example Console clear dns cache Console show dns cache NO FLAG TYPE IP TTL DOMAIN Console ...

Page 315: ...uration IC 4 126 speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC 4 126 negotiation Enables autonegotiation of a given interface IC 4 127 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 4 128 flowcontrol Enables flow control on a given interface IC 4 129 combo forced mode Force port type sele...

Page 316: ...The following example adds a description to port 24 speed duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled Use the no form to restore the default Syntax speed duplex 1000full 100full 100half 10full 10half no speed duplex 1000full Forces 1000 Mbps full duplex operation 100full Forces 100 Mbps full duplex operation 100half Forces 100 Mbps...

Page 317: ...negotiation the required mode must be specified in the capabilities list for an interface Example The following example configures port 5 to 100 Mbps half duplex operation Related Commands negotiation 4 127 capabilities 4 128 negotiation This command enables autonegotiation for a given interface Use the no form to disable autonegotiation Syntax no negotiation Default Setting Enabled Command Mode I...

Page 318: ...upports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control symmetric Gigabit only When specified the port transmits and receives pause frames when not specified the port will auto negotiate to determine the sender and receiver for asymmetric pause frames The current switch ASIC only supports symmetric pause frames Default Setting 100BASE T...

Page 319: ...IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To enable flow control under auto negotiation flowcontrol must be in...

Page 320: ...he RJ 45 port has a valid link sfp forced Always uses the SFP port even if module not installed sfp preferred auto Uses SFP port if both combination types are functioning and the SFP port has a valid link Default Setting sfp preferred auto Command Mode Interface Configuration Ethernet Example This forces the switch to use the built in RJ 45 port for the combination port 48 shutdown This command di...

Page 321: ...trol Use the no form to disable broadcast storm control Syntax switchport broadcast packet rate rate no switchport broadcast rate Threshold level as a rate i e packets per second Range 500 262143 Default Setting Enabled for all ports Packet rate limit 500 packets per second Command Mode Interface Configuration Ethernet Command Usage When broadcast traffic exceeds the specified threshold packets ab...

Page 322: ...Mode Privileged Exec Command Usage Statistics are only initialized for a power reset This command sets the base value for displayed statistics to zero for the current management session However if you log out and back into the management interface the statistics displayed will show the absolute value accumulated since the last power reset Example The following example clears statistics on port 5 C...

Page 323: ...played by this command see Displaying Connection Status on page 3 64 Example Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic information Port type 1000T Mac address 00 00 AB CD 00 01 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast storm Enabled Broadcast storm limit 500 packets second Flow control Disabled La...

Page 324: ...ard input 0 Discard output 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac t...

Page 325: ...d Enabled 500 packets second Lacp status Disabled Ingress rate limit disable 1000M bits per second Egress rate limit disable 1000M bits per second VLAN membership mode Hybrid Ingress rule Disabled Acceptable frame type All frames Native VLAN 1 Priority for untagged traffic 0 Gvrp status Disabled Allowed Vlan 1 u Forbidden Vlan Console Table 4 42 interfaces switchport display description Field Desc...

Page 326: ...ngress rule Shows if ingress filtering is enabled or disabled page 4 177 Acceptable frame type Shows if acceptable VLAN frames include all types or tagged frames only page 4 176 Native VLAN Indicates the default Port VLAN ID page 4 178 Priority for untagged traffic Indicates the default priority for untagged frames page 4 191 Gvrp status Shows if GARP VLAN Registration Protocol is enabled or disab...

Page 327: ... all sessions must share the same destination port However you should avoid sending too much traffic to the destination port from multiple source ports Example The following example configures the switch to mirror all packets from port 6 to 11 show port monitor This command displays mirror information Syntax show port monitor interface interface ethernet unit port source port unit Switch unit 1 po...

Page 328: ...ing traffic is dropped conforming traffic is forwarded without any changes rate limit This command defines the rate limit for a specific interface Use this command without specifying a rate to restore the default rate Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate output Output rate rate Maximum value in Mbp...

Page 329: ...ction must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e speed duplex mode and flow control VLAN assignments and CoS settings Console config interface ethernet 1 1 Console config if rate limit input 600 Console config if Table 4 45 Link Aggregation Commands Command Function Mode Page Manual Configuration Commands interf...

Page 330: ... if the port channel admin key is set then the port admin key must be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port priority is used to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 6 Default ...

Page 331: ... will be placed in standby mode and will only be enabled if one of the active links fails Example The following shows LACP enabled on ports 11 13 Because LACP has also been enabled on the ports at the other end of the links the show interfaces status port channel 1 command shows that Trunk1 has been established Console config interface ethernet 1 11 Console config if lacp Console config if exit Co...

Page 332: ...d with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP settings for the partner only applies to...

Page 333: ...tem priority matches 2 the LACP port admin key matches and 3 the LACP port channel admin key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Once the remote sid...

Page 334: ... the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 Example lacp port priority This command configures LAC...

Page 335: ...artner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Example show lacp This command displays LACP information Syntax show lacp port channel counters internal neighbors sysid port channel Local identifier for a link aggregation group Range 1 6 counters Statistics for LACP protocol messages...

Page 336: ...DUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the S...

Page 337: ... state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection o...

Page 338: ...signed by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol part...

Page 339: ...roup A link aggregation group configured on this switch System Priority LACP system priority for this channel group System MAC Address System MAC address The LACP system priority and system MAC address are concatenated to form the LAG system ID Table 4 50 Address Table Commands Command Function Mode Page mac address table static Maps a static address to a port in a VLAN GC 4 150 clear mac address ...

Page 340: ...default mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Static addresses will not be removed from the address table when a given interface link is down Static addresses ...

Page 341: ...nit This is device 1 port Port number port channel channel id Range 1 6 vlan id VLAN ID Range 1 4094 sort Sort by address vlan or interface Default Setting None Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Dele...

Page 342: ...ange 10 1000000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console show mac address table Interf...

Page 343: ...ing tree instance MST 4 161 name Configures the name for the multiple spanning tree MST 4 161 revision Configures the revision number for the multiple spanning tree MST 4 162 max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST 4 163 spanning tree spanning disabled Disables spanning tree for an interface IC 4 163 spanning tree cost Configures the span...

Page 344: ...nt switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down Example This example shows how to enable the Spanning Tree Algorithm for the switch spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the d...

Page 345: ...TP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same MSTP configuration allowing them to participate in a specific set of spanning tree instances A spanning tree instance can exis...

Page 346: ...scarding state otherwise temporary data loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hello time time no spanning tree hello time time Time in seconds Range 1 10 seconds The maximum value is the lower of 10 or max age 2 1 Default Setting 2 seconds C...

Page 347: ...nfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network Example spanning tree priority This command configures t...

Page 348: ...ore the default Syntax spanning tree pathcost method long short no spanning tree pathcost method long Specifies 32 bit based values that range from 1 200 000 000 short Specifies 16 bit based values that range from 1 65535 Default Setting Long method Command Mode Global Configuration Command Usage The path cost method is used to determine the best path between devices Therefore lower values should ...

Page 349: ...l Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration Use this command to change to Multiple Spanning Tree MST configuration mode Default Setting No VLANs are mapped to any MST instance The region name is set the switch s MAC address Command Mode Global Configuration Example Related Commands mst vlan 4 160 mst priority 4 1...

Page 350: ... balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances You should try to group VLANs which cover the s...

Page 351: ...ecting the root bridge and alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by...

Page 352: ...anning tree configuration of this switch Use the no form to restore the default Syntax revision number number Revision number of the spanning tree Range 0 65535 Default Setting 0 Command Mode MST Configuration Command Usage The MST region name page 4 161 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to ...

Page 353: ...these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the hop count by one before passing on the BPDU When the hop count reaches zero the message is dropped Example spanning tree spanning disabled This command disables the spanning tree algorithm for the specified interface Use the no form to reenable the spanning tree algorithm ...

Page 354: ...rface Configuration Ethernet Port Channel Command Usage This command is used by the Spanning Tree Algorithm to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 158 is set to short the max...

Page 355: ...Interface Configuration Ethernet Port Channel Command Usage You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers reta...

Page 356: ...state changes more quickly than allowed by standard convergence time Fast forwarding can achieve quicker convergence for end node workstations and servers and also overcome other STA related timeout problems Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end node device This command is the same as spanning tre...

Page 357: ...lex mode A full duplex interface is considered a point to point link while a half duplex interface is assumed to be on a shared link RSTP only works on point to point links between two bridges If you designate a port as a shared link RSTP is forbidden Since MSTP is an extension of RSTP this same restriction applies Example spanning tree mst cost This command configures the path cost on a spanning ...

Page 358: ...ce priority Example Related Commands spanning tree mst port priority 4 168 spanning tree mst port priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree mst instance_id port priority priority no spanning tree mst instance_id port priority instance_id Instance identifier of the spanning...

Page 359: ...is is device 1 port Port number port channel channel id Range 1 6 Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatible mode However you can also use the spanning tree protocol migration command at any time to manually re check the...

Page 360: ...he show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tree mst instance_id command to display the spanning tree con...

Page 361: ... 0 0000ABCD0000 Current root port 1 Current root cost 200000 Number of topology changes 1 Last topology changes time sec 22 Transmission limit 3 Path Cost Method long Eth 1 1 information Admin status enable Role root State forwarding External path cost 100000 Internal path cost 100000 Priority 128 Designated cost 200000 Designated port 128 24 Designated root 32768 0 0000ABCD0000 Designated bridge ...

Page 362: ...ed interface Console show spanning tree mst configuration Mstp Configuration Information Configuration name 00 00 a3 42 00 80 Revision level 0 Instance Vlans 0 1 4094 Console Table 4 52 VLAN Commands Command Groups Function Page Editing VLAN Groups Sets up VLAN groups including name VID and state 4 173 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress ta...

Page 363: ...g the show vlan command Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the running configuration file and you can display this file by entering the show running config command Example Related Commands show vlan 4 181 Table 4 53 Editing VLAN Groups Command Function Mode Page vlan database Enters...

Page 364: ...he VLAN state active VLAN is operational suspend VLAN is suspended Suspended VLANs do not pass packets Default Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration Command Usage no vlan vlan id deletes the VLAN no vlan vlan id name removes the VLAN name no vlan vlan id state returns the VLAN to the default state i e active You can configure up to 255 VLANs o...

Page 365: ...terface configuration mode for a specified VLAN IC 4 175 switchport mode Configures VLAN membership mode for an interface IC 4 176 switchport acceptable frame types Configures frame types to be accepted by an interface IC 4 176 switchport ingress filtering Enables ingress filtering on an interface IC 4 177 switchport native vlan Configures the PVID native VLAN of an interface IC 4 178 switchport a...

Page 366: ...ntagged frames Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Example The following shows how to set the configuration mode to port 1 and then set the switchport mode to hybrid Related Commands switchport acceptable frame types 4 176 switchport acceptable frame types This command configures the acceptable frame ty...

Page 367: ...ed Command Mode Interface Configuration Ethernet Port Channel Command Usage Ingress filtering only affects tagged frames If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member these frames will be flooded to all other ports except for those VLANs explicitly forbidden on this port If ingress filtering is enabled and a port receives frames tagged fo...

Page 368: ...rface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs an interface must first be configured as an untagged member before you can assign its PVID to that group If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames enter...

Page 369: ...switchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection support...

Page 370: ...to designate a range of IDs Do not enter leading zeros Range 1 4094 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set...

Page 371: ...on Mode Page show vlan Shows VLAN information NE PE 4 181 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 133 show interfaces switchport Displays the administrative and operational status of an interface NE PE 4 135 Console show vlan id 1 VLAN Type Name Status Ports Channel groups 1 Static DefaultVlan Active Eth1 1 Eth1 2 Eth1 3 Eth1 4 Eth1 5 Eth1 6 Eth1 7 Eth1...

Page 372: ... A private VLAN provides port based security and isolation between ports within the VLAN Data traffic on the downlink ports can only be forwarded to and from the uplink port Private VLANs and normal VLANs can exist simultaneously within the same switch Entering the pvlan command without any parameters enables the private VLAN Entering no pvlan disables the private VLAN Example This example enables...

Page 373: ...igure VLAN groups for the protocols you want to use page 4 174 Although not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each protocol you want to assign to a VLAN using the protocol vlan protocol group command General Configuration mode 3 Then map the protocol for each interface ...

Page 374: ...de Global Configuration Example The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types protocol vlan protocol group Configuring Interfaces This command maps a protocol group to a VLAN for the current interface Use the no form to remove the protocol mapping for this interface Syntax protocol vlan protocol group group id vlan vlan id no protocol vlan prot...

Page 375: ...the protocol type does not match the frame is forwarded to the default VLAN for this interface Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2 show protocol vlan protocol group This command shows the frame and protocol type associated with protocol groups Syntax show protocol vlan protocol group group id group i...

Page 376: ...ce interface ethernet unit port unit This is device 1 port Port number port channel channel id Range 1 6 Default Setting The mapping for all interfaces is displayed Command Mode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2 Console show interfaces protocol vlan protocol group Port ProtocolGroup ID Vlan ...

Page 377: ...tches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch Example Table 4 58 GVRP and Bridge Extension Commands Command Function Mode Page bridge ext gvrp Enables GVRP globally for the switch GC 4 187 show bridge ext Shows the global...

Page 378: ...mmand enables GVRP for a port Use the no form to disable it Syntax no switchport gvrp Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console show bridge ext Max support vlan numbers 255 Max support vlan ID 4094 Extended multicast filtering services No Static entry individual port Yes VLAN learning IVL Configurable PVID tagging Yes Local VLAN capable No ...

Page 379: ...mand sets the values for the join leave and leaveall timers Use the no form to restore the timers default values Syntax garp timer join leave leaveall timer_value no garp timer join leave leaveall join leave leaveall Which timer to set timer_value Value of timer Ranges join 20 1000 centiseconds leave 60 3000 centiseconds leaveall 500 18000 centiseconds Default Setting join 20 centiseconds leave 60...

Page 380: ...ll leave Note Set GVRP timers on all Layer 2 devices connected in the same network to the same values Otherwise GVRP may not operate successfully Example Related Commands show garp timer 4 190 show garp timer This command shows the GARP timers for the selected interface Syntax show garp timer interface interface ethernet unit port unit This is device 1 port Port number port channel channel id Rang...

Page 381: ...y for untagged frames sets queue weights and maps class of service tags to hardware queues 4 191 Priority Layer 3 and 4 Maps TCP ports IP precedence tags or IP DSCP tags to class of service values 4 197 Table 4 60 Priority Commands Layer 2 Command Function Mode Page queue mode Sets the queue mode to strict priority or Weighted Round Robin WRR GC 4 192 switchport priority default Sets a port priori...

Page 382: ...ively Default Setting Weighted Round Robin Command Mode Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relative weight for e...

Page 383: ...untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used This switch provides eight priority queues for each port It is configured to use Weighted Round Robin which can be viewed with the show queue bandwidth command Inbound frames that do not have VLAN tags ar...

Page 384: ...ress port by defining scheduling weights Example This example shows how to assign WRR weights to each of the priority queues Related Commands show queue bandwidth 4 196 queue cos map This command assigns class of service CoS values to the priority queues i e hardware output queues 0 7 Use the no form set the CoS map to the default values Syntax queue cos map queue_id cos1 cosn no queue cos map que...

Page 385: ...his command sets the CoS priority for all interfaces Example The following example shows how to change the CoS assignments to a one to one mapping Related Commands show queue cos map 4 196 show queue mode This command shows the current queue mode Default Setting None Command Mode Privileged Exec Table 4 61 Default CoS Priority Levels Queue 0 1 2 3 4 5 6 7 Priority 2 0 1 3 4 5 6 7 Console config in...

Page 386: ... show queue cos map This command shows the class of service priority map Syntax show queue cos map interface interface ethernet unit port unit This is device 1 port Port number port channel channel id Range 1 6 Default Setting None Command Mode Privileged Exec Console show queue mode Queue mode strict Console Console show queue bandwidth Information of Eth 1 1 Queue ID Weight 0 1 1 2 2 4 3 6 4 8 5...

Page 387: ...map ip port Maps TCP socket to a class of service IC 4 198 map ip precedence Enables IP precedence class of service mapping GC 4 198 map ip precedence Maps IP precedence value to a class of service IC 4 199 map ip dscp Enables IP DSCP class of service mapping GC 4 200 map ip dscp Maps IP DSCP value to a class of service IC 4 200 map access list ip Sets the CoS value and corresponding output queue ...

Page 388: ...e Configuration Ethernet Port Channel Command Usage The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority This command sets the IP port priority for all interfaces Example The following example shows how to map HTTP traffic to CoS value 0 map ip precedence Global Configuration This command enables IP precedence mapping i e IP Type of Service Use th...

Page 389: ...e value Range 0 7 Default Setting The list below shows the default priority mapping Command Mode Interface Configuration Ethernet Port Channel Command Usage The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority IP Precedence values are mapped to default Class of Service values on a one to one basis according to recommendations in the IEEE 802 1p st...

Page 390: ...ult switchport priority IP Precedence and IP DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type Example The following example shows how to enable IP DSCP mapping globally map ip dscp Interface Configuration This command sets IP DSCP priority i e Differentiated Services Code Point priority Use the no form to restore the default table Syntax ma...

Page 391: ... IEEE 802 1p standard and then subsequently mapped to the eight hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP value 1 to CoS value 0 show map ip port This command shows the IP port priority map Syntax show map ip port interface interface ethernet unit port unit This is device 1 port Port number port channel...

Page 392: ... map ip port Interface Configuration 4 198 show map ip precedence This command shows the IP precedence priority map Syntax show map ip precedence interface interface ethernet unit port unit This is device 1 port Port number port channel channel id Range 1 6 Default Setting None Command Mode Privileged Exec Console show map ip port ethernet 1 5 TCP port mapping status enabled Port Port no COS Eth 1...

Page 393: ...y map Syntax show map ip dscp interface interface ethernet unit port unit This is device 1 port Port number port channel channel id Range 1 6 Default Setting None Command Mode Privileged Exec Console show map ip precedence ethernet 1 5 Precedence mapping status disabled Port Precedence COS Eth 1 5 0 0 Eth 1 5 1 1 Eth 1 5 2 2 Eth 1 5 3 3 Eth 1 5 4 4 Eth 1 5 5 5 Eth 1 5 6 6 Eth 1 5 7 7 Console ...

Page 394: ... 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console Table 4 65 Multicast Filtering Commands Command Groups Function Page IGMP Snooping Configures multicast groups via IGMP snooping or static assignment sets the IGMP version displays current snooping and query settings and displays the multicast service and group members 4 204 IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 4...

Page 395: ... Use the no form to remove the port Syntax no ip igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit This is device 1 port Port number port channel channel id Range 1 6 Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a multicast ...

Page 396: ...egacy devices in your network that only support Version 1 you will also have to configure this switch to use Version 1 Some commands are only enabled for IGMPv2 including ip igmp query max response time and ip igmp query timeout Example The following configures the switch to use IGMP Version 1 show ip igmp snooping This command shows the IGMP snooping configuration Default Setting None Command Mod...

Page 397: ...GMP snooping Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER depending on selected options Example The following shows the multicast entries learned through IGMP snooping for VLAN 1 Console show ip igmp snooping Service status Enabled Querier status Enabled Query count 2 Query interval 125 sec Query max response time 10 sec Router port ex...

Page 398: ...ip igmp snooping query count count no ip igmp snooping query count count The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group Range 2 10 Table 4 67 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 4 208 ip igmp sn...

Page 399: ... have left the multicast group Example The following shows how to configure the query count to 10 Related Commands ip igmp snooping query max response time 4 210 ip igmp snooping query interval This command configures the query interval Use the no form to restore the default Syntax ip igmp snooping query interval seconds no ip igmp snooping query interval seconds The frequency at which the switch ...

Page 400: ... but a client has not responded a countdown timer is started using an initial value set by this command If the countdown finishes and the client still has not responded then that client is considered to have left the multicast group Example The following shows how to configure the maximum response time to 20 seconds Related Commands ip igmp snooping version 4 206 ip igmp snooping router port expir...

Page 401: ... port Use the no form to remove the configuration Syntax no ip igmp snooping vlan vlan id mrouter interface vlan id VLAN ID Range 1 4094 interface ethernet unit port unit This is device 1 port Port number port channel channel id Range 1 6 Default Setting No static multicast router ports are configured Command Mode Global Configuration Console config ip igmp snooping router port expire time 300 Con...

Page 402: ...p igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports Syntax show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID Range 1 4094 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static or Dynamic Example The...

Page 403: ...s bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Command Usage You must assign an IP address to this device to gain management access over the network You can manually configure a specific IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0...

Page 404: ...is command submits a BOOTP or DHCP client request Default Setting None Command Mode Privileged Exec Command Usage This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command DHCP requires the server to reassign the client s last address if available If the BOOTP or DHCP server has been moved to a different domain the ne...

Page 405: ...tablished Command Mode Global Configuration Command Usage A gateway must be defined if the management station is located in a different IP segment Example The following example defines a default gateway for this device Related Commands show ip redirects 4 216 show ip interface This command displays the settings of an IP interface Default Setting All interfaces Command Mode Privileged Exec Example ...

Page 406: ...es larger than the size specified because the switch adds header information count Number of packets to send Range 1 16 default 5 Default Setting This command has no default for the host Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached Following are some results of the ping command Normal response The normal response o...

Page 407: ...125 Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 0 ms Ping statistics for 10 1 0 9 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 0 ms Maximum 10 ms Average 8 ms Console ...

Page 408: ...Command Line Interface 4 218 4 ...

Page 409: ...ts one destination port Rate Limits Input Limit Output limit Range configured per port Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Protocol Spanning Tree Protocol STP IEEE 802 1D Rapid Spanning Tree Protocol RSTP IEEE 802 1w Multiple Spanning Tree Protocol MSTP IEEE 802 1s VLAN Support Up to 255 groups port based protocol ...

Page 410: ...t to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 3 Ethernet IEEE 802 3u Fast Ethernet IEEE 802 3x Full duplex flow control ISO IEC 8802 3 IEEE 802 3z Gigabit Ethernet IEEE 802 3ab 1000BASE T IEEE 802 3ac VLAN tagging IEEE 802 1Q VLAN IEEE 802 1v Protocol based VLANs IEEE 802 3ad Link Aggregation Control Protocol IEEE 802 1D Spanning Tree Protocol and traff...

Page 411: ...P Agents MIB RFC 2742 Forwarding Table MIB RFC 2096 IGMP MIB RFC 2933 Interface Group MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP Multicasting related MIBs MAU MIB RFC 2668 MIB II RFC 1212 1213 Port Access Entity MIB IEEE 802 1x Private MIB Quality of Service MIB RADIUS Authentication Client MIB RFC 2621 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation TACA...

Page 412: ...Software Specifications A 4 A ...

Page 413: ...t Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured...

Page 414: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 415: ...ices Code Point Service DSCP DSCP uses a six bit tag to provide for up to 64 different forwarding behaviors Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP bits are mapped to the Class of Service categories and then into the output queues Domain Name Service DNS A system used for translating host names for network nodes into IP addresse...

Page 416: ...stations comply with the IEEE 802 1p standard Group Attribute Registration Protocol GARP See Generic Attribute Registration Protocol IEEE 802 1D Specifies a general method for the operation of MAC bridges including the Spanning Tree Protocol IEEE 802 1Q VLAN Tagging Defines Ethernet frame tags which carry VLAN information It allows switches to assign endstations to different virtual LANs and defin...

Page 417: ...d assumes responsibility for keeping track of group membership In Band Management Management of the network from a station attached directly to the network IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts IP Precedence The Type of Service ToS octet in the IPv4 header includes three precedence bits defining eight different priority levels ...

Page 418: ...x Port Mirroring A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe This allows data on the target port to be studied unobstructively Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high speed logical link that combines several lower speed physical links Private VLANs ...

Page 419: ... Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcasts sent by NTP servers Spanning Tree Protocol STP A technology that checks your network for any loops A loop can often occur in complicated or backup linked network systems Spanning Tree detects and directs data along the shortest available path maximizing the performance and efficiency of ...

Page 420: ... targets UDP is useful when TCP would be too complex too slow or just unnecessary Virtual LAN VLAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on the same...

Page 421: ...27 4 192 queue mode 3 129 4 190 traffic class weights 3 129 4 192 D default gateway configuration 3 13 4 213 default priority ingress port 3 125 4 191 default settings system 1 5 DHCP 3 15 4 211 client 3 13 4 117 dynamic configuration 2 5 Differentiated Code Point Service See DSCP DNS default domain name 3 146 displaying the cache 3 150 domain name list 3 146 enabling lookup 3 146 name server list...

Page 422: ...3 4 Management Information Bases MIBs A 3 mirror port configuring 3 82 4 134 MSTP 4 152 global settings 3 104 4 151 interface settings 4 151 multicast filtering 3 139 4 202 multicast groups 3 144 4 205 displaying 4 205 static 3 144 4 203 4 205 multicast services configuring 3 145 4 203 displaying 3 144 4 205 multicast static router port 3 143 4 209 P password line 4 13 passwords 2 4 administrator ...

Page 423: ...k type 3 101 3 103 4 165 path cost 3 93 3 100 4 162 path cost method 3 97 4 156 port priority 3 101 4 162 protocol migration 3 103 4 167 transmission limit 3 97 4 157 standards IEEE A 2 startup files creating 3 18 4 63 displaying 3 16 4 57 setting 3 16 4 67 static addresses setting 3 88 4 148 statistics port 3 84 4 132 STP 3 95 4 152 STP Also see STA system clock setting 3 26 4 52 system software ...

Page 424: ...Index 4 Index W Web interface access requirements 3 1 configuration buttons 3 3 home page 3 2 menu list 3 3 3 4 panel display 3 3 ...

Page 425: ......

Page 426: ...ES4512C ES4524C ES4548C E052005 R02 ...

Search results

Summary of Contents for ES4512C

Reviews:

Brands by name

Popular brands

Accton Technology ES4512C, Management Manual

Search results

Summary of Contents for ES4512C

Reviews:

Brands by name

Popular brands